Davidson County, NC Hit By Ransomware – Reverts to Paper

While yet another local government being shut down by a ransomware attack is old news these days, it still can point to a few valuable things.

This time it is Davidson County, NC, home of Greensboro.

At 2:00 in the morning the county’s CIO was woken up – there was something strange going on with the 911 system.

What they figured out what that ransomware had compromised 70 servers and an unknown number of desktops and laptops.

Oh, yeah, and the phones weren’t working, which is sort of a problem for the 911 dispatchers.

The county manager said it could take weeks or months to fully resolve.  He also said that this kind of attack is common in Europe.  It is, but it is equally common in the U.S.  Just recently neighboring county Mecklenburg had the same problem.

One bit of good news is that they have cyber insurance.  That likely will help them pay for some of the costs.  At the time of the first article, they had not decided if they were going to pay the ransom.

By Monday the county said that 911 was working as was the tax collector.  You can see why both of these are important to the county.

They continue to work on the restoration, but did not give a time when things would be back to normal – just soon.

What what are the takeaways here?

  • Have a disaster recovery plan – it sounds like they did have one of these.
  • Have a business continuity plan  – how do we the doors open or answering the phone.  And, if you are a web based business and your web site is down, now what?
  • Having cyber insurance will help pay for all this.
  • Make sure you have backups.  Make sure it covers ALL of your data and systems.
  • Figure out how long it will take to restore those backups.  For nearby Mecklenburg, it was a couple of months.  Is that OK?  If not, what is plan B?
  • How are you going to communicate about it.
  • MUTUAL AID – this one is easier for non-profits and the public sector, still it is worth considering.  Davidson County received offers of assistance from the nearby City of Lexington and from Rowan County as well as the North Carolina Association of County Commissioners.  And they are talking with Mecklenburg County – that went through the same ordeal recently.  When I was in college in upstate New York (this was in the dark ages before the Internet), the volunteer fire departments up and down the Finger Lakes would invoke that mutual aid using fog horns that traveled across the lakes for miles.  A particular  burst meant that this fire department or that needed help.  It was a life saver, literally.  Maybe it is with a customer or a business partner or an investor.  You may not need the aid, but having it available could make a huge difference.

Ultimately, having a plan and testing that plan is hugely important.  Don’t hope it won’t happen to you.  That might be the case, but then again, it might not be the case.  Will you be ready if it happens to you?

Information for this post came from the Dispatch and Greensboro.com

New York Figured Out How to Make Cyber Security a Board Issue

On February 15, 2018 a milestone event occurred in New York.  For financial institutions licensed in New York (there are about 3,000 of them), The Chairman of the Board, CEO or some other similar executive had to personally sign a document and submit it to the State of New York.  The document says that the signer has personally reviewed documents, reports, certifications and opinions of such officers, employees, outside vendors and others as necessary to ascertain that the institution is in compliance with the New York cyber security regulation known as DFS 500.

While the law only applies to the roughly 3,000 financial institutions licensed in New York, it actually will have a much wider impact that I will explain in a  minute.

So, right now, for the first time ever, executives of New York financial institutions have to personally sign a document that says that they both understand the law and are in compliance with it.

During 2017, the period covered by the attestation, the law is relatively simple.  Conduct a risk assessment;  create a cyber security program, appoint a CISO and a few other things, all of which are good generally accepted cyber security practices.  Not easy.  Not cheap.  Not without organizational disruption.  But possible.

BUT, if the Board thinks they can rest easy, they shouldn’t.  The law is being phased in over two years and this period only covers the first part of the rules.  The document that they will have to personally sign next February (technically the same document but different requirements to be “in compliance”) will require much more work on the part of the organization.

While there is an exemption for very small organizations, even that is only a partial exemption.

There is another set of requirements coming due March 1st and again more requirements that need to be in place by September 1st, so 2018 will be a busy year for those folks.

But remember I earlier said that the regulation will impact way more than those 3,000 licensed financial institutions?  Here’s why.

The part of the regulation that financial institutions have the most time to  implement is the part that will be the hardest to implement.  These 3,000 organizations have to implement a vendor cyber risk management program.  We have some smallish clients (say 400 employees) that have around a hundred vendors each that this will impact.  Larger organizations, like the big banks, might have a couple thousand vendors.

Basically, all of their vendors, if they want to continue to be vendors to these New York licensed financial institutions, need to implement a similar cyber security program to what the financial institutions are implementing now.

When it comes to which vendors it impacts, it probably doesn’t impact the corner deli delivering lunch or even the office supply store, but it could impact the janitorial company and it certainly will impact all vendors that the institution shares data with.

My guess is that this will impact somewhere between a quarter million and a half million businesses.

That is, through all the whining, a good thing.

We know that other states are looking at what New York is doing.  Vermont and Colorado have implemented a piece of it already.  California is likely to be number two for implementing the whole enchilada.

For those people who thought that New York was going to back down – apparently not.

Congratulations New York at getting the Board’s attention.  Forcing the CEO or Chairman to sign his or her name to a legal document that carries significant financial penalties is often effective at getting people’s attention.

I think other states were waiting to see if the New York regulators would fold.  At least so far they are not folding.  Stay tuned.

What could be next is significant fines.  No one knows what the regulator is going to do next, but the indications are that Maria Vullo is out to make sure that people understand that she is not to be messed with.  You don’t follow these rules at your own peril.

What this means for vendors that sell into the New York financial services space is that now is the time to check out the regulation and start making the changes – ahead of when your customer tells you that either you get with the program or they will find a vendor that will.  It is always easier to do it under your own timeline.  But don’t wait too long to start.  They will be coming for you sooner than you think.

Information for this post came from Cyberscoop.

Malicious Cyber Costs US $50 to $100 Billion Plus a Year

The White House (Council of Economic Advisors) released a 62 page report today detailing the cost of malicious cyber activity in the U.S. in 2016.  The White House says that the cost was between $57 Billion and $109 Billion for that one year.  That’s billion with a B.  The report is available here.

The report says that damages from cyber attacks and cyber thefts may spill over to economically linked firms from the original target, magnifying the damage.  In English, this means that if Target is hacked and their sales go down, it affects their entire supply chain.

They say that companies are not comprehending the costs external to their organizations (like to you and me) and as a result, they are under-investing in cybersecurity.  That is because, due to the nature of the laws, the company that gets hacked doesn’t really bear most of the costs.   For example, after the Target breach – way after – they settled the consumer class action lawsuit for about $30 million.  If there were 50 million victims, that means each victim gets about 60 cents.  For a company the size of Target, that $30 million payout may be considered a cost of doing business.

If we look at the law that goes into effect in May in the European Union, the fine from the regulators alone, worst case, might be $2.8 billion (4% of revenue of $70 billion).  Compare that to $30 million for that one lawsuit or $250 million overall.  We don’t know what the regulators are going to do, but they are making noises about making examples of people.  If Target or other companies faced a risk of a $2.8 billion fine, the economics of cyber security change quickly.

The report also says that attacks against critical infrastructure (such as power or energy) could be highly damaging to the economy.

Rick Perry, former governor of the big oil producing state of Texas and now Secretary of Energy says that the DoE plans to create an office of cybersecurity, energy security and emergency response.

Given the impact to the country in the case of hackers creating massive power outages or energy distribution failures and the cost to the businesses in Perry’s home state, it makes sense that he is doing that.  How they plan to fund that is unclear.  There is $96 million for it in President Trump’s proposed 2019 budget, but people are saying that budget is dead on arrival at The Hill. So, Perry can create the office, but, for now, the only way to staff it would be to steal people from other parts of the agency.  Given that the agency has a $30 billion annual budget, it is possible that there could be some waste there that Perry could clean up to create funding for this idea.  Maybe.

Of the report’s 62 pages, a little over two pages (45-47) are devoted to  thoughts about possible ideas regarding improving cyber security.

While the report doesn’t say so, maybe the White House will propose some legislation or regulation reqarding improving cyber security sometime in the future, but for now this report is merely meant to put some specifics on what we already know – that malicious cyber activity is costing us a fortune.

Information for this post came from the White House web site.


Private Facebook Posts May Not Be So Private

This is not Mark Zuckerberg trying to extract a few more cents out of you by pushing more ads to you – in fact, Facebook really doesn’t even have much of a say in this.  It is not even a Google thing.

Still, it is useful to understand.

In the case of a Manhattan woman who was disabled in a horseback riding accident, the courts have ruled back and forth.

The woman is blaming the trainer and horse owner for fitting the horse with a defective stirrup.  The case is unusual because usually equine trainers have no liability for accidents, based on the law.  In this case, the rider, who suffered brain and spinal injuries, is claiming negligence.

The trial court ruled that the woman had to provide both Facebook posts and photos from both before and after the accident during discovery.  The trainer is trying, I assume, to determine if the disabilities prevented her from doing the things that she did before the accident and turned her into a recluse, which is what she is claiming.

The trial court did exclude any nude pictures from having to be disclosed.

But then the appeals court reversed the trial court and said that she did not have to produce that information.

But now the full appeals court, by a vote of 7-0, said that the trial court was correct and that the information did have to be produced.  This court is the state’s highest court, so it is not clear if there is any further appeal avenue available.

The appeals court did acknowledge that the posts were private, but said that did not allow her to avoid discovery.

For users, there is a warning here.  Do not assume that anything that you post online, even if you think it might be private, is really private.  I am sure that this woman did not think about the implications of her Facebook posts during a trial.

But there is a simple answer – if you want it to be private, do not post it.  Don’t even put in on Google photos or Microsoft One Drive.  If you make it accessible to an Internet provider, it is likely disclose-able.

Information for this post came from Reuters.

FBI, NSA, CIA Say Don’t Use Huawei, ZTE Phones

The heads of the intelligence community – NSA, CIA, FBI and the Defense Intelligence Agency, appearing in front of the Senate Intelligence Committee, said that Chinese smartphones posed a threat to national security.

Exactly why they singled out those two Chinese phones, compared to the iPhone, which is likely made in the same factory, is not clear.  It would seem that two phones, made in the same factory by the same people would have a similar security risk, but apparently not.

FBI Director Chris Wray said that it was because Huawei and ZTE are beholden to the Chinese government.  I would think that Foxconn, who, for example, makes TVs for Sony and others, Cisco networking gear, HP and Dell computers and Nintendo games would also be beholden to the Chinese government in a very big way.

I suspect there is classified intelligence that they are not sharing that explains why these two companies are being singled out.

The concern, they say, is that these devices could steal information or conduct undetectable surveillance using the phone’s user.

AT&T was going to going to sell Huawei phones but magically decided not to last month.  No doubt these same agencies explained to AT&T why that was not a good plan.

Ultimately, everyone has to make their own decisions, but there are plenty of phones made in Korea, which seems to be a more friendly locale.  There are no phones made in the United States.

Apple and others do buy some parts in the US, like glass from Corning,  but those parts are then shipped to China to be assembled.  Apple is looking at assembling some phones in the US, likely for the PR value, but doesn’t actually do that.  Even if they do, since iPhones represent less than 15% of smartphone sales, that will still mean that 80% to 90% of smartphones are manufactured in other countries.

Information for this post came from CNN.

Consumer Reports Says Smart TVs Vulnerable to Hacking

Consumer Reports says that Smart TVs by Samsung and multiple brands that are powered by Roku are vulnerable to hacking.

While this particular hack won’t empty your bank account, it will allow the hacker to change the channel, volume and other settings.

What is even more interesting was the two vendor’s response to being contacted by Consumer Reports.

Samsung said that they would fix the problem as soon as technically feasible.

Roku said that it was feature;  that they published an interface to allow third party developers to control your TV and it didn’t compromise your Roku account on their server (which no one said it did).

Then they went further to say that you could disable that feature by clicking on SETTINGS, then ADVANCED SYSTEM SETTINGS, then EXTERNAL CONTROL, then DISABLED.

Call me dumb, but why wouldn’t you ship the system with that feature disabled and then allow the small minority that want to allow hackers or other third parties to control their TV to turn it on?

Separately, Consumer Reports said that all these TVs raise privacy concerns by collecting very detailed information.

Besides collecting all your viewing data and selling it, many have microphones and collect audio all the time.

Vizio paid a multi-million dollar fine last year for failing to disclose that feature.  Now Vizio says, in the manual, do not discuss anything sensitive in the same room as the TV.  Nice.

Consumer reports does say that you can limit the data collected by the TV by disabling the features you paid extra for when you bought a smart TV.  In other words, if you turn the smart TV into a dumb TV, it won’t collect data.  Or be very smart.

You could replace your iPhone with a rotary dial land line to improve security also, but that kind of misses the point.

Information for this post came from CNET.