If you’re an IT professional concerned about malware protection and data security in government, this 50-minute webinar Learning from Atlanta: 5 Steps to Securing Government IT is certainly worthwhile.
Atlanta, the capital city of Georgia in the southern U.S., is famous for many things: the Braves, Falcons, and Hawks pro sports teams; one of the world’s busiest international airports, Hartsfield-Jackson; Margaret Mitchell’s Gone with the Wind; and native son Martin Luther King, Jr.
Unfortunately, the city also made headlines earlier this year when a ransomware attack locked up critical systems and applications.
Writing for Wired.com on March 30, 2018, Lily Hay Newman reported:
“For over a week, the City of Atlanta has battled a ransomware attack that has caused serious digital disruptions in five of the city’s 13 local government departments. The attack has had far-reaching impacts—crippling the court system, keeping residents from paying their water bills, limiting vital communications like sewer infrastructure requests, and pushing the Atlanta Police Department to file paper reports for days. It’s been a devastating barrage—all caused by a standard, but notoriously effective strain of ransomware called SamSam.”
About three weeks later, Newman reported:
“The City of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack the destabilized municipal operations last month. … So far, the recovery has been far more costly than the initial demand.”
Key Points from the Webinar
In the “Learning from Atlanta” webinar, co-host Chris Goettl, Director of Product Management at Ivanti, explains that unlike most ransomware, there were actually no phishing campaigns involved in this particular SamSam attack.
“The SamSam ransomware was developed around using other attack vectors through vulnerability exploits and through, you know, either password guessing or using other capabilities to match passwords to further the attack. And they also went as far as to keep on pushing the attack along as they went … taking on more of a behavior of an advanced persistent threat, what you’d normally see in more of a data breach scenario.
“So, utilizing a tool (JexBoss) that a security team would legitimately be using to test against an application framework, the attackers were able to probe into the public-facing Java servers, find an exploitable system, and that JBoss application server (Java development environment) became a remote access Trojan for the attackers. … They were able to find ways of exploiting vulnerabilities in these Java environments that had updates available for them prior to this event, but they weren’t being maintained.
“From that point, the JBoss application server became that external access point. From there, attackers used that platform as a remote access Trojan to allow them access to the broader environment.”
Eliminate the Common Threats
Goettl says there’s just no way to be “100-per cent guaranteed secure. … What you can do though is eliminate the common threats—you can mitigate the majority of risks. … Doing these things well, you can mitigate or eliminate 85 per cent to 95 per cent of common cyber threats, which were utilized in this [City of Atlanta] attack.”
What he’s talking about encompasses an effective defense-in-depth approach:
- Employee training and awareness, which is critical to reducing the impact of phishing and other attacks
- Discovery—knowing what’s in your environment so you can protect what’s authorized and eliminate what isn’t
- OS and application patch management
- Effective privilege management that limits admin rights but provides short-term permissions as needed so users can do their jobs
- Application control—making sure you’ve blocked the applications you can’t patch and provided zero-day protection
- Advanced reporting, customized to each role, for insight into issues and a quick gut check of your security posture
Goettl continues, “One of the biggest problems with solutions today is trying to deliver this level of security while balancing it with the user’s needs. Most security controls fail to succeed in an environment because the business has been crippled or the user experience is so painful that the business decides to throw that security control out. And you know, if you go back in time to your first fond memories of trying to implement software whitelisting, you’ll probably understand very clearly what I’m talking about.”
With Ivanti you can take a full admin back down to a regular user, and provide escalation of privileges where and when needed, from access to install applications, install a printer, use PowerShell, or whatever the user may need, but nothing more than what that user should have. Or you can take that full administrator and strip away the things they should not have access to. Take PowerShell away, or access to specific capabilities.
Goettl concludes, “What Ivanti offers, combined together, would have been a significant barrier to the success of the attack on the City of Atlanta, and it represents a starting-point foundation for any security program you want to implement.”
This article was originally published here.