Cybersecurity: I thought we had a policy for that!
Anyone within earshot of Maryland, Washington D.C., and Virginia has heard of the ransomware attack on the City of Baltimore by a group who refer to themselves on Twitter as RobbinHood. This attack has already cost the city millions of dollars and subjected those who rely on the city for services to countless hours of hardship.
The attackers who hit Baltimore did not need to develop a zero-day exploit, invent new tradecraft, or pull off a masterstroke of social engineering. The Baltimore attack exploited a well-known vulnerability for which a patch has been available for years. Baltimore is not alone; similar attacks have occurred in other major cities as well as in large government organizations and private-sector enterprises. In fact, most successful cyber attacks exploit known vulnerabilities for which a patch exists but was never applied.
Prevention is always the best approach. But when a cyber incident occurs, several critical questions should be asked, and answered, in order to understand why it happened and what could and should have been done to prevent it.
What personnel and security policies are in place to prevent (or deter) these types of incidents from occurring?
How well are those policies enforced and supported?
Was this a known issue that the Cyber/IT professionals brought to the attention of leadership prior to the incident occurring?
If so, what was the leadership’s rationale for not patching the systems?
What are the complicating factors that possibly prevented the systems from being patched?
When was the last time the city had an impartial third party conduct an assessment of all critical systems?
What actions did the city take based on those recommendations?
The answers to these questions lay the foundation for understanding and improving an organization's Cyber/IT security posture. In today's world, almost every aspect of our lives is intertwined with some piece of technology, which in turn must be constantly defended against those who would seek to compromise it and misuse the information they obtain. Organizations must invest the time and money to develop, implement, and follow a strong security policy.