Cybersecurity and Local Governments
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
In the Meadow, we do business with the town offices. Margie is there to collect our water, sewer, and trash payments with a smile on her face. The town collects certain information as part of its standard operating procedure. We have also, unfortunately, become aware of phishing emails. Just last week, Mayor Jerry thought he was receiving an email from his grandson with birthday pictures. It turns out the surprise wasn’t only at the birthday party. After hours of frustration, his computer was back on track.
The town of Christiansburg is set up much like any other town with these services and functioning to collect fees. The town was targeted and was successfully attacked with a phishing campaign. The attack was discovered on October 26, 2018. The attack for this to be successful only took three staff email accounts to be compromised. The phishing emails were sent in May, June, and September 2018. The subject email accounts contained personally identifiable information (PII) for the affected parties.
Not all the residents of the town of Christiansburg were affected. There were 909 residents affected by the compromise. As of November 2018, the town was not aware of the data exfiltrated being fraudulently used. This, however, brings up a good point. The town wouldn’t necessarily know there is an issue. The town does not have access to all 909 person’s credit reports and other areas where the data could be misused. There is also not necessarily a shelf life for the data. This could be used this week, next month, or next year. The data, for the most part, won’t change. The person may move, however, unless they know there is a problem, prior to reporting this the attackers could use their credit card numbers or other pieces of data.
After the attack had been detected, the town contacted law enforcement and reported the compromise. The town also sent letters to the 909 persons affected by the compromise and are paying for the credit monitoring for the affected parties. For the staff, their login information was changed. As a preventive measure, there has also been additional training for the staff. The prior password convention appears to have been weak and has been updated to a more secure format. To test future potential phishing attempts, the town also is conducting their own phishing tests to raise awareness.
Cybersecurity is not merely a session of mental gymnastics after a compromise. This should be regularly scheduled training with lively, relevant material. When the stale recording that is shown year after year is presented, no one truly cares as the complacency grows.
The phishing training continues to be exceptionally important. The ease of use with the attack and success rate make this the attack of choice. These attacks will continue in numbers and depth as they continue to be successful on the many different levels.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
Gangloff, M. (2018, November 30). Christiansburg offers free credit monitoring after data breach. Retrieved from https://www.roanoke.com/news/local/christiansburg/christiansburg-offers-free-credit-monitoring-after-data-breach/
NRV News. (2018). Free credit monitoring after data security incident. Retrieved from https://nrvnews.com/free-credit-monitoring-after-data-security-incident/
Romano, A. (2018, November 29). 900+ residents’ information compromised in town of christiansburg data security breach. Retrieved from https://ww.wdbj7.com/content/news/900-residents-501601722.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.