Lessons from Suffolk County’s Ransomware Attack

/ Categories IT Security Best Practices / by

In September 2022, Suffolk County, New York, became the victim of a ransomware attack carried out by the AlphV/BlackCat group. This incident crippled government services for months, disrupted emergency operations, and cost the county over $25 million in remediation. A recent legislative report offers cybersecurity lessons for municipal governments by revealing the failures that exacerbated the attack’s impact. Here’s how these insights can be applied to improve cybersecurity protocols within local government structures:

Chief Information Security Officer (CISO)

The absence of a CISO in Suffolk County left the IT systems disorganized, with various departments operating independently. Without a centralized figure to oversee security protocols, threat responses were delayed or mishandled. Every municipality should appoint a CISO responsible for overseeing the cybersecurity framework, implementing policies, and ensuring communication between departments. This role is important for implementing a defense strategy where multiple IT teams manage different areas of government operations.

Cyber Incident Response Plan

The report explains that Suffolk County lacked a cyber-attack response and recovery plan. This omission led to confusion and delayed remediation efforts, as staff across departments were unsure of how to coordinate their efforts. All municipal governments must have a well-rehearsed incident response plan. This plan should include roles, escalation processes, and actions for both internal IT teams and third-party vendors. Training and table-top exercises will ensure stakeholders are familiar with their responsibilities during an incident.

Firewall Management and Updates

One issue in Suffolk County was the creation of a pass-through in perimeter firewalls for the Clerk’s Office. This allowed suspicious data traffic to bypass security controls, exposing the entire county to risk. Several firewalls had also reached end-of-life status, meaning they were no longer receiving security patches. Firewall rules should be tightly controlled, and no exceptions should be made without documented risk assessments and approvals. Municipal IT teams must also establish upgrade schedules for firewalls and other security infrastructure, ensuring no systems remain unprotected due to outdated software.

Monitoring and Threat Detection

Although Suffolk County used Palo Alto Networks’ Cortex platform to monitor network activity, alerts were ignored or not acted upon effectively. In the months leading up to the attack, the system generated alerts indicating potential malware, which were never escalated. Invest in monitoring tools to detecting anomalies and potential threats. The technology itself is not enough, as organizations need their staff fully trained to analyze and act upon alerts immediately. Automated response systems that can isolate threats before they propagate may be effective here.

Response to External Warnings

The FBI warned Suffolk County about suspicious activity in June 2022, yet the county failed to act decisively. This ignored warning likely contributed to the success of the ransomware attack months later. Never ignore or delay responding to warnings from external agencies such as the FBI, CISA, or other cybersecurity experts. Municipal governments should have a direct line of communication with federal and state cybersecurity entities and respond to any threat intelligence they provide.

Audit IT Infrastructure for Vulnerabilities

The vulnerability that led to the Suffolk County breach was linked to Log4j, a well-known vulnerability in a widely-used open-source logging library. While Suffolk County had attempted to patch the issue, remnants of the vulnerability remained unaddressed. Conduct thorough audits of all IT infrastructure, with a focus on patch management. Implement automated patch management systems to ensure that vulnerabilities like Log4j are addressed across all departments. Penetration testing and vulnerability assessments will also help identify weak spots in the network before cybercriminals can exploit them.

Educate and Train IT Personnel

Interviews from the report revealed that Suffolk County’s IT security team lacked sufficient training, leaving them overwhelmed by the volume of alerts. A lack of training in tools such as Palo Alto’s Cortex left threats undetected.Municipal IT staff should undergo education and training on cybersecurity technologies and best practices. Certification programs and vendor-specific training can allow teams to manage security platforms and respond to incidents with confidence.

The Suffolk County ransomware attack reminds us of the importance of cybersecurity measures in municipal governments. Applying basic principles like appointing a CISO, enforcing audits, establishing response protocols, and providing continuous training is how local governments can protect themselves from the threat of cyber-attacks.

Image credit: Andrey Popov, AdobeStock

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has focus on data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone
Twitter

Related News

Stay Connected

  • Twitter
  • LinkedIn
  • Reddit
  • Mastodon

Subscribe

*Our Privacy Policy and Terms & Conditions