If technology is an optimistic concept, keeping it secure comes coupled with pessimism. Indeed, in a social climate where private- and public-sector entities alike routinely make headlines when their defenses are breached, it has become increasingly clear that keeping a digital infrastructure safe is an arduous task at best and an endlessly challenging one at worst. No matter how many resources an organization pours into preventing attacks, no matter how much effort they put into creating response plans before an event occurs, the potential for a breach to occur will always be there.
That does not mean first responders can give up on their information security efforts or avoid every technology that could introduce risk, however. Just as the constant threat of danger requires police, firefighters, and emergency medical technicians to offer a combination of preventative and reactive services, the inherent risks that come with using technology require a similar philosophy: do everything you can to stop a digital security event from happening, while preparing for the possibility that it might happen regardless.
Similarities between private-sector and first responder organizations could explain susceptibility
Turning back to the topic of private-sector hacks and attacks, it is easy to understand how first response departments may be at increased risk for digital attacks, particularly those departments with fewer resources at their disposal. As one Ponemon Institute study notes, some fifty-five percent of small and midsize business respondents claimed to have “experienced a cyber attack [sic] in the last 12 months,” with fifty percent reporting that they fell victim to a data breach in the same timeframe. While higher-profile, higher-revenue organizations like Wendy’s can, and do, still suffer noteworthy security events, cyber-criminals are no longer solely interested in large targets and the comparatively large illicit gains they bring.
Operating like small and midsized businesses, first response organizations may not have as many resources to spend on adequate security measures: personnel, outside consulting, software, hardware, and other features designed to hold back breaches and attacks. While these first responders do ostensibly have more oversight than the average private-sector company might, this point is moot if reinforcement for digital security is not there to begin with. California, for example, recently made news when the state auditor discovered “73 of 77 agencies [queried in a survey] were not in compliance […] with information security standards.”
Hacker motivations also play a major role in the scope and variety of attacks
Relatively small dollar amounts account for some of the biggest cybersecurity headaches emergency responders face. Enter ransomware: malicious code with a surprisingly effective path to police, fire, and emergency medical department pocketbooks. The malware surreptitiously encrypts data, locking up critical files and slowly rendering entire computer systems unusable until a small ransom (sometimes in the low hundreds of dollars) is paid or other solutions are found. Incidents of this type are on the rise across all sorts of governmental computer systems, including police, fire, and EMS. One report claims ransomware hackers made well over $200 million in the first quarter of 2016 alone.
Other attacks have nothing to do with a hacker’s desire for money. The rise of hacktivism, in which attackers deploy various security-busting methods to express some sort of political displeasure, has been of serious concern in an era marked by social strife, as one Government Technology piece notes. While either breed of attack can come from a focused group, hacktivism attacks are particularly reliant upon it. Distributed Denial of Service (DDoS) attacks, a major tool in the hacktivist’s arsenal, attempt to shut down various web properties or other network-based tools (IP phone services are another popular target) by overloading the target with malicious traffic. Other attacks, like SQL injection, play out like a gradual game of deduction, meaning larger groups have a better chance of reaching a breaking point that springboards the movement to larger, nastier attacks.
Hackers rarely fit into molds when it comes to their means and ends. The sheer variety of motivations and attacks can make it increasingly difficult to defend against them. For instance, financially motivated attackers may deploy a combined “DDoS ransom” attack to extort a given entity into compliance. When one breed of attack requires skilled knowledge of encryption tactics to overcome and another centers on advanced networking knowledge, making on-the-fly adjustments after the fact can be a stressful proposition.
Prevention and planning: The keys to successful security
Here is where the proper security philosophy of “Do everything you can to stop a digital security event from happening, then assume it will anyway” comes into play. Building a smart, thorough, policy-based response plan for breaches and attacks is crucial, but a well-rounded security plan centers on stopping every security event before it gets to that point.
To be clear, no set of preventative tasks can fully safeguard against digital attacks. This is due in part to the varied nature of technology, the misguided creativity of hackers, and numerous other factors beyond the individual organization’s control. However, the right set of actions can drastically reduce that organization’s chances of attack.
Take ransomware, for instance. Though seeing an image file with payment instructions tucked away in some hidden directory can be an agency’s worst nightmare, overcoming the problem is often as simple as performing daily backups and making sure all hardware and software touching the network/internet are up-to-date. The same simple action can help prevent denial-of-service attacks – some networking components can be patched with features that help fight malicious overloading – and countless other exploits hackers may deploy. Frequent backups are also good for general uptime and access in the case of ransomware and other malware attacks, since they allow the organization to temporarily move a “snapshot” to backup hardware while the afflicted devices are properly sanitized.
Older websites and web apps (an outdated crime map or online Contact Us form hosted by a police department) can also serve as weak links for attackers to abuse. Legacy code, as it is often called, does not offer up-to-date security features or exploit fixes, potentially opening it to attacks a newer system would brush off with ease, like SQL injection and other injection attacks. Organizations that manage their own web presence may wish to give this concern particular attention; if the department’s site is part of a larger network of municipal sites, calling it to the attention of the appropriate webmaster or IT department may be wise. Departments may not have much need to update an old site once the basic information is created, and an IT employee (whether they are a fellow officer or part of a “civilianized” role) may not think to address such an obscure attack vector until it is too late.
Exploring, updating vendor rules and relationships further bolsters digital security
Financial losses are a primary concern when an organization endeavors to improve its cybersecurity efforts, but reputational damage can take a serious toll in the aftermath of an event as well. Whether or not police, fire, EMT, and other departments consider these losses in terms of “brand damage,” there is no doubt a breach can have a lingering effect on public perception and trust.
Compounding this is the fact that the proverbial buck usually stops at the public-facing organization after a breach, regardless of true responsibility. This makes proper vetting and ongoing evaluation of any third-party vendors who process payments or personally identifiable information an absolute must, considering the sheer number of data-sensitive tasks a given organization may contract out. A breach involving a Philadelphia fire department illustrates this point: though the department could point to the vendor (and the vendor itself could point to the individual criminal action of the employee who stole the information), there is no tactful way to completely shift blame or accountability, and the fire department still shouldered extra work and expense due to the company’s actions.
Handling this concern largely comes down to the stage of the business relationship. Organizations concerned about security but not actively hunting for a vendor, for example, may wish to update their requirements for future engagements or ask the city to do the same if the decision is beyond their direct control. Language requiring secure behavior, setting concrete dates for security reviews, and establishing and clarifying direct lines of contact for security concerns may be helpful. Organizations approaching renewal time with an otherwise satisfactory vendor, however, may wish to stipulate extra security requirements in the renewed agreement.
Ultimately, security is not a single discipline or area of focus any more than it is something that can be totally controlled or managed. Treating it that way will only result in disappointment, stress, and expense when the inevitable breach does surface. However, knowing what to look for, why it happens, and the basic steps of staying secure are enough to put emergency response organizations ahead of the curve without overcommitting financial or human resources.
Sources
- When hackers cripple data, police departments pay ransom
- How to Hack the Police: Vigilante Hacker Publishes Online Tutorial Video
- FBI: Incidents of Ransomware on the Rise
- Technology Is Playing an Expanding Role in Policing
- Hackers post private files of America’s biggest police union
- The Most Vulnerable Ransomware Targets Are the Institutions We Rely On Most
- One Year After OPM Data Breach, What Has the Government Learned?
- 2015 Cost of Data Breach Study: United States [PDF]
- OWASP Top Ten Project