New York is a major target for cyberattacks, as are state governments in general. You may recall that a New York dam, specifically one in Rye, New York, and numerous banks were targeted in a nation-state hacking attempt by Iranian hackers. This was one of the few attacks on physical infrastructure via the Internet, and it could have been life-threatening.
Atlanta is an example of a state that has been targeted extensively of late. First, ransomware cost the city of Atlanta many millions of dollars, plus lost data and productivity. That was last year. This year, Jackson County got hit with ransomware, and it cost them $400,000!
With this in mind, it is worth noting that New York State continues to be a huge, juicy target for nation-states, organized crime and any hacker who wants to make a lot of money or gain notoriety.
Thankfully the state is not taking the threat lightly – Government Technology recently interviewed New York State CISO Deborah Snyder and much of the content is worthy of reviewing as you map out your own organization’s cybersecurity strategy – whether you work in Manhattan or Massachusetts.
Here are the excerpts we found most interesting:
Our cyber program builds upon well-established industry frameworks and practices (e.g., the National Cyber Security Framework and Top 20 Critical Controls). This assures it supports ITS’ mission of delivering secure, reliable and cost-effective IT services that meet our clients’ business priorities and compliance requirements.
Since ITS was formed, our team has grown to over 60 full-time security professionals, and investments in cyber have increased significantly. Part of this growth was simply due to the centralization of security resources as part of our continued efforts to transform and improve services delivery. This has been highly effective in driving standardized security processes and service delivery, to assure consistent performance and quality.
Part of it was making sure cyber security was firmly at the table in budget planning. Our approach was more a conversation about cyber as an element of enterprise risk management. We provided relevant examples of the growing risk of cyberattacks, and associated costs of incidents and breaches. We also examined and tracked spending in ways that provided a clearer picture of initiatives across the organization that support enhancing security. In other words, better understanding what we were spending beyond just my office’s direct costs.
We developed mechanisms to factor the cost of security activities into project planning and forecasting, improving our ability to integrate consideration of security requirements into overall costs, scope and schedule.
While we certainly considered what others are spending on cyber security as a percentage of overall spend, particularly other states, it wasn’t used as a yardstick for what we need to spend. We looked at our overall security posture, and what we were spending and where, from a price, performance and capability maturity point of view -- did we have the required capabilities, capacity, level of readiness and resiliency that we need, or were there areas where we needed to invest further. We also built performance and outcome metrics into our efforts. This helped us ensure capital requests and investments were evaluated based on performance and value.
The threats we see are really no different than any other large organization. NY State government, like other sizable public and private entities, relies on a large and complex technology environment to conduct its operations. ITS secures the shared technology services, statewide network, data, systems and critical infrastructure used by state and local government entities -- over 160,000 endpoints, 140,000 users and 4,600 applications, across a distributed and complex infrastructure.
Cyber-criminals and hackers are opportunistic. Attacks try to take advantage of your weakest links. They “live off the land,” trying to identify and exploit vulnerabilities in system hardware and software that has not been kept patched and up to date. If you closely examine “root causes,” the majority of breaches you see in the news today are the result of human error – social engineering, misconfigured systems.
We have seen our share of targeted social engineering attacks – e.g., phishing campaigns aimed at obtaining sensitive information and compromising business email accounts. We have also seen damaging malware attacks including ransomware that hit healthcare facilities and local government.
While industry reports indicate that ransomware dropped, and coin mining malware became the top means of monetizing attacks in 2018, I believe we are likely to see a resurgence in malware attacks in 2019, due to economic influences negatively affecting cryptocurrency values.
In terms of dealing with these threats, we’ve doubled down on assuring good cyber hygiene practices -- the essential measures that ensure a solid foundation for security. We also established a strategic roadmap for critical investments that will continue to enhance the State’s ability to protect data, systems and infrastructure, and strengthen our defense against next-generation cyber-attacks.
Critical success factors:
- Maintain an asset inventory so you know what you need to protect, and what state it is in.
- Control access based on a “need to know,” and assure strong user authentication. Deploy multi-factor authentication, manage your user accounts throughout their entire lifecycle – ensure proper identity vetting, background clearance practices, account provisioning and deprovisioning, and pay close attention to privileged accounts.
- Ensure secure configurations on hardware/software on servers, workstations/laptops and mobile devices.
- Continuously assess systems to identify and remediate vulnerabilities, reducing opportunities for attackers to target weaknesses.
- Monitor and analyze logs, and alert on suspicious events, to help swiftly identify, understand, respond and recover from incidents.
Prevention-focused technologies, improved web-browser filtering, and intrusion detection help strengthen defenses and security posture.
- Protect sensitive data - encryption is the best data protection assurance going, but also consider data loss protection (DLP), information rights management (IRM), automated monitoring for unauthorized access and transfer of sensitive information, and proactively alerting on/or blocking such activities.
- Enhance web browser and email protections to reduce opportunities for attackers to manipulate human behavior, by filtering and blocking malicious links and attachments. Deploy email authentication (trust) policies to reduce fraudulent email (spoofing) and potential financial and reputational risk.
Next-generation security platforms, automation, and standardization create efficiencies and cost savings. Streamlining threat analysis and incident response processes helps increase capacity and improve active response times.
Heuristics and AI-based solutions detect, alert on and/or block “anomalous behaviors” that exceed tolerances and send up red-flags. Segmenting networks helps isolate and more tightly control access to critical systems and highly sensitive data.
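The "email authentication (trust) policies" the CISO recommends are, in practice, published DNS records such as DMARC. The following is an added example, not code from the interview or this article, that parses a DMARC record and reports why it would still let spoofed mail through; the domain names and records are constructed, and `_dmarc.<domain>` lookup is assumed to have been done separately.

```python
"""Evaluate DMARC policy records for spoofing resistance.

Added example (not from the interview or the article): parses the TXT-style
DMARC record an organization publishes at _dmarc.<domain> and reports whether
it actually blocks spoofed mail. The sample records below are constructed.
"""

# Constructed sample records: a monitor-only policy, a hardened policy,
# and a partially enforced one.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "hardened.example": "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                        "rua=mailto:dmarc@hardened.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings explaining why the record is weak (empty list = strong)."""
    t = parse_dmarc(record)
    findings = []
    if t.get("v", "").upper() != "DMARC1":
        return ["missing or invalid v=DMARC1 tag; receivers will ignore the record"]
    policy = t.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=none (or missing): spoofed mail is reported but still delivered")
    if policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is flagged, not rejected; move to p=reject")
    pct_raw = t.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing messages receive the policy")
    # sp (subdomain policy) defaults to p when absent.
    if t.get("sp", policy).lower() not in ("quarantine", "reject"):
        findings.append("sp is weaker than p: subdomains can still be spoofed")
    if "rua" not in t:
        findings.append("no rua address: no aggregate reports, so abuse goes unseen")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess_dmarc(record) or ["OK: enforcing policy"])
```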
The interview is well worth a read – it’s a great blueprint for organizations, local, state and the federal government alike.
We hope you find it useful.
Every company is a potential target and should use a phishing simulation tool which tests employees by sending safe phishing emails. When employees click, they are then presented with educational material which helps them learn what to avoid.
One alternative, Phish360, is so effective that it has achieved an almost 100% click rate when used in various organizations.
To ensure your organization is safe – even if you have internal IT, hire an experienced MSP or MSSP like Apex Technology Services.
It’s a dangerous world and it is getting worse. Every company must be proactive to stay secure.