Read the book Cyber Mayday and the Day After - Daniel Lohrmann - Page 16
FREQUENT RANSOMWARE ATTACKS PROMPT RESPONSE CAPABILITY ENHANCEMENTS IN NEW YORK STATE
One thing that Dan learned from his high school football coach is that you can't keep doing the same things over and over and expect a different outcome. This has proven true within the cybersecurity community over the past decade, as the frequency and impact of ransomware attacks have forced incident response teams across the globe to change their strategies and tactics. One set of ransomware stories, and how the affected organizations adapted, comes from the former CISO for New York State government.
Deborah Snyder is a senior fellow at the Center for Digital Government, and she has a distinguished career in cybersecurity, most notably as the CISO for New York State until her retirement in late 2019. Deb has a wealth of helpful stories regarding cyber incident response with many practical implications. Specifically, she shared the following ransomware stories.
In the early hours of Sunday, April 9, 2017, Erie County Medical Center (ECMC), a 550-bed hospital in Buffalo, New York, was hit by a cyberattack. Staff noted a digital ransom note on a hospital workstation that demanded $44,000 in Bitcoin cryptocurrency for the key to unlock the hospital's files. Hackers had encrypted ECMC's data, impacting over 6,000 hospital computers.
When a ransomware attack hits a healthcare provider and brings down its computer systems, it can cause significant and life-threatening disruptions, interfering with patient care and public safety. The attack forced ECMC to shut down email and its website, and resulted in a six-week outage of its electronic health records system. To avoid further damage, ECMC reverted to paper records and processed patient admissions, prescriptions, and other tasks manually for weeks. The FBI investigated, and a cybersecurity firm was brought in to support forensics and recovery. The New York Office of Information Technology Services (ITS) and Cyber Incident Response Team (CIRT) staff provided security guidance and support to the state department of health in protecting state systems and assets used by the facility. This incident was a wake-up call for many, as it dramatically highlighted the implications of interconnected systems and third-party access, and helped everyone involved grasp the serious potential for collateral impact. While ECMC did not pay the ransom, the attack still came with a hefty price tag: nearly $10 million in hardware, software, response assistance, overtime, and other related expenses.
In another event, on August 30, 2017, the New York State Cyber Command Center (CYCOM) received a call indicating that Schuyler County had fallen victim to a sophisticated ransomware attack. The New York State CIRT team was immediately activated, and an investigation confirmed that the attack involved SamSam, the same ransomware variant ECMC had experienced. SamSam is typically deployed by first compromising servers and then using them to move laterally through the network and compromise additional devices. Given the technical and programmatic touchpoints between state and county governments, the state temporarily cut the county's network connectivity and its access to state networks and applications to prevent the infection from spreading. Disruption to the county's 911 center, and the resulting risk to public safety, was a major concern. This incident illustrated the potential for cyber events to significantly impact public safety operations (fire, emergency medical, law enforcement, emergency communications, and other public safety partners), which in turn would directly and negatively affect the health and safety of the communities they serve. Fortunately, while some enhanced functions, such as integrated mapping, were impacted, the county was still able to receive and dispatch calls.
These incidents, along with the Equifax breach disclosed in September 2017 that compromised personal data of 143 million Americans, including 8 million New Yorkers, served as a catalyst for formalizing comprehensive cyber disruption protocols. Coordinating resources, reporting, and response efforts across all involved state agencies (the Office of Information Technology Services, the New York State Intelligence Center, and the Division of Homeland Security and Emergency Services) enabled better defenses against cyber threats, protected citizens and government assets, and assured a coordinated, whole-of-state response to cyber incidents.