PROTECTING AGAINST CYBERATTACKS: A GUIDE FOR PUBLIC SAFETY LEADERS
1 Protecting Against Cyberattacks A NOTE FROM THE CHIEF
One of the most prevalent changes in today’s As a result, fire leaders have a new task. fire service is the advent of technology, which Cybersecurity has become our collective quite literally has infiltrated every aspect of responsibility, not just the responsibility of our professional lives. our IT department. This publication intends to enlighten fire leaders about issues related Technology is keeping firefighters safer and to cybersecurity, including identifying better protected. For example, self-contained threats to departments and strategies to breathing apparatus (SCBA) not only weigh protect networks. much less today than in the past, but also include technology such as thermal imaging Fortunately, fire leaders don’t have to know cameras (TICs) and personal alert safety all the terminology, understand the details system (PASS) devices integrated directly into of how systems work, or know how to best the packs. protect those systems. Instead, leaders need to know how to ask the right questions. Firefighters have access to advanced Included in this publication are questions to technologies to improve firefighting ask your IT professionals, tips for building capabilities, such as compressed air foam a stronger working relationship with them, systems (CAFS) and positive pressure training strategies, and much more. ventilation (PPV) fans. Fire trucks are equipped with mobile data computer (MDC) software, Do not wait until it’s too late to learn about portable radios that are actually mini- cybersecurity. Do not learn the lessons the computers, and have direct access to the hard and costly way. Just as fire leaders have data and information within computer-aided embraced technology to improve safety and dispatch (CAD) systems. operations, let’s tackle cybersecurity with that same passion and be instrumental in However, as the digital world continues continuing to protect our departments. to proliferate into our professional infrastructure, so does risk. Cyberattacks can Be safe, cripple these technological systems and jeopardize our ability to protect lives Sam Greif and property. Fire Chief of Plano, Texas Member, IAFC’s Terrorism and Homeland Security Committee
Protecting Against Cyberattacks 2 TABLE OF CONTENTS
SECTION 1: VULNERABILITY TO CYBERATTACKS
4 Agencies Under Cyberattack: Staying Ahead of the Hackers 8 Ransomware and Other Cyberattacks: How Criminals Are Targeting Personal Information
12 Technology is Changing Healthcare, But Not Without Risk
SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
14 11 Questions to Ask Your IT Department to Protect Against Cyberattacks
18 Tips for Improving Communication with IT 22 Preparing for a Cyberattack: Creating Contingency and Backup Plans 28 Tips on Training Adult Employees in the Workplace 31 Do’s & Don’ts of Online Activity
ABOUT THE PUBLICATION
American Military University produces high- has provided a forum for its members to quality, thought-provoking publications that exchange ideas, develop professionally and address important issues for professionals uncover the latest products and services who work in the fire service, law enforcement, available to first responders.” corrections, emergency response, and public health. To access our library of publications, A special thanks to the contributors who lent please visit InPublicSafety.com/library. their experience and expertise to create this magazine as well as IAFC’s Terrorism and This magazine was designed in collaboration Homeland Security Committee members for with FireRescue1 and the International their input. Association of Fire Chiefs (IAFC). IAFC represents the leadership of firefighters For questions, comments, submission and emergency responders worldwide. IAFC guidelines, or requests for print copies of this members are the world’s leading experts publication, email [email protected]. in firefighting, emergency medical services, terrorism response, hazardous response, Executive Editor: Leischen Kranick natural disasters, search and rescue, and Assistant Editor: Jinnie Chua public safety legislation. Since 1873, the IAFC
3 Protecting Against Cyberattacks SECTION 1: VULNERABILITY TO CYBERATTACKS
Agencies Under Cyberattack: Staying Ahead of the Hackers
Government agencies are conducting more and more services online, but they are struggling to stay ahead of hackers trying to steal valuable personal information.
This expansion and availability of PCs By Dr. Harry Cooper, Faculty Member, spurred the 1993 National Partnership for Cybersecurity and Information Technology, Reinventing Government (NPR), which was American Military University launched during the Clinton administration to review and reform how the government delivered services in the 21st century. It is The launch of personal computers (PCs) through the NPR that government agencies has significantly changed our world during redesigned their processes, enabling basic the past three decades. Computers, tasks—such as electronic benefits transfer, once restricted to use by corporations or access to government information, creation of government agencies, became accessible for a national law enforcement network, and filing use in the home. taxes—to go from lengthy in-person processes to simpler online processes.
Protecting Against Cyberattacks 4 From these humble beginnings, government Unfortunately, the government was forced services at all levels have drastically evolved. to play catch-up, as there was no federal law Today, almost all services handled by in place to prosecute such computer crimes. government can be accessed and It was not until 1986 that the Computer completed online. Fraud and Abuse Act was passed. Legislation continues to struggle to keep up with While this level of access is a great step technology. While numerous amendments toward bringing the government closer to its have been made to the Computer Fraud and constituents, it is not without significant flaws. Abuse Act over the past 30 years, it has not These flaws include government employees been enough to deter hackers, hacktivists, failing to adhere to policies and procedures phishers, scammers, nation-states, and many or not receiving proper training, both of others from committing acts of cybercrime. which can lead to compromised network systems. There is also a lack of proper funding for technology, security upgrades, About the Author and initiatives to protect systems, resulting Dr. Harry Cooper is an instructor in the STEM school at in potentially large breaches of improperly American Military University, focusing on cybersecurity secured information. and information technology with experience in both academics and as a practitioner. Dr. Cooper has Government Failing to Keep Up taught at various colleges and universities on a wide range of technology topics. Before entering academia, with Technology Dr. Cooper served as CEO/partner for Thimbleweed One of the earliest “hacks” against government Consulting and TWC Security. Dr. Cooper received took place in 1983 against the Los Alamos his D.Sc. in Cybersecurity from Capitol Technology University, where his research focused on the Mosaic National Laboratory by a hacker group called Theory of Intelligence, its role in today’s society, and “The 414s.” The 414s were six teenagers who how it has become available to most average users. He became some of the first “famous” hackers. also completed his M.S. in cybersecurity, intelligence, Part of their fame has been attributed to the and forensics at Utica College and his B.A. in political same-year release of WarGames, a film about science at the University of Pittsburgh. a teenager nearly launching World War III by unknowingly hacking into North American Aerospace Defense Command (NORAD).
5 Protecting Against Cyberattacks SECTION 1: VULNERABILITY TO CYBERATTACKS
TERMINOLOGY TO KNOW
Attack Encryption key An attempt to gain unauthorized access to A random string of bits created explicitly system services, resources, or information, for scrambling and unscrambling data. or an attempt to compromise system Encryption keys are designed with integrity. algorithms intended to ensure that every key is unpredictable and unique. Authentication The process or action of verifying the Firewall identity of a user or process. Hardware or software designed to prevent unauthorized access to a computer or Bot network from another computer or A computer connected to the internet network. that has been surreptitiously or secretly compromised with malicious logic to Hacker perform activities under the command and Someone who violates computer security control of a remote administrator. for malicious reasons, kudos, or personal gain. Encryption The transformation of data to hide its Malware information content. Software intended to infiltrate and damage or disable computers; shortened form of malicious software.
Protecting Against Cyberattacks 6 Pharming Spyware A cyberattack intended to redirect a Malware that passes information about a website’s traffic to another, fake site. computer user’s activities to an external party. Phishing Method used by criminals to try to obtain Trojan financial or other confidential information A computer program that appears to have (including usernames and passwords) a useful function, but also has a hidden from internet users, usually by sending an and potentially malicious function that email that looks as though it has been sent evades security mechanisms, sometimes by a legitimate organization (e.g., a bank). by exploiting legitimate authorizations of a The email usually contains a link to a fake system entity that invokes the program. website that looks authentic. Virus Ransomware Malware that is loaded onto a Malware that is a form of extortion. It computer and then run without the user’s works by encrypting a victim’s hard drive, knowledge or knowledge of its full effects. denying his or her access to key files. The victim must then pay a ransom to decrypt Worm the files and gain access to them again. Malware that replicates itself so it can spread to infiltrate other computers.
7 Protecting Against Cyberattacks SECTION 1: VULNERABILITY TO CYBERATTACKS
Ransomware and Other Cyberattacks: How Criminals Are Targeting Personal Information
Information breaches are often caused by personnel who unintentionally allow hackers to access private networks. Here are the methods hackers are using to mislead employees and steal sensitive data.
with examples of recent cyberattacks against By Dr. Harry Cooper, Faculty Member, organizations in the public sector, to better Cybersecurity and Information Technology, understand how cybercriminals are targeting American Military University governmental bodies, and what can be done to identify and protect against threats.
There has been a significant and steady Hackers Want More than Credit surge in online criminal activities. For the Card Information past decade, Verizon Enterprise Solutions has In 2008, hackers primarily focused on stealing released a yearly Data Breach Investigations payment card data. Verizon’s DBIR reported Report (DBIR) that tracks data breaches across that in 84 percent of breaches, credit cards all sectors. We can use these reports, along
Protecting Against Cyberattacks 8 were the top item of interest to hackers. be very convincing and presented in a way This is because it was very easy at the time that looks completely legitimate. For example, to monetize credit cards with little risk of phishing can appear to be real emails sent exposure to the perpetrator. Credit card theft from human resources asking personnel to was especially lucrative for organized crime update their beneficiaries on their retirement groups who orchestrated an estimated 50 plan or to submit their vacation schedule. The percent of all credit card breaches. goal of a phishing attack is to get personnel to provide sensitive personal information But organized crime groups are no longer just without questioning the request. after credit card data; they are after personally identifiable information or PII. This critical Malicious Files information often lives within government Another common tool used by perpetrators agency databases, so public-sector entities is malicious files. Malicious files come in are a highly desirable target. Their networked many shapes and forms, but the underlying systems hold valuable PII collected from tax goal is to get personnel to open a seemingly submissions, financial benefits, healthcare legitimate file often attached to an email. information, and more. Unfortunately, the malicious file contains more than what is expected; it includes The 2018 DBIR showed that of the 304 exploits that will infect the user’s computer confirmed data disclosure cases that it and install a backdoor malware that gives reviewed from the public sector, 55 percent the perpetrator complete access to the had been targeted for PII. Another 24 percent user’s computer, as well as the organization’s of cases were targeted for “secrets” that are network. Once a perpetrator has gained believed to also contain PII. access to a network through a foothold in a single machine, they work to gain access to Role of Personnel in and compromise other machines, servers, Security Breaches routers, and any other networked device. The DBIR determined that personnel are one of the leading causes of information breaches. What Happens After a Breach In the majority of these cases, personnel After accessing a network, the perpetrator are “unwitting participants.” An unwitting must decide what their end goal is for the participant is an individual who works for attack. They may choose not to take any an organization and carries out actions that, noticeable action in any of the machines they while seemingly legitimate or benign, actually have gained access to and instead passively enables a perpetrator to gain access to the monitor information flowing throughout the organization’s systems and data. network. This strategy allows them to spend time evaluating information to determine Phishing Attacks what is critical and valuable and then silently Perpetrators use many different types of collect, package, and exfiltrate data on a malicious tools to target personnel and carry schedule that matches periods of increased out their attacks. Phishing, for example, is network traffic in order to elude detection the act of getting someone to give up their from the organization’s IT department. credentials via an email solicitation. Phishing This type of an attack is called an Advanced attacks were used in roughly 74 percent of the Persistent Threat (APT). Because of the low- breaches reviewed in the DBIR. Phishing can key manner in which the malicious code acts,
9 Protecting Against Cyberattacks SECTION 1: VULNERABILITY TO CYBERATTACKS
APTs are capable of running for very long either release the encryption key or they may periods of time, from weeks and months to simply ignore the victim. It is estimated that even possibly years. only about 20 percent of organizations that pay actually get their files back unharmed. The other strategy a perpetrator might employ Many ransomware variants have bugs in the after a breach is to immediately strike. There code that corrupt the encrypted files, making are many ways for a perpetrator to harm an them impossible to be restored regardless of organization in extremely destructive ways, whether the organization has the key or not. such as wiping hard drives or blowing up industrial systems. Less destructive and more Citizens want their government to be more common actions include the use of malware accessible, but this comes at a price that and ransomware, which was used in 45 many would not have anticipated when percent of attacks. e-government systems were first developed. There is no perfect solution when it comes Ransomware to data security, and security measures Ransomware is a malicious attack against are often guided by risk assessments and an organization’s data where the malicious limited budgets. Therefore, it is important program surveys the contents of a machine’s for government agencies to do everything hard drive along with any network-attached or they can to lessen vulnerabilities and deter network-accessible drives. It then encrypts all perpetrators from taking advantage of the data using high-grade encryption methods security flaws. and algorithms. Once the data has been encrypted, the underlying encryption key is sent to a server controlled by the perpetrator About the Author and a message notifies the user of the Dr. Harry Cooper is an instructor in the STEM school at encryption and demands a ransom payment American Military University, focusing on cybersecurity for access to the encryption key. and information technology with experience in both academics and as a practitioner. Dr. Cooper has When this happens, organizational leaders taught at various colleges and universities on a wide range of technology topics. Before entering academia, must decide whether to pay the perpetrator Dr. Cooper served as CEO/partner for Thimbleweed for the encryption key or lose all the locked Consulting and TWC Security. Dr. Cooper received information. For organizations that have his D.Sc. in Cybersecurity from Capitol Technology exceptionally strong IT departments with up- University, where his research focused on the Mosaic to-date backups of critical systems and data, Theory of Intelligence, its role in today’s society, and how it has become available to most average users. He the decision will be not to pay the ransom and also completed his M.S. in cybersecurity, intelligence, instead to rebuild the affected machines. and forensics at Utica College and his B.A. in political science at the University of Pittsburgh. Unfortunately, many organizations do not have such robust IT departments, so they are often forced to pay the ransom. Once the payment is received, the perpetrator will
Protecting Against Cyberattacks 10 AGENCIES STRUCK BY RANSOMWARE
Numerous governmental bodies have fallen victim in the past few years to costly ransomware attacks. These attacks aren’t just affecting organizations’ digital assets; they are also harming their physical systems.
November 2016 March 2018 San Francisco, California Baltimore, Maryland San Francisco Municipal Transportation Agency hit by City’s CAD system that supports 9-1-1 and emergency massive ransomware attack that shutdown its ticketing calls hacked, forcing officials to resort to manual and management systems for railways and buses. Agency operations to handle calls. unable to accept fares and forced to allow passengers to ride for free for at least 2 days. COST: Undisclosed.
COST: Attackers demanded $73,000 to restore data.
September 2018 March 2018 Port of San Diego, California Atlanta, Georgia Ransomware compromises port’s information Municipal systems attacked causing technology systems, disrupting administrative widespread outages and halted many city operations at the shipping hub. services.
COST: Undisclosed amount of bitcoin demanded. COST: Attackers demanded $50,000 in digital currency, but recovery costs are estimated to be much higher. February 2018 Leeds, Alabama Hit by a ransomware attack that locked all city computers and data, including fire and police departments.
COST: Reportedly paid $8,000 in bitcoin.
11 ProtectingProtecting Against Against Cyberattacks Cyberattacks SECTION 1: VULNERABILITY TO CYBERATTACKS
Technology is Changing Healthcare, But Not Without Risk
Like any device connected to a network, advanced medical devices are vulnerable to cyberattacks. They must be protected to ensure patient care and the security of entire systems are not compromised.
Similarly, implantable devices allow for By Dr. Kevin Harris, Program Director, medical treatment to be administered without Cybersecurity, Information Systems Security direct medical staff intervention, often in life- and Information Technology Management, threatening situations. One such device is an American Military University implantable defibrillator that not only detects and reports when a patient’s heartbeat is irregular, but also initiates an electric shock to Modern-day healthcare is being revolutionized restore the heart’s rhythm. Other implantable by technological innovations in Internet devices include an insulin pump that delivers of Things (IoT) devices including wearable, insulin based on registered levels and cochlear portable, and implantable devices. These implants that provide the ability to hear for devices have been essential to improving those who have hearing loss. patient care. Vulnerability of IoT Devices For example, patients who need constant to Cyberattack monitoring of vital signs can be outfitted with a wearable device that measures temperature, While the benefits of IoT devices are blood pressure, and heart rate. Patients many, these devices can be targeted by can return home while medical personnel cyberattackers. If the devices and associated remotely monitor data received from the data are not properly protected, not only wearable devices. Medical professionals can could sensitive medical information be then analyze data trends and notify a exposed, but lives could potentially be at risk. patient if it’s determined they need to seek further treatment. If an insulin pump is compromised, an attacker could alter data and cause the pump
Protecting Against Cyberattacks 12 to deliver a potentially lethal dose of insulin. information technology professionals must all If an individual’s defibrillator is accessed, not work together. only could the patient’s life be in jeopardy, but others could also be harmed if that person is When it comes to using IoT devices, incapacitated while driving, for example. medical facilities must ensure their network infrastructure is secure. Equipment calibration Networked devices used by hospitals are also verification policies and processes must not immune from risk of cyberattack. For be continuously reviewed and updated. example, if an attacker were to gain access Training should be provided to users and to an infant warmer, they could alter the patients to ensure they’re aware of the risks temperature a few critical degrees, which associated with using IoT devices. Similarly, could prove fatal. manufacturers need to invest in security and devices must be developed with robust There are also vulnerabilities in the growing encryption protocols, redundancy, and trend of concierge healthcare, where medical potential attack-notification systems. professionals travel to the patient. While this can have many benefits, including improved As with all technological advances, safety and personalized medical care, there are should not be overlooked for the sake of also risks. For example, if medical providers convenience and innovation. IoT certainly has use networked equipment in the field and the potential to revolutionize healthcare, but receive updates to this equipment remotely, the proper steps need to be taken to ensure it this could potentially open the door for an is secure and protected. unauthorized party to gain access. An attacker could alter settings on the medical equipment, which could lead to incorrect diagnosis and About the Author treatment. All this could happen without the Dr. Kevin Harris has 25 years of experience in the medical professional detecting the intrusion. information technology field. During this time, he protected various organizations’ infrastructure and Regardless of whether a device is used by data in positions ranging from system analyst to chief a medical provider or a patient, there is information officer. His career encompasses diverse significant risk that an unauthorized party experiences both in information technology and academia. His research and passion are in the areas of could access private data. Such a breach cybersecurity, bridging the digital divide, and increasing could have a devastating impact on the diversity in the tech community. As an academic, he patient, cause strain on the relationship with has served students at various types of institutions their medical professional, and also require including community colleges, HBCU, public, private, significant financial costs to rectify impeded or graduate, undergraduate, as well as online. Dr. Harris has trained faculty from multiple institutions in the incorrect treatment. area of cybersecurity as part of an NSF multistate CSEC grant. He has delivered instruction in several Ways to Reduce Risk disciplines, including business, computer science, and computer networking, with a particular interest To mitigate risks of cyberattack in healthcare, in information security, cybersecurity, and computer which has been identified as one of the forensics. Currently, Dr. Harris serves as program critical infrastructure sectors by the director for Cybersecurity, Information Systems Security Department of Homeland Security, a team and Information Technology Management at American approach is necessary. Software developers, Military University. manufacturers, medical facilities, regulatory bodies, users, academic institutions, and
13 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
11 Questions to Ask Your IT Department to Protect Against Cyberattacks
Public safety leaders do not have to be experts in cybersecurity to ensure their agencies are adequately protected—they just have to know the right questions to ask.
The good news is fire chiefs do not have By Sam Greif, Fire Chief of Plano, Texas to know the details of how to protect our departments and our personnel against cyberterrorists. However, we do need to know Fire chiefs have plenty to be concerned about what questions to ask IT experts to ensure while trying to protect the public and our they fully understand all the vulnerable personnel. Over the last several decades, technology we use on a daily basis. new threats and challenges have emerged, including active shooter events, health Systems that need to be protected include epidemics, hazmat disasters, emergencies 9-1-1, public safety radios, CAD (computer- requiring technical rescues, and high-rise fires, aided dispatch), electronic patient reporting, to name a few. records management systems, mobile data computers, and phone PBX systems. These One additional new threat that has systems are all potential targets for those who devastating consequences and that many fire wish to do harm to our departments leaders are not adequately prepared for is and communities. cyberattacks. While many fire chiefs feel their IT departments should be more cognizant of Leaders in the fire service need to make sure cyber threats, many do not consider they are asking the right questions to the threats of cyberattack as part of their right people. day-to-day operations. To find out what questions I should be asking, It is understandable that there is a gap in I went directly to my local IT department. I grasping the complexities of cybersecurity. met with IT to learn how we could ensure the After all, terms such as authentication, systems my department uses are protected as declaration of conformity, DMZ, encryption, much as possible. Here are the questions all firewall, IDS, ISP, IPS, LAN, malware, proxy fire chiefs should ask: server, spyware, VPN, WAN, worm, and the rest of the IT alphabet soup are not part of the traditional fire service lexicon.
Protecting Against Cyberattacks 14 Photo credit: Jeremiah Lancaster
11 Questions to Ask Your IT Department:
1 What is the configuration 4 Have all default passwords of our firewall? been changed? The firewall should not allow any Many systems come with a default connections from the outside. All password or built-in account from the connections to computer-aided dispatch manufacturer or vendor. These passwords (CAD) and records management systems must be changed to lessen the chance (RMS) should be made over a virtual they can be hacked. private network (VPN). 5 Does the network have a central time 2 Do our systems meet CIS benchmarks? server called a NTP? The Center for Internet Security (CIS) A network time protocol (NTP) allows for benchmarks aid in server setup. the clocks on all equipment to stay in sync Requirements can be found here. for logging and audit purposes. Also, some encryption technologies require this. 3 Do our critical networks have a firewall between the internal network and the 6 Do all critical systems send their log protected networks? files to a central server? Critical networks include SCADA, building Using a central server allows for logging safety, and CJIS. Critical networks include and audit in case of a breach, and some supervisory control and data acquisition systems send an alert when it detects (SCADA), building safety, and Criminal a breach. Justice Information System (CJIS). All traffic in and out of the protected networks should be monitored and recorded.
15 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
7 Are user permissions on systems set to 10 Does IT limit the number of the minimum necessary for them to do administrator accounts on systems? their job? Administrators can expand their power Granting permission greater than by granting permission to accounts they the minimum necessary can increase do not normally have access to. Since compromises and removes accountability administrators have the ability to delete within those systems. If access is limited, entire systems and shut down access it will reduce the chance of changes— to all computers within the system, accidental or intentional—being made background checks should be in place for within the system. Limited access also all administrators. reduces the chance of exfiltration of information from the network. For departments storing HIPAA or 11 CJIS data on its server, are those hard Is there an ongoing and updated drives properly encrypted? 8 inventory of assets? Encryption is critical to protecting This should include date of purchase and personal data stored on servers. While disposal, who owns the equipment (IT), encryption is required by HIPAA, it’s smart and who owns the data on the equipment to verify that IT has proper encryption (PD, fire). protocol in place.
Does IT use tools to monitor Most of the answers to these questions are 9 servers for patches? still foreign to me, and I certainly would not Many departments use tools like Nessus know how to achieve getting them done. (free for up to 25 servers) or Qualys to However, by having the conversation with monitor systems and send notifications my IT department and discussing all the when server patches are needed and technology involved, I feel more confident available in order to keep them secure. they are on track working hard to protect our systems. This dialogue also led to IT providing
Protecting Against Cyberattacks 16 About the Author According to the 2016 Deloitte-NASCIO Chief Sam Greif began his career as a paramedic in Cybersecurity Study, state officials, 1982 and joined the Fort Worth (CO) Fire Department including emergency managers and as a firefighter in 1985, where he worked his way up chiefs of police, are more confident through the ranks to assistant chief of operations. In in their states’ ability to address June 2015, after an extensive nationwide search, it was cybersecurity (66 percent) than state announced that Greif was selected as the new fire chief for the City of Plano, Texas. chief information security officers are (27 percent). This confidence Chief Greif holds an associate in applied science gap signals a need for increased degree in fire science, a bachelor’s degree in leadership communication about cybersecurity risk from Midwestern State University, a master of public and methods to prevent and mitigate administration from the University of Texas at Arlington, and is a graduate of the National Fire Academy’s against potential harm. Executive Fire Officer Program.
Chief Greif has served on numerous state and national me with tips for my personnel about how to boards and committees. He currently is the chair of the International CAD Consortium and was on the board help protect our systems against phishing, of directors for Tarrant County 9-1-1 for eight years. vishing (voice phishing), and pharming He is a member of the IAFC’s Terrorism and Homeland attacks—all of which are designed to Security Committee, Metro Chiefs, and Collin County steal information or cripple an Fire Chiefs, and is an active member of the Plano Rotary organization’s technology. Club.
Until fire chiefs take an interest in cybersecurity and make time to have ongoing conversations with IT, they risk being vulnerable to cyberattacks.
17 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Tips for Improving Communication with IT
It often seems like IT professionals speak their own language. To help bridge the communication gap, a chief information officer provides insight on how employees can work better with technology departments.
a deputy or chief information officer for By Chris Chiancone, Chief Information Officer large cities—I have spent a lot of time and of Plano, Texas energy trying to better understand what makes communication so poor between technology departments and others within Effective communication is often cited as an organization. My experience has shown one of the greatest challenges within any that problems arise because people outside organization, but communication with an IT do not understand the personality traits of organization’s technology department can be the average technologist, and they don’t fully especially challenging. comprehend all the serious problems that IT staff are simultaneously trying to solve. During the 20-plus years of my working career—nearly half of which I’ve been either
Protecting Against Cyberattacks 18 The Anatomy of a Technologist technology department or other domino- True technologists are, in my opinion, one effect complications. of the easiest groups of people I have ever 3. They generally have incredibly high had the opportunity to lead. Technologists intelligence levels, moderate emotional who have embraced the mission and vision intelligence quotients (EIQ), and complex of the organization and understand its social skills. business problems work tirelessly researching issues, triaging problems, and leveraging 4. They typically will find a way around workarounds to make sure that services are bureaucracy, obstacles, and other operating at the best levels possible. They perceived non-logical situations. Some do all these things to avoid three things: outsiders interpret this behavior as being system failure, vulnerabilities and risk, and rogue, but it is the way technologists personal failure. are wired. They do not have time to watch and wait, especially when a When a problem arises with an unknown system has critical issues. They need solution, technologists often collaborate to start troubleshooting and look for online, building micro-communities of fact- workarounds to restore service. finding armies to sift through innuendo to 5. They recognize the need for paperwork, find the truth. These technical professionals but they often do not like it. The more will keep posting, responding, and evaluating electronic reporting systems that are in hundreds of posts until the answer to the place, the more adoption you will get issue becomes apparent. Once solutions from a technologist. are identified, they often report fixes to technology forums to help other technologists 6. They don’t have all the answers for every shorten their problem-solving process. system at their fingertips, but the more experience they have, the faster they can Typically, technologists all share some generate action. Many times, systems common traits: are very complex to diagnose, especially when the hardware, software, and/or 1. They genuinely care and strive to find connectivity are not standardized or are answers to common and complex heavily customized. business and technical issues. 7. Intra-departmental technology 2. As individuals, they are generally more communication is as tricky to foster introverted, non-confrontational, and as department-to-department have difficulty operating in foreign, communication. Highly evolved non-technical social environments. technology organizations make extensive Technologists sometimes have a hard use of technologies through their time expressing challenges, especially service desk software to make sure if the challenge is beyond their control. events revolving around an issue are Because of their personality, sometimes both memorialized and shared with technologists will not challenge business customers. These systems also help build requests in order to maintain harmony transparency to problem resolution and with the customer, even if it means allow for the department to be managed that it creates additional work for the from metrics.
19 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Technology departments deal with a multitude My experience has shown that problems of issues and are always working to keep arise because people outside IT do systems operational and technology as not understand the personality traits advanced as possible. One of the biggest of the average technologist, and they challenges for IT departments is that it must don’t fully comprehend all the serious not only support itself as a department, problems that IT staff are simultaneously but also provide support to every other trying to solve. department. With this massive organizational responsibility comes frustration. While technologists are working diligently to come Technologists work in a world of 8. up with solutions, they can’t solve all the abbreviations, analogies, and theory; problems all at once, leading to frustration. As it is okay to ask them to explain issues a result, many people feel it is difficult to work and problems in an easy to understand with technology departments, but I believe manner or provide a real-life example. there are a few things those outside 9. Technology is both an art and science; IT can do to help improve communication answers are not typically tangible and are and collaboration: very difficult to diagnose. Understand the department is not If technologists are treated with respect only there for you. Many IT departments and trusted to fix the issues within their provide support for 10, 20, or even 50 other control, you will have some of the most departments within an organization or dedicated, hard-working staff members in municipality. To serve all these interests, modern-day organizations. technology departments are constantly prioritizing and weighing risk, and working How to Work Better with Your on issues that impact the greatest number Technology Department of people. If they cannot address your problem or question immediately, there Around five years ago, technology became the is usually a good reason. However, due to engine driving organizations rather than the their communication limitations or heavy caboose following behind to support it. Today, workload, you may not always know when technology and its services are viewed as an they will get to your problem. You may need essential tool of modern-day to ask them for an ETA or escalate your issue business operations. to a manager.
The staff who were once holed up in the Work on explaining your needs basement of many organizations are and not what you want. Technology suddenly expected to be able to effectively departments are good at solutions, but communicate with stakeholders, participate in poor at implementing systems they have marketing meetings, interface with customers, no investment in or understanding about. and attend corporate events; all with the same IT personnel are best used when helping charismatic entrance and gregariousness develop a solution that meets your needs, as traditional “business” talent. I have some so work to tell them what the problem is breaking news: it is going to take a while and what you need from them without for the communication skills within an IT trying to insert what you think you want the department to catch up with these new and system to do. burgeoning expectations.
Protecting Against Cyberattacks 20 Troubleshooting is not easy and takes effective, all staff need to know how to use time. There are likely a multitude of factors it. In my experience, only about 35 percent contributing to your issues, many of which of staff attend training, of which 25 percent you are not aware of. Sometimes, it’s need additional help. Out of the 65 percent essential to conduct a thorough evaluation who do not attend training, 70 percent of your system and business processes end up requesting support, of which 90 that feed the system. This can be a time- percent of the type of support requested consuming and highly involved process. Just was covered in the training. Such requests because a solution worked one time for an dilute the IT service desks’ ability to respond organization does not mean it will continue to legitimate needs, creates a backlog, and to work. Many systems are not configured ends up slowing down other assistance that correctly and are too heavily customized, is duly needed. This problem could easily which leads to failure. be solved if staff attended the provided training. It’s okay to push the boundaries of technical possibilities. In our highly technological era, it’s expected that many There is no doubt that technology will users believe anything is possible with continue to evolve at breakneck speeds enough time, money, and resources. changing how organizations operate. However, those possibilities can often be Therefore, it is critical to have both constant overwhelming to IT staff who understand and effective communication with technology the technological requirements of staff. Once barriers, moats, and gorges have implementing such ideas. You do not have been crossed and staff begins to develop a to take an answer of “it can’t be done” at face dialog, personnel in all departments can truly value. Technologists work within boundaries, work together to improve the operation of but it’s important for others to challenge the organization. both internal and technical staff to be innovative and bring solutions, not more challenges. About the Author Have conversations about Service Level Chris Chiancone is a strategic thought leader with more than 20 years of experience delivering Agreements with your technology advanced hardware and software solutions for private department. Service Level Agreements corporations and public-sector organizations. Programs are negotiated, pre-arranged documents implemented by Chris and his team help organizations between the information technology deliver strong technological innovation, helping department and their customer align industry leaders with a substantial competitive advantage while (or by) focusing on technology departments. These documents outline transformation, increasing productivity, reducing cost, details such as expected response times cloud migration, and organizational security. based on the severity of issues, which can help IT managers better staff, plan, Chris has a strong track record of building versatile, and prioritize support according to the top-tier technology teams. His skillset includes strategic planning, technological innovation, IT architecture, expectations of departments. applications, security and production with large ERP, When new technology is introduced, cloud providers, ITIL, and data science technologies. require your staff to attend training and information sessions. IT departments regularly introduce new technology and, in order for it to operate properly and be
21 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Preparing for a Cyberattack: CREATING CONTINGENCY AND BACKUP PLANS
All agencies must have a contingency plan in place should they be hit by a cyberattack. Learn how leaders can work with their IT department to create a backup strategy to mitigate damages in a worst-case scenario.
can never be 100 percent protected from By Dr. Kenneth Williams, Executive Director, attackers. No matter how many detection Center for Cyber Defense at American Military systems or proactive measures are installed University to protect a network, there is no guarantee against intrusion.
Organizational leaders are expected to The best way for an organization to protect conduct due diligence in order to protect itself is to prepare as if the network is going to valuable resources and assets within their be attacked. Then, the organization can take information systems. While many leaders measures to mitigate the risk by developing clearly understand this need and their strong contingency plans and instituting responsibilities, very few have the expertise comprehensive backup and restoration and technological background to make an measures to minimize data loss. informed decision about how to actually protect their systems from intruders. Creating Business Continuity Plans Business continuity planning is the The first thing leaders must understand is implementation of a comprehensive strategy that an organization’s networked systems
Protecting Against Cyberattacks 22 to maintain business operations during a In addition to developing detailed contingency catastrophic event like a data breach or plans that address those questions, it is vital ransomware invasion. By creating contingency for an organization to regularly review and plans, an organization mitigates its risk and practice these plans. Organizations should: minimizes the loss of critical assets if an attack were to happen. • Monitor the organization’s data flow processes. A continuity strategy should be planned and developed at the highest echelons of • Refine contingency plans to address the organization and implemented changes in personnel and infrastructure throughout the organization. To begin, and/or changes in organizational strategy. leaders must ask themselves some • Initiate a robust testing plan that important questions, including: documents and measures the results of all successes and failures. Execute such • What are the critical interconnection tests at least once per year using points among people, processes, various scenarios. technologies, suppliers, and customers? What systems are vital for the operation? • Schedule regular reviews and updates This could include phone systems, VPN to business continuity plans to networks, digital radio systems, and accommodate the changing nature email, all of which are critical of technology and any changes in the for operation. organization’s strategy. • Assess all these current technologies and • Repeat the entire process continuously. create a contingency plan to safeguard data within those systems, including Organizational System backup, disaster recovery, vaulting, Backup Considerations snapshots, and replication. While a contingency plan defines how the • If these critical systems were to go down, organization will operate during an attack, the how could the organization maintain organization must also take steps to minimize operations using alternative systems? potential loss of data and other information Ideally, these alternative systems should after an attack. The organization must have be located far enough away not to be an effective backup plan in place to rapidly jeopardized during an attack. restore service following a cyberattack. Who will be part of the incident response • An organization’s backup strategy will depend team? How will those people be on its operational priorities, as well as on its notified? How will they notify others in size and specific operational environment. the organization about the attack and For example, small organizations with limited changes to operational procedures? networks can use digital devices such as • What are the recovery objectives and thumb drives or DVDs to store important files, what is the organization’s recovery while larger organizations should consider time profile? online resources such as redundant arrays of independent disks (RAID), automatic failover, server clustering, or mirrored systems.
23 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Organizational leaders should talk to their IT • Is data backed up on department about its backup strategy and ask different devices? questions such as: This could include anything from magnetic disks, tape or optical disks, • Are systems fully redundant and and thumb drives. It depends on the load-balanced? organization’s choice for backup, which could include electronic vaulting, network • Is data mirrored so that if something storage, or tape libraries. happens, the system can be restored? One technique to consider that protects • Does the department use automatic against data loss is the concept of failover and server clustering? Stripe and Mirror Everything (SAME). Automatic failover is when a hard This assures robust flexibility through drive fails and a backup hard drive mirroring technologies at the database automatically takes over the function file level rather than the entire disk level. without delay or interruption in service. Mirroring at the file level is duplicating Server clustering is when more than one data in individual files instead of the server is used to increase the service to entire hard drive; this saves space on the the user. This is similar to having a main hard drive and increases speed. server with multiple backup servers that will take over if the main server fails. • Are files spread across all available storage and not located in a single • Is the organization prepared for storage location? a loss of power during an attack? Organizations should consider • Does the organization have Service implementing Uninterruptible Power Level Agreements (SLAs) with Supply (UPS) to prevent data loss due commercial entities? to an unexpected power outage. UPS SLAs are similar to a service contract is designed to store enough energy in with a telephone company or car dealer. its internal battery to allow for active It provides technical expertise to repair IT response time by users and for the safe equipment, similar to a mechanic shutdown of all systems. for a car.
Protecting Against Cyberattacks 24 When Are Backups Conducted? Best Practices for Hardening a It’s also important to clarify how and when Network against a Cyberattack backups of the network will take place. Organizational leaders should also verify Regular backups of company data should be that their IT department is following best conducted either once a day or once a week, practices when it comes to hardening a and usually during hours when the data and network. Leaders should confirm the following network are not in use, such as around 1:00 recommendations are being followed: a.m. on Sunday morning. 1. Select, purchase, and install all hardware, Selecting a time when the system is not in software, and licenses for the system. use will lessen the chance that it will cause interruptions to regular business processes. 2. Verify the installation of antivirus There are three common methods for software on all computers and turn on conducting backups: automatic updates. 3. Configure all computers to use junk 1. Full backup: This captures all files on e-mail filtering and install spam filtering the disks and occurs on a single medium. on the mail server. The time required for a full backup is greater than that of incremental or 4. Turn on automatic software updates for differential backup, but ensures a greater all computers. level of accuracy. Due to the associated 5. Locate the server in a locked room with time and cost, a full backup is usually controlled access. performed during the initial phases or following a data restoration. 6. Institute backup and restoration procedures across the entire 2. Incremental backup: This captures files organization. Implement daily backups created or changed since the last backup with a full backup conducted weekly. and requires less time and cost to run Store the backed-up data in a location than a full backup. One issue with this outside of the organization’s geographical technique is the need to use different area. devices during recovery. For example, if differential backups are captured on 7. Configure services on the server to different devices such as a tape and enforce strong passwords of at least 10 a USB drive, recovering the data will characters with at least two uppercase require access to each media separately. characters, two lowercase characters, two numerals, and two special characters. 3. Differential backup: This type of backup is the storage of data since the last full 8. Configure individual computers to log backup, which occurs following a full users out after a five-minute period of backup, and is faster and less costly than idleness, so that those users are required a full backup. This type is considered to log back on. slower than an incremental backup, but offers a faster recovery time. During recovery, a differential backup only requires the use of the full backup device and the differential backup.
25 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Data Breach Considerations All organizations should operate under the assumption that a data breach will happen and create a plan to respond to an intrusion. Here are questions to ask your IT department about its breach response policies:
1. What’s our breach 3. How will you notify containment procedure? affected individuals? Upon detection of a breach, the The incident response team should organization should immediately be notified first, followed by affected activate its designated incident response managers and personnel. team. These initial steps will help the How will you conduct a review of the organization contain the spread of the 4. incident to help you prepare for virus to other networked systems and future breaches? limit additional loss of data. After the incident has been addressed 2. How will you evaluate the risk and remedied, it is important for IT staff of the breach? to have policies in place to learn from the Upon detecting a breach, an organization situation. They need to evaluate how the needs to immediately and thoroughly organization responded to the incident evaluate the risks associated with the and work to refine and further prepare breach, including who was affected and for future breaches. what harm was done.
Protecting Against Cyberattacks 26 User Education Considerations About the Author Organizations should also plan for robust Kenneth Williams, Ph.D., is the Executive Director user awareness training. The importance of of the Center for Cyber Defense at American Military training should not be ignored as it is common University. He holds a doctoral degree in cybersecurity knowledge that human error is considered and a master’s degree in information security/ assurance from Capella University. the greatest threat to organizations’ information systems. In addition, Kenneth is a Certified Information Systems Security Professional (CISSP) and holds Security+ and All users should receive training in critical CompTIA certifications. In the past, he has also held areas, including incident handling, disaster positions such as president/chief information officer for Thelka Professional Associates; adjunct professor for recovery, securing data at rest, phishing, Northern Virginia Community College, DeVry University, and safe home computing. This training will and Sullivan University; IT specialist/cybersecurity educate users on the importance of security, compliance auditor for the U.S. Army Inspector General; the proper handling of passwords, laptop information system security/VOIP engineer and contract security, virus prevention, safe internet lead for the U.S. Army’s CECOM; and information system security engineer and technical manager/ browsing, and consequences for unsafe and chief information officer for Onyma, Inc. He is an Army illegal actions. veteran with more than 24 years of active service.
27 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Tips on Training Adult Employees in the Workplace
Teaching employees about cybersecurity is a challenging but necessary step to protecting an organization’s systems. Here’s how one CIO approaches employee training.
my first semester of teaching when I could not By Chris Chiancone, Chief Information Officer figure out why students were having difficulty of Plano, Texas remembering content, were not very engaged during class, and were harsh in their critique of my teaching style. For many years, I worked as a part-time night and weekend adjunct professor for a few I reached out to my teaching advisor junior and private colleges. I will never forget for insight and ended up having a very
Protecting Against Cyberattacks 28 enlightening conversation about adult When conducting training that requires learning. Although his evaluation of my in-person attendance, it’s important to teaching style left no room for any feeling of remember that traditional training methods accomplishment, it proved to be one of the are often not effective for many employees. best coaching sessions I have ever had. I’ve Traditional sessions are often too long, overly applied what I learned directly to my current structured, and don’t focus on teaching career, which includes training personnel applied skills. how to use technological systems and protect network systems. When I deliver in-person training to employees, I employ a teaching model I Why Adult Learners Are Unique developed from my academic teaching experience that I refer to as CPR, which is Adult learners are distracted learners, my based on three principles: advisor told me. Period, end of story. Adult learners often have lots of things other than learning going on in their life. When in class, • Chunks: presenting small amounts of they might start thinking about what they’re information at a time. In order for this making for dinner, how to get their kids to information to stick, it must be attached different events around town, concerns with to a household finances, and a number of other • Peg: an image, belief, emotion, or other complicated and stressful things. As a sensory element that the person finds result, adults require some unique approaches to help them learn and • Relatable: and pragmatic in nature. understand new information. Information presented using the CPR method Delivering Effective Training needs to be repeated over and over, in a Similar to challenges in traditional academic process called inculcation. The more the settings, adults also have difficulties learning information relates to common business new information when at work in a business problems and is presented in a way that setting. Company training staff must directly applies to how the person will use it, remember this when conducting training the more likely the employee will understand sessions about new technologies, new and retain it. procedures, updates on company policies, and other important company information.
29 Protecting Against Cyberattacks SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Teaching Technology Skills Relate the material to solving a problem so Let’s take, for example, training employees employees know that what they’re learning is on how to use a new computer operating practical and can be applied to solving future system. Traditional teaching would go through problems they might encounter. By following the history of the operating system, versions, the CPR method, employees will increase advancements, high-level explanation of their knowledge about how the system works the use of the system, and common issues in a practical way, which will enhance their with the system. This is all well and good for ability to use it to solve future problems they technology staff who support such a system, might encounter. but non-technical people would undoubtedly be bored to death. Instructors should also present this information repeatedly, using inculcation, Instead, the non-technical adult learner needs which will eventually lead to better retention to be taught in a way that reflects how they of information, although it may cause some will use the system, in less than 50 minutes of frustration among employees. One way to time. The training session should include: combat this frustration is to record training sessions and allow staff to learn at their own pace, any time, and in their own environment. • A computer loaded with the new Conducting regular and thoughtfully operating system. structured training sessions will lead to • An environment in which the employee greater adoption by employees and improved can follow along, step by step, with the knowledge and efficiency. instructor as they complete common tasks. About the Author Break Chris Chiancone is a strategic thought leader with more than 20 years of experience delivering • More opportunity to follow the instructor advanced hardware and software solutions for private on common tasks related to chunks corporations and public-sector organizations. Programs implemented by Chris and his team help organizations of business knowledge. For instance, deliver strong technological innovation, helping working through an Excel document align industry leaders with a substantial competitive advantage while (or by) focusing on technology where the instructor teaches and the transformation, increasing productivity, reducing cost, student duplicates. cloud migration, and organizational security.
Chris has a strong track record of building versatile, Break top-tier technology teams. His skillset includes strategic planning, technological innovation, IT architecture, • Present chunks of business knowledge, applications, security and production with large ERP, attached to solving a real-life work cloud providers, ITIL, and data science technologies. problem.
Break
• Peg the real-life problem to a feeling of accomplishment and success.
Protecting Against Cyberattacks 30 SECTION 2: PROTECTING AN AGENCY FROM CYBERATTACKS
Do’s and Don’ts of Online Activity
Do’s! • Set a lock password and set up your cell phone • Ensure you are running some form of anti- to lock after at most five minutes of not being virus, malware detection, or firewall software. used. Even the best and brightest in cybersecurity fall prey to attacks—this software is necessary to • Set up your cell phone to “wipe your data” after protect your devices and systems. too many failed attempts to unlock it. • If you’re using department-issued equipment • Make sure you only purchase from websites at home, make sure your home WiFi network is you can find reviews on and make sure that secured. If you do not know how to set that up, the site is secure. Look for the lock or green reach out to your internet service provider. box in the address bar. • Update your important passwords on a • Make use of the privacy tools on your social consistent basis, such as every three months. media accounts. They are there to protect you. Use them to restrict who can see your information.
Don’ts! • DO NOT open an email from someone you do • DO NOT post information on your social media not know. accounts that you don’t want the public to see. Information can get leaked even with proper • DO NOT open any attachments in an email privacy settings, so if you do not want it online, unless you were expecting the attachment, do not put it there. even if it’s from a known sender. • DO NOT download any illegal/cracked • DO NOT reuse the same password for multiple software, music, and movies. In addition to this sites. Avoid using things such as your birthdate practice being against the law due to copyright as your password. Try using a combination of violations, most of these files come with symbols, numbers, and characters to build a viruses, malware, trojans, and more. memorable list of passwords. • DO NOT click on a link in any email without • DO NOT use public/free WiFi for anything other verifying the address is exactly what you than basic browsing. You should never go onto expect. It is very easy to miss a spelling error or any website requiring credentials or financial an extra hyphen in a web address. information on public WiFi. • DO NOT enter any credentials into an online • DO NOT access any site needing log-in website unless you type in the web address credentials on public computers at the library yourself. or internet cafes. If you do, make sure you ALWAYS log out as soon as you are done, and consider changing your password when you get home.
31 Protecting Against Cyberattacks CYBER THREATS ARE EVOLVING SO SHOULD YOUR SKILLS
Escalating cyber attacks threaten national security and our daily lives. Are you prepared with the skills and knowledge to further safeguard our nation’s most valuable digital assets? American Military University offers a variety of programs for public safety leaders to learn technology, network security, and strategies to thwart cyber threats.
AMU Offers Undergraduate Certificates in: AMU Offers Bachelor of Science Degrees in: Cybersecurity Cybersecurity Cybercrime Essentials Information Systems Security IT Project Management Essentials Information Technology Management Information Security Planning Information Systems Security Essentials
LEARN FROM THE LEADER
Earn your degree from a university that is recognized by the Department of Homeland Security and National Security Agency as a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE).
AMUonline.com/cybersecurity
American Military Universi ty
American Military University is not affiliated with the U.S. Military. We want you to make an informed decision about the university that’s right for you. For more about our graduation rates, the median debt of students who completed the program, and other important information, visit www.apus.edu/disclosure.
Protecting Against Cyberattacks 32