San Mateo County Grand Jury
• 2019-2020
Issue City and county government computer systems are at risk of Ransomware attacks. Are adequate
Findings 8 findings
F1
Page 12
Ransomware is a real and growing threat to public entities including those in San Mateo County.
F2
Page 12
Across the country, local governments and schools represent 12% of all Ransomware attacks. Government Technology Magazine, Adam Stone, The Weakest Link, Oct/Nov 2018
F3
Page 13
The direct and indirect costs of Ransomware can be significant.
F4
Page 13
Cybersecurity reviews and assessments, and an updated, well-executed Cybersecurity plan, are critical components of IT security strategy.
F5
Page 13
A comprehensive Cybersecurity plan should include, at a minimum, information concerning prevention steps, spam and malware software, and backups and full recovery testing.
F6
Page 13
The identification of phishing attempts, including the use of spam filters, is an important component to protecting an IT system from Ransomware attacks.
F7
Page 13
Testing a full restore of a server to ensure that backups are reliable should be undertaken regularly as part of an entity’s backup plan to recover lost information.
F8
Page 13
Training of new employees, and the recurring training of existing employees, is an important component of defense against Ransomware.
Recommendations 4
R1
Page 13
Each of the governmental entities in San Mateo County with an IT department or IT function (whether in-house, handled by another government unit or outsourced to a private enterprise) as listed in Appendix F, should by November 30, 2020, make a request for a report from their IT organization that addresses the concerns identified in the report, specifically:
1. System Security (Firewalls, Anti-malware/Antivirus software, use of subnets, strong password policies, updating/patching regularly)
2. Backup & Recovery (In the event of an attack, can you shut down your system quickly? What is being backed up, how it is being backed up, when are backups run, and where are the backups being stored? Have backups been tested? Can you fully restore a Server from a backup?)
3. Prevention (turning on email filtering, setting up message rules to warn users, providing employee training on phishing and providing a reporting system to flag suspect content)
R2
Page 13
These confidential internal reports should be provided to the governing body by June 30, 2021. This report should describe what actions have already been taken and which will be given timely consideration for future enhancements to the existing cybersecurity plan.
R3
Page 13
Given the results of their internal reports, governmental entities may choose to request further guidance by means of a Cybersecurity review from the U.S. Department of Homeland Security [56] and/or a cyber hygiene assessment from the County Controller’s Office. [57]
R4
Page 14
Given the results of their internal reports, governmental entities may choose to ask their IT departments to review their own Cybersecurity Plan with the detailed template provided by the FCC’s Cybersecurity Planning Guide and consider customizing it using FCC’s Create Custom Cybersecurity Planning Guide tool (see footnote 52).

[56] https://www.us-cert.gov/resources/assessments
[57] 2018-2019 San Mateo Grand Jury Report – Security of Election Announcements

METHODOLOGY

Documents
Attack incident reports were requested from IT Departments who experienced attack(s). No incident reports were received.

Site Tours
No site tours were performed as a part of this report.

Interviews
Reports issued by the Civil Grand Jury do not identify individuals interviewed. Penal Code Section 929 requires that reports of the Grand Jury not contain the name of any person or facts leading to the identity of any person who provides information to the Civil Grand Jury.
- Three Information Systems Managers of three different public entity IT organizations.
- Two non-public professional IT Managers. Both of these Managers’ IT infrastructure environments had been infected with Ransomware attacks. One paid the ransom and the other did not.
- A professional Ransomware expert who often consults with companies who have been attacked or desire assistance preventing attacks. He also teaches classes on preparing for and preventing Ransomware attacks.
- Numerous security industry professionals at the RSA Conference held at Moscone Center in San Francisco between February 24th and 28th 2020.

BIBLIOGRAPHY

- Anslinger, Joe. “File Backup vs. Image Backup – Which is Best?” Lieberman Technology. June 11, 2013. https://www.ltnow.com/file-backup-vs-image-backup-which-is-best/
- Cisco Systems. Ransomware - Anatomy of an Attack. https://www.youtube.com/watch?v=4gR562GW7TI
- Coveware. “Ransomware Payments Increase In Evolving Distribution of Enterprise Ransomware Variants.” April 29, 2020. https://www.coveware.com/blog/q1-2020-ransomware-marketplace-report
- Davis, Jessica. “As Ransomware Attacks Increase, DHS Alerts to Cybersecurity Insights.” Health IT Security, September 9, 2019. https://healthitsecurity.com/news/as-ransomware-attacks-increase-dhs-alerts-to-cybersecurity-insights
- Deere, Stephen. “Confidential Report: Atlanta’s Cyber Attack Could Cost Taxpayers $17 Million.” The Atlanta Journal-Constitution. August 2018.
- Department of Homeland Security (DHS): Cybersecurity and Infrastructure Security Agency (CISA). “Assessments: Cyber Resilience Review (CRR)” https://www.us-cert.gov/resources/assessments
- Duncan, Ian. “Baltimore Estimated Cost of Ransomware Attack at $18.2 Million as Government Begins to Restore Email Accounts.” Baltimore Sun, May 29, 2019.
- Epicor Corporation. Protecting Yourself From Ransomware. January 2020.
- Fadilpasic, Sead. “Welcome to the era of Ransomware 2.0” ITProPortal. February 12, 2020. https://www.itproportal.com/news/welcome-to-the-era-of-ransomware-20/
- Federal Communications Commission. Cyber Security Planning Guide. https://www.fcc.gov/cyber/cyberplanner.pdf
- Gutman, Yotam. “What is the True Cost of a Ransomware Attack.” SentinelOne. January 8, 2020. https://www.sentinelone.com/blog/what-is-the-true-cost-of-a-ransomware-attack-6-factors-to-consider/
- Iloh, Raphael. “The 3-2-1 Backup Rule and Effective Cybersecurity Strategy.” Management Wire. January 7, 2020. https://www.managementwire.com/the-3-2-1-backup-rule-and-effective-cybersecurity-strategy/
- Jendre, Adrien. “Ransomware Attacks: Why Email Is Still the #1 Delivery Method.” Vade Security. January 16, 2020. https://www.vadesecure.com/en/ransomware-attacks-why-email-is-still-the-1-delivery-method/
- Kass, DH. “Average Ransomware Payment Rises Again: Research.” MSSP Alert. April 30, 2020. https://www.msspalert.com/cybersecurity-research/average-ransomware-payment-rises-again-research/
- Kraft Technology Group. “When Was The Last Time You Tested Your Business Backups?” https://www.kraftgrp.com/when-was-the-last-time-you-tested-your-business-backups/
- MailChannels. “What is Spam Filtering?” https://www.mailchannels.com/what-is-spam-filtering/
- MIT Technology Review. “Ransomware May Have Cost the US More Than $7.5 Billion in 2019.” January 2, 2020. https://www.technologyreview.com/2020/01/02/131035/ransomware-may-have-cost-the-us-more-than-75-billion-in-2019/
- National League of Cities Report. “Protecting Our Data: What Cities Should Know About Cybersecurity.” Forward by Clarence Anthony, CEO and Executive Director.
- Pearson Education. Ubuntu Unleashed. 2015 Edition.
- Ranger, Steve. “What is cloud computing? Everything you need to know about the cloud explained.” ZD Net, December 13, 2018. https://www.zdnet.com/article/what-is-cloud-computing-everything-you-need-to-know-from-public-and-private-cloud-to-software-as-a/
- Samani, Raj. “Ransomware – Mitigating the Threat of Cyber Security Attacks.” Zerto. 2019. https://www.zerto.com/wp-content/uploads/2019/09/ransomware-mitigating-the-threat-of-cyber-security-attacks.pdf
- San Mateo Grand Jury Report. Security of Election Announcements. 2018-2019.
- Search Networking. “Protocols, Lesson 6: IP subnetting - The basic concepts.” October 2004. https://searchnetworking.techtarget.com/tutorial/Protocols-Lesson-6-IP-subnetting-The-basic-concepts
- Sheehan, Patrick. “Cascading Effects of Cyber Security on Ohio.” Ohio Emergency Management Agency. September 19, 2012.
- Stone, Adam. The Weakest Link. Government Technology Magazine, October/November 2018.
- Trend Micro. “Online Phishing: How To Stay Out Of The Hackers’ Nets” November 20, 2019. https://blog.trendmicro.com/online-phishing-how-to-stay-out-of-the-hackers-nets/
- Wu, David. “UCSF pays $1.14 Million Ransom to Recover Data.” San Jose Mercury News. July 4, 2020.

APPENDIX A – SURVEY QUESTIONS

1. Has your Organization had a Ransomware attack? Specifically, has there been an instance or multiple instances when an attack has locked up a computer or computers and presented a demand for ransom to unlock the infection? If you answered Yes or Possibly to Question 1, please provide a detailed description of the attack. What actions were taken once the attack was realized?
2. Is your Information Systems Budget adequate to secure your network properly from malicious attack?
3. Please provide an explanation of your Systems Backup processes. How often are backups run, where do you store the Backups?
4. Have you ever had to Restore from Backups? Please describe in detail why you did the Restore and describe the process used.
5. Do you provide training to employees regarding Malware?
6. What defenses do you currently employ to block malware? Please be specific. (Firewall brand/model, Software filters/spam blocker, etc.)

APPENDIX B – EMPLOYEE TRAINING OPTIONS

Phishing is the primary method of entry in cyber-attacks worldwide. Over the past few years, some security industry companies have come up with excellent testing, training, monitoring, measuring and reporting solutions to help with employee training. The primary goal of an employee training program is to change users’ behavior when viewing emails that might contain threats. The typical components of these solutions include:
- Customized phishing attacks designed to test employees in spotting attack attempts
- A simple-to-use reporting tool for users to flag suspected attacks
- An incident response platform for controlling the spread of an attack
- Reporting dashboards tracking user click-throughs
- Employee training programs

Here are some website links for the companies offering training solutions.
- www.knowbe4.com
- www.lucysecurity.com
- www.metacompliance.com
- www.mediapro.com
- www.cofense.com
- www.elevatesecurity.com
- www.securitymentor.com
- www.habitu8.io

APPENDIX C – EMAIL MESSAGE RULE - EXTERNAL

APPENDIX D – BACKUP & RECOVERY APPLIANCES & SERVICES

There are a large number of companies that provide Backup and Recovery solutions. Solutions Review has prepared a buyer’s guide for the leading vendors. Click on the following link or copy and paste this URL into a browser to get your own copy of this guide.
https://solutionsreview.com/backup-disaster-recovery/get-a-free-backup-and-disaster-recovery-buyers-guide/

Specifically, some of the vendors in this report do not provide appliances, only virtual server support. Here is a partial list of appliance and solution vendors:
- www.unitrends.com
- www.barracuda.com
- www.carbonite.com
- www.commvault.com
- www.dellemc.com
- www.axcient.com
- www.cohesity.com
- www.datto.com
- www.infrascale.com

APPENDIX E – PHISHING DEFENSE VENDORS

Some companies that provide solutions that improve email defenses are:
- https://www.opswat.com/products/metadefender/email-gateway-security
- https://www.agari.com/products/phishing-defense/
- https://www.inky.com/anti-phishing-software
- https://www.mimecast.com/products/email-security-with-targeted-threat-protection/

APPENDIX F: PUBLIC ENTITIES IN SAN MATEO COUNTY (68)

City/Town Governments (20)
- Town of Atherton
- City of Belmont
- City of Brisbane
- City of Burlingame
- City of Colma
- City of Daly City
- City of East Palo Alto
- City of Foster City
- City of Half Moon Bay
- City of Hillsborough
- City of Menlo Park
- City of Millbrae
- City of Pacifica
- Town of Portola Valley
- City of Redwood City
- City of San Bruno
- City of San Carlos
- City of San Mateo
- City of South San Francisco
- Town of Woodside

County Government (1)
- County of San Mateo, Information Services Department

School Districts (25)
- Bayshore Elementary School District
- Belmont Redwood Shores School District
- Brisbane School District
- Burlingame School District
- Cabrillo Unified School District
- Hillsborough City School District
- Jefferson Elementary School District
- Jefferson Union High School District
- La Honda Pescadero School District
- Las Lomitas Elementary School District
- Menlo Park City School District
- Millbrae School District
- Pacifica School District
- Portola Valley School District
- Ravenswood City School District
- Redwood City School District
- San Bruno Park School District
- San Carlos School District
- San Mateo Foster City School District
- San Mateo Union High School District
- Sequoia Union High School District
- San Mateo County Community College School District
- San Mateo County Office of Education
- South San Francisco Unified School District
- Woodside School District

Independent Special Districts (22)
- Bayshore Sanitary District
- Broadmoor Police Protection District
- Coastside County Water District
- Coastside Fire Protection District
- Colma Fire Protection District
- East Palo Alto Sanitary District
- Granada Community Services District
- Highlands Recreation District
- Ladera Recreation District
- Menlo Park Fire Protection District
- Mid Peninsula Regional Open Space District
- Mid-Peninsula Water District
- Montara Water and Sanitary District
- North Coast County Water District
- Peninsula Health Care District
- San Mateo County Harbor District
- San Mateo County Mosquito and Vector Control District
- San Mateo County Resource Conservation District
- Sequoia Healthcare
- West Bay Sanitary District
- Westborough Water District
- Woodside Fire Protection District

Not Included: County-governed special districts and subsidiary special districts governed by their respective city councils.

Issued: October 7, 2020

June 23, 2021

The Hon. Danny Y. Chou
Judge of the Superior Court
c/o Jenarda Dubois
Hall of Justice
400 County Center, 8th Floor
Redwood City, CA 94063-1655

Subject: Bay Area Water Supply & Conservation Agency Response to Grand Jury Report Entitled “Ransomware: It Is Not Enough To Think You Are Protected”

Dear Honorable Chou:

The Bay Area Water Supply & Conservation Agency (Agency) received the 2019-2020 Grand Jury report entitled “Ransomware: It Is Not Enough To Think You Are Protected.” In response, the Agency’s Board of Directors requested an internal IT report regarding the Agency's cybersecurity practices, which it received at the May 20, 2021 regular Board meeting. In addition, this letter responds to all of the findings and recommendations in the Grand Jury report.

Responses to Findings:

1. Ransomware is a real and growing threat to public entities, including those in San Mateo County.
The Agency agrees with this Finding.

2. Across the country, local governments and schools represent 12% of all Ransomware attacks.
The Agency does not have first-hand knowledge to agree or disagree with this statistic. The Agency nonetheless accepts the Grand Jury's finding.

3. The direct and indirect costs of Ransomware can be significant.
The Agency agrees with this Finding.

4. Cybersecurity reviews and assessments, and an updated, well-executed Cybersecurity plan, are critical components of IT security strategy.
The Agency agrees with this Finding.

5. A comprehensive Cybersecurity plan should include, at a minimum, information concerning prevention steps, spam and malware software, and backups and full recovery testing.
The Agency agrees with this Finding.

6. The identification of the phishing attempts, including the use of spam filters, is an important component to protecting an IT system from Ransomware attacks.
The Agency agrees with this Finding.

7. Testing a full restore of a server to ensure that backups are reliable should be undertaken regularly as part of an entity’s backup plan to recover lost information.
The Agency agrees with this Finding.

8. Training of new employees, and the recurring training of existing employees, is an important component of defense against Ransomware.
The Agency agrees with this Finding.

Bovet Road, Suite 650, ⚫ San Mateo, CA 94402 ⚫ ph 650 349 3000 ⚫ fx 650 349 8395 ⚫ www.bawsca.org
Conclusions 1
CL1
Page 12
Grand Jury survey results and in-depth interviews determined that some local government agencies have Cybersecurity strategies in place. For them, this report is asking those IT departments to re-challenge the sufficiency of their employee training, the regular (full) testing of their defense strategies and the adequacy/age of their Cybersecurity strategy including consideration of cloud hosting. For the rest, this is a good time to complete a review and see what additional measures can be taken to beef up their IT security using the information provided in this report as a guide.

The biggest trap is believing that a malware attack, or in the worst case a Ransomware attack, is unlikely to happen to organizations and that the Cybersecurity strategies already in place are sufficient to successfully recover.

As learned from the best practices example of the IT manager who thwarted two attacks successfully, a comprehensive Cybersecurity plan includes user prevention steps, spam and malware software, back-ups and full recovery testing. These suggestions as well as those from the professional literature on Cybersecurity include the following list of best practices:
- Anti-Malware definitions need to be constantly updated to retain their effectiveness.
- Software updates need to be kept current.
- To identify external emails, message rules can be used to flag external emails and thereby decrease the probability that a user clicks on bad content.
- To thwart phishing attempts, footers can be added to incoming emails to warn about opening attachments and clicking on links (see Appendix C).
- Security training, awareness and assessment need to be routine along with testing all employees to recognize, delete and report attempted attacks (see Appendix B).
- Establishing a thorough and comprehensive backup process for all Servers using the 3-2-1 rule and establishing a separate backup process for key users’ critical folders (e.g., administration, accounting, human resources) to be able to restore/recover from a secure onsite and/or offsite backup.
- Snapshots and/or image backups provide the most complete backup and the fastest recovery option.
- Consider cloud-hosting of email and other applications to provide added security, backup & restore capabilities and filtering benefits to close the largest and easiest route for Ransomware to penetrate entity systems.
No Responses Found 1
Government entities assigned to respond to this report. No response documents have been linked in our database.
San Mateo County Board of Supervisors
Elected County Office