Cyber-attacks Threaten Santa Barbara County

Conclusions 9

• CL1
  Some public entities within Santa Barbara County do not have a written cyber security plan.
• CL2
  Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication.
• CL3
  Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software.
• CL4
  If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it.
• CL5
  Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. 2019-20 Santa Barbara County Grand Jury Page 8 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY
• CL6
  A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium.
• CL7
  Ensuring critical cyber security tasks and activities are properly executed on a timely basis requires a designated individual to be accountable and responsible.
• CL8
  Most public entities within Santa Barbara County have an inadequate understanding of what communication and electronic systems they use and what data they maintain, and do not fully understand the risks, security issues and costs associated with the destruction of systems or loss of data.
• CL9
  The 2019-20 Santa Barbara County Grand Jury determined that cyber-attacks and related threats are an ongoing reality and that all public entities within Santa Barbara County need to take prompt and aggressive steps to prevent significant disruption from these attacks. When cyber-attacks are successful, the costs to respond and recover can be in the millions of dollars. While some local public entities are taking steps to protect themselves from these risks, many are not adequately prepared. FINDINGS AND RECOMMENDATIONS Finding 1 Ensuring critical cyber security tasks and activities are properly executed on a timely basis requires a designated individual to be accountable and responsible. Recommendation 1 That each public entity within Santa Barbara County designate an individual to be accountable and responsible to oversee cyber security. Finding 2 Most public entities within Santa Barbara County have an inadequate understanding of what communication and electronic systems they use and what data they maintain, and do not fully understand the risks, security issues and costs associated with the destruction of systems or loss of data. Recommendation 2 That each public entity within Santa Barbara County complete a full inventory of their data, electronic and communication systems and determine the related security risks. Finding 3 Some public entities within Santa Barbara County do not have a written cyber security plan. Recommendation 3 That each public entity within Santa Barbara County establish a written cyber security plan. 15 Wany Zhao and Gregory White, “A collaborative information sharing framework for community cyber security,” published in Homeland Security (HST), 2012 IEEE Conference on Technologies for Homeland Security (HST), November 13-15, 2012 2019-20 Santa Barbara County Grand Jury Page 7 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY Finding 4 Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication. Recommendation 4 That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats. Finding 5 Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software. Recommendation 5a That each public entity within Santa Barbara County install and maintain current antivirus software to detect malware and other threats. Recommendation 5b That each public entity within Santa Barbara County install and update all operating software regularly. Recommendation 5c That each public entity within Santa Barbara County periodically train employees and then test their cyber security awareness. Recommendation 5d That each public entity within Santa Barbara County periodically ensure electronic system-related contractors have been trained for cyber security awareness. Finding 6 If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it. Recommendation 6a That each public entity within Santa Barbara County create and implement a full backup and recovery plan. Recommendation 6b That each public entity within Santa Barbara County regularly update and test their backup and recovery plan. Finding 7 Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. 2019-20 Santa Barbara County Grand Jury Page 8 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY Recommendation 7 That each public entity within Santa Barbara County secure adequate cyber insurance. Finding 8 A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium. Recommendation 8 That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance. REQUEST FOR RESPONSE Pursuant to California Penal Code Sections 933 and 933.05, the Santa Barbara County Grand Jury requests each entity or individual named below to respond to the enumerated findings and recommendations with the specified statutory time limit: Responses to Findings shall be either:  Agree  Disagree wholly  Disagree partially with an explanation Responses to Recommendations shall be one of the following:  Has been implemented, with brief summary of implementation actions taken  Will be implemented, with an implementation schedule  Requires further analysis, with analysis completion date of no more than six months after the issuance of the report  Will not be implemented, with an explanation of why Santa Barbara County Board of Supervisors – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 City of Buellton – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 2019-20 Santa Barbara County Grand Jury Page 9 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY City of Carpinteria – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 City of Goleta – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 City of Guadalupe – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 City of Lompoc – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 City of Santa Barbara – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 City of Santa Maria – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 City of Solvang – 90 Days Findings 1, 2, 3, 4, 5, 6, 7, and 8 Recommendation 1, 2, 3, 4, 5a, 5b, 5c, 5d, 6a, 6b, 7, 8 2019-20 Santa Barbara County Grand Jury Page 10

Observations 1

• OB1
  The responses to the Grand Jury’s survey showed most entities were deficient in one or more critical areas. Many of those surveyed reported that they had no cyber security plan, had never performed a security audit and carried no cyber insurance. Clearly, many public entities within Santa Barbara County are not fully prepared to withstand a cyber- attack. Important Concepts and Best Practices: As a result of its investigation, the Grand Jury found the following important concepts and best practices should be implemented as soon as possible to lower an organization’s risks from cyber threats and damage:  Identify someone to be in charge. Organizations should appoint a designated individual with the proper expertise who is granted authority to be accountable and responsible for all cyber security, including managed service providers.14  Identify the nature of the organization’s data and the electronic systems employed and understand the security risks. Organizations should understand what type of data they maintain and use in the execution of their mission and the electronic systems employed that do, or could, allow access to the data. How is the data handled and protected to prevent unauthorized use? Who has access to that data and under what circumstances? What are risks related to unauthorized access or, in the worst case, destruction of the organization’s data?  Establish a written cyber security plan. A cyber security plan adds a layer of protection to an organization’s important resources. Protecting important data and related systems is important, not only for the organization, but also its customers. Cybercrime is escalating and having a strong defense and recovery plan helps protect the organization’s reputation. A well written plan should not only detail the preventative steps the organization needs to take to prevent an attack, but also provide a recovery plan in case the data is attacked, corrupted or otherwise compromised.  Protect data from internal and external threats. Data can be attacked or compromised from many sources, whether intentional or by accident. Protecting an organization’s data and systems from an external threat and intentional attack is not enough—they also must be protected from unauthorized internal access, accidental corruption or destruction. An organization’s plan needs to identify and 14 Edward Gately, “ESET: MSPs Not Proactive Enough with Cybersecurity”, ChannelFutures.com, February 7, 2020 https://www.channelfutures.com/channel-research/eset-msps-not-proactive-enough-with-cybersecurity. (Last visited 02/10/2020) 2019-20 Santa Barbara County Grand Jury Page 5 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY address all possible threats and should require periodic changing of all passwords and making sure sensitive systems are contained in a secure environment with controlled access.  Have strong firewalls, appropriate authorization and access controls, and effective antivirus software. Strong firewalls prevent unauthorized outside access to an organization’s systems and data. If an attacker cannot get into the system, it is harder for them to disrupt operations or damage or steal data. Having an appropriate authorization and access control system helps, among other things, assure that employees and authorized contractors can access only the systems and data they require to properly execute their duties and helps prevent unauthorized activities, theft, corruption or destruction of data. Antivirus software helps prevent software viruses, worms, “Trojan Horses,” spyware or malware from being downloaded to an organization’s electronic systems, as well as increasing protection from phishing attacks.  Install and update software regularly. Using the correct software and keeping it updated frequently is a strong step to help prevent attacks. Software providers are continually updating and improving their products to not only make it more effective but to address flaws that are discovered that could be used to attack an organization’s systems or data. Old and out-of-date software is much more vulnerable than current software. Software should not only be updated on internal equipment but also on all portable devices that have access to the organization’s systems.  Maintain cyber security awareness and training for all employees. A system is only as strong as the people who are using it. While there are many ways to attack a system electronically, one of the easiest ways to get access to a system is to trick someone to open the door for you. This “social engineering” is cheap, effective and quicker than trying to break into a system through other means. Employees and contractors with access to the system should be made aware of the dangers of social engineering and phishing scams, and be trained how to prevent access through these means. This awareness and training should focus not only on electronic devices provided by the organization but also personal and portable electronic devices that have access to the organization’s system via Wi-Fi, email or the internet.  Create a recovery plan. While planning and prevention is a vital component to strong cyber security, the reality is that things can go wrong, attackers can succeed, and things break. Therefore, it is very important that an organization have a detailed and documented recovery plan. This plan, among other things, should include periodic backups, and safe offsite storage of backup data and system software.  Regularly update and test the plan. Just like practice fire drills are an important component of assuring the safety of employees, practicing the steps of an organization’s cyber security plan, especially the recovery components of the plan, is vitally important. Practice runs not only help to confirm if the plan works and what improvements could be made, they also prepare the organization for a fast response in the case of an actual attack. 2019-20 Santa Barbara County Grand Jury Page 6 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY  Consider working with other organizations to improve cyber security practices cost effectively. Working as a consortium provides an approach allowing even those with smaller budgets to participate and contribute to a successful security program.15

Agency Responses 9

Government agencies' official responses to this report's findings and recommendations. Click on a response to see the structured breakdown.