📋
Extracted from Consolidated Report
This investigation was originally published as part of a larger consolidated report containing multiple investigations. View the consolidated PDF for the complete document.
San Mateo County Grand Jury
• 2019-2020
Issue City and county government computer systems are at risk of Ransomware attacks. Are adequate
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings 8 findings
F1
Page 72
Ransomware is a real and growing threat to public entities including those in San Mateo County. City response: City of Menlo Park agrees that cybersecurity threats, including ransomware, are a growing threat to public agencies.
F2
Page 72
Across the country, local governments and schools represent 12% of all Ransomware attacks. City response: City of Menlo Park agrees with the finding that local governments are increasingly the target of cybersecurity threats.
F3
Page 72
The direct and indirect costs of Ransomware can be significant. City response: City of Menlo Park agrees that the direct and indirect costs of cybersecurity threats are significant.
F4
Page 72
Cybersecurity reviews and assessments, and an updated, well-executed Cybersecurity plan, are critical components of IT security strategy. City of Menlo Park 701 Laurel St., Menlo Park, CA 94025 tel 650-330-6600 www.menlopark.org DocuSign Envelope ID: 7348ACE7-C70B-43BD-A11A-E88BC232048B City response: City of Menlo Park agrees with the finding.
F5
Page 73
A comprehensive Cybersecurity plan should include, at a minimum, information concerning prevention steps, spam and malware software, and backups and full recovery testing. City response: City of Menlo Park agrees with the finding.
F6
Page 73
The identification of phishing attempts, including the use of spam filters, is an important component to protecting an IT system from Ransomware attacks. City response: City of Menlo Park agrees with the finding.
F7
Page 73
Testing a full restore of a server to ensure that backups are reliable should be undertaken regularly as part an entity’s backup plan to recover lost information. City response: City of Menlo Park agrees with the finding.
F8
Page 73
Training of new employees, and the recurring training of existing employees, is an important component of defense against Ransomware. City response: City of Menlo Park agrees with the finding.
Recommendations 8
-
R1Page 73Each of the governmental entities in San Mateo County with an IT department or IT function (whether in-house, handled by another government unit or outsourced to a private enterprise) as listed in Appendix F, should by November 30, 2020, make a request for a report from their IT organization that addresses the concerns identified in the report, specifically: 1. System Security (Firewalls, Anti-malware/Antivirus software, use of subnets, strong password policies, updating/patching regularly) 2. Backup & Recovery (In the event of an attack, can you shut down your system quickly? What is being backed up, how it is being backed up, when are backups run, and where are the backups being stored? Have backups been tested? Can you fully restore a Server from a backup?) 3. Prevention (turning on email filtering, setting up message rules to warn users, providing employee training on phishing and providing a reporting system to flag suspect content) City response. Implemented. DocuSign Envelope ID: 7348ACE7-C70B-43BD-A11A-E88BC232048B
-
R2Page 74These confidential internal reports should be provided to the governing body by June 30, 2021. This report should describe what actions have already been taken and which will be given timely consideration for future enhancements to the existing cybersecurity plan. City response: Will be implemented
-
R3Page 74Given the results of their internal reports, governmental entities may choose to request further guidance by means of a Cybersecurity review from the U.S. Department of Homeland Security56 and/or a cyber hygiene assessment from the County Controller’s Office. City response: Further analysis required pending results from R1.
-
R4Page 74Given the results of their internal reports, governmental entities may choose to ask their IT departments to review their own Cybersecurity Plan with the detailed template provided by the FCC’s Cybersecurity Planning Guide and consider customizing it using FCC’s Create Custom Cybersecurity Planning Guide tool. City response: Further analysis required pending results from R1. Sincerely, Cecilia Taylor Mayor MAYOR CITY OF PACIFICA Deirdre Martin 170 Santa Maria Avenue • Pacifica, California 94044-2506 MAYOR PRO TEM www.cityofpacifica.org Sue Beckmeyer COUNCIL Sue Vaterlaus Scenic Pacifica Mary Bier Incorporated Nov. 22, 1957 Mike O’Neill December 14, 2020 Honorable Judge Chou: Hall of Justice 400 County Center; 8th Floor Redwood City, CA 94063-1655 Subject: Re: City of Pacifica’s response to the Grand Jury Report: “Ransomware: It Is Not Enough To Think You Are Protected” Honorable Judge Chou: Thank you for the opportunity to review and comment on the above referenced Grand Jury Report filed on October 7, 2020. Pursuant to Penal Code section 933 (c), the City of Pacifica’s response to both the
-
R5Page 78A comprehensive Cyberseciirity plan should include, at a minimum, information concerning prevention steps, spam and malware software, and backups andf ull recoveiy testing. The District agrees with this Finding.
-
R6Page 78The identification ofphishing attempts, including the use of spamf ilters, is an important component to protecting an IT system from Ransomware attacks. The District agrees with this Finding.
-
R7Page 78Testing a full restore of a server to ensure that backups are reliable should be undertaken regularly as part an entity 's backup plan to recover lost information. The District lacks information to fully agree or disagree with this Finding given that it did not conduct the research related to this Report. The District, however, accepts the Grand Jury's Finding for the purposes of this Response.
-
R8Page 79Training of new employees, and the recurring training of existing employees, is an important component of defense against Ransomware. The District agrees with this Finding. Lincoln Avenue . Daly City, CA 94015 . 650-991-1000 phone . 650-992-2265 fax . http://www.jsd.k12.ca.us 3of4 Recommenilations: /. Eacho ft he governmental entities in San Mateo County with an IT department or ITf unction (whether in-house, handledb y another government unit or outsourced to a private enterprise) as listed in Appendix F, shouldb y November 30, 2020, make a request for a report from their IT organization that addresses the concerns identifiedi n the report, specifically: /. System Security (Firewalls, Anti-malware/Antivirus software, use ofsilbnets, strong password policies, updating/patching regularly)
Conclusions 1
-
CL1Grand Jury survey results and in-depth interviews determined that some local government agencies have Cybersecurity strategies in place. For them, this report is asking those IT departments to re-challenge the sufficiency of their employee training, the regular (full) testing of their defense strategies and the adequacy/age of their Cybersecurity strategy including consideration of cloud hosting. For the rest, this is a good time to complete a review and see what additional measures can be taken to beef up their IT security using the information provided in this report as a guide. The biggest trap is believing that a malware attack, or in the worst case a Ransomware attack, is unlikely to happen to organizations and that the Cybersecurity strategies already in place are sufficient to successfully recover. As learned from the best practices example of the IT manager who thwarted two attacks successfully, a comprehensive Cybersecurity plan includes user prevention steps, spam and malware software, back-ups and full recovery testing. These suggestions as well as those from the professional literature on Cybersecurity include the following list of best practices: Anti-Malware definitions need to be constantly updated to retain their effectiveness. Software updates need to be kept current. To identify external emails, message rules can be used to flag external emails and thereby decrease the probability that a user clicks on bad content. To thwart phishing attempts, footers can be added to incoming emails to warn about opening attachments and clicking on links (see Appendix C). Security training, awareness and assessment need to be routine along with testing all employees to recognize, delete and report attempted attacks (See Appendix B). Establishing a thorough and comprehensive backup process for all Servers using the 3-2- 1 rule and establishing a separate backup process for key users’ critical folders (e.g., administration, accounting, human resources) to be able to restore/recover from a secure onsite and/or offsite backup. Snapshots and/or image backups provide the most complete backup and the fastest recovery option. Consider cloud-hosting of email and other applications to provide added security, backup & restore capabilities and filtering benefits to close the largest and easiest route for Ransomware to penetrate entity systems.