Santa Barbara County Grand Jury
• 2020-2021
• Agency Response
Response to:
CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY
Gua May 26, 2020 The Honorable Judge Michael J. Carrozzo Presiding Judge, Santa Barbara Superior Court*
⚠️ Translation Notice: This content has been automatically translated. The original English text is the official version. Translation may contain errors.
⚠️ Este contenido ha sido traducido automáticamente. El texto original en inglés es la versión oficial. La traducción puede contener errores.
Findings and Recommendations 5 findings
F4
Nationally, cyber-attacks on governmental organizations have been successful for many years and are occurring with more frequency and sophistication. Response: Agree. <b>Recommendation 4</b> That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats. Response: Has been implemented. A hardened firewall, updated regularly, is in place to • Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 protect all City IT infrastructure from external attacks. To help remedy internal attacks, all City staff are limited to access only the data needed to perform their job functions. Auditing in place on servers allows for tracking of suspicious behavior. Enterprise-grade anti-virus is installed to protect data from any malicious activity. The City will receive a cybersecurity scan of its network to identify any weaknesses. The City will have its employees change their passwords often and will include multifactor authentication. In addition, the City is evaluating other alternatives to mitigate security risk, which may include moving records from a physical server to a cloud-based system, cybersecurity scan of its network, further isolating and protecting backups, updating to Microsoft Office 365, and rotating out outdated equipment.
Related Recommendations (1)
R4
That each public entity within Santa Barbara County take substantial steps to protect data from internal and external attacks or threats.
F5
Cyber-attackers use a number of methods to install malicious software on systems including access through backdoors, staff or employee carelessness, and known bugs in software. Response: Agree. .
Related Recommendations (4)
R5a
That each public entity within Santa Barbara County install and maintain current antivirus software to detect malware and other threats. • Response: Has been implemented. Enterprise-grade anti-virus is installed on all appropriate devices to protect data from any malicious activity (malware and other threats).
R5b
That each public entity within Santa Barbara County install and update all operating software regularly. Response: Will be implemented. The City is already in the process of upgrading all servers. The City's plan is to complete upgrades of all old workstations and laptops throughout the coming year fiscal year 20-21. The City's accounting system is in the process of being upgraded and should be completed within one year. All systems owned by the City receive weekly security updates to the current operating systems, as well as line of business applications where appropriate.
R5c
That each public entity within Santa Barbara County periodically train employees and then test their cyber security awareness. Response: Will be implemented pending available funds for service. The City will be developing a cyber-security awareness training plan for its employees within the next 6 months. Testing cyber-security awareness for the City's employees is best completed using services purchased from a 3rd party. The City currently has no funds available for this purpose. The City will seek attempt to obtain funding for this purpose by applying Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 for grants and/or trying to increase revenue. The City will instruct its employees about cyber security awareness by advising all City employees about the Grand Jury's report and the City's response and direct all employees to read the Grand Jury's report in order to increase cyber-security awareness.
R5d
That each public entity within Santa Barbara County periodically ensure electronic system- related contractors have been trained for cyber security awareness. Response: Has been implemented.
F6
If data is lost or compromised for any reason, including cyber-attack, mechanical failure or error, the most cost effective and expedient way to recover is to have current data backups and a plan to reinstall it. Response: Agree.
Related Recommendations (2)
R6a
That each public entity within Santa Barbara County create and implement a full backup and recovery plan. . Response: Has been implemented. Enterprise-grade backup and disaster recovery software is installed on all servers. All City data is stored on the servers. The City's IT service provider continually updates the recovery plan as changes take place. However, the City is evaluating the alternative of having offsite cloud backups.
R6b
That each public entity within Santa Barbara County regularly update and test their backup and recovery plan. Response: Has been implemented. The City's IT service provider tests the integrity of backups, as well as the recovery process, every 3 months. The back and recovery plan is updated as changes are made.
F7
Some public entities within Santa Barbara County do not have any, or adequate, cyber insurance. • Response: Agree.
Related Recommendations (1)
R7
That each public entity within Santa Barbara County secure adequate cyber insurance. • Response: Has been implemented. The city has cyber insurance through the California Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 Joint Powers Insurance Authority.
F8
A cost-effective method to address cyber risks and concerns is to form an information sharing and learning consortium. Response: Agree. • <b>Recommendation 8</b> That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance. Response: Has been implemented. The City is already actively addressing cyber risks and concerns; however, the City is willing to participate in such a cyber security working group and share costs provided that the City has available funds for such purposes. Sincerely, Ariston D. Julian Mayor Gina Rubalcaba, Mayor pro tem Tony Ramirez, Council member Eugene Costa Jr., Council member Liliana Cardenas, Council member Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 <b>RESOLUTION NO. 2020-39</b> A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF GUADALUPE ADOPTING A RESPONSE TO THE SANTA BARBARA COUNTY GRAND JURY REPORT ENTITLED "CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY" WHEREAS, the Santa Barbara County Grand Jury released a report on March 18, 2020 titled "Cyber-Attacks Threaten Santa Barbara County" with eight (8) findings and twelve (12)
Related Recommendations (1)
R8
That each public entity within Santa Barbara County that is unable to allocate adequate funds for cyber security develop a cybersecurity working group to establish best practices and share costs for education, expertise, and insurance.
Conclusions 6
-
CL1Ensuring critical cyber security tasks and activities are properly executed on a timely basis requires a designated individual to be accountable and responsible. Response: Agree. <b>Recommendation 1</b> That each public entity within Santa Barbara County designate an individual to be accountable and responsible to oversee cyber security. Response: Has been implemented. The City Administrator has been designated the primary individual to be accountable and responsible to oversee cyber security.
-
CL2Most public entities within Santa Barbara County have an inadequate understanding of what communication and electronic systems they use and what data they maintain, and do not fully Administration Department: Tel (805) 356.3891 Fax (805) 343.5512 918 Obispo Street P.O. Box 908, Guadalupe CA 93434 understand the risks, security issues and costs associated with the destruction of systems or loss of data. Response: Agree. •
-
CL3Some public entities within Santa Barbara County do not have a written cyber security plan. Response: Agree. •
-
CL4Have strong firewalls, appropriate authorization and access controls, and effective antivirus software. Strong firewalls prevent unauthorized outside access to an organization's systems and data. If an attacker cannot get into the system, it is harder for them to disrupt operations or damage or steal data. Having an appropriate authorization and access control system helps, among other things, assure that employees and authorized contractors can access only the systems and data they require to properly execute their duties and helps prevent unauthorized activities, theft, corruption or destruction of data. Antivirus software helps prevent software viruses, worms, "Trojan Horses," spyware or malware from being downloaded to an organization's electronic systems, as well as increasing protection from phishing attacks. . Install and update software regularly. Using the correct software and keeping it updated frequently is a strong step to help prevent attacks. Software providers are continually updating and improving their products to not only make it more effective but to address flaws that are discovered that could be used to attack an organization's systems or data. Old and out-of-date software is much more vulnerable than current software. Software should not only be updated on internal equipment but also on all portable devices that have access to the organization's systems.
-
CL5Maintain cyber security awareness and training for all employees. A system is only as strong as the people who are using it. While there are many ways to attack a system electronically, one of the easiest ways to get access to a system is to trick someone to open the door for you. This "social engineering" is cheap, effective and quicker than trying to break into a system through other means. Employees and contractors with access to the system should be made aware of the dangers of social engineering and phishing scams, and be trained how to prevent access through these means. This awareness and training should focus not only on electronic devices provided by the organization but also personal and portable electronic devices that have access to the organization's system via Wi-Fi, email or the internet.
-
CL6Create a recovery plan. While planning and prevention is a vital component to strong cyber security, the reality is that things can go wrong, attackers can succeed, and things break. Therefore, it is very important that an organization have a detailed and documented recovery plan. This plan, among other things, should include periodic backups, and safe offsite storage of backup data and system software. DocuSign Envelope ID: 0E7E470B-AF89-4B1A-A428-6D26C4BA7D54 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY
Observations 3
-
OB1Identify the nature of the organization's data and the electronic systems employed and understand the security risks. Organizations should understand what type of data they maintain and use in the execution of their mission and the electronic systems employed that do, or could, allow access to the data. How is the data handled and protected to prevent unauthorized use? Who has access to that data and under what circumstances? What are risks related to unauthorized access or, in the worst case, destruction of the organization's data?
-
OB2Establish a written cyber security plan. A cyber security plan adds a layer of protection to an organization's important resources. Protecting important data and related systems is important, not only for the organization, but also its customers. Cybercrime is escalating and having a strong defense and recovery plan helps protect the organization's reputation. A well written plan should not only detail the preventative steps the organization needs to take to prevent an attack, but also provide a recovery plan in case the data is attacked, corrupted or otherwise compromised. Protect data from internal and external threats. Data can be attacked or compromised from many sources, whether intentional or by accident. Protecting an organization's data and systems from an external threat and intentional attack is not enough—they also must be protected from unauthorized internal access, accidental corruption or destruction. An organization's plan needs to identify and 14 Edward Gately, "ESET: MSPs Not Proactive Enough with Cybersecurity", ChannelFutures.com, February 7, 2020 https://www.channelfutures.com/channel-research/eset-msps-not-proactive-enough-with-cybersecurity. (Last visited 02/10/2020) DocuSign Envelope ID: 0E7E470B-AF89-4B1A-A428-6D26C4BA7D54 CYBER-ATTACKS THREATEN SANTA BARBARA COUNTY 0 Unpatched software is software that has not been updated to the latest version provided by the vendor. Similar to outdated software, it can be easier to attack. . System misconfiguration is when settings within a computer program are not configured properly and could allow unauthorized access or unintended consequences. ٠ Inside attack is an attack by someone with authorized access to a computer system or network that uses the access in ways not approved or granted by the organization. This can sometimes occur when a terminated employee's system access has not been revoked on a timely basis.
-
OB3Physical attack involves gaining access to computer systems and networks through physical means. This includes unauthorized access to facilities and buildings but can also include accessing the systems and networks by using an unattended computer terminal. Every public entity within Santa Barbara County needs to be familiar with these dangers and threats and the steps that need to be taken to prevent them.
* This report's PDF did not contain easily extractable text and required Optical Character Recognition (OCR) for analysis. There may be minor errors in the extracted findings and recommendations due to OCR limitations with scanned documents.