Did the City of Atlanta adhere to cybersecurity best practices but still fall victim to a ransomware attack? Or did it leave unattended previously identified vulnerabilities that had existed in its IT infrastructure for some time?
Two new reports claim Atlanta knew it was exposed and could have done more to shore up its cyber defenses ahead of last week's ransomware attack. Months earlier, the city was warned in an internal, confidential audit that its infrastructure was vulnerable to hackers, according to a new CBS46 investigation.
Background: A ransomware attack hit Atlanta’s network infrastructure on March 22, crippling some municipal offices and customer-facing applications. While officials are still rummaging through the rubble to determine the damage, a few systems have been brought back online but others remain idled. To date, the city appears determined to refuse to pay the extortionists’ $50,000 demand.
Moving too Slowly?
A 41-page audit presented to the city last summer described its IT systems as alarmingly vulnerable to a cyber attack, CBS46 reported. At the time, Atlanta had no formal plans to fortify its cyber flanks, the audit revealed. The assessment accused the city of complacency and of dragging its feet in tackling numerous “severe and critical vulnerabilities” that have “existed for so long,” as CBS46 reported. The audit also chided the city for leaving its IT departments without the necessary tools, resources and time to analyze and fix the flawed systems.
Apparently, it was months later that Atlanta’s Information Management unit came up with a suitable blueprint to strengthen the city’s deficient network infrastructure. When the ransomware attack hit last week, Atlanta was in the process of installing several new security features but was slowed by insufficient resources, city auditor Amanda Noble told CBS46.
So far, Atlanta mayor Keisha Lance Bottoms has not said how the city is progressing on repairing the specific vulnerabilities detailed in the audit, the report said.
Another Audit: More Concerns?
Meanwhile, a second audit uncovered similar network security flaws in Atlanta’s mass transit system, where remediation has apparently also lagged, CBS46 reported separately. While that system thus far remains untouched by this ransomware infection, officials declined to say whether the city has met the spring schedule to fix the vulnerabilities identified in the audit. In a statement, mass transit representatives said the agency is working with outside consultants (MSSPs, perhaps?) to examine its systems. “We have been diligent in developing and executing a strategy for the remediation of gaps and vulnerabilities,” city officials said, while declining to provide specifics.
Atlanta’s rapid transit system, which carries 500,000 riders each day, is the eighth largest in the U.S.
Earlier this week, Atlanta hired Mike Cote, CEO of Secureworks -- a Top 100 MSSP for 2017 -- to investigate the ransomware attack. Cote reportedly thinks he knows who’s behind the cyber extortion but declined to provide any more information.
Other security executives have also weighed in on the ramifications of the Atlanta attack.
“The attack on the city of Atlanta shows once again that ransomware is not going away anytime soon. Organizations can continue to layer additional security tools into their IT stacks, but until employees have a better understanding of what they should and shouldn’t be clicking on, these types of infections will continue to occur,” said Jon Toor, Cloudian CMO. “IT teams should not wonder if they might be targeted next, but assume that they’re already in the attacker’s crosshairs,” he said.
Backup alone isn’t enough protection against ransomware because backed up files can be infected as well, Toor said. “Organizations must store data in a manner where that data is unchangeable, even by ransomware. This will create another security layer with data that is immediately accessible.”
Atlanta Ransomware Attack: Latest Recovery Information
Meanwhile, the city has launched an online information hub containing the latest updates on the ransomware attack and recovery. Also, a key city website -- called ATL311 -- has resumed accepting online requests for a range of city services. Atlanta had previously deactivated some of the online services out of an abundance of caution.