Baltimore's patching mistake

On May 7, 2019, the City of Baltimore was hit by ransomware. A month later, in June, Ars Technica reported that the city had already lost $18 million. At that point, it was still far from full recovery. Less than a third of employees were back at work. Many were using "paper-based workarounds."

How did this happen? Because the city was behind on patching.

While hackers and foreign agents do seem to be aggressively going after American city governments and law firms, the City of Baltimore itself was not targeted. Cybercriminals simply look for the places where defenses are down and entry is easy, like thieves who try the handle of every parked car on the street in a search for one that's been left unlocked. This was not a zero-day attack. The breach was the result of a giant spray attack looking for the weakest member of the herd.

The city government's paralysis could have been prevented with timely patching. Hackers used an exploit called EternalBlue, for which Microsoft had provided a fix two years ago. Likewise, a reported 90% of hacked firms could have saved themselves with a patch.

Patching can be tedious and time-consuming, and it lacks the visibility of innovative IT projects.

Still, not patching amounts to negligence, especially when privileged data is at stake.

Losing control of data

While the city is undoubtedly suffering - systems for tracking water bills, property taxes, and parking fines are down, and Baltimore's IT team has been working round-the-clock to provide the city's 10,000 employees with new passwords - the cyberattack has even more worrying long-term implications for its citizens.

The Ars Technica article points to evidence that "personal identifying data, health data, and other sensitive information" was stolen during the hack, which is likely to leave behind a long trail of identity theft and other violations. It will not speak well of Baltimore as a place to put down roots.

Where were the backups?

The cyberattack and the city's reaction to it revealed other remarkable gaps in its technology.

The New York Times reported:

It could take months of work to get the disrupted technology back online. That, or the city could give in to the hackers' ransom demands.
"Right now, I say no," Mayor Bernard Young told local reporters on Monday. "But in order to move the city forward? I might think about it. But I have not made a decision yet."

Mayor Young's deliberation over whether to give in to the extortionist demands (against the advice of the FBI) in order to get the city's systems running points to a concerning lack of backups. Kraft Kennedy installs cloud-based, up-to-the-minute backups for our clients with Datto, which also provides security experts with access to event logs, firewall logs, file access records, and registry information for security incident remediation.

Equifax

The Baltimore catastrophe recalls another high-profile cyberattack that led to an enormous exposure of privileged data that could have been prevented with a patching routine.

When the credit-scoring company Equifax was breached, the personal data of 143 million people was exposed. In a familiar story, hackers exploited a vulnerability for which a patch had been released two months earlier. Getting into the unpatched systems was "simple."

Consider also that when Microsoft or other vendors release a patch, they typically provide detailed information on the issue that the new patch resolves. Such information can amount to a blueprint for attacking unpatched systems (and Windows 7 will be such an unpatched and at-risk system in January 2020).

Danger for the legal industry

While Baltimore and Equifax could not hide that they had been attacked, we know from experience that many other such attacks go unreported. That is understandable: who wants to admit to such an unforced error?

Law firms especially are in danger. The FBI has warned the industry multiple times that it is being persistently targeted.

Automating patching is the answer

So what is the solution?

A Network World article entitled "The unrelenting danger of unpatched computers" suggests automation, the assignment of clear responsibility, and inventory-taking.

Kraft Kennedy has developed solutions to make all of these tasks straightforward, so our clients can get back to the work they actually want to do. Our Managed Services team manages updates for clients, testing and applying patches as they are released.

For larger firms with many servers, Kraft Kennedy has also pioneered Automated Server Patching. Whereas IT teams used to have to stay up all night to patch such environments, they can now leave it to the efficient tools our Managed Services team has developed. To learn more about getting automated, patched, and protected, we encourage you to reach out to us at hello@kraftkennedy.com.