San Marcos at risk before phishing scam

Report in fall 2015 found city lacked cybersecurity training.

Austin American-Statesman, Front Page. By Taylor Goldenstein, tgoldenstein@statesman.com

More than a year before the February phishing attack that led a San Marcos employee to accidentally leak hundreds of W-2 forms, an assessment identified the city’s lack of cybersecurity training as a vulnerability.

The assessment, completed in the fall of 2015 by SHI Security Services, found that the city didn’t have a security awareness training program. The finding was one of a dozen low- and high-risk vulnerabilities listed in a draft version of the report obtained by the American-Statesman and was described as “the easiest to solve.”

A follow-up test was conducted with the city’s blessing, according to the city’s former information technology infrastructure manager, Lenora Newsom. The test found a number of San Marcos employees fell for a simulated phishing email sent with the help of a security consultant, Newsom said.

The city’s IT director purchased a one-year employee training package from that consultant, KnowBe4, but the plans to roll out the training took longer than expected, city spokeswoman Kristi Wyatt said. The IT department submitted a budget request last year to extend the subscription, she said, but that request was denied during the fiscal 2017 budgeting process.

Newsom, who left the city in August 2016, was one of more than 800 current and former employees whose W-2s were stolen last month. When the city notified her of the breach, Newsom said she was infuriated.

“I thought, ‘Are you kidding me? I worked really hard to prevent this,’” Newsom said. “I believe that San Marcos is ahead of a lot of places in the IT realm ... but this was a piece that, well, in my opinion, was not taken seriously.”

Wyatt confirmed that the city doesn’t have mandatory cybersecurity training for employees outside of its information technology department. Rather, managers periodically send emails to employees with educational materials and information about the latest hacking trends, and human resources employees talk to new hires about cybersecurity, Wyatt said.

The city’s IT director is working on creating a training program and on Friday held its first citywide, in-person training on security, Wyatt said.

“The city will continue to provide security awareness and expand training to all employees,” Wyatt said. “Training is only one factor in protecting our information from scammers. ... In many incidents, including our recent attack, human error plays a role. While we can’t prevent every possible breach, we can and have taken steps to limit our exposure.”

City focusing on improvements

The report by SHI Security Services described the lack of training as a “low-risk” finding. But it noted that the “issues described represent a demonstrable risk of service interruption and/or theft of sensitive data with a medium- or high-level of exploit skills.”

City officials declined to comment on the draft report obtained by the Statesman.

“The recent phishing incident is currently being investigated by the San Marcos Police Department, and the city is also working closely with the IRS and the FBI,” Wyatt said, adding that “further discussions could further compromise our security situation.”

Mike Sturm, the city’s IT director, wasn’t available for an interview Friday. But he said in an emailed statement that, after buying the training package from KnowBe4, the department began “evaluating, testing, and developing a plan to implement training across the organization.” Wyatt was unable to provide information about why the city didn’t approve the IT department’s request to extend the subscription for the KnowBe4 training package during the fiscal 2017 budgeting process.

Stu Sjouwerman, CEO of KnowBe4, said he couldn’t speak about any specific customer, but said sending educational emails and going over information with new employees isn’t a strong enough method of preventing breaches.

Sjouwerman said his company has had success in reducing its customers’ vulnerability to attacks by training. In one example he offered, a customer went from about 16 percent of its employees falling for simulated attacks to 1 percent.

“There will always be somebody who has an off day and falls for that attack anyway,” he said. “But it’s dramatically less” with training.

Luck ran out

The type of attack that duped the San Marcos employee in February, in which a hacker impersonates a familiar contact to trick someone into forwarding confidential information, is called “CEO fraud” and is increasingly common, Sjouwerman said.

In February, the IRS issued a warning about such a W-2 phishing scam that had initially targeted the corporate sector but had spread to other areas, including school districts, tribal organizations and nonprofits.

That same month, employees of Belton school district’s business office released W-2 forms for about 1,700 current and former district workers after being targeted by a phishing email that appeared to be from the district’s superintendent. The forms include sensitive information, such as Social Security numbers, and some hackers use the information to file fraudulent tax returns seeking refunds.

In the case of the San Marcos breach, city officials have said, the email requesting the information was made to look as if it came from the mayor. Sjouwerman said hackers can configure such emails using a forged address. That’s why it’s so important for employees to be trained to recognize and flag suspicious emails, he said.

In a June 29, 2016, email obtained by the Statesman, Sturm requested that employees of the human resources department incorporate the KnowBe4 software into new hires’ training — right away. “There are so many phishing emails and direct calls going around, that if a new employee doesn’t understand the risk on their first day, there is huge security risk to the City,” Sturm wrote. “Yes, we have been lucky so far.”

Photo: DEBORAH CANNON / AMERICAN-STATESMAN 2015

A report from 2015 determined that the lack of cybersecurity training for city employees in San Marcos could be a vulnerability.
