Ransomware – Holding 911 Hostage

Security is one of the critical elements that anyone who operates a network should be concerned with. One industry in particular, Public Safety, is often thought of as being safe and secure, but in reality it is only as secure as its weakest link. 911 center directors in public safety need to be especially concerned with DDoS and Ransomware attacks. The information contained in their networks is very sensitive, and if compromised it could create a national disaster.

In response to events seen this week in the commercial space, I sat down with Trey Forgety, NENA Director of Public Safety and Government Affairs, to discuss this issue.

Fletch: Trey, welcome back. Unfortunately, every time we get to talk it’s never good news.

Forgety: That’s right. Today as in the past we’re experiencing some really, really tough issues.

Fletch: This week we have a cyber attack going on, not necessarily a DDoS attack but a Ransomware attack that is affecting commercial businesses and could potentially affect public safety as well.

Forgety: That’s right. Unlike a DDoS attack where someone tries to flood a network with more traffic than it can handle, in a Ransomware attack, they’re trying to deny you access to a computer by encrypting all of the files on the machine’s drive. The attack that we’ve seen today is particularly pernicious because unlike many in the past this one actually doesn’t require anyone to click on a link.

Fletch: That’s a little scary because I can totally understand the “click bait” that’s out there. You’ve just inherited 20 million dollars, click here – and then they use social engineering to basically collect information. How do you execute an attack without getting the user to interact? That’s new.

Forgety: It is sort of new. In this case, a vulnerability in something called the Server Message Block or SMB protocol. It’s a file sharing protocol that’s commonly used by Windows computers. A vulnerability in older versions of SMB that are still enabled on a lot of systems was exposed that can allow attackers to remotely execute code. Now, the good news is that there are mitigations. If you have your machine attached to the network with a firewall, for example, and you prevent off-network SMB access, that’s one way to hopefully shield your network from this type of attack.

Fletch: Now, is that something normal network administration, security administration would have enabled?

Forgety: One would hope so but it’s not the case everywhere. Looking at the networks that I administer personally it was only about a year or two ago that I got to looking at making sure regularly that things like SMB were explicitly blocked. A lot of folks try to fall back on a default deny rule so that everything I haven’t thought of will get denied. That works great but for a lot of things where you know there’s a vulnerability it’s also a good idea to go in and put in a hard rule so that if at some point in the future something changes, somebody changes the default rules or something, you know that that hard rule is always there to protect you. Now I make it a point of anything that doesn’t need to come into my networks from somewhere else in the world, I make sure to go ahead and explicitly block those things at my firewall.

Fletch: You know, when you look at a typical public safety IT department, they have a lot of great policing and knowledge but they don’t always have the best IT staff, nor do they have access to IT experts. I think that leaves a big chunk of our public safety kind of vulnerable, doesn’t it?

Forgety: You know, it absolutely does. We really have a workforce crisis in the public safety field on cyber security. That’s not unique to public safety, that workforce crisis exists across every sector of our economy. For us, it’s particularly acute because of the sensitivity of the public safety mission and its importance in safety of life. One of the things that I always tell folks is you’ve got to self-educate and you’ve got to get good at taking the basic steps that you can do without having an elite information security team on your side.

Fletch: NENA is very proactive with its member community. You’ve raised the awareness quite a bit over the past couple of years. There was an alert that went out late this afternoon to members letting them know. What did you announce there?

Forgety: First off, I appreciate your recognition because it really has been, both for NENA as an organization and for me personally, an important thing over the past few years to raise the profile of security issues. The step that we took today is sort of a new thing that we’re doing to try and be helpful when we do hear about a major new threat. We issued a memo late this afternoon that described the type of attack in fairly plain terms and then went on a little bit to talk about what the vulnerability is. I think most importantly we provided our members with five concrete actions that they can take right away to help protect their networks.

Fletch: What were those actions?

Forgety: The first thing is local PSAP or county IT administrators need to download the Microsoft patch for this vulnerability. They’re calling it MS17-010. You’re going to want an IT admin to test this patch to make sure you’re not breaking anything, knocking systems offline before you deploy it to everything. Nonetheless, it is something that needs to get patched in a very, very big hurry.

The second thing that we’re advising is that center managers should make sure that they check up on their backup process. They need to make sure that they have onsite and offsite and hopefully one of those is actually offline backups for all of their critical systems. Make sure those are routinely being maintained and periodically go in, verify and test restores for those backups. If you haven’t tested a backup you don’t know that it’s going to work and you can’t rely on it. We’ve seen that demonstrated rather dramatically just in the past year. We’ve seen some major software providers learn that three different backup systems weren’t working the way they thought and in fact, they were going to have to rebuild from scratch.

The third thing that we recommend is that PSAP IT departments consider permanently disabling the Server Message Block or SMB 1.0 and 2.0 protocols along with CIFS, the Common Internet File System. Those are all sharing protocols that are commonly used on the Windows systems that have this vulnerability, so SMB-1, SMB-2, and CIFS should all be turned off permanently. They still have SMB-3 as an option; that’s the version that is currently being maintained. More than anything, it will also give you higher speeds and better security going forward.

The fourth item, shift supervisors, and this is an important thing for us. A lot of our members are telecommunicators and dispatchers so we wanted to make sure that we have advice that shift supervisors can give to their frontline employees. Our advice is to make sure that front line employees are briefed to report any unusual computer behavior and to make sure they’re exercising added caution whenever they’re clicking links or entering credentials even in systems that they normally access. You want to just make sure that anything that your frontline employees touch from time to time they’re being a little bit extra careful about right now just to make sure you don’t accidentally leak credentials to a potential attacker.

Then the last thing we’re recommending is if you do fall victim to Ransomware whether it’s the current WannaCry attack or any subsequent attack, don’t pay. Don’t pay the ransom unless you absolutely have no other option for recovering your data. First, you should contact your local FBI field office and second notify the National Cyber Security and Communications Integration Center if an attack impacts your 911 service. I’ll give you their phone number here for your listeners. That’s 888-282-0870. Again 888-282-0870. Then as you do that make sure you’re taking steps to preserve log files and anything else that might be helpful in a forensic investigation.

Fletch: Now, fortunately, public safety is used to collecting evidence and documenting everything and that’s what’s really going to help to put an end to this. That’s what the FBI wants, all this detailed log data to help them trace back to the culprits.

Forgety: Absolutely. You know, the sad reality is that in any given case it’s unlikely that the FBI or anybody else is going to find the specific attacker and prosecute them for attacking you directly. But, taken together, correlated log files from across multiple attacks can allow agencies in law enforcement and intelligence to figure out where the attackers are coming from, find out what their common techniques are, and then ultimately go after those attackers where they live. For the long term that’s the most important thing.

Fletch: The obvious question here is, Next Generation-911 is going to provide a plethora of information, but in that, you’re connecting with the Internet of Things. How do we do that in a secure environment to gain the benefits of NextGen without opening up the door to allow these types of attacks to happen more easily? It’s kind of a double-edged sword.

Forgety: It’s absolutely true and that’s something we’ve had to acknowledge from day one. As you move to modern internet era technologies … Just to be clear, we’re not talking about putting 911 on the internet, that’s not what Next Gen 911 is about. We do use common internet technologies. A result of that is that you will have different types of vulnerabilities than what you face today with the telephone system. The good news though is that in addition to having new kinds of vulnerabilities you get access to all sorts of new tools that simply don’t exist in the telephone world to combat those vulnerabilities. At NENA for example in the i3 standard and the NGSX standard, we’ve worked very hard with the vendor and public safety communities to make sure that security mechanisms to protect these life critical systems are built in from the ground up.

Fletch: You bring up a good point, NENA is a standard definition organization, an SDO.

Forgety: That’s right. We’ve actually been the recognized SDO in the public safety field since the early 90s for 911. Our standards are universally adopted for things like ANI and ALI, how that data is transferred, how PSAP transfers occur, and how PSAPs answer calls. Then in 2011, we went from being just the recognized standards body to being both recognized and accredited. NENA got their ANSI accreditation. All that means is that we ran our standards process by The American National Standards Institute and they signed off that that process met their requirements for the minimum due process.

Fletch: NENA and EENA, the European Emergency Number Association, recently issued a joint press release about Next Generation 911 Services. That was a big deal.

Forgety: It was a really big deal. One of the advantages that often goes overlooked of moving to Next Generation-911 is that it brings public safety systems into the global standards realm. The I3 standard for NG-911 was intentionally designed with that in mind. We’ve worked very closely with EENA over the years to make sure that their standards for Next Generation-112 are aligned. They won’t be exactly the same because how they do things in Europe is a little different but they’ll be very well aligned with the I3 standard. What we announced earlier this year was that we were going to renew that effort and work even harder to drive global standardization in the NG-911 world.

Fletch: You also recently had the Canadian CRTC adopt the NENA i3 standard as their direction forward as they build out Next Generation north of the border.

Forgety: That’s right. In Canada the CRTC has recognized i3 as the standard for NG-911.

Fletch: What about to the south? What’s happening in South and Central America? I haven’t really heard much about Next Generation. People ask about it, but I haven’t heard of any real standards work down there.

Forgety: We’re not aware of any separate standards work going on in Central and South America but we do make available our standards developers and our standards work on a relatively free basis for others to develop into compatible systems. When it comes time for Central and South America to start looking at NG-911 all of that existing body of work will be there so that they can bring themselves into harmony with the global standards process.

Fletch: Also the ASEAN market. I’ve talked to a few people, a great group of folks that are currently attending George Washington University that also attended the recent 911 Goes to Washington conference. They were very interested in rolling out multimedia services over in Thailand. What they said to me is why should I go reinvent the wheel? Which totally makes sense.

Forgety: Absolutely, that’s what we’re hoping everyone around the world will do and so far what they seem to be doing.

Fletch: You are the official NENA hacker, and you got to go present at the DEF CON conference this year.

Forgety: As a matter of fact attacks like this and denial of service and so forth came up quite a bit. In fact, we were … Well, not us directly but the Dark Tangent, a guy by the name of Jeff Moss, the founder of DEF CON tweeted out months before the conference last year that he wanted a position on NG-911. I think that is a testament to how much these systems are making it into the popular consciousness, both in public safety and in the information security community. We’re hopeful that with some renewed effort on our part that we can get NG-911 in front of the Infosec community even more frequently.

Fletch: Again, it’s the security side of this, because if you look at any network unprotected it scares the hell out of me what could potentially happen. It’s not necessarily the use case of the network, I think that accentuates the importance of it, but it’s the security blanket that you’re going to wrap around this. That’s where the work really needs to be put in. It’s great to see you raising awareness and getting the industry focused on wrapping that blanket around public safety. Multimedia, multimodal communications, hey, that’s what the world does today, right? My daughter just came home from college today. I talked to her all day long, not once did I speak to her on a phone. We chatted, we FaceTimed, we did everything but make a phone call. I mean, that’s tomorrow, that’s what’s happening. You can’t ignore it any further. We’ve got to move public safety into that mode. Phone calls are going to go away, I believe.

Forgety: That’s absolutely right and as they do we’ve got to secure what comes next. We’re going to continue working very hard to do just that.

Listen to “NENA advises of Ransom-ware vulnerability for PSAPs” on Spreaker.

If you are interested, a complete audio version of this interview in its entirety is available here: TiPS – NENA’s Trey Forgety on Ransomeware
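Three of the five actions in the NENA memo (deploy MS17-010, disable SMBv1, and put an explicit firewall rule in front of SMB rather than relying on default deny) can be checked from one script on each Windows host. The script below is an added example for this post, not NENA’s tooling and not anything Forgety described; it uses only the built-in Get-HotFix, SmbShare and NetSecurity cmdlets. The KB list is a placeholder because MS17-010 carries a different KB number on each Windows version, and the subnet ranges are constructed values. It leaves SMB 2.0 alone on purpose: in Windows the SMB2 and SMB3 dialects share a single switch (EnableSMB2Protocol), so turning SMB2 off also turns off SMB3.

```powershell
# Added example, not part of the NENA advisory or the interview. Audits one
# Windows host for the patch, SMBv1 and firewall items discussed above and,
# with -Remediate, applies the fixes. Run from an elevated PowerShell 5.1+
# session on Windows 8.1 / Server 2012 R2 or later.
function Test-PsapSmbHardening {
    param(
        # Placeholder: MS17-010 ships under a different KB number for each
        # Windows version, so take the right ones from the Microsoft bulletin.
        [string[]]$Ms17010Kbs = @('KBNNNNNNN'),
        # Constructed example ranges; replace with the PSAP's own internal subnets.
        [string[]]$TrustedSubnets = @('10.10.0.0/16', '192.168.50.0/24'),
        [switch]$Remediate
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Patch: Get-HotFix lists installed updates by KB id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0
    if (-not $patched) {
        $findings.Add('MS17-010 update not installed: test it, then deploy without delay.')
    }

    # 2. SMBv1: two switches matter, the server-side protocol flag and the
    #    optional Windows feature that provides the SMBv1 driver.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 is enabled on the SMB server.')
        if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }
    # Client SKUs expose the driver as the SMB1Protocol optional feature; on
    # server SKUs it is the FS-SMB1 role feature, so this check is skipped there.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings.Add('The SMB1Protocol Windows feature is still installed.')
        if ($Remediate) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    # 3. Firewall: the "hard rule" pattern. Block rules win over allow rules in
    #    Windows Firewall, so a blanket block on TCP 445 would also stop
    #    legitimate internal file sharing. Instead: an explicit block on the
    #    Public profile (untrusted networks) plus narrowing the built-in
    #    File and Printer Sharing allow rules to the trusted subnets.
    $ruleName = 'PSAP - Block inbound SMB on public networks'
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings.Add("Explicit block rule '$ruleName' is missing.")
        if ($Remediate) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Profile Public -Action Block | Out-Null
        }
    }
    $open = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -Enabled True |
        Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' }
    if ($open) {
        $findings.Add('Inbound file sharing rules accept connections from any remote address.')
        if ($Remediate) {
            Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
                Set-NetFirewallRule -RemoteAddress $TrustedSubnets
        }
    }

    if ($findings.Count -eq 0) {
        'No findings: patch present, SMBv1 off, SMB blocked off-network.'
    } else {
        $findings
    }
}

# Audit only; add -Remediate to apply the changes after testing on a non-production host.
Test-PsapSmbHardening
```

Run it without -Remediate first and read the findings; as Forgety says, the patch in particular should be tested by an IT admin before it is pushed to every console, and the same goes for the firewall narrowing, which will cut off any file share client that sits outside the subnets you pass in.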
