While speaking in Nacogdoches County during May, state cybersecurity officer Tony Sauerhoff asked attendees to guess how many malicious connection attempts the state blocks in a 24-hour period. The guesses: 50,000 … over a million.
The answer, he said, is 900 million. That's almost a billion a day every day, Sauerhoff said, emphasizing the magnitude of the threat to just the state's network.
"We are all targets," he said, whether city, county or state.
Sauerhoff, the state cybersecurity coordinator at the Texas Department of Information Resources, was among the speakers at the first County Technology Workshop of 2022. The series of daylong events, sponsored by the Texas Association of Counties (TAC) and the V.G. Young Institute of County Government, ran from May through July and were spread across the state.
Sauerhoff said most of the probes are automated and the attackers include nuisance hackers, hacktivists, organized crime and state-sponsored threats, with Russia, China, North Korea and Iran among the leaders in that last category.
Lately, phishing has been closely linked with ransomware, he said.
"Folks click on a link or open an attachment that they're not supposed to … without thinking about where it's coming from, whether it's legitimate or not, and that's how the ransomware gets in," Sauerhoff said.
Since 2019, at least 17 counties and 35 cities have been hit by ransomware technology attacks, he said. That's down from the 23 local governments that were shaken by the ransomware blitz of late August 2019.
Cyberattack on Lone Star County
In an interactive session based on a ransomware attack on the fictitious Lone Star County, TAC's Robert Ruiz and Andrea Beard covered scenarios and possible solutions to the breach. Their presentation used a video showing how a county employee finds a USB drive on the street and attempts to wipe it on his county computer, but he ends up infecting the network. Problems soon begin to cascade and include malfunctioning equipment, locked accounts and malicious emails.
"You're going to see a common thread here: email, email, email," said Beard, a Legal Liability Claims Supervisor with TAC Risk Management Services.
Moreover, the average time before the detection of malware is 192 days, said Ruiz, Associate Director of TAC Risk Management Services.
"It's not if but when you will be hit," he said. So, safeguards have to be in place to protect against external threats and internal vulnerabilities, he said. "Cybersecurity is about people, process, technology."
Some solutions to head off such an attack would include a computer isolated from the network that could be used to check USB drives, training on opening unverified emails and multifactor authentication (MFA).
"If you don't have MFA in play, you're a ticking time bomb," Beard said.
How to not be gator bait
Conference attendees also heard from Chad Adams, a cybersecurity expert with the federal Cybersecurity and Infrastructure Security Agency. He outlined the many powerful services the U.S. government offers, including a phishing campaign assessment. Its levels of difficulty range from one to six, he said, and difficult is very difficult.
"It might fool your IT people," Adams said.
Another is a remote penetration test, where a team identifies vulnerabilities.
"You'll know that they were there," he said, because the team will present you with evidence, such as a list of all your passwords.
The best part is the price.
"Everything we offer is free," he said, but there is a wait time of six to eight months for some services.
In closing, state cybersecurity officer Sauerhoff said that it isn't possible to totally prevent a breach.
"You just need to make your network harder to get into than the next one," said Sauerhoff, who has ties to Louisiana. "You don't have to outrun the alligator, just your buddy."