WKRG Mobile reports that the Mobile Housing Board has been “hacked” and robbed of an estimated $500,000.
Government entities are frequent targets of exploit because of the perceived “value” of the target, such as personnel data (useful to identity thieves) and account information (for fraud). Particularly at the local level, government agencies can be easy targets for hackers or other bad actors, including internal threats.
Why? There are several reasons, pointing to where the vulnerabilities reside.
- Government entities are perceived as high-value targets. Even a small local government entity can be useful to a hacker, particularly if it is a step to get to an even higher value target. Large or strategic government entities such as the Department of Defense and Department of the Treasury are under constant attack because of the high-value information an intruder potentially could harvest. Nation-states launch advanced persistent threats against US government entities regularly. These threats grow more elaborate and sophisticated over time.
- Government entities often have large amounts of personal information on individuals and corporations. They also have large amounts of money in various accounts. Both are very interesting targets for hackers.
- Government entities by law must maintain a certain amount of transparency through audits and public information disclosures. Information such as email addresses, account information, employee names and titles can be exposed and potentially used for phishing attacks.
- Cyber-security may not be given sufficient budget priority in local government entities. This can contribute to a lack of tools, awareness and expertise.
- Higher-level government entities often provide lower-level ones detailed guidance on cyber-security practices and tools, but likely do not provide resources to implement or maintain them.
- Local government entities generally do not have sufficient governance over security or business continuity and recovery from incidents. They tend to have less mature plans and have heavy dependence on third party contractors. This may create significant additional vulnerabilities.
Much of the problem is rooted in, or complicated by, lack of resources, lack of expertise and/or inefficient security operations.
John Sawyer, associate director of services and red team leader at IOActive, says “Security is one of those areas it’s tough to get funding for,” says Sawyer. “It’s seen as a sinkhole”. He also noted that it is often hard to determine whether or not the investments made in cyber-security are doing the job for your company.
We don’t yet know what the nature of the hack against Mobile Housing Authority was. The incident apparently happened early this year. However, given this incident, the Authority should initiate a review of its cybersecurity practices and tools. It should also update its asset, threat and vulnerability assessments, and then update its incident response and recovery plans and procedure with this experience in mind.