The Florida Association of Special Districts conference on Friday, Oct. 18 featured a presentation on cybersecurity by William Silliman, chief information officer for the Village of Wellington.
The conference was held at Hawks Cay Resort on Duck Key in the Florida Keys. Several local officials, including Indian Trail Improvement District President Betty Argue and Supervisor Joni Martin, attended the conference. FASD President Tanya Quickel, Wellington’s director of administrative and financial services, organized the event.
“There were a lot of people paying attention,” Argue said of Silliman’s presentation.
Silliman offered advice for any organization or individual to maintain a level of security from hackers trying to get into computer systems.
“In the FASD community, there are some that have a lot of money and some that do not. What I did was explain about why and how hackers are doing it. I told them about how the threat landscape has changed and gave them specifics on it, which I think was eye-opening for some of them,” Silliman said, explaining that recent incidents, such as a hack into the City of Riviera Beach, began with an innocent-looking e-mail that an employee opened, and it took over the entire system, demanding a ransom in Bitcoin to restore it.
The malicious package may be a fake invoice made to look like a vendor that a worker is accustomed to dealing with.
“When you click on it or enter your credentials, now they’ve got you. They’re hacking you,” Silliman said. “There’s a bunch of different methods, but ransomware is the biggest problem. Once they get in, whatever they can find, they encrypt and make you pay for it. An additional scare factor is they put a timer on your screen, and each time the timer hits zero, the price goes up.”
He said that defending against these hackers is not usually difficult, and most organizations have the means in place to defend against them — if they are used properly, kept up to date and the potential victim is diligent.
The most common hack is an e-mail spoof that poses as a familiar client but carries a malware package. Silliman noted that most systems, such as Microsoft or Google, have protection built in if it is turned on.
“It’s not just ransomware to watch out for. Phishing, spear phishing, database breaches — they’re going after credit cards,” he said. “There’s a new thing called ‘form jacking,’ where you go to a web site and you fill out an online form. If there’s not proper security on that, what they do is inject malicious code on that, and they’re capturing all that data, and/or if you hit OK on that, you’re actually hitting OK to download something onto your computer. You have to watch your forms now.”
Hackers are also going after virtual private networks (VPNs), a means for individuals to access their business network remotely, which gives the hacker access to the whole network.
“The other thing they’re doing is going after backups,” Silliman said. “They know that most places have only one backup system. They figure out if they get in, they grab the data, and then destroy the backups — either encrypt them, lock them, erase them, blow it up so I can’t use it. Then they have the one copy of the data, and they’ll demand six figures to get it back.”
Silliman said that one form of protection is to require two credentials rather than one: a general password plus an individual, per-login code.
“Most places now employ a two-factor identification to turn that on, because even if they steal your password, they need that second factor, that code, that gets sent to your phone. So, if they do trick you into clicking on that e-mail and you put in your credentials, and they then try to log in as you, they don’t have that second piece because they don’t have your phone or they don’t have that code generator,” he said.
Silliman added that computer users should regularly check to see that their built-in protection devices are functioning as they should and keep them up to date. “Try to stay within one, two, three versions of the latest to make sure there aren’t any bugs,” he said.
Multiple backups, such as a hard backup in addition to the cloud, are also recommended.
“Most backup solutions now, at least for cities, it gives what they call snapshots, so you’ve got a quick snapshot, which you’ve got locally, and then you burn that off the tape and then you burn it off the cloud… So, I’ve got it copied, and even if they do destroy one of them, I’ve got two others that I can go to as a good point of restore,” Silliman said.
He gave participants 10 key questions to ask their information technology departments, including whether files and folders are locked down, whether there is a password policy and how often passwords are changed, what access the information technology department has, whether there are backups, whether there is e-mail protection, whether the organization has cyber insurance, whether vendors are verified to have adequate security, and whether there is a cybersecurity training program.
“It’s not fun, by any means, but it’s something that everybody needs to hear and do,” Silliman said. “Even on a personal level, I want to make sure that AOL, Google, Yahoo, they all have two-factor identification, but it’s not on by default. You have to do a little bit of research and see how to turn it on. It’s a little bit of an annoyance, but it’s better than being hacked.”