WECHU’s Data and Cyber Security
With the advent of technology, organizations have benefited from increased resource capacity. This benefit, while great, also exposes organizations to a greater risk of theft through cyber-related crime. In recent months, attacks on the City of Baltimore, the Riviera Beach, Florida Police Department and Algoma Public Health have highlighted the impact cyber crime has had on public sector organizations. On May 7th, 2019, hackers digitally seized about 10,000 government computers from the City of Baltimore and demanded around $100,000 USD worth of bitcoin to free them. On May 29th, 2019, a staff person in the police department at Riviera Beach opened an e-mail infected with ransomware, causing their entire system to go down. Their council authorized the city insurer to pay 65 bitcoins ($600,000 USD) in the hope that the hackers would provide a decryption key to regain access to their data. On April 19th, 2019, hackers successfully targeted data on Algoma Public Health’s network with ransomware. Algoma’s systems were down for weeks as they worked to restore services.
The Windsor Essex County Health Unit (WECHU) utilizes multiple systems, vendors and best practices to reduce the risk of cyber threats. This report details our ongoing efforts to address the impacts of cyber crime in our organization.
WECHU’s Information Technology Department (“IT”) has employed several layers of security to protect the WECHU, its data and staff. The diagram below depicts the layers that protect our data.
WECHU staff represent the first layer in our layered security solution. IT is in regular communication with staff regarding threats that pass through the WECHU’s systems. IT provides training to staff, advising them to be cautious at all times with e-mails containing hyperlinks and attachments, even if they appear to be from familiar senders. Real-time network monitoring allows us to establish benchmarks and send threshold notifications for immediate investigation. IT performs security awareness training at departmental meetings. Additionally, we are investigating third-party training solutions to help augment staff awareness of cyber-related threats.
The next layer, the intrusion detection system, is WECHU’s Palo Alto appliance. This appliance has a subscription to Palo Alto’s industry-leading Threat Prevention Services, which allows the WECHU to stop known threats before they can connect to any of our systems. The firewall also employs SSL decryption, a method that allows the WECHU to see inside normally encrypted traffic. Only SSL traffic to financial institutions and government websites passes through without being decrypted.
The next layer is the firewall. It exposes only the bare minimum of our network to the outside world. The WECHU only allows services like inbound e-mail and web traffic to pass to the WECHU network. This traffic is untrusted and is moved into a zone of control. WECHU maintains several zones to prevent communication between services and computers where it is not required. For example, only the Barracuda E-mail Security Gateway accepts e-mail and web traffic, and it can never initiate a request to the internal network. These basic zones of control ensure that a compromised node (server or workstation) is limited in the scope of WECHU systems that interact with it.
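To illustrate the zones of control described above, the following is an added example (not WECHU’s own firewall configuration) that models a default-deny, direction-aware zone policy: the untrusted zone may open connections only to the gateway, and the gateway may answer but never initiate a connection inward. Zone names, services and the assumption that an internal mail server pulls mail from the gateway are mine.

```python
from dataclasses import dataclass, field

# Rules list which side may INITIATE a connection (source zone, destination
# zone, service). Anything not listed is denied: "expose the bare minimum".
# Zone and service names are assumptions, not WECHU's real policy.
ALLOWED_INITIATIONS = {
    ("internet", "dmz", "smtp"),        # inbound e-mail reaches the gateway only
    ("internet", "dmz", "https"),       # inbound web traffic reaches the gateway only
    ("internal", "dmz", "smtp"),        # assumption: internal mail server pulls from gateway
    ("internal", "internet", "https"),  # staff browsing leaves through the firewall
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


@dataclass
class ConnectionTable:
    """Minimal stateful tracker. Simplified to (zone, zone, service) keys;
    a real firewall tracks each connection's full address/port tuple."""
    established: set = field(default_factory=set)


def evaluate(flow: Flow, table: ConnectionTable) -> str:
    """Return 'ALLOW' or 'DENY' for a packet opening or continuing a flow."""
    key = (flow.src_zone, flow.dst_zone, flow.service)
    if key in ALLOWED_INITIATIONS:
        table.established.add(key)
        return "ALLOW"
    # Reply traffic is allowed only in the reverse direction of a flow that
    # the permitted side opened; this is how the gateway can answer the
    # internal network without ever being allowed to initiate toward it.
    if (flow.dst_zone, flow.src_zone, flow.service) in table.established:
        return "ALLOW"
    return "DENY"  # default deny, including any dmz -> internal initiation


def audit(flows):
    """Evaluate a sequence of flows in order; returns a list of verdicts."""
    table = ConnectionTable()
    return [evaluate(f, table) for f in flows]


SAMPLE = [  # constructed traffic, in arrival order
    Flow("internet", "dmz", "smtp"),       # mail arrives at the gateway
    Flow("internet", "internal", "smtp"),  # attempt to reach mail servers directly
    Flow("dmz", "internal", "smtp"),       # gateway tries to initiate inward
    Flow("internal", "dmz", "smtp"),       # internal server pulls mail from gateway
    Flow("dmz", "internal", "smtp"),       # gateway's reply to that pull
]
```

Running `audit(SAMPLE)` yields ALLOW, DENY, DENY, ALLOW, ALLOW: the same gateway-to-internal packet is denied as an initiation and allowed as a reply.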
An additional specialized firewall, the Barracuda E-mail Security Gateway, looks at all e-mail before delivery to our mail servers. This allows IT to inspect, remove or quarantine e-mail before it reaches the network.
The aforementioned systems work very well for known threats, but an unknown threat, or a fast-moving, newly discovered threat, can bypass these protections. Antimalware engines at both the firewall and the desktop make up the next layer of our security solution, monitoring the behaviour of applications using a decision model to determine whether the applications are behaving as anticipated. If they are not, the system quarantines the process and notifies IT immediately of the potential threat.
The next layer of our security solution is traditional antivirus. As files are retrieved and processes run, the memory the computer accesses is reviewed, and files are sandboxed or tested until proven safe. This process can quickly identify files as they move between workstations and the internet, or vice versa.
The final layer of our security solution is the operating systems. The WECHU IT Department monitors operating systems including Windows, Linux and vendor proprietary systems. Daily, IT reads bulletins, release notes and threat assessments and determines actions to mitigate the risk of a cyber threat. By maintaining current patches and eliminating legacy systems or protocols, IT is able to provide a secure environment for WECHU staff to carry out their responsibilities.
The following individuals contributed to this report:
- Mike Martin
- Fernando Bayuga
- Lorie Gregg