Not surprisingly, attacks intended to disable computer systems in South Dakota schools increase about the time of semester tests. The culprits, presumably, are students who are smart enough to launch Distributed Denial of Service (DDoS) attacks on institutional networks but are too lazy or too mischievous to study for exams.
Jim Edman, a technology official in South Dakota state government (shown speaking in photo), noted the rather amusing timing of DDoS attacks during the Sioux Falls Cybersecurity Conference, which was held March 27 at the Holiday Inn City Centre. Edman is the deputy commissioner and chief information security official in the Bureau of Information and Telecommunications.
Edman also recounted a frustrating case in which experts spent months tracking the person responsible for an attack, only to have the investigation stymied by an uncooperative school district. The suspected attacker avoided significant consequences.
Those were among the interesting tidbits shared by local, state and national cybersecurity experts who participated on two panel discussions. The Sioux Falls Area Chamber of Commerce and the U.S. Chamber of Commerce hosted the regional conference.
Of special relevance to the business-oriented audience of about 225 people was a discussion of two real-life ransomware attacks that happened over the past several years in Sioux Falls. The Sioux Falls Area Chamber of Commerce and Sioux Falls Catholic Schools were both victims. In both cases, human shortcomings – not equipment failures – allowed malware to infect networks.
Thane Barnier, web development and information technology manager for the Sioux Falls Chamber, described how he and others worked 60 straight hours restoring data. They ran out of time, however, and reluctantly had to pay a small ransom to save the organization’s membership database.
Sioux Falls Catholic Schools avoided paying a ransom. But Joe Hurley, informational technology director for the system (shown speaking in photo), said he spent about two years after the attack convincing staff members that they don’t have to open every email they receive. Suspicious and possibly tainted emails should just be deleted, he said.
Related blog: Chamber's experience underscores value of good cyber training
Related blog: Schools turn phishing attacks into educational opportunity, raise awareness
The six-hour conference featured individual speakers as well as the two group discussions. One of the panels focused on the role of state and federal agencies in cybersecurity. The other focused on what organizations should do after they are hacked.
Experts on both panels stressed the need for businesses to effectively back up their data away from their main network to minimize the potential impact of successful attacks.
“Back up. Back up. Back up,” said Harley Rinerson, cybersecurity advisor for the Office of Infrastructure Protection in the U.S. Department of Homeland Security. “We’re a data-driven society.”
Jared Ducommun, a cyber insurance specialist with Howalt + McDowell Insurance, said his company deals with three or four cyber claims a year. The price of insurance is going down because the product is becoming more popular, he said. Generally, the more updated a company’s network, the less the cost.
Social engineering is the biggest cause of computer issues, Ducommun said. Social engineering refers to hacker tactics such as phishing with fake emails to trick employees into releasing sensitive information or providing entry to a network.
The weakness of the human link protecting networks was another recurring theme at the conference. The potential vulnerabilities of employees at every level of organizations attest to the need for good, ongoing training.
No matter if a network intrusion or data breach is the result of an equipment failure, flawed software or human carelessness, the impact on businesses can be devastating. Industry or federal regulations often require that data breaches be disclosed to alert potentially affected customers.
In addition, as Edman pointed out, South Dakota recently became the 49th state with its own data breach notification requirement. Gov. Daugaard signed Senate Bill 62 into law on March 21. It will become law July 1. South Dakota’s law is similar to public-disclosure measures in other states. Alabama is now the only state without a notification law.
South Dakota’s law requires the attorney general to be notified if 250 or more state residents have to be advised of a breach. Companies that fail to notify customers of breaches as required by the law can be prosecuted and required to pay civil penalties. Hopefully, those provisions won’t come into play often.
WATCH the panel discussions and other presentations from the conference in this YouTube playlist.