To get them to take a non-lawyer's advice, that is. Illinois Attorney General responds to cybersecurity attack, audit warning
So as I mentioned earlier, the Illinois Attorney General's Office got hit by a ransomware attack, most or all of their files were encrypted and work basically stopped. One story said that they were applying for delays in various court cases because they had no access to documents.
It also came to light, in an audit, that they were not following basic cybersecurity guidelines. They had some bovine scatology answer about "competing priorities" which I took to mean that the lawyers didn't want to spend money on stuff they didn't understand.
Now we have a statement from the Illinois Attorney General, Kwame Raoul, from his testimony to the House Appropriations General Services Committee hearing.
Since the attack, Raoul said his office has set up multiple layers of security, and put in place application-level security and monitoring, network authentication requirements, and firewalls. In addition, his office has implemented “continuous vulnerability scanning,” and intrusion detection and response protocols for their network, he said.
OK, so here is my question to Mr. Raoul: Why the F*%# was none of this in place years ago. This is not rocket-science-level computer security. This is what EVERY organization that has servers exposed to the public internet should be doing. I would guess, that whoever supplies Information Technology support to the AG's Office has been asking for this for a long time.
But...
- It costs money,
- It makes the lawyers' lives marginally more difficult when they log into the system remotely, and
- Lawyers don't understand what hackers do, so it can't be important.
All of these security enhancements could have been in place for years, at no additional cost over what they have today, and as a bonus, the AG's office would (perhaps) not have been as crippled as they have been in the weeks since the attack.
Now I can't say that they could have screened out all chances of an attack. But when you run a system in 2021 that is basically "low hanging fruit" from a hackers point of view, I have trouble feeling sorry for you when you get hit by a hack.
None of those things would have saved an organization from the Microsoft Exchange server bug/fiasco. But I haven't seen any references to exactly how the breach occurred.
pretty sure the answer is in your quote. Yep, there it is, just the name alone (and of course DDG'ing it proves the thesis): Kwame Raoul
ReplyDeleteIs that a trick question Deb? I'm thinking an axe would be appropriate!!
ReplyDeleteNobody is serious about security. People talk about it but even huge IT security companies are getting hacked. SolarWinds? Microsoft? Systems aren't designed with security in mind and businesses have to try to defend everywhere even though they don't know where vulnerabilities exist. And smarter hackers spend huge amounts of time looking for exploits. Even still, most hacks are inside jobs. It's a losing game and anyone who promises you security is either stupid or dishonest.
ReplyDelete