Written by Rebecca San Juan on June 25, 2019
Miami-Dade County and the county’s cities are safeguarding their financial data through multi-layered approaches, protecting information from a variety of hackers on the prowl.
The county and the cities shelter all types of information with equal attention. Health information, financial information and personally identifiable information all receive the same treatment and level of priority.
“All of the data that we have, we work to protect and prevent that data from being intentionally exposed by malicious actors,” said the county’s chief information security officer, Lars Schmekel.
Frank Quintana, City of Miami Beach information technology support division director, shares the same message when asked specifically about financial data: “We don’t look at financial data any differently than we do from our other production systems that have critical information to the city or that may hold citizen information in them. We include that in our kind of overall security policies and procedures, the way that we secure our infrastructure. To us, we look at it with an equal level of importance.”
The lesson to municipalities here and elsewhere became very clear in May when a cyberattack by digital extortionists in Baltimore froze thousands of city computers, shut down email, and disrupted such municipal activities as facilitating real estate sales, sending water bills, offering health alerts and far more.
Information technology professionals here admit hackers often seek certain information over other types.
“As an industry as a whole, financial data and personal identifiable information are typically the most high-risk type of information,” Mr. Quintana said. “Any time you can make money off of something, it kind of puts it as a higher value target. Selling PII information or financial data is always something that has a lot of reward in store for whoever is able to capture that.”
But hackers have different motivations. With those different motivations, says Mr. Schmekel, they employ different tools and tactics.
Script kitties rent malware to steal information from organizations. Another group targets an organization for exemplifying an ideology counter to the hacker’s own beliefs.
Mr. Schmekel said, “They disrupt the online services for the county where they might do something like a website defacement where they just put their manifesto out on the county’s website, saying, ‘You’ve been hacked. Here is what we’re demanding.’ In some cases, they do things that are designed to take an entity’s web presence offline. Those are called distributed denial service attacks.”
Advanced persistent threats, or those trying to impact operations and gain intelligence, are also of concern.
Insider abuse is also a possibility, Mr. Schmekel said. “An employee or disgruntled former employee who believes they have been wronged may try and use the privileges that they have in their job to be able to get information which might be used to their benefit.”
And, finally, criminal enterprises creating ransomware target local and private agencies alike.
“They are bringing systems and county operations to a halt and they are charging a ransom fee to unlock your files in your system so that you can continue operations,” Mr. Schmekel said. “That payment is made to them and there is no guarantee that you are going to get the keys to unlock the information.”
“Threats can come in the form of emails, phone calls, or even from the inside,” Michael Sarasti, chief information officer and director of innovation and technology for the City of Miami, writes by email. “We have to be aware of all possible threats and find the best ways to reduce them as quickly as possible.”
Staff education is critical, says Mr. Sarasti: “Hackers may target specific departments or employees looking for specific information. It’s often a series of small, but progressive attacks. They try to get a little bit of information, then a little bit more – all with an intent to get higher levels of access into our networks. They often send communication requests to multiple employees with the hope that at least one will provide them with some type of information they are looking for. That’s why educating employees is one of the key factors in preventing data leaks.”
New city employees attend an orientation meeting with instructions on computer use and approach for cyber threats. All employees are required to report suspicious files, emails or requests. They are also notified if Mr. Sarasti’s department detects any dubious communication.
Data breaches constitute a serious threat for all organizations in the county as well as across the country. A spokesperson for the City of Coral Gables writes to Miami Today, “We are aware of the alarming cyberattacks targeting U.S. cities recently and recognize the risk exposure to our city and all local municipalities. The City of Coral Gables is extra vigilant in protecting its assets in order to prevent any breaches on cybersecurity. We continue working diligently with the help of auditors and industry experts to deal with the cyber threats organizations like ours are facing nowadays, and remain alert.”
Mr. Sarasti said, “Cities – including the City of Miami – use a combination of advanced security software and internal-access restrictions to keep systems safe. Threats have become far more sophisticated. New vulnerabilities are discovered almost every day in all type of systems. As a result, organizations are increasingly relying on innovative technologies such as behavior analytics and Artificial Intelligence detection systems.”
The county and many cities share a common goal – avoid stolen data and the risks involved with loss of information. Stolen information can lead to a range of troubles, from financial fraud to property value changes essentially effecting taxes.
Administrations work within a broader network of agencies to protect information. Law enforcement partners at the federal, state and local levels are often involved.
Strategies may evolve over time, Mr. Sarasti told Miami Today. “This is a rapid evolving space, and we must continuously review internal department policies and reinforce employee compliance through on-going education and trainings.”