DocuSign Envelope ID: DA971656-A924-48E0-9F8E-7158FAEE12FE
RESOLUTION NO. 155-2020
A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF BURLINGAME APPROVING
THE RESPONSE TO THE SAN MATEO COUNTY CIVIL GRAND JURY
WHEREAS, the 2019-2020 San Mateo County Civil Grand Jury released a report entitled,
"Ransomware: It Is Not Enough to Think You Are Protected"; and
WHEREAS, the report warns that ransomware and other malware attacks pose a
significant threat to all local government Information Technology (IT) systems; and
WHEREAS, the report concludes that IT staff should confidentially and urgently assess
their respective ransomware protection strategies and training and address any shortcomings in
their cybersecurity programs; and
WHEREAS, the City Council has received and reviewed the proposed draft response
letter attached hereto as Exhibit A.
NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF BURLINGAME RESOLVES AND
ORDERS AS FOLLOWS:
That the letter in response to the San Mateo County Grand Jury Report, "Ransomware: It
Is Not Enough to Think You Are Protected" is approved, and the Mayor is authorized to sign and
convey said letter on behalf of the City.
DocuSigned by:
Emily Beach, Mayor
I, Meaghan Hassel-Shearer, City Clerk of the City of Burlingame, certify that the foregoing
Resolution was introduced at a regular meeting of the City Council held on the 7th day of
December, 2020 and was adopted thereafter by the following vote:
AYES: COUNCILMEMBERS: BEACH, BROWNRIGG, COLSON, O'BRIEN KEIGHRAN, ORTIZ
NOES: COUNCILMEMBERS: NONE
ABSENT: COUNCILMEMBERS: NONE
DocuSigned by:
Meaghan Hassel-Shearer, City Clerk
EMILY BEACH, MAYOR
ANN O'BRIEN KEIGHRAN, VICE MAYOR
RICARDO ORTIZ
MICHAEL BROWNRIGG
DONNA COLSON
December 7, 2020
Honorable Danny Y. Chou
Judge of the Superior Court
c/o Jenarda Dubois
Hall of Justice
400 County Center, 2nd Floor
Redwood City, CA 94063-1655
The City of Burlingame
CITY HALL -- 501 PRIMROSE ROAD
BURLINGAME, CALIFORNIA 94010-3997
TEL: (650) 558-7200
FAX: (650) 566-9282
www.burlingame.org
Subject: City of Burlingame's response to 2019-2020 Civil Grand Jury Report entitled "Cybersecurity — It Is Not Enough To
Think you Are Protected"
Dear Judge Chou:
After reviewing the 2019-2020 Grand Jury report entitled "Cybersecurity — It Is Not Enough To Think you Are Protected," the
following are the City of Burlingame's responses to the Grand Jury's findings:
F1. Ransomware is a real and growing threat to public entities including those in San Mateo County.
Response: The City of Burlingame agrees with this finding.
F2. Across the country, local governments and schools represent 12% of all Ransomware attacks.
Response: The City of Burlingame agrees with this finding, although no effort was made to substantiate the actual
statistic.
F3. The direct and indirect costs of Ransomware can be significant.
Response: The City of Burlingame agrees with this finding.
F4. Cybersecurity reviews and assessments, and an updated well-executed Cybersecurity plan, are critical
components of IT security strategy.
Response: The City of Burlingame agrees with this finding.
F5. A comprehensive Cybersecurity plan should include, at a minimum, information concerning prevention steps,
Spam and malware software, and backups and full recovery testing.
Response: The City of Burlingame agrees with this finding.
F6. The identification of phishing attempts, including the use of spam filters, is an important component to
protecting an IT system from Ransomware attacks.
Response: The City of Burlingame agrees with this finding.
F7. Testing a full restore of a server to ensure that backups are reliable should be undertaken regularly as part of an
entity's backup plan to recover lost information.
Response: The City of Burlingame agrees with this finding.
F8. Training of new employees, and the recurring training of existing employees, is an important component of
defense against Ransomware.
Response: The City of Burlingame agrees with this finding.
The following are the City of Burlingame's responses to the Grand Jury's recommendations:
R1. Each of the governmental entities in San Mateo County with an IT department or IT function (whether in-house,
handled by another government unit or outsourced to a private enterprise) as listed in Appendix F, should by
November 30, 2020, make a request for a report from their IT organization that addresses the concerns
identified in the report, specifically:
Response: The City of Burlingame requested a written response to this recommendation from its IT management team,
in lieu of a separate report addressing these concerns, so that management could develop a response to the final three
recommendations of the report.
1. System Security (Firewalls, Anti-malware/Antivirus software, use of subnets, strong password policies,
updating/patching regularly)
The City of Burlingame utilizes several strategies to protect against nefarious acts including but not limited to:
• Industry recognized leaders' dedicated firewall appliances at all electronic entry points into the City. On each
firewall, all ports are blocked by default. Only known needed ports are opened, thus limiting the type of traffic
coming into the City network infrastructure.
• All servers and desktops run an industry leader endpoint protection software, which is automatically updated.
It provides key protections including: endpoint detection and response (EDR), which detects and investigates
suspicious activity with AI-driven analysis; anti-ransomware from sources including browsers, multi-media, MS
Office applications, and email; behavioral analysis (acting on many files in a short period) issuing warnings,
stopping errant processes, and notifying IT of such activity; malicious macros and other forms of code
detections and protections; and exploit prevention techniques, which detect and stop common and known key
vulnerabilities including zero-day attacks. The software communicates with the manufacturer's cloud site,
which continuously updates the local software with the latest protections.
• VLANs, or virtual segmented networks, are used strategically throughout the organization to limit end-point
access to servers and networks in which access is needed.
• Password policies are considered very strong and include required changing periodically, as well as not
allowing the re-use of recent passwords. Required changing has been suspended during the pandemic due
to having to VPN into the City's network, adding a layer of complexity as well as the reality of passwords
expiring for users who don't VPN in and only access cloud services such as email, with no user friendly method
of notifying users or them having an easy, intuitive way to change their password.
Register online with the City of Burlingame to receive regular City updates at www.Burlingame.org
• All servers are patched as appropriate, generally after a short while once a patch has been released and tested
by others as bug free.
• Two Factor Authentication is being researched and expected to be implemented City wide once the best
solution for the City is determined.
2. Backup & Recovery (In the event of an attack, can you shut down your system quickly? What is being
backed up, how it is being backed up, when are backups run, and where are the backups being stored?
Have backups been tested? Can you fully restore a Server from a backup?)
More than 12.5 TB of user data is backed up in multiple ways. Most importantly, a shadow copy is created twice
daily on the server to allow for easy rollback of deleted or changed files. In addition, files are backed up to an
on-premise dedicated appliance. The appliance replicates itself to the manufacturer's cloud on a daily basis. In the
event the on-premise device becomes infected with malware, including ransomware, the device can be wiped
clean and the data restored from the cloud's backup. If the backup device itself fails, within three business days a
new appliance will be shipped, which is pre-loaded with the City's backed-up data. Data can also be recovered
directly from the manufacturer's cloud storage. Daily backups are preserved for 12 days, weekly backups are
preserved for five weeks, monthly backups are saved for 12 months, and yearly revisions are kept for no less than
two years. The process is continuously being tested in normal operations via requests from users asking IT to
restore data from one of the previous day's backups.
All databases in the City's robust database infrastructure are included in all backup processes. As new databases
are brought online, the using department is involved in determining the requirements of the backup. For example,
is recovery to the previous night adequate, or is there a legitimate requirement to be able to restore the database
to within the last hour, such as the City's utility billing database in which hundreds of transactions occur daily? All
database servers run a process (agent) that is part of the backup appliance solution. In addition, some databases
also use the native database engine to back up a database, which is also included in the overall backup process.
The City runs in a robust, industry-best virtual environment. This not only allows the City to realize cost savings by
having many virtual servers running on fewer physical servers, it also allows the City to maintain hot-standby
servers in the Police Department data center.
It is the opinion of the City's IT Manager that the testing of a system-wide recovery is not practical as it is a mix of
different functions, services, and protections. In his opinion, it would be near, if not impossible, for any single
incident, short of a major catastrophe such as an earthquake or fire in the City Hall data center, to bring down the
entire infrastructure. Different functions/components are generally tested during the normal course of business as
functions fail, servers are patched, or requested data is restored.
All network devices have their configurations backed up nightly in the event of an equipment failure or breach.
3. Prevention (turning on email filtering, setting up message rules to warn users, providing employee training
on phishing and providing a reporting system to flag suspect content)
The City utilizes both cloud and an on-premise dedicated SPAM prevention appliance and software in which all
email is first run through before being delivered to recipients. The appliance continuously communicates with the
manufacturer's secure site to update its protections to the latest known threats. In addition, the appliance wraps all
links within an email with a path which, when clicked, first goes through the manufacturer's secure cloud services
to confirm (to the extent possible) that the link is legitimate and not a known hacking site.
The City pre-pends the subject of certain emails with [suspect] when an email contains one of many
known-to-be-trouble phrases such as "gift cards." Every external email pre-pends the body of the email with a warning that the
email is from an external source and to use caution when responding or clicking on any links contained within.
With more staff working remotely, IT staff has increased its frequency of cautionary e-mails warning all users of
common phishing schemes and malicious links. Staff intends to work with the HR Department on implementing a
segment on cybersecurity within its new employee orientation program.
Additional City Security Strategies
As cloud services become more a part of the City's infrastructure, City IT strives to connect cloud services to its
internal Active Directory security model. This allows IT staff to disable users in a single, secure place, which in turn
disables them on the connected cloud services.
City IT is investigating the implementation of multi-factor authentication. This effort has been ramped up given the
current pandemic environment in which the majority of the workforce is located outside of a City facility. Whereas
in the past security was focused on blocking external parties from the City's network, the pandemic has turned that
strategy into one which secures endpoints theoretically located anywhere in the world. Multi-factor authentication
is one of the predominant methods of securing access from outside the City's firewalls.
The City carries cyber security insurance in the event of a data breach, which provides the City with resources to
assist in the cost of recovery, including notifications to those whose personal information was likely breached. The
insurance carrier also has resources available to assist the City in implementing best practices to deter
cybersecurity attacks.
R2. These confidential internal reports should be provided to the governing body by June 30, 2021. This report
should describe what actions have already been taken and which will be given timely consideration for future
enhancements to the existing cybersecurity plan.
Response: The recommendation will not be implemented, as the City believes an analysis and discussion of its
cybersecurity practices are continually underway. An in-depth written report at a particular point of time would not be
useful to Council or management, as its efficacy would be recognized only by the technical staff that produced the
report. In the wrong hands, such a report could be used to circumvent the cybersecurity protocols the City has in place
and/or is considering. In addition, management does not believe a comprehensive cybersecurity report is the best use
of the City's IT resources. The pandemic has necessitated a largely technology-driven response, and IT staff is
occupied with enabling users to safely access the IT resources needed to provide continued services to the public as
efficiently as possible.
If the City Council or management request additional detail or have specific concerns regarding these protocols, these
will be immediately addressed. The summaries developed in response to R1 are meant to convey that the City's IT
staff are aware of the risks mentioned in the Grand Jury's report, as evidenced by the measures currently established
to prevent cyberattacks and be able to recover promptly should they occur. Staff continuously examines best practices
in cybersecurity, evaluating various tools available to protect access to data, software, and hardware systems, and their
suitability for the City's use.
R3. Given the results of their internal reports, governmental entities may choose to request further guidance by
means of a Cybersecurity review from the U.S. Department of Homeland Security and/or a cyber hygiene
assessment from the County Controller's Office.
Response: This recommendation will not be implemented because it is not warranted at this time. Although the City
IT personnel recognize the value of a cybersecurity review from the U.S. Department of Homeland Security (DHS), staff
feels the security measures currently in place represent affordable, usable, and practical best practices in cybersecurity.
As noted in response to R1, City staff is very much aware of the heightened risks of cyberattacks, and has implemented
protocols to guard against them and facilitate recovery in the event they do occur. Through research, trade journals
and websites, and participation in a state-wide coalition of municipal IT leadership, staff continuously monitors,
maintains, and upgrades to the latest cybersecurity measures, software and hardware, and best practices. If at some
point in the future IT resources become available, staff will reach out to DHS and/or the County Controller's Office for
their respective assessments.
R4. Given the results of their internal reports, governmental entities may choose to ask their IT departments to
review their own Cybersecurity Plan with the detailed template provided by the FCC's Cybersecurity Planning
Guide and consider customizing it using FCC's Create Custom Cybersecurity Planning Guide tool (see
footnote 52).
Response: This recommendation will not be implemented because it is not warranted at this time. The FCC's
Cybersecurity Planning Guide was reviewed and compared to solutions currently implemented in the City. In most
cases, the recommendations were already enabled, or are planned to be in the near future. Recommended solutions
within the Planning Guide not currently in place nor planned have been evaluated and deemed to be less suitable for
use by the City, generally due to one or more of the following: IT assessment of the solution cost versus the risk it
mitigates; alternative, yet equivalent, solutions already in place; and/or usability/complexity issues for City staff users.
The Burlingame City Council approved this response letter at its public meeting on December 7, 2020.
Sincerely,
Emily Beach
Mayor