Reso - CC - 155-2020

DocuSign Envelope ID: DA971656-A924-48E0-9F8E-7158FAEE12FE

RESOLUTION NO. 155-2020

A RESOLUTION OF THE CITY COUNCIL OF THE CITY OF BURLINGAME APPROVING THE RESPONSE TO THE SAN MATEO COUNTY CIVIL GRAND JURY

WHEREAS, the 2019-2020 San Mateo County Civil Grand Jury released a report entitled, "Ransomware: It Is Not Enough to Think You Are Protected"; and

WHEREAS, the report warns that ransomware and other malware attacks pose a significant threat to all local government Information Technology (IT) systems; and

WHEREAS, the report concludes that IT staff should confidentially and urgently assess their respective ransomware protection strategies and training and address any shortcomings in their cybersecurity programs; and

WHEREAS, the City Council has received and reviewed the proposed draft response letter attached hereto as Exhibit A.

NOW, THEREFORE, THE CITY COUNCIL OF THE CITY OF BURLINGAME RESOLVES AND ORDERS AS FOLLOWS:

That the letter in response to the San Mateo County Grand Jury Report, "Ransomware: It Is Not Enough to Think You Are Protected" is approved, and the Mayor is authorized to sign and convey said letter on behalf of the City.

DocuSigned by:
Emily Beach, Mayor

I, Meaghan Hassel-Shearer, City Clerk of the City of Burlingame, certify that the foregoing Resolution was introduced at a regular meeting of the City Council held on the 7th day of December, 2020 and was adopted thereafter by the following vote:

AYES: COUNCILMEMBERS: BEACH, BROWNRIGG, COLSON, O'BRIEN KEIGHRAN, ORTIZ
NOES: COUNCILMEMBERS: NONE
ABSENT: COUNCILMEMBERS: NONE

DocuSigned by:
SD484C3D80E7449...
Meaghan Hassel-Shearer, City Clerk

EMILY BEACH, MAYOR
ANN O'BRIEN KEIGHRAN, VICE MAYOR
RICARDO ORTIZ
MICHAEL BROWNRIGG
DONNA COLSON

December 7, 2020

Honorable Danny Y. Chou
Judge of the Superior Court
c/o Jenarda Dubois
Hall of Justice
400 County Center, 2nd Floor
Redwood City, CA 94063-1655

The City of Burlingame
CITY HALL -- 501 PRIMROSE ROAD
BURLINGAME, CALIFORNIA 94010-3997
TEL: (650) 558-7200
FAX: (650) 566-9282
www.burlingame.org

Subject: City of Burlingame's response to 2019-2020 Civil Grand Jury Report entitled "Cybersecurity — It Is Not Enough To Think you Are Protected"

Dear Judge Chou:

After reviewing the 2019-2020 Grand Jury report entitled "Cybersecurity — It Is Not Enough To Think you Are Protected," the following are the City of Burlingame's responses to the Grand Jury's findings:

F1. Ransomware is a real and growing threat to public entities including those in San Mateo County.
Response: The City of Burlingame agrees with this finding.

F2. Across the country, local governments and schools represent 12% of all Ransomware attacks.
Response: The City of Burlingame agrees with this finding, although no effort was made to substantiate the actual statistic.

F3. The direct and indirect costs of Ransomware can be significant.
Response: The City of Burlingame agrees with this finding.

F4. Cybersecurity reviews and assessments, and an updated well-executed Cybersecurity plan, are critical components of IT security strategy.
Response: The City of Burlingame agrees with this finding.

F5. A comprehensive Cybersecurity plan should include, at a minimum, information concerning prevention steps, Spam and malware software, and backups and full recovery testing.
Response: The City of Burlingame agrees with this finding.

F6. The identification of phishing attempts, including the use of spam filters, is an important component to protecting an IT system from Ransomware attacks.
Response: The City of Burlingame agrees with this finding.

F7.
Testing a full restore of a server to ensure that backups are reliable should be undertaken regularly as part an entity's backup plan to recover lost information.
Response: The City of Burlingame agrees with this finding.

F8. Training of new employees, and the recurring training of existing employees, is an important component of defense against Ransomware.
Response: The City of Burlingame agrees with this finding.

The following are the City of Burlingame's responses to the Grand Jury's recommendations:

R1. Each of the governmental entities in San Mateo County with an IT department or IT function (whether in-house, handled by another government unit or outsourced to a private enterprise) as listed in Appendix F, should by November 30, 2020, make a request for a report from their IT organization that addresses the concerns identified in the report, specifically:

Response: The City of Burlingame requested a written response to this recommendation from its IT management team, in lieu of a separate report addressing these concerns, so that management could develop a response to the final three recommendations of the report.

1. System Security (Firewalls, Anti-malware/Antivirus software, use of subnets, strong password policies, updating/patching regularly)

The City of Burlingame utilizes several strategies to protect against nefarious acts including but not limited to:

• Industry recognized leaders' dedicated firewall appliances at all electronic entry points into the City. On each firewall, all ports are blocked by default. Only known needed ports are opened, thus limiting the type of traffic coming into the City network infrastructure.

• All servers and desktops run an industry leader endpoint protection software, which is automatically updated.
It provides key protections including: endpoint detection and response (EDR), which detects and investigates suspicious activity with AI-driven analysis; anti-ransomware from sources including browsers, multi-media, MS Office applications, and email; behavioral analysis (acting on many files in a short period) issuing warnings, stopping errant processes, and notifying IT of such activity; malicious macros and other forms of code detections and protections; and exploit prevention techniques, which detect and stop common and known key vulnerabilities including zero-day attacks. The software communicates with the manufacturer's cloud site, which continuously updates the local software with the latest protections.

• VLANs, or virtual segmented networks, are used strategically throughout the organization to limit end-point access to servers and networks in which access is needed.

• Password policies are considered very strong and include required changing periodically, as well as not allowing the re-use of recent passwords. Required changing has been suspended during the pandemic due to having to VPN into the City's network, adding a layer of complexity as well as the reality of passwords expiring for users who don't VPN in and only access cloud services such as email, with no user friendly method of notifying users or them having an easy, intuitive way to change their password.

• All servers are patched as appropriate, generally after a short while once a patch has been released and tested by others as bug free.

• Two Factor Authentication is being researched and expected to be implemented City wide once the best solution for the City is determined.

Register online with the City of Burlingame to receive regular City updates at www.Burlingame.org

2. Backup & Recovery (In the event of an attack, can you shut down your system quickly?
What is being backed up, how it is being backed up, when are backups run, and where are the backups being stored? Have backups been tested? Can you fully restore a Server from a backup?)

More than 12.5 TB of user data is backed up in multiple ways. Most importantly, a shadow copy is created twice daily on the server to allow for easy rollback of deleted or changed files. In addition, files are backed up to an on-premise dedicated appliance. The appliance replicates itself to the manufacturer's cloud on a daily basis. In the event the on-premise device becomes infected with mal-ware, including ransomware, the device can be wiped clean and the data restored from the cloud's backup. If the backup device itself fails, within three business days a new appliance will be shipped, which is pre-loaded with the City's backed-up data. Data can also be recovered directly from the manufacturer's cloud storage.

Daily backups are preserved for 12 days, weekly backups are preserved for five weeks, monthly backups are saved for 12 months, and yearly revisions are kept for no less than two years. The process is continuously being tested in normal operations via requests from users asking IT to restore data from one of the previous day's backups.

All databases in the City's robust database infrastructure are included in all backup processes. As new databases are brought online, the using department is involved in determining the requirements of the backup. For example, is recovery to the previous night adequate, or is there a legitimate requirement to be able to restore the database to within the last hour, such as the City's utility billing database in which hundreds of transactions occur daily? All database servers run a process (agent) that is part of the backup appliance solution. In addition, some databases also use the native database engine to back up a database, which is also included in the overall backup process.
The City runs in a robust, industry-best virtual environment. This not only allows the City to realize cost savings by having many virtual servers running on fewer physical servers, it also allows the City to maintain hot-standby servers in the Police Department data center.

It is the opinion of the City's IT Manager that the testing of a system-wide recovery is not practical as it is a mix of different functions, services, and protections. In his opinion, it would be near, if not impossible, for any single incident, short of a major catastrophe such as an earthquake or fire in the City Hall data center, to bring down the entire infrastructure. Different functions/components are generally tested during the normal course of business as functions fail, servers are patched, or requested data is restored.

All network devices have their configurations backed up nightly in the event of an equipment failure or breach.

3. Prevention (turning on email filtering, setting up message rules to warn users, providing employee training on phishing and providing a reporting system to flag suspect content)

The City utilizes both cloud and an on-premise dedicated SPAM prevention appliance and software in which all email is first run through before being delivered to recipients. The appliance continuously communicates with the manufacturer's secure site to update its protections to the latest known threats. In addition, the appliance wraps all links within an email with a path which, when clicked, first goes through the manufacturer's secure cloud services to confirm (to the extent possible) that the link is legitimate and not a known hacking site.

The City pre-pends the subject of certain emails with [suspect] when an email contains one of many known-to-be-trouble phrases such as "gift cards." Every external email pre-pends the body of the email with a warning that the email is from an external source and to use caution when responding or clicking on any links contained within.

With more staff working remotely, IT staff has increased its frequency of cautionary e-mails warning all users of common phishing schemes and malicious links. Staff intends to work with the HR Department on implementing a segment on cybersecurity within its new employee orientation program.

Additional City Security Strategies

As cloud services become more a part of the City's infrastructure, City IT strives to connect cloud services to its internal Active Directory security model. This allows IT staff to disable users in a single, secure place, which in turn disables them on the connected cloud services.

City IT is investigating the implementation of multi-factor authentication. This effort has been ramped up given the current pandemic environment in which the majority of the workforce is located outside of a City facility. Whereas in the past security was focused on blocking external parties from the City's network, the pandemic has turned that strategy into one which secures endpoints theoretically located anywhere in the world. Multi-factor authentication is one of the predominant methods of securing access from outside the City's firewalls.

The City carries cyber security insurance in the event of a data breach, which provides the City with resources to assist in the cost of recovery, including notifications to those whose personal information was likely breached. The insurance carrier also has resources available to assist the City in implementing best practices to deter cybersecurity attacks.

R2. These confidential internal reports should be provided to the governing body by June 30, 2021.
This report should describe what actions have already been taken and which will be given timely consideration for future enhancements to the existing cybersecurity plan.

Response: The recommendation will not be implemented, as the City believes an analysis and discussion of its cybersecurity practices are continually underway. An in-depth written report at a particular point of time would not be useful to Council or management, as its efficacy would be recognized only by the technical staff that produced the report. In the wrong hands, such a report could be used to circumvent the cybersecurity protocols the City has in place and/or is considering. In addition, management does not believe a comprehensive cybersecurity report is the best use of the City's IT resources. The pandemic has necessitated a largely technology-driven response, and IT staff is occupied with enabling users to safely access the IT resources needed to provide continued services to the public as efficiently as possible. If the City Council or management request additional detail or have specific concerns regarding these protocols, these will be immediately addressed.

The summaries developed in response to R1 are meant to convey that the City's IT staff are aware of the risks mentioned in the Grand Jury's report, as evidenced by the measures currently established to prevent cyberattacks and be able to recover promptly should they occur. Staff continuously examines best practices in cybersecurity, evaluating various tools available to protect access to data, software, and hardware systems, and their suitability for the City's use.

R3. Given the results of their internal reports, governmental entities may choose to request further guidance by means of a Cybersecurity review from the U.S. Department of Homeland Security and/or a cyber hygiene assessment from the County Controller's Office.
Response: This recommendation will not be implemented because it is not warranted at this time. Although the City IT personnel recognize the value of a cybersecurity review from the U.S. Department of Homeland Security (DHS), staff feels the security measures currently in place represent affordable, usable, and practical best practices in cybersecurity. As noted in response to R1, City staff is very much aware of the heightened risks of cyberattacks, and has implemented protocols to guard against them and facilitate recovery in the event they do occur. Through research, trade journals and websites, and participation in a state-wide coalition of municipal IT leadership, staff continuously monitors, maintains, and upgrades to the latest cybersecurity measures, software and hardware, and best practices. If at some point in the future IT resources become available, staff will reach out to DHS and/or the County Controller's Office for their respective assessments.

R4. Given the results of their internal reports, governmental entities may choose to ask their IT departments to review their own Cybersecurity Plan with the detailed template provided by the FCC's Cybersecurity Planning Guide and consider customizing it using FCC's Create Custom Cybersecurity Planning Guide tool (see footnote 52).

Response: This recommendation will not be implemented because it is not warranted at this time. The FCC's Cybersecurity Planning Guide was reviewed and compared to solutions currently implemented in the City. In most cases, the recommendations were already enabled, or are planned to be in the near future.
Recommended solutions within the Planning Guide not currently in place nor planned have been evaluated and deemed to be less suitable for use by the City, generally due to one or more of the following: IT assessment of the solution cost versus the risk it mitigates; alternative, yet equivalent, solutions already in place; and/or usability/complexity issues for City staff users.

The Burlingame City Council approved this response letter at its public meeting on December 7, 2020.

Sincerely,

Emily Beach
Mayor