An Assessment of the Cyber Readiness of a Local Government Authority
Local government authorities across the UK have been the target of a growing number of cyber-attacks in recent years, having faced as many as 263 million cyber-attacks in the first half of 2019, averaging around 800 cyber-attacks every hour, according to LocalGov. Local councils need to safeguard information and protect citizens and their rights, and the Local Government Association has raised concerns that councils are not giving cybersecurity the same attention as threats to physical infrastructure.
Cyber security readiness is not just about technology; it also includes people and business processes. This project implemented a cyber security monitoring exercise that served both to understand the current cyber security readiness level and to set the basis for the future implementation of a cyber security risk assessment and strategy for a local council in the UK. As the council felt that the resilience of its technical infrastructure was adequate, this collaboration between the Centre for Business in Society and the specific Council set out to explore the cybersecurity awareness and resilience of the Council’s workforce. This was done by conducting a vulnerability testing exercise based on a series of social engineering techniques that targeted the cyber awareness of the workforce and their ability to make informed decisions when dealing with potential cyber security threats.
Social engineering involves manipulating individuals into carrying out some specific action or divulging information, and does not require a large amount of technical knowledge. Attacks may take the form of bulk phishing emails that deliver malicious software (malware), enabling an attacker to gain information, commit fraud and/or obtain access to secure systems. Social engineering constitutes a security risk because it can be used to bypass intrusion detection systems, firewalls and access control systems, with the offender taking advantage of people to obtain information or knowledge that they should not have.
In order to assess the digital vulnerabilities in relation to the council staff and identify any security gaps, a social engineering exercise was carried out that included:
- Phishing emails sent to staff across the council
- USB memory left unattended in different parts of the organisation
- Rogue customer calls to the Revenues and Benefits helpdesk
- Rogue IT desk calls made to obtain access to systems.
These techniques were intended to lead council staff to grant us access to key information assets such as council tax details of members of the community; planning, building and regeneration documents; and information about specific schools, benefits, jobs, social care etc.
Exercise 1 – First Phishing Email
A phishing email was sent to a cross-section of the council staff, containing a link to a dummy malicious “payload” document developed by the project team. Its purpose was to capture how many staff members clicked the link or ran the malware it contained. The exercise was an attempt to capture, in a fully secure way, sensitive information about the individual who opened the email attachment or followed the link included.
The phishing email was designed as a request to Council staff to update their personal information, stating that IT Services was updating its records and that staff should therefore click on the link provided and update their information. The sender address was masked to appear as if it was coming from the Council’s IT Services.
A total of 1,846 phishing emails were sent to a selection of 1,495 staff email addresses provided by the Council. Of those, 521 emails were responded to by the recipient, meaning that 28% of the emails sent (had they come from a cyber criminal) could be considered a successful attack.
The highest response came from the Corporate Services department, with 188 staff responding to the email, followed by Children's Services with 99 staff responses; the Department of Place, the Chief Executive’s department and Health & Wellbeing followed with 84, 70 and 49 responses, respectively.
Exercise 2 – USB Attack
Another common mechanism for gaining access to information about individuals or the organisation consists of leaving a form of digital media (e.g. a USB flash drive, CD, DVD) unattended, perhaps labelled with something alluring, in a location frequented by the intended victim (e.g. a car park, by the printer). The intent is that individuals will pick it up and then use it on a personal or work computer, which as a result becomes infected with malware. Conferences and other events also allow for this type of attack, as the attacker is often in a position to hand out free USB drives as gifts, or to provide further information on digital media that is secretly loaded with malware.
25 USB sticks were loaded with a phony web link and placed at random locations in the Council offices across 3 buildings. The “malware” was disguised as a document named Pay Scales in the Council.txt. This was in fact an Internet shortcut (PayScales in the Council.txt.url) that would open the user’s web browser and take them to a particular URL, which allowed us to record their visit through the web page we had created for that purpose.
Out of the 25 USBs that were placed, 9 were used and 3 staff members clicked on the link they contained, opening the possibility for hackers to gain access to the credentials of the staff.
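The bait in this exercise relied on a double extension (a .txt name hiding a .url Internet shortcut) pointing at an external host. The script below is an added defensive example, not part of the original study: it inspects the files found on removable media, parses each Internet shortcut, and flags those that masquerade as documents or point outside an assumed trusted domain (the file contents, host names and the trusted domain are constructed placeholders).

```python
"""Flag Internet Shortcut (.url) files on removable media that masquerade as documents."""
import configparser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample of a scan of a found USB stick: {filename: file contents}.
# Host names are placeholders, not real ones.
SAMPLE_MEDIA = {
    "PayScales in the Council.txt.url":
        "[InternetShortcut]\nURL=http://tracking-host.example/visit?drive=07\n",
    "Intranet.url": "[InternetShortcut]\nURL=https://intranet.council.example/\n",
    "Notes.txt": "meeting notes, nothing to see",
}
TRUSTED_DOMAINS = {"council.example"}  # assumed internal domain
DOC_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def parse_url_file(content):
    """Return the URL= target of an Internet Shortcut, or None if malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(content)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp["InternetShortcut"].get("URL")


def assess_file(name, content, trusted=TRUSTED_DOMAINS):
    """Return the reasons this file is suspicious (empty list if none)."""
    suffixes = PurePosixPath(name).suffixes
    if not suffixes or suffixes[-1].lower() != ".url":
        return []  # only shortcuts are of interest here
    reasons = []
    # A document extension in front of .url (e.g. "x.txt.url") is the
    # double-extension disguise used in the exercise above.
    if len(suffixes) > 1 and suffixes[-2].lower() in DOC_EXTENSIONS:
        reasons.append("double extension masquerading as %s" % suffixes[-2])
    target = parse_url_file(content)
    if target is None:
        reasons.append("malformed shortcut")
        return reasons
    host = (urlparse(target).hostname or "").lower()
    if not any(host == d or host.endswith("." + d) for d in trusted):
        reasons.append("points to untrusted host %s" % host)
    return reasons


def scan_media(files, trusted=TRUSTED_DOMAINS):
    """Map each suspicious filename to its reasons, skipping clean files."""
    return {n: r for n, c in files.items() if (r := assess_file(n, c, trusted))}
```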
Exercise 3 – Second Phishing Email
The second email template was designed as a ‘Staff Satisfaction Survey’. A total of 1490 email accounts of Council staff were provided to us for testing, which we split into 3 groups of users. The text of this email read as follows:
‘In order to further improve our employees’ satisfaction at work, we are running an employee satisfaction survey which will take a few minutes to complete. Please provide answers to the questions and please do complete as soon as possible.’
The first of the email ‘shots’ was sent on 27th Mar 2018, with the second and third following on 30th Mar 2018. Once enough time had been allowed for the Council staff to have received both phishing emails, the analysis showed that, out of the 1490 emails sent, 145 members of staff responded to this request.
Exercise 4 - Rogue Calls
This exercise involved impersonating members of the public whose limited details (i.e. initials, last name and address) were available in the public domain. Calls were made at various times and days of the week to test the robustness of the system and whether all security procedures were being followed.
Of the 12 names chosen at random, on 3 occasions we were able to persuade the staff, and thereby:
- Obtain the council tax reference number
- Change direct debit details
- Obtain information on the history of payments
Although this may appear insignificant, most historical social engineering attacks are not a single step but a series of steps that lead to gaining inside knowledge, resulting in significant data breaches.
Whilst a single cybersecurity incident may have devastating consequences for the Council, this study has shown that a coordinated effort is, at present, likely to lead to cybercriminals gaining access to the information technology and management infrastructures of the Council. This is demonstrated by the following statistics:
- 521 individuals within the Council (30% of the email addresses provided to us) fell victim to the first phishing email
- 9 ‘infected’ memory sticks were used by Council staff, with 3 of them opening a potentially infected file and therefore releasing their credentials to an external entity
- With the rogue calls, we had 3 breaches that resulted in access to citizens’ personally identifiable information.
Based on our findings, the recommendations to the Management Board of the specific Local Government Authority focused on the need for immediate action to address the vulnerabilities associated with the human component of their system. Improvements to the cybersecurity management capabilities within the organisation were recommended in two main domains:
The Management Board
Each member of the Board of Directors, from the HR director to Communications, Finance and every senior executive within the organisation, has a role to play in the Council’s efforts to prepare for, deal with, recover from and learn from cyberattacks.
As with any organisation, it is essential that every employee within Councils becomes fully aware of the nature of the data and information resources that they have access to, of the need to protect such resources, and of the potential threats and the consequences that a cyberattack may have on the organisation and the community. It is also important that every member of staff recognises the importance of reporting cybersecurity incidents without fear of being penalised, and that they have a mechanism to do so. Every effort must be made to minimise the risk of cybersecurity incidents, as a data breach that goes unreported may have devastating consequences in the medium term for the Council and for the individuals affected. To achieve this aim, a multidimensional training and development strategy must be implemented by the Council, including online and face-to-face sessions that cover each relevant area: legal, technical and organisational.
The findings of this project were published in a short report for The Conversation shortly after its completion, with an aim to raise awareness of the importance of increased efforts in the sector.