We put the IT in city®

CitySmart Blog

Friday, February 22, 2019
Kevin Howarth, Marketing & Communications
Wednesday, February 20, 2019
Ryan Warrick, Data Center Engineer

It was inevitable. With so many serious data breaches over the years (including Yahoo’s 3 billion accounts, Marriott’s 500 million records, Adobe’s 152 million, eBay’s 145 million, and many more), hackers have compiled massive lists of usernames and passwords that circulate on the Dark Web. Recently, two aggregated collections went “public” after being sold on the Dark Web for years. The first, dubbed “Collection #1,” holds 773 million unique email addresses and about 21 million unique passwords. The follow-on collections (#2 through #5) add roughly 2.2 billion more unique usernames and passwords.

Why should cities care? Troy Hunt, a security researcher (and a Microsoft Regional Director, though not a Microsoft employee), runs Have I Been Pwned, a website where you can check your email address against the addresses found in these stolen credential dumps. For example, one of our colleagues uses a Gmail address that he barely shares with anyone. He entered that Gmail address into Hunt’s site and the following came up:

  • His email address, password hints, password, and usernames were exposed in the Adobe data breach of October 2013.
  • His email address, password, and username were exposed in the Dailymotion data breach of October 2016.

Luckily, our colleague has changed his Gmail password multiple times since those dates. However, even with an email address he barely uses or shares, his password was at risk, and some of the exposure cannot be undone: the password hints stolen from Adobe still describe whatever password he used then, and any other site where he reused that password is also at risk.

Have I Been Pwned is a legitimate, widely trusted site, and checking an address there requires only the address, never your password. Feel free to enter your email address to see whether you may be at risk. Most likely, you are: you will probably find that your address was exposed in a few, or many, breaches.

What to do? Our usernames and passwords are becoming more exposed and available to even amateur hackers after years and years of severe data breaches. All is not hopeless, though. Here are some password best practices you can implement to protect your city (and yourself personally).

1. Change your password if you haven’t changed it in a long time.

Let’s start with the obvious. If your password has been breached and you haven’t changed it since that breach, CHANGE IT.

Secondly, if you haven’t changed your password in a long time, change it even if Troy Hunt’s database doesn’t show it as affected. Breaches often surface years after they happen (the Adobe breach above was in 2013), so the longer a password has been in use, the more likely it has leaked somewhere. And it’s likely you’ve used one or more of the services breached over the years, which include commonly used banks, retailers, and online services. One caveat: current guidance (NIST SP 800-63B) favors changing passwords immediately whenever a compromise is suspected rather than on a fixed calendar schedule, because forced rotation tends to produce weak, predictable variations of the old password.

2. Implement Two Factor Authentication (2FA).

Even if a hacker does steal your username and password, 2FA presents a hurdle that’s hard to get past. For example, when you sign into your email, you might need to enter a six-digit code generated by an authenticator app on your phone. The code is derived from a secret shared with the service and the current time, so it changes every 30 seconds. A hacker who has your username and password would also need your phone, the ability to unlock it, and a code that is still current in order to get into your account.

2FA might seem annoying sometimes because you must enter a code along with a password, and it may take a while to become habit for employees. However, 2FA adds another layer of protection that significantly decreases the likelihood of a hacker succeeding. Prefer an authenticator app or hardware token over codes sent by text message, which can be intercepted or redirected, and teach staff never to type a code into a page they reached from an email link, since a convincing phishing page can relay the code to the real site within its 30-second window.

3. Consider using a password manager.

If you haven’t heard of password managers, they are applications that generate strong, unique passwords, remember all of them for you, and store them in an encrypted vault. In other words, a password manager helps you follow specific password best practices without having to think about them. The vault is unlocked by one master passphrase, so that passphrase must be long, used nowhere else, and protected with 2FA. Your IT staff or vendor can help you roll out a password manager across your organization. Once in place, they tend to work smoothly in the background and make your life easier.

4. Develop a password policy for your city.

The above best practices are tools and tactics. For the long-term, you need to strategically develop a password policy that enforces best practices to keep you safe. A policy would outline:

  • Specific rules around the creation of passwords for employees, including minimum length, and when passwords must be changed (at minimum, immediately after any suspected compromise or breach notification).
  • Requirements for training related to your password policy, including reviewing best practices.
  • Rules around protecting passwords—from sharing them to writing them down on sticky notes in plain sight of others.
  • Automated rules that are enforced (such as requiring strong passwords or preventing someone from logging in if they repeatedly input the wrong password).
  • Authentication requirements that may go beyond a password (such as 2FA, the use of tokens or biometrics, etc.).

5. Follow password best practices.

We’ve written about password best practices in the past. To recap a few of the most important:

  • Use a password on all your devices. This includes tablets and smartphones.
  • Use strong passwords. We recommend passphrases (long phrases that are easy for you to remember but hard for a hacker to guess); length protects you more than forced symbols do. You can also use complex passwords (a long string of letters, numbers, and symbols), which is what a password manager will generate for you.
  • Do not write passwords down and leave them visible. We still see too many city employees writing down passwords on sticky notes and attaching them to their computer monitors or in notebooks that they place inside a desk drawer. Anyone walking by could snap a phone picture and use that password to later break into that employee’s account.
  • Do not use obvious passwords such as “password,” “123456,” or the city’s name. Here is a list that you can check. If you are using one of these, then change it immediately.
  • Do not reuse the same password across the systems you access. If a hacker gets hold of one username and password, they will try it everywhere else (a “credential stuffing” attack) and gain access to all your accounts rather than just one.
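The breach lookup Troy Hunt’s site offers for email addresses has a companion service for passwords, Pwned Passwords, that a city can wire into its own password-change process so that a password found in those credential dumps is refused before it is ever set. This also turns the “obvious passwords” rule above and the “automated rules that are enforced” item of the policy section into something a system checks rather than something employees are asked to remember. The added example below (not code from the original post) shows how the check is done without ever sending the password, or even its full hash, off your network: only the first five characters of the password’s SHA-1 hash are sent, the service returns every hash suffix in that range, and the match is made locally (this is the service’s published k-anonymity design). The 14-character minimum is an assumed local policy value, the embedded API response is constructed so the example runs offline, and `fetch_range_live` is the function that talks to the real endpoint.

```python
"""Refuse weak and already-breached passwords at password-change time.
Added example (not code from the original post). Uses the public
Pwned Passwords range API from Have I Been Pwned; the sample response is
constructed so the example runs without network access."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
MIN_PASSPHRASE_LENGTH = 14   # assumed local policy, not a value from the post

# Constructed stand-in for the API's reply to the prefix "5BAA6": one
# "SUFFIX:COUNT" line per known hash that starts with those five characters.
# The first line is the real suffix of SHA-1("password"); the others are made up.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "00A3C5D9E1F2B4C6D8E0F1A2B3C4D5E6F7A:2\r\n"
    "FFFFF000001111122222333334444455555:17\r\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines
    and skips malformed lines rather than failing the whole check."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query the real service for one hash-prefix range (network access)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "city-password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch: Optional[Callable[[str], str]] = None) -> int:
    """Times the password appears in the breach corpus (0 = never seen).
    `fetch` maps a 5-char prefix to a response body; defaults to the live API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = (fetch or fetch_range_live)(prefix)
    return parse_range_response(body).get(suffix, 0)


def check_new_password(password: str,
                       fetch: Optional[Callable[[str], str]] = None) -> List[str]:
    """Policy gate for a proposed password. Returns the reasons it was
    rejected; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_PASSPHRASE_LENGTH:
        problems.append(
            f"shorter than {MIN_PASSPHRASE_LENGTH} characters; choose a passphrase")
    seen = breach_count(password, fetch)
    if seen:
        problems.append(
            f"appears {seen:,} times in known breach data; never use it anywhere")
    return problems


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live, covering only the '5BAA6' range."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple!"):
        verdict = check_new_password(candidate, sample_fetch) or ["acceptable"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Against the live service a range query returns several hundred suffixes, so the prefix alone tells the service nothing useful about which password was checked. Screening new passwords against a breached-password list in this way is also what NIST SP 800-63B recommends in place of composition rules.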

Because of the cybersecurity landscape we find ourselves in today, we must be more vigilant and stricter about how we create and use passwords. The above best practices will help your city protect itself in this global environment where we continue to regularly hear of newer, larger compromises putting more and more people at risk.

Need help with your password and cybersecurity policy? Reach out to us today.

Friday, February 15, 2019
Kevin Howarth, Marketing & Communications

We hope to see you at the following city events this week! Our own Dave Mims, CEO of Sophicity, will present on “Cybersecurity Risks Every City Faces” in Lexington, Kentucky. That same day, Brian Ocfemia, Engineering Manager at Sophicity, will present about cybersecurity in Braselton, Georgia.

City EDvantage Session: Cybersecurity Risks Every City Faces
February 20, 2019
Lexington, Kentucky

2019 IIMC Region III Conference
February 20, 2019
Braselton, Georgia

 

To keep up with upcoming events over the next few months along with receiving the latest city government and municipal league news, articles, and interviews, subscribe to our email newsletter.

Friday, February 15, 2019
Kevin Howarth, Marketing & Communications
Wednesday, February 13, 2019
Sarah Diggs, Client Services Manager

Just when you might feel you’re starting to get your hands around spotting classic phishing emails, a new twist is emerging. We’ve talked to a few rattled people who received what they thought was a personalized and very frightening blackmail message over email. The email seems incredibly specific, very aggressive, and, in one instance, even referenced a stolen password.

We will analyze these emails below, but it’s important to note that these emails are not personalized blackmail threats aimed at you. They are automated messages sent in bulk, with the hackers hoping that the generic wording hits a nerve with a small fraction of recipients. The sender can use stolen credentials (obtained through the many huge data breaches of the last few years) to fill in the blanks of the message, rather like a form letter personalized to you.

Because these attacks tend to be very explicit, we will not print an example in its entirety. However, we will analyze a few clues that will help you realize that these threatening emails are no threat at all.

1. The email message could apply to anyone.

While the message tries to sound specific, there are no personal details that would confirm that someone knows exact details about you and your behavior. Read the message and see if there are any exact details that only apply to you. If not, then it is a mass message where the hacker is betting on a few details coincidentally striking true.

2. Look for details that are not true.

In the email message, the blackmailer will state something like, “I placed a malware on the X video clips (pornographic material) web-site and guess what, you visited this web site to have fun (you know what i mean).” Later, the blackmailer mentions that they captured salacious activity via the person’s webcam. These untrue details are a clear sign this message is not personalized.

3. Understand how technology works.

Many tech support scams use a person’s lack of knowledge about technology to trick them into thinking a problem on their computer needs fixing. These blackmailers use the same lack of knowledge about technology to strike fear into a person.

Here is part of a blackmailing threat email: “While you were viewing video clips, your internet browser started out functioning as a Remote Desktop that has a keylogger which provided me accessibility to your display screen as well as web cam. after that, my software program gathered every one of your contacts from your Messenger, FB, as well as e-mail. and then i created a video.”

Oh my! Let’s break this down:

  • Remote desktop access is something that must be granted on your computer. When used legitimately, you see this when an IT support person asks your permission, connects to your computer, and takes it over to fix something. A web page you visit cannot, on its own, turn your browser into a remote desktop session.
  • A keylogger is malicious software that captures what you type and sends it to a hacker. It has to be installed on the computer, usually by tricking you into running something. Saying that “a remote desktop has a keylogger” is technical-sounding nonsense.
  • The blackmailer’s software program is like the Energizer Bunny: it just keeps going and going! Somehow it also gathers Messenger, Facebook, and email contacts. Malware that does such things does exist, and you could install it by accident, but nothing in this email shows that any of it happened. The attacker is playing on your fear.

If you’re unsure about such technological descriptions, always ask your IT vendor or staff.

4. Google phrases from the email.

One easy way to check if the email is an empty threat is to take a phrase or two and Google it. For example, Googling the phrase “While you were viewing video clips, your internet browser started out functioning as a Remote Desktop” brings up the following credible articles among many:

If you receive a suspicious email, it’s unlikely you’re alone. Do some Googling and see if others have received the same email. Think of it like a form of fact checking.


Even though this type of blackmailing email is not a threat, you should take a few precautions:

  • If the blackmailer mentions a password that you’re still using, change it immediately, everywhere you used it! Better yet, change it to a passphrase and enable 2FA.
  • Avoid opening the email. If your mail program loads remote images, opening it can tell the sender that your address is live, and you may receive additional messages (also automated). Mark the email as spam or junk, or simply delete it, without opening it.
  • Do not download any unknown software or attachments from untrustworthy sources. Whether you receive an email or visit websites, never download something without knowing you fully trust it. And even then, when in doubt, ask your IT vendor or staff when emails, links, or attachments seem suspicious.

Need training to help your city employees spot these increasingly complicated phishing emails? Reach out to us today.

Friday, February 8, 2019
Kevin Howarth, Marketing & Communications
Wednesday, February 6, 2019
Dave Mims, CEO

Barraged with cybersecurity news every day while you work to focus on the needs of your community and the business of your city, it’s difficult to sift the real danger from the noise. Ransomware, email hacking, cyberattacks, phishing, and website defacing are high risks for cities. Cities cannot remain passive against well known, serious, and confirmed cybersecurity dangers.

Our Regional Cybersecurity Workshop will get you up to speed on what you need to know, answer your questions, and give you the knowledge you need to take the next steps toward addressing your cybersecurity risks.

This workshop will benefit mayors, council members, city managers, and city clerks from cities of all sizes.

There is no cost to attend this workshop and lunch will be provided.

Our host and host city for this regional workshop is Charles Cawthon, City Manager of the City of Lavonia. I will be presenting both cybersecurity training sessions in the agenda below, and I look forward to seeing you there.

Register today to confirm your seat!

 

When

Wednesday
March 27, 2019
9:30 AM - 1:00 PM

 

Location

Community Center
39 Poole St
Lavonia, GA

 

Agenda

9:30 AM - Registration/Check-in
10:00 AM - Cybersecurity Session 1
10:50 AM - Break
11:00 AM - Cybersecurity Session 2
11:50 AM - Break
Noon - Lunch 

 

Register today to confirm your seat!

Tuesday, February 5, 2019
Mark Holbrook, Account Manager

Across the country as people become more politically engaged, they pay more attention to elections. One offshoot of this situation is an increased number of Open Records and FOIA requests as local government scrutiny increases. In addition, more technology and ease of accessing information online is increasing citizen expectations of accessing public records quickly from a city.

Unfortunately, cities can lag in responding to these requests in a timely fashion. It’s not intentional. Paper-based manual processes, storing documents and records on individual desktops, or poorly organizing or centralizing documents all make an Open Records or FOIA request a potential nightmare. You might think you’re adhering to the letter of the law, but your lack of timely response resulting from technology issues may negatively impact your ability to comply.

Combined with the right document management and records management systems, these tips can help you improve your Open Records and FOIA response processes.

1. Reevaluate your current document management / records management system.

First, do you have one? Some cities store documents and files on individual computers or shared files on servers. This is not ideal, especially when the processes you’ve built around such systems are non-existent, ineffective, or limited to only a few people able to access documents.

If you do have a document management system, does it:

  • Back up your records and allow you to recover them in case of disaster?
  • Allow you to easily search and retrieve records?
  • Keep your records secure from cyberattacks and hackers?
  • Automatically enforce records retention policies?
  • Provide you enough storage?

We’ll talk about some of these specific capabilities below in more detail, but you first need to make sure you have a records management system that covers these bases. Otherwise, your system may fail you when you need it most and not allow you to effectively respond to Open Records and FOIA requests.

2. Design a records management system that centralizes, tags, and secures records.

Even if you have the right technology, you must focus on three activities that need your full participation.

  • Centralizing documents: A best practice for records management is creating one centralized place where records are stored and accessed. This eliminates document sprawl and the problem of not being able to locate and access records spread across one or more individual computers (or in hard-to-find shared folders on one or more servers).
  • Tagging documents: You need to set up a policy where employees tag documents with labels such as title, author, organization, description, keywords, etc. These labels help employees find records faster because they are labeled correctly and relevantly.
  • Securing documents: While your IT staff or vendor will help with security, part of security is limiting records access to only authorized employees. You can help with this process by creating policies around records access and authorization, which your IT resource can then enforce through document management administration.

3. Design a workflow for documents and records.

In a past blog post about workflow design, we said, “For each document created, what needs to happen? How is the document created? How many reviewers? What happens after it’s approved? Focus on creating generic roles such as document creator, reviewer, or approver that are assigned to people.” A records workflow process will include automatically enforced rules around:

  • Document creation
  • Document review
  • Document approval
  • Document storage and archiving

This way, documents are created once, go through a process, and receive quality control.

4. Train employees and enforce policies.

Even if you buy the right technology, set it up correctly, and create workflows, it’s useless if no one uses it or continues to rebel against it by sticking with their old habits. Training and policy enforcement are essential. Make sure employees know the records process, why you’re doing it, and that you will enforce policies around it.

5. Follow state records retention schedules.

Cities that follow all four tips above can still make the mistake of keeping every record indefinitely or applying broad records retention schedules to all documents. The reality is that you are only legally required to keep specific records for specific lengths of time. Why increase your storage costs, operational work, and liability by keeping records past their legal deletion date?

With the right document management system, you can automatically apply records retention schedules to documents so that you consistently follow state law and city policies. The system will enforce policies such as archiving, retention, authorization, and deletion with a combination of automation and oversight from your IT staff or vendor.

6. Address email in relation to records retention.

Email poses a particular conundrum for many cities. Your document management system may work well, but Open Records or FOIA requests involving email may throw you off base. In a past blog post, we noted “If you have an older email system, you might have limited storage on your email server. That means employees will often store emails on their own computers in local archives. When that happens, it’s difficult to retrieve emails and keep them secure. You also risk losing emails because you’re relying on non-technical employees to archive this information as well as hoping their workstation doesn’t experience a failure. And if you happen to use a consumer-grade, cheap email solution, then you risk issues not only with reliability but also compliance.”

Consider email seriously as part of your records management system. You need to:

  • Use a business-class email system.
  • Centrally manage and organize your email.
  • Follow your city’s retention schedule.
  • Clarify city policy and procedures about using personal and business email.

We end this post with two bonus tips that will also help cities:

  • Get municipal-experienced IT help. Municipalities have unique needs that general IT vendors often struggle to handle. Helping with Open Records and FOIA requests is one of those needs. Your IT resources should be able to help you quickly retrieve files related to Open Records and FOIA requests, maintain compliance by applying best practices, and create policies that you can adapt and implement at your city.
  • Back up your data. We’ve written many, many blog posts about backing up city records, including our recent post addressing this exact issue. Ask yourself, “How are my city’s records backed up?” and read our recent post for more tips and advice.

Need some extra help processing your Open Records and FOIA requests? Reach out to us today.

Friday, February 1, 2019
Kevin Howarth, Marketing & Communications
Tuesday, January 29, 2019
Nathan Eisner, COO

Only recently has Windows 10 finally overtaken the much older Windows 7 in usage, a milestone that should make cities sit up and take notice. Extended support for Windows 7 ends on January 14, 2020. Mainstream support (new features and enhancements) ended long ago, on January 13, 2015, and since then Microsoft has only patched bugs, reliability issues, and security vulnerabilities. After January 14, 2020, Microsoft will no longer provide security patches for Windows 7. The same holds for Windows Server 2008 and 2008 R2, whose extended support ends on the same day.

Why should cities care? Let’s look at it the other way. What happens if cities don’t care?

First, we know you may want to keep Windows 7 and Windows Server 2008. Some of your reasons may include:

 

  • Not wanting to spend the money for an upgrade.
  • Habit—you like Windows 7 and you’re used to it.
  • Older legacy software—you fear something might break if you upgrade.
  • Or, you may think, “What’s the worst that could happen?”

So, let’s see what can happen by not preparing, now, to upgrade from Windows 7 and Windows Server 2008 to a newer operating system before January 14, 2020.

1. Open your arms to ransomware, viruses, malware, and hackers.

Here, we can learn from history. One of the reasons ransomware like WannaCry wreaked such havoc in May 2017 is that too many organizations were running unpatched Windows systems. Microsoft had shipped the fix (MS17-010) two months earlier, but machines that had not applied it, mostly Windows 7, were infected by the hundreds of thousands, and Windows XP, whose extended support had ended on April 8, 2014, had received no fix at all until Microsoft issued an emergency patch during the outbreak. Once Microsoft stops providing extended support, they stop providing patching, and you no longer even have the option of applying a fix.

In our cybersecurity training sessions with towns and cities, we talk about the 3Ps: Passwords, Patching, and People. If you have software—like Windows 7 or Windows Server 2008—that you cannot patch, that means you’ve got software now open to the malware and viruses of the world.

So, if you want to increase the chances of hackers breaching your systems or ransomware holding your city hostage, stay on Windows 7 and Windows Server 2008.

2. Encourage downtime at your city with crashing computers and servers.

Windows 7 support doesn’t just fix security vulnerabilities. It also fixes bugs and reliability issues. These are the kinds of issues where, if you don’t patch, your computers and servers can crash and freeze. It’s inevitable. Staying on Windows 7 and Windows Server 2008 means you are opening the door to a wave of frozen, crashed, and slow computers.

Yes, that means downtime. Billing may not get out. Payroll may not be processed. Serving the requests and needs of citizens will be at risk.

Imagine having a meeting where you make a business decision, and part of that business decision is that your employees’ computers will slow down and freeze a lot. You also point out that IT people will also need to constantly arrive onsite to fix machines. You justify this decision by saying you’re saving money, even though an iceberg lies clearly ahead.

That’s what you’re doing if you stay on Windows 7—justifying an operational disaster waiting to happen.

3. Stop your city from using modern software and applications.

A lot of software—especially the now common cloud software that doesn’t require dedicated onsite servers—needs modern operating systems like Windows 10 to run properly. Modern operating systems have the built-in capability to handle modern complex software and applications. By contrast, Windows 7, which came out in 2009 (now 10 years ago!), was built before many modern applications.

Just for a little perspective, here are some things that did not exist when Windows 7 and Windows Server 2008 R2 came out in 2009 (the original Windows Server 2008 is older still, released in early 2008):

  • Modern tablets such as the iPad. (The iPad was released April 3, 2010.)
  • Snapchat
  • Instagram
  • Pinterest
  • Square
  • 4G networks in the US
  • Slack

This illustrates how technology can emerge, evolve, and become commonplace so quickly. Software, applications, and technological improvements have occurred that literally weren’t here when Windows 7 and Windows Server 2008 were released. Over time, the pace of technological innovation moves so fast that these old operating systems become incapable of keeping up. That expanding chasm creates great risk that hackers use to their advantage.

If you want to skip technology evolution and innovation that leads to using modern software and applications that can improve your city, then stick with Windows 7. You will miss out.

4. Increase the cost of maintaining your systems.

When more things break, you will lose more time, become busier, and more often call your IT resource or require IT staff to fight fires. That costs money and time, especially if your IT resource is billable by the hour and if onsite visits are expensive. And if you wait until things literally break, then you will need to suddenly and unexpectedly replace hardware, software, and applications.

Even if you rely on a fixed cost IT vendor, your costs will still increase from:

  • Lost time and productivity.
  • Major disruptions related to essential software.
  • Dealing with the aftereffects of a virus, ransomware, or malware.
  • Forced hardware and software replacement from operating system incompatibility.

For cities thinking they are saving money by staying on Windows 7, you’re in for quite a surprise in 2020.


Obviously, we took a slightly playful tone in this post to make some key points. But if you are currently using Windows 7 and/or Windows Server 2008, then you need to start planning for a transition long before January 14, 2020. If you need to make a case for it, then explain that this upgrade:

  • Keeps your city secure.
  • Keeps your technology reliable.
  • Allows you to use modern software and applications to help your city do work.
  • Keeps maintenance costs low.
  • Reduces technology disruptions.

Are you on Windows 7 and/or Windows Server 2008, but are unsure about how to transition off them? Reach out to us today.
