La Plata County governments say cybersecurity increasingly critical

IT teams wage battle against ever-changing hacks
Ryan Bono, owner of Seccuro Group, a cybersecurity company based in Durango, works in his office on Wednesday. Bono and his team are hired by organizations to think and act like hackers. They try to find digital weaknesses where a potential hacker could break in. (Jerry McBride/Durango Herald)

Government cybersecurity teams in La Plata County are playing a continuous, high-stakes game of whack-a-mole against hackers trying to snatch information and hold it for ransom.

Protection comes down to “constant vigilance,” said Mark Lindstone, La Plata County director of information technology.

“We’ve been dealing with this for many years now,” Lindstone said. “They’re constant, and they seem to be increasing, there’s no doubt about that.”

Malware attacks this year have crippled infrastructure and supply chains around the United States. Hackers held information systems hostage in a ransomware attack against Colonial Pipeline, which disrupted gas supplies along the East Coast until the company paid $4.4 million in ransom.

Health care institutions, insurance firms, computer manufacturers, food suppliers – all have been targeted in 2021 with large-scale attacks as recent as the Fourth of July weekend.

But small city and town governments across the country also have had their fair share of attacks.

In February, a hacker tried to compromise internal systems to effectively poison the town’s water supply in Oldsmar, Florida. Other ransom schemes target confidential data held by governments, said Ryan Bono, CEO of Seccuro Group, a cybersecurity company based in Durango.

La Plata County and the city of Durango said information technology teams have quickly and successfully fought off cyberattacks in the past few years.

“In a government agency of 1,500 machines, if someone opens an email with a ransomware link – and if they click that and it infects their machine – within seconds it can bring down an entire network,” Bono said.

Ryan Bono, owner of Seccuro Group, checks company servers Wednesday in Durango. The total cost of cybercrime is expected to cost trillion of dollars this year, Bono said. (Jerry McBride/Durango Herald)
The attack

Bono and the Seccuro team get hired by organizations to think and act like hackers. They dive into systems, trying to find open doors and digital weaknesses where a potential hacker could break in.

These attacks, Bono said, can come from many sources: disgruntled employees, international crime syndicates, malicious insiders like business partners and clients.

A single data breach costs businesses an average of about $500,000 and days of downtime. The total cost of cybercrime is expected to cost trillions of dollars this year, Bono said.

Criminals use man-in-the-middle attacks to eavesdrop and steal data during a two-party interaction. A zero-day attack exploits a network vulnerability before it is patched up.

Barracuda Networks, a worldwide leader in security, said in 2019 its analysis of hundreds of attacks across a broad set of targets revealed that government organizations are the intended victims of nearly two-thirds of all ransomware attacks.

Years ago, a Durango employee fell victim to a phishing scheme, which is an attack disguised as a reputable source, said Justin Carlton, the city’s security and infrastructure manager.

Around 2018, an infected website, used legitimately by a county staff member, introduced some ransomware, Lindstone said. This is one of the most common forms of cyberattacks.

Both incidents were resolved with minimal impact to the systems, city and county IT teams said.

They also said they are on full alert and have a multi-pronged, constantly adapted approach to fortify systems against hackers, even as the method of the hack changes.

Seccuro Group, based in Durango, gets hired by organizations to act like hackers, trying to find digital weaknesses where a potential hacker could break in. (Jerry McBride/Durango Herald)
‘Constant vigilance’

Both Carlton and Lindstone were cautious about giving too much away about their security systems or government data. They did not want to put the organizations at risk.

“Constant vigilance. On emails, you really need to think hard about it. It’s always that one you miss that gets you,” Lindstone said.

The towns of Ignacio and Bayfield said cyber security was a top concern. Bayfield contracts with a security company, but Katie Sickles, town manager, declined to comment further citing security concerns.

Ignacio did not respond to requests for additional information, and the Southern Ute Indian Tribe declined to comment.

Bono said he advises clients to have multiple backups for data and to conduct security audits every six months to one year. Software applications, antivirus solutions and operating systems must be up to date, and networks should be segmented properly to limit network exposure.

Two-factor authentication, secure Wi-Fi systems and limiting personal information shared online help build a secure system, he said.

“The biggest mistake that government agencies make is they’ll have ports open on their firewalls to allow people to work remotely or allow vendors to get in remotely,” Bono said. “Basically, those aren’t audited very often. Any open port on a firewall is anything that can be scammed from the outside in. That leaves you vulnerable to an attack.”

Even text messages and emails can open devices to attack, Lindstone said.

“Especially on your computer, it’s having good virus protection and anti-malware systems in place on computers and laptops,” he said. “Don’t give away passwords or personal information. Be thoughtful about what information you share and in what medium you share.”

La Plata County and Durango have multiple staff members working on cybersecurity, watching current events, staying in line with best practices and using varied security tactics. The city said its cybersecurity budget has increased in recent years, and the county said cybersecurity takes up a “significant” amount of its information technology budget.

“It takes a lot of our time,” Lindstone said. “The reality is it’s everybody’s responsibility in IT to worry about that, and we’re always thinking about that.”

The entire county staff even gets involved, Lindstone said.

“We have in-house developed and delivered cybersecurity training required for all employees, which is provided six times a year to educate staff on the various types of threats and appropriate response,” he said.

The consensus is clear among cyber experts: Cybersecurity is an increasingly big deal, and all employees, contractors, vendors and system managers are a part of the battle.

“It’s a constant, constant fight to keep systems secure. I think moving into the future we’re going to see security budgets increase,” Carlton said. “It’s very important, and we’ve already seen the crippling effects of these attacks on our nation and others as well.”

smullane@durangoherald.com

This story has been updated to clarify the town of Ignacio’s response to requests for comment made by The Durango Herald.