Enhancing your public housing organization's cybersecurity posture remains paramount as we move into 2024, particularly in light of the ever-increasing stakes involved.
In the wake of a significant surge in ransomware attacks across the United States in 2021, 2022 appeared to offer a respite with a notable decrease in reported incidents. However, any hopes of a sustained lull were dashed in 2023 as ransomware activity skyrocketed, reaching unprecedented levels.
"The amount of personal data that [public housing authorities] store makes us a prime target for cybercriminals," said Trey McElveen, chief operating officer of Athens Housing Authority.
Cybersecurity breaches at public housing organizations occur with increasing frequency (far more often than reported in the news). We've previously highlighted the ransomware attack against Denver Housing Authority in 2021 that locked the organization's employees out of vital systems for a week until the ransom was paid. In early 2023, the Housing Authority of the City of Los Angeles reported a cyber event, with those responsible claiming to have seized 15 terabytes of data.
Luckily, there's cybersecurity help available, and it comes at no cost to public housing organizations. The Multi-State Information Sharing & Analysis Center (MS-ISAC)–operated by the Center for Internet Security and recommended by the U.S. Department of Homeland Security—provides various free cybersecurity services to U.S. state, local, tribal, and territorial government entities, including public housing organizations.
Free MS-ISAC services available to public housing organizations
HAI Group notified members about MS-ISAC via an email campaign in 2022. After reading the email, McElveen said he registered Athens Housing Authority with MS-ISAC for two reasons.
"First, the services were being offered for free since we are a local government agency," he said. "Second, it was an additional resource for cybersecurity updates and protection that requires a low time commitment."
Cybersecurity is an ever-evolving threat involving complex and sophisticated criminal organizations. Public housing employees already have too much on their plate, and taking on cybersecurity full-time isn't realistic for most organizations. But that's where MS-ISAC can help.
"I don't have the time needed to thoroughly research every new cyber threat to keep our organization safe, so it's very helpful to have an additional, trusted source for this information delivered to my inbox," McElveen said. "The resources MS-ISAC provide will complement your current security plan and will be a secondary line of defense against the threats that will occur at your organization."
Recommended: Security operations center (SOC)
Among MS-ISAC's most valuable free services is its SOC, said Mike Konopka, HAI Group's senior IT security analyst.
"The SOC service is a no-brainer for housing organizations," he said.
MS-ISAC's SOC monitors and responds to cyber incidents, providing real-time network monitoring and notification, early cyber threat warnings and advisories, and vulnerability identification and mitigation. MS-ISAC members can call or email the SOC directly for assistance with real-time network monitoring and incident response and recovery.
In a video posted on MS-ISAC's website, Charles Scharnagle said during his time as the chief information officer with the Mohegan Tribe in Connecticut (he's since transitioned to a new job), his team took full advantage of MS-ISAC's tools, including the SOC service.
"It's more than just a set of eyes," he said of MS-ISAC's SOC. "It literally, to me, is another security layer. It's just knowing I've got a trusted partner out there that I can contact anytime. I would pay a fortune to be able to call someone and know what type of service I'm getting. Here, I'm getting it for free. Why wouldn't I take advantage of it."
Recommended: Malicious domain blocking and reporting (MDBR)
MS-ISAC's MDBR tool can help protect against cybersecurity threats such as malware, phishing, and ransomware by proactively blocking network requests from known harmful web domains.
McElveen said Athens Housing Authority takes advantage of the MDBR service. HAI Group deploys a similar domain-blocking tool, Konopka said. MDBR prevents an organization's system from connecting to known harmful web domains. The fact that the MS-ISAC version is free to public housing organizations and takes just minutes to install makes it another go-to measure to improve cybersecurity, Konopka noted.
"This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain," MS-ISAC's website explains.
A weekly report is sent, including all blocked requests. MS-ISAC notes that the service can be installed in 15 minutes and requires "virtually no maintenance."
Data collected through MDBR is shared with MS-ISAC's SOC team to provide greater threat intelligence reporting for members.
Recommended: Cyber incident response team (CIRT)
After a cybersecurity incident is discovered, Konopka said that a response plan is necessary to investigate the source of the breach, determine the extent of sensitive data accessed by cybercriminals, and fix vulnerabilities to prevent a similar breach from happening again. These services are usually rendered through a cyber forensic analysis firm but can be costly. Fortunately, MS-ISAC provides free response services to member organizations.
Among the CIRT services that could prove especially valuable for public housing organizations responding to a breach is an emergency conference call and ongoing communications throughout the incident, according to Konopka. Dealing with a cybersecurity incident can be intimidating, even for the most seasoned housing professional.
"These check-ins provide peace of mind that the appropriate mitigation steps are being taken and help keep the internal and external response coordinated so messaging remains consistent and accurate, especially regarding media inquiries," Konopka said.
Additional CIRT services include:
- Forensic analysis
- Log analysis
- Mitigation recommendations
- Reverse engineering
- Incident summary
Jeremy Mio, an information security officer with Cuyahoga County, Ohio, a local government organization, said MS-ISAC's response team provides peace of mind.
"They have someone that can call us, and that we can call, and they know exactly what to do and the recommendations to offer us," Mio said in a video posted on MS-ISAC's website.
Recommended: Malicious code analysis platform (MCAP)
McElveen said MCAP is another free MS-ISAC service Athens Housing Authority plans to take advantage of soon. MCAP is a web-based sandbox where members can submit suspicious files in a controlled and non-public fashion.
"I plan to use the [MCAP] for files or links that seem suspicious but made it through our other security measures," McElveen explained.
Essentially, this service analyzes whether files contain malware or not. So instead of taking the risk of opening a suspicious file on the housing organization network, it can be inspected safely via MCAP to determine if it's legitimate or not.
Recommended: Cybersecurity awareness and education
MS-ISAC members also gain access to working groups where members can share ideas and experiences, table-top exercise templates, and webinars examining critical and timely cybersecurity issues.
McElveen said Athens Housing Authority takes advantage of the MS-ISAC's free educational resources.
"We receive cybersecurity alerts, advisories, and newsletters," he said. "Vulnerability notices are good reminders to keep browsers, operating systems, phones, and other technology updated and keeps cybersecurity fresh in the minds of end users."
This article is for general information only. HAI Group makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy.