Johnson City implementing new security tools following ransomware attack

David Floyd • Nov 4, 2019 at 10:06 PM

Johnson City will be rolling out new security measures following a ransomware attack on city government two weeks ago.

“We could be attacked tomorrow,” Lisa Sagona, Johnson City’s IT director, told city commissioners during an agenda review meeting on Monday. “These are not your run-of-the-mill people. They are extremely patient and very smart and they have tools to deploy when they get in.”

Sagona said the city has installed a stronger web filtering program that will also stop data from being extracted off the city’s network. The organization is also implementing a dual authentication log-in system. Employees working remotely will receive a code, randomly generated every 30 seconds, that they will have to enter when they access the city’s network. This will be deployed to the roughly 125 people who have to access the city’s network off-site.

Employees working in the building will receive a small, physical device they can attach to their key ring that they will plug into their computer’s USB port to verify their identity. Those cost about $250 per 50 users, Sagona said.

She said the city will also be implementing software that will flag abnormal behavior on the city network.

“If every day you come in, you log in, you get in your email, you open an Excel file, you do some Word stuff, and then suddenly one day you start copying files to some large external hard drive that’s never existed, we’re going to get an alert,” she said.

“What we really want to know is somebody using your computer and doing something they shouldn’t that’s not normal for you,” she said. “That’s what would’ve helped us.”

After the attack, the city removed all impacted computers and laptops from its network and made the decision to reimage all computers that are less than a year old.

“I hope to never be in this position ever again, and that’s going to take a lot more work than what we’ve done,” Sagona told commissioners.

The city announced last week that it would be replacing 300 desktop computers following the attack, which will cost about $215,000. Sagona said that will be offset by $165,000 the city budgets every year for the purchase of new computers.

Sagona said the city was fortunate to have its new hyperconverged storage area network installed roughly three weeks before the attack, without which she said the city would have lost at least 10 days’ worth of data. Commissioners approved the roughly $650,000 purchase, which includes about $185,000 that will pay for five years of maintenance, during the city’s last budget year.

The city has said its financial system and credit card information were not compromised during the attack, and although it did have to complete tasks by paper in some cases, city services remained operational.

Sagona told commissioners the FBI is investigating the attack.

“They have so many tools ... that can lend a hand a little bit,” she said. “We have not heard a thing from them, so I guess they were not very successful.”