TAC Blog

While speaking in Nacogdoches County recently, state cybersecurity officer Tony Sauerhoff asked attendees to guess how many malicious connection attempts the state blocks in a 24-hour period. The guesses: 50,000 … over a million.

The answer, he said, is 900 million. That's almost a billion a day every day, Sauerhoff said, emphasizing the magnitude of the threat to just the state's network. "We are all targets," said Sauerhoff, whether city, county or state.

Sauerhoff, the state cybersecurity coordinator at the Texas Department of Information Resources, was among the speakers at the first daylong County Technology Workshop of the year. The regional events, sponsored by the Texas Association of Counties (TAC) and the V.G. Young Institute of County Government, are continuing and are set for May 25 in Corpus Christi, June 9 in Amarillo, July 26 in Monahans and July 28 in San Angelo.

Sauerhoff said most of the probes are automated, and the attackers include nuisance hackers, hacktivists, organized crime and state-sponsored threats, with Russia, China, North Korea and Iran among the leaders in the last category.

Lately, phishing has been closely linked with ransomware, he said. "Folks click on a link or open an attachment that they're not supposed to … without thinking about where it's coming from, whether it's legitimate or not, and that's how the ransomware gets in," Sauerhoff said.

Since 2019, at least 17 counties and 35 cities have been hit by ransomware attacks, he said. That's down from the 23 counties and 40 municipalities that were shaken by the ransomware blitz of late August 2019.

In an interactive session on a ransomware attack on the fictitious Lone Star County, TAC's Robert Ruiz and Andrea Beard covered scenarios and possible solutions to the breach. Their presentation used a video showing how a county employee finds a USB drive and attempts to wipe it on his county computer, but he ends up infecting the network. Problems soon begin to cascade, including malfunctioning equipment, locked accounts and malicious emails. "You're going to see a common thread here: email, email, email," said Beard, a Legal Liability Claims Supervisor with TAC Risk Management Services.

Moreover, the average time before the detection of malware is 192 days, said Ruiz, Associate Director of TAC Risk Management Services. "It's not if but when you will be hit," he said. So safeguards have to be in place to protect against external threats and internal vulnerabilities, he said. "Cybersecurity is about people, process, technology."

Some solutions to head off an attack would include having an isolated computer to check unconfirmed USB drives, training on opening unverified emails and establishing multifactor authentication. "If you don't have MFA in play, you're a ticking time bomb," Beard said.

Conference attendees also heard from Chad Adams, a cybersecurity expert with the federal Cybersecurity and Infrastructure Security Agency. He outlined the many powerful services the U.S. government offers, including a phishing campaign assessment. Its levels of difficulty range from one to six, and difficult is very difficult, he said. "It might fool your IT people," Adams said.

Another is a remote penetration test, where a team identifies vulnerabilities. "You'll know that they were there," he said, because the team will present you with evidence, such as a list of all your passwords.

The best part is the price. "Everything we offer is free," he said, but there is a wait time of six to eight months for some services.

In closing, state cybersecurity officer Sauerhoff said that it isn't possible to totally prevent a breach. "You just need to make your network harder to get into than the next one," said Sauerhoff, who has ties to Louisiana. "You don't have to outrun the alligator, just your buddy."