Smithtown could be hit with a cyber attack similar to that of Brookhaven and the state of Ohio, according to a review of its cyber security practices.
On June 25, the Town of Brookhaven website was taken over with a seemingly pro-ISIS message after a group hacked into the system. It was later disabled and the town launched an investigation.
Smithtown is vulnerable to a similar attack, and possibly a more severe one, according to an internal report done on the lack of cyber security on the town’s network. According to a source with knowledge of the report, the website and the network holding payroll accounts and employee information could be easily hacked into, since it is using a program, Microsoft Access, from 1997.
The town uses a service called CivicPlus to host and monitor the town’s website. According to CivicPlus’s website, they provide security support and diagnostics for municipal government sites.
In an email to town employees and elected officials, Director of Information Technology Kenneth Burke, responded to the Brookhaven hack saying that “their web site was written in house and may be more susceptible to hacking.” He added that security provided by CivicPlus is their “forte.”
According to the same source, who left the Town in 2015, the report was done in late 2014 by an outside firm and diagnosed the town as being incredibly vulnerable to hacking, saying: “It was like a recipe of how to take over the IT system from the outside.”
At the time the source left, there had been no advances in cyber security in the town. Burke says that they are constantly making updates.
“We are constantly looking at our security, applying patches to stave off any attacks,” he said.
The report is still in the hands of the Town of Smithtown Department of Information Technology.
According to the contract between the Town and CivicPlus, obtained by a Freedom of Information Law request, for the hosting service, there is an antivirus protection included, but it is unclear what is actually protected and how effective it could be for a serious breach, and does not cover the back end of information. CivicPlus only covers the website and does not protect the back end information.
The source previously mentioned with knowledge of the town’s vulnerability says that they should get another independent report done. The same source added that a big vulnerability was the lack of a Chief Information Officer, and that the IT department should be moved back under the Comptroller’s office. “They could suffer very much the same fate as Brookhaven,” if changes are not made, according to the source.
The town holds the identity of every employee since they switched to a digital system, an average of 500-1,000 identities per year, in a 1997 software. This includes names, addresses, social security numbers, payroll information, and more.
“At the very least, local governments absoloutely should have a top of the line firewall in place with multifactor authentication tools present in order for somebody to gain access to secure and confidential servers,” says Paul Taylor, a risk analyst for Cashstar with a background in international justice and security. “A lot of times local governments of small towns don’t have a lot of classified data that could jeopardize the security of our nation, but they are at risk of losing important files with financial and logistical data that help the town run smoothly.”
In a conversation on Real Time with Bill Maher on June 30, former U.S. National Coordinator for Security, Infrastructure Protection, and Counterterrorism Richard A. Clarke said that the success of many attacks goes unknown to the organization attacked.
“We’re just hearing about 1/10 of those who succeed,” he said. “They have a very high rate of success, we don’t know how to stop it, and the people who do it can’t be punished.”
So, is Smithtown safe from a cyber breach? “It’s a constant battle,” Burke said. “Is anyone really 100% secure? Really, the answer is no.”