NYPD’s fingerprint database was shut down for a few hours in October last year, when an accidental ransomware infection affected nearly 23 machines linked to the department’s LiveScan fingerprint-tracking system.
How it happened?
The incident took place at the Police Academy in Queens, when a third-party contractor was setting up a digital display system. As soon as he connected the already infected NUC mini-PC to the police network, the virus attached itself to the system.
How NYPD responded?
The Deputy Commissioner for Information Technology Jessica Tisch said, “Cops realized within hours that there had been a breach. The department’s cyber command and the Joint Terrorism Task Force were notified of the contamination almost immediately.” The cyber forensic investigation found that the ransomware was “never executed”. But the NYPD shut down LiveScan that night and reinstalled software on 200 computers citywide as a precautionary measure, she added.
The IT contractor that accidentally infected the network was brought in for questioning but was neither charged nor arrested as the breach impacted 0.1 % of the department’s computers, and that too unknowingly.
Lessons to Learn
The NYPD cyber cell and incidence response team did a fantastic job by
- quickly detecting and containing the infection (by shutting off the fingerprint database),
- cleaning the systems (by reinstalling software in 200 systems on the same network) and
- determining that there was no malicious intent on the part of the contractor (by questioning him in person) who caused the mess.
What could have been different?
The infected machines were a part of the NYPD’s LiveScan fingerprint system that is a very critical system for any law enforcement agency. The Academy’s digital display network should ideally not have anything to do with the LiveScan (fingerprint database) network. Had firewalls or Access Control Lists (ACL) and Virtual Local Area Network (VLAN) been used to separate the digital display network from the rest of the network, the damage could have been limited to the less critical signage network only. The question is, “Is this Feasible?” The answer is Network Segmentation.
Network Segmentation
Network segmentation, also known as, network segregation, network partitioning, or network isolation divides a computer network into smaller parts with an intent to improve network performance and security.
Segmentation works by controlling how traffic flows among the parts. The network traffic in one part can be stopped from reaching another, or can limit the flow by traffic type, source, destination, and many other options. This methodology not only helps in containment but also in keeping the remainder of the network live even when one or more modules/systems on the network are affected or compromised.
This setup type is not cost efficient, and this is one of the main reasons why they are not the first choice in government organizations. In case of the NYPD incidence though, had there been network segmentation in place then that would have helped the containment of the ransomware to the signage network only and a need to shut down the entire fingerprint database system – LiveScan could have been avoided.