The City of Germantown, Tennessee recently reported that the city government had experienced "a malicious cybersecurity incident." The FBI is assisting with the criminal investigation.
The city received reports of the disruption at around 6:00 a.m. on the morning of the attack, and many systems throughout the city were taken offline as a security measure.
The attack was contained: the affected servers were isolated and all networked computers were shut down. According to the city, the attack potentially affected a limited number of internal, on-site servers, and IT staff and incident response specialists were working to restore system functionality and further limit the impact of the incident.
911 services were fully operational, the city said. However, other phone lines to city offices were affected.
According to the city, data related to finance, utilities, and payment information were not compromised. Those systems are intentionally cloud-based to limit the scope of potential cybersecurity attacks.
David Royer, Shay Simon, "FBI investigating Germantown cyber attack," wreg.com (Feb. 02, 2023)
Commentary
This serves as an example of how planning can minimize the impact of a successful cyberattack.
According to the city, the potential damage was limited to certain on-site servers and did not reach the cloud-hosted data. Keeping a portion of the network on-site while hosting the most sensitive data (finance, utilities, payments) on separate cloud services, with the two compartmentalized from each other, is what kept the incident from becoming a citywide outage.
This approach will not fit every organization, but it illustrates the value of segmentation: dividing network assets into isolated zones so that a compromise of one server or network node cannot spread to the rest. Firewalls with default-deny rules between zones, and separate administrative credentials for each zone, are what make the compartments real; a cloud-hosted system is only insulated from a compromised on-site server if that server cannot reach it over the network or with reusable credentials.
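To make the segmentation point concrete, the following is an added example (not part of the original article, and not a description of Germantown's actual network). It assumes a hypothetical zone layout (workstations, on-site servers, VoIP, 911 dispatch, and "external" for the internet, where the cloud-hosted finance and utility systems would live), a default-deny allow-list of permitted inter-zone flows, and a constructed firewall log format of the form `<timestamp> <src_ip> -> <dst_ip>:<port>`. Running observed flows against the policy flags the lateral-movement attempts a compromised on-site server would make toward the other zones or out to the internet.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout (an assumption for this example, not the city's real addressing).
ZONES = {
    "workstations":   ipaddress.ip_network("10.20.0.0/16"),
    "onsite_servers": ipaddress.ip_network("10.10.0.0/24"),
    "voip":           ipaddress.ip_network("10.40.0.0/24"),
    "dispatch_911":   ipaddress.ip_network("10.30.0.0/24"),
}
# Any address outside the zones above is treated as the internet, which is where the
# cloud-hosted finance/utility/payment systems sit in this model.
EXTERNAL = "external"

# Allow-list of (src_zone, dst_zone, dst_port). Everything not listed is denied, so the
# on-site server zone has no path to dispatch, VoIP, or the internet at all.
POLICY = {
    ("workstations", "onsite_servers", 445),  # file shares
    ("workstations", "onsite_servers", 389),  # directory lookups
    ("workstations", "external", 443),        # browser access to cloud finance/utility portals
    ("workstations", "voip", 5060),           # softphone signalling
    ("voip", "external", 5061),               # SIP trunk to the carrier
    ("dispatch_911", "external", 443),        # dispatch's own cloud services
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone name, or EXTERNAL if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return EXTERNAL


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<ts> <src_ip> -> <dst_ip>:<port>' (IPv4 only)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(port))


def is_allowed(flow: Flow) -> bool:
    """Default-deny check: same-zone traffic is left to host controls; cross-zone needs a rule."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return True
    return (s, d, flow.dport) in POLICY


def find_violations(lines):
    """Return the flows that cross a zone boundary without a matching allow rule."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


# Constructed sample log: a workstation talking to a file server (allowed), the file server
# talking to a peer in its own zone (allowed), then that server trying to reach dispatch,
# VoIP, and the internet (all violations), and a workstation reaching a cloud portal (allowed).
SAMPLE_LOG = [
    "2023-02-01T06:01:10Z 10.20.5.17 -> 10.10.0.12:445",
    "2023-02-01T06:01:12Z 10.10.0.12 -> 10.10.0.13:445",
    "2023-02-01T06:01:15Z 10.10.0.12 -> 10.30.0.5:445",
    "2023-02-01T06:01:20Z 10.10.0.12 -> 10.40.0.9:5060",
    "2023-02-01T06:02:02Z 10.20.5.17 -> 203.0.113.10:443",
    "2023-02-01T06:02:30Z 10.10.0.12 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_LOG):
        print(f"{f.ts} DENY {zone_of(f.src)}({f.src}) -> {zone_of(f.dst)}({f.dst}):{f.dport}")
```

The same allow-list is what the inter-zone firewall should enforce; running it against flow logs as above is the detection-side check that the enforcement is actually in place, and a burst of denied flows from a single server is the kind of signal that would justify isolating it.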
One as-yet unreported aspect of this incident is how the on-site servers were compromised in the first place. Absent that detail, the two most common initial access vectors are worth reviewing. The first is social engineering: a user clicking a link in a phishing email or text message, or opening a malicious attachment or download. This remains one of the most common ways for malware to enter a network.
Train employees regularly on phishing and other social engineering techniques, which change constantly.
The second, somewhat less common, vector is outdated or unpatched software, which attackers readily exploit when they find it, especially on internet-facing systems such as remote access and VPN appliances. Keep all software up to date and patched, prioritizing anything exposed to the internet.