City of Yonkers Fights off Sophisticated Cyberattack

Yonkers Rising found in 2021 that the City of Yonkers had been the victim of a ransomware attack, and that City Hall and its employees had been without computers for five days.

We were also told by city officials familiar with the matter that Yonkers would NOT pay the proposed ransom to unlock its computer servers, instead spending a week attempting to upload as much data as possible from backups.

Multi-Factor Authentication (MFA) enters the picture for the City of Yonkers here. MFA is one of the most prevalent solutions for addressing the general limitations related to passwords.

To translate this idea into reality, the City of Yonkers has solicitated a professional services contract to buy a commercially available, centrally managed Multi-Factor Authentication (“MFA”) system created to make sure the City’s user logins are indeed the correct users’ logins. The goal is to keep bad actors, viruses, and unlawful use of information and networked resources out of the City’s production networks.

Having established the core reason for the contract, we are in a position to dig into many layers of the solicitation. However, it’s good to look at this city since Yonkers has a long history to tell.

Yonkers – Where Creativity Thrives and Inventors Flourish

In the 1640’s, Adriaen Van der Donck got a grant of land from the Dutch East India Company which he identified as Colon Donck, and constructed one of the very first sawmills in the New World at the junction of the Hudson and Nepperhan Rivers.

Because of his status in Holland, Van der Donck was referred to as Jonk Herr (“young Gentleman” or “young Nobleman”), and these terms evolved through various revisions to The Younckers, The Yonkers, and eventually to the current Yonkers.

The area purchased by Van der Donck passed into the hands of the Philipse family in the late 17th century, and Philipse Manor Hall was built in the early 1680s near the confluence of the two rivers.

Yonkers’ strategic location aided its growth as a major commerce center, and its early residents (including Native Americans, English, and Dutch) established a diversified community.

Yonkers was a small agricultural town in the 1700s, but many businesses quickly sprouted up: sawmills and grist mills proliferated, land development flourished, and blacksmith shops, taverns, and general stores sprouted up.

Yonkers has long been the home of innovators and inventors. The breathtaking views of the Palisades and majestic Hudson River have inspired creativity for more than 150 years. Elisha Otis invented the safety elevator here in 1854 and built his first factory in Yonkers.

In 1867 Charles Harvey of Yonkers built the first elevated train line on Greenwich Street in Manhattan, which paved the way for the subway system and mass transit.

Edwin Armstrong invented FM radio in 1912, building his antenna on the Palisades across the river from his Yonkers home. Just six years earlier Yonkers resident Leo Baekeland invented the first plastic, a good thing since all those radios would need cases.

In 1888, John Reid and a few companions designed America’s first golf course, named it St. Andrew’s after Scotland’s famous course. Ella Fitzgerald, Gene Krupa, Jon Voight, W.C. Handy, Sid Caesar, and Mary J. Blige have all lived in Yonkers.

During the twentieth century, Yonkers became an industrial powerhouse. Not only did Otis continue to produce elevators here, but the Nepperhan Valley also housed the world’s largest carpet mill.

Yonkers changed with the times and the economy. Today, the Otis Elevator plant is home to industry leaders such as Kawasaki, which manufactures rail cars for the MTA, Metro North, Long Island Railroad, and other transit systems around the world; Mindspark, one of the leading web app developers; and ContraFect Corp., which manufactures bio-engineering therapies.

The carpet mill is home to the YoHo Artist Studios, which house scores of artists, craftspeople, singers, and new media professionals.

It’s hard to admit that such a developed city as Yonkers cannot avoid becoming a victim of a cyber-attack. This unpleasant scenario continues to follow them several times amid the effort to protect the City’s security.

When Ransom-Hacking Keeps Being a Nightmare

Apart from the 2021 cyber-attack mentioned in the first paragraph, ransom-hacking is nothing new to minor municipalities and school districts around the country. Last year, the computer systems of the Yorktown and Croton-Harmon school districts in Westchester County were hijacked by a cyber security attack perpetrated by someone requesting payment to remove ransomware that had frozen both systems.

After learning of a cyberattack, the Yorktown schools were obliged to temporarily switch from a hybrid learning style to all-remote instruction.

The ransomware attack locked data on the Yorktown Central School District’s networks, forcing administrators to restore servers from backups and reimage devices room by room. A similar attack was allegedly planned for the Croton-Harmon school district in 2020. Both these school districts did not pay the ransom and were able to restore their systems using data backups instead.

Ransomware attacks against US organizations have happened in recent years, with the most recent being WannaCry in 2017, which the US Government blamed on North Korea, which, according to published reports, operates a government-sponsored ransomware operation that accepts Bitcoin payments.

When we look at the larger picture, we see that the number of data breaches is increasing, with over 37 billion data records being leaked in 2020. Users frequently attempt to strengthen the security of their data by changing passwords in order to protect themselves from a data breach, but passwords alone may not be sufficient to secure personal data.

There is no uniform playbook for dealing with ransomware attacks and demands for local governments and school districts. Some pay, while others do not. According to Daniel Tobok, CEO of Cytelligence, in his experience helping 500 municipalities, the ransom is sometimes paid up and sometimes it is not. After a certain number of days, though, “you don’t have a choice and you have to make a business decision.”

Hiring a cybersecurity specialist to deal with cyber thieves is sometimes a wise business decision. That, however, is not the case in Yonkers. The City has taken a more long-term approach to security by requesting Multi-Factor Authentication services in a contract.

Facilitating MFA – The Effort to Reimagine the City’s Security

MFA is adopted to determine whether a user’s identity is legitimate. It necessitates the presentation of two or more pieces of evidence, or elements, for authentication. MFA’s primary purpose is to strengthen security by adding additional authentication factors. A well-planned multi-factor authentication approach strikes a balance between increased security and user comfort.

The fundamental goal of multi-factor authentication is to lessen the danger of account takeovers while also providing added security for users and their accounts.

Because weak or stolen passwords cause over 80% of cyber breaches, MFA can provide the additional levels of security required to protect individuals and their data. If one of the elements, such as a user’s password, is stolen or compromised, the other factors give an extra layer of security and assurance of the user’s identity.

All users authenticating to the City of Yonkers’ IT systems will be affected by the MFA system. MFA rules will be adapted to reduce needless risk while supporting the business requirements of the departments/organizations to which they are linked. The City is looking for a system that would confirm that each authorized user is who they claim to be.

The City’s network is made up of roughly 150 Microsoft Windows and 10 Unix/Linux servers, which are distributed over an on-premise VMWare environment and several Commercial Off-the-Shelf (COTS) SaaS services. Cisco routers and switches, as well as Cisco firewalls, comprise the network infrastructure.

The telecommunication system for the city is an on-premise AVAYA Aura VoIP solution that supports telephony devices (phones, ATAs, voice gateways, and so on). It has voice mail and ACD queues, and it serves the city’s first responders as well as the 911 center. We predict that the MFA solution will be deployed to about 1000 desktops and 250 laptops.

The winning Vendor will be responsible for the effective deployment and continuing maintenance of the described solution. The duration of the funding will be 5 years. But what exactly must the winning vendor provide? The following section explains it thoroughly.

Deliverables and Responsibilities for Beating off Cyberattacks

Starting with Software Provider’s General Obligations, which encompass proposing a project schedule, collaborating with key department staff to develop system specifications, identifying hardware and software requirements, testing the MFA solution, installing and configuring it in the City’s environment, providing training to IT staff and system administrators, offering ongoing support and maintenance, and ensuring the system’s ability to be updated and migrated.

These tasks encompass the entire lifecycle of the MFA solution, from planning and specification to implementation, training, support, and future-proofing the system.

Additionally, network access to City-owned/managed systems will require the completion of a Memorandum of Understanding (MOU) related to IT Security, which will be finalized with the chosen proposer after the contract award.

Next, Project Management is a crucial responsibility of the Software Provider, with the assigned project manager being responsible for updating the work plan and project schedule, submitting monthly status reports, coordinating project resources, and attending meetings as required by the City’s project manager.

When it comes to the Implementation stage, the Software Provider must determine the City of Yonkers’ common modes of operation and preferred procedures. The selected software must be installed with minimal interference to daily operations. Since all current workstations are in use on a daily basis, an upgrade/changeover plan must be developed to minimize downtime on existing workstations.

With the Acceptance Testing phase, on-site acceptance testing will include appropriate Software Provider and department staff and will occur at a time agreeable to both the Software Provider and the department. User acceptance tests will test all system components according to the test plan section of the work plan and will be designed to simulate the department’s actual work environment.

Tests conducted on the COY environment shall not prevent the operation of existing systems or cause system interruptions unless previously approved by the department.

The following part is Variance Reports. In this one, a variance report must be prepared for any deviation from the specified requirements. It should include a sequential identifying number, date and time of occurrence, variance status, references to relevant documentation, and the identification of staff involved in the test. This report ensures proper documentation and resolution of any deviations from the requirements.

Final Acceptance is also an important stage. The COY shall give final acceptance of software, configuration, training and other services following the Software Provider’s completion of all such work in accordance with the contract and after thirty (30) calendar days of continuous successful and error-free operation of the system in COY’s actual work environment.

Last but not least, training is an integral part of the package price, and the Software Provider is responsible for providing all necessary training for successful implementation and operation of the system.

Once the Scope of Work (SOW) has been defined, the evaluation process comes into play to assess the proposals received. By evaluating each proposal against the established criteria, the City can ensure a fair and comprehensive assessment, ultimately leading to the selection of the best proposal for successful project implementation.

An Evaluation Process to Select the Optimal Vendor

A City evaluation committee will review the proposals and may conduct interviews with one or more of the qualified proposers as part of the final selection process. Proposers may be asked to make a presentation to the evaluation committee.

The City shall evaluate proposals based on responses to the following items. These items are not necessarily listed in order of importance. The City reserves the right to weigh its evaluation in any manner it deems appropriate. If two offers are found to be substantially technically equivalent, price shall be the basis for determining the award recipient.

For the Technical Proposal section, the City requires the vendor to provide key information about their firm and designate a direct contact person for the RFP and subsequent contract. This includes a brief history and description of the company, outlining their expertise and experience.

Additionally, the vendor should detail their qualifications, technical experience, and skills, emphasizing past projects of similar scope and nature. It is crucial to provide information on organizational staffing and financial stability. If the subcontractors or consultants are involved, the proposal should describe their roles, qualifications, experience, and the percentage of work they will perform.

Independence and absence of conflicts of interest are paramount, so the proposal must include an affirmative statement from the vendor and each subcontractor or consultant affirming their independence from the City of Yonkers or Yonkers Public Schools. Furthermore, any direct or indirect conflicts of interest that may exist should be disclosed.

To understand the vendor’s approach to the project, a Statement-of-Work should be provided, outlining their strategy for delivering the services described in the Scope of Work and Objectives section. This should include a breakdown of tasks, organized by phase, with estimated timeframes for completion. If any resources from the City are required, the proposal should clearly indicate those needs.

The proposal should demonstrate how the vendor intends to fulfill each requirement listed in the Scope of Work/Objectives. Additionally, the ease of use of the software being proposed should be described, highlighting user-friendliness and intuitive interfaces.

Execution is a crucial aspect, and the proposal should detail the vendor’s ability to deliver and execute the project as outlined. This includes factors such as project quality, cost control, and timeliness in completing the project.

Lastly, the proposal should provide an explanation of how the vendor distinguishes itself from its competition. This may include highlighting unique features, proprietary technology, or specific expertise that sets the vendor apart.

In addition to the above, proposals will be evaluated based on their responsiveness to the project requirements, their ability to address the objectives outlined in the RFP, their understanding of the project, and their compliance with submission requirements.

The quality of the proposal itself will be considered, assessing the clarity and effectiveness of the plan for project execution, alignment with project goals and objectives, and the use of quality techniques, methods, and resources to ensure accurate data and analysis.

One thing must be said that this contract was already closed in September 2022. This means that the City of Yonkers has already picked the most suitable vendor for the role. However, there are no tabulation sheets of the finalists and the winner attached. Even with zero information about who the City awarded the contract, we are sure that that one must be fulfilling all demands from the issuing organization.

After this solicitation, the city will be able to enhance its online security, but it’s just a part of the benefit, cause what they receive varies.

The Bigger Picture of Fighting off Against Ransomware

The most crucial thing to know regarding ransomware is that the quicker you respond, the smoother your recovery.

Unfortunately, many organizations do not have the means to develop and implement response plans. As a result, IT Governance USA created its Cyber Security Incident Response Service.

However, as part of the contract, the City of Yonkers will be provided with a new cyber security platform to defend it from ransomware assaults and digital infections.

Smart cities have a unique characteristic: integration of deployment of information and communication technology services and innovations to handle complex data in storage devices and during citywide transmission.

Yonkers is fully aware of these issues, and the contract is just one component of the city’s effort to combat cyberattacks; it is part of Governor Kathy Hochul’s “shared services” program.

Hochul proposed a $30 million “shared services” program in the first quarter of 2022 to assist local governments and other regional partners in acquiring and deploying cybersecurity services. She stated that governments and large cities must collaborate to improve security.

“We can no longer act independently. And that has been the case where the State of New York has its plan,” the governor said. “City of New York has a plan. Our mayors, our local governments throughout the State of New York. And that is not sustainable in light of the threats that we’re seeing. And we can’t expect cities and counties to go it alone.”

The center was created in collaboration with the mayors of New York City, Yonkers, Syracuse, Buffalo, Rochester, and Albany. According to Jackie Bray, Commissioner of the State Division of Homeland Security and Emergency Services, municipal responses to assaults vary right now.

“What’s going on now is that any entity that is being attacked is responding. New York City has a very robust and mature response, and the responses of our cities, counties, and authorities range from that incredibly mature, robust response to one that requires assistance, according to Bray.

Hochul said the effort is in response to a phone discussion between President Biden and governors from across the country, during which he warned of a heightened threat due to tensions between Russia and Ukraine.

“The White House thought it was important enough to let governors know to be prepared. The criminals, the terrorists – they don’t telegraph. What they’re going to do because they want the element of surprise,” Hochul explained.

She added, “But we’re on notice now. We’re on notice of what they could do to dismantle our systems, our communication systems, our 9-1-1 systems, our transportation network. I mean, they all run on the technology and you disrupt that technology, that connectivity, there is an opportunity for rather cataclysmic consequences.”

As part of the shared services scheme, counties in New York and the state’s initial JSOC partners offered free CrowdStrike endpoint detection and response services in May 2022.

Yonkers would save about $75,000 per year as a result.

Mayor Mike Spano, along with New York City Mayor Eric Adams, Buffalo Mayor Byron Brown, Albany Mayor Kathy Sheehan, Syracuse Mayor Ben Walsh, Rochester Mayor Malik Evans, and other cyber leaders from across the state, participated in the establishment of the cyber command center, which will provide a statewide view of the cyber-threat landscape.

It will not, nevertheless, support Yonkers Public Schools’ cyber security measures because the new program currently only includes municipalities and not school districts.

Bottom lines

Yonkers Mayor Mike Spano is committed to establishing an atmosphere that will boost the economy, attract new families, and encourage businesses to start, relocate, or expand in the city.

Mayor Spano’s approach to development and investment has changed. The city’s development ambitions were halted when he took office in 2012. Big initiatives were on the drawing board but never got off the ground.

That’s when Mayor Spano called his economic development team together and told them to come up with creative strategies to make stalled projects work. Yonkers municipal planners are now offering faster turnaround times and incentives to recruit businesses.

Ensuring security is a crucial part in this road, it’s not a boast to say the contract is aligning with his mission to better the City of Yonkers.