Security Incident

Description of Issue

What steps do we take when our site discovers it has been infected with ransomware or has suffered another security breach?

How do we report that a Cyber Security Incident has made Enterprise ERP (Munis) inaccessible?

Context
  • Munis

  • Enterprise ERP

  • Ransomware

  • Virus

  • Security issue

  • Hosted

  • On Premise

Cause

Ransomware is a type of malware classified under cryptovirology that threatens to publish the victim's data or perpetually encrypt the files on the affected computer, making them inaccessible, unless a ransom is paid. The payload easily infiltrates as a computer worm or Trojan horse and quickly spreads to networked devices. It is essential to quarantine the infection before it spreads.

Resolution

The site will:

  1. Reach out to TSM Support within 24 hours of detection

    1. Call 1-800-772-2260 ext 3608 (SaaS) or ext 3851 (OnPrem)

  2. Work with the technician to open a Critical ticket with the title: SECURITY INCIDENT – CITY OF NAME and enter the following information:

    1. When was the infection first identified?

    2. What were the observed symptoms of the infection?

    3. What is the name of the malware (if known)?

    4. What organization is handling the response?

    5. What steps were taken to contain (and eliminate) the malware?

  3. Make sure to provide a site Point of Contact, including offsite email and phone number if email and phone systems are compromised.

  4. Follow the Information Technology Security Office Policy (below) to obtain a final report from the third-party security firm that is handling the response.

NOTE: The Hosting team will scan the client’s data with an ITSO approved anti-malware solution and transfer the data into the new, fully segregated AWS environment. This quarantine will remain in place for a minimum period of six (6) months. This added safeguard ensures that any malware present in the environment cannot affect any other Tyler service.

Additional Information

Tyler Information Technology Security Office (ITSO) Policy

Reporting the Incident:

An affected site must notify Tyler within 24 hours of discovery of the infection/attack. Tyler will immediately close down all active connections to the site and disable user accounts that have access to hosted services. This includes:

  • Clients who use VPN technologies to access Tyler hosted solutions

  • Clients using remote access technologies to access Tyler hosted solutions (ex. Parallels)

  • Client environments accessed by Tyler employees via remote access or support technologies (ex. Bomgar, GoToAssist, RDP)

Recording the Incident:

  • Tyler will create a ticket in CRM to track the progress of the attack. This ticket will be checked as Internal for Tyler's use and not client searchable.

  • Tyler will open a Sev-1 that includes Hosting Services, Deployment, Disaster Recovery (DR) Support, the Information Technology Security Office (ITSO), and others if needed, and will track the progression of the resolution.

Next steps:

For Tyler hosted client environments or Tyler DR client declarations involving malware, additional precautions will be taken. Client application environments will be moved from the multi-tenancy Tyler Hosting center into a temporary quarantined hosted environment. The Hosting team will scan the client’s data with an ITSO approved anti-malware solution and transfer the data into the new, fully segregated AWS environment.

This quarantine will remain in place for a minimum period of six (6) months. This added safeguard ensures that any malware present in the environment cannot affect any other Tyler service.

Tyler will need documentation including the following information on official letterhead. This can be emailed, faxed, or mailed to the assigned Tyler Support Technician.

  1. When was the infection first identified?

  2. If known, what was the root cause of the initial infection?

  3. What were the observed symptoms of the infection?

  4. What is the name of the malware (if known)?

  5. What organization is handling their response?

  6. What steps were taken to contain and eliminate the malware?

  7. Provide an outline of the response/restoration actions taken.

    1. If available, provide a copy of the incident response procedure used.

  8. What remote access software do Tyler employees use to connect to the client system?

  9. When was the site declared clean of malware?

  10. What ongoing monitoring has been put in place to prevent another outbreak?

Tyler requests a report from a government agency (FBI or Secret Service) or from the third-party security firm that is handling the response, or responses on the site's official letterhead.

Restoring connection to the cleaned site:

Once the client has provided appropriate documentation that their network is free of malware, Tyler’s IT Security Office will review it within 72 hours and authorize Hosting or Division Support to re-enable remote access.

The six (6) month quarantine window begins on the day that the above written report is reviewed and accepted in writing by Tyler's Information Security team (or delegate).
