Rehabilitating and rebuilding the systems of seven institutions after the cyberattack carried out by Conti since April of this year will cost the Costa Rican State more than ₡13,418,907,369. The figure appears in the General Emergency Plan for Cyberattack, published this Wednesday, August 24th, in La Gaceta.
The institutions are the Ministries of Finance; Science, Innovation, Technology and Telecommunications (MICITT); and Labor and Social Security (MTSS); as well as the Costa Rican Social Security Fund (CCSS), the National Meteorological Institute (IMN), the Administrative Board of the Municipal Electrical Service of Cartago (Jasec) and the Alajuela Interuniversity Headquarters (SIUA).
According to the plan, its objective is to develop the actions, works and services necessary to contain, resolve and prevent new attacks against the information systems of the Costa Rican State, specifically those of the institutions that were hit by the cyberattack.
The emergency response will be funded with the institutions' own funds as well as with resources from the National Emergency Fund (FNE). In detail, these are the institutions in the rehabilitation and reconstruction phases:
Rehabilitation Phase
- Costa Rican Social Security Fund (CCSS). It will use its own resources for ₡10,000,000,000.
- Treasury. With resources from the National Emergency Fund, it uses ₡917,500 and with its own funds ₡1,123,625,974.
Reconstruction Phase
- Treasury. In this phase, the institution will resort to ₡1,049,388,494 from the National Emergency Fund to rehabilitate its systems.
- Ministry of Science, Innovation, Technology and Telecommunications (MICITT). It will require ₡641,475,400 from the National Emergency Fund to attend to its situation.
- Ministry of Labor and Social Security (MTSS). It estimates the use of ₡345,000,000 from the National Emergency Fund.
- National Meteorological Institute (IMN). With resources from the National Emergency Fund, it plans to rehabilitate its systems using ₡66,000,000.
- Administrative Board of the Municipal Electrical Service of Cartago (Jasec). The entity of the province will require about ₡130,000,000 from the National Emergency Fund and with its own resources will attend to its situation with ₡34,000,000.
- Alajuela Interuniversity Headquarters (SIUA). The institution mentions in the plan that it needs ₡28,500,000 from the National Emergency Fund.
According to the CNE, the National Emergency Plan was prepared with the information provided by the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), as the governing body in the matter, and by the institutions that have been affected to date. The document also mentions other actions such as the response to the events, institutional activation and guidance to execute the reconstruction phases.
Deficiencies in system protection
On June 27, the minister of the portfolio, Carlos Enrique Alvarado, announced an alliance with the National Council of Rectors (Conare) and public universities to address the current situation in the country due to cyberattacks on state entities.
On that occasion, he released a series of findings from 226 institutions about deficiencies in their systems:
- 188 institutions DO NOT have specialized Cybersecurity personnel to manage the systems.
- 28 institutions have systems developed by third parties, but they do NOT include security aspects.
- 41 institutions DO NOT make backup copies of the systems that are hosted by a third party.
- Of the systems that are administered by third parties, 28.8% (65 institutions) do not have a record of the activity carried out by the administrators in their systems.
- 38 institutions have not implemented DNS security and protection systems.
- 104 (46%) institutions do not have EDR protection systems.
- 43.8% (99 institutions) have NOT implemented two-factor authentication in their systems.
- 38.9% (88 institutions) have operating systems that are out of support; however, that number is higher, since many indicated that they only had a few computers, so the percentage increases to almost 50%.
- 94 (41.6%) institutions have NOT performed security audits on their servers.
- 51 institutions do NOT have defined policies for backup copies.
- 38.1% (86) institutions DO NOT carry out backup restoration tests.
- 16.4% (37) institutions DO NOT have the site configured to prevent SQL injection type attacks.
- 42.9% (97) institutions DO NOT have active unnecessary services such as SSH, FTP, telnet.
- 32.3% (73) institutions have NOT configured a concurrent access limit to avoid denial-of-service (DDoS) attacks.