When Bad Things Happen to Good Governments

Upload: paul-w-taylor

Post on 12-Apr-2017


When Bad Things Happen to Good Governments

We are here to drill down on cyber security and state and local government.

The subtitle was chosen on purpose. Information security experts agree that it is not a question of if your agency is attacked but when. And they caution against complacency: just because you have not heard about it doesn't mean it hasn't happened.

Our purpose is to learn from those jurisdictions that have lived through a breach or other cyber attack, and to give you a better sense of what you can and should do as you leave here today.

Our Time Together
- The Year of the Breach
- Real-Time Response I (Panel)
- The Cases: 2 You Know, 2 You Don't
- Real-Time Response II (Panel)
- What Have We Learned?
- The 1 Thing (Panel)

During our time together, we will begin with a broad look at the landscape. You'll meet our panel, who will provide color commentary to case stories from state and local government. We'll also harvest takeaways from the discussion and suss out what everybody from elected officials to front line employees needs to be doing. Cyber security may not be in your job description, but you share responsibility for our mutual protection in a hyper-connected government environment.


Cyber Security: Breach, Hack, DDoS, Malware, Phishing, Spyware, Ransomware, Viruses, Worms, Botnets

Information Security

A Cyber Attack is an attack initiated from a computer against a website, computer system or individual computer (collectively, a computer) that compromises the confidentiality, integrity or availability of the computer or information stored on it. Attacks come in a growing number of forms, often in combination. Narrowly defined, a breach is the intentional or unintentional release of secure information to an untrusted environment. We are using it for the next hour somewhat more broadly, as a shorthand for cyber attacks.

[Reveal] It is worth noting that cyber security is a subset of the wider discipline of information security, which also involves the security of information or information systems in both the cyber and physical worlds. That is, the physical security of the systems, including facilities and access control.

Public IT Priorities (Top 5)
State CIOs: Cybersecurity, Shared Services, Cloud, Mobility, Staffing
County CIOs: Cybersecurity, Staffing, Shared Services, Mobility, Cost Control
City CIOs: Open Gov/Data, Mobility, Cybersecurity, Staffing/Portal, DR/COOP
Source: Center for Digital Government, Digital States, Counties, Cities, 2014.

If the first rule of real estate is location, location, location, the first priority of the public IT community is cybersecurity, cybersecurity, cybersecurity. It has not always been this way, but there is consensus across state, county, and city CIOs that cybersecurity is at or near the very top of the list. The other entries on those Top 5 lists make systems more complex and potentially more vulnerable. Couple that with increasing awareness of malicious activity by rogue states and stateless rogues, and the public sector cyber threat landscape is constantly changing.

It is also worth noting that in mid-April 2015, NASCIO released a report, State IT Workforce: Facing Reality with Innovation (2015), in which state CIOs ranked cybersecurity as the top staffing priority (67%).

Elected + Appointed Officials: What Respondents Want in a Network
Source: Center for Digital Government, 2015.

It is not just the CIOs who are paying attention. When asked what they prioritized most highly when thinking about their jurisdiction's network, respondents said security (79%), followed by availability (72%) and resiliency (59%). Clearly, it's on their minds too.

How Did We Get Here?

It is top of mind for elected, appointed, and technology leaders because they see what we see, and a good deal more! There is good research data on the vulnerabilities and evolving threat environment. There is also good staff work being done by CISOs, CTOs, data scientists, and policy staffs. And then there is the media's role in giving us something to talk about.

Sources: ABC | KRON TV | WCPO TV | WWLP TV | WOCH TV | WTNH TV | WH.gov

Ripped from the Headlines

What we see are vulnerabilities in retail, credit scoring, health insurance, and even entertainment. The numbers are so large and the impacts so personal that they cannot help but get your attention.

Career Defining Breaches

You probably remember these, and thats the point.

The South Carolina breach was three years ago and the environment there is still poisoned by mistrust. Its Department of Revenue had poor controls; hackers had access to the system for over a month and went UNDETECTED, exposing the records of 4 million residents and 700,000 businesses. It cost the DoR director his job.

Utah had a mature cybersecurity program and strong controls. But a routine software upgrade went terribly wrong. It was a 1-day breach exposing the records of 750,000 people, and it ended up costing the state $9 million in mitigation. It also cost the state CIO his job. His resignation protected his employee, his organization, and importantly his governor.

----- Additional Detail -----
Cybersecurity is a high stakes challenge, for governments and business to be sure. It can also be intensely personal in a career-defining way.

It is worth reminding ourselves of a couple of large state data breaches that we probably prefer to forget. But there are important lessons in both of them.

South Carolina
Let's begin in South Carolina. It was September 2012. An employee at the state Department of Revenue had opened a phishing email the month before, giving the hacker access to the department's data system. During a period of weeks, the hacker patiently and methodically scoured the department's system by remote access, using the stolen employee credentials and then finding more credentials once inside the system, undetected by the agency. The result was the exposure of the personal data of nearly 4 million individual filers and 700,000 businesses. A subsequent investigation detailed that the Department of Revenue was literally clueless. It had no visibility on what was happening, nor any program, policies, or procedures in place to detect, prevent, or respond to cyber incidents. That was almost three years ago and it is still a politically charged issue today, fostering mistrust between the executive and legislative branches, and between government and 4 million state residents. The damning results of the investigation led to the resignation of SC's DoR director.

Utah
A smaller but still significant data breach earlier in the year in Utah also was career defining. State CTO Steve Fletcher resigned because, as he wrote, "it happened on my watch." The resignation also served to insulate the governor, who was about to run for re-election. Unlike South Carolina, Utah had a fairly well-developed cybersecurity program. It saw that bad stuff was happening almost as soon as the trouble began. And it took steps to mitigate the damage, but not before hackers from Eastern Europe gained access to the health records and other personal information of three-quarters of a million state residents. This breach was not caused by sophisticated malware. Instead, a series of configuration mistakes during an upgrade left the server wide open to attackers, who downloaded data on a single day. The state has since spent about $9 million on security audits, upgrades and credit monitoring for victims.


Managing the News Cycle

Speaking of protecting the governor, that was the goal when the Courts' systems were hit in Washington state. But they are completely different branches of government, you say. Yes. So why would the executive branch step in? Because the courts needed help and nobody wanted this splashing on the governor. Unlike Utah and South Carolina, where the story went on and on, the Washington state courts breach only hung around for a couple of news cycles. The response was so effective that [REVEAL] the state has made what worked a permanent statewide policy. In case of a breach or other cybersecurity incident, regardless of which agency is impacted, only one person speaks publicly about it. Not the PIO. Not the agency CIO. The lone, official source is the state CIO.

----- Additional Detail -----
In a third breach the next spring, in Washington State, as many as 160,000 Social Security numbers and 1 million driver's license numbers were compromised in a breach at the office of the State Administrator of the Courts. It provides a lesson in strong message discipline. There was a strong desire to avoid the damage and lingering headache of the types experienced in South Carolina and Utah. The courts had been caught flat-footed, responding with a promise of an investigation and to "undertake significant security enhancements to prevent further compromise." There were two unusual outcomes to this case: In a state where division of powers is jealously guarded, Gov. Jay Inslee asked the Office of the state Chief Information Officer to help the AOC enhance the security of data under judicial branch control; the incident was also a catalyst for the creation of a statewide policy for handling IT Security Incident Communication, which encourages internal sharing of incident information within channels but effectively prohibits all state employees and officials from speaking about cyber incidents. All except one person: the state CIO. The CIO stepped in during the Courts breach to keep the incident from splashing on the governor. The policy makes that splashguard permanent.


The Rise of Hacking Crews
Vikingdom2015: From Russia with Malice

Fast forward to this spring, and some states have been having a bad run thanks to the rise of so-called hacking crews, which underscores the need for "fast, flexible, and nimble" defenses (to quote the president). States and localities recently got a first-hand look at a hacking crew from Russia called Vikingdom2015 that claimed credit for DDoS takedowns of a half dozen state and local government websites in April (Maine, South Carolina, Iowa, North Dakota, Tennessee, Connecticut).

[Reveal] The news could have been much worse. Vikingdom had called out 41 state websites on its "Destroy American" [sic] list.

The calculation here is a little like the old bear-in-the-woods joke. My jurisdiction doesn't have to be faster and better defended than all the sites on that list, just yours!

http://www.businessinsider.com/vikingdom2015-anonymous-hacking-group-threatens-gov-websites-2015-3


Managing the News Cycle

Then there is a story of the state of Missouri.

You know about the tragedy and protests in Ferguson. But you may not know what happened 100 miles up the highway in the state capital, Jefferson City. Theirs is not a story of message discipline. Theirs is a story of overall discipline of an IT-led cybersecurity program. You may not have heard much about it for one very simple reason. IT WORKED.


Michael Brown

August 9, 2014

The shooting of Michael Brown, an 18-year-old African-American, by a white police officer ignited protests in Ferguson that would spread across the country.

Dateline: Ferguson
Flickr: Chuck Jines

Brown was killed at around noon. Within 2 hours, local officials were requesting mutual aid from other police departments as protests rocked Ferguson. Protests on the ground became so violent that Amnesty International sent a team to Ferguson and the Governor deployed the National Guard.


Within a day, the hacking group Anonymous joined the cause.

August 9, 2014 to January 7, 2015
Sources: Operation Ferguson / Al Jazeera America

Global-Local Hacktivism

August 10, 2014: In a tweet, Anonymous claimed its first takedown of a government website, that of St. Louis.

[Reveal] Anonymous also released the first of a number of video messages encouraging protests and warning of a relentless cyber attack. The video is a 1 minute edited version of the original that ran over 20 minutes.

[The reveal shows the speaker, which is an icon for the video. Click on the speaker to play.]

[Presenter note, definition: Hacktivism is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose. The individual who performs an act of hacktivism is said to be a hacktivist.]


Meanwhile in the Capitol
Google Maps

The groundwork had been laid long before.

They had already established a smooth-running Network Operations Center and a Security Operations Center. Each served as a hub used by a wide range of stakeholders to communicate about everyday IT issues. During the Ferguson events, the centers fed the War Room real-time information about what was being experienced by end users and IT staff. This allowed the War Room staff to troubleshoot potential problems as they arose. All the skills and players had previously been identified and recruited. They were prepared to mobilize quickly in the event of an attack. They practiced, and performed exercises at regular intervals. A War Room makes all the difference because the players can work in real time and in person, constantly asking each other "What are you seeing?" The War Room had only been used twice before, for relatively minor incidents. But it had already proved that it could be assembled and operating within hours. The wrinkles had already been ironed out. The same processes, particularly the Network Operations Center, work for all other types of crises too, such as tornados, ice storms and droughts. So in many ways, the Ferguson incident was just another crisis.

Incident

Within hours of the incident, state IT officials took note of the violent protests and realized right away that the state was likely to be targeted. They started preparing. Within 48 hours, hacktivists had taken down the City of Ferguson. St. Louis County would be shut down a couple of days later. State officials were certain they would be next in line. The only question? How soon. It wouldn't be long.


Dateline: Jefferson City
Flickr: Steve Warren

Days that Missouri was a worldwide hacktivist target: 123

There were four distinct phases of the original response, each 48 hours long, and another important 48-hour period toward the end. Each represented a high stakes test of the defenses, and MO had to remain vigilant for all five as they adapted to a rapidly changing environment.

On Day 3 after the shooting, the State CIO and State CISO discussed actions taken by Anonymous against the City of Ferguson. A couple of days later, the CISO ran a table top exercise on DDoS attacks. A few days later, attacks started on the state: varying types and degrees of DDoS. For the next 3 weeks, Missouri was the #1 hacktivist target in the world.

----- Additional Detail Below -----
The state's cybersecurity response can be understood by looking at it as four successive 48-hour phases.

First 48 hours: August 14-15, 2014
City of Ferguson IT had been taken down by Anonymous. Governor Nixon ordered the Highway Patrol to take control of security, increasing the risk of a cyber attack on the state by making it (and the governor himself) a target for post-Ferguson protesters and hacktivists. State IT leadership in Jefferson City recognized that an attack on state IT infrastructure was imminent and inevitable.

The state had developed, tested, and operationalized a comprehensive cybersecurity program. Within 48 hours, the CISO led a table top exercise on an Anonymous DDoS attack on the state network. The War Room was activated, integrating the Network Operations Center (NOC), Security Operations Center (SOC), and social media monitoring.

Second 48 hours: August 16-17, 2014
Massive and sustained Distributed Denial of Service (DDoS) attacks began against the state's IT infrastructure, ranging from Internet traffic floods to full network saturation. The number of connections overwhelmed firewalls and the Intrusion Protection System (IPS). State DNS for websites was redirected to CloudFlare, IPS blocks were put in place, and bandwidth was increased. Offshore traffic was blocked.

Third 48 hours: August 18-19, 2014
Website migration continued. New blocks implemented on the IPS. International blocks removed.

Fourth 48 hours: August 20-21
Changes made to the firewall. The Missouri Research and Education Network (MOREnet) reconfigured for a second connection. State sites serviced by CloudFlare set to have their original IP addresses blocked at the firewall, except CloudFlare's IP range. New discussions began among the internal team and vendors regarding DNS and additional protections.

In the weeks that followed, an iterative pattern of:
- Blocking new IPs based on reports of unusual connections.
- Transition to Verizon DNS/DDoS protection services.
- Site migration to CloudFlare.
- Adaptive security devices put in place between MOREnet and the IPS.

Launch and Learn
Flickr: Steve Warren

The one unfinished part of the state's cybersecurity program and plan when the crisis hit: DDoS.

Oh, the irony. This was the prime tactic, though not the only one, used by the attackers. What's DDoS? It stands for distributed denial of service. It involves flooding the host with external communication requests. It can also involve malware and other means of draining system resources. The idea is to overload a system enough to take it offline. Distributed Denial of Service uses a botnet, adding up to hundreds or thousands of sources. But the state had a system, and a process was in place. So they could withstand a serious oversight or two. They were able to learn and re-adjust on the fly because they were in control rather than out of control. They most definitely delivered on the President's challenge that, in the face of ever more sophisticated attacks, "we need to be just as fast and flexible, and nimble, in developing our defenses." Missouri proved that it can be done. In real time (when it has to be)!


Target: Governor Nixon
Flickr: Steve Warren

[REVEAL 1: "Good Morning, Governor" tweet] August 18, 2014. The tweet came the same day as: the Governor lifted the curfew but called up the National Guard. The next day, Governor Nixon got doxed. (Doxing: having your real personal information (e.g. name, address, phone number) discovered and revealed on the Internet, destroying anonymity.)

[REVEAL 2: "Really Governor" tweet] August 25, 2014. The tweet came the same day as: the funeral held for Michael Brown; audio of the shooting released.

[REVEAL 3: "Leave Power" tweet] August 27, 2014. The tweet came the same day as: Anonymous encouraged protests against the Governor on all fronts, by calling and tweeting. There was a day-long push on Twitter to use #ArrestDarrenWilson to @GovJayNixon for a Twitter storm. Tweets promoting a general strike continued.


Target: Governor Nixon
colorofchange.org

Throughout, the Governor was repeatedly threatened by Anonymous and other hacktivist groups. During the heaviest period, the state was spotting and terminating multiple outside scanning attempts per hour. Each of these was an outside attempt to find system vulnerabilities. There's not enough time to go into the details of the attacks, which primarily consisted of DDoS, but also countless attempts at breaching systems, including doxing, which is the exposure of private or personally identifiable information.

----- Additional Detail -----
As leaks, rumors, and protests persisted in anticipation of the grand jury decision, the social media campaign was augmented with a rolling billboard, announced with a tweet directed at the Governor: "look out your door."

ColorofChange.org, which bills itself as the nation's largest online civil rights organization, used this moving billboard to amplify the Governor's responsibility and emphasize that as we come closer to a decision around the indictment. The truck was confiscated in November, three weeks before the grand jury decision.


The Grand Jury Decision
Scott Olson / Getty Images

November 24, 2014

Just before Thanksgiving, the grand jury decision was announced. (It did not indict the police officer.) Rioting occurred in the streets and cyber attacks started all over again. Anonymous brought everything they could muster. They threatened to shut down Missouri government. But the state was ready. Multiple DDoS attacks were launched against the state, starting with the Secretary of State, Legislature, and Courts. Attacks came from all over the globe, not just from Anonymous. Hosts from China and Ukraine were blocked. Finally it all died out in December, 123 days from the first attack. Security controls held, with no significant events. That's why this is the story you never heard. There isn't time to list all the ways, means and tools used by the State to fight back. Suffice to say, they were successful. The tools they used weren't secret, mysterious or unavailable to any state, county or city. It was the process and preparation that made the difference.

----- Additional Detail -----

A final 48 hours of DDoS begins after the grand jury announcement. (It did not indict.)

November 24-26, 2014
- Multiple external hosts quarantined for performing attacks.
- China and Ukraine blocked by the MO Enterprise Intrusion Protection System and CloudFlare.
- Anonymous threatened to shut down Missouri government and bank websites.
- Multiple DDoS launched against the state, starting with Secretary of State, Legislature, and Courts.
- Sites protected by CloudFlare were resilient and had minimal downtime.
- Verizon DDoS protection enabled.
- Inbound blocks put in place at the firewall for 500+ websites.
- Security controls held, no significant events.

December 10, 2014: Verizon DDoS protection ended.

Bring up the panel.

What Have We Learned?
Flickr: Steve Warren

- Understand Hacktivism Motives and Methods
- Understand DDoS Attacks
- Assess Your Network and Infrastructure
- Prioritize Assets
- Establish and Exercise a War Room
- Integrate Network Operations Center (NOC)
- Integrate Security Operations Center (SOC)
- Develop a Plan
- Monitor Social Media
- Remain Nimble and Adaptable

So, to review. Before we start the list, one important thing to mention. Missouri's State CIO, Tim Robyn, told us their main secret: "We are constantly talking about security, from the Cabinet right on down. It's our #1 priority. WE TALK ABOUT SECURITY ALL THE TIME, every day, and have been for years, even before these things were on the national radar."

This is the culture that made their success possible.

----- Additional Detail -----Understand Hacktivism - Their Motives and MethodsHacktivists are hackers that engage in Cyberattacks against another entity under the auspices of a cause to which they attach themselves. The entity being attacked is perceived to have committed an offense against the hacktivists cause. It is important to note that it is the perception of wrong doing that is important.Attacks by hacktivists often occur with little or no warning and be associated with an event that is difficult, if not impossible, to predict.There are numerous well known and effective hacktivist groups that are currently active including Anonymous, the group that was active during the events in Ferguson. Many hacktivist groups are loosely organized via the Internet and composed of individuals all over the world. Individuals within the group do not always agree on strategies and tactics. Members are diverse:Some are highly skilled professional hackers capable of sophisticated attacks Some are novice hackers that are not sophisticated at all Some are true believers to the cause who believe they are pursuing justice where none exists Some merely enjoy the rush of inflicting damage any way they can to whomever they can If the offending event is significant enough, hacktivists will initiate a formal operation against the offending entity. Anonymous did this during the events in Ferguson, setting up Operation Ferguson. Anonymous identified numerous offending entities during Operation Ferguson some of which had little or nothing to do with the situation in Ferguson.There were individuals and entities that sustained collateral damage because they were perceived to be somehow connected to Ferguson. There were even cases of mistaken identity where entities and individuals were attacked with absolutely no connection to Ferguson. 
The campaign eventually devolved into hacking chaos as hackers from all over the world began firing away at easy targets across Missouri and beyond.Hacktivists can have multiple goals and employ a variety of tactics during campaigns. This makes it imperative for states to secure critical assets just as they should against all adversaries. However, their most frequent and effective strategy is to launch Distributed Denial of Service (DDoS) attacks against websites, networks and other assets. Understand DDoS AttacksA DDoS attack is an attack by multiple machines on a host that attempts to make a network resource temporarily of indefinitely unavailable. A successful attack essentially renders one or more of the victims services unavailable for consumption. In the case of an attack on a state this may be state websites, state Internet connectivity, email, internal applications, internal network and even DNS services.DDoS attacks come in a variety of forms. States should be well versed in what types of DDoS attacks are widely used and how those attacks work.There are several different DDoS attacks that hacktivist groups tend to utilize. While the methods all have the same goal of resource exhaustion, they accomplish this goal very differently:SYN Flood A SYN packet is the initial packet used to establish a TCP connection. Attackers can exhaust resources by creating thousands upon thousands of half open connections on firewalls, load balancers, web servers, and other networked devices by sending spoofed SYN packets.ICMP Flood The Internet Control Message Protocol is one of the primary protocols on IP networks. ICMP allows network equipment to talk with one another about availability. It is also used within ping and traceroute commands. 
In an ICMP flood, the attackers utilize a vulnerable network to flood the target network with large, malformed ping packets.NTP Amplification Attack The Network Time Protocol provides the mechanism for networked devices to set the proper time. Older NTP servers are vulnerable to being leveraged by spoofed requests. The NTP servers process these spoofed requests and send responses back to the target network at an amplification of 500x.HTTP POST Attack The HTTP POST attack leverages default POST configurations within web servers. The attacker initiates the attack by sending a POST header specifying the length of the content and then proceeds to send the content at an extremely slow rate. This DDoS approach ties up system resources first on the web server and can quickly impact other components on the network. Assess Your Network and InfrastructureIt is imperative that states understand their infrastructure before a DDoS attack occurs. States should understand the architecture of their entire network including firewalls, security appliances, web servers, DNS servers, email servers, Internet connections, data center connections, etc. Assessing network architecture should be done before a DDoS attack occurs. How is traffic routed as it travels from Internet connection through firewalls and security appliances to data centers, web servers, email servers, end computing devices and other assets? Where are the bandwidth choke points? Where are the single points of failure? Conduct brainstorming sessions designed to identify what you would attack if you wanted to cause the most harm to your state. Then prioritize mitigating those points of vulnerability.Prioritize AssetsStates should conduct white board sessions to determine what assets to protect. While it is obviously necessary to identify critical resources and keep them online during DDoS attacks, states should also determine which assets might be allowed to be successfully taken offline by attackers. 
Not every asset is critical. Determining in advance which assets to protect and which not to protect will prevent states from wasting precious time, energy and resources during an actual attack on non-critical assets. Assets that are unprotected can divert the hackers attention. It might also give them an opportunity to declare victory and move on.War RoomA War Room is a place where any necessary individuals can be alerted to assemble during a crisis. Having IT professionals together in the same room to work through issues is of great value. A War Room supports timely, precise communication that can be the difference between success and failure. Other important characteristics of the War Room include:VDI Workstations Public Wireless Network Teleconferencing/Web Conferencing White Boards Large Mounted Monitors/Televisions Charging Stations Food/Snacks Bottled Water Our War Room can support up to one dozen people at a time. With teleconferencing and adjacent rooms that number can easily get much larger, but the core people need to be together in the War Room talking through problems and white-boarding solutions. Enterprise security, networks, State Data Center and web server personnel were working in our War Room 24/7 for two full weeks during the Ferguson events.Network Operations Center (NOC)The NOC is a central communications hub used by a wide range of stakeholders to communicate about everyday IT issues. It allows reports of suspected outages and potential problems to be received by a central entity. The NOC is also used routinely to distribute information about planned and unplanned outages to IT staff and state agency stakeholders in order to reduce confusion and coordinate activities. During the Ferguson events, NOC personnel fed the War Room real-time information about what was being experienced by end users and IT professionals. This allowed War Room staff to troubleshoot potential problems as they unfolded or delegate the matter to another team. 
War Room personnel also used the NOC to communicate to end users and other IT employees about necessary outages and upgrades as mitigation plans were executed. This centralized hub reduced confusion during the DDoS attacks.

Security Operations Center (SOC)
The SOC is an enterprise security operations center that monitors security events and responds to incidents as swiftly as possible. SOC personnel were busy round the clock during the Ferguson events, blocking a variety of attackers by IP. Network scanning activity by adversaries ramped up significantly during that time and SOC personnel were employed to identify those attackers by IP and stop their scans in order to limit their visibility into our network assets.

Develop a Plan
Develop a plan using the information above that includes the following:
Strategies and tactics to eliminate weaknesses in the network
Strategies and tactics to harden infrastructure
Strategies and tactics for defending websites
War Room
NOC
SOC
Funding needs
Procurement requirements
Do not wait for funding to develop the plan. Do not wait for funding to contact vendors about DDoS protection services. If you are attacked, funding will probably become available even if it wasn't before, and you will need to act quickly.

Monitor Social Media
Hacktivists are active on Twitter. Use Twitter in real time to track formal hacking operations and gather intelligence on hacktivist campaigns as they develop. Twitter can also be used to track individual adversaries. Many adversaries are motivated to take credit for attacks (successful or not) in order to enhance their individual reputation. This allows a state to identify adversaries and research them via the Internet or other information obtained through ISAC bulletins. This can give a state insight into the types of attacks likely to occur. Adversaries sometimes declare their intentions prior to launching attacks, which can give state personnel a heads up on what is about to occur.
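The SOC work described above, picking out the sources that are scanning the network so they can be blocked by IP, can be partly automated from firewall deny logs. The following is an added example, not code from the presentation or from the state's own tooling; the log layout, the addresses, the allow-listed internal range and the thresholds are constructed assumptions for illustration.

```python
"""Added example (not from the presentation or from the state described):
find sources that are scanning the network in constructed firewall deny logs,
skipping allow-listed internal ranges, so a SOC can hand analysts a list of
block candidates. Log format, ranges and thresholds are illustrative assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<ISO timestamp> <ACTION> <src> <dst>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+) (?P<dst>[\d.]+):(?P<port>\d+)$")
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]   # assumed: internal ranges, incl. our own scanner
WINDOW = timedelta(seconds=60)                      # assumed sliding window
DISTINCT_TARGET_THRESHOLD = 10                      # assumed: >= 10 distinct host:port pairs in window


def constructed_log():
    """Build constructed deny-log lines: one vertical scan, one horizontal scan,
    an internal scanner that must not be flagged, and a single stray deny."""
    base = datetime(2014, 8, 14, 2, 0, 0)
    lines = []
    for i in range(25):   # 203.0.113.40 walks 25 ports on one host
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} DENY 203.0.113.40 198.51.100.10:{20 + i}")
    for i in range(15):   # 192.0.2.88 tries port 22 on 15 hosts
        ts = base + timedelta(seconds=1, milliseconds=300 * i)
        lines.append(f"{ts.isoformat()} DENY 192.0.2.88 198.51.100.{10 + i}:22")
    for i in range(25):   # 10.1.1.5 is the state's own vulnerability scanner (allow-listed)
        ts = base + timedelta(seconds=2, milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} DENY 10.1.1.5 198.51.100.10:{20 + i}")
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} DENY 203.0.113.200 198.51.100.10:80")
    return lines


def parse_line(line):
    """Parse one log line into a dict, or None when it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "port": int(m["port"])}


def is_allowlisted(ip):
    """True when the source belongs to a range we never want to block automatically."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def find_scanners(lines):
    """Return {src: {"targets": n, "first": ts, "last": ts}} for every source
    that touched at least DISTINCT_TARGET_THRESHOLD distinct host:port pairs
    within any WINDOW-long span of denied connections."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "DENY" or is_allowlisted(ev["src"]):
            continue
        per_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        window, in_window = deque(), Counter()
        for ev in events:
            window.append(ev)
            in_window[(ev["dst"], ev["port"])] += 1
            while ev["ts"] - window[0]["ts"] > WINDOW:      # expire old events
                old = window.popleft()
                key = (old["dst"], old["port"])
                in_window[key] -= 1
                if in_window[key] == 0:
                    del in_window[key]
            if len(in_window) >= DISTINCT_TARGET_THRESHOLD:
                info = flagged.setdefault(src, {"targets": 0, "first": window[0]["ts"], "last": ev["ts"]})
                info["targets"] = max(info["targets"], len(in_window))
                info["last"] = ev["ts"]
    return flagged


def block_candidates(flagged):
    """Sources sorted by breadth of scanning, ready for analyst review before any block."""
    return sorted(flagged, key=lambda s: flagged[s]["targets"], reverse=True)


if __name__ == "__main__":
    found = find_scanners(constructed_log())
    for src in block_candidates(found):
        print(src, found[src])
```

The output is a list of candidates for an analyst, not an automatic block: the allow-list exists precisely because the state's own vulnerability scanner and partner monitoring produce the same deny pattern, and blocking those during an incident would add confusion of the kind the NOC is meant to remove.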
Social media should also be used to watch for insider threats. Insiders may voice support of hacktivist operations by retweeting or replying to hacktivist tweets. Even if the insider tries not to disclose their identity, they may reveal enough information that their identity can be established from other social media.

24

Another resting slide if needed.

25

Cybersecurity = risk management.
Security incidents are inevitable. Prepare.
Fund and support.
Plan PR mitigation.
Elected and Appointed Officials

What Have We Learned?
The Little Red Breach Book

There is something for all of us no matter where we fit in public service to do.

Beginning at the top. We should expect elected/appointed officials:
To have an understanding that cyber security isn't an IT problem but a risk management issue.
To be prepared for an inevitable security incident by understanding organizational preparation and response plans.
To ensure that appropriate resources are available and applied in advance of an incident, and that financial and public relations mitigation plans are in place to respond when an incident occurs.

26

What Have We Learned?

The Little Red Breach Book
Chief Information/Technology Officers
Own the plan.
No surprises.
Champion a strong cybersecurity culture.

Ensure appropriate policies, procedures and processes are in place to identify potential risks, respond to incidents or breaches and remediate vulnerabilities.
Regularly advise elected and other appointed leaders of the enterprise risk profile and strategies implemented.
Advocate for and champion an organizational culture of cyber security awareness and preparedness.

27

Identify and apply best practices.
Evaluate and recommend strategies, programs and tools.
Monitor and manage critical systems and infrastructure.
Chief Information Security Officers

What Have We Learned?
The Little Red Breach Book

Identify and apply best practices to prevent, prepare for, respond to and recover from cyber security incidents and breaches.
Evaluate and recommend strategies, programs and tools appropriate to the enterprise.
Oversee the monitoring and management of critical systems and infrastructure.

28

Know security implications of delivery systems.
Encourage employees to take security seriously.
Apply agency resources to support cyber security as appropriate.
Agency or Line of Business Managers

What Have We Learned?
The Little Red Breach Book

Understand and consider the security implications of their public service delivery systems.
Encourage their employees to take cyber security seriously and adhere to enterprise policies and standards.
Apply agency resources in support of cyber security when necessary and appropriate.

29

Understand good cyber security is good for everybody.
Train.
See something, say something.
If you don't know what it is, don't click on it.
Front Line Employees

What Have We Learned?
The Little Red Breach Book

Understand the importance of good cyber security policies and adhere to them.
Regularly participate in training.
Report suspicious activity to appropriate personnel.

30

Adopt security best practices.
Adhere to government security requirements.
Share information regarding suspicious activity, incidents or potential breaches.
Service Delivery Partners: Private / Non-Profit

What Have We Learned?
The Little Red Breach Book

Implement and maintain a good cyber security program for their organization.
Understand and adhere to requirements established by public sector agencies they collaborate and share information with.
Regularly share information regarding suspicious activity, incidents or potential breaches of their systems with their service delivery partners.

31

Encouraged through awareness campaigns to:
Do the basics well.
Stay alert for common tricks.
Help authorities fight cybercrime.
General Public - Netizens

What Have We Learned?
The Little Red Breach Book

Practice good security (password, system, browser and anti-virus updates, and safeguarding personal information) for their computers and mobile devices.
Be aware of common tactics and methods used to breach security and how to avoid or mitigate them.
Help the authorities fight cybercrime: report stolen financial information, identities and incidents of cybercrime.

32

Download slides at http://bit.ly/1D7wPuD

govtech.com/security