cyber security threats - scgmis - homescgmis.org/resources/documents/ms-isac presentation.pdfleon...
TRANSCRIPT
Cyber Security Threatsy yShehzad Mirza
Director of the MS‐ISAC SOC
Will PelgrinCIS President and CEOCIS President and CEO
MS‐ISAC Chair
2.6 Billion Internet Users2.6 Billion Internet Users
10%6% 3%
1%Asia 44%
Europe 22 7%44%
13%
10% Europe 22.7%
North America 13.0%
Lat Am / Carib 10.3%
23%
Africa 5.7%
Middle East 3.3%
Oceania / Australia 1.0%
Connect with constituents Learn new ideasConnect with constituents Learn new ideas
The Internet is a t d t l
Broadcast public functions live
tremendous tool for governments
Broadcast public functions live
Pay employees easilyAllows your constituents to register onlineregister online
Criminals look for data… and state and local governments have a lot of it!
From Cradle To Grave
And Beyond!
Confidential Informants
Leon Panetta, Secretary of Defense
“The next Pearl Harbor that we confront could very well be a b k h lcyber attack that cripples our
power systems, our grid, our security systems, our y ygovernment systems… Cyber war could paralyze the U S ”U.S.
Who Is Behind The Threats?Who Is Behind The Threats?Cyber Criminals Hacktivists
N i SNation States
Cyber Threats
Hacktivism
Mobile Devices
Insider Threats & Human Error
Phishing
Old Infrastructure
HacktivismHacktivism
H kti iHacktivism
“Attacking corporations governmentsAttacking corporations, governments, organizations and individuals…to make a point” Sophos 2012Sophos 2012
Hacktivist groups target:• Private corporations• Federal Government
St t G t• State Government• Local Government• Education• Education• Law enforcement groups
User Account CompromiseA k S iAttack Scenario
1. Law Enforcement Association (i.e. Sheriff i i P li B l S i )association, Police Benevolent Society, etc) gets
compromised2. Attackers gather the stolen credentials and either
post to sharing website (i.e. Pastebin) or keep the login information for themselves
3. Either the hackers themselves or other malicious actors then download and use the credentials from sharing website to login and access local and federal law enforcement systems
4. The compromise of the "association" system may lead to the compromise of the SLTT government systems
What Can You Do To Prevent This?What Can You Do To Prevent This?
• Perform regular vulnerability assessments of allPerform regular vulnerability assessments of all Internet facing systems
• Remind employees not to re‐use work passwords
• Monitor Webmail for:– Failed logins– Logins from out of the area or country
dd h– Logins at odd hours
Mobile DevicesMobile DevicesMobile DevicesMobile Devices
Smartphone and Tablet Security Risks
Too Many Individuals StillToo Many Individuals Still…– Don’t use encryption, passwords,
time-out settings or any other securitytime out settings or any other security protection
– Store their sensitive corporate information on smartphones
– Lose one of these devices at some pointpoint
Mobile Devices – Targets of AttackMobile Devices Targets of Attack
“The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year” – U.S. Government Accountability Office
Leaving your l tlaptop or
smartphone tt d dunattended
can lead to big blproblems…
More than 10,000 laptops are reported lost every week at 36 of the p p p ylargest U.S. airports, and 65 percent of those laptops are not reclaimed.
Ponemon Institute
Insider Threats Insider Threats and Human Errorand Human Error
Insider Threats are Real…Can be intentional or accidental
• WikiLeaks – Hundreds of thousands of confidential documents leaked by military employee
• Inadvertent posting of the Social Security numbers and birth dates of 22,000 government retirees on a state procurement website
• Disgruntled city employee tampers with city t k t d t t d i i t tnetwork to deny access to top administrators
Human Error – Weak Passwords
tomshardware.com
A longer password is a better passwordStrong passwords should be 9-12 h t dcharacters and
possess a combination of letters, numbers, , ,and special characters.
Example of Strong PasswordExample of Strong Password• ThisI• Is
• A• BetterBetter• Password• Which
Password = T1@bPwWBH2C• Would
• Be• Harder
T1@bPwWBH2C
• Harder• To• CrackCrack
Most Dangerous Cyber Celebrity!!!! g y y
Phi hiPhi hiPhishingPhishing
Gone Phishing…Phishing scams entice email recipients into
g
clicking on a link or opening an attachment which is malicious.c s a c ous
• WELL WRITTEN
• APPEARS CREDIBLE
• ENTICING OR SHOCKING SUBJECTSUBJECT
• APPARENT TRUSTED SOURCE
Protect YourselfProtect Yourself• Never click on a link in a suspicious e‐mail.Never click on a link in a suspicious e mail. • Open a new web browser and manually go to the vendors website to log into your account. g y
• Call your vendor using a phone number from an official source to get the information you need. g y
Old InfrastructureOld InfrastructureOld InfrastructureOld Infrastructure
Old hardware and software that is beyond the end of its supportlif i ft till i t dlife is often still in use today
No longer supported by the vendors
Using them after end of life places your organization at great risksince any security vulnerability will NOT be fixed, making it easy forhackers to launch a successful cyber attack
Industrial Control Systems
Internet Facing Industrial Control Systems
Approximately 7,200 Internet Facing Control System Devices Source: US Department of Homeland Security ICS‐CERT Monthly Oct‐Dec2012
Case StudiesCase Studies
South Carolina 2012South Carolina 2012• More than 3.3 million unencrypted bank account
numbers and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue.
• Data lost: SSNs, bank account numbers and credit card numbers.
• Breach due to a state employee falling for a phishing attack that enabled hackers to leverage p g gthat employee's access rights to gain access to the government entity's systems and databases.
State of Utah 2012• 280,000 Social Security numbers were stolen,
and another 500 000 people lost personaland another 500,000 people lost personal information.
• Eastern European hackers broke into the server maintained by the Utah Department ofmaintained by the Utah Department of Technology Services in the spring of 2012 by taking advantage of a misconfiguration.g g g
What Can You Do?What Can You Do?
• Keep your systems patchedKeep your systems patched• Have cyber security policies
i li i h h li i• Monitor compliance with the policies• Log and monitor network traffic • Backup your systems on a regular basis and check them before storing off siteg
• Train employees on good cyber security practicespractices
Zeus Financial FraudZeus Financial FraudA bank informed a School District that $758,758.70 was to be transferred overseaswas to be transferred overseas
The School District cancelled the transaction
The Bank than asked about the $1,190,400 that was already sent overseas
And the $1,862,400… also already sent overseas
already sent overseas
What Can You Do?What Can You Do?
• Have a dedicated computer for financialHave a dedicated computer for financial transactions
• IP Filtering/white list• IP Filtering/white list• Limit software programs (no java, flash, email,
t )etc.)• Set up “non‐privileged user” account
• Take advantage of two factor authentication where availablewhere available
StatsStats
Number of Infections – All MSS PartnersNumber of Infections All MSS Partners
400
450
Dec‐12
Jan‐13
300
350
Feb‐13
Mar‐13
200
250
100
150
0
50
Daily Activity Summary – All MSS Partners
300
350
Dec‐12
Jan‐13
Feb 13
250
300 Feb‐13
Mar‐13
200
100
150
50
100
0Accepted Inbound Port
ScansPeer‐to‐Peer Usage SQL Injection Exploit
AttemptsSystem File Access
AttemptsLogin Brute Forcing Server Attack: Web
ServerSpyware Traffic Events
NotificationsNotifications300
Dec‐12
Jan‐13
Feb‐13
250 Mar‐13
150
200
100
150
50
0Darknet Keylogger Defacement Credentials
The MS-ISAC is here to help!
What is the MS‐ISAC?What is the MS ISAC?
The Multi‐State Information Sharing and l i C ( S S C) i h f l i fAnalysis Center (MS‐ISAC) is the focal point for
cyber threat prevention, protection, response d f h i ’ l land recovery for the nation’s state, local,
territorial and tribal (SLTT) governments.
MS-ISAC Is Built On A Strong Foundation
Situational AwarenessFederal Government
Homeland Security AdvisorsSHARE
Situational Awareness
States & US TerritoriesSHARE
Local GovernmentsCOLLABORATE
Local GovernmentsTRUST
AK
MS-ISACMember
AKMS-ISACMember
MS-ISACMemberMS-ISAC
MemberMS ISAC
MS-ISACMemberMS-ISAC
MemberMS-ISACMember
MS-ISACMember
MS ISAC MS-ISACMemberMS-ISAC
MemberMS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember MS-ISAC
MemberMS-ISACMember
MS-ISACMember
MS-ISACMS-ISACMS-ISAC
MS-ISACMember
MS ISAC
MS-ISACMember
MemberMS-ISACMember
MemberMember
MS-ISACMember MS-ISAC
MemberMS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISAC MS ISAC
MS-ISACMember
MS-ISACMember
MS-ISACMember
S S CMember MS-ISAC
MemberMS-ISACMember
MS-ISACMemberMS-ISAC
MemberMS-ISACMember
MS-ISACMember
MS-ISACMember
MS-ISACMemberMS-ISAC
MS-ISACMember
MS-ISACMember
MS ISACMember
A Trusted Model for Collaboration and Cooperation across All States, L l G t d S l U S T it i B ilt 10
American Samoa
HI
Local Governments and Several U.S. Territories—Built on over 10 years of Centralized Outreach, Awareness and Bidirectional Information
Sharing.
Local Governments
MS-ISAC Local Government members represent 33% of the U.S. population
MS‐ISAC Monitoring PartnersWashington
Lane Co.
Connectic t
Idaho
Maine
Massachusetts
Michigan
Minnesota
Montana
NewHampshire
New York
North Dakota
Oregon
Rhode Island
South Dakota
Vermont
Wisconsin
Wyoming
Johnson Co.
NYC
CaliforniaColorado
Connecticut
DelawareIllinois Indiana
Iowa
Kansas
Maryland
g
Missouri
NebraskaNevada
New Jersey
Ohio
Pennsylvania
Utah
Virginia
WestVirginia
y g
S Di
LAWABrentwood
CaryArizona
Arkansas
Georgia
KentuckyMissouri
New Mexico
North Carolina
OklahomaSouth Carolina
Tennessee
San Diego
Goodyear
AlabamaGeorgia
Louisiana
Mississippi
Texas
Florida
Alaska
Hawaii
Security Operations CenterSecurity Operations Center
ff hStaff at the NCCIC
24x7 Cyber Security Operations Center
• Central location to report any cyber security incident, staffed 24x7
• 24x7 support for:– Albert and Managed Security Services– Albert and Managed Security Services– Vulnerability Assessments– Research and analysis
• 24x7 analysis and monitoring of:– Threats– Vulnerabilities
A k– Attacks
• 24x7 reporting:– Web DefacementsWeb Defacements– Account Compromises
CERT CapabilitiesCERT Capabilities
• Incident Responsep– Includes on‐site assistance
• Malware Analysis• Computer Forensics• Network ForensicsL A l i• Log Analysis
• Statistical Data Analysis• Netflow Monitoring / Albert• Netflow Monitoring / Albert• Rapid Sensor Deployment• Penetration Testing• Penetration Testing
MS‐ISAC Intelligence SourcesMS ISAC Intelligence Sources
• 7x24 Monitoring7x24 Monitoring– Analysis of 12 billion logs/records per week
• Intelligence Partners• Intelligence Partners• Federal Government• Private Sector• Internet Research
Multi-State Information Sharing and Analysis CenterProducts and Services
24/7 C b S it A l i N ti l W b t I iti ti
Products and Services
• 24/7 Cyber Security Analysis Center
• Cyber Security Alerts and
• National Webcast Initiative
• National Cyber Security Awareness MonthCyber Security Alerts and
Advisories
• Public and Secure MS-ISAC W b it
Awareness Month
• Monthly Conference Calls
Websites
• Participation in cyber exercises
• Annual Meeting
• Ensuring collaboration with all ti
• Common cyber alert level mapnecessary parties
MS-ISAC Public Website
Take advantage of our RSS feed!Connect to our Cyber Security Advisories to provide greater awareness to thoseawareness to those agencies, organizations and business that frequent your website
Connect to our Daily Cyber Security Tip to provide greaterprovide greater awareness for your employees, constituents and others
Monthly Newsletters
The MS-ISACThe MS-ISAC distributes the newsletters in a template form so they can be re-branded and distributed broadly throughout states and local governmentslocal governments
Cyber Security Guides Cyber Security Guides
Cyber Security Awareness Toolkit
How can you join?How can you join?
SummarySummary
• There is no “silver bullet” for cyber securitye e s o s e bu et o cybe secu ty• Don’t become complacent• Have policies and methodologies in place toHave policies and methodologies in place to monitor compliance
• Log and monitor all trafficg• Be a cyber security champion in your organization
Thank YouThank You
Questions???Questions???
Contact Information:brian calkin@msisac [email protected]
orinfo@msisac [email protected]‐866‐787‐4722