Cyber Security Threatsy yShehzad Mirza

Director of the MS‐ISAC SOC

Will PelgrinCIS President and CEOCIS President and CEO

MS‐ISAC Chair

2.6 Billion Internet Users2.6 Billion Internet Users

10%6% 3%

1%Asia  44%

Europe 22 7%44%

13%

10% Europe  22.7%

North America  13.0%

Lat Am  / Carib  10.3%

23%

Africa  5.7%

Middle East  3.3%

Oceania / Australia  1.0%

Connect with constituents Learn new ideasConnect with constituents Learn new ideas 

The Internet is a t d t l

Broadcast public functions live

tremendous tool for governments

Broadcast public functions live

Pay employees easilyAllows your constituents to register onlineregister online

Criminals look for data… and state and local governments have a lot of it!

From Cradle To Grave

And Beyond!

Confidential Informants

Leon Panetta, Secretary of Defense 

“The next Pearl Harbor that we confront could very well be a b k h lcyber attack that cripples our 

power systems, our grid, our security systems, our y ygovernment systems…  Cyber war could paralyze the U S ”U.S.

Who Is Behind The Threats?Who Is Behind The Threats?Cyber Criminals Hacktivists

N i SNation States

Cyber Threats

Hacktivism

Mobile Devices

Insider Threats & Human Error

Phishing

Old Infrastructure

HacktivismHacktivism

H kti iHacktivism

“Attacking corporations governmentsAttacking corporations, governments, organizations and individuals…to make a point” Sophos 2012Sophos 2012

Hacktivist groups target:• Private corporations• Federal Government

St t G t• State Government• Local Government• Education• Education• Law enforcement groups

User Account CompromiseA k S iAttack Scenario

1. Law Enforcement Association (i.e. Sheriff i i P li B l S i )association, Police Benevolent Society, etc) gets

compromised2. Attackers gather the stolen credentials and either

post to sharing website (i.e. Pastebin) or keep the login information for themselves

3. Either the hackers themselves or other malicious actors then download and use the credentials from sharing website to login and access local and federal law enforcement systems

4. The compromise of the "association" system may lead to the compromise of the SLTT government systems

What Can You Do To Prevent This?What Can You Do To Prevent This?

• Perform regular vulnerability assessments of allPerform regular vulnerability assessments of all Internet facing systems 

• Remind employees not to re‐use work passwords

• Monitor Webmail for:– Failed logins– Logins from out of the area or country

dd h– Logins at odd hours

Mobile DevicesMobile DevicesMobile DevicesMobile Devices

Smartphone and Tablet Security Risks

Too Many Individuals StillToo Many Individuals Still…– Don’t use encryption, passwords,

time-out settings or any other securitytime out settings or any other security protection

– Store their sensitive corporate information on smartphones

– Lose one of these devices at some pointpoint

Mobile Devices – Targets of AttackMobile Devices  Targets of Attack

“The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year” – U.S. Government Accountability Office

Leaving your l tlaptop or

smartphone tt d dunattended

can lead to big blproblems…

More than 10,000 laptops are reported lost every week at 36 of the p p p ylargest U.S. airports, and 65 percent of those laptops are not reclaimed.

Ponemon Institute

Insider Threats Insider Threats and Human Errorand Human Error

Insider Threats are Real…Can be intentional or accidental

• WikiLeaks – Hundreds of thousands of confidential documents leaked by military employee

• Inadvertent posting of the Social Security numbers and birth dates of 22,000 government retirees on a state procurement website

• Disgruntled city employee tampers with city t k t d t t d i i t tnetwork to deny access to top administrators

Human Error – Weak Passwords

tomshardware.com

A longer password is a better passwordStrong passwords should be 9-12 h t dcharacters and

possess a combination of letters, numbers, , ,and special characters.

Example of Strong PasswordExample of Strong Password• ThisI• Is

• A• BetterBetter• Password• Which

Password = T1@bPwWBH2C• Would

• Be• Harder

T1@bPwWBH2C

• Harder• To• CrackCrack

Most Dangerous Cyber Celebrity!!!! g y y

Phi hiPhi hiPhishingPhishing

Gone Phishing…Phishing scams entice email recipients into

g

clicking on a link or opening an attachment which is malicious.c s a c ous

• WELL WRITTEN

• APPEARS CREDIBLE

• ENTICING OR SHOCKING SUBJECTSUBJECT

• APPARENT TRUSTED SOURCE

Protect YourselfProtect Yourself• Never click on a link in a suspicious e‐mail.Never click on a link in a suspicious e mail. • Open a new web browser and manually go to the vendors website to log into your account. g y

• Call your vendor using a phone number from an official source to get the information you need.  g y

Old InfrastructureOld InfrastructureOld InfrastructureOld Infrastructure

Old hardware and software that is beyond the end of its supportlif i ft till i t dlife is often still in use today

No longer supported by the vendors

Using them after end of life places your organization at great risksince any security vulnerability will NOT be fixed, making it easy forhackers to launch a successful cyber attack

Industrial Control Systems

Internet Facing Industrial Control Systems

Approximately 7,200 Internet Facing Control System Devices Source:  US Department of Homeland Security ICS‐CERT Monthly Oct‐Dec2012

Case StudiesCase Studies

South Carolina 2012South Carolina 2012• More than 3.3 million unencrypted bank account

numbers and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue.

• Data lost: SSNs, bank account numbers and credit card numbers.

• Breach due to a state employee falling for a phishing attack that enabled hackers to leverage p g gthat employee's access rights to gain access to the government entity's systems and databases.

State of Utah 2012• 280,000 Social Security numbers were stolen,

and another 500 000 people lost personaland another 500,000 people lost personal information.

• Eastern European hackers broke into the server maintained by the Utah Department ofmaintained by the Utah Department of Technology Services in the spring of 2012 by taking advantage of a misconfiguration.g g g

What Can You Do?What Can You Do?

• Keep your systems patchedKeep your systems patched• Have cyber security policies

i li i h h li i• Monitor compliance with the policies• Log and monitor network traffic • Backup your systems on a regular basis and check them before storing off siteg

• Train employees on good cyber security practicespractices

Zeus Financial FraudZeus Financial FraudA bank informed a School District that $758,758.70 was to be transferred overseaswas to be transferred overseas

The School District cancelled the transaction

The Bank than asked about the $1,190,400 that was already sent overseas

And the $1,862,400… also already sent overseas

already sent overseas

What Can You Do?What Can You Do?

• Have a dedicated computer for financialHave a dedicated computer for financial transactions

• IP Filtering/white list• IP Filtering/white list• Limit software programs (no java, flash, email, 

t )etc.)• Set up “non‐privileged user” account

• Take advantage of two factor authentication where availablewhere available

StatsStats

Number of Infections – All MSS PartnersNumber of Infections  All MSS Partners

400

450

Dec‐12

Jan‐13

300

350

Feb‐13

Mar‐13

200

250

100

150

0

50

Daily Activity Summary – All MSS Partners

300

350

Dec‐12

Jan‐13

Feb 13

250

300 Feb‐13

Mar‐13

200

100

150

50

100

0Accepted Inbound Port 

ScansPeer‐to‐Peer Usage SQL Injection Exploit 

AttemptsSystem File Access 

AttemptsLogin Brute Forcing Server Attack: Web 

ServerSpyware Traffic Events

NotificationsNotifications300

Dec‐12

Jan‐13

Feb‐13

250 Mar‐13

150

200

100

150

50

0Darknet Keylogger Defacement Credentials

The MS-ISAC is here to help!

What is the MS‐ISAC?What is the MS ISAC? 

The Multi‐State Information Sharing and l i C ( S S C) i h f l i fAnalysis Center (MS‐ISAC) is the focal point for 

cyber threat prevention, protection, response d f h i ’ l land recovery for the nation’s state, local, 

territorial and tribal (SLTT) governments.

MS-ISAC Is Built On A Strong Foundation

Situational AwarenessFederal Government

Homeland Security AdvisorsSHARE

Situational Awareness

States & US TerritoriesSHARE

Local GovernmentsCOLLABORATE

Local GovernmentsTRUST

AK

MS-ISACMember

AKMS-ISACMember

MS-ISACMemberMS-ISAC

MemberMS ISAC

MS-ISACMemberMS-ISAC

MemberMS-ISACMember

MS-ISACMember

MS ISAC MS-ISACMemberMS-ISAC

MemberMS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember MS-ISAC

MemberMS-ISACMember

MS-ISACMember

MS-ISACMS-ISACMS-ISAC

MS-ISACMember

MS ISAC

MS-ISACMember

MemberMS-ISACMember

MemberMember

MS-ISACMember MS-ISAC

MemberMS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISAC MS ISAC

MS-ISACMember

MS-ISACMember

MS-ISACMember

S S CMember MS-ISAC

MemberMS-ISACMember

MS-ISACMemberMS-ISAC

MemberMS-ISACMember

MS-ISACMember

MS-ISACMember

MS-ISACMemberMS-ISAC

MS-ISACMember

MS-ISACMember

MS ISACMember

A Trusted Model for Collaboration and Cooperation across All States, L l G t d S l U S T it i B ilt 10

American Samoa

HI

Local Governments and Several U.S. Territories—Built on over 10 years of Centralized Outreach, Awareness and Bidirectional Information

Sharing.

Local Governments

MS-ISAC Local Government members represent 33% of the U.S. population

MS‐ISAC Monitoring PartnersWashington

Lane Co.

Connectic t

Idaho

Maine

Massachusetts

Michigan

Minnesota

Montana

NewHampshire

New York

North Dakota

Oregon

Rhode Island

South Dakota

Vermont

Wisconsin

Wyoming

Johnson Co.

NYC

CaliforniaColorado

Connecticut

DelawareIllinois Indiana

Iowa

Kansas

Maryland

g

Missouri

NebraskaNevada

New Jersey

Ohio

Pennsylvania

Utah

Virginia

WestVirginia

y g

S Di

LAWABrentwood

CaryArizona

Arkansas

Georgia

KentuckyMissouri

New Mexico

North Carolina

OklahomaSouth Carolina

Tennessee

San Diego

Goodyear

AlabamaGeorgia

Louisiana

Mississippi

Texas

Florida

Alaska

Hawaii

Security Operations CenterSecurity Operations Center

ff hStaff at the NCCIC

24x7 Cyber Security Operations Center

• Central location to report any cyber security incident, staffed 24x7

• 24x7 support for:– Albert and Managed Security Services– Albert and Managed Security Services– Vulnerability Assessments– Research and analysis

• 24x7 analysis and monitoring of:– Threats– Vulnerabilities

A k– Attacks

• 24x7 reporting:– Web DefacementsWeb Defacements– Account Compromises

CERT CapabilitiesCERT Capabilities

• Incident Responsep– Includes on‐site assistance

• Malware Analysis• Computer Forensics• Network ForensicsL A l i• Log Analysis

• Statistical Data Analysis• Netflow Monitoring / Albert• Netflow Monitoring / Albert• Rapid Sensor Deployment• Penetration Testing• Penetration Testing

MS‐ISAC Intelligence SourcesMS ISAC Intelligence Sources

• 7x24 Monitoring7x24 Monitoring– Analysis of 12 billion logs/records per week

• Intelligence Partners• Intelligence Partners• Federal Government• Private Sector• Internet Research

Multi-State Information Sharing and Analysis CenterProducts and Services

24/7 C b S it A l i N ti l W b t I iti ti

Products and Services

• 24/7 Cyber Security Analysis Center

• Cyber Security Alerts and

• National Webcast Initiative

• National Cyber Security Awareness MonthCyber Security Alerts and

Advisories

• Public and Secure MS-ISAC W b it

Awareness Month

• Monthly Conference Calls

Websites

• Participation in cyber exercises

• Annual Meeting

• Ensuring collaboration with all ti

• Common cyber alert level mapnecessary parties

MS-ISAC Public Website

Take advantage of our RSS feed!Connect to our Cyber Security Advisories to provide greater awareness to thoseawareness to those agencies, organizations and business that frequent your website

Connect to our Daily Cyber Security Tip to provide greaterprovide greater awareness for your employees, constituents and others

Monthly Newsletters

The MS-ISACThe MS-ISAC distributes the newsletters in a template form so they can be re-branded and distributed broadly throughout states and local governmentslocal governments

Cyber Security Guides Cyber Security Guides

Cyber Security Awareness Toolkit

How can you join?How can you join?

SummarySummary

• There is no “silver bullet” for cyber securitye e s o s e bu et o cybe secu ty• Don’t become complacent• Have policies and methodologies in place toHave policies and methodologies in place to monitor compliance

• Log and monitor all trafficg• Be a cyber security champion in your organization

Thank YouThank You

Questions???Questions???

Contact Information:brian calkin@msisac orgbrian.calkin@msisac.org

orinfo@msisac orginfo@msisac.org1‐866‐787‐4722