BENJAMIN BEBERNESS, CHIEF INFORMATION OFFICER SNOHOMISH COUNTY - - PowerPoint PPT Presentation



slide-1
SLIDE 1

BENJAMIN BEBERNESS, CHIEF INFORMATION OFFICER SNOHOMISH COUNTY PUBLIC UTILITY DISTRICT

slide-2
SLIDE 2

AGENDA

  • Security Culture
  • Culture of Collaboration
  • Culture of Thinking Outside the Box
  • Culture of Managing Risk - Risk Assessment
slide-3
SLIDE 3

Diagram: Security Culture / Results Culture

WHAT IS SECURITY CULTURE?

A way of thinking, behaving, or working that exists in a place or organization

An organization's security culture is the styles, approaches and values that it wishes to adopt towards security, and is essential to an effective personnel security regime

  • Employees are engaged with, and take responsibility for, security issues
  • Levels of compliance with protective security measures increase
  • The risk of security incidents and breaches is reduced by encouraging employees to think and act in more security conscious ways
  • Employees are more likely to report behaviors/activities of concern
  • Improved organizational performance through effective management, established reporting mechanisms, increased employee satisfaction and commitment to the organization
  • The risk of reputational and financial damage to the organization is reduced

HTTP://WWW.MERRIAM-WEBSTER.COM/DICTIONARY/CULTURE HTTP://WWW.CPNI.GOV.UK/ADVICE/PERSONNEL-SECURITY1/SECURITY-CULTURE/

slide-4
SLIDE 4

SNOPUD'S SECURITY CULTURE

Leadership

  • Sponsorship / support and active engagement
  • Regular communication to Commission
  • Bi-monthly meetings with leadership
  • Bi-monthly meetings with subject matter experts across District
  • Discuss cyber security from a Risk perspective
  • Likelihood of a breach
  • Average cost of a breach
  • Policy

Employees

  • Informing and educating them that we are all targets
  • National Guard operation
  • Testing our defenses
  • Policy
  • Operational Procedures
  • Incident response, DRP, BCP
  • Visible Physical Security presence (cameras, access devices, signage and on-site Security Officers)

Communication

  • Training and Awareness
  • Training
  • Phishing
  • Flyers
  • Public Relations
  • Community Involvement
  • Bake security into everything you do
  • Identify the right communications channel

http://www.cisco.com/c/dam/en_us/about/security/cspo/docs/creating_culture_of_security.pdf

“Effective communication is cited as the number one skill necessary for success within the CSO job function.” (Cisco/CSO Magazine Research)

“Employee error (unintentional) is reported by respondents as the top security threat.” (Cisco/CSO Magazine Research)

“It all starts at the top. Executive management that’s interested in fostering a positive security culture — and does so without fail — is mandatory if the risks of a breach are to be minimized.” (IBM)

slide-5
SLIDE 5

CULTURE OF SECURITY COLLABORATION

http://www.snopud.com/AboutUs/cybersummit.ashx?p=2167

slide-6
SLIDE 6

TAKE AWAY FROM CYBERSECURITY GUIDE FOR CRITICAL INFRASTRUCTURE FOR THE STATE OF WASHINGTON

  • Simple actions can be taken to update your systems (upgrade, patch, and control access)
  • Share information among peers (build your own trusted networks)
  • Review and start with the Cybersecurity Guide for Critical Infrastructure for the State of Washington
  • Work to convince Boards, CEO’s, Executive Leadership of what probability is and how to reduce risk and cost of cyber attack
  • Conduct a risk assessment that identifies where your utility has the highest potential of a cyber attack and prioritize what actions to take and what cyber products help reduce these risks

slide-7
SLIDE 7

CULTURE OF THINKING OUTSIDE THE BOX

slide-8
SLIDE 8

NATIONAL GUARD OPERATION

  • Snohomish PUD and the WA State National Guard planned and conducted the first-ever, joint cybersecurity collaborative exercise.
  • The scope of work included the National Guard performing penetration and vulnerability testing for SnoPUD over a two- to four-week period.
  • During this time, the National Guard gained experience with the utility industry and learned about control systems and utility cyber architecture.
  • SnoPUD observed how hackers might approach attacking our system, and learned how to better monitor our system during an attack.
  • Emergency response

slide-9
SLIDE 9

NATIONAL GUARD PENETRATION TEST – FOUO/PCII

Event

  • Privileged user targeted with phish. Malware dropped on machine.
  • Credentials pulled from memory using secondary malware. Other malware used to determine local admin accounts.
  • Encrypted tunnel created as well as a persistent back door. Machine used as a jump point.
  • New privileged accounts created on captured machine.
  • Network mapped and critical systems and non-critical systems identified.
  • Back door remains in place for future use.
  • Physical access systems compromised and access granted to sensitive areas.
  • ICS access through shared infrastructure accounts.

Detection

  • Very difficult due to the access by a privileged user to systems normally accessed. Anomalous activity not seen on privileged user’s screen.
  • Persons without access to sensitive areas granted access, should have been seen.
  • Admin account creation would have been identified by logs. No monitoring in place.
  • Final detection was by clear indicators hard to not notice. No notification by team on their own.

Response

  • Too late in the process. Damage was done and recovery operations hindered by communications being encrypted.
  • No internal detection process in place and monitoring was either ineffective or not being watched.
  • Once compromise was identified, incident response was initiated and admin user account killed and process to identify new accounts put in place.

Impact & Lessons Learned

  • Annual review of all privileged accounts.
  • Require management approval for all privileged accounts.
  • Alert on any newly created accounts.
  • Do not use any shared system accounts (workstation local admin).
  • Do not allow interactive login for service accounts.
  • Only allow privileged accounts access for privileged actions (no user accounts).
  • Limit access of VPNs to only known entities.
  • Set alerts for unusual network activity.
  • Do not leave local admin accounts, remove from users.

Attack path diagram (step labels as shown on the slide): Identify and gain Access to critical systems; Phish to Privileged User; Privileged Credentials Captured – Back door established; Collect and analyze Intelligence; Extract 2FA Domain Admin Token from Memory; Search for Local Admin Account; Create Domain Admin Account; Shared infrastructure account used to access Firewall

slide-10
SLIDE 10

UKRAINE ATTACK - FOUO

Event

  • The use of spear phishing. Targeted emails contained attachments of Microsoft Office Documents with Visual Basic macros embedded in them.
  • The adversary harvested credentials of operators and likely other users.
  • In most of the successful attacks in this event, legitimate credentials were used to authenticate via Virtual Private Network (VPN).
  • Once credentials were harvested, the attackers could move laterally, making it very difficult to detect their presence without sophisticated log correlation and analysis.

Detection

  • Detection very difficult due to the access by a privileged user to systems by a normal entry point (VPN).
  • No detailed monitoring was in place, so no unusual traffic was seen or logged for later discovery.
  • User training was not adequate, if even done.
  • No two factor authentication was used, so access was simple after credentials were stolen.
  • No detection capabilities, or poorly managed.

Response

  • Too late in the process. Damage was done and recovery operations hindered by sabotage of systems.
  • Activity only discovered after operations were not possible.
  • No internal detection process in place and monitoring was either ineffective or not being watched.
  • All responses were after the damage was done.

Impact & Lessons Learned

  • Annual review of all privileged accounts.
  • Require management approval for all privileged accounts.
  • Use two factor authentication.
  • Alert on any newly created accounts.
  • Do not use shared accounts.
  • Do not allow interactive login for service accounts.
  • Only allow privileged accounts access for privileged actions.
  • Limit access of VPNs to only known entities.
  • Set alerts for unusual activity not normal for system function.
  • Train users continually.

Attack path diagram (step labels as shown on the slide): Gain Access to critical systems; Establish VPN; Phish to Multiple Users; Credentials Captured using malware; User Accounts harvested; Movement Laterally across network
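Three of the lessons learned shared by slides 9 and 10 (alert on any newly created account, require approval for privileged accounts, no interactive login for service accounts) can be turned into log checks. The script below is an added example, not SnoPUD or National Guard tooling; its event records are constructed, simplified Windows Security events, the record layout and the "svc-" naming rule are assumptions, and the event IDs and logon types are the standard Windows ones.

```python
"""Log checks for three lessons learned above (added example): alert on any
newly created account, alert on an unapproved addition to a privileged group,
and flag interactive logons by service accounts. Records are constructed,
simplified Windows Security events; layout and "svc-" prefix are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    event_id: int                     # Windows Security event ID
    subject: str                      # account that performed the action
    target: Optional[str] = None      # account created, added, or logging on
    group: Optional[str] = None       # group name for 4728 / 4732
    logon_type: Optional[int] = None  # logon type for 4624


PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RDP, cached console
SERVICE_ACCOUNT_PREFIX = "svc-"        # assumed naming convention


def review(events, approved_privileged):
    """Return one alert string per finding; an empty list means nothing to raise."""
    alerts = []
    for e in events:
        if e.event_id == 4720:  # user account created: always alert
            alerts.append(f"new account created: {e.target} by {e.subject}")
        elif e.event_id in (4728, 4732) and e.group in PRIVILEGED_GROUPS:
            if e.target not in approved_privileged:  # no management approval
                alerts.append(f"unapproved member {e.target} added to {e.group} by {e.subject}")
        elif e.event_id == 4624 and e.logon_type in INTERACTIVE_LOGON_TYPES:
            if e.target.startswith(SERVICE_ACCOUNT_PREFIX):
                alerts.append(f"interactive logon (type {e.logon_type}) by service account {e.target}")
    return alerts


# Constructed sample: a captured admin account creates and promotes a new account, then a service account is used over RDP.
SAMPLE = [
    Event(4720, "jdoe-admin", target="backup-ops"),
    Event(4728, "jdoe-admin", target="backup-ops", group="Domain Admins"),
    Event(4728, "hr-admin", target="jdoe-admin", group="Domain Admins"),
    Event(4624, "-", target="svc-scada", logon_type=10),
    Event(4624, "-", target="operator1", logon_type=2),
]
APPROVED = {"jdoe-admin"}  # privileged accounts with management approval

if __name__ == "__main__":
    for line in review(SAMPLE, APPROVED):
        print("ALERT:", line)
```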

slide-11
SLIDE 11

CULTURE OF MANAGING RISK - RISK ASSESSMENT

slide-12
SLIDE 12

THE CHALLENGE OF MANAGING TODAY’S CYBER RISK…

  • How can I prioritize my security budget?
  • How do I track loss reduction from year to year?
  • How can my resources most reduce losses?
  • Which control areas lead to my largest loss?
  • Which security controls am I missing, and which controls are least effective?
  • What can I expect to realistically achieve in loss reduction?
  • Where do my corporate assets reside?
  • How often will each be damaged and by how much?
  • What is maximum probable loss to the company?

Diagram: Likelihood of a Major Asset Loss; Key Missing Security Controls; Strategy to Mitigate Different Losses

slide-13
SLIDE 13

OUR APPROACH TO ADDRESS CURRENT LIMITATIONS IN THE SECURITY MARKET…

  • In-depth, prioritized corporate cyber strategy to mitigate risk
  • A platform to allow C-Suites and technical staff to address risk from same base-line
  • Year-to-year tracking and enhancements of loss reductions
  • Missing security controls that lead to cyber loss
  • Analysis of which SCMs are most effective (categorized)
  • Actionable security enhancements
  • In-depth, comprehensive base-line of major breach likelihood
  • Expected types of cyber attacks, tailored to company
  • The cost implications of attacks

Diagram: Risk Assessment linking Likelihood of a Major Asset Loss, Key Missing Security Controls and Strategy to Mitigate Different Losses

CONFIDENTIAL

slide-14
SLIDE 14

HOW WE DO IT: OUR METHODOLOGY

Our modeling builds on NIST standards, vulnerability scans, and penetration tests to provide the full range of attack pathways into your system, assessing the resulting losses.

Inspect

  • Facilitate in-depth, onsite data collection process with business, industry, and security analysts
  • Document the current / future state of your business model, corporate strategy & support operations
  • Document security control measures, business practices and technology solutions

Evaluate

  • Use an objective ‘white hat’ statistical risk approach to determine the likelihood of asset damage & forecast financial losses
  • Leverage proprietary algorithms to simulate the range of attack campaigns by threat category against your network controls
  • Evaluate current cyber security insurance investments

Assess

  • Review over 200 aspects of security controls, network topology, configurations and policies
  • Compare industry best practices to your current security posture and future changes you make
  • Quantify the potential business loss due to cyber risks and threats

Prioritize

  • Identify the most valuable business assets and prioritize security controls most affecting their damage and loss
  • Develop a two-prong report to support strategy meeting between C suite and technical teams
  • Recommend next steps that balance business priorities, risks and vulnerabilities

slide-15
SLIDE 15

HOW WE DO IT: OUR APPROACH

The Monte Carlo method is applied to simulate actual network attacks through the organization’s systems using a range of attack characteristics, and inclusion of the broadest possible set of interactive offensive and defensive factors

Threat Attack Module: Generates full range of likely threat sets, or campaigns, that will be executed over the next year against the company based on its specific industry segment.

Security Control Module: Applies effectiveness of your security control measures (SCMs) against the attack vectors, which are individual pathways used by attackers to propagate to the assets.

Damage Assessment Module: Models damage severity curves from past attacks and current attacker tools to determine likelihood level of damages from over 12 asset damage mechanisms.

Financial Module: Projects each asset damage mechanism and maps this to all categories of financial loss (causes of loss) such as legal, recovery fees, revenue lost and reputation damage.
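The four-module structure above (threat campaigns, control effectiveness, damage severity, financial loss) reduces to a short Monte Carlo loop. The script below is an added example and not the vendor's proprietary model; every rate, effectiveness value, severity parameter and loss split is a constructed, illustrative input.

```python
"""Four-module Monte Carlo loss model, added example (not the vendor's model).
Threat module: campaigns per year per category (Poisson). Security control
module: probability each campaign is stopped. Damage module: lognormal
severity. Financial module: split across causes of loss. All inputs are
constructed, illustrative values."""
import math
import random
import statistics

CAMPAIGN_RATES = {"phishing": 6.0, "vpn_credential": 2.0, "ics_shared_account": 0.5}
SEVERITY = {"phishing": (10.5, 1.0), "vpn_credential": (11.5, 0.8),
            "ics_shared_account": (13.0, 0.6)}  # lognormal (mu, sigma), dollars
LOSS_SPLIT = {"recovery": 0.45, "legal": 0.15, "revenue": 0.30, "reputation": 0.10}


def poisson(rng, lam):
    """Knuth's Poisson sampler; the random module has no Poisson draw."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(control_effectiveness, years=5000, seed=7):
    """control_effectiveness maps category -> probability a campaign is blocked.
    Returns (mean annual loss, 95th-percentile annual loss, mean loss by cause)."""
    rng = random.Random(seed)
    annual, by_cause = [], {cause: 0.0 for cause in LOSS_SPLIT}
    for _ in range(years):
        total = 0.0
        for cat, rate in CAMPAIGN_RATES.items():          # threat attack module
            for _ in range(poisson(rng, rate)):
                if rng.random() < control_effectiveness.get(cat, 0.0):
                    continue                              # security control module
                mu, sigma = SEVERITY[cat]
                damage = rng.lognormvariate(mu, sigma)    # damage assessment module
                total += damage
                for cause, share in LOSS_SPLIT.items():   # financial module
                    by_cause[cause] += damage * share / years
        annual.append(total)
    annual.sort()
    return statistics.mean(annual), annual[int(0.95 * years)], by_cause


if __name__ == "__main__":
    baseline = simulate({})
    improved = simulate({"phishing": 0.8, "vpn_credential": 0.9})
    print(f"mean annual loss: ${baseline[0]:,.0f} -> ${improved[0]:,.0f}")
    print(f"95th percentile:  ${baseline[1]:,.0f} -> ${improved[1]:,.0f}")
```

Comparing the baseline run with one that raises control effectiveness for a category is the "loss reduction by SCM area" figure the later slides chart.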

Standards and Benchmarking

  • Global threat reporting statistics
  • White hat security product/solution testing results
  • Inclusive of financial and insurance levels and requirements across security (ISO, NIST), compliance (HIPAA, PCIDSS, SOX), and privacy (FTC)

slide-16
SLIDE 16

Chart (Representative Example): Risk Reductions by Implementing Security Controls, 3 year recurrence loss

  • Red bubble represents percentage reduction of loss if any half of the recommendations for that specific Security Control Measure (SCM) area are implemented.
  • Blue bubble represents accumulated loss reduction if any half of the preceding SCM recommendations and any half of that individual SCM area recommendations are implemented.

Manage risk and gain visibility into the security controls that will improve our posture. Identify quick wins aligned to your budget.

slide-17
SLIDE 17

PRIORITIZE YOUR INVESTMENTS BASED ON THE MOST VALUABLE AND VULNERABLE BUSINESS ASSETS

Chart (Representative Example): Priority Value bubble chart. X = Cost, Y = Impact, Size = $ Value. Quadrants: High Cost / High Impact, Low Cost / Low Impact, Low Cost / High Impact, High Cost / Low Impact. Priority bands: Critical, High.

*Bubble size represents the impact and cost weighted towards impact.


slide-18
SLIDE 18