Cyber Security Threats - Shehzad Mirza, Director of the MS-ISAC - PowerPoint PPT Presentation

SLIDE 1

Cyber Security Threats

Shehzad Mirza, Director of the MS-ISAC SOC
Will Pelgrin, CIS President and CEO, MS-ISAC Chair

SLIDE 2

2.6 Billion Internet Users (pie chart, share of users by region)

  • Asia 44%
  • Europe 22.7%
  • North America 13.0%
  • Lat Am / Carib 10.3%
  • Africa 5.7%
  • Middle East 3.3%
  • Oceania / Australia 1.0%

SLIDE 3

The Internet is a tremendous tool for governments

  • Connect with constituents
  • Learn new ideas
  • Broadcast public functions live
  • Pay employees easily
  • Allows your constituents to register online

SLIDE 4

Criminals look for data… and state and local governments have a lot of it!

From Cradle To Grave And Beyond!

Confidential Informants

SLIDE 5

SLIDE 6

Leon Panetta, Secretary of Defense

“The next Pearl Harbor that we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our government systems… Cyber war could paralyze the U.S.”

SLIDE 7

Who Is Behind The Threats?

  • Cyber Criminals
  • Hacktivists
  • Nation States

SLIDE 8

Cyber Threats

  • Hacktivism
  • Mobile Devices
  • Insider Threats & Human Error
  • Phishing
  • Old Infrastructure

SLIDE 9

Hacktivism

SLIDE 10

Hacktivism

“Attacking corporations, governments, organizations and individuals… to make a point”

Sophos 2012

Hacktivist groups target:

  • Private corporations
  • Federal Government
  • State Government
  • Local Government
  • Education
  • Law enforcement groups
SLIDE 11

User Account Compromise Attack Scenario

  1. A Law Enforcement Association (i.e. Sheriff association, Police Benevolent Society, etc.) gets compromised
  2. Attackers gather the stolen credentials and either post them to a sharing website (i.e. Pastebin) or keep the login information for themselves
  3. Either the hackers themselves or other malicious actors then download the credentials from the sharing website and use them to log in and access local and federal law enforcement systems
  4. The compromise of the "association" system may lead to the compromise of the SLTT government systems

SLIDE 12

SLIDE 13

SLIDE 14

What Can You Do To Prevent This?

  • Perform regular vulnerability assessments of all Internet facing systems
  • Remind employees not to re-use work passwords
  • Monitor Webmail for:
    – Failed logins
    – Logins from out of the area or country
    – Logins at odd hours
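The three webmail checks listed above, as an added example that is not part of the MS-ISAC deck: it runs over constructed sample log lines, and the home country, the failed-login threshold and the business-hours window are assumptions a webmail administrator would set for their own agency.

```python
"""Flag the three webmail login patterns the slide lists (added example,
not from the MS-ISAC deck), run over constructed sample log lines."""
from collections import Counter
from datetime import datetime

# Constructed sample webmail log: "<ISO timestamp> <user> <result> <country>"
SAMPLE_LOG = """\
2013-03-04T09:12:01 alice SUCCESS US
2013-03-04T09:15:44 bob FAIL US
2013-03-04T09:15:52 bob FAIL US
2013-03-04T09:16:03 bob FAIL US
2013-03-04T09:16:10 bob FAIL US
2013-03-04T09:16:21 bob FAIL US
2013-03-04T03:02:17 carol SUCCESS US
2013-03-04T11:40:09 dave SUCCESS RO
"""

HOME_COUNTRY = "US"            # assumption: the agency's expected login country
FAILED_LOGIN_THRESHOLD = 5     # assumption: failures per user that warrant review
BUSINESS_HOURS = range(6, 21)  # assumption: 06:00-20:59 local counts as normal


def parse_log(text):
    """Parse one event per line into (datetime, user, result, country) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, country = line.split()
        events.append((datetime.fromisoformat(ts), user, result, country))
    return events


def webmail_alerts(events):
    """Return sorted (user, reason) pairs for the slide's three checks."""
    alerts = set()
    failures = Counter(user for _, user, result, _ in events if result == "FAIL")
    for user, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.add((user, f"{count} failed logins"))
    for ts, user, result, country in events:
        if result != "SUCCESS":
            continue  # location and hour checks apply to successful logins only
        if country != HOME_COUNTRY:
            alerts.add((user, f"login from outside {HOME_COUNTRY} ({country})"))
        if ts.hour not in BUSINESS_HOURS:
            alerts.add((user, f"login at odd hour ({ts:%H:%M})"))
    return sorted(alerts)


if __name__ == "__main__":
    for user, reason in webmail_alerts(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```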

SLIDE 15

Mobile Devices

SLIDE 16

Smartphone and Tablet Security Risks

Too Many Individuals Still…

  – Don’t use encryption, passwords, time-out settings or any other security protection
  – Store their sensitive corporate information on smartphones
  – Lose one of these devices at some point

SLIDE 17

Mobile Devices – Targets of Attack

“The number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year” – U.S. Government Accountability Office

SLIDE 18

Leaving your laptop or smartphone unattended can lead to big problems…

More than 10,000 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.

Ponemon Institute

SLIDE 19

Insider Threats and Human Error

SLIDE 20

Insider Threats are Real…

Can be intentional or accidental

  • WikiLeaks – Hundreds of thousands of confidential documents leaked by a military employee
  • Inadvertent posting of the Social Security numbers and birth dates of 22,000 government retirees on a state procurement website
  • Disgruntled city employee tampers with the city network to deny access to top administrators

SLIDE 21

Human Error – Weak Passwords

(image; source: tomshardware.com)

SLIDE 22

A longer password is a better password

Strong passwords should be 9-12 characters and possess a combination of letters, numbers, and special characters.

SLIDE 23

Example of Strong Password

This Is A Better Password Which Would Be Harder To Crack

Password = T1@bPwWBH2C
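The construction on slides 22 and 23, as an added example that is not part of the MS-ISAC deck: take the first character of each word of a memorable sentence, swap a few short words for a digit or symbol, then check the result against the slide's 9-12 character, mixed-class rule. The substitution table and the choice of which words are lowercased are assumptions made here to reproduce the slide's value.

```python
"""Derive a password from a sentence (slide 23) and check it against the
slide 22 policy. Added example, not from the MS-ISAC deck."""
import string

# Assumption: the short words the slide replaced with a digit or symbol.
SUBSTITUTIONS = {"is": "1", "a": "@", "to": "2"}

# Assumption: the slide lowercased "better" and "which"; the sentence is
# written here with that casing so the initials reproduce its value.
SENTENCE = "This Is A better Password which Would Be Harder To Crack"

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def from_sentence(sentence, substitutions=SUBSTITUTIONS):
    """Build the password: substituted token if the word is in the table,
    otherwise the word's first character with its case preserved."""
    tokens = []
    for word in sentence.split():
        tokens.append(substitutions.get(word.lower(), word[0]))
    return "".join(tokens)


def policy_gaps(password):
    """Return the list of slide 22 rules the password fails (empty = passes)."""
    gaps = []
    if not 9 <= len(password) <= 12:
        gaps.append("length not 9-12")
    present = set(password)
    for name, chars in CLASSES.items():
        if not chars & present:
            gaps.append(f"no {name}")
    return gaps


if __name__ == "__main__":
    derived = from_sentence(SENTENCE)
    print(derived, policy_gaps(derived) or "passes policy")
    # Plain initials without substitutions fail the digit/special rules.
    plain = from_sentence(SENTENCE, substitutions={})
    print(plain, policy_gaps(plain))
```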

SLIDE 24

Most Dangerous Cyber Celebrity!!!!

SLIDE 25

Phishing

SLIDE 26

Gone Phishing…

Phishing scams entice email recipients into clicking on a link or opening an attachment which is malicious.

  • WELL WRITTEN
  • APPEARS CREDIBLE
  • ENTICING OR SHOCKING SUBJECT
  • APPARENT TRUSTED SOURCE
SLIDE 27

SLIDE 28

Protect Yourself

  • Never click on a link in a suspicious e-mail.
  • Open a new web browser and manually go to the vendor's website to log into your account.
  • Call your vendor using a phone number from an official source to get the information you need.

SLIDE 29

Old Infrastructure

SLIDE 30

  • Old hardware and software that is beyond the end of its support life is often still in use today
  • No longer supported by the vendors
  • Using them after end of life places your organization at great risk since any security vulnerability will NOT be fixed, making it easy for hackers to launch a successful cyber attack

SLIDE 31

Industrial Control Systems

SLIDE 32

Internet Facing Industrial Control Systems

Approximately 7,200 Internet Facing Control System Devices

Source: US Department of Homeland Security ICS-CERT Monthly, Oct-Dec 2012

SLIDE 33

Case Studies

SLIDE 34

South Carolina 2012

  • More than 3.3 million unencrypted bank account numbers and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue.
  • Data lost: SSNs, bank account numbers and credit card numbers.
  • Breach due to a state employee falling for a phishing attack that enabled hackers to leverage that employee's access rights to gain access to the government entity's systems and databases.

SLIDE 35

State of Utah 2012

  • 280,000 Social Security numbers were stolen, and another 500,000 people lost personal information.
  • Eastern European hackers broke into the server maintained by the Utah Department of Technology Services in the spring of 2012 by taking advantage of a misconfiguration.

SLIDE 36

What Can You Do?

  • Keep your systems patched
  • Have cyber security policies
  • Monitor compliance with the policies
  • Log and monitor network traffic
  • Backup your systems on a regular basis and check them before storing off site
  • Train employees on good cyber security practices

SLIDE 37

Zeus Financial Fraud

A bank informed a School District that $758,758.70 was to be transferred overseas. The School District cancelled the transaction. The Bank then asked about the $1,190,400 that was already sent overseas. And the $1,862,400… also already sent overseas.

SLIDE 38

What Can You Do?

  • Have a dedicated computer for financial transactions
  • IP Filtering/white list
  • Limit software programs (no java, flash, email, etc.)
  • Set up a “non-privileged user” account
  • Take advantage of two factor authentication where available

SLIDE 39

Stats

SLIDE 40

SLIDE 41

SLIDE 42

(chart) Number of Infections – All MSS Partners, Dec-12 to Mar-13

SLIDE 43

(chart) Daily Activity Summary – All MSS Partners, Dec-12 to Mar-13. Categories: Accepted Inbound Port Scans; Peer-to-Peer Usage; SQL Injection Exploit Attempts; System File Access Attempts; Login Brute Forcing; Server Attack: Web Server; Spyware Traffic Events

SLIDE 44

(chart) Notifications, Dec-12 to Mar-13. Categories: Darknet; Keylogger; Defacement; Credentials

SLIDE 45

The MS-ISAC is here to help!

SLIDE 46

What is the MS-ISAC?

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is the focal point for cyber threat prevention, protection, response and recovery for the nation’s state, local, territorial and tribal (SLTT) governments.

SLIDE 47

MS-ISAC Is Built On A Strong Foundation

(diagram) Situational Awareness shared among the Federal Government, Homeland Security Advisors, States & US Territories and Local Governments: SHARE, COLLABORATE, TRUST

SLIDE 48

(map of MS-ISAC member states and territories, including AK, HI and American Samoa)

A Trusted Model for Collaboration and Cooperation across All States, Local Governments and Several U.S. Territories, Built on over 10 years of Centralized Outreach, Awareness and Bidirectional Information Sharing.

SLIDE 49

Local Governments

MS-ISAC Local Government members represent 33% of the U.S. population

SLIDE 50

MS-ISAC Monitoring Partners

(map) States: Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming

Local governments and other partners: Lane Co., Johnson Co., NYC, LAWA, Brentwood, Cary, San Diego, Goodyear

SLIDE 51

Security Operations Center

Staff at the NCCIC

SLIDE 52

24x7 Cyber Security Operations Center

  • Central location to report any cyber security incident, staffed 24x7
  • 24x7 support for:
    – Albert and Managed Security Services
    – Vulnerability Assessments
    – Research and analysis
  • 24x7 analysis and monitoring of:
    – Threats
    – Vulnerabilities
    – Attacks
  • 24x7 reporting:
    – Web Defacements
    – Account Compromises

SLIDE 53

CERT Capabilities

  • Incident Response
    – Includes on-site assistance
  • Malware Analysis
  • Computer Forensics
  • Network Forensics
  • Log Analysis
  • Statistical Data Analysis
  • Netflow Monitoring / Albert
  • Rapid Sensor Deployment
  • Penetration Testing
SLIDE 54

MS-ISAC Intelligence Sources

  • 7x24 Monitoring
    – Analysis of 12 billion logs/records per week
  • Intelligence Partners
  • Federal Government
  • Private Sector
  • Internet Research
SLIDE 55

Multi-State Information Sharing and Analysis Center Products and Services

  • 24/7 Cyber Security Analysis Center
  • Cyber Security Alerts and Advisories
  • Public and Secure MS-ISAC Websites
  • Monthly Conference Calls
  • Participation in cyber exercises
  • Annual Meeting
  • Ensuring collaboration with all necessary parties
  • Common cyber alert level map
  • National Webcast Initiative
  • National Cyber Security Awareness Month

SLIDE 56

MS-ISAC Public Website

SLIDE 57

Take advantage of our RSS feed!

Connect to our Cyber Security Advisories to provide greater awareness to those agencies, organizations and businesses that frequent your website.

Connect to our Daily Cyber Security Tip to provide greater awareness for your employees, constituents and others.

SLIDE 58

Monthly Newsletters

The MS-ISAC distributes the newsletters in a template form so they can be re-branded and distributed broadly throughout state and local governments.

SLIDE 59

SLIDE 60

Cyber Security Guides

SLIDE 61

Cyber Security Awareness Toolkit

SLIDE 62

How can you join?

SLIDE 63

Summary

  • There is no “silver bullet” for cyber security
  • Don’t become complacent
  • Have policies and methodologies in place to monitor compliance
  • Log and monitor all traffic
  • Be a cyber security champion in your organization
SLIDE 64

Thank You

Questions???

Contact Information:

brian.calkin@msisac.org or info@msisac.org

1-866-787-4722