STATE OF NEW YORK PUBLIC SERVICE COMMISSION



Similar documents
Network and Workstation Acceptable Use Policy

Top tips for improved network security

OCIE CYBERSECURITY INITIATIVE

Desktop and Laptop Security Policy

Cyber Essentials Scheme

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

Malware & Botnets. Botnets

Attachment A. Identification of Risks/Cybersecurity Governance

SPEAR PHISHING UNDERSTANDING THE THREAT

Anti-Phishing Best Practices for ISPs and Mailbox Providers

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Small businesses: What you need to know about cyber security

The Ministry of Information & Communication Technology MICT

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams. May TrustInAds.org. Keeping people safe from bad online ads

Small businesses: What you need to know about cyber security

GOING BEYOND BLOCKING AN ATTACK

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

Security Management. Keeping the IT Security Administrator Busy

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

Information Security

How To Audit The Mint'S Information Technology

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

DATA BREACH COVERAGE

Protect Your Business and Customers from Online Fraud

Retention & Destruction

KEY STEPS FOLLOWING A DATA BREACH

V ISA SECURITY ALERT 13 November 2015

Best Practices Guide to Electronic Banking

Data Management Policies. Sage ERP Online

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Remote Deposit Quick Start Guide

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Monitoring and Logging Policy. Document Status. Security Classification. Level 1 - PUBLIC. Version 1.0. Approval. Review By June 2012

Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

Network Security Policy

2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.

Information Security Incident Management Policy

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

User Documentation Web Traffic Security. University of Stavanger

Privilege Gone Wild: The State of Privileged Account Management in 2015

1. Any requesting personal information, or asking you to verify an account, is usually a scam... even if it looks authentic.

Presentation Objectives

WRITTEN TESTIMONY BEFORE THE HEARING ON PROTECTING PERSONAL CONSUMER INFORMATION FROM CYBER ATTACKS AND DATA BREACHES MARCH 26, :30 PM

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Symantec Advanced Threat Protection: Network

Online Security Awareness - UAE Exchange - Foreign Exchange Send Money UAE Exchange

Information Technology Services Information Security Incident Response Plan

Know the Risks. Protect Yourself. Protect Your Business.

STATEMENT OF RANDY S. MISKANIC VICE PRESIDENT, SECURE DIGITAL SOLUTIONS U.S. POSTAL SERVICE BEFORE THE SUBCOMMITTEE ON FEDERAL WORKFORCE, U.

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Information Technology Policy

Oakland Family Services - Was Your Hacked?

Managing Information Stanford

A practical guide to IT security

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

INDUSTRY OVERVIEW: HEALTHCARE

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

How To Find Out If You Were Hacked By An Employee Of Ancient.Com

PORTABLE DATA STORAGE SECURITY INFORMATION FOR CIOs/CSOs Best Before November

How To Monitor The Internet In Idaho

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Environmental Management Consolidated Business Center (EMCBC) Subject: Cyber Security Incident Response

The Home Depot Provides Update on Breach Investigation

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

Best Practices: Reducing the Risks of Corporate Account Takeovers

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Cyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology

Becoming PCI Compliant

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

Why The Security You Bought Yesterday, Won t Save You Today

2012 Data Breach Investigations Report

ENABLING FAST RESPONSES THREAT MONITORING

Stop advanced targeted attacks, identify high risk users and control Insider Threats

How To Protect A Network From Attack From A Hacker (Hbss)

WORKING WITH WINDOWS FIREWALL IN WINDOWS 7

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Sample Data Security Policies

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Incident Response Plan for PCI-DSS Compliance

Web DLP Quick Start. To get started with your Web DLP policy

CITY OF BOULDER *** POLICIES AND PROCEDURES

Safety precautions for Internet banking or shopping How to avoid identity theft online

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

Information Security Incident Management Guidelines

Using Tofino to control the spread of Stuxnet Malware

TRIPWIRE NERC SOLUTION SUITE

Information Technology Cyber Security Policy

Supplier Security Assessment Questionnaire

Transcription:

COMMISSIONERS PRESENT: Garry A. Brown, Chairman Patricia L. Acampora Gregg C. Sayre Diane X. Burman STATE OF NEW YORK PUBLIC SERVICE COMMISSION At a session of the Public Service Commission held in the City of Albany on August 15, 2013 CASE 13-M-0178 - In the Matter of a Comprehensive Review of Security for the Protection of Personally Identifiable Customer Information. Review of Central Hudson Gas and Electric Corporation Breach Incident. BY THE COMMISSION: ORDER DIRECTING THE CREATION OF AN IMPLEMENTATION PLAN (Issued and Effective August 19, 2013) BACKGROUND On February 16, 2013 Information Technology (IT) personnel at Central Hudson Gas and Electric Corporation (Central Hudson) discovered anomalous activity on the company s business systems computer network. The activity indicated that malicious software may have been introduced, possibly resulting in a breach of company network security. Monitoring of this activity revealed that a company desktop computer connected to a cash and check processing system for customer bill payment management was attempting to log onto other Central Hudson network systems using local accounts. Over the next three days investigation by company IT employees determined that malware had in fact made its way into the company network and that the malware had disabled antivirus software on a company desktop computer. Central Hudson immediately identified all internet addresses that could be

associated with the anomalous traffic and blocked those addresses in an effort to contain the problem. On February 19, 2013, Central Hudson s president informed Chairman Brown of the breach and a company vice president notified Utility Security Section staff (Staff) of the Department of Public Service (Department). INVESTIGATION by DELL SECUREWORKS Central Hudson secured the services of Dell SecureWorks (Dell) to investigate the incident. Dell conducted an on-site investigation commencing on February 19, 2013. 1 Dell concluded from its investigation that the malicious software was of a type popularly known as a worm. This particular malware has the capability of avoiding detection of its presence by disabling antivirus and malware detection software and spreading itself over an organization s network. It even has the ability to update itself as it is gathering information and securing persistent illegal remote access to a computer. This worm was designed to steal user information, and then look for avenues by which to send the information it has found, out of the company network. This malware typically infects networks by lurking on legitimate websites and through the hacking technique of phishing (sending e-mails soliciting a user click). With this design capability, the malware found by Dell in the Central Hudson network is an ideal identity theft tool. Dell was unable to conclusively determine when or how the malware gained entry to the Central Hudson network. Dell 1 Central Hudson also notified the New York State Police. Forensic information gathered by Dell was shared with the State Police. -2-

did confirm that the malware had been present within the Central Hudson network at least six months prior to the discovery and possibly earlier. Dell was not able to determine from its forensic analysis precisely when or by whom the malware was introduced. Nor has it been possible to determine the quantity and the content of the data that may have been transferred out of Central Hudson s control during the file transfer connections that were self-initiated by the worm. Due to the fact that the malware is known to have infected a company system that processes customer payment made by personal check, together with scans and other records of the information printed on the check, the personally identifiable information (PII) found on the face of those checks had to be considered compromised. CENTRAL HUDSON RESPONSE TO CUSTOMERS On February 22, 2013, Central Hudson began to notify customers of the incident by issuing press releases, posting information on its website and making outbound automatic phone calls. Additionally, the Company sent two sets of mailings to the approximately 110,000 potentially affected residential and non-residential customers to provide information about the breach, how customers may be affected and the actions that customers should take to determine if their confidential information has been misused. The Department s Office of Consumer Policy reviewed the second set of correspondence and recommended modifications to stress the importance of the message and to clarify that free credit monitoring services were available for a limited time. The Company announced that it was offering its customers the option of one year of credit monitoring service from Experian, one of the nation s largest credit reporting entities, at no charge. Central Hudson announced that its -3-

customers must enroll in the Experian program by June 30, 2013. The Experian service provides customers with a copy of their credit report, daily monitoring and alerts regarding suspicious activity, and an insurance policy to help cover certain costs in the event that customer identity theft occurs. Central Hudson indicated that it will record costs incurred as operating expenses and will not be requesting separate reimbursement or deferral of such costs for future recovery from customers. The Department requested and received weekly reports containing the number of Central Hudson customers who enrolled in the free credit monitoring service. As of July 7, 2013, 21,405 residential and 1,094 non-residential customers have enrolled in the service. Central Hudson also said that it will provide Staff with immediate notice of any findings by Experian or law enforcement entities that relate to this incident. Central Hudson reports, however, that it has no information indicating that there has been any inappropriate use of customer data attributable to this incident so far. DELL S RECOMMENDATIONS TO CENTRAL HUDSON Dell provided several recommendations to Central Hudson to lessen the possibility of a future breach of company network security from malicious software introduced via the internet. Those recommendations included more frequent changing of employee passwords, rigorous password policy enforcement, frequent antivirus software updates, frequent software security updates of operating system and third-party software, resetting Internet browser settings to make them more restrictive, more frequent inventory and destruction of stored customer -4-

information, and further limiting of removable storage media in the workplace. 2 Dell also emphasized the importance of regular and frequent employee cyber security awareness training, particularly with regard to the increasingly more sophisticated phishing techniques designed to lure unsuspecting employees to innocent appearing web links that are in fact malicious. 3 In addition, Dell offered recommendations for the deployment of less conventional and more comprehensive technical cyber security measures. These measures would allow only use of preapproved software applications recognized and known to be safe, and to block inbound and outbound network traffic on the company network that did not conform to preset specifically configured traffic types. These more advanced technical protective steps included White Listing (a default setting that limits employee access to software applications known to be safe and only to internet traffic that meets certain preset security rules) and the deployment of a Data Loss Prevention (DLP) system solution. Staff met with Central Hudson executives and IT management, along with representatives from Dell SecureWorks to examine the full Dell report. Staff discussed the findings and recommendations included in the report with Central Hudson personnel and with the Dell representatives, along with 2 Portable storage media, such as thumb drives, can be the source of accidental and deliberate malware infections when plugged into a network machine. 3 These recommendations, as well as others that Dell made could be considered basic cyber security measures and were already part of Central Hudson s cyber security program. Dell urged more frequent and rigorous application of such measures. -5-

projected timetables and various means by which Central Hudson would act on the Dell recommendations. In summary, Dell Secureworks submitted 13 recommendations to Central Hudson. Of those: 6 have been adopted and fully implemented. 3 have been partially implemented, with full implementation targeted for 2014 4 are under review, with company projected determinations for action or implementation, by late 2013 or 2014. CONCLUSION Central Hudson is directed to develop an Implementation Plan (the Plan) within 30 days of the issuance of this Order to be maintained at the Company s premises and made available to Department Staff upon request for review and inspection. The Plan should include all actions taken, or planned to be taken, in response to the recommendations submitted to the Company by Dell SecureWorks in March 2013. The Plan should include an overall assessment of the relative priorities for each of the recommendations, implementation action steps taken or yet to be taken, proposed alternative measures, schedules with specific interim milestones, and any Dell recommendations rejected by Central Hudson with a comprehensive explanation as to why such were rejected. If Central Hudson believes a recommendation should not be implemented, full justification supporting the Company s determination should be provided. Central Hudson should consult with Staff during the development of this plan. The Commission orders: 1. Central Hudson is directed to create an implementation plan within 30 days of the issuance of this Order -6-

consistent with the procedures and requirements detailed in the body of this Order. 2. This proceeding is continued. By the Commission, KATHLEEN H. BURGESS Secretary -7-

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information