Association of Minnesota Counties
Threats to Local Governments and What You Can Do to Mitigate the Risks
Andrew Dolan, Director of Government Affairs, Multi-State Information Sharing and Analysis Center
Center for Internet Security CEO William Pelgrin
The mission of the Center for Internet Security (CIS) is to enhance the cyber security readiness and response of public and private sector entities, with a commitment to excellence through collaboration.
Great partnerships with US DHS, USSS, FBI, HSAs and more!
The Internet
[Chart] 2.6 Billion Internet Users by region: Asia 44%, Europe 22.7%, North America 13.0%, Lat Am / Carib 10.3%, Africa 5.7%, Middle East 3.3%, Oceania / Australia 1.0%
[Chart] 2012 Top Attacking Countries (analysis of 10,496 attacks): United States 68%, China 14%, United Kingdom 3%, Germany 3%, France 2%, Ukraine 2%, Russian Federation 2%, Turkey 2%, Poland 1%, Brazil 1%, Netherlands 1%, Korea 1%
FBI Director James Comey: "The cyber threat, both cyber espionage, cyber crime, and cyber terrorism, is an enormous and an exponentially growing threat, and so will certainly be a key part of the next 10 years."
Joel Brenner, former Head of Counterintelligence for the Director of National Intelligence: "The U.S. cannot defend the electric networks that control our energy supply, keep aircraft from colliding in mid-air, clear financial transactions, or make it possible for the President to communicate with his cabinet secretaries." (America the Vulnerable)
Our Security Posture Has Changed: Homeland Security, National Security, Cyber Security, Economic Security
Presidential Executive Order on Critical Infrastructure Protection
Directs federal authorities to improve information sharing on cyber threats with companies that provide support to critical infrastructure. Participation is voluntary. A new program eases the delivery of classified information to eligible companies, with expedited security clearances.
Who Is Behind the Threats? Cyber criminals, corporate espionage, hacktivists, nation states
International
Emergency Alert Systems Compromised
How do they get into our networks? Software vulnerabilities, unsecure applications, phishing, user error
Traditional IT Infrastructure
Industrial Control Systems
Mobile Device Security
The New Frontier of Cyber Security
Critical Infrastructure
The Internet is a tremendous tool for governments: connect with constituents quickly, allow your constituents to access government services online, broadcast public functions live, pay employees easily
Criminals look for data
And local governments have a lot of it! From Cradle To Grave And Beyond! Confidential Informants
Recent Attack Trends Content Management Systems
Content Management Systems
CIS recently uncovered an APT campaign that exploited CMS vulnerabilities to compromise networks. The attackers identified sites running a vulnerable version of Ektron CMS. The vulnerability was only a couple of months old and allowed arbitrary file upload. By uploading a webshell, the attackers took control of the web server. They installed mimikatz/gsecdump to gain access to the cached credentials on the server, used the newly acquired credentials to pivot into the organization's internal network, and gained access to and exfiltrated a significant amount of sensitive data.
Attackers use search tools to identify vulnerable systems, write scripts to attack those systems, and then they own the system: they use your bandwidth to DDoS other systems, compromise data, and compromise visitors/customers/citizens.
Content Management Systems Mitigation: Patch your systems!
And as always, watch out for phish! Phishing scams entice email recipients into clicking on a malicious link or attachment. Hallmarks: well written, appears credible, enticing or shocking subject, apparent trusted source.
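Patching closes the upload hole; the next question for a defender is how to notice the webshell stage if a patch was missed. The following is an added example, not code from the presentation or from CIS: it reads IIS W3C web-server log lines (the standard IIS field names) and flags any request that executes a server-side script out of a directory that should only hold uploaded documents and images. The log lines are constructed, and the UPLOAD_PREFIXES paths are an assumption for a hypothetical site that must be replaced with the real CMS upload locations.

```python
"""Flag requests that execute server-side scripts out of upload directories,
the footprint of the webshell step described above.  Added example, not from
the presentation or from CIS.  The log lines are constructed in IIS W3C format
with the standard IIS field names; UPLOAD_PREFIXES is an assumption for a
hypothetical site and must be set to the real CMS upload paths."""
import posixpath
from dataclasses import dataclass

# Directories that should only ever serve static uploads (assumed for this example).
UPLOAD_PREFIXES = ("/uploadedfiles/", "/uploads/", "/content/media/")
# Extensions the web server would execute rather than serve as static content.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp", ".cgi"}


@dataclass(frozen=True)
class Finding:
    time: str
    client_ip: str
    method: str
    path: str
    status: str
    reason: str


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the latest '#Fields:' line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def is_script_in_upload_dir(path):
    """True when a normalized request path is an executable script under an upload prefix."""
    # normpath collapses '..' and duplicate slashes so a traversal cannot dodge the prefix test
    norm = posixpath.normpath(path).lower()
    ext = posixpath.splitext(norm)[1]
    return ext in SCRIPT_EXTENSIONS and norm.startswith(UPLOAD_PREFIXES)


def find_webshell_requests(lines):
    findings = []
    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "")
        if not is_script_in_upload_dir(path):
            continue
        reason = "server-side script requested from an upload-only directory"
        if rec.get("cs-method", "").upper() == "POST":
            reason += "; POST to it suggests commands being submitted"
        findings.append(Finding(rec.get("time", ""), rec.get("c-ip", ""),
                                rec.get("cs-method", ""), path,
                                rec.get("sc-status", ""), reason))
    return findings


# Constructed sample: a legitimate editor upload, static files, then webshell use.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-10-02 14:01:12 10.0.0.5 GET /uploadedfiles/agenda.pdf - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 31
2013-10-02 14:02:40 10.0.0.5 POST /workarea/upload.aspx - 80 editor 198.51.100.7 Mozilla/5.0 200 0 0 120
2013-10-02 14:03:05 10.0.0.5 GET /uploadedfiles/images/seal.jpg - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 12
2013-10-02 14:03:51 10.0.0.5 GET /uploadedfiles/images/seal.aspx - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 45
2013-10-02 14:04:02 10.0.0.5 POST /uploadedfiles/images/seal.aspx - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 210
2013-10-02 14:05:10 10.0.0.5 GET /content/media/../../default.aspx - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 9
"""


def demo():
    """Run the detector over the constructed log; returns the two seal.aspx hits."""
    return find_webshell_requests(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.time} {f.client_ip} {f.method} {f.path} -> {f.reason}")
```

The editor's own POST to /workarea/upload.aspx is not flagged because it is the CMS's upload handler, not a script living inside the upload tree, and the traversal-style request to /content/media/../../default.aspx is normalized to /default.aspx before the prefix check so it does not produce a false positive. The same rule is cheap to express as a web-server or WAF policy: deny script execution under upload directories outright, which is the preventive counterpart of this detection.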
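The four hallmarks above can be turned into header and body checks that a mail gateway or helpdesk triage script can run. The code below is an added example, not from the presentation or from CIS: it parses a raw message with Python's email module and reports a reply-to domain that differs from the sender, a display name that claims the county's domain while the address is elsewhere, pressure wording in the subject, and a link whose visible text names a different site than its href. Both messages and the TRUSTED_DOMAINS entry are constructed for a hypothetical county.

```python
"""Score an e-mail for the phishing traits listed above (apparent trusted
source, enticing or shocking subject, deceptive link).  Added example, not
from the presentation or from CIS.  Both sample messages are constructed and
the county domain in TRUSTED_DOMAINS is an assumption for a hypothetical county."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a sender may legitimately claim to be (assumed for this example).
TRUSTED_DOMAINS = {"co.example.us"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "on hold", "within 24 hours")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host):
    # Crude public-suffix approximation: the last two labels are enough for a demo.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        found.append("reply-to domain differs from sender domain")

    # "Apparent trusted source": the display name names our domain, the address does not.
    for trusted in TRUSTED_DOMAINS:
        if trusted in name.lower() and from_dom != trusted and not from_dom.endswith("." + trusted):
            found.append("display name claims %s but address is @%s" % (trusted, from_dom))

    # "Enticing or shocking subject": pressure wording.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        found.append("subject uses pressure wording")

    # Deceptive link: visible text shows one host, the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in LINK_RE.findall(html):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        match = HOST_RE.match(visible)
        if not match:
            continue  # link text like "click here" carries no host to compare
        href_host = urlparse(href).hostname or ""
        if registrable(href_host) != registrable(match.group(1)):
            found.append("link text shows %s but points to %s" % (match.group(1), href_host))
    return found


# Constructed sample messages.
SUSPECT = """\
From: "hr.co.example.us Payroll" <payroll@co-example-payroll.net>
Reply-To: collect@mailbox-example.biz
To: clerk@co.example.us
Subject: URGENT: your paycheck is on hold
Content-Type: text/html; charset="utf-8"

<html><body><p>Confirm your account within 24 hours:</p>
<a href="http://co-example-payroll.net/login">https://hr.co.example.us/login</a>
</body></html>
"""

BENIGN = """\
From: "Jane Clerk" <jane.clerk@co.example.us>
To: board@co.example.us
Subject: Agenda for Tuesday
Content-Type: text/plain; charset="utf-8"

The agenda is posted at https://www.co.example.us/agenda
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, phishing_indicators(raw))
```

None of these checks is conclusive on its own (a legitimate vendor may set a different Reply-To), which is why the function returns the full list rather than a verdict; in practice the count feeds a quarantine threshold and the individual reasons go into the user-awareness training the deck recommends.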
Recent Attack Trends Ransomware / CryptoLocker
Cryptolocker
Spreads through phishing emails, as an attached zip file or a straight executable; also installed after a Zeus infection. After infection it connects to a C2 server (located through a domain generation algorithm, DGA) to obtain a 2048-bit encryption key. If successful, it encrypts all personal files on the local hard drive and on file shares, focusing on office documents. It demands $200-$600 for the decryption key, and payment must be made within 72 to 100 hours, otherwise the decryption key is destroyed.
Cryptolocker Mitigation
User awareness and training is the first line of defense. Make sure you have backups. The DGA has been broken (its domains can be predicted), so blocking the IP addresses of the C2 server effectively prevents the encryption process from starting. A subset of files may be recovered from restore points and volume shadow copies. Pushing out a domain policy that prevents executables from running from the Documents and Settings folder may be effective, but this may also break other programs.
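Backups are only useful if you learn of the encryption early enough to restore before the next backup overwrites good copies. The following is an added example, not from the presentation or from CIS, of a cheap early-warning check built on the one fact the deck gives, that Cryptolocker overwrites office documents: every document format begins with a fixed signature (PK for .docx/.xlsx/.pptx, the OLE header for .doc/.xls/.ppt, %PDF- for PDF), and an encrypted file no longer does. The sample tree is constructed in a temporary directory and the ALARM_RATIO threshold is an assumption to tune per environment.

```python
"""Spot office documents whose contents no longer match their extension,
the state Cryptolocker leaves files in.  Added example, not from the
presentation or from CIS.  The sample tree is constructed in a temporary
directory; ALARM_RATIO is an assumed threshold to tune per environment."""
import os
import tempfile

# Leading bytes each document type is expected to carry.
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (OLE_HEADER,), ".xls": (OLE_HEADER,), ".ppt": (OLE_HEADER,),
    ".pdf": (b"%PDF-",),
}
ALARM_RATIO = 0.25  # fraction of checked documents that may be damaged before alarming


def signature_matches(path):
    """True/False for a known document type; None for extensions we do not check."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    # A file truncated to nothing also fails: an empty head matches no signature.
    return any(head.startswith(sig) for sig in MAGIC[ext])


def assess_tree(root, alarm_ratio=ALARM_RATIO):
    """Walk a share or home directory and report documents that lost their signature."""
    checked, damaged = 0, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            result = signature_matches(path)
            if result is None:
                continue
            checked += 1
            if not result:
                damaged.append(os.path.relpath(path, root))
    ratio = len(damaged) / checked if checked else 0.0
    return {
        "checked": checked,
        "damaged": sorted(damaged),
        "ratio": ratio,
        "alarm": checked > 0 and ratio >= alarm_ratio,
    }


def build_sample_tree():
    """Constructed sample: three intact documents, two that look encrypted, one ignored."""
    root = tempfile.mkdtemp(prefix="docscan_")
    junk = bytes((i * 73 + 19) % 256 for i in range(64))  # signature-free filler
    files = {
        "agenda.docx": b"PK\x03\x04" + b"\x00" * 60,
        "ordinance.doc": OLE_HEADER + b"\x00" * 56,
        "budget.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "minutes.docx": junk,      # stands in for an encrypted document
        "payroll.xlsx": junk,      # stands in for an encrypted document
        "notes.txt": b"not a document type we check\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(assess_tree(build_sample_tree()))
```

Signature checking is used rather than an entropy measure because .docx and friends are zip containers whose bytes are already close to random, so entropy alone cannot separate an intact .docx from an encrypted one. Run the check against the file shares the deck mentions on a schedule, and treat an alarm as the trigger to disconnect the share and start restoring from backup.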
Areas of Concern for Local Governments: weak/reused passwords, unprotected health records/citizen PII, ransomware/financial fraud, unprotected critical infrastructure
What can you do?
Be Proactive! Be a champion of cyber security: institute/support policies, provide resources to monitor compliance, training
There's no such thing as 100% cyber security. Harden systems. Keep your systems patched. Update cyber security policies. Monitor compliance with the policies. Regularly scan systems. Back up your systems on a regular basis and store the backups off site. Encrypt your mobile devices. Train your users.
Free Resources: daily tips, monthly newsletters, webcasts, guides
Security Services (CIS Can Help!): 24x7 managed/monitored security services, vulnerability assessments, penetration testing. www.cisecurity.org
[Map of member states and territories] A Trusted Model for Collaboration and Cooperation for 10 years
The Nationwide Cyber Security Review
What is the NCSR? The NCSR, or Nationwide Cyber Security Review, is a voluntary self-assessment survey designed to evaluate cyber security management within state, local, tribal and territorial governments. The Senate Appropriations Committee has requested an ongoing effort to chart nationwide progress in cybersecurity and identify emerging areas of concern. In response, the U.S. Department of Homeland Security (DHS) has partnered with the Center for Internet Security's Multi-State Information Sharing and Analysis Center, the National Association of State Chief Information Officers (NASCIO), and the National Association of Counties (NACo) to develop and conduct the second NCSR.
Who can participate? All States (and all agencies within), local government jurisdictions (and all departments within), tribal and territorial governments.
When does the survey take place? The survey will start October 1, to coincide with National Cyber Security Awareness Month, and must be completed by November 30, 2013.
What should I expect on the survey?
Survey question set and standards: 85 total questions
o 15 demographic questions
o 59 survey questions
o 4 emerging technology questions
o 7 post-survey questions
Based on a security program maturity scale. Closely aligned with standards and best practices including
o Control Objectives for Information Technology (CoBIT)
o Statement on Auditing Standards Number 6 (SAS 6)
o SANS 20 Critical Security Controls
o National Institute of Standards and Technology (NIST) Special Publication 800
Survey question areas: Security Program, Risk Management, Physical Access Controls, Logical Access Controls, Personnel and Vendor Contracts, Security Within Technology Lifecycles, Information Disposition, Malicious Code, Monitoring and Audit Trails, Incident Management, Business Continuity, Security Testing, Privacy
What happens after the survey closes? Summary Report
The first NCSR Summary Report was released to respondents on March 16, 2012. The Summary Report to Congress for the second NCSR will be completed during the first quarter of 2014. The Summary Report highlighted key findings from the 2011 Review, including identifiable gaps and recommendations on how state and local governments can increase their risk awareness. The Summary Report was not attributable to specific respondents or organizations. The Summary Report allowed respondents to compare their answers against the national averages and determine their individual strengths and weaknesses.
Key Findings Summary: Capabilities and Gaps
Strengths
o 81% of all respondents have adopted cyber security control frameworks and/or security methodologies
o 52% have implemented and/or validated protective measures for the detection and removal of malicious code
o 42% have implemented and/or validated logical access controls (e.g., termination/transfer procedures, ACLs, remote access)
Weaknesses
o 46% of respondents stated they have not implemented Monitoring and Audit Trails, which is important to determine if an incident is occurring or has occurred
o 45% of respondents stated they have not implemented a formal risk management program (e.g., risk assessments, security categorization)
o 42% of respondents stated they do not have an independent testing and/or audit program established
o 31% of all respondents have never performed a contingency exercise
Thank You. Questions?
Contact Information: Andrew Dolan, Andrew.Dolan@cisecurity.org or info@msisac.org, www.cisecurity.org, 518-880-0699