Preparing for Cyber Threats Against Your City

Transcription

1 Preparing for Cyber Threats Against Your City Andrew Dolan Director of Stakeholder Engagement Kateri Gill Program Specialist Florida League of Cities

2 State, Local, Tribal, or Territorial Government Entity 2

3 Multi-State Information Sharing and Analysis Center The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's SLTT governments. 3

4 Who We Serve MS-ISAC Members include: All 56 US States and Territories All 78 federally recognized fusion centers More than 1,300 local governments and tribal nations State, Local, Tribal, and Territorial Cities, counties, towns, airports, public education, police departments, ports, transit associations, and more 4

5 3.7 Billion Internet Users as of December % 9% 9% 4% 1% 50% Asia Europe Latin Am / Carib Africa 17% North America Middle East Oceania / Australia 5

6 Why Government? Criminals look for data... and governments have a lot of it! 6

7 The Value of Stolen Information and the costs of a breach Record Type Estimated Underground Value pre record (McAfee and World Privacy Forum) Financial Account $14-$25 Credit/Debit Card $4-$5 Medical Account Data $0.03-$2.42 Full Medical Record with $50 supporting documents Record Type Estimated Breach Cost Per Record (Ponemon Institute 2016 Report) Health $355 Education $246 Financial $221 7

8 Cyber Threat Actors Nation-states Cyber Criminals Hacktivists Insiders TLP: GREEN 8

9 Nation-State Actors (APT) Political Leverage Competitive Insight Intellectual Capital Cyber Warfare TLP: GREEN 9

10 Nation-State Spear Phishing Agency Director Agency Deputy Director Work related Expected business need Expected topic Unknown person Government employee Expected business need Implied relationship TLP: AMBER 10

11 Hacktivists Doxing DDoS Attacks Social, Political & Ideological Agenda Opportunistic System Compromise Targeted Web Defacements TLP: GREEN 11

12 Common Motives Against SLTTs Alleged Use of Excessive Force by LEO Perceived Injustice Alleged Animal Cruelty by LEO Alleged Offensive Comments Anti-Government Opportunistic TLP: GREEN 12

13 Cyber Threat Actor Attack Types Compromised Server 1% 1% DDos 20% 4% 7% Data Dump/ breach Defacement 1% 1% 7% 9% 49% Doxing Hoax Malicious Actor Activity Scanning SQLi XXS TLP: AMBER 13

14 Bitcoin Baron December January 2015 claimed responsibility for 11 DDoS attacks against SLTTs March 2015 claimed responsibility for 11 DDoS attacks against SLTTs March 23, 2015 accidentally posts an unrelated charge sheet on Twitter; pulls it offline almost immediately; but not before MS-ISAC sees it! April 9, 2015 charges announced Sept Indicted TLP: AMBER 14

15 Cyber Criminals Zeus Locky Financial Motivation Varying Expertise Upatre/ Dyre Vawtrak Bedep Dridex TLP: GREEN 15

16 Ransomware Ransomware Infection Vectors 1. Visiting a malicious or compromised site 2. Opening a malicious attachment Recent Trends 1. New Variants / TTPs 2. Ransomware-as-a-Service 3. Used in extortion schemes Prevention Mechanisms 1. Keep your systems patched 2. Keep your AV up-to-date 3. filtering 4. End user training and awareness 5. Have backups 16

17 Los Angeles Valley College Los Angeles Valley College had servers compromised by Ransomware LAVC Network, , and phone systems were brought down $28,000 in BTC was paid to restore service A claim has been opened with their cybersecurity insurance provider 17

18 Database Dumps TLP: GREEN 18

19 Out of 117 Million Passwords: # of users password 1,135, ,488 linkedin 188,380 password 149, , , , , ,870 qwerty 51,535 sunshine 2,094,243 Source: PandaLabs Q Report 19

20 Password Reuse In 2016, Intuit identified that over 40% of accounts taken over by cyber threat actors, were accessed through reused credentials. 20

21 Insiders Revenge Accidental Financial Motivation Power & Control Varying Expertise Guests Former Employees Trusted 3 rd parties TLP: GREEN 21

22 Employee Mistakes TLP: GREEN 22

23 2 Computers in the Prison Ceiling Used parts from a computer recycling program Detected July 3, 2015, when contractor s Internet threshold was exceeded Previously tried to access file-sharing sites Looked for ways around the proxies Network cable led to the ceiling Forensic analysis of the hard drives found pornography, articles about making drugs, explosives and credit card fraud 23

24 What Can You Do? Patch Training Backups Harden Systems Update Policies Compliance Scan Systems Encrypt Mobile Devices Take part in information sharing Critical Security Controls 1. Identify authorized and unauthorized devices 2. Inventory authorized and unauthorized software 3. Secure configurations for hardware and software 4. Continuous vulnerability assessment and remediation 5. Controlled use of admin privileges 24

25 About MS-ISAC Membership Free and Voluntary No Mandated Information Sharing One Membership Document Required To join or get more information: 25

26 24 x 7 Security Operations Center Central location to report any cybersecurity incident Support: Network Monitoring Services Research and Analysis Analysis and Monitoring: Threats Vulnerabilities Attacks Reporting: Cyber Alerts & Advisories Web Defacements Account Compromises Hacktivist Notifications To report an incident or request assistance: Phone: soc@msisac.org 26

27 Computer Emergency Response Team Incident Response (includes on-site assistance) Network & Web Application Vulnerability Assessments Malware Analysis Computer & Network Forensics Log Analysis Statistical Data Analysis To report an incident or request assistance: Phone:

28 MS-ISAC Advisories 28

29 Monitoring of IP Range & Domain Space IP Monitoring IPs connecting to malicious C&Cs Compromised IPs Indicators of compromise from the MS-ISAC network monitoring (Albert) Notifications from Spamhaus Domain Monitoring Notifications on compromised user credentials, open source and third party information Vulnerability Management Program (VMP) Send domains, IP ranges, and contact info to: 29

30 Vulnerability Management Program What Data Are We Collecting? Server type and version (IIS, Apache, etc.) Web programming language and version (PHP, ASP, etc.) Content Management System and version (WordPress, Joomla, Drupal, etc.) notifications are sent with 2 attachments containing information on out-of-date and up-to-date systems: Out-of-Date systems should be patched/updated and could potentially have a vulnerability associated with it Up-to-Date systems have the most current patches 30

31 Time-to-Patch % of Patched Word Press Instances Following A New Version 78.65% 80.72% 81.63% 81.69% 81.98% 82.02% 54.60% 59.24% 61.40% 62.70% 64.72% 65.63% Week 1 Week 2 Week 3 Week 4 Week 5 Week

32 Malicious Code Analysis Platform A web based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion Executables DLLs Documents Quarantine files Archives To gain an account contact: mcap@msisac.org 32

33 Monthly Newsletter Distributed in template form to allow for re-branding and redistribution by your agency 33

34 National Webcasts a collaborative effort between DHS and MS-ISAC to provide timely and relevant cybersecurity education and information Cybersecurity While Traveling (February 2017) Cybersecurity Year in Review and 2017 Preview (December 2016) National Cybersecurity Awareness Month Be a Part of Something Big (October 2016) State and Local Roundtable Effective Cyber Disruption Strategies (August 2016) Prioritize Your NIST CSF Implementation with the CIS Critical Security Controls (June 2016) 34

35 Weekly Malware IPs and Domains Automated Threat Indicator Sharing via Anomali To gain an Anomali account contact: 35

36 HSIN Community of Interest Access to: MS-ISAC Cyber Alert Map Archived webcasts & products Cyber table top exercises Guides and templates Message boards Secure Messaging 36

37 Additional Benefits Situational Awareness Resources Insider access to federal information Product and Training Discounts Cybersecurity Exercise Participation Workgroups Hot Topics Webcasts 37

38 Federal Resources Free to State and Locals Cyber Resiliency Review Stop.Think.Connect FedVTE and FedVTE Live! 38

39 MS-ISAC Members in the State of Florida Palm Beach State College Florida Gulf Coast University Tampa Bay Water City of Leesburg City of Jacksonville Beach Orange County Clerk of Courts Greater Orlando Aviation Authority Citrus County Clerk of Courts and Comptroller City of Winter Springs Police Department City of Tallahassee City of Palm Beach Gardens City of Punta Gorda City of Bradenton City of Sarasota Hillsborough County Clerk Lee County Clerk of Courts Leon County Supervisor of Elections City of Winter Park Collier County City of South Daytona City of Atlantic Beach Clay County Utility Authority Miami Dade International Airport Marion County Sheriff's Office City of Venice Marion County Sheriff's Office Florida Orlando Utilities Commission City of West Palm Beach Palm Beach County Tallahassee Community College Broward County Broward County Aviation Department City of Fernandina Beach St. Johns County Tax Collector Town of Palm Beach Collier County Sheriffs Department City of Ocoee City of North Port Miami Dade County City of St. Petersburg Alachua County City of Largo Martin County Clerk of Court and Comptroller City of North Port City of Miramar St. Lucie County Clerk of Circuit Court Clay County Supervisor of Elections Hillsborough County Aviation Authority Hillsborough County Marion County Supervisor of Elections City of Mount Dora Florida Atlantic University Sarasota County City of Orlando City of Pensacola Escambia County City of Miami Beach Sarasota County Sheriff's Office City of Cocoa Beach Manatee County Orange County Palm Beach County Clerk & Comptroller City of Cocoa Charlotte County St. Lucie County City of Tamarac Seacoast Utility Authority City of Sunny Isles Beach Florida Florida State University Clay County Clerk of Circuit Court Miami Dade College 11th Judicial Circuit of Florida City of Lauderhill Lake County Clerk of Courts City of Marco Island Florida International University Village of Palmetto Bay City of Tamarac Leon County Supervisor of Elections City of Sanford University of Central Florida City of Stuart Citrus County Sheriff's Office Osceola County Charlotte County Clerk of Court and County Comptroller Brevard County State of Florida City of Port St. Lucie City of Boynton Beach Marion County Supervisor of Elections Hardee County City of North Port City of North Lauderdale Florida Department of Law Enforcement Martin County City of Lakeland University of West Florida City of Cape Coral City of Fort Lauderdale Charlotte County Sheriff s Office Town of Jupiter City of Tampa Monroe County Sheriff's Office Lee County Port Authority Florida League of Cities University of South Florida Broward County Clerk of Courts Citrus County Supervisor of Elections City of Deltona 39

40 MS-ISAC 24x7 Security Operations Center Andrew Dolan, Director of Stakeholder Engagement Kateri Gill, Program Specialist