Preparing for Cyber Threats Against Your City Andrew Dolan Director of Stakeholder Engagement Kateri Gill Program Specialist Florida League of Cities
State, Local, Tribal, or Territorial Government Entity 2
Multi-State Information Sharing and Analysis Center The MS-ISAC is the focal point for cyber threat prevention, protection, response and recovery for the nation's SLTT governments. 3
Who We Serve MS-ISAC Members include: All 56 US States and Territories All 78 federally recognized fusion centers More than 1,300 local governments and tribal nations State, Local, Tribal, and Territorial Cities, counties, towns, airports, public education, police departments, ports, transit associations, and more 4
3.7 Billion Internet Users as of December 2016 [Pie chart by region; labels: Asia, Europe, Latin Am / Carib, Africa, North America, Middle East, Oceania / Australia; slice values in extraction order: 10%, 9%, 9%, 4%, 1%, 50%, 17%] 5
Why Government? Criminals look for data... and governments have a lot of it! 6
The Value of Stolen Information and the Costs of a Breach
Record Type: Estimated Underground Value per Record (McAfee and World Privacy Forum)
Financial Account: $14-$25
Credit/Debit Card: $4-$5
Medical Account Data: $0.03-$2.42
Full Medical Record with supporting documents: $50
Record Type: Estimated Breach Cost per Record (Ponemon Institute 2016 Report)
Health: $355
Education: $246
Financial: $221
7
Cyber Threat Actors Nation-states Cyber Criminals Hacktivists Insiders TLP: GREEN 8
Nation-State Actors (APT) Political Leverage Competitive Insight Intellectual Capital Cyber Warfare TLP: GREEN 9
Nation-State Spear Phishing Agency Director Agency Deputy Director Work related Expected business need Expected topic Unknown person Government employee Expected business need Implied relationship TLP: AMBER 10
Hacktivists Doxing DDoS Attacks Social, Political & Ideological Agenda Opportunistic System Compromise Targeted Web Defacements TLP: GREEN 11
Common Motives Against SLTTs Alleged Use of Excessive Force by LEO Perceived Injustice Alleged Animal Cruelty by LEO Alleged Offensive Comments Anti-Government Opportunistic TLP: GREEN 12
Cyber Threat Actor Attack Types - 2016 [Pie chart; categories: Compromised Server, DDoS, Data Dump/Breach, Defacement, Doxing, Hoax, Malicious Actor Activity, Scanning, SQLi, XSS; slice values in extraction order: 1%, 1%, 20%, 4%, 7%, 1%, 1%, 7%, 9%, 49%] TLP: AMBER 13
Bitcoin Baron
December 2014 - January 2015: claimed responsibility for 11 DDoS attacks against SLTTs
March 2015: claimed responsibility for 11 DDoS attacks against SLTTs
March 23, 2015: accidentally posts an unrelated charge sheet on Twitter; pulls it offline almost immediately, but not before MS-ISAC sees it!
April 9, 2015: charges announced
Sept 2016: Indicted
TLP: AMBER 14
Cyber Criminals Zeus Locky Financial Motivation Varying Expertise Upatre/ Dyre Vawtrak Bedep Dridex TLP: GREEN 15
Ransomware
Ransomware Infection Vectors
1. Visiting a malicious or compromised site
2. Opening a malicious email attachment
Recent Trends
1. New Variants / TTPs
2. Ransomware-as-a-Service
3. Used in extortion schemes
Prevention Mechanisms
1. Keep your systems patched
2. Keep your AV up-to-date
3. Email filtering
4. End user training and awareness
5. Have backups
16
Los Angeles Valley College
- Los Angeles Valley College had servers compromised by ransomware
- LAVC network, email, and phone systems were brought down
- $28,000 in BTC was paid to restore service
- A claim has been opened with their cybersecurity insurance provider
17
Database Dumps TLP: GREEN 18
Out of 117 Million Passwords:
# of users | password
1,135,936 | 123456
207,488 | linkedin
188,380 | password
149,916 | 123456789
95,854 | 12345678
85,515 | 111111
75,780 | 1234567
51,969 | 654321
51,870 | qwerty
51,535 | sunshine
Total: 2,094,243
Source: PandaLabs Q2 2016 Report
19
Password Reuse: In 2016, Intuit identified that over 40% of accounts taken over by cyber threat actors were accessed through reused credentials. 20
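A password-screening check built from the top-ten list on the previous slide, as an added example that is not part of the original presentation. It generalizes beyond the ten entries to the patterns they represent (digit and keyboard runs, repeated characters, the site's own name, as with "linkedin"); the 8-character minimum, the US keyboard layout and the name `examplecity` are assumptions.

```python
import re

# The ten most common passwords listed on the slide above (PandaLabs Q2 2016).
SLIDE_TOP_TEN = {
    "123456", "linkedin", "password", "123456789", "12345678",
    "111111", "1234567", "654321", "qwerty", "sunshine",
}
# Keyboard rows used to spot runs such as qwerty or 654321 (assumed US layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_sequence(text):
    """True if text is a run along one keyboard row, forwards or backwards."""
    if len(text) < 4:
        return False
    return any(text in row or text in row[::-1] for row in KEYBOARD_ROWS)


def screen_password(candidate, context_words=()):
    """Return a rejection reason, or None if the candidate passes screening."""
    lowered = candidate.lower()
    # Strip trailing digits/symbols so "Password1!" is treated like "password".
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in SLIDE_TOP_TEN or core in SLIDE_TOP_TEN:
        return "on common-password list"
    if len(set(lowered)) == 1:
        return "single repeated character"
    if is_sequence(lowered) or is_sequence(core):
        return "keyboard or digit sequence"
    for word in context_words:
        # Site, agency or user names are the "linkedin" case from the slide.
        if word and word.lower() in lowered:
            return "contains site or user name: " + word.lower()
    if len(candidate) < 8:  # assumed minimum length for this example
        return "shorter than 8 characters"
    return None


if __name__ == "__main__":
    # Constructed sample candidates, not taken from any real dump.
    for pw in ("Password1!", "000000", "ExampleCity2017", "correct horse battery staple"):
        print(repr(pw), "->", screen_password(pw, ("examplecity",)))
```

Screening of this kind addresses guessable passwords only; reused credentials from another site's dump need a separate check against breached-credential data.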
Insiders Revenge Accidental Financial Motivation Power & Control Varying Expertise Guests Former Employees Trusted 3rd parties TLP: GREEN 21
Employee Mistakes TLP: GREEN 22
2 Computers in the Prison Ceiling - 2015
- Used parts from a computer recycling program
- Detected July 3, 2015, when contractor's Internet threshold was exceeded
- Previously tried to access file-sharing sites
- Looked for ways around the proxies
- Network cable led to the ceiling
- Forensic analysis of the hard drives found pornography, articles about making drugs, explosives and credit card fraud
23
What Can You Do? Patch Training Backups Harden Systems Update Policies Compliance Scan Systems Encrypt Mobile Devices Take part in information sharing
Critical Security Controls
1. Identify authorized and unauthorized devices
2. Inventory authorized and unauthorized software
3. Secure configurations for hardware and software
4. Continuous vulnerability assessment and remediation
5. Controlled use of admin privileges
24
About MS-ISAC Membership Free and Voluntary No Mandated Information Sharing One Membership Document Required To join or get more information: https://msisac.cisecurity.org/members/register 25
24 x 7 Security Operations Center Central location to report any cybersecurity incident Support: Network Monitoring Services Research and Analysis Analysis and Monitoring: Threats Vulnerabilities Attacks Reporting: Cyber Alerts & Advisories Web Defacements Account Compromises Hacktivist Notifications To report an incident or request assistance: Phone: 1-866-787-4722 Email: soc@msisac.org 26
Computer Emergency Response Team Incident Response (includes on-site assistance) Network & Web Application Vulnerability Assessments Malware Analysis Computer & Network Forensics Log Analysis Statistical Data Analysis To report an incident or request assistance: Phone: 1-866-787-4722 Email: soc@msisac.org 27
MS-ISAC Advisories 28
Monitoring of IP Range & Domain Space IP Monitoring IPs connecting to malicious C&Cs Compromised IPs Indicators of compromise from the MS-ISAC network monitoring (Albert) Notifications from Spamhaus Domain Monitoring Notifications on compromised user credentials, open source and third party information Vulnerability Management Program (VMP) Send domains, IP ranges, and contact info to: soc@msisac.org 29
Vulnerability Management Program
What Data Are We Collecting?
- Server type and version (IIS, Apache, etc.)
- Web programming language and version (PHP, ASP, etc.)
- Content Management System and version (WordPress, Joomla, Drupal, etc.)
Email notifications are sent with 2 attachments containing information on out-of-date and up-to-date systems:
- Out-of-Date systems should be patched/updated and could potentially have a vulnerability associated with them
- Up-to-Date systems have the most current patches
30
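How version data of this kind can be sorted into the out-of-date and up-to-date lists described above, as an added example that is not MS-ISAC's code. The banners, host names and the "current version" baseline are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed baseline of "current" versions; a real program would refresh it
# from vendor release feeds. These numbers are placeholders, not vendor data.
CURRENT = {"apache": (2, 4, 25), "microsoft-iis": (10, 0),
           "php": (7, 1, 2), "wordpress": (4, 7, 2)}
PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z-]*)[/ ]v?(\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Extract (product, version tuple) pairs from a header or generator string."""
    return [(name.lower(), tuple(int(p) for p in version.split(".")))
            for name, version in PRODUCT_RE.findall(banner)]


def is_current(version, latest):
    """Compare versions after zero-padding, so that 10 equals 10.0."""
    width = max(len(version), len(latest))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(latest)


def build_report(inventory):
    """Split an inventory of {host: [banner, ...]} into the report lists."""
    report = {"out-of-date": [], "up-to-date": [], "unknown": []}
    for host, banners in inventory.items():
        for banner in banners:
            for product, version in parse_banner(banner):
                latest = CURRENT.get(product)
                if latest is None:
                    status = "unknown"  # product not in the baseline
                else:
                    status = "up-to-date" if is_current(version, latest) else "out-of-date"
                report[status].append((host, product, ".".join(map(str, version))))
    return report


# Constructed sample: banners an organization recorded from its own sites.
SAMPLE = {
    "www.city.example": ["Apache/2.4.10 (Debian)", "PHP/5.6.30", "WordPress 4.7.2"],
    "pay.city.example": ["Microsoft-IIS/10", "ASP.NET"],
}

if __name__ == "__main__":
    for status, rows in build_report(SAMPLE).items():
        print(status, rows)
```

A banner that hides its version, such as the bare `ASP.NET` entry, produces no row at all, so an empty out-of-date list does not by itself show that a host is patched.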
Time-to-Patch: % of Patched WordPress Instances Following a New Version
[Chart: two series, 2015 and 2016, over Week 1 to Week 6]
First series: 78.65%, 80.72%, 81.63%, 81.69%, 81.98%, 82.02%
Second series: 54.60%, 59.24%, 61.40%, 62.70%, 64.72%, 65.63%
31
Malicious Code Analysis Platform A web based service that enables members to submit and analyze suspicious files in a controlled and non-public fashion Executables DLLs Documents Quarantine files Archives To gain an account contact: mcap@msisac.org 32
Monthly Newsletter Distributed in template form to allow for re-branding and redistribution by your agency 33
National Webcasts a collaborative effort between DHS and MS-ISAC to provide timely and relevant cybersecurity education and information Cybersecurity While Traveling (February 2017) Cybersecurity Year in Review and 2017 Preview (December 2016) National Cybersecurity Awareness Month Be a Part of Something Big (October 2016) State and Local Roundtable Effective Cyber Disruption Strategies (August 2016) Prioritize Your NIST CSF Implementation with the CIS Critical Security Controls (June 2016) https://msisac.cisecurity.org/webcast/ 34
Weekly Malware IPs and Domains Automated Threat Indicator Sharing via Anomali To gain an Anomali account contact: VMP@cisecurity.org 35
HSIN Community of Interest Access to: MS-ISAC Cyber Alert Map Archived webcasts & products Cyber table top exercises Guides and templates Message boards Secure Messaging 36
Additional Benefits Situational Awareness Resources Insider access to federal information Product and Training Discounts Cybersecurity Exercise Participation Workgroups Hot Topics Webcasts 37
Federal Resources Free to State and Locals Cyber Resiliency Review Stop.Think.Connect FedVTE and FedVTE Live! 38
MS-ISAC Members in the State of Florida Palm Beach State College Florida Gulf Coast University Tampa Bay Water City of Leesburg City of Jacksonville Beach Orange County Clerk of Courts Greater Orlando Aviation Authority Citrus County Clerk of Courts and Comptroller City of Winter Springs Police Department City of Tallahassee City of Palm Beach Gardens City of Punta Gorda City of Bradenton City of Sarasota Hillsborough County Clerk Lee County Clerk of Courts Leon County Supervisor of Elections City of Winter Park Collier County City of South Daytona City of Atlantic Beach Clay County Utility Authority Miami Dade International Airport Marion County Sheriff's Office City of Venice Marion County Sheriff's Office Florida Orlando Utilities Commission City of West Palm Beach Palm Beach County Tallahassee Community College Broward County Broward County Aviation Department City of Fernandina Beach St. Johns County Tax Collector Town of Palm Beach Collier County Sheriffs Department City of Ocoee City of North Port Miami Dade County City of St. Petersburg Alachua County City of Largo Martin County Clerk of Court and Comptroller City of North Port City of Miramar St. Lucie County Clerk of Circuit Court Clay County Supervisor of Elections Hillsborough County Aviation Authority Hillsborough County Marion County Supervisor of Elections City of Mount Dora Florida Atlantic University Sarasota County City of Orlando City of Pensacola Escambia County City of Miami Beach Sarasota County Sheriff's Office City of Cocoa Beach Manatee County Orange County Palm Beach County Clerk & Comptroller City of Cocoa Charlotte County St. Lucie County City of Tamarac Seacoast Utility Authority City of Sunny Isles Beach Florida Florida State University Clay County Clerk of Circuit Court Miami Dade College 11th Judicial Circuit of Florida City of Lauderhill Lake County Clerk of Courts City of Marco Island Florida International University Village of Palmetto Bay City of Tamarac Leon County Supervisor of Elections City of Sanford University of Central Florida City of Stuart Citrus County Sheriff's Office Osceola County Charlotte County Clerk of Court and County Comptroller Brevard County State of Florida City of Port St. Lucie City of Boynton Beach Marion County Supervisor of Elections Hardee County City of North Port City of North Lauderdale Florida Department of Law Enforcement Martin County City of Lakeland University of West Florida City of Cape Coral City of Fort Lauderdale Charlotte County Sheriff's Office Town of Jupiter City of Tampa Monroe County Sheriff's Office Lee County Port Authority Florida League of Cities University of South Florida Broward County Clerk of Courts Citrus County Supervisor of Elections City of Deltona 39
MS-ISAC 24x7 Security Operations Center 1-866-787-4722 SOC@cisecurity.org Andrew Dolan, Director of Stakeholder Engagement Kateri Gill, Program Specialist info@msisac.org