LATE PPP Item No. 10 Ops 2018 OCSD Cybersecurity

OCSD Cyber Security Update

Introductions
• John Swindler, IT Systems & Operations Manager
• Sang Paik, Principal IT Analyst
• Man Nguyen, IT Analyst III

Agenda
• Cyber Trends - The Changing Face of IT Security in the Government Sector
• Accomplishments
  • Security Assessments
  • Defense in Depth strategy
  • Security Awareness Program
• Underway
  • Incident Response
  • Top 20 Critical Security Controls
  • Shifting from Prevention to Detection & Response
  • Sensitive Data Classification & Handling Policy
• Summary of Security Best Practices

Cyber Trends (news clippings shown on the slide)

[Clipping, The Wall Street Journal] Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say. Blackouts could have been caused after the networks of trusted vendors were easily penetrated. Officials of the Department of Homeland Security said hackers have reached the control rooms of U.S. electric utilities. PHOTO: ANDREW HARRER/BLOOMBERG NEWS

[Clipping, The New York Times] 'Warning Lights Are Blinking Red,' Top Intelligence Officer Says of Russian Attacks. The comments by Dan Coats, the director of national intelligence, demonstrate the persistent divisions within the Trump administration on Russia. Al Drago for The New York Times.
WASHINGTON
The nation's top intelligence officer said on Friday that the persistent danger of Russian cyberattacks today was akin to the warnings the United States had of stepped-up terror threats ahead of the Sept. 11, 2001, attacks. "The warning lights are blinking red again," Mr. Coats said as he cautioned of cyberthreats. "Today, the digital infrastructure that serves this country is literally under attack."

NCCIC (National Cybersecurity & Communications Integration Center) Awareness Briefing: Russian Activity Against Critical Infrastructure, 7/23/18 (TLP:WHITE)

Campaign Summary
• HUNDREDS of victims
  • Energy (focus)
  • Nuclear, Aviation, Critical manufacturing
  • Government entities
• Tradecraft
  • Vendor compromised - remained dormant > year
  • Vendor victim leveraged to phish U.S. utilities
  • Credential harvesting through remote SMB
  • Tools used were available on GitHub (Mimikatz, CrackMapExec, Angry IP, Hydra, etc.)
• Recommendations
  • Block all external SMB traffic
  • Require multi-factor authentication for all external interfaces
  • Continual monitoring of behaviors

[Figure: redacted screenshot of a turbine/generator control-system HMI (control mode, main fuel valve, turbine, combustor, generator, utility/generator sync and pump panels), as shown in the DHS briefing]

The DNC Hack

[Screenshot of the phishing email] Google - Someone has your password. Hi William, Someone just used your password to try to sign in to your Google Account <redacted>@gmail.com. Details: Tuesday, 22 March, 14:9:25 UTC. IP Address: 134.249.139.239. Location: Ukraine. Google stopped this sign-in attempt. You should change your password immediately. [CHANGE PASSWORD] Best, The Gmail Team

[Screenshot of the reply]
From: Charles Delavan <cdelavan@hillaryclinton.com>
Date: March 19, 2016 at 9:54:05 AM EDT
To: Sara Latham <slatham@hillaryclinton.com>, Shane Hable <shable@hillaryclinton.com>
Subject: Re: Someone has your password
Sara, This is a legitimate email. John needs to change his password and ensure that two-factor authentication is turned on his account. He can go to this link: https://myaccount.google.com/security to do both. It is absolutely imperative that this is done ASAP.

DNC Hack - lessons
• Phishing is the targeted method in 90% of APTs
• Invest in phishing education
• Invest in phishing filters in the email gateway
• Create a playbook for responding to phishing
• Admin credentials are critical resources; adopt privileged account and session management
• Restrict the usage of PowerShell

Security Risk Assessment
• DHS Assessment
  • Design Architecture Review (DAR)
  • Network Architecture Verification and Validation (NAVV)
• Microsoft Active Directory Security
• Microsoft Security Incident Management
• Microsoft Securing Lateral Account Movement
• CIS Top 20 Security Controls

Defense in Depth
• Network Firewall
• Intrusion Prevention System
• Web Filtering Gateway
• Next-gen Antimalware
• Patch Management
• Backups
• Security Awareness Training

Threat Intelligence
• FireEye iSight Intelligence
• Water Information Sharing and Analysis Center (WaterISAC)
• Municipal Information Systems Association of California (MISAC)
• National Cybersecurity and Communications Integration Center (NCCIC)
• Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
• Multi-State Information Sharing and Analysis Center (MS-ISAC)

Social Engineering
Are You Being Manipulated? -- understand the lures -- Greed, Curiosity, Self Interest, Urgency, Fear, Helpfulness

Business Email Compromise
• 91% of cyberattacks start with email
• 5-20% of emails are suspicious
• 50 to 80% increase in attacks each quarter
• 2,370% increase in losses due to BEC
Headlines shown on the slide:
• Insurer Slapped With $2.2 Million HIPAA Settlement
• The Perfect Weapon: How Russian Cyberpower Invaded the U.S.
• Everyone Is Falling for This Frighteningly Effective Gmail Scam
• Russian hackers targeted just one Yahoo employee in order to breach 500M accounts
• [Company name illegible] HR employee sends W-2 forms for all 2016 employees to an attacker posing as CEO
• Seagate sued by its own staff for leaking personal info to identity thieves
Sources: VALIMAIL, PhishMe, Proofpoint's Human Factor Report, FBI

What are we currently detecting?
[Chart: daily counts of "Email malware" and "Email phish" detections, 07/02 through 09/10, log scale 1 to 100]
• Phishing emails per day: 100+ average
• 1 in every 101 emails had malicious intent

Security Awareness & Training Program
• Several phishing security tests per month
• Quarterly security training videos
• Post cyber security best practices & tips
• Implemented Industrial Control Systems (ICS) Engineer Security Training

Simulated Phishing Emails
[Screenshots: an Outlook message titled "Breaking: Putin Admits Deliberate Russian Hacking of U.S. Presidential Election"; the Phish Alert confirmation dialog "Report email as a phishing email - Are you sure you want to report this as a phishing email? Yes / No / Do not show confirmations again"; and the result "Thank you! Congratulations! The email you reported was a simulated phishing attack initiated by OCSD security. Good job!"]

Simulated Phishing Email Review
From: NBC News <alerts@nbcnew.com>
Reply-to: NBC News <alerts@nbcnew.com>
Subject: Breaking: Putin Admits Deliberate Russian Hacking of U.S. Presidential Election
NBC NEWS BREAKING NEWS: Putin Admits Deliberate Russian Hacking of U.S. Presidential Election. The shocking news was announced on a Russian State broadcast this morning. Putin says the hacking was orchestrated to ensure diplomatic ties would be strengthened between the U.S. and Russia. "Trump is a old friend of mine and I can trust him," he said publicly. READ MORE
This email was sent to: MNguyen@OCSD.COM. This email was sent by: NBC News. One Click Unsubscribe | Manage Your Subscription Preferences

[Landing page after clicking] Oops! You clicked on a simulated phishing test. Remember these three Rules to Stay Safe Online.
• Stop, Look, Think!
• Use that delete key
• Verify suspicious email with the sender via a different medium
• "When in doubt, throw it out."
There are a thousand ways that internet criminals will try to scam you, and only one way to stay safe: Stay alert as YOU are the last line of defense!

Simulated Phishing Report
Phishing Security Tests, 03/25/2018 - 09/25/2018: 181 Clicks, 0 Replies, 0 Attachment Open, 0 Macro Enabled, 0 Data Entered, 3063 Reported
Industry Benchmark Data: Your last Phish-Prone %: 0.3%; Industry Phish-Prone %: [value unreadable]; Industry: Government; Company Size: Medium (250-1000 users); Program maturity: 90 Day
[Chart: bars for Clicks, Replies, Attachment Open, Macro Enabled, Data Entered, Exploited, Reported (0-480) with Phish-Prone % line (0%-16%)]

Industrial Control Systems Engineer Security Training
Training Modules - ICS Security Awareness Training
• Overview of ICS
• ICS Drivers and Constraints
• Overview of ICS Attacks
• ICS Attack Surfaces
• ICS Server Security
• ICS Network Security
• ICS System Maintenance
• ICS Information Assurance
• ICS Incident Handling
• Attack Scenario

What is Incident Response?
• Organized approach to handle a cyber attack
• Goal is to limit damage, recovery time and costs
• Ponemon Institute estimates an average breach cost of $3.5 million in 2017

Incident Response - cost examples (headlines shown on the slide)
• Atlanta spent $2.6M to recover from a $52,000 ransomware scare
• Atlanta ransomware attack may cost another $9.5 million to fix. It also affected some 'mission critical' services.
• Cyberattack cost OCTA $660,000 to fix, held servers for ransom
[Photo caption: Atlanta's Mayor Keisha Lance Bottoms speaks at a press conference in Atlanta, Thursday, Jan. 4, 2018. David Goldman/AP]

Need help? Who to call
• FBI
• Department of Homeland Security
• Mandiant
• Cylance Incident Containment Team
• Microsoft

CIS Controls
Basic CIS Controls
• 1 Inventory and Control of Hardware Assets
• 2 Inventory and Control of Software Assets
• 3 Continuous Vulnerability Management
• 4 Controlled Use of Administrative Privileges
• 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
• 6 Maintenance, Monitoring and Analysis of Audit Logs
Foundational CIS Controls
• 7 Email and Web Browser Protections
• 8 Malware Defenses
• 9 Limitation and Control of Network Ports, Protocols and Services
• 10 Data Recovery Capabilities
• 11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
• 12 Boundary Defense
• 13 Data Protection
• 14 Controlled Access Based on the Need to Know
• 15 Wireless Access Control
• 16 Account Monitoring and Control
Organizational CIS Controls
• 17 Implement a Security Awareness and Training Program
• 18 Application Software Security
• 19 Incident Response and Management
• 20 Penetration Tests and Red Team Exercises

Best Practices
• Defense in Depth strategy
• Security Training & Awareness programs
• Patch Management processes
• Backups - 3-2-1 strategy
• Critical Security Controls & Frameworks
• Incident Response
• Sensitive Data Classification & Handling Policy
• Develop close relationship with OT

Questions?

[Appendix: SANS poster "Security Operations Center (SOC) Essential Functions" - "Learn how to design, build, operate, and mature a Security Operations Center (SOC)", course MGT517: Managing Security Operations: Detection, Response, and Intelligence, www.sans.org/MGT517. The poster diagrams a SOC's functions (Network Security Monitoring, Threat Intelligence, Incident Response, Forensics, Command Center, Self Assessment, Vulnerability Assessment, Penetration Testing, Configuration Management) and carries sections titled "Building a SOC: What do you need to consider when utilizing a Managed Security Service Provider (MSSP) or building a SOC in house?" (Outsourcing Pros, Outsourcing Cons, MSSP Onboarding Checklist, Organizational Requirements, Hiring Standards, Communication Tools) and "Getting C-Level Support to Ensure a High-Impact SOC Rollout"; the body text of these sections is illegible in the scan.]