TODAYS PUBLIC SECTOR


cecilia
Uploaded On 2021-06-15


Presentation Transcript

TODAY’S PUBLIC SECTOR THREAT LANDSCAPE
AGENCY CHALLENGES, LESSONS LEARNED, THE PATH FORWARD
BEN SMITH, CISSP, CRISC
FIELD CTO (US EAST)
@BEN_SMITH

Agenda
• The four threat actor categories
• Public sector attacks & impact
• Things to think about in your agency
• Additional resources

SAMPLE REFERENCE – “Hunting for Sharks’ Teeth (and Other IOCs)” https://blogs.rsa.com/hunting-sharks-teeth-iocs/

RSA’s portfolio

Four Categories of Attackers
• Cybercriminals
• Nation-States
• “Hacktivists”
• Cyber-Terrorists

Cybercriminals
• Largely financially motivated
• Typically target PII, PCI, financial services, retail
  - PII (personally identifiable information); PCI (payment card industry)
• Large attack scale
  - Example: thousands of spam emails...and just one end-user click needed
• Cybercrime is a proven business model
  - Organized, sophisticated supply chains
  - “Affiliate” models
  - Ransomware-as-a-service

Nation-States
• Targets
  - Government, defense industrial base (DIB), IP-rich organizations
  - Decision-making intelligence, other business logic, executive emails
• Well-researched, narrowly-targeted attacks
  - Executive spear-phishing
  - Watering holes - “VOHO,” researched & published by RSA FirstWatch
  - Expatriates - “GlassRAT,” researched & published by RSA Research

Will Gragido, “Lions at the watering hole – the “VOHO” affair” [2012] https://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/
Peter Beardmore, “Peering into GlassRAT” [2015] https://blogs.rsa.com/peering-into-glassrat/

Hacktivists
• Targets

  - Political targets of opportunity
  - All verticals
• Goals
  - Further social and political interests
  - Mass disruption, mercenary
• Can be well-researched and/or large-scale
• Largely “doxxing” activity and website defacement

Cyber-Terrorists
• ISIL desires to recruit cyber talent
  - Appeals (both overt and covert) to young, tech-savvy individuals
  - Mention of a “cyber-caliphate” has been noted in ISIL communications
• Current activities appear to be limited to account takeover, website defacement, and “doxxing”
• Unsuccessful power grid attacks have been attributed to ISIL by the US Government
  - “Embracing the most convenient attack, rather than the largest or most gruesome one”
  - “Low-level attacks of opportunity”

POLITICO’s Joseph Marks, “ISIL aims to launch cyberattacks on U.S.” [December 2015] http://www.politico.com/story/2015/12/isil-terrorism-cyber-attacks-217179

The CIA Triad
Integrity
• Indiana county government shut down by ransomware to pay up
• City, streetcar project scammed for $3.2 million
• Ransomware Hackers Blackmail U.S. Police Departments
• E-mail phishing caused county to lose $566,000
• DHS: Over 300 incidents of ransomware on federal networks since June
• 756,000 Warned As L.A. County Workers Fall For Phishing Attack
• City of Sarasota's system hacked by ransomware, data held hostage
• Hackers hit D.C. police closed-circuit camera network, city officials disclose

2016 Deloitte-NASCIO Cybersecurity Study [32pp]

Hacktivists
• “Early last year, hackers launched a cyberattack against the state of Michigan’s main website to draw attention to the Flint water crisis. In May, they targeted North Carolina government websites to protest a controversial state law requiring transgender people to use bathrooms that match the sex on their birth certificate. And in July, they took aim at the city of Baton Rouge’s website after the fatal police shooting of a black man.”

[Chart: Hacktivist incidents directed against U.S. state and local governments, as tracked by MS-ISAC. Values: 160, 65. Years: 2015, 2016.]

‘Hacktivists’ Increasingly Target Local and State Government Computers

Nation-States
• “OPM first announced in early June [2015] that the background investigation records of millions of current, former and prospective federal employees and contractors had been stolen in a cyber intrusion that started in early 2014. In mid-June, the agency disclosed a second larger attack that targeted information for millions more Americans who applied for security clearances.”

OPM Hack: Government Finally Starts Notifying 21.5 Million Victims; Inside the Cyberattack That Shocked the US Government

Have You Thought About…
1. Third-party accounts & access to your network
2. Personal email accounts associated with your executives
3. Risks associated with traveling laptops, phones, personnel
   - While away from the agency, after returning to the agency
4. States/provinces and localities with selective purchasing legislation
   - Targets for hacktivists, foreign entities, “patriotic hackers”
5. What type(s) of visibility do you have within your own agency?

Situational Awareness is not an “Easy Button”
The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation [241pp]
• Comprehensive visibility must include full packet capture
• Reactive behavior vs. proactive hunting for adversaries

Additional Public Sector Resources
• Local Government Cyber Security: Getting Started (A Non-Technical Guide) [16pp]
• Cybersecurity Guide for State and Local Law Enforcement [61pp]
• ICMA Survey Research: Cybersecurity 2016 Survey [12pp]
• 2016 Deloitte-NASCIO Cybersecurity Study [32pp]; 2014 Deloitte-NASCIO Cybersecurity Study [32pp]; 2012 Deloitte-NASCIO Cybersecurity Study [40pp]
• State of the States on Cybersecurity [42pp]
• State Cybersecurity Resource Guide [60pp]
  - Weekly WebEx “Lunch and Learn” session
  - Statewide cyber exercises for locals, tribes and private sector
  - Kids Cyber Awareness Poster contest
  - “CyberGirlz” workshops to prepare middle- and high-school girls for careers in cybersecurity
  - Food For Thought: Cyber Security Awareness Food Truck Rally
  - “Ask a Hacker” video series
  - Publicize Cyber Security Awareness Month on highway billboards
  - Disabled Veteran Cyber Apprenticeship Program
  - “Spot the Security Gap” Game
• A recent one-hour panel covered…
  - Budget constraints associated with maintaining a cyber framework
  - Evaluating cybersecurity vendors
  - Artificial intelligence’s role in cybersecurity
  - Cultivating cyber talent

Federal News Radio: In Focus: Threat intelligence in the private and public sectors
• Ron Carback, Defense Intelligence Officer for Cyber at the Defense Intelligence Agency
• Tim Ruland, Chief Information Security Officer at the U.S. Census Bureau
• Shaun Khalfan, Chief Information Security Officer at U.S. Customs and Border Protection
• Dr. Zully Ramzan, Chief Technology Officer at RSA

Defend Yourself…Wisely!
Visibility, Identity, Risk, Fraud

The RSA Portfolio
• Triple the impact of your existing security team: NETWITNESS SUITE
• Accelerate business while mitigating identity risk: SECURID SUITE
• Know which risk is worth taking: ARCHER SUITE
• Take command of your evolving security posture: RISK & CYBER SECURITY PRACTICE
• Act faster than the speed of fraud: FRAUD & RISK INTELLIGENCE SUITE

Incident Response Retainer, Incident Discovery, Incident Response, IR Hunting Services, Breach Management
Advanced SOC Design & Implementation Future State Design, Technology Acquisition, Advanced SOC Implementation, Residencies, Education Services
Incident Management Program Development Incident Management Lifecycle Development, Threat Detection, Use Case Development, Metrics and KPI Modeling
Cyber Threat Intelligence Program Development, Portal Implementation & Customization, Threat Research
Security Readiness and Strategy Current State & Gap Analysis, Maturity Modeling, NIST CSF Roadmap Development
Advanced Cyber Defense (ACD)

The RSA Portfolio
Archer, SecurID, NetWitness, Fraud & Risk Intelligence
Take command of your evolving security posture: RISK & CYBER SECURITY PRACTICE

[Diagram labels: Secure your Infrastructure Endpoint Data Security Network NSX Data Isolated Recovery Improve your Response Done With You Do It Yourself Translate to Business Risk All Risk Cloud]
DELL TECHNOLOGIES: SECURITY TRANSFORMATION

BEN SMITH CISSP CRISC RSA FIELD CT