Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013


Case Study Agenda

• Data Breach: A Targeted Attack
• State Response
• Lessons Learned

Data Breach: A Targeted Attack

Attacker FTP'd the files from the agency network.

Attacker accessed a database server and copied/compressed targeted files.

Attacker logged into the network via a Citrix gateway using valid credentials.

Attacker maneuvered laterally within the network to identify potential targets.

Attacker gained access through phishing and obtained privileged user credentials.


Data Breach: A Targeted Attack

• The attacker compromised a total of 44 systems.
• The attacker used at least 33 unique pieces of malicious software and utilities to perform the attack and data theft activities.
• The attacker remotely accessed DOR using at least four IP addresses.
• The attacker used at least four valid DOR user accounts during the attack.
• This activity occurred over a period of 60 days.
• SCDOR learned of the breach after being notified by law enforcement.

Nearly two-thirds of organizations learn they are breached from an external source.

Source: Mandiant


Data Breach: A Targeted Attack

On average, it is taking companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it.

Source: Ponemon Institute

In 2012, 38% of targets were attacked again once the original incident was remediated. Of the total cases Mandiant investigated in 2012, attackers lodged more than one thousand attempts to regain entry to former victims.

Source: Mandiant


Data Breach: A Targeted Attack

Due to the breach, the following were compromised:

• 3.8 million Social Security Numbers
• 400k Credit Card Numbers


Avg. Cost Per Breached Record: $194

Avg. Cost of Data Breach for an Organization: $5.5 million

Source: Ponemon Institute


State Response: Executive Order #1 – October 26, 2012

Order: State Inspector General - Determine state security posture & how to improve it

Interviews conducted, surveys completed

Immediate steps provided to help prevent attacks; 11 recommendations

KEY FINDINGS:

1. Develop/implement a statewide info management security program.
2. Establish a federated model for governance.
3. Implement a CISO position to lead program development.
4. Hire a consultant to help the state develop an INFOSEC program.


State Response: Executive Order #2 – November 14, 2012

Order: All 16 cabinet agencies to use DSIT monitoring services

Monitor cabinet agencies on a 7x24 basis

Upgrade tools and improve level of monitoring

Work with agencies to be more proactive; stop flow of traffic if necessary


State Response

• Senate and House established cyber security sub-committees
• Senate Bill 334
– Extends Identity Theft Protection (credit monitoring) up to 10 years
– Provides tax credits for individuals who choose to purchase independent identity theft protection and not be covered under the State’s plan
– Creates an Identity Theft Unit within the Department of Consumer Affairs
– Creates a Division of Information Security within the Budget and Control Board
  • Chief Information Security Officer is appointed by the Governor w/ the advice and consent of the Senate
– Creates a Technology Investment Council
  • Plans, Standards and Architecture
– Creates a Joint Information Security Oversight Committee
  • Monitor laws, best practices


State Actions: RFP Issued

December 2012 – State Budget and Control Board authorized RFP

Hire a Security Expert to help the State develop an enterprise security program; agency assessments

May 1 – Identify most serious vulnerabilities and provide recommendations; budget estimates

Develop security framework, governance structure, policies/procedures, training requirements


Lessons Learned

1. Management of security needs to be more centralized in SC
2. Overall, state agencies recognize the need to improve their cyber security program
3. Attacks are becoming more frequent and aggressive – state governments are a target
4. We need to work together; share information
5. Funding is a key challenge (state governments average 1 to 2% of IT spend on Security; financial sector is approx. 6%)
6. Staffing is a key challenge (50% of state security organizations have 1-5 employees; GFSI Study shows 47% have > 100 employees)
7. State agencies must do more to share status/security position with Leadership

Questions & Comments

Jimmy Earley, Division Director
Division of State Information Technology

Phone: (803) 896-0222
Email: [email protected]