Public Facilities and Cyber Security
Mike Hamilton
28 September 2018
Critical Infrastructure
On Terrorism
- DHS is your SSA (Sector-Specific Agency)
- No sector-specific plan apart from the NIPP (National Infrastructure Protection Plan)
- DHS will evaluate your physical security for free
- CSA (Cybersecurity Advisor) program, a local resource
- Free services from the Department of Homeland Security
Public Sector Facilities
- Operate as a business, with back-office IT
- Conduct financial transactions
- Are subject to some regulatory requirements
- Operate cameras, access card readers, and likely mobile devices
- House records that may meet the state's definition of a data breach if disclosed
- Provide connectivity services for attendees
- May facilitate communication with law enforcement
- May act as an emergency shelter in a disaster
Three Categories of Bad Outcomes
- Records disclosure
- Theft of funds or information
- Critical service disruption
Extra For Public Facilities
- Surveillance/compromise of attendees
- "Evil Twin" attack (a rogue access point impersonating the venue's Wi-Fi)
Financial Impacts
- Records breach: $200/record
- Theft: $75K-$1.2M in our region, multiple millions elsewhere
- Disruption: loss of business continuity or operating capacity; loss of life for critical services
Bonus Bummers
- FTC: deceptive trade practices
- Claims of executive negligence
- Class-action suits
Threat Actors
- Unsophisticated criminals of opportunity
- Insiders
- Hacktivists
- Organized crime
- Nation-states
- Terrorists
- Hybrids
Preventive Controls: Threat Actors are Good at Defeating These
- Firewall: exists to poke holes in the network
- URL filtering: only as good as the reputation list
- E-mail security: also reputation- and signature-based
- Intrusion Prevention System: automatic blocking can have unintended effects
- Anti-virus / endpoint security: about 30% effective
- User training: best use of limited funding, but not perfect
Detective Controls
- Intrusion detection system
- Log aggregation and review:
  - Active Directory / Domain Controller
  - Critical / valuable servers
  - DNS traffic
- Security Information and Event Management
- Managed Detection and Response
How Malware Works
- Victim hits a bad website, opens a bad attachment, or inserts a bad USB drive
- Small binary drops, via a vulnerability exploit or the user's admin privileges
- Binary beacons out to the command-and-control network
- Actual payload drops, to:
  - Send spam
  - Install a backdoor
  - Monitor keystrokes
  - Seek out and steal data or records
  - Encrypt and extort
  - Etc.
- Can be a broad, unspecific attack or highly targeted
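The beacon step above is what the "DNS traffic" item under Detective Controls is meant to catch: an implant that checks in with its command-and-control server on a fixed timer leaves a regular rhythm in the resolver logs. The following is an added illustration, not code from the talk or from Critical Informatics; it assumes a simplified, constructed log format (epoch time, client IP, queried name) and flags client/domain pairs whose query gaps are unusually regular.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample resolver log (hypothetical format: epoch, client, name).
# One host queries a single name every 60 s; everything else is ordinary traffic.
SAMPLE_DNS_LOG = """\
1538100000 10.0.5.23 www.example.org
1538100004 10.0.5.23 cdn.example.net
1538100060 10.0.5.23 update.c2-placeholder.test
1538100120 10.0.5.23 update.c2-placeholder.test
1538100180 10.0.5.23 update.c2-placeholder.test
1538100240 10.0.5.23 update.c2-placeholder.test
1538100300 10.0.5.23 update.c2-placeholder.test
1538100333 10.0.5.23 mail.example.org
1538100360 10.0.5.23 update.c2-placeholder.test
1538100410 10.0.5.40 www.example.org
1538100420 10.0.5.23 update.c2-placeholder.test
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Return (timestamp, client, name) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((int(m.group(1)), m.group(2), m.group(3)))
    return records


def find_beacons(records, min_queries=5, max_jitter=0.2):
    """Map (client, name) -> average interval in seconds for pairs that were
    queried at least min_queries times with near-constant spacing.
    Regularity is the coefficient of variation of the gaps between successive
    queries; implants often add jitter, so max_jitter is a tuning knob."""
    by_pair = defaultdict(list)
    for ts, client, name in records:
        by_pair[(client, name)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg)
    return hits
```

Run against real resolver logs, a hit is a lead for review, not a verdict: software updaters and monitoring agents also poll on timers, so the flagged name still has to be checked against known-good infrastructure.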
What We've Covered So Far
- An inventory of critical information technology assets
- An analysis of outcomes we'd like to avoid
- The estimated cost of those outcomes
- A review of regulatory requirements we must meet
- A review of the capabilities and motivations of threat actors that are likely to exploit our vulnerabilities
- An examination of possible controls to deploy
What's Left
- Identifying your vulnerabilities
- Estimating how likely each can be exploited
- Selecting the appropriate controls
- Budgeting
- Procurement
- Deployment
- Operation and maintenance
How do I know what's required, reasonable and achievable?
Key Questions
- How likely is it that any of those threat actors have the capability, motivation, and opportunity to create a bad outcome?
- What controls are necessary, appropriate, and affordable to reduce that risk?
- What are the regulatory responsibilities?
Figuring That Out
- The NIST Cybersecurity Framework
Our stuff keeps your stuff from becoming their stuff
Michael.Hamilton@Criticalinformatics.com
The IT Security news blast: https://criticalinformatics.com/it-security-news/