Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.
Presentation transcript:


Case Study Agenda
- Data Breach: A Targeted Attack
- State Response
- Lessons Learned

Data Breach: A Targeted Attack
The attack chain, in the order it unfolded:
1. Attacker gained access through phishing and obtained privileged user credentials.
2. Attacker logged into the network via a Citrix gateway using valid credentials.
3. Attacker maneuvered laterally within the network to identify potential targets.
4. Attacker accessed a database server and copied/compressed targeted files.
5. Attacker FTPd the files from the agency network.

Data Breach: A Targeted Attack  The attacker compromised a total of 44 systems  The attacker used at least 33 unique pieces of malicious software and utilities to perform the attack and data theft activities  The attacker remotely accessed DOR using at least four IP addresses  The attacker used at least four valid DOR user accounts during the attack.  This activity occurred over a period of 60 days  SCDOR learned of the breach after being notified by law enforcement Nearly two-thirds of organizations learn they are breached from an external source. Source: Mandiant 4

Data Breach: A Targeted Attack
- On average, it is taking companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it. (Source: Ponemon Institute)
- In 2012, 38% of targets were attacked again once the original incident was remediated. Of the total cases Mandiant investigated in 2012, attackers lodged more than one thousand attempts to regain entry to former victims. (Source: Mandiant)

Data Breach: A Targeted Attack
Due to the breach, the following were compromised:
- 3.8 million Social Security Numbers
- 400k Credit Card Numbers

- Avg. Cost Per Breached Record: $194
- Avg. Cost of Data Breach for an Organization: $5.5 million
(Source: Ponemon Institute)

State Response: Executive Order #1 – October 26, 2012
Order: State Inspector General to determine the state security posture and how to improve it.
- Interviews conducted, surveys completed
- Immediate steps provided to help prevent attacks; 11 recommendations
KEY FINDINGS:
1. Develop/implement a statewide info management security program.
2. Establish a federated model for governance.
3. Implement a CISO position to lead program development.
4. Hire a consultant to help the state develop an INFOSEC program.

State Response: Executive Order #2 – November 14, 2012
Order: All 16 cabinet agencies to use DSIT monitoring services.
- Monitor cabinet agencies on a 24x7 basis
- Upgrade tools and improve level of monitoring
- Work with agencies to be more proactive; stop flow of traffic if necessary

State Response
Senate and House established cyber security sub-committees.
Senate Bill 334:
- Extends Identity Theft Protection (credit monitoring) up to 10 years
- Provides tax credits for individuals who choose to purchase independent identity theft protection and not be covered under the State's plan
- Creates an Identity Theft Unit within the Department of Consumer Affairs
- Creates a Division of Information Security within the Budget and Control Board; the Chief Information Security Officer is appointed by the Governor with the advice and consent of the Senate
- Creates a Technology Investment Council (plans, standards and architecture)
- Creates a Joint Information Security Oversight Committee (monitors laws, best practices)

State Actions: RFP Issued
- December 2012 – State Budget and Control Board authorized RFP to hire a security expert to help the State develop an enterprise security program; agency assessments
- May 1 – Identify most serious vulnerabilities and provide recommendations; budget estimates
- Develop security framework, governance structure, policies/procedures, training requirements

Lessons Learned
1. Management of security needs to be more centralized in SC.
2. Overall, state agencies recognize the need to improve their cyber security program.
3. Attacks are becoming more frequent and aggressive; state governments are a target.
4. We need to work together; share information.
5. Funding is a key challenge (state governments average 1 to 2% of IT spend on security; the financial sector is approx. 6%).
6. Staffing is a key challenge (50% of state security organizations have 1-5 employees; the GFSI Study shows 47% have > 100 employees).
7. State agencies must do more to share status/security position with Leadership.

Questions & Comments
Jimmy Earley, Division Director
Division of State Information Technology
Phone: (803)