Cyber Disruption: Probability and Response Readiness
WSEMA, September 18, 2013
TRANSCRIPT
![Page 1: Cyber Disruption: Probability and Response Readiness WSEMA September 18, 2013](https://reader034.vdocuments.mx/reader034/viewer/2022052522/5513baec55034646298b46c7/html5/thumbnails/1.jpg)
SHORT BIO
• Partner, MK Hamilton and Associates
• CISO, City of Seattle
• Managing Consultant, VeriSign GSC
• Senior Principal Consultant, Guardent
• Independent Security Consultant
• CEO, Network Commerce, Inc.
• Ocean Scientist, NASA/JPL
Don’t Try This
• Enabling Kevin Mitnick
• JPL, SunOS 4.13, and SATAN
• Accessing credit cards
• Oceanographic hacking
• FreeBSD and the FWTK
• The Bad Guys
• Network Commerce Inc.
Security Philosophy
• Assume breach
• Preventive controls not good enough
• Detective controls more imperative as device population grows
• Focus on key assets and event detection
• Mobile security should be carefully evaluated
• Prevention on the "network of things" will not scale
Cyber Meets Emergency Services
• Emergency response driven by IT disruption
• What it would look like
• What we normally do
• How response is different
• What we know now
• How we are addressing the problem
Local Government
Services that affect quality of life, and life
We’d like them to be there
My Perspective
• Credit cards, IP, and Infrastructure
• Hacktivists, organized crime, and nation-states
• Capability, meet intent
Critical Infrastructure Now the Target of Most Attacks
Overall cyber attacks are up, but most dramatically in the last year, the type of attack has shifted away from hacking and financially motivated crime toward cyber espionage focused on critical infrastructure, such as utilities, according to research from communications provider Verizon.
“These aren’t about stealing data and fraud, they’re about deny, disrupt and destroy,” said Bryan Sartin, director of investigative response for Verizon.
In its upcoming Data Breach Investigation Report, a yearly document that is one of the more noteworthy surveys of attacks released to the public, the company found that cyber espionage, once a far lesser component of the attack volume, is now dominating networks.
http://www.federaltimes.com/article/20130227/SHOWSCOUT01/130227002/Critical-infrastructure-now-target-most-attacks
CRITICAL INFRASTRUCTURE
It’s good business sense!
Attack on Fake Control System
Attack on Financial Sector
Telephony Denial of Service
The Tunisian Cyber Army
#OpBlackSummer
Closer to Home
Closer…
Clark County Website Defacement
THREAT PROBABILITY: SIGNIFICANT
How We Handle Disasters
• Preparedness exercises
• EOC Activation
• NIMS: ESF2 and Logistics Branch
• WebEOC and other IT-enabled methods
• Role of the National Guard
• Application of the Stafford Act
What’s Different
• Escalation path not defined
• NIMS difficult to apply
• Fusion Center as coordination point
• No FEMA resource list, etc.
• Mutual-Aid agreements
• Role of the private sector
State of Readiness
• Exercises – Emerald Down, Evergreen, NLE12
• Fusion Center Cyber Analyst ([email protected])
• National Guard and State Response Plan for Significant Cyber Disruption
• CIRCAS
• FEMA resource typing
• FBI cyber task force
• US Attorney Jenny Durkan
PRISEM: Public Regional Information Security Event Management
Regional Asset for Situational Awareness and Common Operating Picture
PRISEM History
• DHS S&T funding to initiate; five grants total
• Participants contribute firewall logs, netflow, botnet alerts (Einstein); arbitrary devices under monitoring
• Commercial SIEM infrastructure at UW APL
• Cities of Seattle, Lynnwood, Bellevue, Kirkland, Redmond; Thurston and Kitsap Counties; Seattle Children’s Hospital, Snohomish PUD
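The slides name PRISEM's inputs (participants' firewall logs, netflow and botnet alerts feeding a shared SIEM) and its purpose (a regional common operating picture), and the earlier "Security Philosophy" slide argues for detective controls over prevention. The following is an added example, not PRISEM's code or the City of Seattle's, of the basic detection value of pooling logs across organisations: a watchlist hit inside one participant is a local alert, while the same indicator seen across several participants is a regional event worth escalating. The log line format, participant names and watchlist addresses (documentation-range IPs) are all constructed for the example.

```python
"""Cross-participant correlation of firewall logs against a shared watchlist.

Added example; PRISEM's real SIEM logic is not shown on the page.
The log format below is an assumption:
    <participant> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
"""
from collections import defaultdict
import re

# Constructed sample events from several participants, plus one malformed
# line to show that unparseable input is skipped rather than crashing the run.
SAMPLE_LOGS = """\
seattle 10.1.4.22 198.51.100.7 443 ALLOW
seattle 10.1.9.5 203.0.113.44 80 ALLOW
bellevue 10.2.7.31 198.51.100.7 443 ALLOW
kirkland 10.3.3.3 192.0.2.10 22 DENY
this line is not a firewall event
redmond 10.4.8.19 198.51.100.7 443 ALLOW
kitsap 10.5.1.1 203.0.113.44 8080 DENY
"""

# Constructed watchlist (documentation-range addresses, not real indicators).
WATCHLIST = {
    "198.51.100.7": "constructed-c2-alpha",
    "203.0.113.44": "constructed-c2-beta",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    participant, src, dst, port, action = m.groups()
    return {"participant": participant, "src": src, "dst": dst,
            "port": int(port), "action": action}


def regional_picture(log_text, watchlist):
    """Aggregate watchlist hits across all participants.

    Returns {indicator_name: {"participants": [...], "allowed": n, "denied": n}}.
    A DENY is still recorded: a blocked connection attempt is evidence of an
    infected host even though the firewall stopped that particular flow.
    """
    hits = defaultdict(lambda: {"participants": set(), "allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dst"] not in watchlist:
            continue
        entry = hits[watchlist[ev["dst"]]]
        entry["participants"].add(ev["participant"])
        if ev["action"] == "ALLOW":
            entry["allowed"] += 1
        else:
            entry["denied"] += 1
    return {name: {"participants": sorted(v["participants"]),
                   "allowed": v["allowed"], "denied": v["denied"]}
            for name, v in hits.items()}


def regional_alerts(picture, min_participants=2):
    """Indicators seen by at least min_participants organisations.

    This is the cross-organisation view a single participant's SIEM cannot
    produce on its own: the same indicator in several members' logs.
    """
    return sorted(name for name, v in picture.items()
                  if len(v["participants"]) >= min_participants)


if __name__ == "__main__":
    pic = regional_picture(SAMPLE_LOGS, WATCHLIST)
    for name in regional_alerts(pic):
        v = pic[name]
        print(f"{name}: seen at {', '.join(v['participants'])} "
              f"(allowed={v['allowed']}, denied={v['denied']})")
```

Raising `min_participants` trades sensitivity for signal: with the constructed data, a threshold of 2 reports both indicators, while a threshold of 3 reports only the one seen at three member organisations.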
PRISEM IN ACTION: HUNT FOR APT1
Before the Real Event
• Conduct more exercises on cyber disruption
• Finish the SCIRP
• Cement the role of the Fusion Center
• Continue working with FEMA
• Conduct outreach to the Private Sector
• Improve information sharing and situational awareness
Benefits of Preparedness
• Improved resilience
• Avoiding cascading failures
• Protect regional infrastructure
• We learn to integrate
Is Cybersecurity a Bubble?
My Contact Information
Michael Hamilton, Chief Information Security Officer
City of Seattle
[email protected]
206.684.7971 (D)