This Could Happen to You! - TML Conference
TRANSCRIPT
sanmarcostx.gov sanmarcostx.gov
An evaluation of the City of San Marcos 2017 phishing
incident that led to the release of 800 employees' W-2s
THIS COULD HAPPEN TO YOU!
• Incident
• Response
• What We Learned
Headline News
Phishing email led to the release of 800 current & former employees' W-2s
Incident
Where it all began….
Red flags
Timeline
• Received notice from two employees in the same department that TurboTax rejected their online tax filing.
• Contacted IRS in reference to the notice; IT began internal correlation between the two employees' computers.
• IT made Risk Manager aware of a potential phishing email that had potentially been replied to by a City employee.
• Following business day, received more notices of online filing rejections from additional employees in different departments.
• IT began an extensive data analysis which resulted in finding that a response to the phishing email was actually sent to the phisher.
• Phishing Incident Identified & City response began.
• Cyber Liability coverage
  – Coverage for data compromise
  – Provided expert legal counsel
  – Employee Identity Theft Protection
Response
• Provided sample employee communications
• Sample employee notification language:
  – Included required wording for Texas residents
  – Affected former employees who had relocated out of state
  – Provided separate requirements for minors
• Worked with IRS to ‘flag’ affected employees
• Recommended affected individuals file a police
report
Outside Legal Counsel
• Finance
• Human Resources
• Information Technology
• City Manager’s Office
• Communications
• Police
City Response Team
• City Leadership
• Department Staff
• Affected City Employees
  – Current
  – Former
• Interviews with the Media
• Social Media
Communications: Get in front of the message
• City Manager’s Office provided initial notification of the incident to employees
• Established an internal single point of contact
• Prepared frequent employee updates
Response
• Cyber Liability Coverage provided one year of identity theft protection service through online monitoring
  – City added an additional 2 years of coverage
• All affected employees (current & former) received notification letters by mail
• Current affected employees received letters in person
• Computer lab set up & staffed by City Response Team for 2 weeks
Identity Theft Protection
• Internal Revenue Service
  – Online
  – In-person
• Employee Assistance Program
Resources
Moving Forward
Steps we have taken to mitigate future incidents
– End User Training
– Email Signatures
– External Source Warning
– O365 Data Loss Prevention Policies
– Online Security Training
– Phishing Test Campaigns
End User Training: In-Person
Awareness Pays Off
…until you hit reply.
O365 sensed fraud
Email Signatures
• Standardization
Benefits:
• Professional appearance across the organization
External Source Warning
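The slide only names the control. As an added example (not the City's configuration), the following Exchange Online PowerShell creates a mail flow rule of the kind the slide refers to: every message that originates outside the tenant gets a subject tag and an HTML banner, so a reply to a stranger who is impersonating a City executive is visibly a reply to an outsider. The rule name, the banner wording and the choice of Enforce mode are assumptions.

```powershell
# Added example, not the City's actual rule. Assumes Exchange Online PowerShell
# (ExchangeOnlineManagement module) and an account with the Transport Rules role.
Connect-ExchangeOnline   # interactive sign-in

# Banner prepended to the body of inbound external mail (wording is an assumption)
$banner = @"
<div style="border:2px solid #c00000;padding:6px;font-family:sans-serif;font-size:12px">
<b>CAUTION: This message came from OUTSIDE the City.</b>
Do not reply with employee, payroll or tax data. Verify any such request by
phone before acting, even if the sender appears to be a City official.
</div>
"@

# Splatting keeps the parameter list readable and lets each setting carry a comment
$rule = @{
    Name                              = "External Source Warning"   # assumed name
    Comments                          = "Tag inbound external mail so staff can spot display-name spoofing"
    FromScope                         = "NotInOrganization"         # sender is outside the tenant
    SentToScope                       = "InOrganization"            # recipient is one of our mailboxes
    PrependSubject                    = "[EXTERNAL] "               # survives preview panes and phones
    ApplyHtmlDisclaimerLocation       = "Prepend"                   # banner at the top of the body
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = "Wrap"                      # if the body cannot be edited (signed/encrypted), wrap it
    Mode                              = "Enforce"                   # use "Audit" first to see what it would hit
}
New-TransportRule @rule

# Confirm the rule is present and enabled
Get-TransportRule -Identity "External Source Warning" |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```

Two caveats a practitioner should keep in mind. First, the rule keys only on FromScope, so mail sent from a compromised internal mailbox, or relayed through an inbound connector that is treated as internal, carries no banner; it is a cue for humans, not a control by itself. Second, newer tenants can also enable Outlook's native external-sender tag with Set-ExternalInOutlook -Enabled $true, which marks the message in the client without altering its body.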
End User Training: Via Email
Microsoft Office 365 Data Loss Prevention Policies
With a DLP policy we can:
• Identify sensitive information across many locations, such as Office 365 emails, SharePoint Online, and OneDrive for Business.
• Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which Exchange takes action.
• Prevent the accidental sharing of sensitive information.
Data Loss Prevention Policy Options:
• U.S. Financial Data
• U.S. Gramm-Leach-Bliley Act (GLBA)
• U.S. Health Insurance Act (HIPAA)
• U.S. Patriot Act
• U.S. Personally Identifiable Information (PII) Data
• U.S. State Breach Notification Laws
• U.S. State Social Security Number Confidentiality Laws
Data Loss Types we selected to encrypt:
• Credit Card Number
• U.S. / U.K. Passport Number
• U.S. Bank Account Number
• U.S. Driver's License Number
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. Social Security Number (SSN)
• ABA Routing Number
• Drug Enforcement Agency (DEA) Number
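The two DLP slides above describe the policy in terms of the compliance center UI. As an added example (not the City's actual policy), the Security & Compliance PowerShell below builds the same thing from the eight sensitive information types listed: a policy covering Exchange, SharePoint and OneDrive, and a rule that encrypts mail carrying any of those types to an external recipient. It goes one step beyond the slide with a second rule for bulk matches, the W-2 spreadsheet case, which blocks unless the sender records a justification. Policy and rule names, the minCount and minConfidence thresholds, and the policy-tip wording are assumptions.

```powershell
# Added example, not the City's actual DLP configuration. Assumes the
# ExchangeOnlineManagement module and an account with Compliance Administrator rights.
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

$policyName = "Sensitive Data - Outbound"   # assumed name

# Built-in sensitive information types, named exactly as the compliance center lists them
$sensitiveTypes = @(
    "Credit Card Number",
    "U.S. / U.K. Passport Number",
    "U.S. Bank Account Number",
    "U.S. Driver's License Number",
    "U.S. Individual Taxpayer Identification Number (ITIN)",
    "U.S. Social Security Number (SSN)",
    "ABA Routing Number",
    "Drug Enforcement Agency (DEA) Number"
)

# One condition entry per type. minCount is how many matches must be present and
# minConfidence is how sure the classifier must be before the rule fires; these
# are the knobs the slide calls "adjust the confidence level". Values are assumptions.
function New-SitConditions([int]$MinCount, [int]$MinConfidence) {
    @($sensitiveTypes | ForEach-Object {
        @{ Name = $_; minCount = "$MinCount"; minConfidence = "$MinConfidence" }
    })
}

# Start in test mode with policy tips so staff see what would have happened;
# switch to Enable once the false-positive rate is acceptable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Protect financial and identity data leaving the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule 1 (what the slide shows): any match sent outside the org is encrypted with the
# built-in Office 365 Message Encryption template named "Encrypt"
New-DlpComplianceRule -Name "$policyName - Encrypt" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation (New-SitConditions -MinCount 1 -MinConfidence 75) `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains personal or financial data and will be encrypted." `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel Medium

# Rule 2 (beyond the slide): ten or more matches, e.g. a file of employee W-2 data,
# is blocked unless the sender supplies a business justification, and reported as high severity.
# Priority 0 makes it evaluate ahead of the encrypt rule.
New-DlpComplianceRule -Name "$policyName - Block bulk" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation (New-SitConditions -MinCount 10 -MinConfidence 75) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyAllowOverride WithJustification `
    -NotifyPolicyTipCustomText "Bulk personal data cannot leave the City without a documented justification." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All `
    -ReportSeverityLevel High `
    -Priority 0

# Review what was created
Get-DlpComplianceRule -Policy $policyName | Format-Table Name, Priority, Disabled
```

One caveat on the encrypt-only design the slide describes: the "Encrypt" template lets the external recipient read the message after signing in or entering a one-time passcode, so it protects against interception and misaddressing but does not stop a user who is deliberately replying to the attacker, which is what happened in this incident. That is why the bulk rule blocks rather than encrypts. When tuning is done, promote the policy with Set-DlpCompliancePolicy -Identity $policyName -Mode Enable.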
Phishing Test Campaigns
Phishing Test Campaigns: Sample Report
Reports will show vulnerability
*KnowBe4 graphic
Training Campaigns
Lessons Learned
• Assume worst-case scenario
• Cyber Liability Coverage
• Single point of contact
• Rapid Response
• Communication, Communication, Communication
– Involve communication department
– Simple, factual and consistent message
– Frequency of message
– Rapidly changing information
– Several employees' 2017 refunds have not been processed.
– Employees with extensions are still filing.
– What will employees experience in filing 2018 taxes?
It's not over yet…
Questions, Comments or Concerns?
Heather Hurlbert – Director of Finance
Linda Spacek – Director of Human Resources
Mike Sturm – Director of Information Technology