A Different Type of State Emergency: Cyber!

Deborah Blyth, Chief Information Security Officer, State of Colorado Governor’s Office of Information Technology


Aug 14, 2020

Transcript
Page 1

A Different Type of State Emergency: Cyber!

Deborah Blyth

Chief Information Security Officer, State of Colorado Governor’s Office of Information Technology

Page 2

Overview

• CDOT Cyber Incident
  - Details of the ransomware attack
  - Key response partners
  - Recommendations for incident response

• Communications Lessons Learned

• Audience Questions

PREPARE ∙ PROTECT ∙ PARTNER

Page 3

Details of the Attack

• Attacker discovered system (virtual server) on the internet

• Brute force attack (account compromise)
  - Started the day the server came online
  - Server was compromised within 48 hours
  - 40,000 password attempts

• Virtual server connected the cloud service to the CDOT network

• Attacker installed and launched the SamSam ransomware within CDOT
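The pattern on this slide, a newly exposed server taking thousands of failed logins and then a successful one, is the signal an authentication-log detection should raise. The following is an added example and not part of the presentation; the log format, the sample lines and the find_compromises function are constructed for illustration.

```python
"""Added example (not from the presentation): flag brute-force account
compromise in authentication logs, i.e. a successful login preceded by a
burst of failures from the same source against the same account.
The log format and the sample lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <FAIL|OK> user=<u> src=<ip>"
SAMPLE_LOG = """\
2018-02-19T03:14:07Z FAIL user=admin src=203.0.113.5
2018-02-19T03:14:08Z FAIL user=admin src=203.0.113.5
2018-02-19T03:14:09Z FAIL user=admin src=203.0.113.5
2018-02-19T03:14:10Z FAIL user=admin src=203.0.113.5
2018-02-19T03:14:11Z FAIL user=admin src=203.0.113.5
2018-02-19T03:14:12Z OK user=admin src=203.0.113.5
2018-02-19T08:00:00Z FAIL user=jdoe src=198.51.100.7
2018-02-19T08:00:30Z OK user=jdoe src=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, src)."""
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])


def find_compromises(log_text, max_failures=5, window=timedelta(hours=1)):
    """Return (user, src, failures) for each successful login that follows
    at least max_failures failed attempts from the same source within window."""
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        key = (user, src)
        # Keep only failures still inside the sliding window.
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if result == "FAIL":
            recent[key].append(ts)
        elif len(recent[key]) >= max_failures:
            hits.append((user, src, len(recent[key])))
            recent[key].clear()
    return hits


if __name__ == "__main__":
    for user, src, n in find_compromises(SAMPLE_LOG):
        print(f"likely account compromise: {user} from {src} after {n} failures")
```

A single mistyped password followed by a login (the jdoe lines) stays below the threshold, so only the admin burst is reported.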

Page 4

Impact

Impact to CDOT Business Operations

• ~1,300 workstations

• ~400 servers

• Databases and software applications

• SAP – used for paying vendors & employees

• All VoIP phones

Page 5

Impact Reduction

• System backups assured CDOT recovery

• Network segmentation prevented spreading

Page 6

Key Partners Onsite

State Agencies
• Governor’s Office of Information Technology (OIT)
• Colorado Department of Transportation (CDOT)
• Colorado Department of Public Safety: Division of Homeland Security & Emergency Management (DHSEM)
• Colorado National Guard

Federal Partners
• FBI, DHS, US-CERT, FEMA

Private Sector Partners
• Four security tools vendors
• Incident Response team

Page 7

Timeline

Page 8

Benefits of Using the State Emergency Operations Center (EOC)

“I wish I’d engaged EOC sooner!”

• Established Unified Command Group

• Established priorities
  - Posted priorities on the wall as a reminder of the goals
  - Operations team to prioritize new discoveries

• Coordinated logistics
  - How do you feed a roomful of hungry people when they are sick of pizza?
  - How do you keep track of who your responders were?

• Issued an Emergency Request for Resources (EMAC) to rest tired IT personnel

Page 9

Unified Command Group

Page 10

Unified Command Group

Page 11

Recommendations

1. Reach out for help
2. Include key partners in your incident response planning efforts
3. Revisit training and hardening practices for your system administrators

Page 12

Communications Lessons

Page 13

#1: You HAVE TO talk to the Media!

What happens if you don’t?

Page 14

#2: Include your Public Information Officer (PIO)

• Have your PIO on speed dial!

• PIO should be aware of incident right away to prepare communication strategy

• Start educating your PIO on cyber before the incident!

Page 15

#3: Be Consistent in Your Messaging

• Daily communication briefings via phone

• Prepare daily press statement

• Keep running list of media follow-up questions and responses

• Log daily media coverage

• Stand up a website

• Utilize social media

Media outlets shown on the slide: The Denver Post, CBS4, 7NEWS | The Denver Channel, 9NEWS, FOX31, CPR, Wall Street Journal, New York Times, CNN, NPR, Bloomberg Law, StateScoop

Page 16

#4: Communicate with Caution

• Balance between:
  - Informing the public / building trust & confidence / reputation management
  - Interfering with the investigation / protecting sensitive information

• Include legal affairs

Page 17

#4: Communicate with Caution

Internal and external lines of communication may be blurred

Page 18

#5: Control the Message…but know you can’t control everything!

Carefully crafted statement

Page 19

Page 20

#6: Prepare

• Revisit crisis communication plan regularly

• Identify potential stakeholders ahead of time

• Educate your PIO on cybersecurity

“It is no longer a question of ‘if,’ but ‘when’ and ‘how often.’”
- Robert Mueller, FBI Director | RSA Cyber Security Conference | March 1, 2012

Internal stakeholders: Governor’s Office | Executive Directors/Cabinet | OIT employees | CDOT leadership & employees | DHSEM | National Guard | Customers: 30K+ state employees

External stakeholders: Legislature | Media | Third-party vendors | Federal partners

Page 21

Questions?