A Different Type of State Emergency: Cyber!
Deborah Blyth, Chief Information Security Officer, State of Colorado Governor’s Office of Information Technology
Overview
• CDOT Cyber Incident
  - Details of the ransomware attack
  - Key response partners
  - Recommendations for incident response
• Communications Lessons Learned
• Audience Questions
PREPARE ∙ PROTECT ∙ PARTNER
Details of the Attack
• Attacker discovered the system (a virtual server) on the internet
• Brute force attack (account compromise)
  - Started the day the server came online
  - Server was compromised within 48 hours
  - 40,000 password attempts
• The virtual server connected the cloud service to the CDOT network
• Attacker installed and launched the SamSam ransomware within CDOT
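The attack above is a textbook case for a simple detection: 40,000 password attempts against one internet-exposed server, spread over two days, followed by a successful logon. The script below is an added example, not part of this presentation or of CDOT's tooling. It scans authentication log lines with a per-source sliding window and raises two alerts: a brute-force alert when one source reaches a failure threshold inside the window, and a likely-compromise alert when a success arrives from a source that has just produced a burst of failures. The log line format, thresholds, and the sample log are all assumptions constructed for the example; adapt the regular expression to your real source (Windows 4625/4624 events, sshd, an RDP gateway).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format for this example (not the CDOT logs):
#   "<ISO-8601 timestamp> <FAIL|OK> user=<account> src=<source ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window per source address (assumed)
FAIL_THRESHOLD = 20             # failures in WINDOW -> brute_force alert (assumed)
COMPROMISE_MIN = 5              # failures in WINDOW before a success -> compromise alert


def parse_line(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ok": m["result"] == "OK",
            "user": m["user"], "src": m["src"]}


def detect(lines, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
           compromise_min=COMPROMISE_MIN):
    """Scan log lines (time-ordered per source) and return a list of alert dicts.

    brute_force       : one source reached fail_threshold failures inside window
    likely_compromise : a successful logon from a source that had at least
                        compromise_min failures inside window (the account
                        compromise that ended the brute force in the CDOT case)
    Each alert kind fires once per source, so a 40,000-attempt attack produces
    two alerts rather than 40,000.
    """
    recent = defaultdict(deque)    # src -> timestamps of failures still inside window
    fired = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                 # unparseable line: skip it, do not crash
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()              # expire failures that left the window
        if not ev["ok"]:
            q.append(ts)
            if len(q) >= fail_threshold and (src, "brute_force") not in fired:
                fired.add((src, "brute_force"))
                alerts.append({"kind": "brute_force", "src": src, "user": ev["user"],
                               "failures_in_window": len(q), "at": ts.isoformat()})
        elif len(q) >= compromise_min and (src, "likely_compromise") not in fired:
            fired.add((src, "likely_compromise"))
            alerts.append({"kind": "likely_compromise", "src": src, "user": ev["user"],
                           "failures_in_window": len(q), "at": ts.isoformat()})
    return alerts


def build_sample_log():
    """Constructed sample log (not real data): one attacker, one normal user."""
    t0 = datetime(2024, 1, 1, 3, 0, 0)
    lines = []
    # attacker: 30 failures ten seconds apart, then a success on the 31st try
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} "
                     f"FAIL user=administrator src=203.0.113.7")
    lines.append(f"{(t0 + timedelta(seconds=300)).isoformat()} "
                 f"OK user=administrator src=203.0.113.7")
    # normal user: two mistyped passwords, then a success; must not alert
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} FAIL user=jdoe src=198.51.100.4")
    lines.append(f"{(t0 + timedelta(minutes=1, seconds=20)).isoformat()} FAIL user=jdoe src=198.51.100.4")
    lines.append(f"{(t0 + timedelta(minutes=1, seconds=40)).isoformat()} OK user=jdoe src=198.51.100.4")
    lines.append("garbage line that does not match the format")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Run against the constructed log, this fires `brute_force` for 203.0.113.7 at the 20th failure (about three minutes in) and `likely_compromise` when the success lands, while the ordinary user's two failures stay silent. The more important lesson from the 40,000-attempt figure is preventive: an account lockout or rate limit on the exposed logon service, or simply not exposing it to the internet, stops the attack at the source, and the detection above is the backstop for when that control is missing.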
Impact to CDOT Business Operations
• ~1,300 workstations
• ~400 servers
• Databases and software applications
• SAP – used for paying vendors & employees
• All VoIP phones
Impact Reduction
• System backups assured CDOT recovery
• Network segmentation prevented spreading
Key Partners Onsite
State Agencies
• Governor’s Office of Information Technology (OIT)
• Colorado Department of Transportation (CDOT)
• Colorado Department of Public Safety: Division of Homeland Security & Emergency Management (DHSEM)
• Colorado National Guard
Federal Partners
• FBI, DHS, US-CERT, FEMA
Private Sector Partners
• Four security tools vendors
• Incident Response team
Timeline
Benefits of Using the State Emergency Operations Center (EOC)
“I wish I’d engaged EOC sooner!”
• Established Unified Command Group
• Established priorities
  - Posted priorities on the wall as a reminder of the goals
  - Operations team to prioritize new discoveries
• Coordinated logistics
  - How do you feed a roomful of hungry people when they are sick of pizza?
  - How do you keep track of who your responders were?
• Issued an Emergency Request for Resources (EMAC) to rest tired IT personnel
Unified Command Group
Recommendations
1. Reach out for help
2. Include key partners in your incident response planning efforts
3. Revisit training and hardening practices for your system administrators
Communications Lessons
#1: You HAVE TO talk to the Media!
What happens if you don’t?
#2: Include your Public Information Officer (PIO)
• Have your PIO on speed dial!
• PIO should be aware of the incident right away to prepare a communication strategy
• Start educating your PIO on cyber before the incident!
#3: Be Consistent in Your Messaging
• Daily communication briefings via phone
• Prepare daily press statement
• Keep a running list of media follow-up questions and responses
• Log daily media coverage
• Stand up a website
• Utilize social media
Media coverage: The Denver Post | CBS4 | 7NEWS | The Denver Channel | 9NEWS | FOX31 | CPR | Wall Street Journal | New York Times | CNN | NPR | Bloomberg Law | StateScoop
#4: Communicate with Caution
• Balance between:
  - Informing the public / building trust & confidence / reputation management
  - Interfering with the investigation / protecting sensitive information
• Include legal affairs
• Internal and external lines of communication may be blurred
#5: Control the Message… but know you can’t control everything!
Carefully crafted statement
#6: Prepare
• Revisit crisis communication plan regularly
• Identify potential stakeholders ahead of time
• Educate your PIO on cybersecurity
“It is no longer a question of ‘if,’ but ‘when’ and ‘how often.’”
- Robert Mueller, FBI Director | RSA Cyber Security Conference | March 1, 2012
Internal stakeholders: Governor’s Office | Executive Directors/Cabinet | OIT employees | CDOT leadership & employees | DHSEM | National Guard | Customers: 30K+ state employees
External stakeholders: Legislature | Media | Third-party vendors | Federal partners
Questions?