
Cyber Disruption: Probability and Response Readiness WSEMA September 18, 2013

Mar 26, 2015




Slide 1: Cyber Disruption: Probability and Response Readiness (WSEMA, September 18, 2013)

Slide 2: SHORT BIO
Partner, MK Hamilton and Associates
CISO, City of Seattle
Managing Consultant, VeriSign GSC
Senior Principal Consultant, Guardent
Independent Security Consultant
CEO, Network Commerce, Inc.
Ocean Scientist, NASA/JPL

Slide 3: Don't Try This
Enabling Kevin Mitnick
JPL, SunOS 4.1.3, and SATAN
Accessing credit cards
Oceanographic hacking
FreeBSD and the FWTK
The Bad Guys
Network Commerce Inc.

Slide 4: Security Philosophy
Assume breach
Preventive controls not good enough
Detective controls more imperative as device population grows
Focus on key assets and event detection
Mobile security should be carefully evaluated
Prevention on the "network of things" will not scale

Slide 5: Cyber Meets Emergency Services
Emergency response driven by IT disruption
What it would look like
What we normally do
How response is different
What we know now
How we are addressing the problem

Slide 6: Local Government
Services that affect quality of life, and life
We'd like them to be there

Slide 7: My Perspective
Credit cards, IP, and Infrastructure
Hacktivists, organized crime, and nation-states
Capability, meet intent

Slide 8: Critical Infrastructure Now the Target of Most Attacks
"Overall cyber attacks are up, but most dramatically in the last year, the type of attack has shifted away from hacking and financially motivated crime toward cyber espionage focused on critical infrastructure, such as utilities, according to research from communications provider Verizon. 'These aren't about stealing data and fraud, they're about deny, disrupt and destroy,' said Bryan Sartin, director of investigative response for Verizon. In its upcoming Data Breach Investigation Report, a yearly document that is one of the more noteworthy surveys of attacks released to the public, the company found that cyber espionage, once a far lesser component of the attack volume, is now dominating networks."
Source: 227002/Critical-infrastructure-now-target-most-attacks

Slide 9: CRITICAL INFRASTRUCTURE
It's good business sense!

Slide 10: Attack on Fake Control System

Slide 11: Attack on Financial Sector

Slide 12: Telephony Denial of Service

Slide 13: The Tunisian Cyber Army

Slide 14: #OpBlackSummer

Slide 15: Closer to Home

Slide 16: Closer

Slide 17: Clark County Website Defacement

Slide 18: THREAT PROBABILITY: SIGNIFICANT

Slide 19: How We Handle Disasters
Preparedness exercises
EOC Activation
NIMS: ESF2 and Logistics Branch
WebEOC and other IT-enabled methods
Role of the National Guard
Application of the Stafford Act

Slide 20: What's Different
Escalation path not defined
NIMS difficult to apply
Fusion Center as coordination point
No FEMA resource list, etc.
Mutual-Aid agreements
Role of the private sector

Slide 21: State of Readiness
Exercises: Emerald Down, Evergreen, NLE12
Fusion Center Cyber Analyst ([email protected])
National Guard and State Response Plan for Significant Cyber Disruption
CIRCAS
FEMA resource typing
FBI cyber task force
US Attorney Jenny Durkan

Slide 22: PRISEM
Public Regional Information Security Event Management
Regional Asset for Situational Awareness and Common Operating Picture

Slide 23: PRISEM History
DHS S&T funding to initiate; five grants total
Participants contribute firewall logs, netflow, and botnet alerts (Einstein); arbitrary devices under monitoring
Commercial SIEM infrastructure at UW APL
Cities of Seattle, Lynnwood, Bellevue, Kirkland, Redmond; Thurston and Kitsap Counties; Seattle Children's Hospital; Snohomish PUD

Slide 24: PRISEM IN ACTION: HUNT FOR APT1

Slide 25: Before the Real Event
Conduct more exercises on cyber disruption
Finish the SCIRP
Cement the role of the Fusion Center
Continue working with FEMA
Conduct outreach to the Private Sector
Improve information sharing and situational awareness

Slide 26: Benefits of Preparedness
Improved resilience
Avoiding cascading failures
Protect regional infrastructure
We learn to integrate

Slide 27: Is Cybersecurity a Bubble?

Slide 28: My Contact Information
Michael Hamilton
Chief Information Security Officer
City of Seattle
[email protected]
206.684.7971 (D)
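Slides 22 through 24 describe the core PRISEM idea: several participants forward firewall and netflow records to a shared SIEM, and a hunt for a known actor's indicators across all of them yields a regional picture that no single city could see on its own. The script below is an added example of that correlation step; it is not PRISEM or UW APL code, it does not model Einstein or a commercial SIEM, and every participant name, log line and indicator address in it is constructed (the indicator IPs are RFC 5737 documentation addresses, not real APT1 infrastructure).

```python
"""Regional indicator hunt across several participants' log feeds.

Added example, not PRISEM code. FEEDS and INDICATORS are constructed sample
data; the two log formats are simplified stand-ins for firewall and netflow
records, not any vendor's real format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed indicator list: hypothetical C2 / scanner addresses with labels.
INDICATORS: Dict[str, str] = {
    "203.0.113.7": "c2-hypothetical-1",
    "198.51.100.23": "c2-hypothetical-2",
    "203.0.113.99": "scanner-hypothetical",
}

# Simplified record shapes: one for a firewall log, one for a netflow export.
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    participant: str
    ts: str
    indicator: str
    label: str
    direction: str  # "outbound": internal host reached out; "inbound": indicator reached in
    internal_host: str
    raw: str


def parse_record(participant: str, line: str) -> List[Hit]:
    """Return every indicator match in one log line (empty list if none or unparseable)."""
    m = FW_RE.match(line) or FLOW_RE.match(line)
    if not m:
        return []  # unknown format: skip the line rather than fail the whole feed
    src, dst = m.group("src"), m.group("dst")
    hits = []
    if dst in INDICATORS:  # an internal host talked (or tried to talk) to the indicator
        hits.append(Hit(participant, m.group("ts"), dst, INDICATORS[dst], "outbound", src, line))
    if src in INDICATORS:  # the indicator connected (or tried to connect) inwards
        hits.append(Hit(participant, m.group("ts"), src, INDICATORS[src], "inbound", dst, line))
    return hits


def hunt(feeds: Dict[str, Iterable[str]]) -> List[Hit]:
    """Run the indicator match over every participant's feed."""
    return [h for p, lines in feeds.items() for line in lines for h in parse_record(p, line)]


def common_operating_picture(hits: List[Hit]) -> Dict[str, Set[str]]:
    """indicator -> participants that observed it; the regional view."""
    cop: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        cop[h.indicator].add(h.participant)
    return dict(cop)


def regional_alerts(cop: Dict[str, Set[str]], min_participants: int = 2) -> List[str]:
    """Indicators seen at several participants: one actor, many victims."""
    return sorted(i for i, parts in cop.items() if len(parts) >= min_participants)


def likely_compromised(hits: List[Hit]) -> Dict[str, Set[str]]:
    """participant -> internal hosts that initiated traffic to an indicator.

    Outbound contact with a C2 address is the signal worth an incident; an
    inbound scan from a listed address is noise by comparison.
    """
    out: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        if h.direction == "outbound":
            out[h.participant].add(h.internal_host)
    return dict(out)


# Constructed feeds from three hypothetical participants.
FEEDS: Dict[str, List[str]] = {
    "seattle": [
        "2013-09-10T02:14:03Z fw ALLOW src=10.1.4.22 dst=203.0.113.7 dport=443",
        "2013-09-10T02:14:09Z flow 10.1.4.22:51234 -> 203.0.113.7:443 bytes=91234",
        "2013-09-10T03:00:00Z fw DENY src=203.0.113.99 dst=10.1.0.5 dport=22",
    ],
    "bellevue": [
        "2013-09-11T11:02:44Z flow 10.7.9.3:49821 -> 203.0.113.7:443 bytes=2048",
        "2013-09-11T11:03:10Z fw DENY src=10.7.9.3 dst=198.51.100.23 dport=8080",
    ],
    "kitsap": [
        "2013-09-12T08:30:01Z fw DENY src=203.0.113.99 dst=10.9.1.1 dport=3389",
        "malformed line that the parser must tolerate",
    ],
}

if __name__ == "__main__":
    found = hunt(FEEDS)
    picture = common_operating_picture(found)
    for indicator in regional_alerts(picture):
        print(f"REGIONAL: {indicator} ({INDICATORS[indicator]}) seen at {sorted(picture[indicator])}")
    for participant, hosts in likely_compromised(found).items():
        print(f"FOLLOW UP: {participant} hosts {sorted(hosts)} initiated contact with an indicator")
```

The point a single participant's SIEM cannot make is the `regional_alerts` one: Seattle and Bellevue each see one host beaconing to the same address, and only the shared view shows it is one campaign rather than two unrelated events. `likely_compromised` separates the hosts that actually initiated contact from sites that were merely scanned, which is the triage an EOC or fusion center needs before deciding whether a disruption is underway.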