
Cyber Disruption: Probability and Response Readiness
WSEMA
September 18, 2013
SHORT BIO
• Partner, MK Hamilton and Associates
• CISO, City of Seattle
• Managing Consultant, VeriSign GSC
• Senior Principal Consultant, Guardent
• Independent Security Consultant
• CEO, Network Commerce, Inc.
• Ocean Scientist, NASA/JPL
Don’t Try This
• Enabling Kevin Mitnick
• JPL, SunOS 4.13, and SATAN
• Accessing credit cards
• Oceanographic hacking
• FreeBSD and the FWTK
• The Bad Guys
• Network Commerce Inc.
Security Philosophy
• Assume breach
• Preventive controls not good enough
• Detective controls more imperative as device population grows
• Focus on key assets and event detection
• Mobile security should be carefully evaluated
• Prevention on the "network of things" will not scale
Cyber Meets Emergency Services
• Emergency response driven by IT disruption
• What it would look like
• What we normally do
• How response is different
• What we know now
• How we are addressing the problem
Local Government
Services that affect quality of life, and life
We’d like them to be there
My Perspective
• Credit cards, IP, and Infrastructure
• Hacktivists, organized crime, and nation-states
• Capability, meet intent
Critical Infrastructure Now the Target of Most Attacks
Overall cyber attacks are up, but most dramatically in the last year, the type of attack has shifted away from hacking and financially motivated crime toward cyber espionage focused on critical infrastructure, such as utilities, according to research from communications provider Verizon.
“These aren’t about stealing data and fraud, they’re about deny, disrupt and destroy,” said Bryan Sartin, director of investigative response for Verizon.
In its upcoming Data Breach Investigation Report, a yearly document that is one of the more noteworthy surveys of attacks released to the public, the company found that cyber espionage, once a far lesser component of the attack volume, is now dominating networks.
http://www.federaltimes.com/article/20130227/SHOWSCOUT01/130227002/Critical-infrastructure-now-target-most-attacks
CRITICAL INFRASTRUCTURE
It’s good business sense!
Attack on Fake Control System
Attack on Financial Sector
Telephony Denial of Service
The Tunisian Cyber Army
#OpBlackSummer
Closer to Home
Closer…
Clark County Website Defacement
THREAT PROBABILITY: SIGNIFICANT
How We Handle Disasters
• Preparedness exercises
• EOC Activation
• NIMS: ESF2 and Logistics Branch
• WebEOC and other IT-enabled methods
• Role of the National Guard
• Application of the Stafford Act
What’s Different
• Escalation path not defined
• NIMS difficult to apply
• Fusion Center as coordination point
• No FEMA resource list, etc.
• Mutual-Aid agreements
• Role of the private sector
State of Readiness
• Exercises – Emerald Down, Evergreen, NLE12
• Fusion Center Cyber Analyst (intake@wsfc.wa.gov)
• National Guard and State Response Plan for Significant Cyber Disruption
• CIRCAS
• FEMA resource typing
• FBI cyber task force
• US Attorney Jenny Durkan
PRISEM
Public Regional Information Security Event Management
Regional Asset for Situational Awareness and
Common Operating Picture
PRISEM History
• DHS S&T funding to initiate; five grants total
• Participants contribute firewall logs, netflow, botnet alerts (Einstein); arbitrary devices under monitoring
• Commercial SIEM infrastructure at UW APL
• Cities of Seattle, Lynnwood, Bellevue, Kirkland, Redmond; Thurston and Kitsap Counties; Seattle Children’s Hospital, Snohomish PUD
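The PRISEM slide describes participants forwarding firewall logs, netflow and botnet alerts into one shared SIEM so the region gets a common operating picture. As an added illustration (not PRISEM's, the presenter's, or any vendor's code), the Python below shows one thing a pooled log set makes visible that no single participant's SIEM can: an external source that has touched several jurisdictions. The log line format, participant names and addresses are constructed assumptions for the example.

```python
"""Added example: cross-participant correlation over a shared log pool.
Everything here (line format, participant names, addresses) is constructed
for illustration and is not PRISEM's actual schema or data."""
import re
from collections import defaultdict

# Constructed sample of firewall deny events as each participant's collector
# might forward them to a shared SIEM. Assumed format:
#   <participant> <timestamp> DENY src=<ip> dst=<ip> dport=<port>
SAMPLE_LOGS = """\
cityA 2013-09-18T08:01:12 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
cityA 2013-09-18T08:01:13 DENY src=203.0.113.7 dst=192.0.2.11 dport=3389
cityB 2013-09-18T08:03:40 DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
countyC 2013-09-18T08:05:02 DENY src=203.0.113.7 dst=198.51.100.77 dport=3389
cityB 2013-09-18T08:10:00 DENY src=198.51.100.200 dst=198.51.100.9 dport=22
cityA 2013-09-18T08:11:15 DENY src=192.0.2.250 dst=192.0.2.12 dport=445
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<participant>\S+) (?P<ts>\S+) DENY "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_lines(text):
    """Parse forwarded log text into event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def local_view(events, participant):
    """What one participant sees on its own: hits per source, this site only."""
    counts = defaultdict(int)
    for ev in events:
        if ev["participant"] == participant:
            counts[ev["src"]] += 1
    return dict(counts)


def regional_sources(events, min_participants=2):
    """Regional view: sources seen by at least min_participants members.

    Returns {src: {"participants": [...], "dports": [...], "events": n}}.
    A source hitting several jurisdictions is a regional situational-awareness
    item even when each site individually saw only a handful of denies.
    """
    by_src = defaultdict(lambda: {"participants": set(), "dports": set(), "events": 0})
    for ev in events:
        entry = by_src[ev["src"]]
        entry["participants"].add(ev["participant"])
        entry["dports"].add(ev["dport"])
        entry["events"] += 1
    return {
        src: {
            "participants": sorted(e["participants"]),
            "dports": sorted(e["dports"]),
            "events": e["events"],
        }
        for src, e in by_src.items()
        if len(e["participants"]) >= min_participants
    }


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOGS)
    print("cityB alone sees:", local_view(evs, "cityB"))
    print("regional view:", regional_sources(evs))
```

Run stand-alone, the local view for any one city shows a source with one or two denies, the kind of noise a single site would normally ignore; the regional view groups the same source across three participants. The threshold `min_participants` is the knob an analyst at a shared facility would tune.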
PRISEM IN ACTION: HUNT FOR APT1
Before the Real Event
• Conduct more exercises on cyber disruption
• Finish the SCIRP
• Cement the role of the Fusion Center
• Continue working with FEMA
• Conduct outreach to the Private Sector
• Improve information sharing and situational awareness
Benefits of Preparedness
• Improved resilience
• Avoiding cascading failures
• Protect regional infrastructure
• We learn to integrate
Is Cybersecurity a Bubble?
My Contact Information
Michael Hamilton
Chief Information Security Officer
City of Seattle
Michael.Hamilton@Seattle.gov
206.684.7971 (D)