Pacific NW DGS 2015 Presentation - Information Battleground by Chris Chidley
Information Technology
How we came back from a cyber attack.
By: Chris Chidley
IT Manager @ Skagit Transit
Cyber Insurance Claim
Washington State Transit Insurance Pool (WSTIP)
First cyber claim for the insurance pool
Opened a lot of eyes and brought much-needed attention to IT, not only for Skagit Transit but for other transit agencies as well.
A technology SWAT team composed of insurance-picked IT professionals and local vendors who were familiar with Skagit Transit
WSTIP creates best practices policies based on experiences at Skagit Transit
Organization Re-structure
IT was not its own department; the department was created.
New manager reports directly to GM
New IT Policies drafted
More buy-in from general management on IT budget increases to catch technology up
Hire an IT Manager!
The IT Specialist at the time was terminated from employment soon after the cyber incident.
The search was on almost immediately; action was needed and the right person was needed.
May 2013: new IT manager began working on core issues identified by the insurance SWAT team
New firewalls
New networks
Server consolidation with virtualization
Catch up technology
Windows XP to Windows 7
The New Plan
Segment Networks
3rd Party Patches
Content Filtering
Layered Defense
Anti-Virus at internet connection
Anti-Virus on e-mail
Anti-Virus on servers
Anti-virus on workstations
Anti-virus on mobile devices
Continued employee education
Network Segmentation
All external connections except internet were on the same network
Very easy for someone to get single point access to everything
Very easy for network disruptions
No control
New switch, firewall and virtual technologies were utilized to segment a single network into many
Separating management network
Separating server network
Separating user network
Separating WiFi
Vulnerability Patching
A server specific scan of vulnerabilities was made and a prioritized list of objectives formed from the findings
Software vulnerabilities were determined to be one of the ways into our network for the cyber attack
Attackers now often go after 3rd party applications, as they are used for most web applications and become a very easy way into remote systems
Adobe
Silverlight
Java
Chrome
Internet Explorer
Firefox
Computer Criminals
Hacker: Computer-savvy programmer creates attack software
Script Kiddies: Unsophisticated computer users who know how to execute programs
Hacker Bulletin Board
SQL Injection
Buffer overflow
Password Crackers
Password Dictionaries
Successful attacks!
Crazyman broke into CoolCat penetrated
Criminals:
Create & sell bots -> spam
Sell credit card numbers,
System Administrators: Some scripts are useful to protect networks
Malware package = $1K-2K
1 M Email addresses = $8
10,000 PCs = $1000
Leading Threats
Virus
Worm
Trojan Horse / Logic Bomb
Social Engineering
Rootkits
Botnets / Zombies
Social Engineering
Social engineering manipulates people into performing actions or
divulging confidential information. Similar to a confidence trick or
simple fraud, the term applies to the use of deception to gain
information, commit fraud, or access computer systems.
Phone Call: "This is John, the System Admin. What is your password?"
In Person: "What High School did you go to? Your mother's maiden name? What was your first car?"
"I have come to repair your machine and have some software patches"
Brute Force Password Cracking
Pattern                              Calculation  Result    Time to Guess (2.6x10^18/month)
Personal Info: interests, relatives               20        Manual 5 minutes
Social Engineering                                1         Manual 2 minutes
American Dictionary                               80,000    < 1 second
4 chars: lower case alpha            26^4         5x10^5
8 chars: lower case alpha            26^8         2x10^11
8 chars: alpha                       52^8         5x10^13
8 chars: alphanumeric                62^8         2x10^14   3.4 min.
8 chars: alphanumeric + 10           72^8         7x10^14   12 min.
8 chars: all keyboard                95^8         7x10^15   2 hours
12 chars: alphanumeric               62^12        3x10^21   96 years
12 chars: alphanumeric + 10          72^12        2x10^22   500 years
12 chars: all keyboard               95^12        5x10^23
16 chars: alphanumeric               62^16        5x10^28
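The table's arithmetic as an added example (not part of the original presentation): it computes alphabet^length for a password, converts that to worst-case time at the table's 2.6x10^18 guesses/month, and checks for dictionary phrases first, since those fall long before brute force matters. The function names, the 30-day month, the 33-symbol count behind "all keyboard" (95 = 26 + 26 + 10 + 33) and the small sample wordlist are assumptions; the slide's figures are rounded, so computed times will not match them exactly.

```python
import string

GUESSES_PER_MONTH = 2.6e18          # guessing rate from the table header
SECONDS_PER_MONTH = 30 * 24 * 3600  # assumption: 30-day month
DICTIONARY_WORDS = 80_000           # "American Dictionary" row of the table
# Constructed sample wordlist standing in for that dictionary.
SAMPLE_WORDS = {"merry", "christmas", "mail", "phone", "password"}


def alphabet_size(password):
    """Sum the character classes present: 26 + 26 + 10 + 33 = 95 ("all keyboard")."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    )
    return sum(n for chars, n in classes if any(c in chars for c in password))


def keyspace(alphabet, length):
    """The table's Calculation column: alphabet ** length candidates."""
    return alphabet ** length


def seconds_to_exhaust(candidates):
    """Worst-case time to try every candidate at the table's rate."""
    return candidates / GUESSES_PER_MONTH * SECONDS_PER_MONTH


def estimate(password):
    """Return (model, candidates, seconds) for the cheapest attack that applies."""
    words = password.lower().split()
    if words and all(w in SAMPLE_WORDS for w in words):
        # Dictionary phrases are searched word by word, not character by character.
        candidates = DICTIONARY_WORDS ** len(words)
        return "dictionary", candidates, seconds_to_exhaust(candidates)
    candidates = keyspace(alphabet_size(password), len(password))
    return "brute force", candidates, seconds_to_exhaust(candidates)


if __name__ == "__main__":
    for pw in ("Merry Christmas", "MerChr2You", "hb2uhb2uhbdJhb2u"):
        model, candidates, secs = estimate(pw)
        print(f"{pw!r:20} {model:12} {candidates:.1e} candidates  {secs:.3g} s")
```

"Merry Christmas" is 15 characters long but is scored as two dictionary words (80,000^2 candidates), which is exhausted in well under a second at this rate.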
Merry Christmas
Bad Password -> Good Password
(Abbreviate) Merry Xmas
(Lengthen) MerryChrisToYou, MerChr2You, mErcHr2yOu
(Synonym) MerryJul, MaryJul, Mary*Jul, Glad*Jes*Birth
(Convert vowels to numeric) M5rryXm1s
(Intertwine Letters) MXemrays
(Keypad shift Right . Up) ,stuzc,sd Jq46Sjqw
Creating Passwords
Combine 2 unrelated words: Mail + phone = m@!lf0n3
Abbreviate a phrase: My favorite color is blue = Mfciblue
Music lyric: Happy birthday to you, happy birthday to you, happy birthday dear John, happy birthday to you. = hb2uhb2uhbdJhb2u
Creating Password Examples
Password Manager Software
Password Safe
http://passwordsafe.sourceforge.net/
KeePass Password Safe
http://keepass.info/
Don't store passwords in easy-to-find places!
In Closing
Good passwords are a first level of defense
Buy-in from upper management is key to IT success
Segmented networks are key to keeping critical information safe
HVAC should not see POS
Layered Defenses
Employee Education
Avoid social engineering and increase awareness
Thank you
Chris Chidley [email protected] 360-757-1446
Skagit Transit