BENJAMIN BEBERNESS, CHIEF INFORMATION OFFICER SNOHOMISH COUNTY PUBLIC UTILITY DISTRICT
AGENDA • Security Culture • Culture of Collaboration • Culture of Thinking Outside the Box • Culture of Managing Risk - Risk Assessment
WHAT IS SECURITY CULTURE?

Culture - A way of thinking, behaving, or working that exists in a place or organization.

An organization's security culture is the styles, approaches and values that it wishes to adopt towards security, and is essential to an effective personnel security regime.

Results of a security culture:
- Employees are engaged with, and take responsibility for, security issues
- Levels of compliance with protective security measures increase
- The risk of security incidents and breaches is reduced by encouraging employees to think and act in more security conscious ways
- Employees are more likely to report behaviors/activities of concern
- Improved organizational performance through effective management, established reporting mechanisms, increased employee satisfaction and commitment to the organization
- The risk of reputational and financial damage to the organization is reduced

Sources: http://www.merriam-webster.com/dictionary/culture and http://www.cpni.gov.uk/advice/personnel-security1/security-culture/
SNOPUD'S SECURITY CULTURE

“It all starts at the top. Executive management that’s interested in fostering a positive security culture — and does so without fail — is mandatory if the risks of a breach are to be minimized.” (IBM)

“Effective communication is cited as the number one skill necessary for success within the CSO job function.” (Cisco/CSO Magazine Research)

“Employee error (unintentional) is reported by respondents as the top security threat.” (Cisco/CSO Magazine Research)

Leadership
• Sponsorship / support and active engagement
• Regular communication to Commission
• Bi-monthly meetings with leadership
• Bi-monthly meetings with subject matter experts across District
• Discuss cyber security from a Risk perspective
  - Likelihood of a breach
  - Average cost of a breach
• Policy

Communication
• Training and Awareness
  - Training
  - Phishing
  - Flyers
• Public Relations
• Community Involvement
• Bake security into everything you do
• Identify the right communications channel

Employees
• Informing and educating them that we are all targets
• National Guard operation
• Testing our defenses
• Policy
• Operational Procedures
• Incident response, DRP, BCP
• Visible Physical Security presence (cameras, access devices, signage and on-site Security Officers)

Source: http://www.cisco.com/c/dam/en_us/about/security/cspo/docs/creating_culture_of_security.pdf
CULTURE OF SECURITY COLLABORATION http://www.snopud.com/AboutUs/cybersummit.ashx?p=2167
TAKE AWAY FROM CYBERSECURITY GUIDE FOR CRITICAL INFRASTRUCTURE FOR THE STATE OF WASHINGTON
• Review and start with the Cybersecurity Guide for Critical Infrastructure for the State of Washington
• Conduct a risk assessment that identifies where your utility has the highest potential of a cyber attack and prioritize what actions to take and what cyber products help reduce these risks
• Simple actions can be taken to update your systems (upgrade, patch, and control access)
• Work to convince Boards, CEO’s, Executive Leadership of what probability is and how to reduce risk and cost of cyber attack
• Share information among peers (build your own trusted networks)
CULTURE OF THINKING OUTSIDE THE BOX
NATIONAL GUARD OPERATION
• Snohomish PUD and the WA State National Guard planned and conducted the first-ever, joint cybersecurity collaborative exercise.
• The scope of work included the National Guard performing penetration and vulnerability testing for SnoPUD over a two- to four-week period.
• During this time, the National Guard gained experience with the utility industry and learned about control systems and utility cyber architecture.
• SnoPUD observed how hackers might approach attacking our system, and learned how to better monitor our system during an attack.
• Emergency response
NATIONAL GUARD PENETRATION TEST – FOUO/PCII

Attack chain (as diagrammed on the slide):
1. Collect and analyze Intelligence
2. Phish to gain Access to Privileged User
3. Extract 2FA Token from Memory
4. Search for Local Admin Account
5. Identify and Create Domain Admin Account
6. Domain Admin account used to access Firewall
7. Shared infrastructure account
8. Privileged Credentials Captured – Back door established
9. Access to critical systems

Event
Privileged user targeted with phish. Malware dropped on machine. Credentials pulled from memory using secondary malware. Other malware used to determine local admin accounts. Encrypted tunnel created as well as a persistent back door. Machine used as a jump point. New privileged accounts created on captured machine. Network mapped and critical systems and non-critical systems identified. Back door remains in place for future use. Physical access systems compromised and access granted to sensitive areas. ICS access through shared infrastructure accounts.

Detection
Very difficult due to the access by a privileged user to systems normally accessed. Anomalous activity not seen on privileged user’s screen. Persons without access to sensitive areas granted access, should have been seen. Admin account creation would have been identified by logs. No monitoring in place. Final detection was by clear indicators hard to not notice. No notification by team on their own.

Response
Too late in the process. Damage was done and recovery operations hindered by communications being encrypted. No internal detection process in place and monitoring was either ineffective or not being watched. Once compromise was identified, incident response was initiated and admin user account killed and process to identify new accounts put in place.

Impact & Lessons Learned
• Annual review of all privileged accounts
• Require management approval for all privileged accounts
• Alert on any newly created accounts
• Do not use any shared system accounts (workstation local admin)
• Do not allow interactive login for service accounts
• Only allow privileged accounts access for privileged actions (no user accounts)
• Limit access of VPNs to only known entities
• Set alerts for unusual network activity
• Do not leave local admin accounts, remove from users
UKRAINE ATTACK - FOUO

Attack chain (as diagrammed on the slide):
1. Phish to Multiple Users
2. User Accounts harvested / Credentials Captured using malware
3. Establish VPN
4. Movement Laterally across network
5. Gain Access to critical systems

Event
The use of spear phishing. Targeted emails contained attachments of Microsoft Office Documents with Visual Basic macros embedded in them. The adversary harvested credentials of operators and likely other users. In most of the successful attacks in this event, legitimate credentials were used to authenticate via Virtual Private Network (VPN). Once credentials were harvested, the attackers could move laterally making it very difficult to detect their presence without sophisticated log correlation and analysis.

Detection
Detection very difficult due to the access by a privileged user to systems by a normal entry point (VPN). No detailed monitoring was in place, so no unusual traffic was seen or logged for later discovery. User training was not adequate if even done. No two factor authentication was used, so access was simple after credentials stolen. No detection capabilities or poorly managed.

Response
Too late in the process. Damage was done and recovery operations hindered by sabotage of systems. Activity only discovered after operations were not possible. No internal detection process in place and monitoring was either ineffective or not being watched. All responses were after the damage was done.

Impact & Lessons Learned
• Annual review of all privileged accounts
• Require management approval for all privileged accounts
• Use two factor authentication
• Alert on any newly created accounts
• Do not use shared accounts
• Do not allow interactive login for service accounts
• Only allow privileged accounts access for privileged actions
• Limit access of VPNs to only known entities
• Set alerts for unusual activity not normal for system function
• Train users continually
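Three of the lessons-learned items shared by the two slides above (alert on any newly created account, watch privileged-group membership, no interactive login for service accounts) turned into toy detection rules, as an added example that is not from the deck or from SnoPUD. The Windows event IDs are standard; the group names, service-account names and log records are constructed placeholders.

```python
"""Toy detection rules over constructed Windows Security log records.
Event IDs: 4720 user account created, 4728/4732 member added to a
security-enabled group, 4624 successful logon (LogonType 2 = console,
10 = RDP, 3 = network)."""
from dataclasses import dataclass

# Assumptions: which groups are privileged and which accounts are service
# accounts is site-specific; these names are placeholders.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
SERVICE_ACCOUNTS = {"svc_backup", "svc_historian"}
INTERACTIVE_LOGON_TYPES = {2, 10}

@dataclass
class Event:
    event_id: int
    actor: str           # account that performed the action or logged on
    target: str = ""     # account created, added to a group, or logging on
    group: str = ""      # group name for 4728/4732
    logon_type: int = 0  # Windows LogonType for 4624

def evaluate(events):
    """Return alert strings. A privileged-group add is escalated when the
    account was created earlier in the same batch (the test's own pattern)."""
    alerts, created = [], set()
    for e in events:
        if e.event_id == 4720:                       # any new account
            created.add(e.target)
            alerts.append(f"NEW_ACCOUNT {e.target} by {e.actor}")
        elif e.event_id in (4728, 4732) and e.group in PRIVILEGED_GROUPS:
            tag = "NEW_PRIV_ACCOUNT" if e.target in created else "PRIV_GROUP_ADD"
            alerts.append(f"{tag} {e.target} -> {e.group} by {e.actor}")
        elif (e.event_id == 4624 and e.target in SERVICE_ACCOUNTS
              and e.logon_type in INTERACTIVE_LOGON_TYPES):  # service accounts must not log in interactively
            alerts.append(f"SERVICE_ACCT_INTERACTIVE {e.target} type {e.logon_type}")
    return alerts

# Constructed sample: a user session creates an account and makes it a local
# admin, then a service account is used over RDP.
SAMPLE_EVENTS = [
    Event(4624, "jdoe", "jdoe", logon_type=2),               # ordinary logon: no alert
    Event(4720, "jdoe", "backupadm2"),
    Event(4732, "jdoe", "backupadm2", group="Administrators"),
    Event(4624, "svc_backup", "svc_backup", logon_type=3),   # network logon: allowed
    Event(4624, "svc_backup", "svc_backup", logon_type=10),  # RDP: violation
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

In a real deployment these rules would be fed from the domain controllers' and workstations' forwarded Security logs rather than an in-memory list.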
CULTURE OF MANAGING RISK - RISK ASSESSMENT
THE CHALLENGE OF MANAGING TODAY’S CYBER RISK…

Likelihood of a Major Asset Loss
- Where do my corporate assets reside?
- How often will each be damaged and by how much?
- What is maximum probable loss to the company?

Key Missing Security Controls
- Which control areas lead to my largest loss?
- Which security controls am I missing, and which controls are least effective?
- What can I expect to realistically achieve in loss reduction?

Strategy to Mitigate Different Losses
- How can I prioritize my security budget?
- How do I track loss reduction from year to year?
- How can my resources most reduce losses?
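A minimal way to put numbers behind the three columns of questions above, as an added example that is not the deck's own method: annualized loss expectancy (ALE = annual rate of occurrence x loss per event) per asset, the largest single-event loss, and each control's expected savings per dollar. The asset register, control costs and effectiveness fractions are all constructed figures, and the controls are treated as independent, which real controls are not.

```python
# Constructed asset register: asset -> (loss events per year, loss per event in $)
ASSETS = {
    "billing_db":   (0.5, 400_000),
    "scada_hmi":    (0.1, 2_500_000),
    "office_files": (2.0, 20_000),
}

# Constructed controls: name -> (annual cost, {asset: fraction of that asset's ALE removed})
CONTROLS = {
    "mfa_on_vpn":       (60_000, {"billing_db": 0.5, "scada_hmi": 0.4, "office_files": 0.3}),
    "priv_acct_review": (15_000, {"billing_db": 0.2, "scada_hmi": 0.3}),
    "ics_segmentation": (120_000, {"scada_hmi": 0.7}),
}

def ale(assets):
    """'How often will each be damaged and by how much?' -> expected annual loss per asset."""
    return {name: rate * loss for name, (rate, loss) in assets.items()}

def max_probable_loss(assets):
    """'What is maximum probable loss?' -> largest single-event loss in the register."""
    return max(loss for _, loss in assets.values())

def control_benefit(assets, controls):
    """'Which controls am I missing / least effective?' -> (annual $ saved, saved per $ spent)."""
    base = ale(assets)
    result = {}
    for name, (cost, effect) in controls.items():
        saved = sum(base[asset] * frac for asset, frac in effect.items())
        result[name] = (saved, saved / cost)
    return result

def prioritize(assets, controls, budget):
    """'How can I prioritize my security budget?' -> greedy pick by savings per dollar."""
    ranked = sorted(control_benefit(assets, controls).items(),
                    key=lambda item: item[1][1], reverse=True)
    chosen, spent = [], 0
    for name, _ in ranked:
        cost = controls[name][0]
        if spent + cost <= budget:
            chosen.append(name)
            spent += cost
    return chosen

if __name__ == "__main__":
    print(ale(ASSETS), max_probable_loss(ASSETS))
    print(control_benefit(ASSETS, CONTROLS))
    print(prioritize(ASSETS, CONTROLS, budget=100_000))
```

Re-running the same model each year with the updated register is one way to answer "how do I track loss reduction from year to year".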