Cyber Disruption: Probability and Response Readiness WSEMA September 18, 2013.

Post on 26-Mar-2015


Cyber Disruption: Probability and Response Readiness

WSEMA, September 18, 2013

SHORT BIO

• Partner, MK Hamilton and Associates

• CISO, City of Seattle

• Managing Consultant, VeriSign GSC

• Senior Principal Consultant, Guardent

• Independent Security Consultant

• CEO, Network Commerce, Inc.

• Ocean Scientist, NASA/JPL

Don’t Try This

• Enabling Kevin Mitnick

• JPL, SunOS 4.13, and SATAN

• Accessing credit cards

• Oceanographic hacking

• FreeBSD and the FWTK

• The Bad Guys

• Network Commerce Inc.

• Assume breach

• Preventive controls not good enough

• Detective controls more imperative as device population grows

Security Philosophy

• Focus on key assets and event detection

• Mobile security should be carefully evaluated

• Prevention on the "network of things" will not scale

• Emergency response driven by IT disruption

• What it would look like

• What we normally do

• How response is different

• What we know now

• How we are addressing the problem

Cyber Meets Emergency Services

Local Government

Services that affect quality of life, and life. We’d like them to be there.


• Credit cards, IP, and Infrastructure

• Hacktivists, organized crime, and nation-states

• Capability, meet intent

My Perspective

Critical Infrastructure Now the Target of Most Attacks

Overall cyber attacks are up, but most dramatically in the last year, the type of attack has shifted away from hacking and financially motivated crime toward cyber espionage focused on critical infrastructure, such as utilities, according to research from communications provider Verizon.

“These aren’t about stealing data and fraud, they’re about deny, disrupt and destroy,” said Bryan Sartin, director of investigative response for Verizon.

In its upcoming Data Breach Investigation Report, a yearly document that is one of the more noteworthy surveys of attacks released to the public, the company found that cyber espionage, once a far lesser component of the attack volume, is now dominating networks.

http://www.federaltimes.com/article/20130227/SHOWSCOUT01/130227002/Critical-infrastructure-now-target-most-attacks

CRITICAL INFRASTRUCTURE

It’s good business sense!

Attack on Fake Control System

Attack on Financial Sector

Telephony Denial of Service

The Tunisian Cyber Army

#OpBlackSummer

Closer to Home

Closer…

Clark County Website Defacement

THREAT PROBABILITY: SIGNIFICANT

• Preparedness exercises

• EOC Activation

• NIMS: ESF2 and Logistics Branch

• WebEOC and other IT-enabled methods

• Role of the National Guard

• Application of the Stafford Act

How We Handle Disasters

• Escalation path not defined

• NIMS difficult to apply

• Fusion Center as coordination point

• No FEMA resource list, etc.

• Mutual-Aid agreements

• Role of the private sector

What’s Different

• Exercises – Emerald Down, Evergreen, NLE12

• Fusion Center Cyber Analyst (intake@wsfc.wa.gov)

• National Guard and State Response Plan for Significant Cyber Disruption

• CIRCAS

• FEMA resource typing

• FBI cyber task force

• US Attorney Jenny Durkan

State of Readiness

PRISEM: Public Regional Information Security Event Management

Regional Asset for Situational Awareness and Common Operating Picture

• DHS S&T funding to initiate; five grants total

• Participants contribute firewall logs, netflow, botnet alerts (Einstein); arbitrary devices under monitoring

• Commercial SIEM infrastructure at UW APL

• Cities of Seattle, Lynnwood, Bellevue, Kirkland, Redmond; Thurston and Kitsap Counties; Seattle Children’s Hospital, Snohomish PUD

PRISEM History
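The PRISEM slide describes participants pooling firewall logs and other events into one shared SIEM for regional situational awareness. The following is an added illustration of why that pooling matters, not PRISEM's own code or data: a source address that is denied once at each of several participants looks like background noise to any one of them, but stands out once the denies are correlated across sites. The log format, field names, site names and addresses are all constructed for this example.

```python
"""Cross-participant correlation over constructed firewall deny events.

Added illustration, not PRISEM's own code: shows that deny events pooled
from several participants reveal a source probing the whole region even
when each single participant sees only one or two hits from it.
Log format, field names, site names and addresses are constructed.
"""
from collections import defaultdict
import re

# Constructed sample: syslog-like firewall events from four participants
# (TEST-NET source addresses), plus one malformed line.
SAMPLE_LOGS = """\
2013-09-18T08:00:01 site=seattle action=deny src=203.0.113.7 dst=10.1.0.5 dport=22
2013-09-18T08:00:05 site=seattle action=deny src=198.51.100.9 dst=10.1.0.8 dport=445
2013-09-18T08:01:12 site=bellevue action=deny src=203.0.113.7 dst=10.2.0.3 dport=22
2013-09-18T08:01:40 site=bellevue action=allow src=192.0.2.44 dst=10.2.0.10 dport=443
2013-09-18T08:02:03 site=kirkland action=deny src=203.0.113.7 dst=10.3.0.9 dport=22
2013-09-18T08:02:30 site=redmond action=deny src=203.0.113.7 dst=10.4.0.2 dport=3389
2013-09-18T08:03:00 site=kirkland action=deny src=198.51.100.9 dst=10.3.0.1 dport=445
this line is malformed and should be skipped
"""

# One regex for the constructed key=value line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Yield one dict per well-formed line; skip anything that does not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def regional_scanners(text, min_sites=3):
    """Return {src: {"sites": [...], "dports": [...]}} for sources that were
    denied at min_sites or more distinct participants.

    Each participant alone holds only its own deny for such a source, so the
    threshold can only be evaluated over the pooled feed."""
    sites_by_src = defaultdict(set)
    ports_by_src = defaultdict(set)
    for ev in parse_events(text):
        if ev["action"] != "deny":
            continue  # allowed traffic is not part of this signal
        sites_by_src[ev["src"]].add(ev["site"])
        ports_by_src[ev["src"]].add(int(ev["dport"]))
    return {
        src: {"sites": sorted(sites), "dports": sorted(ports_by_src[src])}
        for src, sites in sites_by_src.items()
        if len(sites) >= min_sites
    }


if __name__ == "__main__":
    for src, info in regional_scanners(SAMPLE_LOGS).items():
        print(f"{src}: denied at {len(info['sites'])} sites "
              f"{info['sites']} on ports {info['dports']}")
```

With the default threshold of three sites, only 203.0.113.7 is reported; lowering `min_sites` to 2 also surfaces 198.51.100.9, which two participants each saw once. The threshold is the tuning knob a regional analyst would adjust against the number of contributing participants.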

PRISEM IN ACTION: HUNT FOR APT1

• Conduct more exercises on cyber disruption

• Finish the SCIRP

• Cement the role of the Fusion Center

• Continue working with FEMA

• Conduct outreach to the Private Sector

• Improve information sharing and situational awareness

Before the Real Event

• Improved resilience

• Avoiding cascading failures

• Protect regional infrastructure

• We learn to integrate

Benefits of Preparedness

Is Cybersecurity a Bubble?

My Contact Information

Michael Hamilton, Chief Information Security Officer, City of Seattle

Michael.Hamilton@Seattle.gov

206.684.7971 (D)