Presentation is loading. Please wait.

Presentation is loading. Please wait.

Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013.

Published byMaryann Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013."— Presentation transcript:

1 Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013

2 Case Study Agenda  Data Breach: A Targeted Attack  State Response  Lessons Learned 2

3 Data Breach: A Targeted Attack Attacker FTPd the files from the agency network. Attacker accessed a database server and copied/compressed targeted files. Attacker logged into the network via a Citrix gateway using valid credentials. Attacker maneuvered laterally within the network to identify potential targets. Attacker gained access through phishing and obtained privileged user credentials. 3

4 Data Breach: A Targeted Attack  The attacker compromised a total of 44 systems  The attacker used at least 33 unique pieces of malicious software and utilities to perform the attack and data theft activities  The attacker remotely accessed DOR using at least four IP addresses  The attacker used at least four valid DOR user accounts during the attack.  This activity occurred over a period of 60 days  SCDOR learned of the breach after being notified by law enforcement Nearly two-thirds of organizations learn they are breached from an external source. Source: Mandiant 4

5 Data Breach: A Targeted Attack On average, it is taking companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it. Source: Ponemon Institute In 2012, 38% of targets were attacked again once the original incident was remediated. Of the total cases Mandiant investigated in 2012, attackers lodged more than one thousand attempts to regain entry to former victims. Source: Mandiant 5

6 Data Breach: A Targeted Attack 3.8 million Soc. Security Numbers Compromised 400k Credit Card Numbers Compromised Due to the breach, the following were compromised: 6

7 Avg. Cost Per Breached Record: $194 Avg. Cost of Data Breach for an Organization: $5.5 million Source: Ponemon Institute 7

8 State Response: Executive Order #1 – October 26, 2012 Order: State Inspector General - Determine state security posture & how to improve it Interviews conducted, surveys completed Immediate steps provided to help prevent attacks ; 11 recommendations KEY FINDINGS: 1. Develop/implement a statewide info management security program. 2. Establish a federated model for governance. 3. Implement a CISO position to lead program development. 4. Hire a consultant to help the state develop an INFOSEC program 8

9 State Response: Executive Order #2 – November 14, 2012 Order: All 16 cabinet agencies to use DSIT monitoring services Monitor cabinet agencies on a 7x24 basis Upgrade tools and improve level of monitoring Work with agencies to be more proactive; stop flow of traffic if necessary 9

10 State Response Senate and House established cyber security sub-committees Senate Bill 334 – Extends Identity Theft Protection (credit monitoring) up to 10 years – Provides tax credits for individuals who choose to purchase independent identity theft protection and not be covered under the State’s plan – Creates an Identity Theft Unit within the Department of Consumer Affairs – Creates a Division of Information Security within the Budget and Control Board Chief Information Security Officer is appointed by the Governor w/ the advice and consent of the Senate – Creates a Technology Investment Council Plans, Standards and Architecture – Creates a Joint Information Security Oversight Committee Monitor laws, best practices 10

11 State Actions: RFP Issued December 2012 – State Budget and Control Board authorized RFP Hire a Security Expert to help the State develop an enterprise security program; agency assessments May 1 – Identify most serious vulnerabilities and provide recommendations; budget estimates Develop security framework, governance structure, policies/procedures, training requirements 11

12 Lessons Learned 1.Management of security needs to be more centralized in SC 2.Overall, state agencies recognize the need to improve their cyber security program 3.Attacks are becoming more frequent and aggressive – state governments are a target 4.We need to work together; share information 5.Funding is a key challenge (state governments average 1 to2 % of IT spend on Security; financial sector is approx. 6%) 6.Staffing is a key challenge (50% of state security organizations have 1- 5 employees; GFSI Study shows 47% have > 100 employees) 7.State agencies must do more to share status/security position with Leadership 12

13 Questions & Comments Jimmy Earley, Division Director Division of State Information Technology Phone: (803) 896-0222 Email: jearley@cio.sc.govjearley@cio.sc.gov

Download ppt "Case Study: Department of Revenue Data Breach National Association of State Auditors, Comptrollers and Treasurers March 21, 2013."

Similar presentations

Cybersecurity Update December 5, 2012. Agenda Cybersecurity – A growing problem Cybersecurity in other states (NASCIO/Deloitte Study) Structure Challenges.

Cybersecurity Update December 5, Agenda Cybersecurity – A growing problem Cybersecurity in other states (NASCIO/Deloitte Study) Structure Challenges.
Red Flag Rules: What they are? & What you need to do

Red Flag Rules: What they are? & What you need to do
EXTERNAL Corruption Prevention NetworkJuly 2007Fraud Control Planning Tax Office Fraud Control Planning: Tools and Techniques PRESENTED BY: Annalissa Hilton.

EXTERNAL Corruption Prevention NetworkJuly 2007Fraud Control Planning Tax Office Fraud Control Planning: Tools and Techniques PRESENTED BY: Annalissa Hilton.
Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.

Copyright © 2014 American Water Works Association Water Sector Approach to Process Control System Security.
Protecting Personal Information Guidance for Business.

Protecting Personal Information Guidance for Business.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.

Identity Theft “Red Flags” Rules Under the FACT Act Reid Fudge CISSP, CISA Pulte Mortgage, LLC November 2008.
BEWARE! IDENTITY THEFT CARL JOHNSON FINANCIAL LITERACY JENKS HIGH CSHOOL.

BEWARE! IDENTITY THEFT CARL JOHNSON FINANCIAL LITERACY JENKS HIGH CSHOOL.
IDENTITY THEFT & THE RED FLAGS RULE Presented by Brady Keith, Assistant General Counsel CREDIT MANAGEMENT SERVICES, INC.

IDENTITY THEFT & THE RED FLAGS RULE Presented by Brady Keith, Assistant General Counsel CREDIT MANAGEMENT SERVICES, INC.
Chapter 43 An Act Relative to Improving Accountability and Oversight of Education Collaboratives Presentation to Board of Elementary and Secondary Education.

Chapter 43 An Act Relative to Improving Accountability and Oversight of Education Collaboratives Presentation to Board of Elementary and Secondary Education.
David A. Brown Chief Information Security Officer State of Ohio

David A. Brown Chief Information Security Officer State of Ohio
Information Security Policies and Standards

Information Security Policies and Standards
1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September.

1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September.
1 Information and Systems Security/Compliance Security Day - 2005 The Information and Systems Security/Compliance Program Dave Kovarik.

1 Information and Systems Security/Compliance Security Day The Information and Systems Security/Compliance Program Dave Kovarik.
SAS 112: The New Auditing Standard Jim Corkill Controller Accounting Services & Controls.

SAS 112: The New Auditing Standard Jim Corkill Controller Accounting Services & Controls.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.

External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

Similar presentations

Ads by Google