2007 Colorado Digital Government and Cyber Security Summit September 18, 2007 Mark Weatherford Chief Information Security Officer State of Colorado The Cyber Security Threatscape & the Colorado Response Copyright Mark Weatherford 2007

2007 Colorado Digital Government and Cyber Security Summit

September 18, 2007

Mark Weatherford, Chief Information Security Officer

State of Colorado

The Cyber Security Threatscape & the Colorado Response

Copyright Mark Weatherford 2007

Agenda

• The Cyber Security Threat

• The Cost of Insecurity

• BOTS, BOTNETS, BOTHERDERS – it’s not a foreign language

• Dumb things USERS (still?) do

• What we are doing in Colorado State Government

IDENTITY THEFT HELP

» State Employees can call a hot line to get more information on the records theft at 543-0073.

Article URL: http://denverposte.com/2006/04/14/news/story01.html

© 1996-2006 The Denver Poste | www.denverposte.com

Tuesday, September 18, 2007 - Denver, Colorado 8:06:18 AM MDT

State reports mass identity record theft

Employees are warned to track their credit scores after the disclosure

By Ima [email protected]

State Attorney General Barney Rubble said federal authorities notified his office of the theft in January but asked that the information be withheld while an unrelated cyber crime investigation was ongoing. In letters sent yesterday, state officials warned Colorado Government Employees Association and United Public Workers members whose names were on the stolen list or who were enrolled in union-sponsored health and group life insurance plans between July and December 1999 that they could be at risk of identity theft.

Records containing the names, Social Security numbers and birth dates of more than 40,000 individuals were illegally reproduced at a copying business sometime before January while they were waiting to be put onto a compact disc for the state.

HOAX

Do a Google search on “Hacking Tools.” As you can see here, in 0.18 seconds there were 26.5M hits.

Tools of the Trade

The Threat in Context

[Chart: Potential Damage (Low to High) against Probability of occurrence (Low to High), plotted for 2000, 2003 and 2007. Threat actors shown: Hacker, Criminal, Espionage, Terrorist, State Sponsored, Jihadists, Mobsters]

• 2006 – Veterans Administration laptop with personal information on 26.5M veterans is stolen. “Total losses could top $500M.” – VA Secretary Nicholson

• Hackers stole data from at least 45.7 million credit and debit cards at retailer T.J.Maxx – total costs could exceed $1.0B

• California’s Health and Human Services Agency will spend $691,000.00 to notify 1.4 million people that their personal information may have been stolen in an August attack on a computer belonging to the University of California – Berkeley.

• Hackers “data mining” results in a $7,000,000.00 computer security upgrade in the state of Alaska. The attack resulted in a $41M proposal for additional upgrades over the next five years. – Anchorage Daily News

The Cost of Insecurity

• If you think the Internet neighborhood is safe…you’re WRONG!

• Hackers are looking for YOU and want to take advantage of YOUR organization!

• Hackers used to look for the big hit for notoriety in the Black Hat community

• No More! It’s all about the money!

• Mob. Terrorists. Criminals.

The Neighborhood has Changed

Bad guys don’t always wear black hats

But they are getting very organized!

It’s a battleground out there

• And a business:

– Overtly advertise criminal activity to maximize profits

– Extortion

– Gambling site Denial Of Service attack can cost up to $50,000 a day to be off-line

• Serious Stuff

– Some experts won’t even talk publicly for fear of family safety

BOTS and BOTNETS

• A BOT is a compromised computer (called a zombie) and a BOTNET is a collection of zombies that have been infected with remote-control software.

Evil Botherder

BOTs – the next Killer App?

A BOTNET is an infrastructure for criminals to commit crime and make money by:

• Spamming

• DDoS

• Phishing Attacks

• Worms

• Sniffing Passwords

• Keystroke Logging

• ID theft

• Hosting Illegal Software

Who’s the Botherder?

• Ruthless Hackers who infect, control, buy, and sell BOTNETS.

• Digital Gang warfare – mostly from Russia, Eastern Europe, Brazil, and Asia

• Steal each other’s infected computers

• Knock each other’s BOTNETS off-line

• Use stolen A/V software to stop all attacks except their own on their infected computers.
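A check a defender can run over the centralized connection logs mentioned later in this deck, added here as an example and not part of the presentation: a zombie polls its command-and-control server on a timer, so a source/destination pair whose connection times recur at a near-constant interval is a candidate bot. The log format (epoch seconds, source IP, destination IP:port) and every line in SAMPLE_LOG are constructed for this example; the 300-second interval, the 6667/tcp port and the thresholds are illustrative assumptions, not values from the slides.

```python
"""Flag source/destination pairs whose connections recur at a regular interval.

Added example, not from the presentation.  Input format (constructed):
    <epoch-seconds> <src-ip> <dst-ip>:<dst-port>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 beacons to 203.0.113.9 about every 300 s;
# 10.0.0.7 is an ordinary user hitting the same web server at irregular times.
SAMPLE_LOG = """\
1190100000 10.0.0.5 203.0.113.9:6667
1190100299 10.0.0.5 203.0.113.9:6667
1190100601 10.0.0.5 203.0.113.9:6667
1190100900 10.0.0.5 203.0.113.9:6667
1190101202 10.0.0.5 203.0.113.9:6667
1190101500 10.0.0.5 203.0.113.9:6667
1190100017 10.0.0.7 198.51.100.20:80
1190100044 10.0.0.7 198.51.100.20:80
1190100410 10.0.0.7 198.51.100.20:80
1190100455 10.0.0.7 198.51.100.20:80
1190101790 10.0.0.7 198.51.100.20:80
1190101803 10.0.0.7 198.51.100.20:80
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_interval, coefficient_of_variation) of the gaps between
    connections, or None when there are too few gaps to judge.  A coefficient
    of variation near zero means the gaps are almost identical (timer-driven)."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return [(src, dst, mean_interval)] for pairs that look like beacons.
    min_connections and max_cv are tuning assumptions for this example."""
    hits = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        score = beacon_score(ts)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

The irregular browsing host has the same number of connections to one destination as the bot, so the count alone does not separate them; the regularity of the gaps does. Real bots add jitter, so in practice the coefficient-of-variation threshold has to be loosened and combined with other signals such as the destination's reputation.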

Identity Theft

• Fastest growing crime in America

• Big Business

– Average cost of a Data Breach: $182 per lost record

– 2006 – average cost per company: $4.8M (range $226,000 to $22,000,000)

• Typical Cause

– Stolen laptops

– Compromised Databases

– Lost Back-up Tapes

– Mismanaged email

- Ponemon Institute

Credit Cards for Sale

They are playing for real!

Hacker confirms price – “You wanna buy an 0”

Vulnerabilities for sale!


Old News . . . but it still works!

From: Peter Wallace [[email protected]]
Sent: Sunday, September 12, 2007 12:53 PM
Subject: Classified-Proposition

HELLO FRIEND,

PLEASE BEAR WITH ME FOR NOW AND DO NOT ASK MY NAME.

WHAT I HAVE MAY BE OF INTEREST TO YOU. IT IS A BUSINESS PROPOSAL THAT WILL BE BENEFICIAL TO YOU AND I. I LIVE IN LONDON, UNITED KINGDOM. I AM 51 YEARS OLD AND I HAVE BEEN WORKING IN A BANK IN LONDON FOR THE PAST 17 YEARS WHERE I AM PRESENTLY AN ACCOUNTS MANAGER. I WILL GIVE YOU MY FULL DETAILS ON YOUR REPLY TO THIS LETTER. MY AIM OF CONTACTING YOU IS TO SOLICIT YOUR CO-OPERATION AND ASSISTANCE BASED ON ONE OF THE ACCOUNTS UNDER MY MANAGEMENT CONTAINING $18.5 MILLION (EIGHTEEN MILLION & FIVE HUNDRED DOLLARS) WHICH HAS REMAINED DORMANT FOR THE LAST TWELVE YEARS.

THIS ACCOUNT WAS OWNED BY THE LATE MRS. JOVITA JASMINE CARERRA AND FOLLOWING MY INVESTIGATION, I FOUND OUT THAT SHE DIED ON MAY 1992 VIA A CAR CRASH IN THE BAHAMAS AND SHE LEFT NO CHILDREN OR NEXT OF KIN.

I WILL INFORM YOU MORE ON HOW WE CAN GET THE MONEY IN HER ACCOUNT TRANSFERED INTO YOUR ACCOUNT IF YOU AGREE TO CO-OPERATE WITH ME ON THIS ON YOUR REPLY TO THIS MAIL.

I WILL ALSO GIVE YOU MORE PERSONAL DETAILS OF ME AND THE TRANSACTION ON YOUR REPLY.

PLEASE TREAT THIS AS CONFIDENTIAL, URGENT AND OF UTMOST IMPORTANCE.

PLEASE RESPOND ONLY VIA: [email protected]
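A triage check for mail like the one above, added here as an example and not part of the presentation: score a message on the tells this kind of proposal shows (a reply address outside the sender's domain, shouting, secrecy and urgency language, a large dormant sum attached to a dead owner, an impersonal greeting). The two messages below and every address in them are constructed for the example; the indicator list and the threshold of three hits are assumptions, not a published rule set.

```python
"""Score an e-mail for advance-fee ("419") scam indicators.

Added example, not from the presentation.  All addresses, sample text and
thresholds are constructed for illustration.
"""
import re
from email import message_from_string

URGENCY_WORDS = ("URGENT", "CONFIDENTIAL", "UTMOST IMPORTANCE", "DO NOT ASK MY NAME")
STORY_WORDS = ("DORMANT", "NEXT OF KIN", "THE LATE", "TRANSFER")
GENERIC_GREETINGS = ("HELLO FRIEND", "DEAR FRIEND", "DEAR SIR/MADAM")
MONEY_RE = re.compile(r"\$\s?\d[\d,.]*\s*(?:MILLION|M\b)?", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def domain(addr):
    """Lower-cased domain part of the first e-mail address found in addr."""
    m = ADDR_RE.search(addr or "")
    return m.group(0).rsplit("@", 1)[1].lower() if m else ""


def scam_indicators(raw):
    """Return the names of the indicators that fire for a raw RFC 822 message
    (single-part plain text assumed)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=False)
    upper_body = body.upper()
    hits = []

    # 1. The victim is steered to a reply address outside the sender's domain,
    #    either via a Reply-To header or an address written into the body.
    from_dom = domain(msg.get("From"))
    reply_addrs = ADDR_RE.findall(msg.get("Reply-To", "")) + ADDR_RE.findall(body)
    if any(domain(a) != from_dom for a in reply_addrs):
        hits.append("reply-address-domain-mismatch")

    # 2. Shouting: more than 80% of the letters are upper-case.
    letters = [c for c in body if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.8:
        hits.append("all-caps")

    # 3. Pressure and secrecy language.
    if any(w in upper_body for w in URGENCY_WORDS):
        hits.append("urgency-or-secrecy")

    # 4. Unsolicited windfall: a sum of money plus a dormant-account story.
    if MONEY_RE.search(body) and any(w in upper_body for w in STORY_WORDS):
        hits.append("windfall-story")

    # 5. Impersonal greeting: the sender does not know who they are writing to.
    if any(g in upper_body for g in GENERIC_GREETINGS):
        hits.append("generic-greeting")

    return hits


def is_probable_scam(raw, threshold=3):
    """True when at least `threshold` indicators fire (threshold is an assumption)."""
    return len(scam_indicators(raw)) >= threshold


# Constructed sample in the style of the mail quoted on the slide; the
# addresses use the reserved .test TLD and are not real.
SCAM_MAIL = """\
From: Peter Wallace <pwallace@example-bank.test>
To: victim@example.test
Subject: Classified-Proposition

HELLO FRIEND,
PLEASE BEAR WITH ME FOR NOW AND DO NOT ASK MY NAME.
ONE OF THE ACCOUNTS UNDER MY MANAGEMENT CONTAINING $18.5 MILLION
HAS REMAINED DORMANT FOR TWELVE YEARS. THE OWNER, THE LATE MRS CARERRA,
LEFT NO NEXT OF KIN. PLEASE TREAT THIS AS CONFIDENTIAL AND URGENT.
PLEASE RESPOND ONLY VIA: peter.wallace@freemail-example.test
"""

# Constructed benign internal message for comparison.
BENIGN_MAIL = """\
From: Payroll <payroll@example.test>
To: staff@example.test
Subject: September timesheets

Hi all,
Timesheets for September are due Friday. Reply here with questions.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MAIL), ("benign", BENIGN_MAIL)):
        print(name, is_probable_scam(raw), scam_indicators(raw))
```

The reply-address check is the one that survives rewording: a "bank manager" who insists on a reply to a free webmail account has already told you the sender header is not to be trusted. Keyword lists like the ones here catch only this template and need regular updating.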

The following two screens demonstrate the capabilities of Back Orifice.

• The first screen shows a pop-up message a hacker sent to a victim.

• The second screen shows the view from the victim’s camera as he received the message.

Example of a Hacker Tool

Dumb Things Users (Still) Do

• Click on email attachments from unknown senders

Dumb Things Users (Still) Do (2)

• Installing unauthorized applications

• Turning off or disabling automated security tools

• Saving sensitive and private data where it doesn’t belong – memory sticks, laptops, etc.

• Surfing to gambling, pornographic, or other legally risky websites

• Sharing passwords

• Attaching to untrustworthy public WiFi networks

• Filling out on-line forms or registration pages

• Chat rooms and social networking sites

HB06-1157 – IT Security in Public Agencies

HB 06-1157 was signed in June 2006. The legislation established the Colorado Information Security Act with the following provisions:

• Created the Chief Information Security Officer (CISO)

• Created the Colorado Cyber Security Program (CCSP)

• Required Security Policies as Rules

• Required a Plan of Action and Milestones (POAM) with a three (3) year phase-in period

Colorado Cyber Security Program

What are we doing?

– Enterprise Cyber Security Policies

– Incident Response Program

– Critical System Inventory - Risk Based Gap Analysis

– Laptop Encryption Project

– Intrusion Detection System (IDS) Deployment

– Firewall Management and Monitoring

– Security Event Management – Centralized Log Collection

– Threat and Vulnerability Assessment - WASP

– Cyber Security Training and Awareness

– Information Security Operations Center (ISOC)

Our Challenge…

Colorado Outreach

• Multi-State Information Sharing and Analysis Center (MS-ISAC)

• Colorado Government Association of Information Technology (CGAIT)

• Colorado Information Managers Association (CIMA)

• Incident Response Summits

• Cyber Security Advisories

• Cyber Storm II

Questions?

mark.weatherford@state.co.us

303-866-6229

www.colorado.gov/cybersecurity