homeland security lessons learned · self-replicating code password cracking exploiting known...
TRANSCRIPT
BradfordJ.Willke,CISSPProgramManager,CyberSecurityAdvisorProgramOfficeofCybersecurityandCommunications(CS&C)NationalProtectionandProgramsDirectorate(NPPD)
March2014
Homeland Security Lessons Learned: An Analysis from Cyber Security Evaluations
Presenter’s Name June 17, 2003
Capabilities: CS&Cworkscollaborativelywithpublic,private,andinternationalentitiestosecure,assess,andmitigatecyberrisk;andpreparefor,prevent,andrespondtocyberincidents.
CS&Cleadseffortstoprotectthefederal“.gov”domainofciviliangovernmentnetworksandtocollaboratewiththeprivatesector—the“.com”domain—toincreasethesecurityofcriticalnetworks.
Buildandmaintainaworld‐classorganizationtoadvancetheNation’scybersecuritypreparednessandraiseawarenessacrosstheNationoncybersecurity
Sector‐SpecificAgencyfortheCommunicationsandInformationTechnology(IT)sectors,CS&Ccoordinatesnational‐levelreportingthatisconsistentwiththeNationalResponseFramework(NRF).
OfficeofCybersecurityandCommunicationsMISSION:
To enhance the security, resilience, and reliability of the Nation’s cyberand communications infrastructure.
2
Presenter’s Name June 17, 2003
CyberSecurityAdvisors(CSA)RolesandResponsibilities RaiseawarenessofCS&Cactivities Assistinidentificationofcriticalcyber/informationinfrastructuressupportingCI/KR,andinterdependencies
Coordinateandleadcybersecurityevaluations ofcriticalinfrastructure
FunctionasaregionalCS&Cadvisortoplanning,operational,andstrategiccybersecurityeffortsandcommunities‐of‐interest–privateandpublicsector
Establishworkingrelationshipandrapportwithhomelandsecurityofficialsandcybersecurityprincipalswithinhomelandsecurity,IToperations,andemergencymanagementagencies
CoordinatewithFederalpersonnelwithinregiontointegrate cyberpreparedness,strategiccommunications,incidentresponse,andevaluations(i.e.,PSAs,FEMA,FederalLE– FBI,USSS,etc)
Coordinatestrategicoutreach andcollectstrategicrequirements– topromoteCS&Coperationalenhancementsandpolicyinitiatives
33
Improve CI/KR Cyber
& Operational Resilience
Engage Cyber
Security Communities
-of-Interest
Coordinate Coordinate Incident
Response & Requests
for Technical
Assistance
Provide Strategic
Feedback on CS&C
Programs
Presenter’s Name June 17, 2003
Critical Infrastructure Cyber Community (C3)
DHS launched the C3 Program in February 2014 to complement the launch of the NIST CSF
The C³ Voluntary Program helps sectors and organizations that want to use the CSF by connecting them to existing cyber risk management capabilities provided by DHS, other U.S. Government organizations, and the private sector.
The C3 website (http://www.us-cert.gov/ccubedvp) describes the various programs DHS offers to critical infrastructure partners, including Federal, State, local, and private sector organizations
Many of the programs described on the following slides can also be found on the website
Website:
http://www.us-cert.gov/ccubedvp
General C3 inquiries: [email protected]
C3 VP (Pre-Recorded) Webinar: https://share.dhs.gov/p4k4bp51kx7/
4
Presenter’s Name June 17, 2003
CYBER THREAT TRENDS AND SPECIFIC ATTACKS
5
Presenter’s Name June 17, 2003 6
GrowthofCyberThreats
1980 1985 1990 1995 2000 2012
Password guessingSelf-replicating code
Password crackingExploiting known vulnerabilities
Disabling audits
Burglaries
Back doors
Hijacking sessions
Sweepers
Sniffers
Packet spoofing
Network mngt. diagnostics
GUIAutomated probes/scans
Staging
www attacks
“Stealth”/advanced scanning techniques
Distributed attack toolsCross site scripting / PhishingDenial of Service
Sophisticated C2
Convergence
Estonia DoSRussia invades Georgia
SophisticationRequired of Actors
Declining
Sophisticationof Available Tools
Growing
Soph
istic
atio
n
Low
High
Stuxnet
DNS exploits
DDOS
Presenter’s Name June 17, 2003
InsiderThreat Insidershaveauniqueadvantageduetoaccess/trust Theycanbemotivatedbyrevenge,organizationaldisputes,personalproblems,boredom,curiosity,orto“proveapoint”
MalwareAuthors Individualsororganizationswithmaliciousintentcarryoutattacksagainstusersbyproducinganddistributingspywareandmalware
Phishers Individuals,orsmallgroupswhoattempttostealidentitiesorinformationformonetarygain
Spammers Individualsororganizationswhodistributeunsolicitede‐mailwithhiddenorfalseinformationtosellproducts,conductphishingschemes,distributespyware/malware,orattackorganizations
Terrorists Cyberattackshavethepotentialtocrippleunsecuredinfrastructures Cyber‐linkagesbetweensectorsraisetheriskofcascadingfailure
CyberThreat:HumanThreatsWhoisbehindtheseintentionalthreats?
Putting Cybersecurity in Perspective7
Presenter’s Name June 17, 2003
CyberAttack:StepbyStep
8
Presenter’s Name June 17, 2003
ShodanHQ
9
ShodanHQhasidentified:
~500,000devicesconnectedtotheinternet
98,415werelocatedintheU.S.
7,257wereassociatedwithIndustrialControlSystems
ShodanHQisthefirstsearchenginedesignedtosearchforcomputersanddevices.
Recommendation:RunasearchusingyournetworkIPrangetoidentifyorvalidate:devices,misconfigurations,location,services,HW/SWversions,etc.
9
HomelandSecurity Office of Cybersecurity and Communications
UNCLASSIFIED
UNCLASSIFIED
2012:Targetedcyberattackonpipelines Over 20 targeted pipeline operators
(December 2011 – June 2012) Confirmed intrusions and near misses Adversary is targeting industrial control
systems information Document searches: “SCAD*”
Personnel Lists Usernames/Passwords Dial-Up access information System manuals
Exfiltrated ICS access credentials The data exfiltrated could provide an
adversary with the capability to access US ONG ICS including performing unauthorized operations
10
HomelandSecurity Office of Cybersecurity and Communications
UNCLASSIFIED
UNCLASSIFIED
Whatwastaken? All_gate_meter.xls <station>_SCADA8‐23‐2002.vsd ContactListGasScada.xls <redacted>_Area_RTUs.xls DialUp####VectorLists.xls SCADA_Server_UsersGuide.pdf GasControlNumbers.xls GasSCADAProfilesDefined10‐22‐03.xls Gas‐ControlAssetlist.xls <station>Dialup.xls PASS1.xls <station>datapoints forlog.xls RTUpointlist.xls RTUSITES.xls SCADADivisionOptions.ppt
SCADAHARDWAREUPGRADE.ppt SCADASites.xls Scada UsersManual.zip SCADA_logons.doc Security.zip StandardColors&Symbols.xls StationControlTestingProcedures.ppt DIALUP.DOC DISPLAYS.DOC <station>Comm CardConverterpinout.pdf Comm PortsforAirlink.pdf D‐SubtoRJ45ModularAdapters.pdf SCADAPersonnel.html
11
AWideRangeofOfferingsforCriticalInfrastructure NationalCybersecurityand
CommunicationsIntegrationCenter(NCCIC)– US‐CERTOperationsCenter
• RemoteandOn‐SiteAssistance• MalwareAnalysis• IncidentResponseTeams
– ICS‐CERTOperationsCenter• ICS‐CERTMalwareLab• CyberSecurityEvaluationTool• IncidentResponseTeams
– NCATS• CyberHygieneservice• RiskandVulnerabilityAssessment
US‐CERT– NationalCyberAwarenessSystem– VulnerabilityNotesDatabase– SecurityPublications
ControlSystemsSecurityProgram– CybersecurityTraining– InformationProductsand
RecommendedPractices CyberExerciseProgram CyberSecurityEvaluations
Program– CyberResilienceReview– CyberInfrastructureSurveyTool
12
Presenter’s Name June 17, 2003
• CyberHygiene(CH)Evaluation• PenTest(aka RVA)• CyberResilienceReview(CRR)• CyberSecurityEvaluationTool(CSET)
OtherEvaluations:• CyberInfrastructureSurveyTool(C‐IST)• SupplyChainRiskManagement(SCRM)Assessment• ICSDesignArchitectureReview• ICSNetworkAnalysisVerification&Validation
DHSCyberSecurityEvaluations
1313
Presenter’s Name June 17, 2003
CYBERHYGIENE(CH)
14FOUO / UNCLASS
Overview:
Cyber hygiene (CH) refers to steps that computer users can take to improve their cybersecurity and better protect themselves online. It may include reorganizing the IT infrastructure, hardware and devices; patching authorized software and removing unauthorized software; continuous monitoring, training and awareness; and formalizing existing informal information security controls.
HomelandSecurity Office of Cybersecurity and Communications
CyberHygiene
• AssessInternetaccessiblesystemsforknownvulnerabilitiesandconfigurationerrors.
• Workwithorganizationtoproactivelymitigatethreatsandriskstosystems. Activitiesinclude:
• NetworkMapping• Identify public IP address space• Identify hosts that are active on IP addressspace
• Determine the O/S and Services running• Re‐run scans to determine any changes• Graphically represent address space on a map
• NetworkVulnerability&ConfigurationScanning• Identify network vulnerabilities and weakness
FOUO / UNCLASS
A4
Slide 15
A4 Reomved the DNSSEC language as right now it is a manual process and we have a difficult time doing 140 Federal agenices.Author, 12/18/2013
Presenter’s Name June 17, 2003
PENETRATIONTESTS(AKANETWORKRISKANDVULNERABILITYASSESSMENTS)
16FOUO / UNCLASS
Overview:
A penetration test, or the short form pentest, is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data.
The process involves identifying the target systems and the goal, then reviewing the information available and undertaking available means to attain the goal. A penetration test target may be a white box (where all background and system information is provided) or black box (where only basic or no information is provided except the company name). A penetration test will advise if a system is vulnerable to attack, if the defenses were sufficient and which defenses (if any) were defeated in the penetration test.
HomelandSecurity Office of Cybersecurity and Communications
RiskandVulnerabilityAssessment(RVA)• Conductsred‐teamassessmentsandprovidesremediationrecommendations.
• Identifyrisks,andprovideriskmitigationandremediationstrategies• Improvesanagency’scybersecurity posture,limitsexposure,reducesratesofexploitation,andincreasesthespeedandeffectivenessoffuturecyberattackresponses.
• ServicesInclude:Service Description
Vulnerability Scanning and Testing Conduct Vulnerability Assessments
Penetration Testing Exploit weakness or test responses in systems, applications, network and security controls
Social Engineering Crafted e-mail at targeted audience to test Security Awareness / Used as an attack sector to internal network
Wireless Discovery & Identification
Identify wireless signals (to include identification of rogue wireless devices) and exploit access points
Web Application Scanning and Testing
Identify web application vulnerabilities
Database Scanning Security Scan of database settings and controls
Operating System Scanning Security Scan of Operating System to do Compliance Checks
FOUO / UNCLASS
Presenter’s Name June 17, 2003
CYBERRESILIENCEREVIEW(CRR)
18FOUO / UNCLASS
Overview:
The Cyber Security Evaluation Program (CSEP), within the Department of Homeland Security’s (DHS) National Cyber Security Division (NCSD), conducts a no-cost, voluntary Cyber Resilience Review (CRR) to evaluate and enhance cyber security capacities and capabilities within all 16 Critical Infrastructure and Key Resources (CIKR) Sectors, as well as State, Local, Tribal, and Territorial (SLTT) governments. The CRR seeks to understand cyber security management of services (and associated assets) critical for an organization’s mission success by focusing on protection and sustainment practices within ten key domains that contribute to the overall cyber resilience of an organization.
Presenter’s Name June 17, 2003
One‐day,no‐cost,facilitatedcybersecurityevaluation
Deploymentacrossall16CIKRsectorsaswellasState,local,tribal,andterritorialgovernments
BasedontheCERT®ResilienceManagementModel(RMM),aprocessimprovementmodelformanagingoperationalresilience
Primarygoal:EvaluatehowCIKRprovidersmanagecybersecurityofsignificantinformationservicesandassets(information,technology,facilities,andpersonnel)
Secondarygoal:Identifyopportunitiesforimprovementincybersecuritymanagementandreduceoperationalrisksrelatedtocybersecurity
19
Cyber Resilience Review (CRR)
FOUO / UNCLASS
Presenter’s Name June 17, 2003
CyberResilience Definition: TheabilityofanorganizationtocontinuevitalITservicesandinformationmanagementfunctionsinaless‐than‐idealsituationwhilereactingandadaptingtostresses
20
Protect (Security) Sustain (Continuity)
Perform (Capability) Repeat (Maturity)
FOUO / UNCLASS
Presenter’s Name June 17, 2003
CRR Domains These represent key areas that typically contribute to an organization’s
cyber resilience— each domain focuses on: Documentation in place, and periodically reviewed & updated Communication & notification to all those who need to know Execution/Implementation & analysis in a consistent, repeatable manner Alignment of goals and practices within & across CRR domains
AM
AssetManagementidentify,document,andmanageassetsduringtheirlifecycle SC
M ServiceContinuityManagementensurecontinuityofIToperationsintheeventofdisruptions
CCM ConfigurationandChangeManagementensuretheintegrityofITsystemsandnetworks
RISK
RiskManagementidentify,analyze,andmitigateriskstoservicesandITassets
CNTL ControlsManagementidentify,analyze,andmanageITandsecuritycontrols EXD ExternalDependencyManagement
manageIT,security,contractual,andorganizationalcontrolsthataredependentontheactionsofexternalentities
VM
VulnerabilityManagementidentify,analyze,andmanagevulnerabilities
TRNG TrainingandAwareness
promoteawarenessanddevelopskillsandknowledge
IM
IncidentManagementidentifyandanalyzeITevents,detectcybersecurityincidents,anddetermineanorganizationalresponse
SA
SituationalAwarenessactivelydiscoverandanalyzeinformationrelatedtoimmediateoperationalstabilityandsecurity
FOUO / UNCLASS
MaturityNotJustCapability AMIL(MaturityIndicatorLevel)measuresprocessinstitutionalization,
anddescribesattributesindicativeofmaturecapabilities.
MILLevel5– DefinedAllpracticesareperformed(MIL‐1);planned(MIL‐2);managed(MIL‐3);measured(MIL‐4);andconsistentacrossallinternalconstituencieswhohaveavestedinterest— processes/practicesaredefinedbytheorganizationandtailoredbyorganizationalunitsfortheiruse,andsupportedbyimprovementinformationsharedamongstorganizationalunits.
MILLevel4– MeasuredAllpracticesareperformed(MIL‐1);planned(MIL‐2);managed(MIL‐3);andperiodicallyevaluatedforeffectiveness,monitored&controlled,evaluatedagainstitspracticedescription&plan,andreviewedwithhigher‐levelmanagement.
MILLevel3– ManagedAllpracticesareperformed(MIL‐1);planned(MIL‐2);andgovernedbytheorganization,appropriatelystaffed/funded,assignedtostaffwhoareresponsible/accountable&adequatelytrained,producesexpectedworkproducts,placedunderappropriateconfigurationcontrol,andmanagedforrisk.
MILLevel2– PlannedAllpracticesareperformed(MIL‐1);andestablished,planned,supportedbystakeholders,standardsandguidelines.
MILLevel1– PerformedAllpracticesareperformed,andthereissufficientandsubstantialsupportfortheexistenceofthepractices.
MILLevel0– IncompletePracticesarenotbeingperformed,orincompletelyperformed.
22FOUO / UNCLASS
Cyber Resilience Reviews (CRR) A no-cost, voluntary, interview-based review producing a formal report
– Takes one (1) day (i.e., 5-6 hours excluding lunch and breaks) to complete Helps CIKR and SLTT partners understand and measure cyber security
capabilities as they relate to operational resilience and cyber risk during:– normal operations (i.e., protection & sustainment)– times of operational stress and crisis (i.e., survivability & resilience)
Based on the CERT ® Resilience Management Model (CERT® RMM), a process improvement model for managing operational resilience– Cross-referenced and compatible with the NIST Security Management
Framework (i.e., EO 13636) Information provided during the CRR is afforded protection under the
DHS Protected Critical Infrastructure Information Program Scheduling or general inquiries to: [email protected]
– Sean McCloskey ([email protected]), Program Manager, Cyber Security Evaluations
23
FOUO / UNCLASS
Presenter’s Name June 17, 2003
CYBERSECURITYEVALUATIONTOOL(CSET)
24FOUO / UNCLASS
Overview:
The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) by cybersecurity experts and with assistance from the National Institute of Standards and Technology (NIST). This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
Cyber Security Evaluation Tool (CSET )
25
Stand-alone software application
Self-assessment using recognized standards
Tool for integrating cybersecurity into existing corporate risk management strategy
CSET Download:http:/us-cert.gov/control_systems/csetdownload.html
R
FOUO / UNCLASS
CSET Standards
NIST Special Publication 800-53 Recommended Security Controls for Federal Information SystemsRev 3 and with Appendix I, ICS Controls
TSA Pipeline Security Guidelines Transportation Security Administration (TSA) Pipeline Security Guidelines, April 2011
NERC Critical Infrastructure Protection (CIP) Reliability Standards CIP-002 through CIP-009, Revisions 2 and 3
DoD Instruction 8500.2 Information Assurance Implementation, February 6, 2003
NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security, June, 2011
NRC Reg. Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010
CFATS RBPS 8- Cyber Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 – Cyber, 6 CFR Part 27
DHS Catalog of Recommendations DHS Catalog of Control Systems Security, Recommendations for Standards Developers, Versions 6 and 7
Requirements Derived from Widely Recognized Standards
R
FOUO / UNCLASS
FOUO / UNCLASS
FOUO / UNCLASS
Hard‐copyReports
29FOUO / UNCLASS
FOUO / UNCLASS
Presenter’s Name June 17, 2003
DHSEVALUATIONFINDINGS&LESSONS‐LEARNED
31
Presenter’s Name June 17, 2003
DataPoints:2011NationwideCyberSecurityReview
32
Rank Process Area Ad‐Hoc
DocumentedPolicy‐DocumentedStandardsandProcedures
RiskMeasured ‐RiskValidated
1 MaliciousCode 12% 36% 52%2 PhysicalAccessControl 16% 39% 46%3 LogicalAccessControl 18% 40% 42%4 SecurityTesting 42% 22% 36%5 IncidentManagement 32% 38% 31%6 BusinessContinuity 33% 36% 31%7 PersonnelandContracts 29% 41% 30%8 SecurityProgram 30% 40% 30%9 InformationDisposition 27% 44% 29%
10 SecuritywithinTechnologyLifecycle 36% 35% 29%
11 RiskManagement 45% 26% 29%12 MonitoringandAuditTrails 46% 27% 28%
These results are based on the 162 responses
32
Strengths: 52%haveimplementedand/orvalidatedprotectivemeasuresforthedetectionandremovalofmaliciouscode
81%ofallrespondentshaveadoptedcybersecuritycontrolframeworksand/orsecuritymethodologies
42%haveimplementedand/orvalidatedlogicalaccesscontrols(e.g.,termination/transferprocedures,ACLs,remoteaccess)
Weaknesses: 42%ofrespondentsstatedtheydonothaveindependenttestingand/orauditprogramestablished
45%ofrespondentsstatedtheyhavenotimplementedaformalriskmanagementprogram(e.g.,riskassessments,securitycategorization)
46%ofrespondentsstatedtheyhavenotimplementedMonitoringandAuditTrailswhichisimportanttodetermineifanincidentisoccurringorhasoccurred.
31%ofallrespondentshaveneverperformedacontingencyexercise
67%ofallrespondentsstatedithasbeenatleasttwoyearssincetheyupdatedtheirInformationSecurityPlan
66%ofallrespondentsstatedithasbeenatleasttwoyearssincetheyupdatedtheirDisasterRecoveryPlansFOUO / UNCLASS
DHSCRRAnalyticalFindings Fromananalysisofatotalof115organizationsin43statesacross12sectors
participatinginevaluationsofcybersecuritymanagementandoperationalpracticesinCriticalInfrastructures/KeyResources(CIKR),DHSfound:
Only 14% of organizations have a documented plan for performing situational awareness activities.
Only 14% of organizations have a documented plan for performing situational awareness activities.
A majority (70%) of organizations do not have a documented risk management plan.
A majority (70%) of organizations do not have a documented risk management plan.
50% of organizations do not have a formal strategy to ensure continuity of the critical service, and even fewer (<40%) execute a formal test of these continuity plans.
50% of organizations do not have a formal strategy to ensure continuity of the critical service, and even fewer (<40%) execute a formal test of these continuity plans.
A majority (65%) of organizations lack a process to escalate and resolve incidents.
A majority (65%) of organizations lack a process to escalate and resolve incidents.
55% to 65% of organizations have not developed a strategy to guide their vulnerability management effort.
55% to 65% of organizations have not developed a strategy to guide their vulnerability management effort.
Nearly half of the organizations assessed do not document which assets support critical services.
Nearly half of the organizations assessed do not document which assets support critical services.
Less than half of organizations identify control objectives, and worse yet less than half of those that do actually implement security control to meet those objectives
Less than half of organizations identify control objectives, and worse yet less than half of those that do actually implement security control to meet those objectives
A large majority (>80%) of organizations identify external dependencies, but nearly half fail to identify risks associated with these dependencies.
A large majority (>80%) of organizations identify external dependencies, but nearly half fail to identify risks associated with these dependencies.
Source: U.S. Department of Homeland Security. Cyber Resilience Review Data Analysis. Office of Cybersecurity and Communications. Washington: September 2013.
33
DHSCRRAnalyticalFindings– Cont.
34
DHSCRRAnalyticalFindings– Cont.
35
DHSCRRAnalyticalFindings– Cont.
36
Key Resilience DomainsAM
AssetManagementidentify,document,andmanageassetsduringtheirlifecycle IM
IncidentManagementidentifyandanalyzeITevents,detectcybersecurityincidents,anddetermineanorganizationalresponse
CCM
ConfigurationandChangeManagementensuretheintegrityofITsystemsandnetworks SC
M
ServiceContinuityManagementensurethecontinuityofessentialIToperationsifadisruptionoccurs
RISK
RiskManagementidentify,analyze,andmitigateriskstocriticalserviceandITassets
EXD
ExternalDependenciesManagementestablishprocessestomanageanappropriatelevelofIT,security,contractual,andorganizationalcontrolsthataredependentontheactionsofexternalentities
CNTL
ControlsManagementidentify,analyze,andmanageITandsecuritycontrols TR
NG TrainingandAwareness
promoteawarenessanddevelopskillsandknowledgeofpeople
VM
VulnerabilityManagementidentify,analyze,andmanagevulnerabilities SA
SituationalAwarenessactivelydiscoverandanalyzeinformationrelatedtoimmediateoperationalstabilityandsecurity
37
When Resilience Fails – NE Power Outage – August 14, 2003
DHS Cyber Resources – Operations Focused NationalCybersecurityandCommunicationsIntegrationCenter(NCCIC)
Servesasanationalcenterforreportingandmitigatingcommunicationsandcybersecurityincidents.http://www.dhs.gov/about‐national‐cybersecurity‐communications‐integration‐center
Provides: 24x7real‐timethreatanalysisandincidentreportingcapabilities,at1‐888‐282‐0870 MalwareSubmissionProcess:
Pleasesendallsubmissionsto:[email protected]‐cert.gov Mustbeprovidedinpassword‐protectedzipfilesusingpassword“infected” Web‐submission:https://malware.us‐cert.gov
ICS‐CERTTraining:http://ics‐cert.us‐cert.gov/cscalendar.html
CyberSecurityEvaluationsProgram([email protected]) Providesno‐cost,voluntarycybersecurityevaluationsandassessments,including:
CyberResilienceReview(CRR) One‐day,facilitatedevaluationfocusedoncriticalITservicesandthesecuritymanagement
process CyberSecurityEvaluationTool(CSET) Stand‐alonesoftwareapplication,usedasaself‐assessmentagainstrecognizedstandardsand
atoolforcreatingabaselineofcybersecuritypractices Downloadableat:http:/us‐cert.gov/control_systems/csetdownload.html
38
NCCIC provides real-time threat analysis and incident reporting capabilities• 24x7 contact number: 1-888-282-0870 https://forms.us-
cert.gov/report/When to Report:If there is a suspected or confirmed cyber attack or incident that:-Affects core government or critical infrastructure functions; -Results in the loss of data, system availability; or control of systems; -Indicates malicious software is present on critical systems
Additional - Incident Reporting
Malware Submission Process:• Please send all submissions
to AMAC at: [email protected]
• Must be provided in password-protected zip files using password “infected”
• Web-submission: https://malware.us-cert.gov
39
FOUO / UNCLASS
ContactInformation
DepartmentofHomelandSecurityNationalProtectionandProgramsDirectorateOfficeofCybersecurityandCommunications
General Inquiries
Evaluation Inquiries
DHS Contact InformationBradford WillkeProgram Manager, Cyber Security Advisor Program
[email protected]+1 412 375-4069