Essentials on Cyber Security
GFOA 112th Annual Conference, May 6-9, 2018, St. Louis, Missouri
www.gfoa.org • #GFOA2018
10:30 – 12:10 • May 9, 2018 • Room 230 Complex

Moderator/Speakers:
Tonia Lediju, PhD, Chief Audit Executive, City and County of San Francisco
Nicole Galloway, CPA, Missouri State Auditor, State of Missouri
Joe Lyons, PhD, Director, Security & Strategic Intelligence, and Assistant Professor, Saint Louis University
Bryan Hurd, CISM, CISA, CISSP, NSA-IAM, CCCI, CCFT, SNSCP, Vice President, Stroz Friedberg (Aon Company)
Steve Flaherty, CPA, CIA, CFE, Principal Auditor, City and County of San Francisco



Cyber Security: Essential for Good Government

Nicole Galloway, CPA, Missouri State Auditor

CYBERSECURITY: It’s all about the Data Integrity

Joe Lyons, Ph.D., Director and Assistant Professor
Security and Strategic Intelligence Program, Saint Louis University

Denial of Service Attack

Ransomware: A $5 Billion Dollar Problem

Over 1 million new viruses and pieces of malicious code are sent out each day.

The times, they are a changing… (Bob Dylan, 1964)

Across smartphones, Android has 85% of the total OS market… (IDC May 2017)

FULL IDENTITY ON THE DARK WEB: $5.00

Data integrity: the maintenance of, and the assurance of the accuracy and consistency of, data over its entire life-cycle.

Without Trust… the data is just numbers.

John Q. Public, CPA, CYBER WARRIOR

Essentials on Cyber Security
Government Financial Officers are FUNDAMENTAL to Cyber Security

Wednesday, May 9, 2018, 10:30am to 12:10pm

Disclaimer

The information contained herein and the statements expressed are of a general nature and may not apply to particular factual or legal circumstances. The materials do not constitute legal advice or opinions and should not be relied upon as such. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Copyright Notice
Copyright © 2017 Aon Corporation. All rights reserved. No part of this document may be reproduced in any form, including video recording, photocopying, downloading, broadcasting or electronic transmission, without prior written consent of Aon Corporation.

Trademarks
The trademarks, service marks, trade names, and logos (“Marks”) associated with this presentation are owned by Aon Corporation, or third parties who have authorized their use. Nothing contained on this presentation should be construed as granting any license or right to use any Mark displayed in the presentation without the written permission of Aon Corporation or such third party that may own the Mark. Misuse of any Marks, or any other content, displayed on this website is prohibited.

Essentials on Cyber Security

Governments are being hit by an ever-increasing number of cyberattacks that range from targeting citizens’ private information to stealing funds.

Without appropriate measures, including risk management, cyber insurance, and business continuity plans, government data are at risk.

In this session, experts will explain how to defend against online fraudsters and detail creative and innovative solutions to cyber security, even if your government faces budget and staffing constraints.


Bryan E. Hurd, CISM, CISA, CISSP, NSA-IAM, CCCI, CCFT, SNSCP

Current: Vice President, Stroz Friedberg

– Director of Intelligence, Microsoft Cybercrime Center
– Chief of Operations, Directorate of Terrorist Identities, US National Counterterrorism Center
– FOUNDER US Navy Cyber Counterintelligence Program, NCIS
– Creator Defensive Information Operations, U.S. European Command
– Senior Exec - Machine Learning and Artificial Intelligence Start Up
– Enterprise Intelligence Architect for Defense Intelligence Agency, Mantech
– Global Program Director for Computer Forensics, EDS
– Senior Analyst, Computer Investigations and Operations, NCIS
– Board Certified Antiterrorism Officer, U.S. Navy Antiterrorist Alert Center

Cyber Threat Environment for Finance Officers


The Big Intel Question – Who is the Threat?

STATE: “There are no enemies...only emerging allies.”
CIA: “We know who the enemy is, but telling you would endanger the source.”
NSA: “We know who the enemy is, but you aren’t cleared.”
Director of National Intelligence: “Whomever the enemy is, we are in charge of stopping them.”
US Marines: “Doesn’t matter. Mess with the best, die like the rest.”
US FBI: “The CIA.”

Financial Crime is Going Cyber…

• Criminal groups have skilled technical staff in many areas. They innovate their tools and techniques with every technological era.
• Use of digital technology to further traditional crimes
• New cyber-only crimes
– Banking Trojans = fraud
– Ransomware = extortion
– DDoS protection rackets = extortion

Transnational Cyber Crime Activities

• Ransomware
• Financial Fraud
• Identity Theft
• Human Trafficking
• Child Exploitation
• Cyber Terrorism
• Drug Trafficking / Smuggling
• Financial Denial of Service
• Industrial Espionage
• Intellectual Property Theft
• Massive Scale Identity Theft
• And many more…

Cyber Crime as a Service

Our New Reality…

• Cybercrime is evolving and poses a significant threat to consumers, businesses and governments
• Global, organized crime rings have embraced cybercrime as a key tactic
• The threats range from malware and botnets used to
– Steal critical financial, national or research data
– Infiltrate Critical Infrastructure
– Interrupt Critical Services via Ransomware

The new reality – Increasingly Bold Nation State Activities

NATION STATE CYBER ESPIONAGE AND INFORMATION WAR INFLUENCES GLOBAL POLITICS AND POLICY

Cyber espionage will continue to influence global politics and will spread to the upcoming elections in Latin America and Europe. Russia, China, Iran, and North Korea will be regions of great concern in 2017, as they continue to develop deep pools of cyber-crime talent.

2017 brought about more attacks from countries seeking to access and exploit sensitive information to realize their national interests, whether to wage an information war or conduct other destabilizing attacks such as disrupting networks or utility grids. Cyber espionage and nation-state cyber warfare will escalate.

© 2017 Stroz Friedberg. All rights reserved.

Threat landscape

[Chart: number of records exposed, by incident type – insider, ransomware, hack, DDoS]

As the threat landscape intensifies, the impact of cyber attacks has increased

The Evolving Cyber Threat

Across all industries, our clients are continuing to invest in deploying digital technologies to stay competitive and drive quality and efficiency objectives

[Diagram: the “Evolving Cyber Equation” – Technological Drivers (Automation, Connectivity) and Business Drivers feeding Risk Drivers: Material Damage, Business Interruption, Product Liability, Data Breach, Media Liability, I.P. Infringement]

2017 Cyber Exposure Trends

• Increasing data integrity attacks
• Regulator focus and pressure for in-house red teaming and cybersecurity talent development
• Criminal utilization of IoT devices as botnets and launching points for malware
• Nation state cyber espionage and information war influences in global and political policy
• Spear-phishing and social engineering tactics
• Pre-M&A cybersecurity due diligence

Cyber Attacks on Critical Infrastructure

• Water Supply
• Public Health
• Government
• Banking & Finance
• Telecommunications
• Emergency Services
• Transportation
• Power
• Law Enforcement

Attacks on Critical SERVICES – US City of Atlanta - 2018

• Ransomware cyberattack - $51,000 ransom demand
• Hearings for those in police custody are canceled until computer systems are functioning.
• “This is an attack on our Government, on all of us”
• Hired a COMMERCIAL company to help with the breach
• OFFLINE ARE - all applications for jobs, paying water bills, paying traffic/parking tickets, police reporting. Many have established manual workarounds
• Good news – Atlanta's public-safety services such as 911, police, and fire-rescue are unaffected. Also safe were Hartsfield Jackson International Airport systems (except WIFI) and Atlanta City Payroll
• Mayor: “being a national model of how cities can shore themselves up”

Banking Trojans and SWIFT Attacks

• $101 Million US Dollars – Bangladesh Bank
• Malware issued unauthorized SWIFT messages AND acted to conceal the transfer
• Lazarus Group = possibly North Korea
• [Slide image: Dillinger quote – $200 Million USD]
• Attacks on SWIFT continue

Cyberattack ‘Wake-Up Call’ for Pipeline Industry

• Companies weren’t required to report attack to regulator U.S. Transportation Security Administration (TSA)
• Agency urged pipelines to take measures including establishing a cybersecurity plan, limiting network access and changing default passwords.
• Congressman sees ‘bad actors’ looking to weaken U.S.
• Did not interrupt flow of natural gas (Targeted I.T. systems not O.T. systems)
• Interruptions are EXTREMELY DIFFICULT to recover from

Cyber Attack on Baku-Tbilisi-Ceyhan (BTC) - 2008

A massive explosion in Refahiye, Turkey in 2008.

EXTERNAL? Infrared camera that caught two individuals with laptop computers walking near the pipeline
– Over 60 hours of BTC video surveillance DELETED

Hackers, probably acting under the direction of Russia, had shut down alarms, cut off communications and then super-pressurized the crude oil in the line.

Business impact of the attack = billions of dollars.

Also, Australian Sewage Incident - 2001

Our 2018 Predictions:

A shift to managing cyber as an enterprise risk

2018 Cybersecurity Predictions – Stroz Friedberg

https://content.strozfriedberg.com/2018-cybersecurity-trends-predictions-report


The CFO Scam – Have plans in place for Business Email Compromise (BEC)?

A BEC occurs when a “bad actor” impersonates a senior executive and orders expedited transfers of funds to first-time vendors, likely located overseas. The BEC is typically preceded by a phishing scheme or social engineering to gain information from company staff. Accounts are often emptied within hours after the initiation of the wire transfer and the full financial losses tend to fall to the companies.

• How can you rapidly confirm requests, especially when rank and urgency are abused in BEC?
• How will you communicate in a way that the adversary cannot control?
• Solution starts with FINANCIAL PROCESS controls, not technology!
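An added illustration, not from the presentation or its speakers, of the financial-process control the slide calls for: a screening rule that holds a wire request for out-of-band confirmation when it shows the BEC pattern described above (first-time vendor, overseas destination, expedited, executive-rank request arriving by email). The request fields, vendor list, role names and the dual-approval threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class WireRequest:
    """Fields a finance office would see on a payment request (constructed)."""
    requester_role: str        # e.g. "CFO", "Clerk"
    channel: str               # "email", "phone", "in_person"
    vendor_id: str             # vendor master record id
    amount_usd: float
    destination_country: str   # country code, e.g. "US", "HK"
    expedited: bool            # "send it today" style urgency


# Constructed reference data (assumptions, not from the presentation):
# vendors already vetted in the vendor master, the home country, the roles
# whose rank is most often impersonated in a BEC, and a dual-approval limit.
APPROVED_VENDORS = {"V-1001", "V-1002"}
HOME_COUNTRY = "US"
EXECUTIVE_ROLES = {"CEO", "CFO", "Controller", "Treasurer"}
DUAL_APPROVAL_USD = 25_000.0


def bec_risk_flags(req: WireRequest) -> List[str]:
    """Return the BEC warning signs present on a request (empty = none)."""
    flags = []
    if req.vendor_id not in APPROVED_VENDORS:
        flags.append("first-time vendor")
    if req.destination_country != HOME_COUNTRY:
        flags.append("overseas destination")
    if req.expedited:
        flags.append("expedited transfer")
    if req.channel == "email" and req.requester_role in EXECUTIVE_ROLES:
        flags.append("executive-rank request received by email")
    return flags


def release_decision(req: WireRequest, callback_confirmed: bool,
                     second_approver: bool) -> str:
    """Apply the process control: large amounts need a second approver, and
    any flag holds the wire until the requester is confirmed by callback to
    a phone number already on file (never a number or reply address taken
    from the requesting email, since the adversary controls that channel)."""
    flags = bec_risk_flags(req)
    if req.amount_usd >= DUAL_APPROVAL_USD and not second_approver:
        return "HOLD: second approver required"
    if flags and not callback_confirmed:
        return "HOLD: out-of-band callback required (" + ", ".join(flags) + ")"
    return "RELEASE"


if __name__ == "__main__":
    # Constructed sample: the classic CFO-scam pattern from the slide.
    urgent = WireRequest("CFO", "email", "V-7777", 180_000.0, "HK", True)
    print(release_decision(urgent, callback_confirmed=False, second_approver=True))
    routine = WireRequest("Clerk", "in_person", "V-1001", 900.0, "US", False)
    print(release_decision(routine, callback_confirmed=False, second_approver=False))
```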


What Can Government Finance Officers Do Today…

To support on the TECHNICAL LEVEL

– According to Essye Miller, Acting CIO and Senior Information Security Officer (SISO), Department of Defense, studies of hacks into DoD networks indicate one area to bring significant protection…
• Start by securing the ENDPOINTS (PCs, Laptops and Devices)
• This was where adversaries of all types (from insiders to nation state programs) got their foothold

– But the technical level is not where finance officers will have the most impact…
– It will be at the enterprise business level!

So let’s LEVEL IT UP!

Government Financial Officers and the “Boardroom Discussion”


Don’t Dumb it Down…

• It’s tempting for security professionals to focus all of their attention on the technical details:
– Threats, Vulnerabilities, Exploits, IT Solutions, Indicators of Compromise

• But LEADERS should talk about
– BUDGET, Mission, Business, Strategy, Regulatory, Legal
– Balancing between attackers, defenders, regulators, and citizens

… Level It Up!

What Can Government Finance Officers Do Today… FRAMEWORKS

Identify and protect your critical assets and balance sheet by aligning your cyber enterprise risk management strategy with your corporate culture and risk tolerance.

Finance officers can ask for the framework your team is using and then ask for a “business level” explanation of budget allocation in cyber discussions

Discussion Example ONLY – not recommended allocation
• 30% to security architecture development and deployment (protect)
• 10% to Assess and Test
• 10% to Improve
• 15% to Detect
• 10% to Quantify and Mitigation (Continuity Plans, COOP, Backups, etc.)
• 20% to Respond
• 5% to Training, Awareness and other areas

What does your financial allocation framework look like?

Goal: Lower Total Mission Impact of Risk

Developing Security Program Overview – Think RISK not technology!

• Review existing policies and compare against policy framework
• Develop/update policies, standards, procedures and supporting documentation
• Develop/update policy framework definitions
• Perform a high-level assessment and identify gaps in the current information security program against your selected framework
• Conduct risk assessment and develop risk assessment methodology in accordance with requirements
• Based on the asset universe, perform a threat, vulnerability and likelihood analysis on the asset groups
• Prepare risk treatment and remediation plan and identify controls to address high risk areas
• List responsible individuals and implementation timelines
• Maintain project management oversight and guidance

IOT, Cloud, eGov, etc. Ask about security BEFORE it deploys…

As new SYSTEM X is developed or deployed, how much of the DEVELOPMENT project budget was focused on ensuring security?

What security checks and balances are there in our PROCUREMENT processes?

How are we supporting that we have funded deployment of a secure solution?

What funds keep the security of this capability UP TO DATE? Patch vulnerabilities, etc.?


What Can Government Finance Officers Do Today… Start with FINANCIAL QUESTIONS

What are we allocating in budget to protect our systems directly? How does this compare to other GFOA members in organizations of my size, complexity and limited budget resources? Are there collective procurement or negotiation options for solutions or services?

What is our approach to dependencies from suppliers and third parties?

How do we prioritize the systems, services or capabilities that receive increased budget for protection?

Incident Response – BEFORE, During and After

Have we budgeted to conduct table tops or incident walk-throughs? Do we have the contracts in place for services we may need during or after an incident?

What budgetary resources and approvals will be needed to respond to an incident?

What levels of service are expected? How are those services paid for? From which budget?

What are the priorities for recovery and restoration of critical services?

Don’t Dumb it Down…

• It’s tempting for security professionals to focus all of their attention on the technical details:
– Threats, Vulnerabilities, Exploits, IT Solutions, Indicators of Compromise

• But LEADERS should talk about
– Diplomacy, Mission, Business, Strategy, Regulatory, Legal
– Balancing between attackers, defenders, regulators, and consumers

… Level It Up!

Essentials on Cyber Security
Government Financial Officers are FUNDAMENTAL to Cyber Security

Bryan E. [email protected]

CITY & COUNTY OF SAN FRANCISCO
Office of the Controller, City Performance Unit
Steve Flaherty, CPA, CIA, CFE
05.09.2018

Essentials on Cyber Security: An Auditor’s Perspective

What Are We Really Talking About?

cybersecurity (noun) cy·ber·se·cu·ri·ty \ ˈsī-bər-si-ˌkyu̇r-ə-tē \

measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack

Popularity: Top 40% of words

“Audit” Popularity: Top 30% of words

Source: merriam-webster.com

With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse.

Ransomware

• There were an average of 1,242 ransomware detections per day in 2017

Crypto Jacking

• Coin Mining detections have increased by 8,500% in 2017


Some Bad News

Your Jurisdiction

Doxing – Exposing and publishing one’s identity and personal information online

DDoS – Distributed Denial of Service is the use of multiple computers to generate an excessive amount of network traffic with the intent of rendering a service unusable

Web Defacement - Making unauthorized changes to a targeted website

Some Bad News

More Bad News

But Really, Why Should I Care?

$ Regulatory Fines $

$ Legal Costs $ $ Remediation $

Average Cost of an Attack: $1.3 million

Source: https://www.csoonline.com/article/3227065/security/cyber-attacks-cost-us-enterprises-13-million-on-average-in-2017.html

But Really, Why Should I Care?

• Not my money

• Not my data

• They can’t take their business elsewhere

Avoid bad job consequences!


Is There Any Good News?

Local governments can use people, processes, and technology to improve cybersecurity without spending a lot of money.


Where Are We?


The People

• Get Executive and Senior Management buy-in
– Start here!
• Staff training and awareness
– Repeat this regularly!
• Hire for experience, qualifications, and attitude
– Easier said than done!
• Collaborate!

The Processes

• Adopt a cybersecurity policy and framework
• Align your security framework with your organization
• Continually review processes and communicate
– Things change quickly

The Processes

Adopt a Cybersecurity Policy and Framework


The Processes

The NIST Cybersecurity Framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program.

The Processes

Break Your Framework into Cybersecurity Controls You Can Assess

Can’t adopt a framework? No checkbox – evaluate risks

Does your organization have policies on:
• Use of government equipment?
• Password length?
• How often passwords are changed?
• Personal electronic items?
• Employee cybersecurity training?
• Vendor cybersecurity training?
• Cloud-based services?
• Breach recovery?

The Processes

• Do not skip People and Processes!
• Own the program, not the tool
• Focus on the basics:
– Are you patching?
– Are permissions in place?
– Is your password “password”?
– Can you identify anomalies?
– Do you know what’s on your networks/systems?
– Can you recover and restore?
• Identify vulnerabilities and penetration test

The Technology

• Take a holistic approach – people, processes, and technology

• Establish a framework

• Identify risks based on your operation – no checkboxes 

• Begin mitigation


Final Thoughts

[email protected]

Thank you.

Any questions?