Episode 2 – December 16, 2012
South Carolina released a report on the attack which resulted in the loss of millions of taxpayers' information
- resulted from an employee clicking on a link or attachment in a phishing email
- compromised the employee’s computer with a remote access trojan
- compromised 44 servers using stolen credentials obtained by stealing hashes
- 33 unique pieces of malware were used
What can we learn?
- People are the weakest link
- Separate networks to limit mobility of attackers once inside
- Apply more rigorous controls to accounts/people/workstations who have administrative access
- Password authentication is weak and getting worse. Stronger alternatives, like two-factor authentication, are really needed
- Hackers are becoming sophisticated. Tools and techniques are becoming refined. It’s time to take this seriously.
- Ability to detect intruders and activities of malware is generally weak
- Prepare leaders/spokespeople before they talk about an incident. http://chronicle.augusta.com/news/metro/2012-10-29/haley-defends-not-encrypting-taxpayer-information
- Attribution of attacks is hard – a Chinese IP address does not mean the Chinese government is hacking you.
- Even if the attacker is foreign, that is not an acceptable excuse for having weak controls.
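The South Carolina intrusion above fanned out from one compromised workstation to 44 servers on stolen credentials, and the lesson list notes that detecting that kind of activity is generally weak. The following is an added example (not from the episode or the state's report) of the simplest useful check a defender can run over logon records: flag any account that reaches an unusual number of distinct hosts from a single source in a short window, and mark whether that account is privileged. The event format, the sample lines, the `ADMIN_ACCOUNTS` set, the window and the threshold are all constructed assumptions for the demonstration.

```python
"""Added example: detect one account fanning out to many hosts from one source.

Assumptions (not from the episode): logon events are available as whitespace-
separated records of ISO timestamp, account, source host, destination host and
logon type. The sample below is constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The svc-backup lines imitate one workstation
# authenticating to several servers in a few minutes late at night.
SAMPLE_EVENTS = """\
2012-11-01T09:00:00 jdoe WS-017 FILESRV01 network
2012-11-01T09:05:00 jdoe WS-017 MAIL01 network
2012-11-01T22:10:00 svc-backup WS-017 DB01 network
2012-11-01T22:11:00 svc-backup WS-017 DB02 network
2012-11-01T22:12:00 svc-backup WS-017 APP03 network
2012-11-01T22:13:00 svc-backup WS-017 APP04 network
2012-11-01T22:14:00 svc-backup WS-017 FILESRV02 network
2012-11-02T08:30:00 asmith WS-042 FILESRV01 network
"""

# Assumed list of privileged accounts; in practice this comes from the directory.
ADMIN_ACCOUNTS = {"svc-backup", "domain-admin"}


def parse_events(text):
    """Parse the constructed record format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "type": logon_type,
        })
    return events


def find_fan_out(events, window=timedelta(minutes=30), threshold=4):
    """Return {account: {"source", "hosts", "admin"}} for every (account, source)
    pair that reaches `threshold` or more distinct destination hosts within
    `window`. A sliding window over time-sorted events keeps the check linear
    per pair for the small inputs a review like this deals with."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["account"], e["src"])].append(e)

    alerts = {}
    for (account, src), evs in by_pair.items():
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["dst"])
            if len(hosts) >= threshold:
                alerts[account] = {
                    "source": src,
                    "hosts": sorted(hosts),
                    "admin": account in ADMIN_ACCOUNTS,
                }
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for account, info in find_fan_out(parse_events(SAMPLE_EVENTS)).items():
        flag = "PRIVILEGED" if info["admin"] else "standard"
        print(f"{account} ({flag}) from {info['source']} reached {len(info['hosts'])} hosts: "
              + ", ".join(info["hosts"]))
```

The threshold and window are deliberately crude; the point is that even this level of aggregation over existing logon data separates normal use (one user touching a file server and mail) from the pattern of one credential sweeping across servers, and ties it back to whether the account is administrative, which is exactly where the lesson list says controls should be tightest.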
- A NASA laptop with ‘sensitive personally identifiable information’ was stolen from a locked car. The laptop was not encrypted.
What can we learn?
Quote from the article:
“As a result of the security breach, Nasa’s chief information officer, Linda Cureton, has said that with immediate effect laptops containing information about the following topics could only leave its buildings if the relevant data was encrypted:
the international sale or transport of weapons, nuclear equipment or other materials that fall under the US’s export administration regulations
information about Nasa’s human resources.”
- That’s the wrong way to think about it.
- Unless you have a damn good way to control what info goes where, encrypt ALL workstation hard drives and portable media
- Thinking about this stuff after having to give a press conference on losing 3.6m taxpayer records or an unencrypted laptop with sensitive data is not the right time.
- Security is about risk management.
- Understand your risks and plan controls accordingly.
The SANS Top 20 Critical Security Controls is something every security practitioner should be intimately familiar with.