Pacific NW DGS 2015 Presentation - Information Battleground - Chris Chidley

  • Information Technology: How we came back from a cyber attack.

    By: Chris Chidley

    IT Manager @ Skagit Transit

  • Cyber Insurance Claim

    Washington State Transit Insurance Pool (WSTIP)

    First cyber claim for the insurance pool

    Opened a lot of eyes and brought much-needed attention to IT, not only for Skagit Transit but for other transit agencies as well.

    A technology SWAT team composed of insurance-picked IT professionals and local vendors who were familiar with Skagit Transit

    WSTIP creates best practices policies based on experiences at Skagit Transit

  • Organization Re-structure

    IT was not its own department; the department was created.

    New manager reports directly to GM

    New IT Policies drafted

    More buy-in from general management on IT budget increases to catch technology up

  • Hire an IT Manager!

    The IT Specialist at the time was terminated from employment soon after the cyber incident.

    The search was on almost immediately; action was needed and the right person was needed.

    May 2013: new IT manager began working on core issues identified by the insurance SWAT team

    New firewalls

    New networks

    Server consolidation with virtualization

    Catch up technology

    Windows XP to Windows 7

  • The New Plan

    Segment Networks

    3rd Party Patches

    Content Filtering

    Layered Defense

    Anti-Virus at internet connection

    Anti-Virus on e-mail

    Anti-Virus on servers

    Anti-virus on workstations

    Anti-virus on mobile devices

    Continued employee education

  • Network Segmentation

    All external connections except internet were on the same network

    Very easy for someone to get single point access to everything

    Very easy for network disruptions

    No control

    New switch, firewall and virtual technologies were utilized to segment a single network into many

    Separating management network

    Separating server network

    Separating user network

    Separating WiFi

  • Vulnerability Patching

    A server specific scan of vulnerabilities was made and a prioritized list of objectives formed from the findings

    Software vulnerabilities were determined to be one of the ways into our network for the cyber attack

    Attackers go after 3rd party applications a lot now, as they are used for most web applications and become a very easy way into remote systems

    Adobe

    Silverlight

    Java

    Chrome

    Internet Explorer

    Firefox

  • Computer Criminals

    Hacker: Computer-savvy programmer creates attack software

    Script Kiddies: Unsophisticated computer users who know how to execute programs

    Hacker Bulletin Board: SQL Injection, Buffer overflow, Password Crackers, Password Dictionaries

    Successful attacks! Crazyman broke into CoolCat penetrated

    Criminals: Create & sell bots -> spam

    Sell credit card numbers,

    System Administrators: Some scripts are useful to protect networks

    Malware package = $1K-2K

    1 M Email addresses = $8

    10,000 PCs = $1000

  • Leading Threats

    Virus

    Worm

    Trojan Horse / Logic Bomb

    Social Engineering

    Rootkits

    Botnets / Zombies

  • Social Engineering

    Social engineering manipulates people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems.

    Phone Call: "This is John, the System Admin. What is your password?"

    In Person: "What High School did you go to? Your mother's maiden name? What was your first car?"

    "I have come to repair your machine and have some software patches"

  • Brute Force Password Cracking

    Pattern                              Calculation  Result    Time to Guess (2.6x10^18/month)
    Personal Info: interests, relatives               20        Manual 5 minutes
    Social Engineering                                1         Manual 2 minutes
    American Dictionary                               80,000    < 1 second
    4 chars: lower case alpha            26^4         5x10^5
    8 chars: lower case alpha            26^8         2x10^11
    8 chars: alpha                       52^8         5x10^13
    8 chars: alphanumeric                62^8         2x10^14   3.4 min.
    8 chars: alphanumeric + 10           72^8         7x10^14   12 min.
    8 chars: all keyboard                95^8         7x10^15   2 hours
    12 chars: alphanumeric               62^12        3x10^21   96 years
    12 chars: alphanumeric + 10          72^12        2x10^22   500 years
    12 chars: all keyboard               95^12        5x10^23
    16 chars: alphanumeric               62^16        5x10^28
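The calculation behind the table above, as an added example that is not part of the original slides: it picks the smallest character pool from the Calculation column that covers a given password, then applies the slide's rate of 2.6x10^18 guesses per month. The 30-day month and all function names are assumptions; the slide's times were derived from rounded results, so the values here differ slightly.

```python
import string

GUESSES_PER_MONTH = 2.6e18            # rate from the slide's column header
SECONDS_PER_MONTH = 30 * 24 * 3600    # assumption: 30-day month
RATE = GUESSES_PER_MONTH / SECONDS_PER_MONTH   # about 1e12 guesses/second
DICTIONARY_SIZE = 80_000              # "American Dictionary" row

# Character pools from the slide's Calculation column, smallest first.
POOLS = [
    (26, set(string.ascii_lowercase)),
    (52, set(string.ascii_letters)),
    (62, set(string.ascii_letters + string.digits)),
    (95, set(string.ascii_letters + string.digits + string.punctuation + " ")),
]

def pool_size(password):
    """Return the smallest pool size that contains every character used."""
    chars = set(password)
    for size, pool in POOLS:
        if chars <= pool:
            return size
    raise ValueError("character outside the 95 printable keyboard characters")

def seconds_to_exhaust(pool, length):
    """Worst-case time to try every string of this length over this pool."""
    return pool ** length / RATE

def estimate(password, dictionary=frozenset()):
    """Upper bound in seconds; a dictionary word costs one pass over the list."""
    if password.lower() in dictionary:
        return DICTIONARY_SIZE / RATE
    return seconds_to_exhaust(pool_size(password), len(password))

def human(seconds):
    """Format a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    words = {"christmas"}   # constructed one-word dictionary for the demo
    # "christmas" is constructed; the other three are the slides' own examples.
    for pw in ("christmas", "Mfciblue", "m@!lf0n3", "hb2uhb2uhbdJhb2u"):
        print(f"{pw:18} pool={pool_size(pw):2} len={len(pw):2} {human(estimate(pw, words))}")
```

These figures are upper bounds for exhaustive search only; the personal-info and social-engineering rows of the table show how a guessable password falls far sooner.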

  • Creating Passwords

    Starting phrase: Merry Christmas

    Columns on the slide: Bad Password, Good Password

    Transformations labelled on the slide: (Abbreviate), (Lengthen), (Synonym), (Intertwine Letters), (convert vowels to numeric), (Keypad shift Right . Up)

    Passwords shown: Merry Xmas, mErcHr2yOu, MerryChrisToYou, MerChr2You, MerryJul, MaryJul, Mary*Jul, ,stuzc,sd Jq46Sjqw, M5rryXm1s, MXemrays, Glad*Jes*Birth

  • Creating Password Examples

    Combine 2 unrelated words: Mail + phone = m@!lf0n3

    Abbreviate a phrase: My favorite color is blue = Mfciblue

    Music lyric: Happy birthday to you, happy birthday to you, happy birthday dear John, happy birthday to you. = hb2uhb2uhbdJhb2u

  • Password Manager Software

    Password Safe

    http://passwordsafe.sourceforge.net/

    KeePass Password Safe

    http://keepass.info/

    Don't store passwords in easy-to-find places!

  • In Closing

    Good passwords are a first level of defense

    Buy-in from upper management is key to IT success

    Segmented networks are key to keeping critical information safe

    HVAC should not see POS

    Layered Defenses

    Employee Education

    Avoid social engineering and increase awareness

  • Thank you

    Chris Chidley, 360-757-1446

    Skagit Transit