[oagitm] South Carolina Department of Revenue Breach - Public Incident Response Report

  • From: "MASSE Theresa A * CIO" <theresa.a.masse@xxxxxxxxxxx>
  • To: "oagitm@xxxxxxxxxxxxx" <oagitm@xxxxxxxxxxxxx>
  • Date: Wed, 21 Nov 2012 17:26:04 +0000

OAGITM Members:

As you have all probably already read, the South Carolina Department of Revenue 
suffered a major information security breach, resulting in the theft of 
millions of citizen SSNs and credit card numbers.

Attached is the publicly-released incident response report prepared for them by 
Mandiant, the incident response and forensic services contractor that 
investigated the incident.  Although this report contains quite a bit of 
technical detail about how the attack progressed, a key takeaway is the 
methodology used by the attackers.  This is a summary of that methodology:

  1.  Phishing email was sent to several S.C. Revenue employees.  At least one 
employee clicked on the link in the email, infecting their computer with 
credential-stealing malware
  2.  Using credentials stolen by malware, the attacker logged into an S.C. 
Revenue remote-access solution and attacked internal servers, stealing 
additional valid credentials and installing a backdoor to allow further access
  3.  Using several sets of valid credentials, the attacker was able to 
infiltrate the S.C. Revenue server infrastructure, locate a database server 
with sensitive information, then copy that information off to servers under 
their control on the Internet

This is a common attack methodology, one that has been successful against all 
sizes and types of organizations.  Defenses against this attack include:

  *   Employee training.  Phishing is very common and it occurs all the time at 
the State.  All employees should receive training on how to recognize and 
respond to phishing attempts, including spear phishing;
  *   Desktop patching and anti-virus.  Up-to-date software is more resistant 
to malware than older, more vulnerable versions;
  *   Internal monitoring and anomaly detection.  In South Carolina's case, 
attackers were active in their internal networks for almost two months and were 
never detected - an external party notified them that they had a problem;
  *   Incident response processes.  Agency staff need to know how to respond 
quickly and efficiently if they detect this type of attack.

None of these defenses is sufficient by itself to stop all attacks like this, 
but a combination of them will make these types of attacks less successful and 
allow agencies to reduce damage quickly in the event of a successful attack.

Having an illustration of a successful attack against another state provides a 
valuable opportunity to learn from their experience.  You may want to share 
this example with your leadership, business partners, and staff.

Regards,

Theresa A. Masse
Chief Information Security Officer
State of Oregon
Department of Administrative Services
Enterprise Security Office
503-378-4896
Data Classification 2 - Limited

Confidentiality Notice: This message, including any attachments or links, may 
contain privileged, confidential and/or legally protected information.  Any 
distribution or use of this communication by anyone other than the
intended recipient(s) is strictly prohibited.  If you have received this 
communication in error, please notify the sender immediately by replying to 
this message and then delete all copies of the original communication, 
including any attachments and/or links.
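The "internal monitoring and anomaly detection" defense above is the one most directly tied to the attack chain described (stolen credentials used over remote access, then bulk copying of a database off to the Internet). The following script is an added illustration of what such monitoring can look like at its simplest; it is not part of the original message or of the Mandiant report. All log lines, account names, IP addresses, dates and thresholds in it are constructed for the example, and the three checks it runs (a login from an address never seen for that account, a login outside business hours, and one account authenticating from two different addresses within a day) plus the per-host egress volume check are generic heuristics, not anything the report is stated to have recommended.

```python
"""
Constructed example: simple anomaly checks over remote-access authentication
records and per-host egress totals. Everything below (accounts, IPs, dates,
byte counts, thresholds) is made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed remote-access (VPN) authentication records:
# date time user source_ip result
VPN_LOG = """\
2012-08-27 08:02:11 jdoe 198.51.100.10 success
2012-08-27 08:15:40 asmith 198.51.100.11 success
2012-08-27 23:47:05 jdoe 203.0.113.77 success
2012-08-28 02:13:19 jdoe 203.0.113.77 success
2012-08-28 09:01:02 asmith 198.51.100.11 success
"""

# Constructed per-host daily egress summaries: date internal_host bytes_out
EGRESS_LOG = """\
2012-08-27 db-srv-01 1200000
2012-08-28 db-srv-01 8400000000
2012-08-28 web-srv-02 350000000
"""

# Hypothetical baseline: source addresses previously seen for each account.
BASELINE_IPS = {"jdoe": {"198.51.100.10"}, "asmith": {"198.51.100.11"}}
BUSINESS_HOURS = range(7, 19)                 # 07:00-18:59, illustrative
EGRESS_THRESHOLD_BYTES = 5_000_000_000        # 5 GB/day, illustrative cut-off


def parse_vpn(text):
    """Parse the constructed VPN log into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, ip, status = line.split()
        rows.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                     "user": user, "ip": ip, "status": status})
    return rows


def find_vpn_anomalies(rows, baseline, window=timedelta(hours=24)):
    """Return (kind, user, detail, timestamp) tuples for suspicious logins."""
    alerts = []
    seen = defaultdict(list)  # user -> successful logins processed so far
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["status"] != "success":
            continue
        # 1. Address never seen for this account before.
        if r["ip"] not in baseline.get(r["user"], set()):
            alerts.append(("new_source_ip", r["user"], r["ip"], r["ts"]))
        # 2. Login outside the organisation's normal working hours.
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours", r["user"], r["ip"], r["ts"]))
        # 3. Same account used from two different addresses within the window,
        #    a common sign that a credential is being used by someone else.
        for prev in seen[r["user"]]:
            if prev["ip"] != r["ip"] and r["ts"] - prev["ts"] <= window:
                alerts.append(("concurrent_sources", r["user"],
                               f"{prev['ip']}->{r['ip']}", r["ts"]))
                break
        seen[r["user"]].append(r)
    return alerts


def find_egress_anomalies(text, threshold):
    """Return (date, host, bytes) for hosts whose daily egress exceeds threshold."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, nbytes = line.split()
        if int(nbytes) > threshold:
            hits.append((date, host, int(nbytes)))
    return hits


if __name__ == "__main__":
    for kind, user, detail, ts in find_vpn_anomalies(parse_vpn(VPN_LOG), BASELINE_IPS):
        print(f"{ts} {kind:18} {user:8} {detail}")
    for date, host, nbytes in find_egress_anomalies(EGRESS_LOG, EGRESS_THRESHOLD_BYTES):
        print(f"{date} large_egress       {host:10} {nbytes} bytes")
```

On the constructed data every VPN alert concerns one account, and the egress check flags a single database host on a single day; in practice the baseline would come from weeks of normal logs and the thresholds would be tuned per environment, but the point is that each of these signals is cheap to compute from logs most agencies already collect.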
