OAGITM Members:

As you have all probably already read, the South Carolina Department of Revenue suffered a major information security breach, resulting in the theft of millions of citizen SSNs and credit card numbers. Attached is the publicly-released incident response report prepared for them by Mandiant, the incident response and forensic services contractor that investigated the incident. Although this report contains quite a bit of technical detail about how the attack progressed, a key takeaway is the methodology used by the attackers. This is a summary of that methodology:

1. Phishing email was sent to several S.C. Revenue employees. At least one employee clicked on the link in the email, infecting their computer with credential-stealing malware.
2. Using credentials stolen by malware, the attacker logged into an S.C. Revenue remote-access solution and attacked internal servers, stealing additional valid credentials and installing a backdoor to allow further access.
3. Using several sets of valid credentials, the attacker was able to infiltrate the S.C. Revenue server infrastructure, locate a database server with sensitive information, then copy that information off to servers under their control on the Internet.

This is a common attack methodology, one that has been successful against all sizes and types of organizations. Defenses against this attack include:

* Employee training. Phishing is very common and it occurs all the time at the State. All employees should receive training on how to recognize and respond to phishing attempts, including spear phishing;
* Desktop patching and anti-virus. Up-to-date software is more resistant to malware than older, more vulnerable versions;
* Internal monitoring and anomaly detection. In South Carolina's case, attackers were active in their internal networks for almost two months and were never detected - an external party notified them that they had a problem;
* Incident response processes. Agency staff need to know how to respond quickly and efficiently if they detect this type of attack.

None of these defenses is sufficient to stop all attacks like this by itself, but a combination of them will make these types of attacks less successful and allow agencies to reduce damage quickly in the event of a successful attack. Having an illustration of a successful attack against another state provides a valuable opportunity to learn from their experience. You may want to share this example with your leadership, business partners, and staff.

Regards,

Theresa A. Masse
Chief Information Security Officer
State of Oregon
Department of Administrative Services
Enterprise Security Office
503-378-4896

Data Classification 2 - Limited