
Information Technology

How we came back from a cyber attack.


By: Chris Chidley
IT Manager @ Skagit Transit

Cyber Insurance Claim

Washington State Transit Insurance Pool (WSTIP)

First cyber claim for the insurance pool

Opened a lot of eyes and brought much needed attention to IT

Not only for Skagit Transit but for other transit agencies as well.

A technology SWAT team composed of insurance-picked IT professionals and local vendors who were familiar with Skagit Transit

WSTIP creates best practices policies based on experiences at Skagit Transit

Organization Re-structure

IT was not its own department; the department was created.

New manager reports directly to GM

New IT Policies drafted

More buy-in from general management on IT budget increases to catch technology up

Hire an IT Manager!

The IT Specialist at the time was terminated from employment soon after the
cyber incident.

The search was on almost immediately; action was needed, and the right person was needed.

May 2013: new IT manager began working on core issues identified by the insurance SWAT team

New firewalls

New networks

Server consolidation with virtualization

Catch up technology

Windows XP to Windows 7

The New Plan

Segment Networks

3rd Party Patches

Content Filtering

Layered Defense

Anti-Virus at internet connection

Anti-Virus on e-mail

Anti-Virus on servers

Anti-Virus on workstations

Anti-Virus on mobile devices

Continued employee education

Network Segmentation

All external connections except internet were on the same network

Very easy for someone to get single point access to everything

Very easy for network disruptions

No control

New switch, firewall and virtual technologies were utilized to segment a single
network into many

Separating management network

Separating server network

Separating user network

Separating WiFi

Vulnerability Patching

A server-specific vulnerability scan was made and a prioritized list of objectives was formed from the findings

Software vulnerabilities were determined to be one of the ways into our network for the cyber attack

Attackers go after 3rd party applications a lot now, as they are used for most web applications and become a very easy way into remote systems

Adobe

Silverlight

Java

Chrome

Internet Explorer

Firefox

Computer Criminals

Hacker: Computer-savvy programmer creates attack software

Script Kiddies: Unsophisticated computer users who know how to execute programs

Criminals: Create & sell bots -> spam
Sell credit card numbers,

System Administrators: Some scripts are useful to protect networks

Hacker Bulletin Board:
SQL Injection
Buffer overflow
Password Crackers
Password Dictionaries

Successful attacks!
Crazyman broke into
CoolCat penetrated

Malware package = $1K-2K
1 M Email addresses = $8
10,000 PCs = $1000

Leading Threats

Virus

Worm

Trojan Horse / Logic Bomb

Social Engineering

Rootkits

Botnets / Zombies

Social Engineering

Social engineering manipulates people into performing actions or divulging confidential information. Similar to a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems.

Phone Call:
"This is John, the System Admin. What is your password?"

In Person:
"What High School did you go to? Your mother's maiden name? What was your first car?"

"I have come to repair your machine and have some software patches"

Brute Force Password Cracking

| Pattern | Calculation | Result | Time to Guess (2.6x10^18/month) |
|---|---|---|---|
| Personal Info: interests, relatives | | 20 | Manual 5 minutes |
| Social Engineering | | | Manual 2 minutes |
| American Dictionary | | 80,000 | < 1 second |
| 4 chars: lower case alpha | 26^4 | 5x10^5 | |
| 8 chars: lower case alpha | 26^8 | 2x10^11 | |
| 8 chars: alpha | 52^8 | 5x10^13 | |
| 8 chars: alphanumeric | 62^8 | 2x10^14 | 3.4 min. |
| 8 chars: alphanumeric + 10 | 72^8 | 7x10^14 | 12 min. |
| 8 chars: all keyboard | 95^8 | 7x10^15 | 2 hours |
| 12 chars: alphanumeric | 62^12 | 3x10^21 | 96 years |
| 12 chars: alphanumeric + 10 | 72^12 | 2x10^22 | 500 years |
| 12 chars: all keyboard | 95^12 | 5x10^23 | |
| 16 chars: alphanumeric | 62^16 | 5x10^28 | |
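The arithmetic behind the table above, as an added example that is not part of the original slides: it estimates the exhaustive-search keyspace of a candidate password and the time to cover it at the table's rate of 2.6x10^18 guesses per month. The 30-day month, the helper names and the four-word sample list are assumptions; the exact results differ slightly from the slide's rounded figures, and they are upper bounds, since patterned passwords fall faster than an exhaustive search suggests.

```python
import string

GUESSES_PER_MONTH = 2.6e18           # attacker rate from the table header
SECONDS_PER_MONTH = 30 * 24 * 3600   # assumption: a 30-day month
DICTIONARY_SIZE = 80_000             # "American Dictionary" row of the table
# Constructed stand-in for a real word list (assumption, not from the slides).
SAMPLE_WORDS = {"password", "christmas", "merry", "dragon"}


def alphabet_size(password):
    """Size of the character set an exhaustive search must cover."""
    if any(c not in string.ascii_letters + string.digits for c in password):
        return 95                    # "all keyboard" row: printable ASCII
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    return size


def keyspace(password, words=SAMPLE_WORDS):
    """Worst-case number of guesses; a dictionary word costs far less."""
    if password.lower() in words:
        return DICTIONARY_SIZE
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(guesses):
    """Time to try every candidate at the table's guessing rate."""
    return guesses / (GUESSES_PER_MONTH / SECONDS_PER_MONTH)


def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return "< 1 second" if seconds < 1 else f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # Three passwords shown on the slides plus two constructed ones.
    for pw in ("Christmas", "abcdefgh", "M5rryXm1s", "mErcHr2yOu", "hb2uhb2uhbdJhb2u"):
        n = keyspace(pw)
        print(f"{pw:18} {n:.1e} guesses  {human(seconds_to_exhaust(n))}")
```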

Creating Passwords

Bad Password:
Merry Christmas

Transformations shown:
(Lengthen)
(Synonym)
(Abbreviate)
(Intertwine Letters)
(Convert vowels to numeric)
(Keypad shift Right . Up)

Intermediate forms:
Merry Xmas
MerryChrisToYou
MerryJul
MaryJul
MerChr2You
MXemrays

Good Password:
,stuzc,sd
Glad*Jes*Birth
M5rryXm1s
Jq46Sjqw
Mary*Jul
mErcHr2yOu

Creating Password Examples

Combine 2 unrelated words: Mail + phone = m@!lf0n3

Abbreviate a phrase: My favorite color is blue = Mfciblue

Music lyric: Happy birthday to you, happy birthday to you, happy birthday dear John, happy birthday to you. = hb2uhb2uhbdJhb2u

Password Manager Software

Password Safe
http://passwordsafe.sourceforge.net/

KeePass Password Safe
http://keepass.info/

Don't store passwords in easy-to-find places!

In Closing

Good passwords are a first level of defense

Buy-in from upper management is key to IT success

Segmented networks are key to keeping critical information safe

HVAC should not see POS

Layered Defenses

Employee Education

Avoid social engineering and increase awareness

Thank you
Chris Chidley

Skagit Transit

cchidley@skagittransit.org

360-757-1446
