this could happen to you! - tml conference · sanmarcostx.gov an evaluation of the city of san...
sanmarcostx.gov
THIS COULD HAPPEN TO YOU!
An evaluation of the City of San Marcos 2017 phishing incident that led to the release of 800 employees' W-2s
Incident
Phishing email led to the release of 800 current & former employees' W-2s
City Response Team
• Finance
• Human Resources
• Information Technology
• City Manager's Office
• Communications
• Police
Timeline
• Received notice from two employees in the same department that TurboTax had rejected their online tax filing.
• Contacted the IRS in reference to the notice; IT began internal correlation between the two employees' computers.
• IT made the Risk Manager aware of a potential phishing email that had potentially been replied to by a City employee.
• Following business day, received more notices of online filing rejections from additional employees in different departments.
• IT began an extensive data analysis, which found that a response to the phishing email had actually been sent to the phisher.
• Phishing incident identified & City response began.
Communications
• City Leadership
• Department Staff
• Affected City Employees
  – Current
  – Former
• Interviews with the Media
• Social Media
Response
• City Manager's Office notification to employees
  – Email sent by CMO notifying employees of the incident
• Risk Manager contacted Cyber Liability carrier
  – Carrier provided contact for a Breach Response Services Company
  – Coverage included outside legal counsel & Identity Theft Protection
Response (cont.)
• Established internal single point of contact
• Distributed FAQs & Q&As to employees via email
• Developed detailed web page on employee portal
Outside Legal Counsel
• Provided sample employee communications
  – Included required wording for Texas residents
  – Provided separate requirements for minors or affected former employees who had relocated out of state
• Suggested affected employees file a police report
• Worked with IRS to 'flag' affected employees
Identity Theft Protection
• Cyber Liability Coverage provided one year of identity theft protection service through online monitoring
  – City added an additional 2 years of coverage
• All affected employees (current & former) received notification letters by mail
• Current affected employees received letters in person
• Computer lab set up & staffed by City Response Team for 2 weeks
Resources
• Internal Revenue Service
  – Online
  – In-person
• Employee Assistance Program
Moving Forward
Steps we have taken to mitigate future incidents
– Email Signatures
– External Source Warning
– End User Training
– O365 Data Loss Prevention Policies
– Online Security Training
– Phishing Test Campaigns
Email Signatures
• Standardization
Benefits:
• Professional appearance across the organization
End User Training: Via Email
Microsoft Office 365 Data Loss Prevention Policies
With a DLP policy we can:
• Identify sensitive information across many locations, such as Office 365 emails, SharePoint Online, and OneDrive for Business.
• Detect sensitive information in message attachments, body text, or subject lines and adjust the confidence level at which Exchange takes action.
• Prevent the accidental sharing of sensitive information.
Data Loss Prevention Policy Options:
• U.S. Financial Data
• U.S. Gramm-Leach-Bliley Act (GLBA)
• U.S. Health Insurance Act (HIPAA)
• U.S. Patriot Act
• U.S. Personally Identifiable Information (PII) Data
• U.S. State Breach Notification Laws
• U.S. State Social Security Number Confidentiality Laws
Data Loss Types we selected to encrypt:
• Credit Card Number
• U.S. / U.K. Passport Number
• U.S. Bank Account Number
• U.S. Driver's License Number
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. Social Security Number (SSN)
• ABA Routing Number
• Drug Enforcement Agency (DEA) Number
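The policy described on these slides, written out as an added example in Security & Compliance PowerShell (this is not the City's own script): one DLP policy scoped to Exchange, with a rule that encrypts mail leaving the organization when any of the selected sensitive-information types is detected at high confidence. The policy and rule names, the comment and the policy-tip wording are assumptions; the type names are the ones listed above.

```powershell
# Added example, not the City of San Marcos's own configuration.
# Requires the ExchangeOnlineManagement module and a compliance-admin account.
Connect-IPPSSession   # Security & Compliance PowerShell

# The sensitive-information types the slides list as "selected to encrypt".
# These are Microsoft's built-in type names, so spelling must match exactly.
$types = @(
    "Credit Card Number",
    "U.S. / U.K. Passport Number",
    "U.S. Bank Account Number",
    "U.S. Driver's License Number",
    "U.S. Individual Taxpayer Identification Number (ITIN)",
    "U.S. Social Security Number (SSN)",
    "ABA Routing Number",
    "Drug Enforcement Agency (DEA) Number"
)

# One condition entry per type. confidencelevel is the knob the slide refers
# to ("adjust the confidence level at which Exchange takes action"): High
# means the classifier also saw corroborating evidence (a nearby keyword or a
# valid checksum), not merely a matching digit pattern.
$conditions = foreach ($t in $types) {
    @{ Name = $t; minCount = "1"; maxCount = "-1"; confidencelevel = "High" }
}

# Policy name and comment are assumptions. Start in test mode so matches are
# reported without encrypting anything; switch -Mode to Enable once the
# false-positive rate on real mail is acceptable.
New-DlpCompliancePolicy -Name "W-2 PII Protection (example)" `
    -Comment "Encrypt outbound mail carrying tax or identity data" `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# The rule: when a message bound for outside the organization matches any
# condition, apply Office 365 Message Encryption, show the sender a policy
# tip explaining why, and raise a high-severity incident report.
New-DlpComplianceRule -Name "Encrypt tax and identity data (example)" `
    -Policy "W-2 PII Protection (example)" `
    -ContentContainsSensitiveInformation $conditions `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains employee tax or identity data and will be encrypted." `
    -ReportSeverityLevel High
```

Review the DLP incident reports during the test period before enabling: a W-2 attachment should match on SSN at high confidence, while ordinary nine-digit invoice numbers should not.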
Phishing Test Campaigns: Sample Report
Reports will show vulnerability (KnowBe4 graphic)
Lessons Learned
• Assume worst case scenario
• Single point of contact
• Having Cyber Liability Coverage
• Rapid Response
• Communication, Communication, Communication
– Involve communication department
– Consistency of message
– Frequency of message
– Rapidly changing information