THIS COULD HAPPEN TO YOU! - TML Conference
Transcript of THIS COULD HAPPEN TO YOU! - TML Conference
![Page 1: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/1.jpg)
sanmarcostx.gov sanmarcostx.gov
An evaluation of the City of San Marcos 2017 phishing
incident that led to the release of 800 employee’s W2s
THIS COULD HAPPEN TO YOU!
![Page 2: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/2.jpg)
sanmarcostx.gov sanmarcostx.gov
• Incident
•Response
•What We Learned
![Page 3: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/3.jpg)
sanmarcostx.gov sanmarcostx.gov
Headline
NEWS
![Page 4: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/4.jpg)
sanmarcostx.gov sanmarcostx.gov
Phishing email led to the
release of 800 current & former
employee’s W2s
Incident
![Page 5: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/5.jpg)
sanmarcostx.gov sanmarcostx.gov
Where it all began….
![Page 6: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/6.jpg)
sanmarcostx.gov sanmarcostx.gov
Where it all began….
![Page 7: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/7.jpg)
sanmarcostx.gov sanmarcostx.gov
Where it all began….
![Page 8: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/8.jpg)
sanmarcostx.gov sanmarcostx.gov
Where it all began….
![Page 9: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/9.jpg)
sanmarcostx.gov sanmarcostx.gov
Where it all began….
![Page 10: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/10.jpg)
sanmarcostx.gov sanmarcostx.gov
Where it all began….
![Page 11: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/11.jpg)
sanmarcostx.gov sanmarcostx.gov
Where it all began….
![Page 12: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/12.jpg)
sanmarcostx.gov sanmarcostx.gov
Red flags
![Page 13: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/13.jpg)
sanmarcostx.gov sanmarcostx.gov
Red flags….
![Page 14: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/14.jpg)
sanmarcostx.gov sanmarcostx.gov
Timeline
Received notice from two employees from
the same department that Turbo Tax rejected their online tax filing
Contacted IRS in reference to
the notice & IT began internal
correlation between two
employees’ computers
IT made Risk Manager aware
of a potential phishing email
that had potentially been
replied to by a City employee
Following business day, received
more notices of online filing rejections
from additional employees in different departments.
IT began an extensive data analysis which
resulted in finding that a response to the phishing email was actually sent to the phisher. Phishing Incident Identified
& City response began
![Page 15: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/15.jpg)
sanmarcostx.gov sanmarcostx.gov
• Cyber Liability coverage – Coverage for data compromise
– Provided expert legal counsel
– Employee Identify Theft Protection
Response
![Page 16: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/16.jpg)
sanmarcostx.gov sanmarcostx.gov
• Provided sample employee communications
• Sample Employee notification language: – Included required wording for Texas residents
– Affected former employees who had relocated out of state
– Provided separate requirements for minors
• Worked with IRS to ‘flag’ affected employees
• Recommended affected individuals file a police
report
Outside Legal Counsel
![Page 17: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/17.jpg)
sanmarcostx.gov sanmarcostx.gov
• Finance
• Human Resources
• Information Technology
• City Manager’s Office
• Communications
• Police
City Response Team
![Page 18: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/18.jpg)
sanmarcostx.gov sanmarcostx.gov
• City Leadership
• Department Staff
• Affected City Employees – Current
– Former
• Interviews with the Media
• Social Media
Communications Get in front of the message
![Page 19: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/19.jpg)
sanmarcostx.gov sanmarcostx.gov
• City Manager’s Office provided initial notification of the incident to employees
• Established an internal single point of contact
• Prepared frequent employee updates
Response
![Page 20: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/20.jpg)
sanmarcostx.gov sanmarcostx.gov
• Cyber Liability Coverage provided one year of
identity theft protection service through online
monitoring
– City added additional 2 years coverage
• All affected employees (current & former) received
notification letters by mail
• Current affected employees received letters in-person
• Computer lab set-up & staffed by City Response Team
for 2 weeks
Identify Theft Protection
![Page 21: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/21.jpg)
sanmarcostx.gov sanmarcostx.gov
• Internal Revenue Service – Online
– In-person
• Employee Assistance Program
Resources
![Page 22: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/22.jpg)
![Page 23: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/23.jpg)
sanmarcostx.gov sanmarcostx.gov
Moving Forward
Steps we have taken to mitigate future incidents
–End User Training
–Email Signatures
–External Source Warning
–O365 Data Loss Prevention Policies
–Online Security Training
–Phishing Test Campaigns
![Page 24: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/24.jpg)
sanmarcostx.gov sanmarcostx.gov
End User Training: In-Person
![Page 26: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/26.jpg)
sanmarcostx.gov sanmarcostx.gov
Awareness Pays Off
…until you hit reply.
O365 sensed fraud
![Page 27: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/27.jpg)
sanmarcostx.gov sanmarcostx.gov
Email Signatures
• Standardization
Benefits:
• Professional appearance
across the organization
![Page 28: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/28.jpg)
sanmarcostx.gov sanmarcostx.gov
External Source Warning
![Page 29: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/29.jpg)
sanmarcostx.gov sanmarcostx.gov
End User Training: Via Email
![Page 30: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/30.jpg)
sanmarcostx.gov sanmarcostx.gov
Microsoft Office 365
Data Loss Prevention Policies
With a DLP policy we can:
• Identify sensitive information across many locations, such as Office 365 emails, SharePoint Online, and OneDrive for Business.
• Detect sensitive information in message attachments, body text,
or subject lines and adjust the confidence level at which Exchange takes action.
• Prevent the accidental sharing of sensitive information.
![Page 31: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/31.jpg)
sanmarcostx.gov sanmarcostx.gov
Data Loss Prevention Policy Options:
• U.S. Financial Data
• U.S. Gramm-Leach-Bliley Act (GLBA)
• U.S. Health Insurance Act (HIPAA)
• U.S. Patriot Act
• U.S. Personally Identifiable Information (PII) Data
• U.S. State Breach Notification Laws • U.S. State Social Security Number Confidentiality Laws
![Page 32: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/32.jpg)
sanmarcostx.gov sanmarcostx.gov
Data Loss Types
we selected to encrypt:
• Credit Card Number
• U.S. / U.K. Passport Number
• U.S. Bank Account Number
• U.S. Driver's License Number
• U.S. Individual Taxpayer Identification Number (ITIN)
• U.S. Social Security Number (SSN)
• ABA Routing Number
• Drug Enforcement Agency (DEA) Number
![Page 33: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/33.jpg)
sanmarcostx.gov sanmarcostx.gov
Phishing Test Campaigns
![Page 34: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/34.jpg)
sanmarcostx.gov sanmarcostx.gov
Sample Report Phishing Test Campaigns
Reports will show vulnerability
*KnowBe4 graphic
![Page 35: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/35.jpg)
sanmarcostx.gov sanmarcostx.gov
Training Campaigns
![Page 36: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/36.jpg)
sanmarcostx.gov sanmarcostx.gov
Lessons Learned • Assume worst case scenario
• Cyber Liability Coverage
• Single point of contact
• Rapid Response
• Communication, Communication, Communication
– Involve communication department
– Simple, factual and consistent message
– Frequency of message
– Rapidly changing information
![Page 37: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/37.jpg)
sanmarcostx.gov sanmarcostx.gov
–Several employee’s 2017
refunds have not been processed.
–Employees with extensions are
still filing.
–What will employees
experience in filing 2018 taxes?
It’s not over yet…
![Page 38: THIS COULD HAPPEN TO YOU! - TML Conference](https://reader031.fdocuments.net/reader031/viewer/2022012407/616a2ad011a7b741a34f89d0/html5/thumbnails/38.jpg)
sanmarcostx.gov sanmarcostx.gov
Questions, Comments
or Concerns?
Heather Hurlbert – Director of Finance [email protected]
Linda Spacek – Director of Human Resources [email protected]
Mike Sturm – Director of Information Technology [email protected]