Cyber security in Sin City – and elsewhere (Part 1 of 2)
In the City of Sin, you have to take a gamble. After all, that's what it means to go to Las Vegas. Roll the dice, play the slots, put everything on the line. Walk away with everything – or nothing. In Las Vegas, this is the name of the game, and it's the addictive nature of the city – which is a literal desert oasis of bright lights and indulgence (what happens there does stay there, after all) – that keeps people coming back.
When it comes to Vegas, people go there knowing the stakes. Every year, more than 40 million visitors descend on Vegas, many in pursuit of gambling and the quick cash that could come with it. Some visitors are successful while many others fail, but there's one entity that always comes out on top: The city itself, which last year netted a gaming revenue of $6.4 billion, hardly chump change for any city. In addition, the many conventions held in Vegas – 22,103 last year, for a collective 5.1 million+ attendees – keep the city at a high level of activity and commerce.
Gambling is a modern American pastime, and Las Vegas is the city for it. But there's one thing that visitors to Vegas don't want to have to gamble with (nor should they have to): The safety of their personal data. But unfortunately, that seems to be happening anyway, since Las Vegas seems to have itself a cyber security problem.
An unconventional experiment
In mid-August, several armed men wearing janitor costumes made their way into the Las Vegas City Hall. From there, it was on to the city's data center – a vast repository of highly classified data that serves many key functions in Las Vegas. Once the apparent janitors – who, once again, were armed – were inside the data center, they got down to the task at hand: breaching the city's servers.
Elsewhere in City Hall, IT staffers began to get wind that something was amiss, and set about attempting to get to the bottom of what appeared to be a breach of the internal system. Meanwhile, back in the nerve center, the disguised men did what so many hackers do due to the relative ease of the operation: They hacked their way into a single city email account. Once the imposters were in the account, they unleashed a phishing scam from the account, which they were able to send to 12 other city employees. This is how phishing-based infections begin: with a single vulnerable target.
But the janitor-hackers didn't get very far, because by the time they'd sent the phishing email to the 12 recipients, the city's IT staffers had gotten to the root of the problem. But as it was later revealed, the situation wasn't as it had first appeared. Fortunately for everyone involved, the janitors in disguise weren't real armed hackers. Instead, they were city contractors. Their elaborate get-up was part of a clandestine effort to test the efficacy of the city's data center, and it had been commissioned by City Manager Betsy Fretwell and others as a "practical hack" aimed at uncovering the city's approach to cyber security.
Gambling with cyber security
That's exactly what the little experiment did – though definitely not in the way it was intended. Fretwell and others ran the experiment as a practice round for the real thing. The idea was, if they sent in apparent hackers who were actually government workers, they could measure how such an attack would take place without actually having to suffer any damages – and be able to prepare better for the real thing.
The only problem was that not enough people knew the August intrusion event wasn't the real thing. The rather unorthodox experiment was conducted even though certain leaders were not informed beforehand. Yes, Fretwell and others knew about it, but many other city leaders did not, and this generated an enormous amount of confusion when the event was carried out.
When you imagine a city getting ready to carry out a clandestine fake attack to test the strength of its internal infrastructure, what you imagine first and foremost is an organized effort. But a retrospective look at the August incident reveals that there was nothing particularly organized about the event. For example, then-Chief Information Officer and IT Director Joe Marcella was not informed of the phony attack in advance of it happening. Given that Marcella was a longtime city worker and the CIO/IT Director, he's one person who absolutely should have known about the drill. Instead, he was kept in the dark, and consequently responded by deploying his own staffers to get to the bottom of the incident. In the wake of the story, Marcella was apparently forced into retirement, with many pointing to him as a scapegoat.
However, the unconventional experiment was hardly a failure. In its own indirect way, it did expose cracks in the city's cyber security approach. When the sheer level of disorganization and confusion surrounding the effort emerged, this, in effect, revealed the state of the city's cyber security efforts: Marked by miscommunication and misunderstanding. After all, one of the key characteristics that needs to be present in any citywide cyber security plan is good communication, and this is something that Vegas clearly needs to improve upon.
Vegas isn't the only city with cyber security issues
As a city, Las Vegas isn't alone in having to deal with the cyber threat landscape of today. Across the country, other cities are coping with the issues that arise from cyber threats. The truth is that cyber security is a problem no matter what city we're talking about. In the second part of this piece, we'll look at some other regions beyond Vegas that are dealing with cyber security issues of their own. And whether it's a town, city, or state we're discussing, all should be taking the proper steps to bolster their cyber defenses.
from Trend Micro Simply Security http://ift.tt/1HQoKEn
via IFTTT