each question is to be answered separately
due Sunday 2/11/18
if you have any questions please message me
South Carolina Department of
Revenue
Public Incident Response Report
November 20, 2012
This public incident response report and its publication is not intended nor should it be construed as a waiver of any
privilege or immunity from disclosure that may attach to Mandiant’s privileged work, investigation, and reports.
EXECUTIVE SUMMARY
BACKGROUND
On October 10, 2012, a law enforcement agency contacted the South Carolina Department of Revenue
(DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen.
The Department of Revenue reviewed the data provided and identified that the data provided would
have been stored within databases managed by the Department of Revenue. On October 12, 2012,
Mandiant was contracted by the Department of Revenue to perform an incident response.
Mandiant’s objectives were to:
- Determine if the attack was ongoing.
- Confirm the initial method of intrusion and its timing.
- Determine the scope of the compromise.
- Determine data loss/exposure.
- Perform immediate remediation activities.
- Develop short and long term remediation plans.
Mandiant performed the following activities to achieve these objectives:
- Met with the South Carolina Department of Revenue and Division of State Information Technology (DSIT) representatives to discuss initial evidence preservation requirements.
- Reviewed log data, created forensic images and performed forensic analysis of the web, application, and database systems that housed the PII data provided in the law enforcement notification.
- Analyzed Department of Revenue computer systems with the Mandiant Intelligent Response (MIR) technology for indicators of compromise (IOCs). MIR is a tool used by experienced investigators to look for evidence of malicious activities across a large number of systems.
- Monitored all network traffic from the Department of Revenue’s single Internet egress point for evidence of ongoing malicious activity.
- Reviewed available network and security device logs for indicators of compromise.
- Collected live response data and forensic images from key systems as well as network and system logs.
- Analyzed malware to identify additional indicators of compromise.
- Analyzed evidence to identify attacker activities and additional indicators of compromise.
- Documented findings and remediation recommendations.
- Performed a PCI Forensics Investigation (PFI) as required by the Department of Revenue’s acquiring bank, First Data.
Mandiant performed both on-site and off-site incident response activities from October 13, 2012
through November 16, 2012.
FINDINGS
Mandiant’s major findings are provided below.
Summary of the Attack
The most important aspects of the compromise are summarized below.
1. August 13, 2012: A malicious (phishing) email was sent to multiple Department of Revenue
employees. At least one Department of Revenue user clicked on the embedded link,
unwittingly executed malware, and became compromised. The malware likely stole the user’s
username and password. This theory is based on other facts discovered during the
investigation; however, Mandiant was unable to conclusively determine if this is how the
user’s credentials were obtained by the attacker.
2. August 27, 2012: The attacker logged into the remote access service (Citrix) using legitimate
Department of Revenue user credentials. The credentials used belonged to one of the users
who had received and opened the malicious email on August 13, 2012. The attacker used the
Citrix portal to log into the user’s workstation and then leveraged the user’s access rights to
access other Department of Revenue systems and databases with the user’s credentials.
3. August 29, 2012: The attacker executed utilities designed to obtain user account passwords
on six servers.
4. September 1, 2012: The attacker executed a utility to obtain user account passwords for all
Windows user accounts. The attacker also installed malicious software (“backdoor”) on one
server.
5. September 2, 2012: The attacker interacted with twenty-one servers using a compromised
account and performed reconnaissance activities. The attacker also authenticated to a web
server that handled payment maintenance information for the Department of Revenue, but
was not able to accomplish anything malicious.
6. September 3, 2012: The attacker interacted with eight servers using a compromised account
and performed reconnaissance activities. The attacker again authenticated to a web server
that handled payment maintenance information for the Department of Revenue, but was not
able to accomplish anything malicious.
7. September 4, 2012: The attacker interacted with six systems using a compromised account
and performed reconnaissance activities.
8. September 5 – 10, 2012: No evidence of attacker activity was identified.
9. September 11, 2012: The attacker interacted with three systems using a compromised
account and performed reconnaissance activities.
10. September 12, 2012: The attacker copied database backup files to a staging directory.
11. September 13 and 14, 2012: The attacker compressed the database backup files into fourteen
(of the fifteen total) encrypted 7-zip [1] archives. The attacker then moved the 7-zip archives
from the database server to another server and sent the data to a system on the Internet.
The attacker then deleted the backup files and 7-zip archives.
12. September 15, 2012: The attacker interacted with ten systems using a compromised account
and performed reconnaissance activities.
13. September 16, 2012 – October 16, 2012: No evidence of attacker activity was identified.
14. October 17, 2012: The attacker checked connectivity to a server using the backdoor
previously installed on September 1, 2012. No evidence of additional activity was discovered.
15. October 19 and 20, 2012: The Department of Revenue executed remediation activities based
on short term recommendations provided by Mandiant. The intent of the remediation
activities was to remove the attacker’s access to the environment and detect a re-compromise.
16. October 21, 2012 – Present: No evidence of related malicious activity post-remediation has
been discovered.
Extent of Compromise
The following points describe the extent of the compromise:
1. The attacker compromised a total of 44 systems:
- One system had malicious software (“backdoor”) installed
- Three systems had database backups or files stolen
- One system was used to send data out of the environment to the attacker
- Thirty-nine systems were accessed by the attacker (the attacker performed such activities as reconnaissance and password hash dumping)
2. The attacker used at least 33 unique pieces of malicious software and utilities to perform the
attack and data theft activities including:
- A backdoor
- Multiple password dumping tools
- Multiple administrative utilities
- Multiple Windows batch scripts to perform scripted actions
- Multiple generic utilities to execute commands against databases
[1] A publicly available utility used to compress and decompress files (http://www.7-zip.org/)
3. The attacker remotely accessed the Department of Revenue environment using at least four IP
addresses.
4. The attacker used at least four valid Department of Revenue user accounts during the attack.
Information Exposure
A high level description of stolen or potentially stolen information is provided below.
1. The attacker created fifteen encrypted 7-zip archives totaling approximately 8.2 GB of
compressed data. The data decompressed into approximately 74.7 GB of data. The data
comprised:
- Fourteen total 7-zip archives that contained twenty-three database backup files
- One 7-zip archive that contained ~1,200 files related to the sctax.org web site and an encrypted version of the data encryption key
2. The twenty-three database backup files contained a combination of encrypted and
unencrypted data. According to the Department of Revenue, all instances of encrypted data
within the various databases were encrypted using an industry standard two-key method that
leveraged the AES 256-bit encryption standard. One key was used to encrypt the data
(“encryption key”); the second key was used to protect the encryption key by encrypting it
(“key encrypting key” or KEK).
- The attacker stole the encrypted version of the data encryption key
- No evidence was discovered to suggest that the attacker stole, or accessed, the key encrypting key
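The two-key design described above, as an added illustration that is not code from the report or from the Department of Revenue: each record is sealed under a per-backup data encryption key (DEK), the DEK is kept only wrapped under a key encrypting key (KEK) that never sits beside the data, so a copy of the backup plus the wrapped DEK, which is what was stolen here, cannot be opened without the KEK. AES-256-GCM, the `Backup` layout, the `wrapLabel` associated-data string and the function names are my assumptions; the report states only that AES-256 and a DEK/KEK pair were used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backup models what the attacker walked away with: records encrypted under a
// data encryption key (DEK) plus the DEK itself only in wrapped form. The key
// encrypting key (KEK) is absent on purpose; it belongs in a separate trust boundary.
type Backup struct {
	WrappedDEK []byte   // DEK sealed under the KEK: nonce || ciphertext || GCM tag
	Records    [][]byte // each record sealed under the DEK
}

// wrapLabel is bound into the wrapped DEK as associated data (assumed layout).
var wrapLabel = []byte("constructed-example:dek-wrap:v1")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM's tag check turns a wrong key into an error, not garbage.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptBackup makes a one-off DEK, seals every record under it, then keeps the
// DEK only in KEK-wrapped form; the plaintext DEK never leaves this function.
func EncryptBackup(kek []byte, plaintexts [][]byte) (*Backup, error) {
	dek := make([]byte, 32) // fresh 32-byte (AES-256) DEK per backup
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	var records [][]byte
	for _, p := range plaintexts {
		ct, err := seal(dek, p, nil)
		if err != nil {
			return nil, err
		}
		records = append(records, ct)
	}
	wrapped, err := seal(kek, dek, wrapLabel)
	if err != nil {
		return nil, err
	}
	return &Backup{WrappedDEK: wrapped, Records: records}, nil
}

// DecryptBackup is the only way back to plaintext and it starts by unwrapping the
// DEK with the KEK. Without the KEK that step fails and the records stay opaque.
func DecryptBackup(kek []byte, b *Backup) ([][]byte, error) {
	dek, err := open(kek, b.WrappedDEK, wrapLabel)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK (wrong or missing KEK): %w", err)
	}
	var out [][]byte
	for _, ct := range b.Records {
		p, err := open(dek, ct, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}
```

Call EncryptBackup with a 32-byte KEK; DecryptBackup with any other key fails at the unwrap step, and a truncated wrapped DEK is rejected rather than panicking.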
REMEDIATION
Mandiant developed an immediate containment plan to deny the attacker access to the environment
using the known methods of access. A containment plan is critical in a compromise involving potential
PII and/or cardholder data loss. The Department of Revenue started implementing the containment
plan on October 19, 2012 and completed containment activities on October 20, 2012. Mandiant then
developed a plan to implement intermediate and longer term recommendations to enhance the
Department of Revenue’s security against future compromise. Those longer term recommendations
are in the process of being implemented. No evidence of ongoing attacker activity post-remediation
has been identified.
Public Incident Response Report Submitted By:
Marshall Heilman
Director
Christopher Glyer
Manager
THE POLITICS OF DISASTER
(Principles for Local Emergency Managers and Elected Officials)
Michael D. Selves, CEM, CPM
Director, Emergency Management/Homeland Security
Johnson County, Kansas
INTRODUCTION:
This is how most members of the Emergency Management and Emergency Services
disciplines typically view politicians during disasters. And, while it may be a popular
attitude, it is certainly not a very practical one if we expect to achieve everything we can
for our communities when disasters strike. Why should this be so?
First, we need special powers and authorities to deal with disaster situations and elected
officials have the ability to provide them. As much as professional emergency managers,
emergency services chiefs and other staff would like to believe we operate with
autonomy, we all realize we are really just the “hired help” when it comes to many
aspects of disaster response and recovery. Virtually every state has disaster legislation
which allows for special powers and authorities to be exercised by duly elected officials.
The general rule of thumb here is that if we have to take actions during a disaster which
will infringe on the ordinary rights and privileges of the citizens, only a duly elected
representative of those citizens may authorize such extraordinary measures.
Secondly, we need all the help we can get. Elected officials can expedite assistance. As
I’ll discuss later, most outside resources which come to a community are accessed
through a governmental (political) process. The process of requesting, justifying and
acquiring such assistance is one of the most “political” of all disaster actions. Generally,
elected officials are the most effective persons we have in expediting this assistance.
Finally, we need public support. Elected officials represent the people and in a
democratic republic, the people’s representatives hold the ultimate authority. They also
are the most appropriate spokespersons when it comes to providing guidance to the
public and obtaining public support for disaster related actions. The bottom line is that
we work for them and the people hold them accountable and they hold us accountable.
PRINCIPLES:
All Disasters are Political: Whether we want to believe it or not, political
considerations are a significant factor in the preparation for, response to, recovery from
and mitigation of disaster events. Think back to disasters you have personally been
involved in or you’ve seen in other parts of the country. Has there ever been one where
there was no political involvement? Is it likely that there ever will be one? I’m quite
sure the answer to both questions is “no”. If we really analyze the events and issues
surrounding disasters, we readily see that politics is an integral element of the disaster
and that element has to be dealt with just like any other disaster impact.
If we are to adequately discuss this principle, it is necessary to look into why disasters are
naturally so fraught with political considerations and to consider the factors which
determine how political a disaster might become.
There are at least three basic reasons why disasters are political in nature. First and most
important, disasters affect people. Basic Emergency Management doctrine tells us that
the determination of what constitutes a disaster is the impact it has on people. The
impact of a disaster is measured with regard to how people are affected. In situations
where there is no impact, there is no disaster regardless of the actual occurrence of a
hazardous event (e.g. an extremely violent and large tornado occurs in a totally
uninhabited area of the country.)
When we do hazard analyses, we look at two elements, probability and vulnerability.
Vulnerability is almost always expressed in terms of the potential impact on people. A
disaster then, by definition, involves people, and any event which significantly affects the
lives and property of people is political.
Secondly, disasters are political because they involve public policy. How well or how
poorly we mitigate, prepare for, respond to and recover from disasters is directly related
to how well emergency management/disaster policy is created, maintained and
implemented. By definition, politics is the process of establishing and carrying out
public policy. Failures in policy or its implementation are the stuff around which political
debates revolve and of which political campaigns are made. A disaster event brings this
policy debate squarely into the political arena.
Third, and related to the first two reasons, is the fact that disasters invariably invite public
(read media) interest. In our modern culture of all-pervasive mass communications,
disasters are dramatic, newsworthy events which compel intense public interest.
Politicians appropriately have to respond to that kind of interest and scrutiny.
There are a number of very important factors which can determine how “political” a
particular disaster situation can become. First there is the nature of the disaster itself.
Generally speaking, a violent event tends to be more political than slow-growing events
which do not initially attract as much attention. In the era of terrorism, such events as
Oklahoma City and 9/11 are incredibly political. The very definition of terrorism
assumes an intent to affect political attitudes. If the cause of an event is such as to
involve potential blame, the politicization of the event is significantly increased. We
don’t tend to blame nature (or God) for natural events. We do, however, increase the
media (and therefore the political) “feeding frenzy” when there is potentially a human
cause for the disaster. Events such as Three-Mile Island or the Bhopal chemical release
are only the most obvious examples. The scope of the disaster affects the political nature
of it. Obviously, an event which involves local, state and federal actions has more
potential for political implications.
A second factor is the degree to which public policies become a part of the disaster event.
This can be affected by such things as the level of response involved and the requirement
to deal with difficult or uncharacteristic issues which adversely affect or irritate the
public (e.g. evacuations, seizure of private property, curfews and quarantines.) Events or
potential events which could have been prevented or lessened by mitigation actions (e.g.
flooding, earthquakes, etc.) will necessarily bring policy questions into the disaster event.
A third factor involves the quality of decisions and response actions. Such considerations
as: Were response efforts handled adequately or in a timely fashion? Were mistakes
made or was the response slow and poorly coordinated? What is the level of perceived
public dissatisfaction? Such elements combined with public (or media) questions and
controversy will increase the political aspect of the event significantly.
Fourth, the nature of the political environment in the community will have an impact on
the disaster situation. Such things as whether the political players are on the same
“team”, whether previous partisan divisions existed or whether disaster policy
disagreements have been a factor in the past all affect, to one degree or another the
disaster’s political climate. Are the political players adversaries generally and disinclined
to cooperate or do they share a common political agenda? Two different scenarios come
to mind. During the Loma Prieta earthquake, the national administration was Republican
and the city of San Francisco was Democrat. There was significant conflict regarding
response and recovery issues attributable to this political reality. Conversely, when the
Republican Mayor of New York City, the Republican Governor of New York and the
Republican President were from the same party, that fact also had an (in this case a
positive) impact on the aftermath of the World Trade Center attack. Of course (and this
is meant sincerely, not cynically) the fact that a disaster occurs during an election year is
not an insignificant consideration.
Disaster Policy is Difficult to Create and Maintain: One very frustrating factor
confronting emergency managers at all levels of government is that it is often difficult to
get policy support for senior elected officials before a disaster event occurs. The problem
is that disaster policy issues are often monumental and very complicated, involving
conflicting interests at every level of government. Generally there is a real reluctance on
the part of elected officials to create controversy and debate until the need is immediate
and unavoidable. Obviously this reluctance is at odds with the emergency manager’s
requirement to establish the “ground rules” regarding disaster activities in advance of an
actual disaster occurrence. At the local level, this problem is compounded by the fact
that local jurisdictions are the most immediately affected, but tend to be the least
interested in disaster issues. Beverly Cigler has observed, for example, that “…the
governments least likely to perceive emergency management as a key priority – local
governments – are at center stage in terms of responsibility for emergency management.”
Even when the need to establish policy in advance of disasters is accepted and
understood, the process of establishing and maintaining such policy is a challenging
undertaking. It is virtually impossible to design policies and programs that meet all needs
and satisfy all of the competing interests. These conflicting interests can be about broad
national policy, for example, should we mitigate the impacts of flooding by the use of
flood management structures (dikes, levees, stream clearance/widening, etc.) or by
buyouts of flood prone properties and/or relocation of communities in the floodplain?
They are often about specific local issues which often are of great political and economic
import to the communities involved. (I once knew of a small county emergency manager
who almost lost her job because she proposed to open the local armory to blizzard-
stranded travelers before the local motels were full!) Of course, during the current fiscal
difficulties, this complex process must constantly attempt to balance the need to provide
disaster services while being fiscally responsible with tax dollars. Add to this complexity
the fact that needs are constantly changing and that public expectations in response to a
disaster are invariably (and often unreasonably) high, perhaps it is amazing that we can
get politicians to tackle disaster policy making at all.
Disasters have Political Consequences: One widely observed but not fully understood
principle of the disaster/politics relationship is the fact that disasters and their aftermath
have significant potential to affect the political environment of a community, state or
nation. A disaster can alter the public’s perceptions about the ability and concern of the
political players. It also causes them to be more sensitive to criticism of response/relief
efforts. Each of us can relate instances where political futures and political landscapes
were changed by a disaster event and the resulting leadership (or lack thereof). Perhaps
the current political result of the attacks on the World Trade Center is the most striking in
recent history. An American President is elected by the barest of electoral majorities and
actually loses the popular vote, and is perceived to be weak with questionable leadership
skills. September 11, 2001 occurs, and that same President’s handling of the resulting impact
of the attack is perceived as masterful and, as of this writing, enjoys one of the most
popular presidencies of modern times. A “lame duck” mayor of New York, beset by
personal problems, becomes the very symbol of political leadership and is immensely
popular both in New York and nationally. Approximately a decade earlier, the father of
the current President was perceived to have been slow and insensitive in response to the
catastrophic impact of Hurricane Andrew in South Florida. This perception coupled with
a sluggish economy changed the political fortunes of that administration in exactly the
opposite direction. Similar examples at all levels of government also exist. Sometimes
the political impact of a disaster can have mixed results over time. In one midwestern
community which experienced massive flooding, the mayor was initially hailed as
providing excellent leadership. As the problems of the recovery began to mount,
however, she became so unpopular that she failed reelection just two years later.
While these examples are of Presidents and mayors, all elected political leaders are
subject to the political impact of disasters. Who are the major political players in a
disaster and how can they be affected? The political impacts differ most notably between
executives and legislators. In a crisis the initial stress is on elected executives (President,
governors, county commission chairs, mayors, etc.) They are the decision makers who
must act and communicate in a crisis. The primary challenge for such executives is the
constant need to balance what is necessary to deal with a crisis as opposed to what is
“popular”. While good response is usually a positive thing, sometimes decisions
necessary to a good response must infringe upon the rights, convenience and interests of
members of the public. Decisions to impose curfews, limit sales of certain items, force
evacuation or closure of businesses, and, certainly, involuntary quarantine, are significant
measures which may be necessary, but extremely unpopular.
While the role of members of Congress and state and local legislative bodies is less
direct, they are key players as well. This is especially true when it comes to policy issues
and recovery efforts. One of the most important roles of congressional members involves
the process of obtaining Federal declarations after disasters. Congressional and
legislative officials also play a critical role in constituent services after a disaster in
helping citizens and local governments deal with the rules and policies involved in
recovery programs. Ultimately, any changes related to disaster policy become a
legislative initiative and the interest and understanding of the implications of such policy
by these elected officials is critical.
Likewise, the involvement of political staffers and policy assistants in disaster-related
activities and discussions is an important factor. Most political staff members are not
routinely involved in such matters and only become so when the attention of their elected
boss is directed there as a result of an event. The ability of state and local emergency
managers to make contact with and provide valuable information and insights to staff
members is an often-overlooked strategy which will bear considerable benefit during
future disasters.
Politics can have Disastrous Consequences: Just as politicians and the political
environment can be affected by a disaster, our response and recovery actions are almost
inevitably driven, in part, by political considerations. Sometimes these political
considerations can produce very negative consequences. These consequences can range
from mere inconveniences (tours by elected officials of disaster sites) to major
interference in the accomplishment of response and recovery objectives (lack of funds,
refusal to grant necessary authority, etc.) On rare occasions, these consequences can
result in illegal or unethical actions (use of disaster powers for personal gain or
influence.)
It is important for local emergency managers to become aware of the potential for such
political consideration to get out of hand and be able to devise tactful strategies for
dealing with them. Well-established emergency operating plans and processes, for
example, go a long way toward lessening the “politicization” of disaster response and
recovery activities. Frequent orientation, training and exercising also will help elected
officials understand the importance of pre-established roles, responsibilities and
relationships and the necessity of operating as a team with a plan when disaster strikes.
This necessity of having a plan brings us to the final principle.
Politicians, Like Nature, Abhor a Vacuum: For an emergency manager working to
“get a handle” on the political dimensions of a disaster situation, this principle may be the
most important. While in a minority of cases, there may be unwanted and excessive
political interference in disaster operations, the experience of most of our colleagues is that
as long as things are under control and there is a cogent, integrated effort during the
response and recovery, political operatives are content to “play by the rules”. It is
generally when there is a real or perceived lack of control or coordination and things
either are or appear to be in chaos, that political leaders tend to “take charge”. On some
occasions, this might even be beneficial, but more often than not, the results are not
positive.
Most often, we, as emergency managers, have the power to determine our own fate in
dealing with the political side of disaster activities. This power is relatively simple. We
need to be as professional as we can be. We need to understand the emergency
management process and principles and be able to communicate them – before, during
and after the disaster strikes. We need to make sure that our plans are sound, complete
and flexible to deal with the contingencies which inevitably occur during a disaster event.
In this respect, as in all of emergency management work, the establishment of good
relationships prior to the event is crucial. This is no less true when it comes to the
political players. An additional consideration is to establish good prior relationships with
the local media, since political actions are most often reactions to public perceptions as
influenced by the media.
The bottom line is that we need to do our jobs professionally and have developed a strong
framework of coordination and understanding before disaster strikes. Remember, if you
provide a leadership vacuum during times of crises, the political leadership will, either by
desire or necessity, fill it. We ignore these political principles at our own and our
communities’ peril.
Question 1
When it comes to disasters, some contend that governments still largely play the role of arriving like the cavalry after the fact. Assuming this might be at least partially true, how can emergency management policies (local, state and/or federal) be more proactive? What barriers, if any, to such proposals might exist? (For instance, should local jurisdictions consider additional efforts to regulate building, land-use, development, and other activities that may cause hazards and/or increase risk to members of the community? What lessons should we learn from the flooding that took place in South Carolina in 2015?)
Question 2
Define in your own words the term “benchmarking” used in our textbook and compare it to the terms “lessons learned” or “best practices”, which are often used in emergency management. Include at least one example that you think represents one or more of these terms.
Question 3
Your response to each of the questions below should be at least one brief paragraph.
After reading the South Carolina Public Incident Report, consider how recent large data security breaches affect public administration.
a.) How would you recommend improving policy and practice with regard to information security? (At least one paragraph)
b.) Provide a statement of the problem and at least two recommendations; support your points with additional detail and references (in APA Style). (At least one paragraph)
Question 4
After reading Chapter 11 in the textbook, go to the online Code of Federal Regulations (CFR) at https://www.ecfr.gov/cgi-bin/ECFR, which is the compendium of federal agency regulations. Explore to find regulations of one or more of the following agencies. Select one regulation that you think has an impact on or is related to the phases of emergency management. (Click on “Browse parts” links, if needed, to access regulations.) Write a short summary of the purpose of the regulation you chose, including its context (what kind of regulation is it part of and what agency enforces it) and how it is related to or could impact emergency/disaster management at the local or state level; include a citation to the CFR section (for example 9 CFR 56.10).
Other link for this question. Once you get to this page you can access the other external links listed.
https://www.ecfr.gov/cgi-bin/
· Environmental Protection Agency (EPA)
· Nuclear Regulatory Commission (NRC)
· U.S. Department of Transportation Pipeline and Hazardous Material Safety Administration (PHMSA)
· U.S. Coast Guard (USCG) Maritime Security
· U.S. Department of Labor Occupational Safety and Health Administration (OSHA)
· U.S. Food and Drug Administration
· Animal and Plant Health Inspection Service (APHIS)
Question 5
Write a brief essay (at least 250 words) for question 4.
Read the short article, The Politics of Disaster, by Michael Selves, former emergency management director, Johnson County, Kansas. In an essay of 250-500 words, tie or relate a point from Selves’ article to one or more concepts in our textbook. Support your points with additional research, as needed, and include references (in-text citations and reference list in APA Style). Submit to Turnitin before uploading the assignment here.