This white paper examines two recent case studies of criminal attacks against critical financial infrastructure and local government information. Both attacks had direct costs for the victim organizations, and second-order effects were felt by the organizations’ clients that suffered potential identity theft. This paper provides technical recommendations, including practices to mitigate future attacks, to organizational management and information security practitioners. These case studies are cautionary tales – of many in 2019 – that are informative lessons for examination by security professionals who want to improve their defenses, policies, practices and core capabilities.
About the Authors
Travis Howard, CISSP, and (ISC)2 National Capital Region chapter member is an active duty U.S. Naval officer specializing in information warfare, currently assigned to the Pentagon in Washington, D.C. He holds advanced degrees in cybersecurity policy and business administration from the University of Maryland University College, and is a frequent author in professional journals.
Amy N. Thomas, CISSP, and (ISC)2 National Capital Region chapter member, has experience in research, teaching, project management, emergency preparedness, information technology, and information security. Also a CEH(Master) and CompTIA Security+ce, she holds a Masters of Science in Cybersecurity.
Michael Carr, CISSP, CSCS, (ISC)2 National Capital Region chapter member and ISSA member, has worked in various IT positions for the past 20 years. He has recently held positions in security specializing in auditing, vulnerability management, security education training/awareness, encryption and phishing investigations.
Kapil Padwal, CISSP, ITIL Expert, PMP, CEH is the Director of Programs and serves on the Board of Directors of (ISC)2’s National Capital Region chapter. He holds graduate and undergraduate degrees in Computer Science and has 20 years of IT and Cybersecurity experience across the entire SDLC. His expertise is in Program Management, data governance, digital transformation, and security education/training.
