The Badge Archive

City Cyber Attack Roll List

To be used in the Cyber Attack Dice Scenario

Attack Type Roll List

  1. Ransomware
  2. Data Breach
  3. Distributed Denial-of-Service (DDoS)
  4. Phishing
  5. Man-in-the-Middle (MITM)
  6. Social Engineering
  7. Zero-Day Exploits
  8. Advanced Persistent Threat (APT)

1 – Ransomware Damages

A ransomware attack, where malicious software encrypts data and demands payment for its release, can cause severe disruptions across city departments, highlighting the importance of preventive cybersecurity measures and swift response strategies.

  • Police Department: While 9-1-1 services are running, ransomware has locked computers, preventing officers and dispatchers from accessing records, maps, and patrol car locations.
  • Fire Department: Trucks and radios are operational, but encrypted files have rendered dispatchers’ computers useless, disconnecting them from the network.
  • Water and Sanitation: Malware has infected systems, raising concerns about untreated water mixing with fresh water. The department’s website is down, blocking online bill payments.
  • City Court System: Records from the last 10 years are scrambled, making case dockets unreadable and preventing fee payments online.
  • Department of Education: Student records are inaccessible, and schools without backups have lost contact information for students and teachers.
  • Parks and Recreation: On the eve of a tournament, computers and the website are locked out, stopping citizens from signing up for events and threatening permanent data loss if the ransom isn’t paid.
  • Public Transportation: Malware has blocked access to bus logs, halting real-time tracking and communication with drivers about schedules, construction, or delays.

2 – Data Breach Damages

A data breach, where sensitive information is accessed without authorization, can erode trust and compromise the security and privacy of every department, emphasizing the need for robust defenses and timely detection.

  • Police Department: Sensitive law enforcement data, including active investigation details and witness information, has been leaked online, compromising cases and endangering individuals involved.
  • Fire Department: Personnel records, including private information like home addresses, have been exposed, creating privacy concerns for firefighters and their families.
  • Water and Sanitation Department: Records of system vulnerabilities have been shared publicly, increasing the risk of tampering with water supply systems. Payment account data from citizens has also been stolen.
  • City Court System: Confidential court records, including personal details of defendants and plaintiffs, have been leaked. The exposed data raises concerns about identity theft and legal complications.
  • Department of Education: Student and staff records, including grades, contact information, and private documents, have been accessed and shared, violating privacy and jeopardizing security.
  • Parks and Recreation: Budget details and schedules for public events have been leaked, causing cancellations and mistrust among event organizers and participants.
  • Public Transportation System: The attacker stole transit schedules, employee information, and passenger payment records, exposing personal data and creating operational delays.

3 – DDoS Damages

A Distributed Denial-of-Service (DDoS) attack targets systems by overloading them with traffic, rendering services temporarily unavailable and causing significant disruptions across departments.

  • Police Department: The department’s online systems become overwhelmed and inaccessible, preventing citizens from reporting crimes or requesting assistance through digital channels.
  • Fire Department: Dispatch systems are flooded with fake traffic, delaying emergency responders from receiving critical information about ongoing incidents.
  • Water and Sanitation Department: Monitoring systems for water safety are disrupted, making it difficult to maintain clean water distribution or identify potential hazards in the system.
  • City Court System: Online case management tools and payment portals are overloaded, halting operations and creating a backlog of unresolved cases.
  • Department of Education: The school district’s online learning platforms crash, leaving students unable to access lessons or submit assignments.
  • Parks and Recreation: Event registration systems are taken offline, preventing residents from signing up for programs or accessing recreational facilities.
  • Public Transportation System: Scheduling and tracking systems are overwhelmed, making it impossible to coordinate bus and train routes, resulting in widespread delays.

4 – Phishing Damages

Phishing attacks, where attackers trick individuals into providing sensitive information, such as passwords or financial data, through fake emails or websites – rely on deception and can have widespread effects, emphasizing the importance of training employees to recognize and avoid such attempts.

  • Police Department: Officers may unknowingly provide credentials to hackers, compromising access to secure law enforcement databases and investigation details.
  • Fire Department: Staff might fall for fraudulent emails, giving attackers access to emergency communication systems or equipment schedules.
  • Water and Sanitation Department: Hackers could gain control of billing accounts, redirect payments, or tamper with water distribution systems.
  • City Court System: Phishing could lead to unauthorized access to court records and sensitive legal documents, exposing private information.
  • Department of Education: Hackers might steal student and teacher login details, accessing private data and disrupting school operations.
  • Parks and Recreation: Fraudulent emails could target department staff, allowing attackers to manipulate event registrations or financial records.
  • Public Transportation System: Phishing could compromise driver schedules, transit routes, or payment systems, causing operational disruptions.

5 – MITM Damages

A Man-in-the-Middle (MITM) attack, where hackers intercept communication between two parties to steal data or manipulate the interaction – highlight vulnerabilities in unprotected networks and underscore the importance of encrypted communication channels.

  • Police Department: Hackers could intercept secure communications between officers, exposing sensitive information about investigations or patrol plans.
  • Fire Department: Emergency communications might be hijacked, delaying responses or providing false information during critical situations.
  • Water and Sanitation Department: Attackers could interfere with system controls, manipulating water distribution or contaminating supplies.
  • City Court System: Hackers might intercept private communications between legal professionals, compromising case confidentiality and integrity.
  • Department of Education: Communication systems between schools and the district could be disrupted, exposing private data or causing confusion in operations.
  • Parks and Recreation: Intercepted communication could impact event planning or access to reservation systems, creating mistrust and operational delays.
  • Public Transportation System: Hackers could tamper with real-time updates between control centers and vehicle operators, leading to schedule disruptions or unsafe conditions.

6 – Social Engineering Damages

Social Engineering, where hackers manipulate people into revealing sensitive information or granting access to secure systems – relies on human error rather than technical vulnerabilities, making it a powerful and deceptive attack method. Teaching people how to recognize and respond to these tactics is key to preventing such attacks.

  • Police Department: Hackers pose as trusted officials to convince officers to share login credentials, granting unauthorized access to sensitive databases.
  • Fire Department: Attackers impersonate maintenance personnel to gain physical or virtual access to critical communication systems.
  • Water and Sanitation Department: Employees may be tricked into opening phishing emails disguised as utility reports, leading to system compromise.
  • City Court System: Fraudulent phone calls or emails trick staff into transferring confidential legal documents to unauthorized individuals.
  • Department of Education: Hackers impersonate IT staff to gain access to private student and teacher records or alter grades.
  • Parks and Recreation: Attackers convince staff to share event planning details, potentially sabotaging registrations or public events.
  • Public Transportation System: Hackers manipulate transit workers into providing real-time tracking data or access to scheduling systems.

7 – Zero-Day Exploit Damages

A Zero-Day Exploit, when hackers take advantage of a vulnerability in software or hardware that developers have not yet identified or fixed – are particularly dangerous because they strike before anyone knows the vulnerability exists, emphasizing the need for proactive security measures and constant software updates.

  • Police Department: Hackers exploit undiscovered flaws to access sensitive databases, compromising confidential information about investigations and patrol routes.
  • Fire Department: Vulnerabilities in communication software could allow attackers to disrupt emergency coordination or gain unauthorized control over systems.
  • Water and Sanitation Department: Flaws in automated systems might be exploited to tamper with water quality monitoring or disrupt distribution networks.
  • City Court System: Hackers could manipulate court data through unpatched vulnerabilities, affecting records and legal proceedings.
  • Department of Education: Exploits in student data management systems could expose private information or interfere with grading processes.
  • Parks and Recreation: Attackers could exploit weaknesses in event management software, deleting registrations or altering schedules for public programs.
  • Public Transportation System: Unpatched transit tracking software could be targeted to disrupt schedules or provide false location data for buses, trains, or other transit systems.

8 – APT Damages

An Advanced Persistent Threat (APT) attack, where hackers gain unauthorized access to a system and remain undetected for an extended period to steal sensitive information or monitor activity – is stealthy and typically involves highly skilled hackers targeting specific organizations over a prolonged period.

  • Police Department: Hackers could access classified investigation details and gather intelligence on law enforcement operations without detection.
  • Fire Department: Attackers might monitor emergency response systems to identify vulnerabilities or disrupt operations during a critical moment.
  • Water and Sanitation Department: Hackers could silently tamper with water quality systems, posing long-term health risks.
  • City Court System: Sensitive legal documents could be stolen over time, compromising legal processes and exposing personal data.
  • Department of Education: Private student and staff records, as well as testing instruments, might be accessed gradually, risking privacy and data integrity.
  • Parks and Recreation: Hackers could track system activity to disrupt planning for large events or compromise payment details for recreational services.
  • Public Transportation System: Attackers might monitor transit systems for vulnerabilities, waiting to exploit weaknesses that disrupt operations or safety.
Tia Kennard