168 INCH360: Lessons Learned From a Breach

I will start by introducing myself.

My name is Jethro Jones.

I am the host of the Cyber Traps podcast.

Um, and I do a lot of other things.

Um, I have an education background.

I've been a principal for many years.

And currently coach, uh, school leaders
on all kinds of things from leadership

to, uh, curriculum and things like that.

So, I'm excited to be here and
thankful for the opportunity.

Uh, I'd like each of the panelists
first to introduce themselves and

tell, uh, just 30 second overview
of who you are and what you do.

And then, um, then we'll
get into the questions.

And we'll start with you, Nicole.

Hi, my

name is Nicole Tett, and I am a Spokane
native, and I'm actually a GU graduate.

I have been at STCU for about 21 years,
and I'm their Chief Information Security

Officer, and been working in the
security industry, focused primarily on

security for about the past 25 years.

Good afternoon, I'm Ken Brown.

I'm the Vice President and Chief
Operating Officer at Whitworth University.

Uh, a year ago, a year and a half ago,
I was the CIO at Whitworth University.

We went through a cyber breach, and
instead of firing me, they promoted me.

That was probably a mistake on their
part, but, um, you can survive.

It's, uh, a challenge, but you can do it.

I've, I started, uh, in technology
in 1980, so I'm a boomer.

And I've been around for a while
and I've probably got a couple more

years left and then we'll maybe leave
it off to some of you Millennials.

I'm Brian Yamanaka.

Um, I'm the founder and CEO of a
company called Archangelos where

we specialize in GRC and cyber
security consulting for startups and

small to medium sized businesses.

Um, I am a Millennial, um, and
I'm also a Washington Husky.

So, I'm sorry if that disappoints
a majority of you here.

Um, Hey, we're in the FBS, so come on.

Um, Now you got me all mixed up here.

Um, so I guess the reason I'm here
is because, uh, I've lived a lot

of you guys nightmares, uh, of
being in multiple data breaches.

Uh, unlike Ken here, I, I have
not been promoted because of that.

And hello, I'm Aaron Goldstein.

I'm head of security operations
and incident response at Total.

Um, I've got about 15 years of digital
forensics and IR consulting experience,

uh, helping organizations of all
sizes respond, recover, and remediate

from large scale, uh, ransomware, uh,
nego uh, ransomware, business email

compromise, and things of that nature, so.

Handling the negotiation,
payment, and recovery when

those types of things happen.

Thank you.

Uh, I'm excited to chat
with all these people.

I think I could spend two hours with
each of them and just go really deep.

We only have about 30 minutes and
so, uh, we're, the way we're gonna

structure this panel is I'll ask
one question of each person and

then, uh, allow them to respond.

And then, uh, other people if they
want to fill in can, uh, can add

something to that conversation as well.

Um, the, and then if you have questions
we'll leave a little bit of time

at the end, uh, for that as well.

Uh, so we want to start, um,
with Ken first, uh, and talk

specifically about the breach that
happened at Whitworth University.

Um, if you don't know about that, do
a quick Google search on your phone

and, uh, Ken can provide some things.

But I want to start far after the fact.

So this happened, uh, about
13 months ago, is that right?

October of 22?

August of 22.

Uh, so It's been a while.

You've now got promoted, as you
mentioned, and that's great.

Um, but what are some of the things that
people don't think about that happen,

uh, months afterward when it seems
like, you know, we got our systems back

online and everything's good to go now?

What, uh, what, what are some of the
things people don't think about that you,

you want to make sure people know about?

Well, that's a, a challenging question
because mostly you focus on what

you did before or didn't do before,
what happened during the breach, and

then what's, what happened after.

There's, um, quite a bit of work
to be done once you've recovered,

right, once you've restored, right?

So, and we said August, um, actually
the ingress, uh, the part of the

breach happened in April, and many
of the breaches that we're seeing

out there, The, the breach happens
several months in advance of actually

triggering the ransomware attack.

That's something to know.

And it's something to help you, guide
you in how you respond for the future,

and how you're monitoring your systems
so that you can, uh, detect things

that are lurking in your systems that,
um, that you weren't aware of if you

didn't have the right tools in place.

So having a good SIM, good, uh,
endpoint detection in place.

Those are all things that we had to
discuss at length after the event.

So, um, and another thing that, uh,
is always important to understand

is when you're having a, a breach at
the scale that we had, which meant

most of our systems were impacted.

All of our Windows systems, all
of our H, uh, VMware systems and

Hyper V systems were impacted.

Uh, fortunately the threat
actor, uh, didn't hit us until

the day after we ran payroll.

And we still had two weeks before the
semester started, so we had a little

bit of breathing room, but, um, after
the fact, you're talking about how

you, um, how you prepare and mitigate
things that aren't going to happen,

potentially happen in the future.

What kind of investments now do you need
to make beyond what you thought were,

uh, all that you could make before?

You're ending, you're going to
end up making more investments.

Uh, fortunately, leadership's interested
in helping you make those investments.

They don't want to go through
the pain again, if possible.

Uh, but then, uh, communication
is one of the things that,

that comes up all the time.

And there's communication
during the breach.

Multiple audiences that, that are
interested in knowing what's going on.

Uh, and you're, one of the
audiences is the threat actor

themselves who are monitoring
your, uh, public pronouncements.

You gotta be careful about that.

Uh, you gotta be careful about
how you're describing things

to your own internal people.

How you, how you, uh, talk to the press.

How you talk to, uh,
people who are impacted.

And you're required, of course, to
to do a lot of work in notifying, uh,

various, uh, state agencies across
the country based on their rules.

So, several months after the breach,
uh, we were still working with attorneys

general across the nation, uh, and
responding to requests because, uh,

data escaped for people who were from
virtually every state in the nation.

And depending on how
many People are impacted.

Various states have different rules.

If it's only 10, well,
maybe they don't care.

But I can tell you the state of
Colorado cared about the 1, 200 people

that were affected by the breach.

And so we had to respond to the state
of Colorado with a Fairly lengthy

brief, and that means it was important
that we had in place a quality, uh,

insurance package that allowed us to,
uh, engage, uh, attorneys to, I think

Brent said, Brent said about, you gotta
have a good attorney, absolutely you

have to have a good attorney, to make
sure that you're in compliance with all

the state laws around the nation and
being prepared to correspond with them.

And then of course we wanted to
do, uh, Mitigation for anybody

who possibly could be infected.

So there was, uh, first of all, having
to, uh, dig through and understand who

potentially was affected, whose data
PII might've been, uh, that, those,

that, that escaped through the breach.

And, and then how do we, um,
work with, uh, a company to, um.

Pour through that data to make sure
we understand what's going, uh,

what, what, what was lost and by
who, and then how do we notify those

people of, of the, the breach, and
what are we going to do about it?

We're going to provide monitoring.

We went a step further, not
just monitoring services, but

also remediation services.

So if somebody felt like they
were impacted, we would, uh,

provide the means for them to
get recovered from that impact.

So Lots of things

to do.

Yeah, definitely lots of things
and it's something that, uh, if

you haven't been through it, you
don't think that far in advance.

Any other comments from the rest of
the panel about things to do months

after that people aren't thinking of?

Yeah, I would just say that, um, you
know, to your point about going through

all the data, having, you know, a
breach coach and legal counsel that

can actually do this, but what people
don't always recognize is the amount

of time it takes to do the e discovery
looking through all of the stolen data.

Um, oftentimes these threat actors are
stealing hundreds of gigabytes or even

terabytes of data, and by doing so, Um,
you have to go and mine all of that and

determine, you know, what records were
stolen, who, uh, in what states they

need to be notified, and there's just
so much, uh, that can happen there.

Uh, it's a very lengthy process from
both the victim organization and

the, you know, IR firm that you hired
to handle those types of things.

So, it can definitely become a real time
consuming process and very expensive.

Yeah, so, were

you going to add to that?

I was just going to say, from the
victim's standpoint, that adds to delay

and lack of transparency, or that's
the perception, because they feel like

they're withholding, and really the answer
is, we don't know the full answer yet.

Yeah,

and I think that's one of the really
challenging things, is that there's

so much data, and correct me if I'm
wrong, but you don't always know all

the data that's been stolen, especially
at the beginning, and so that can be,

Uh, ex, ex, exceptionally challenging.

Um, so I want to shift the
conversation to preparation now.

And what are the things that we need
to do to prepare specifically for it?

And so, uh, Brian, I want to, uh, ask
you, what are the things that need to

be in place to be prepared for a breach?

Uh, Ken alluded to some of those things,
but what else would you add to that?

Yeah, I think, um, in running, like,
software engineering organizations and

IT teams, it's really understanding,
um, where your areas of risk are

within your technology stack.

Um, I can think back to the breaches
that I was part of at Twilio,

um, ZipWhip, and WatchGuard.

And a lot of the, um, the root
causes for those were, um, sort

of the blind spots that we had.

Um, things that we didn't necessarily
think were a problem, um, but then

became a problem when we were breached.

And so relying on, um, Um, you
know, good hygiene, like, uh,

continuous vulnerability scanning,
right, within your infrastructure.

A lot of this you can get for relatively
cheap now, like in AWS, if that's where

your infrastructure is, or Azure GCP.

They have tools that are there for you
at low cost that you can run these scans.

Now it's up to you, as leaders in
your teams, to be able to take those

scan findings and actually fix them.

Um, I know a lot of times, especially
in software engineering, we're pushed

to develop features, new products.

And things that we can sell, um,
and a lot of times that technical

debt can build up those alerts that
we see in AWS Inspector or other

vulnerability scanning tools get ignored.

And I see a lot of leaders in here,
of teams, and you really gotta

own the fact that that's on you.

It's on you to tackle that technical
debt and to do what's right to

protect your infrastructure.

So I think those are some of the things
that I've learned in terms of prevention.

Yeah, and, uh, anybody want to add to that
before I move on to the next part of that?

I was just going to say, I think
an incident response plan in

advance of an incident, I guess
I go with the perspective of it's

not a matter of if, it's when.

And so it's critically important that
everybody knows what their role is if

they're, if, when the incident does occur.

Because, as Heather alluded to and others
have talked about, when it happens, it's

scary when, you know, it's impactful.

And so, having that plan, and more
importantly, Uh, practicing that plan

throughout and prior, uh, to that
because muscle memory comes into play.

Yeah, I would definitely add to that
that, so we, before the event, we

did a, we had a full scale tabletop
exercise with all department heads

across the organization for four hours.

We spent thinking about what
would happen if we had an event.

We asked every department to
make sure they had an active and

updated business continuity plan.

What are you going to do if you
don't have your systems to operate?

How are you going to do payroll?

How are you going to
register students for class?

So we had done those things.

And then when the incident
occurs, are you prepared to stand

up an incident command team?

Somebody, a team that meets every day.

to, to look at what's happening on the
business side, but then also work with

your mitigation experts on restoration.

So all of those things
have to be done in advance.

And you're also thinking about the
training that was mentioned earlier

and all of the regular types of
threats that you're trying to, uh,

deal with, whether it's phishing
or spear phishing or any of those.

But we weren't, we
weren't breached that way.

We were breached through a previously
unidentified, uh, um, vulnerability in

a, in a system that we, That we got the
patch for a week after we'd been breached.

It's too late.

So, what can you do about that?

You can also have things, better, better
monitoring tools in place that are

surveilling your systems, your networks,
your endpoints to make sure that, that you

become aware of things before they become
the big problem that they did for us.

And just one

thing to add to that, too, because
it is super important to run

those tabletop exercises, but you
also need to take it seriously.

You need to have the teams that are
working on those tabletop exercises

to understand that it isn't just a
check the box for SOC 2 or whatever

kind of compliance you're going for.

There's real meaning and value behind it.

Yeah, that was, that was a question I
wanted to go a little bit deeper on.

And when you say, Ken, you had all
the department heads, do you mean like

you're at a university, so it's not just.

There's the business side, but there's
the education side as well, which

almost exponentially opens up the
vectors that people can come in from.

Even if students may not have access
to specific platforms, they could

get in and get information and then
do social engineering to get more.

When you say department heads,
what are you talking about?

Everybody on both sides of

the fence?

I'm talking about the president was
in the room, all the cabinet members.

And all, uh, all the department
leaders across campus, whether it was

administration, staff, or faculty.

Because it can, it can affect
any part of your business,

whether you're an educational
institution or a bank or whatever.

It can affect anyone.

And so everyone needed to
be involved and be aware.

And we had really good buy in from that.

We also got some help from
the local cyber security.

Uh, team to help us create a cyber
security manual and, and all of

the, the stuff that goes along with
that, that, that you actually need

to help guide you during normal
times, but also during an event.

And you're going to be asked
by your legal team whether you

have those things in place.

What have you done to prepare?

How are we going to answer people
who are questioning whether

or not you did it properly?

Are you going to be able to
get cyber insurance next year?

Uh, have you done the things necessary
to make sure that you are, uh, in

a position to do the best you can
to, to defeat these cybercriminals?

Go ahead, Aaron.

Yeah, I was just gonna, I was just
gonna add to that, you know, when

you mentioned liability insurance
and, um, it's surprisingly becoming

more difficult to get that.

So, when you go to apply for that
now, they're gonna give you a, I joke,

it's like a 50 page questionnaire
that you have to fill out, and they're

gonna ask you lots of questions.

Do you allow external RDP?

Do you have strong passwords?

And all these things, and so when you
fill that out, they're actually going to

use that when you have a, a breach and
you report that to them, they're going to

use that, or try to use it against you.

So if you say, oh, I don't expose RDP
and I have MFA enabled everywhere,

if your, uh, breach is actually
identified, the so the source of

that was one of those areas that you
incorrectly answered, they can reject

your, uh, your claim and not pay out.

Um, so it can be a
really troublesome area.

So, um, it can be a pain to get, you
know, set up, but really setting those

steps ahead of time, that way you know
if there is an issue and an incident,

you can call your liability insurance.

They will assign that IR team.

They will give you that breach coach.

Um, it can be invaluable.

And they're going to tell you
that you have to do training.

Yeah.

On a frequent basis.

They'd like it to be like, uh,
DRIP 7, as frequently as possible.

Yeah.

So, uh, Nicole, as we transition
to you here, uh, you, I want to

talk about some of that training,
and specifically fishing.

Uh, I was in, uh, employed by, uh, A
school district who used what I thought

was unethical practices to get us to be
aware of phishing and they would send

emails pretending to be from the district
that actually were from the district and

they had the ability to make them look.

more official and less suspicious and
made people within the organization

feel like they were trying to,
um, be deceptive and unethical and

how they were training us on that.

Can you speak to that idea of
fishing and practicing on your own?

Uh, employees with your own systems.

Sure, and a lot of what I'm going
to say, honestly, is going to be

redundant of what Heather talked about.

I really strongly believe in the
carrot versus the stick mentality.

The common theme, um, so far during
today has been people are the problem.

And I, I don't like to say that.

That's, that sounds negative.

But in order to Get them
to change their behavior.

You really need to engage them.

And so if it's a punitive or
boring or, you know, not somehow

entertaining engagement, they're
not going to learn from it.

Uh, we do testing, uh, internal
phishing testing, but the intent

there is not to trick people into,
um, I guess getting in trouble and

cause they don't get in trouble,
but it's really to expose them to.

The types of threats they would
see from the real world and that

they do see, we do see internally.

And so, um, combined with
education, I just think that's

really critically important.

And we not only do phishing training,
we also engage with, um, third party

pen testers to come in and, you know,
try and walk into one of our branches

and get behind in a network room.

Or call on the phone and see if they can
get credentials from one of our users.

Um, those are things that
help us to understand.

The baseline of what our staff are
feeling and train towards that.

Yeah, anybody want to add on that, uh,
teaching your employees, training them?

Sure, um, I think, I think also, you know,
there's a lot of great resources out there

that you can pay for to get training,
but there's also internal resources.

There's people within your
organization today that likely have.

Um, some pretty good knowledge, whether
that's secure coding principles and best

practices, if it's how to build cloud
infrastructure, um, in a secure way.

Leverage the talent that you already have
today to train the rest of your staff.

It'll also allow those folks to
step up and be visible within the

organization, which is You know,
another great win for your team.

So, along with the training, you can
train things that, that, where they

can help, uh, our IT department.

So, we've implemented, we
use KnowBe4 and DRIP7 both.

And with KnowBe4, we also have a fish
alert button that we drop on the Outlook,

um, And so we've trained users to, if
you think it's suspicious, hit the phish

alert and it'll take the email away.

And the beauty of that for us, for the IT
team, is they don't have to go and do the

evaluation, it gets done automatically.

And if it was sent to 500 people,
that email will disappear from

500 email boxes immediately.

So, and, I just happened, I start
my day at five in the morning, and I

often get the first phishing emails.

I had two this morning, and so
I phish alerted both of them.

They were both flagged as threats,
and so they were removed before

anybody else went to work.

So that's a good thing.

So, but training people not just
to be aware of phishing, but

also how, what they can do in, in
the, in the moment, uh, to help.

Not only the IT department, but
the entire organization to be,

to be able to withstand that day.

Yesterday also, uh, people got
text messages supposedly from

me asking for, uh, Apple cards.

You know, talk about spear phishing
or, or spear, I don't even know

what they call it, smishing?

Yeah, so, that was, that was yesterday.

Yeah,

so after a breach, um,
Are you more susceptible?

Have you seen an increase in attacks?

Uh, and so this one's for everybody.

Uh, Ken, you were just
out demonstrating that.

So do you have anything
else to add on that topic?

I don't know if we're being
attacked more frequently.

Um, I know that we've added to our
defensive posture and we've added more

sophisticated sim and end point protection
analysis tools to better protect

ourselves, to be better aware and we get
Lots of reports and lots of communication

on those things today, so I suspect it's
probably about the same as before, but

we're catching more of it, and, um, yeah.

And everybody's

probably more aware, at the very least.

Oh, absolutely.

Yeah, Aaron, were you
going to add to that?

Yeah, I was just going to say that,
uh, after dealing with, uh, a very

large amount of ransomware cases,
I see them leaving footholds in the

network in many, many situations.

So, while you gain better visibility
and control and you get that logging

and you get that budget bump to, to
buy all the security controls you need,

Um, often times I do see, you know, re
attack and re extortion, unfortunately,

because, you know, clean up efforts were
good, but not perfect, and, you know,

that screen connect agent is still on
that system, and those threat actors

might wait a couple weeks, or a month
or two, and now they're back in, and,

um, you're right back where you started.

So, yeah, being vigilant and making
sure that, you know, you've secured

your network, and you're also
leveraging that new visibility that

you have to make sure that nothing
stands out is really important.

We, we know that Fear can motivate
people, and sometimes, going back to

the carrot and stick analogy, we, we
motivate people to make better choices

by scaring them about what could happen.

And, uh, that, that's not
always the best course to take.

How do you communicate the seriousness
of The, of a potential breach without, or

a repeat breach happening again without
making everybody panic and think that

their data is not safe with you and that
they can't trust you to manage their,

the information that you have anymore.

And this is open to, to anyone.

But Aaron, do you want to start that one?

Sure.

I think that, um, you know, some of
the most important thing is having

those communications plans, those
incident response plans in place.

Um, you know, being a technical
resource like myself, I'm going to rely

on legal and communications teams to
decide what should be, you know, um,

sent out and, and messaged to, uh, our
internal employees, to customers, to

those that are impacted, um, so making
sure that you can kind of control that

narrative, but also, you know, part of
IR and, and incident planning is going

to be making sure that you have good
classification of different types of

incidents, different types of severities.

That way, as it's happening, you know,
it might get more and more severe as

you kind of understand what's happening,
but you can communicate that and, uh,

help people understand that, you know,
it's an ongoing, uh, issue, and it might

be evolving, and as more information
is available, the appropriate teams

are gonna, you know, decipher and send
that, or disseminate that information.

What I've seen is, um, it kind of goes
back to prevention, like what we were

all talking about, um, executing tabletop
exercises, doing the things in advance.

And the reason I say that is because,
um, as you start building that muscle

of preparation, I think that gives
your teams more trust and confidence

that you'll be able to respond
when a data breach does happen.

We always say it's not if, it's when.

Um, and so that dispels, I've seen a lot
of the fear, um, within an organization.

Just byproduct of being more
prepared and showing that, um,

you know, to your executive

leadership team as well.

So a lot of the training that we do, of
course, is designed to defeat phishing

expeditions and protect email boxes and,
and, and credentials of individuals.

But when you get attacked in the way
that we did, where the threat actor was

in your system for months, and designing
ways to get around, maybe even, uh,

spoofing your antivirus so that it looks
like it's running and it's not, Um,

what you discover is as soon as they've
created their own root level credentials

and they can do whatever they want,
Um, then anything that's in your system

is open to them for, for exploitation.

And one of the things that happens is
You find out after the fact, or after

the data's been taken, that there's
a lot of data that's left around on

hard drives, uh, in file systems,
that really doesn't need to be there.

Um, and so, data cleanliness.

Uh, data, uh, policies around,
uh, archival and deletion of data.

Those are things that also, from
an after the fact perspective,

we've been working on.

Don't keep files in the system
that don't need to be there.

So, oh, we've got five
years of housing data?

Why do we have it?

There.

Are you using it today?

No.

Why didn't you delete it?

I didn't think about it.

Well, so there are, there are, there are
things that we talk to them about with

our employees about how to, how to be
safer, even if we were breached, what,

what, how can we minimize the damage?

How can we minimize and how can
we better protect the PII of

the people that we're serving?

And that's one of the most important
things for us to do and recognize after

the fact that we've got an obligation
to protect the data that we've been.

That we're now the custodians of, and
whether that's in the state of Washington,

that's a, that's your company ID, and your
name, and that's it, that's all it takes.

Um, it seems ludicrous that
your ID, your, your private ID

number is, is considered that.

Um, but it could be anything.

ID, social security number,
credit card information, name,

address, health information.

Do you have fingerprint information?

All of that kind of stuff
is, is, is out there.

So, and then the employees
themselves, uh, will store things.

Uh, their own private data.

Uh, we found tax returns.

We find, you know,
passports that were scanned.

We find driver's licenses
that were scanned.

All, not, we didn't collect
that, the employee did.

So, there's a whole lot of work to be
done, not just on training people about

phishing, and, and, and use of systems,
but also on how we handle our data.

I

was just going to say that, um, I think
coming from a financial institution,

reputational damage, if a breach order
occurs, is tremendously impactful.

And one of the things we're challenged
with, and everybody else is too, is

we rely on third parties quite often
to perform services on our behalf.

And so what that means is we're
sending our data to them, and we do

due diligence on those vendors, but.

Things like move it and other sort of
compromises that don't really are directly

related to their failure are really,
really problematic and that's, that's

one of the bigger fears I have currently.

Yeah, and I would just
add to your responses.

As a school principal, when it was
time for us to do a fire drill, for

example, I would say We're doing a
fire drill today at this time so that

everybody knows and everybody's prepared
and aware so we know how to act.

So rather than this being a surprise
fire drill that could cause more anxiety

for people, we told them about it
and said it's going to be at 2 30 p.

m.

Today.

There's going to be a fire drill and
everybody knows what's going to happen

and In the past, the idea was surprise
people so that you know how they'll act,

and I found that explaining the context,
when it's happening, explaining why we're

doing it, and why it's worthwhile for
us to practice helps people feel better

about it, and certainly in schools,
which is my background, there are lots

of things that we need to practice and
prepare for going wrong, and sometimes

it feels like That's what we're teaching
the kids and and to a certain extent we

are teaching them how to be smart and
prepare um, but we also want to not make

it so that this is like All that you
think about and, and I've certainly seen,

um, some experiences with that as well.

Uh, so the final question for everybody
here is, what is, what is the one lesson

that you would want people to walk away
from after having experienced a breach?

What would you want them to know and, and
they go away from it and you're like, this

is the one thing that you need to know.

Uh, and so we'll start here with
Nicole and go, go down the row.

Put you on the spot first.

No,

that's fine, because I was afraid
someone else was going to steal it.

I think preparation, honestly, is
the one thing that's super important.

Having that instant response plan and
practicing it, um, helps you more, be more

prepared and more effective in mitigating
the damage that any breach might

have.

Okay, so we're going to say preparation
for a breach as your one thing.

Now, you guys aren't allowed to take
hers, so you gotta, you gotta have

a different lesson to go with it.

So, Nicole got the bonus going first.

I would agree with that.

Yes,

you can certainly agree, but no

stealing.

So, I'll tell you what I did after
the fact is, I, we have a small team,

and many of you have small teams.

So, I can't do 24 7, 365 monitoring
of all of my systems with four people.

There's not enough time
for them to do that.

So, we partnered with somebody
who could do that with us.

So that we have a much more assurance that
anything that might happen in our network

in the future, which it will happen.

There will be some either phishing
thing or there will be another

breach through a vulnerability
that hasn't been detected yet.

It will happen, but we are in
a much better position now.

To know that something's happened and been
injected into our network that we can then

take action on and not wait four months
and be hit with a ransomware attack.

So for me, it was, it's, it's, if I feel
much better, I don't feel completely at

ease, but I feel much more at ease that
we have the means now of at least, uh,

improving our ability to detect and then
mitigate before, uh, the crisis occurs.

Okay, so I'm just summarizing.

So we got prepare for the incident and
then we got partner with someone who

can help is what I took away from that.

Did I understand that correctly, Ken?

Okay, just making sure that
I am understanding good.

All right, Brian.

Um,

I would say the one thing to walk
away from, um, as part of this

panel is to not operate from a, a, a
position of fear about data breaches.

Um, if you think about us as humans,
right, when you fear something,

you naturally shy away from it.

You don't want to address it.

You sweep it under the carpet.

And I think with data breaches,
that's very similar to how

a lot of us, um, operate.

So, you know, preparedness,
what we already heard.

Partnering.

Those are all good, great ways to help,
um, build confidence in your team and

in your organization to be able to
handle a data breach when it happens.

Very good.

I, I kind of like the prepare, partner,
and what's a P word for expect it?

Predict.

There we go.

Alright.

Now Aaron, the pressure's on.

If you do something other
than P, everybody's going

to walk out of here upset.

Preparation.

No, just kidding.

Well, the P, I, well, it's, uh, no,
I don't have a P, uh, word here.

So, the way I like to think of
it is, um, you know, all of these

things are incredibly valuable.

Uh, I think of the incident
response life cycle, right?

So, preparation is the
number one thing in that.

We have to be prepared.

Um, but the thing that I think is often
overlooked is, Recovering and after

an incident, the lessons learned, the
root cause, and taking action to make

sure that this doesn't happen again.

So taking the momentum from an incident,
you know, the additional budget, the

additional improvements that you're
making for your network and for

your systems, and use that and learn
about what else you can be doing to

improve your systems and your process.

So taking, you know, everything
that's happened and improving and

taking that existing IR plan and
that preparation that you're doing.

Modify it to make sure that
it meets what just happened.

And now for the next one you
should be more efficient.

You should be able to respond faster
and hopefully save time and money.

That's great.

Ponder.

Huh?

Prepare, partner, predict, and ponder.

Okay, we got four P's that you
can walk away from this with.

Very good.

Uh, so the question is specifically, how
do you leverage, uh, students in your I.

T.

programs to start doing this
stuff for real in, while

they're students at your school?

I think the folks from Eastern would
be in a better position to answer

this, because I know they have
programs specifically designed to help.

Uh, themselves and other organizations
monitor, uh, we haven't gone down that

path per se, but we partner with our
computer science department on, on, uh,

cyber security training and, and teaching.

And so we, we try to build the capability
for, for, um, The gentleman back there

at the table to do a variety of breach
testing and trialing and to teach our

students how to be better prepared to do
some of the things that were talked about

earlier in being able to build systems
that are responsive and capable of of

withstanding certain kinds of activities
that we don't want to have happen.

So, I think that's a valid thing to do,
but we, we have not, uh, part of the

problem that we've had with investing
in students is that they come, and then

they build something, and then they
leave, and then we have to figure out

what they built and how to support it.

Uh, they're not a persistent, uh, Source
of, of, um, of worker that, um, we haven't

cracked that nut for ourselves, but I, I
think you should talk to Eastern because

I know that they've done some of that.

Yeah, that's excellent.

Um, as, uh, our, as a K 12 principal,
we have done that with students

in high school and, uh, middle
school, even asking them how they

would get around our systems.

Um, and in one district I learned that
every student was installing Uh, VPNs

on their phones, so that they could
bypass all the security protocols.

And so, uh, that was a fun conversation
to have with those, with those kids.

Uh, anybody else want to comment
on using internal, uh, people?

I mean, you're not all in
education, but, any thoughts there?

Uh, I'll just add, um, I'm not in
education, but, uh, I train a team

of security professionals that
investigate on a, a daily basis.

And one of the things that we
do is run what we call attack

simulations on a regular basis.

And, uh, So it's kind of like the next
level of a tabletop where rather than

just discuss what's going to happen as an
attack, we actually run, you know, purple

team scenarios where we're running attacks
on test systems and then we have our teams

go and investigate and respond and measure
that response to see how we can improve.

Um, so that might be another way that
you could take some of the students

and get them some hands on training
and, and, um, develop that skill.

Okay, good.

We have time for one more question.

Yes, in the front.

so the question is, uh, as we continue
to be focused on cyber security, what

about physical, physical security and, uh,
are you still paying attention to that?

And is that part of this conversation?

I would say that um, physical security
is an integral part of cyber security.

It's a piece of the puzzle.

Uh, in my case at STCU, we include
physical security in the cyber, or

under the Enterprise Risk Division.

And it's been very beneficial and
there's a lot of synergy because A

lot of the technology behind physical
security has IT components as well.

And so, um, it's been super valuable.

So in our case, it's, um, we
work very closely together.

As a university campus is
naturally an open place.

Students have to come and go.

They, they have access
to, uh, PCs on campus.

They have access to Wi Fi on campus.

So, some of the things that were
mentioned, I think, earlier about,

uh, segmentation of your network,
and, uh, multi factor authentication,

uh, actually both directions,
whether you're on campus or not.

We've had to implement that to better
protect from, um, access from on

campus as well as from off campus.

So we think about that.

We also have, uh, quite a few spaces
that are locked, and you can only

get to them through keycard access.

All of our server spaces Our main, uh,
computer center spaces are, are IT spaces.

And we're small enough that, um,
it would be unlikely, uh, unless

you're brand new, whether you would
not know the person from IT that

showed up at your desk to help you.

But that certainly is something
to be concerned about.

And, and other places I've worked.

People had to wear the badges,
but of course the badge could be

spoofed, physically spoofed as well.

So, there are a lot of things to consider.

You're, you're going to answer
questions on your cyber, uh, insurance

form related to physical security.

Uh, and, and, uh, universities are
also going to, your auditors are

going to ask you the same questions
about physical security and access

to your, your ERP system and your
accounting systems, uh, to make sure

that, uh, those are safe and secure.

So, uh, it has to be part of The
entire, the, the, the overall picture.

It can't just be the, the it side.

Yeah.

To add on to that too, we talk about,
and we have been for a while, this

notion of like zero trust in the cloud.

Right.

I think it definitely applies
to physical security as well

in terms of always verifying.

So I think back to when
the pandemic started.

And we had a physical office
space, and there was hardly

anyone in the office, right?

So it was a perfect target for
someone to come in, and I think they

actually even used a flipper device.

I don't know if you guys know what
flippers are, but you can get those now.

And spoofed a card, was able to get
in, and there were two people in the

support organization, and none of
them asked the person that was in

there, Hey, what are you doing here?

So, I think it does come down to a
very similar principle to zero trust.

Yeah, uh, we try to adopt a policy of
trust but verify, um, so same thing.

Multi factor authentication exists
for physical controls as well, so you

can still have a badge access with
a key code or something else, uh,

making it a little more difficult.

And, you know, as far as, like,
computer equipment, servers, things

like that, if they're gonna be
physically stolen, everybody's using,

uh, disk level encryption, right?

Full disk encryption?

So it shouldn't be a problem, but,
um, unfortunately, if you're not,

you should probably turn that on
just to be safe in case somebody's

walking out with one of your servers.

Yeah.

Alright, well, thank you everybody,
uh, for being here, for your attention.

Thank you to our panel.

Let's give them a round of applause.

Creators and Guests

INCH360
Guest
INCH360
A regional industry group focused on connecting cybersecurity and compliance professionals of all levels. The group will promote education, collaboration, and communication about resources, regional companies, and jobs.
168 INCH360: Lessons Learned From a Breach