
168 INCH360: Lessons Learned From a Breach

Feb 06, 2024 · 41 min · Season 4 · Ep. 168

Episode description

In this episode of the Cybertraps podcast, host Jethro Jones leads an expert panel discussion on the aftermath of cyber breaches. Panelists share insights on preparation, incident response, and long-term strategies for recovery and prevention. The conversation includes first-hand accounts, practical tips, and the importance of training and communication to mitigate the impacts of cyber threats.


We’re thrilled to be sponsored by IXL. 


IXL’s comprehensive teaching and learning platform for math, language arts, science, and social studies is accelerating achievement in 95 of the top 100 U.S. school districts. Loved by teachers and backed by independent research from Johns Hopkins University, IXL can help you do the following and more:

  • Simplify and streamline technology
  • Save teachers’ time
  • Reliably meet Tier 1 standards
  • Improve student performance on state assessments

🚀 Ready to see why leading districts trust IXL for their educational needs? Visit IXL.com/BE today to learn more about how IXL can elevate your school or district.

Transcript

Panelist Intros

I will start by introducing myself. My name is Jethro Jones. I am the host of the Cybertraps podcast. Um, and I do a lot of other things. Um, I have an education background. I've been a principal for many years. And currently coach, uh, school leaders on all kinds of things from leadership to, uh, curriculum and things like that. So, I'm excited to be here and thankful for the opportunity.

Uh, I'd like each of the panelists first to introduce themselves and tell, uh, just a 30-second overview of who you are and what you do. And then, um, then we'll get into the questions. And we'll start with you, Nicole.

Hi, my name is Nicole Tett, and I am a Spokane native, and I'm actually a GU graduate. I have been at STCU for about 21 years, and I'm their Chief Information Security Officer, and been working in the security industry, focused primarily on security for about the past 25 years.

Good afternoon, I'm Ken Brown. I'm the Vice President and Chief Operating Officer at Whitworth University. Uh, a year ago, a year and a half ago, I was the CIO at Whitworth University. We went through a cyber breach, and instead of firing me, they promoted me. That was probably a mistake on their part, but, um, you can survive. It's, uh, a challenge, but you can do it. I've, I started, uh, in technology in 1980, so I'm a boomer.

And I've been around for a while and I've probably got a couple more years left and then we'll maybe leave it off to some of you Millennials.

I'm Brian Yamanaka. Um, I'm the founder and CEO of a company called Archangelos where we specialize in GRC and cyber security consulting for startups and small to medium sized businesses. Um, I am a Millennial, um, and I'm also a Washington Husky. So, I'm sorry if that disappoints a majority of you here. Um, Hey, we're in the FBS, so come on.

Um, Now you got me all mixed up here. Um, so I guess the reason I'm here is because, uh, I've lived a lot of you guys' nightmares, uh, of being in multiple data breaches. Uh, unlike Ken here, I, I have not been promoted because of that.

And hello, I'm Aaron Goldstein. I'm head of security operations and incident response at Total.

Um, I've got about 15 years of digital forensics and IR consulting experience, uh, helping organizations of all sizes respond, recover, and remediate from large scale, uh, ransomware, uh, nego uh, ransomware, business email compromise, and things of that nature, so. Handling the negotiation, payment, and recovery when those types of things happen. Thank you. Uh, I'm excited to chat with all these people. I think I could spend two hours with each of them and just go really deep.

We only have about 30 minutes and so, uh, we're, the way we're gonna structure this panel is I'll ask one question of each person and then, uh, allow them to respond. And then, uh, other people if they want to fill in can, uh, can add something to that conversation as well. Um, the, and then if you have questions we'll leave a little bit of time at the end, uh, for that as well.

Uh, so we want to start, um, with Ken first, uh, and talk specifically about the breach that happened at Whitworth University. Um, if you don't know about that, do a quick Google search on your phone and, uh, Ken can provide some things. But I want to start far after the fact. So this happened, uh, about 13 months ago, is that right? October of 22? August of 22. Uh, so It's been a while. You've now got promoted, as you mentioned, and that's great.

Um, but what are some of the things that people don't think about that happen, uh, months afterward when it seems like, you know, we got our systems back online and everything's good to go now? What, uh, what, what are some of the things people don't think about that you, you want to make sure people know about? Well, that's a, a challenging question because mostly you focus on what you did before or didn't do before, what happened during the breach, and then what's, what happened after.

There's, um, quite a bit of work to be done once you've recovered, right, once you've restored, right? So, and we said August, um, actually the ingress, uh, the part of the breach happened in April, and many of the breaches that we're seeing out there, The, the breach happens several months in advance of actually triggering the ransomware attack. That's something to know.

And it's something to help you, guide you in how you respond for the future, and how you're monitoring your systems so that you can, uh, detect things that are lurking in your systems that, um, that you weren't aware of if you didn't have the right tools in place.

Whitworth Breach

So having a good SIEM, good, uh, endpoint detection in place. Those are all things that we had to discuss at length after the event. So, um, and another thing that, uh, is always important to understand is when you're having a, a breach at the scale that we had, which meant most of our systems were impacted. All of our Windows systems, all of our H, uh, VMware systems and Hyper-V systems were impacted. Uh, fortunately the threat actor, uh, didn't hit us until the day after we ran payroll.

And we still had two weeks before the semester started, so we had a little bit of breathing room, but, um, after the fact, you're talking about how you, um, how you prepare and mitigate things that aren't going to happen, potentially happen in the future. What kind of investments now do you need to make beyond what you thought were, uh, all that you could make before? You're ending, you're going to end up making more investments.

Uh, fortunately, leadership's interested in helping you make those investments. They don't want to go through the pain again, if possible. Uh, but then, uh, communication is one of the things that, that comes up all the time. And there's communication during the breach. Multiple audiences that, that are interested in knowing what's going on. Uh, and you're, one of the audiences is the threat actor themselves who are monitoring your, uh, public pronouncements. You gotta be careful about that.

Uh, you gotta be careful about how you're describing things to your own internal people. How you, how you, uh, talk to the press. How you talk to, uh, people who are impacted. And you're required, of course, to to do a lot of work in notifying, uh, various, uh, state agencies across the country based on their rules.

So, several months after the breach, uh, we were still working with attorneys general across the nation, uh, and responding to requests because, uh, data escaped for people who were from virtually every state in the nation. And depending on how many people are impacted, various states have different rules. If it's only 10, well, maybe they don't care. But I can tell you the state of Colorado cared about the 1,200 people that were affected by the breach.

And so we had to respond to the state of Colorado with a fairly lengthy brief, and that means it was important that we had in place a quality, uh, insurance package that allowed us to, uh, engage, uh, attorneys to, I think Brent said, Brent said about, you gotta have a good attorney, absolutely you have to have a good attorney, to make sure that you're in compliance with all the state laws around the nation and being prepared to correspond with them.

And then of course we wanted to do, uh, mitigation for anybody who possibly could be infected. So there was, uh, first of all, having to, uh, dig through and understand who potentially was affected, whose data PII might've been, uh, that, those, that, that escaped through the breach. And, and then how do we, um, work with, uh, a company to, um, pore through that data to make sure we understand what's going, uh, what, what, what was lost and by who, and then how do we notify those people of, of the, the breach, and what are we going to do about it?

We're going to provide monitoring. We went a step further, not just monitoring services, but also remediation services. So if somebody felt like they were impacted, we would, uh, provide the means for them to get recovered from that impact. So lots of things to do.

Yeah, definitely lots of things and it's something that, uh, if you haven't been through it, you don't think that far in advance. Any other comments from the rest of the panel about things to do months after that people aren't thinking of?

Yeah, I would just say that, um, you know, to your point about going through all the data, having, you know, a breach coach and legal counsel that can actually do this, but what people don't always recognize is the amount of time it takes to do the e-discovery looking through all of the stolen data.

Um, oftentimes these threat actors are stealing hundreds of gigabytes or even terabytes of data, and by doing so, um, you have to go and mine all of that and determine, you know, what records were stolen, who, uh, in what states they need to be notified, and there's just so much, uh, that can happen there. Uh, it's a very lengthy process from both the victim organization and the, you know, IR firm that you hired to handle those types of things.

So, it can definitely become a real time consuming process and very expensive. Yeah, so, were you going to add to that?

What to do Months After a Breach

I was just going to say, from the victim's standpoint, that adds to delay and lack of transparency, or that's the perception, because they feel like they're withholding, and really the answer is, we don't know the full answer yet.

Yeah, and I think that's one of the really challenging things, is that there's so much data, and correct me if I'm wrong, but you don't always know all the data that's been stolen, especially at the beginning, and so that can be, Uh, ex, ex, exceptionally challenging. Um, so I want to shift the conversation to preparation now. And what are the things that we need to do to prepare specifically for it?

And so, uh, Brian, I want to, uh, ask you, what are the things that need to be in place to be prepared for a breach? Uh, Ken alluded to some of those things, but what else would you add to that? Yeah, I think, um, in running, like, software engineering organizations and IT teams, it's really understanding, um, where your areas of risk are within your technology stack. Um, I can think back to the breaches that I was part of at Twilio, um, ZipWhip, and WatchGuard.

And a lot of the, um, the root causes for those were, um, sort of the blind spots that we had. Um, things that we didn't necessarily think were a problem, um, but then became a problem when we were breached. And so relying on, um, Um, you know, good hygiene, like, uh, continuous vulnerability scanning, right, within your infrastructure. A lot of this you can get for relatively cheap now, like in AWS, if that's where your infrastructure is, or Azure GCP.

Ways to be Prepared for a Breach

They have tools that are there for you at low cost that you can run these scans. Now it's up to you, as leaders in your teams, to be able to take those scan findings and actually fix them. Um, I know a lot of times, especially in software engineering, we're pushed to develop features, new products. And things that we can sell, um, and a lot of times that technical debt can build up those alerts that we see in AWS Inspector or other vulnerability scanning tools get ignored.

And I see a lot of leaders in here, of teams, and you really gotta own the fact that that's on you. It's on you to tackle that technical debt and to do what's right to protect your infrastructure. So I think those are some of the things that I've learned in terms of prevention. Yeah, and, uh, anybody want to add to that before I move on to the next part of that?

I was just going to say, I think an incident response plan in advance of an incident, I guess I go with the perspective of it's not a matter of if, it's when. And so it's critically important that everybody knows what their role is if they're, if, when the incident does occur. Because, as Heather alluded to and others have talked about, when it happens, it's scary when, you know, it's impactful.

And so, having that plan, and more importantly, Uh, practicing that plan throughout and prior, uh, to that because muscle memory comes into play. Yeah, I would definitely add to that that, so we, before the event, we did a, we had a full scale tabletop exercise with all department heads across the organization for four hours. We spent thinking about what would happen if we had an event. We asked every department to make sure they had an active and updated business continuity plan.

What are you going to do if you don't have your systems to operate? How are you going to do payroll? How are you going to register students for class? So we had done those things. And then when the incident occurs, are you prepared to stand up an incident command team? Somebody, a team that meets every day to, to look at what's happening on the business side, but then also work with your mitigation experts on restoration. So all of those things have to be done in advance.

And you're also thinking about the training that was mentioned earlier and all of the regular types of threats that you're trying to, uh, deal with, whether it's phishing or spear phishing or any of those. But we weren't, we weren't breached that way. We were breached through a previously unidentified, uh, um, vulnerability in a, in a system that we, That we got the patch for a week after we'd been breached. It's too late. So, what can you do about that?

You can also have things, better, better monitoring tools in place that are surveilling your systems, your networks, your endpoints to make sure that, that you become aware of things before they become the big problem that they did for us. And just one thing to add to that, too, because it is super important to run those tabletop exercises, but you also need to take it seriously.

You need to have the teams that are working on those tabletop exercises to understand that it isn't just a check the box for SOC 2 or whatever kind of compliance you're going for. There's real meaning and value behind it. Yeah, that was, that was a question I wanted to go a little bit deeper on. And when you say, Ken, you had all the department heads, do you mean like you're at a university, so it's not just the business side, there's the education side as well, which almost exponentially opens up the vectors that people can come in from.

Even if students may not have access to specific platforms, they could get in and get information and then do social engineering to get more. When you say department heads, what are you talking about? Everybody on both sides of the fence? I'm talking about the president was in the room, all the cabinet members.

And all, uh, all the department leaders across campus, whether it was administration, staff, or faculty. Because it can, it can affect any part of your business, whether you're an educational institution or a bank or whatever. It can affect anyone. And so everyone needed to be involved and be aware. And we had really good buy in from that. We also got some help from the local cyber security.

Uh, team to help us create a cyber security manual and, and all of the, the stuff that goes along with that, that, that you actually need to help guide you during normal times, but also during an event. And you're going to be asked by your legal team whether you have those things in place. What have you done to prepare? How are we going to answer people who are questioning whether or not you did it properly? Are you going to be able to get cyber insurance next year?

Uh, have you done the things necessary to make sure that you are, uh, in a position to do the best you can to, to defeat these cybercriminals? Go ahead, Aaron. Yeah, I was just gonna, I was just gonna add to that, you know, when you mentioned liability insurance and, um, it's surprisingly becoming more difficult to get that.

So, when you go to apply for that now, they're gonna give you a, I joke, it's like a 50 page questionnaire that you have to fill out, and they're gonna ask you lots of questions. Do you allow external RDP? Do you have strong passwords? And all these things, and so when you fill that out, they're actually going to use that when you have a, a breach and you report that to them, they're going to use that, or try to use it against you.

So if you say, oh, I don't expose RDP and I have MFA enabled everywhere, if your, uh, breach is actually identified, the so the source of that was one of those areas that you incorrectly answered, they can reject your, uh, your claim and not pay out. Um, so it can be a really troublesome area. So, um, it can be a pain to get, you know, set up, but really setting those steps ahead of time, that way you know if there is an issue and an incident, you can call your liability insurance.

They will assign that IR team. They will give you that breach coach. Um, it can be invaluable. And they're going to tell you that you have to do training. Yeah. On a frequent basis. They'd like it to be like, uh, DRIP7, as frequently as possible. Yeah. So, uh, Nicole, as we transition to you here, uh, you, I want to talk about some of that training, and specifically phishing.

Uh, I was in, uh, employed by, uh, a school district who used what I thought was unethical practices to get us to be aware of phishing and they would send emails pretending to be from the district that actually were from the district and they had the ability to make them look more official and less suspicious and made people within the organization feel like they were trying to, um, be deceptive and unethical and how they were training us on that.

Can you speak to that idea of phishing and practicing on your own, uh, employees with your own systems? Sure, and a lot of what I'm going to say, honestly, is going to be redundant of what Heather talked about. I really strongly believe in the carrot versus the stick mentality. The common theme, um, so far during today has been people are the problem. And I, I don't like to say that. That's, that sounds negative. But in order to get them to change their behavior, you really need to engage them.

And so if it's a punitive or boring or, you know, not somehow entertaining engagement, they're not going to learn from it. Uh, we do testing, uh, internal phishing testing, but the intent there is not to trick people into, um, I guess getting in trouble and cause they don't get in trouble, but it's really to expose them to the types of threats they would see from the real world and that they do see, we do see internally.

Phishing and Training

And so, um, combined with education, I just think that's really critically important. And we not only do phishing training, we also engage with, um, third party pen testers to come in and, you know, try and walk into one of our branches and get behind in a network room. Or call on the phone and see if they can get credentials from one of our users. Um, those are things that help us to understand the baseline of what our staff are feeling and train towards that.

Yeah, anybody want to add on that, uh, teaching your employees, training them? Sure, um, I think, I think also, you know, there's a lot of great resources out there that you can pay for to get training, but there's also internal resources. There's people within your organization today that likely have, um, some pretty good knowledge, whether that's secure coding principles and best practices, if it's how to build cloud infrastructure, um, in a secure way. Leverage the talent that you already have today to train the rest of your staff. It'll also allow those folks to step up and be visible within the organization, which is, you know, another great win for your team. So, along with the training, you can train things that, that, where they can help, uh, our IT department.

So, we've implemented, we use KnowBe4 and DRIP7 both. And with KnowBe4, we also have a Phish Alert button that we drop on the Outlook, um, and so we've trained users to, if you think it's suspicious, hit the Phish Alert and it'll take the email away. And the beauty of that for us, for the IT team, is they don't have to go and do the evaluation, it gets done automatically. And if it was sent to 500 people, that email will disappear from 500 email boxes immediately.

So, and, I just happened, I start my day at five in the morning, and I often get the first phishing emails. I had two this morning, and so I phish alerted both of them. They were both flagged as threats, and so they were removed before anybody else went to work. So that's a good thing. So, but training people not just to be aware of phishing, but also how, what they can do in, in the, in the moment, uh, to help.

Not only the IT department, but the entire organization to be, to be able to withstand that day. Yesterday also, uh, people got text messages supposedly from me asking for, uh, Apple cards. You know, talk about spear phishing or, or spear, I don't even know what they call it, smishing? Yeah, so, that was, that was yesterday. Yeah, so after a breach, um, are you more susceptible? Have you seen an increase in attacks? Uh, and so this one's for everybody.

Uh, Ken, you were just out demonstrating that. So do you have anything else to add on that topic? I don't know if we're being attacked more frequently.

Um, I know that we've added to our defensive posture and we've added more sophisticated SIEM and endpoint protection analysis tools to better protect ourselves, to be better aware and we get lots of reports and lots of communication on those things today, so I suspect it's probably about the same as before, but we're catching more of it, and, um, yeah. And everybody's probably more aware, at the very least. Oh, absolutely. Yeah, Aaron, were you going to add to that?

Yeah, I was just going to say that, uh, after dealing with, uh, a very large amount of ransomware cases, I see them leaving footholds in the network in many, many situations.

Susceptibility After a Breach

So, while you gain better visibility and control and you get that logging and you get that budget bump to, to buy all the security controls you need, um, oftentimes I do see, you know, re-attack and re-extortion, unfortunately, because, you know, clean up efforts were good, but not perfect, and, you know, that ScreenConnect agent is still on that system, and those threat actors might wait a couple weeks, or a month or two, and now they're back in, and, um, you're right back where you started.

So, yeah, being vigilant and making sure that, you know, you've secured your network, and you're also leveraging that new visibility that you have to make sure that nothing stands out is really important. We, we know that fear can motivate people, and sometimes, going back to the carrot and stick analogy, we, we motivate people to make better choices by scaring them about what could happen. And, uh, that, that's not always the best course to take.

How do you communicate the seriousness of the, of a potential breach without, or a repeat breach happening again without making everybody panic and think that their data is not safe with you and that they can't trust you to manage their, the information that you have anymore. And this is open to, to anyone. But Aaron, do you want to start that one? Sure. I think that, um, you know, some of the most important thing is having those communications plans, those incident response plans in place.

Um, you know, being a technical resource like myself, I'm going to rely on legal and communications teams to decide what should be, you know, um, sent out and, and messaged to, uh, our internal employees, to customers, to those that are impacted, um, so making sure that you can kind of control that narrative, but also, you know, part of IR and, and incident planning is going to be making sure that you have good classification of different types of incidents, different types of severities.

That way, as it's happening, you know, it might get more and more severe as you kind of understand what's happening, but you can communicate that and, uh, help people understand that, you know, it's an ongoing, uh, issue, and it might be evolving, and as more information is available, the appropriate teams are gonna, you know, decipher and send that, or disseminate that information.

Communication of a Breach

What I've seen is, um, it kind of goes back to prevention, like what we were all talking about, um, executing tabletop exercises, doing the things in advance. And the reason I say that is because, um, as you start building that muscle of preparation, I think that gives your teams more trust and confidence that you'll be able to respond when a data breach does happen. We always say it's not if, it's when.

Um, and so that dispels, I've seen a lot of the fear, um, within an organization. Just a byproduct of being more prepared and showing that, um, you know, to your executive leadership team as well. So a lot of the training that we do, of course, is designed to defeat phishing expeditions and protect email boxes and, and, and credentials of individuals.

But when you get attacked in the way that we did, where the threat actor was in your system for months, and designing ways to get around, maybe even, uh, spoofing your antivirus so that it looks like it's running and it's not, um, what you discover is as soon as they've created their own root level credentials and they can do whatever they want, um, then anything that's in your system is open to them for, for exploitation.

And one of the things that happens is you find out after the fact, or after the data's been taken, that there's a lot of data that's left around on hard drives, uh, in file systems, that really doesn't need to be there. Um, and so, data cleanliness. Uh, data, uh, policies around, uh, archival and deletion of data. Those are things that also, from an after the fact perspective, we've been working on. Don't keep files in the system that don't need to be there.

So, oh, we've got five years of housing data? Why do we have it there? Are you using it today? No. Why didn't you delete it? I didn't think about it. Well, so there are, there are, there are things that we talk to them about with our employees about how to, how to be safer, even if we were breached, what, what, how can we minimize the damage? How can we minimize and how can we better protect the PII of the people that we're serving?

And that's one of the most important things for us to do and recognize after the fact that we've got an obligation to protect the data that we've been, that we're now the custodians of, and whether that's in the state of Washington, that's a, that's your company ID, and your name, and that's it, that's all it takes. Um, it seems ludicrous that your ID, your, your private ID number is, is considered that. Um, but it could be anything.

ID, social security number, credit card information, name, address, health information. Do you have fingerprint information? All of that kind of stuff is, is, is out there. So, and then the employees themselves, uh, will store things. Uh, their own private data. Uh, we found tax returns. We find, you know, passports that were scanned. We find driver's licenses that were scanned. All, not, we didn't collect that, the employee did.

So, there's a whole lot of work to be done, not just on training people about phishing, and, and, and use of systems, but also on how we handle our data. I was just going to say that, um, I think coming from a financial institution, reputational damage, if a breach order occurs, is tremendously impactful. And one of the things we're challenged with, and everybody else is too, is we rely on third parties quite often to perform services on our behalf.

And so what that means is we're sending our data to them, and we do due diligence on those vendors, but. Things like MOVEit and other sort of compromises that don't really are directly related to their failure are really, really problematic and that's, that's one of the bigger fears I have currently. Yeah, and I would just add to your responses.

As a school principal, when it was time for us to do a fire drill, for example, I would say we're doing a fire drill today at this time so that everybody knows and everybody's prepared and aware so we know how to act. So rather than this being a surprise fire drill that could cause more anxiety for people, we told them about it and said it's going to be at 2:30 p.m. today.

There's going to be a fire drill and everybody knows what's going to happen and in the past, the idea was surprise people so that you know how they'll act, and I found that explaining the context, when it's happening, explaining why we're doing it, and why it's worthwhile for us to practice helps people feel better about it, and certainly in schools, which is my background, there are lots of things that we need to practice and prepare for going wrong, and sometimes it feels like that's what we're teaching the kids and and to a certain extent we are teaching them how to be smart and prepare um, but we also want to not make it so that this is like all that you think about and, and I've certainly seen, um, some experiences with that as well.

Uh, so the final question for everybody here is, what is, what is the one lesson that you would want people to walk away from after having experienced a breach?

What would you want them to know and, and they go away from it and you're like, this is the one thing that you need to know. Uh, and so we'll start here with Nicole and go, go down the row. Put you on the spot first. No, that's fine, because I was afraid someone else was going to steal it. I think preparation, honestly, is the one thing that's super important.

Having that incident response plan and practicing it, um, helps you more, be more prepared and more effective in mitigating the damage that any breach might have. Okay, so we're going to say preparation for a breach as your one thing. Now, you guys aren't allowed to take hers, so you gotta, you gotta have a different lesson to go with it. So, Nicole got the bonus going first. I would agree with that. Yes, you can certainly agree, but no stealing.

So, I'll tell you what I did after the fact is, I, we have a small team, and many of you have small teams. So, I can't do 24/7, 365 monitoring of all of my systems with four people.

Lessons to Learn from a Breach

There's not enough time for them to do that. So, we partnered with somebody who could do that with us. So that we have a much more assurance that anything that might happen in our network in the future, which it will happen. There will be some either phishing thing or there will be another breach through a vulnerability that hasn't been detected yet. It will happen, but we are in a much better position now.

To know that something's happened and been injected into our network that we can then take action on and not wait four months and be hit with a ransomware attack. So for me, it was, it's, it's, if I feel much better, I don't feel completely at ease, but I feel much more at ease that we have the means now of at least, uh, improving our ability to detect and then mitigate before, uh, the crisis occurs. Okay, so I'm just summarizing.

So we got prepare for the incident and then we got partner with someone who can help is what I took away from that. Did I understand that correctly, Ken? Okay, just making sure that I am understanding good. All right, Brian. Um, I would say the one thing to walk away from, um, as part of this panel is to not operate from a, a, a position of fear about data breaches. Um, if you think about us as humans, right, when you fear something, you naturally shy away from it. You don't want to address it.

You sweep it under the carpet. And I think with data breaches, that's very similar to how a lot of us, um, operate. So, you know, preparedness, what we already heard. Partnering. Those are all good, great ways to help, um, build confidence in your team and in your organization to be able to handle a data breach when it happens. Very good. I, I kind of like the prepare, partner, and what's a P word for expect it? Predict. There we go. Alright. Now Aaron, the pressure's on.

If you do something other than P, everybody's going to walk out of here upset. Preparation. No, just kidding. Well, the P, I, well, it's, uh, no, I don't have a P, uh, word here. So, the way I like to think of it is, um, you know, all of these things are incredibly valuable. Uh, I think of the incident response life cycle, right? So, preparation is the number one thing in that. We have to be prepared.

Um, but the thing that I think is often overlooked is recovering, and after an incident, the lessons learned, the root cause, and taking action to make sure that this doesn't happen again. So taking the momentum from an incident, you know, the additional budget, the additional improvements that you're making for your network and for your systems, and use that and learn about what else you can be doing to improve your systems and your process.

So taking, you know, everything that's happened and improving and taking that existing IR plan and that preparation that you're doing. Modify it to make sure that it meets what just happened. And now for the next one you should be more efficient. You should be able to respond faster and hopefully save time and money. That's great. Ponder. Huh? Prepare, partner, predict, and ponder. Okay, we got four P's that you can walk away from this with. Very good.

How to Leverage Students in the IT Programs

Uh, so the question is specifically, how do you leverage, uh, students in your IT programs to start doing this stuff for real in, while they're students at your school? I think the folks from Eastern would be in a better position to answer this, because I know they have programs specifically designed to help, uh, themselves and other organizations monitor. Uh, we haven't gone down that path per se, but we partner with our computer science department on, on, uh, cyber security training and, and teaching.

And so we, we try to build the capability for, for, um, the gentleman back there at the table to do a variety of breach testing and trialing and to teach our students how to be better prepared to do some of the things that were talked about earlier in being able to build systems that are responsive and capable of withstanding certain kinds of activities that we don't want to have happen.

So, I think that's a valid thing to do, but we, we have not, uh... part of the problem that we've had with investing in students is that they come, and then they build something, and then they leave, and then we have to figure out what they built and how to support it. Uh, they're not a persistent, uh, source of, of, um, of worker that, um... we haven't cracked that nut for ourselves, but I, I think you should talk to Eastern because I know that they've done some of that. Yeah, that's excellent.

Um, as, uh, our, as a K-12 principal, we have done that with students in high school and, uh, middle school, even asking them how they would get around our systems. Um, and in one district I learned that every student was installing, uh, VPNs on their phones, so that they could bypass all the security protocols. And so, uh, that was a fun conversation to have with those, with those kids. Uh, anybody else want to comment on using internal, uh, people?

I mean, you're not all in education, but, any thoughts there? Uh, I'll just add, um, I'm not in education, but, uh, I train a team of security professionals that investigate on a, a daily basis. And one of the things that we do is run what we call attack simulations on a regular basis.

And, uh, so it's kind of like the next level of a tabletop where rather than just discuss what's going to happen as an attack, we actually run, you know, purple team scenarios where we're running attacks on test systems and then we have our teams go and investigate and respond and measure that response to see how we can improve. Um, so that might be another way that you could take some of the students and get them some hands-on training and, and, um, develop that skill. Okay, good.

Is Physical Security Still a Part of the Conversation?

We have time for one more question. Yes, in the front. So the question is, uh, as we continue to be focused on cyber security, what about physical, physical security, and, uh, are you still paying attention to that? And is that part of this conversation? I would say that, um, physical security is an integral part of cyber security. It's a piece of the puzzle. Uh, in my case at STCU, we include physical security in the cyber, or under the Enterprise Risk Division.

And it's been very beneficial and there's a lot of synergy because a lot of the technology behind physical security has IT components as well. And so, um, it's been super valuable. So in our case, it's, um, we work very closely together. As a university, campus is naturally an open place. Students have to come and go. They, they have access to, uh, PCs on campus. They have access to Wi-Fi on campus.

So, some of the things that were mentioned, I think, earlier about, uh, segmentation of your network, and, uh, multi-factor authentication, uh, actually both directions, whether you're on campus or not. We've had to implement that to better protect from, um, access from on campus as well as from off campus. So we think about that. We also have, uh, quite a few spaces that are locked, and you can only get to them through keycard access. All of our server spaces, our main, uh, computer center spaces are, are IT spaces.

And we're small enough that, um, it would be unlikely, uh, unless you're brand new, whether you would not know the person from IT that showed up at your desk to help you. But that certainly is something to be concerned about. And, and other places I've worked, people had to wear the badges, but of course the badge could be spoofed, physically spoofed as well. So, there are a lot of things to consider.

You're, you're going to answer questions on your cyber, uh, insurance form related to physical security. Uh, and, and, uh, universities are also going to, your auditors are going to ask you the same questions about physical security and access to your, your ERP system and your accounting systems, uh, to make sure that, uh, those are safe and secure. So, uh, it has to be part of the entire, the, the, the overall picture. It can't just be the, the IT side.

Yeah. To add on to that too, we talk about, and we have been for a while, this notion of like zero trust in the cloud. Right. I think it definitely applies to physical security as well in terms of always verifying. So I think back to when the pandemic started. And we had a physical office space, and there was hardly anyone in the office, right? So it was a perfect target for someone to come in, and I think they actually even used a flipper device.

I don't know if you guys know what flippers are, but you can get those now. And spoofed a card, was able to get in, and there were two people in the support organization, and none of them asked the person that was in there, "Hey, what are you doing here?" So, I think it does come down to a very similar principle to zero trust. Yeah, uh, we try to adopt a policy of trust but verify, um, so same thing.

Multi-factor authentication exists for physical controls as well, so you can still have badge access with a key code or something else, uh, making it a little more difficult. And, you know, as far as, like, computer equipment, servers, things like that, if they're gonna be physically stolen, everybody's using, uh, disk-level encryption, right? Full-disk encryption?

So it shouldn't be a problem, but, um, unfortunately, if you're not, you should probably turn that on just to be safe in case somebody's walking out with one of your servers. Yeah. Alright, well, thank you everybody, uh, for being here, for your attention. Thank you to our panel. Let's give them a round of applause.

Transcript source: Provided by creator in RSS feed.