Tips to Build Cyber Resilience in the Public Sector
Tyler Podcast Episode 18, Transcript
Our Tyler Technologies podcast explores a wide range of complex, timely, and important issues facing communities and the public sector. Expect approachable tech talk mixed with insights from subject matter experts and a bit of fun. Host and Content Marketing Director Jeff Harrell – and other guest hosts – highlight the people, places, and technology making a difference. Give us a listen today and subscribe.
Episode Summary
The threat environment is high and cyber incidents seem to be on the rise. The public sector has not been immune to cyber attacks. Get some great information plus six tips to build cyber resilience in your organization from Ron Bernier, one of Tyler Technologies' cybersecurity experts.
Transcript
Ron Bernier: So I've got six quick wins, which anybody that is around cybersecurity is going to be like, yeah, those are the easy ones. And the problem is, yeah, they're the easy ones, but they're also the ones that are missed the most and lead to the most incidents. One, stop reusing passwords, right? Your Starbucks app passwords should not be the same as your network logon at your employer.
Jeff Harrell: From Tyler Technologies, it's the Tyler Tech Podcast, where we talk about issues facing communities today and highlight the people, places, and technology making a difference. I'm your host, Jeff Harrell, director of content marketing for Tyler Technologies. And I am so glad that you joined us. Today, we are looking at the threat environment surrounding cybersecurity. Incidents seem to be on the rise and the public sector has not been immune. So we wanted to bring you some great information and very practical tips on how to bring more cybersecurity awareness to your organization. Today, I talk with one of Tyler Cybersecurity's experts, Ron Bernier, who gives us some insight into the threats and some practical tips to be more cyber resilient. Without further ado, here's my conversation with Ron Bernier. Well, Ron, I know cyberattacks continue to plague the public sector. Why are local governments and schools such an attractive target to cyber criminals?
Ron Bernier: Well, first off, and I'm going to speak in generalizations. There's obviously local governments and schools that are taking cybersecurity seriously from a financial as well as a training and staffing et cetera standpoint, but they're a relatively easy target. Not all, but many of these local governments, especially smaller ones and schools are the typical hard shell, soft center style of network. These days, with humans being the easiest thing to attack for hackers, once the attacker has fooled somebody, either with phishing or some other sort of technique, then they can just start moving around a network. The organizations themselves have a lot of useful information that can either be sold to other hackers or sold to competitors, other international entities. They've got personal data, financial data, addresses, payment histories, all this information about people, and they can either resell it or simply use it to extort the organization itself. And schools are really an especially easy target. Education, the free exchange of ideas means that you have an environment designed to allow, not designed to deny. And when you carry that philosophy over to cybersecurity, generally, a recipe for disaster.
Jeff Harrell: And Ron, you talked about hard shell. Could you tell us a little bit more about what that means?
Ron Bernier: The hard shell, soft center, so we've got the firewall that's standing between us, right, between the hacker and the employees, the students, the teachers, et cetera, but once I get past that firewall as the hacker, the rest of the network is wide open. I can go basically wherever I need to go and do whatever I need to do.
Cyber Risks in Local Government
Jeff Harrell: Okay. Got it. And then what is the greatest risk or greatest threat facing local government agencies?
Ron Bernier: So right now, obviously the biggest threat everybody's facing is ransomware. I'm going to touch on another second threat though that I think is going to grow. Everyone's a target, right? Every single PC on the planet is a target for ransomware because everyone wants their data, right? If you didn't want your data, then you don't own a computer. And now, the way hackers are operating, just having backups isn't enough. Back in the day, when we were playing on a slightly more even platform with the hackers, you get infected, all of your data gets encrypted, and encryption is basically taking legitimate data, performing a highly complex, but reversible mathematical calculation against it, and basically turning it into gibberish. So if you get infected and all your data is now gibberish, if you have backups, you just restore your backups and you go about your business, but the hackers have learned that people were... larger organizations especially, were able to recover from infections with their backups. So now what they do is before they encrypt everything, they do some data exfiltration. They basically extort a client infected organization. Not only is your data now encrypted and lost, but even if you have backups, if you don't pay us, we're still going to go to the internet and publish all this data about your citizens, your teachers, your students, et cetera. Not only is it just that literal financial and public relations issue, but there's this tremendous amount of service interruption. Get ransomware in a 911 center and it can be literally life or death. Baltimore, everybody knows about Baltimore's infection. They were three months just getting their water billing back up and running. So disruption of services is a very lengthy process. Now, besides ransomware, one other one that I personally think we're going to start to see as we move into 2021 is malicious insiders. COVID-19 has had a severe effect on a lot of people financially. There's a lot more people that potentially are in a very precarious financial situation and are willing to give up access and information from their employer for a dollar amount. So, as this pandemic continues through 2020 and into 2021, we're probably looking at that potentially becoming a bigger issue.
Jeff Harrell: In this internal threat, are people contacted by malicious hackers? I'm just curious on how that transaction actually happens.
Ron Bernier: So kind of the typical employee... this isn't a typical insider threat scenario, but the typical way hackers reach out to people is to hire them as what's called money mules, which is, basically, people are going to set up an account. The hackers are going to get money sent into that account. They're going to withdraw that amount and send 90% of it to the hackers and keep 10% for themselves. So it's a way for the hackers to receive their funds without them being on record as ever having had them. It's been a little less important recently because of all the different cryptocurrencies, where being anonymous is a little bit easier, but it's still not completely possible.
Jeff Harrell: And do hackers look for people within the organization that they can contact, or do people within an organization reach out and say, "Hey, maybe I can make some money with this data"? How does that work?
Ron Bernier: So typically what happens is a hacker will set up a fictitious account, especially, let's say on LinkedIn or Facebook. "Hey, so and so ..." They'll look up ... do some research on this person and see that they went to Notre Dame. So they'll start looking for people that they went to Notre Dame, set up fictitious LinkedIn or Facebook or whatever accounts, and try to contact them, and friend them, and then start this negotiation from there. Sometimes they're forthcoming with what they're really trying to do. Other times, they're literally just trying to defraud that person anyway by just getting them to send money because they're in need. They need a thousand dollars for a plane ticket to get out of whatever foreign country they're talking about, et cetera, but sometimes it's also to do this money mule or for the insider transaction.
Jeff Harrell: So this is really getting kind of elaborate, some of the things that they're doing.
Ron Bernier: Well, and that's the thing, right? The hackers have all the time in the world. That's their job. They're literally getting paid and rewarded to perform criminal acts. They're getting really good at it, and they don't need to be terribly successful at it to make a whole lot more money, especially in some of these countries where A, crime is more acceptable against the West, and B, there's not really much opportunities within those economies to make this amount of money.
Combating Cyberthreats
Jeff Harrell: And that's very interesting. What do you think are some of the challenges that local governments have to combat this kind of activity?
Ron Bernier: Yeah. So first off, they're underfunded. Nobody likes to spend tax dollars on something that is not a quantifiable threat, right? You think of cybersecurity breaches, it's going to happen to somebody else. And until a local government or a school has it happen to them or happen to a school or government close to them, they don't think it's going to happen to them. Small towns, it's like, "Well, why are we a target? Why is anybody... They're going to go after the big folks." It's like, well, no, they're not because a small time hacker can go after just small communities and make a few thousand dollars a week and make more than what they can do legitimately. These governments and schools are also competing with private companies for the same cybersecurity talent pool that literally is woefully inadequate in numbers. Cybersecurity still has a significant negative unemployment gap. And we likely will for years. Small governments especially have outdated equipment. I was reading... I can't remember where the organization was. It was an HVAC system that was still running off a Commodore 64. Now, when it's that outdated, it's technically more secure than something that's relatively recent because nobody's going to write malware for a Commodore 64, but you get the idea of what these governments and stuff are under with the equipment that they have. And finally, it's just a lack of time dedicated to cybersecurity. Seldom can they find and hire and retain the specific cybersecurity related individual. So then all of this falls under the IT group, right? IT needs to take care of security because it is closely tied to IT. But most IT folks, really their job is being worried about availability, keeping things up and running and functional, and if we have time, then we'll worry about the security.
Jeff Harrell: If a local government had the time, had the resources, had the budget, what are some optimal ways that they can combat some of these cybersecurity challenges?
Ron Bernier: First off, there's kind of like... there's no silver bullet, right? There's no one control that an organization can implement and say, "Hey, we're secure." You're constantly ... In my mind, you should look at your organization as constantly being in some level of compromise. They obviously are going to throw in antivirus. They're going to have firewalls. They're going to create domains and try to segregate their networks, right? The 911 system is not where people are browsing the internet and buying from eBay, that kind of stuff. But again, there's no real control, so as you start to layer on control, after control, after control, the first one may literally take care of 80% of your problems. To use a sports analogy, Larry Bird, widely regarded as the greatest free throw shooter in the history of the NBA. His free throw percentage was 88.6%. But when you're trying to defend a network, that's about 11.3999% too low. The defenders are constantly having to be right every single time, and the hackers, they just need to be once out of a hundred. And it's financially rewarding for them to do so.
Jeff Harrell: And I'm a big Larry Bird fan. I love that example. I've heard this idea of continuous monitoring. Why is that essential in quickly detecting threats?
Ron Bernier: Probably the easiest way to explain that is Richard Bejtlich is a noted cybersecurity mind and author. He says that prevention eventually fails, detection eventually succeeds. So you have all these preventative controls, like I was talking about earlier, layering, layering all of your controls, your antivirus, your firewall, web proxy, et cetera. Eventually that stuff's going to fail. It's failed in every single breach known to man. If automated systems didn't fail, protective controls didn't fail, then we wouldn't have these incidents like we have. Again, the hackers just need to be right once. The defenders have to review their firewall logs, their Windows logs. Every device that they have on their network has to be continuously reviewed for activity. And once you find something that looks suspicious, it really comes down to how well your organization can respond when your prevention fails and your detection doesn't succeed as optimally as you'd like it to. So this continuous monitoring. It only takes one person clicking one bad link. We can never be a hundred percent secure. We're always going to be... Or at least we always should look at our organizations as being in some degree of compromise.
Working From Home and Cybersecurity
Jeff Harrell: And with the pandemic, more people are working from home, and I'm just curious, Ron, how has that changed the threat landscape?
Ron Bernier: In a couple kind of severe ways, actually. Most organizations, when they were building their cybersecurity plans, they view their network as what they need to protect. Again, you build the firewall. You separate yourself from the rest of the internet. But this perimeter that they've established is now expanding. It's going well beyond the firewall. Devices are outside of the control of the network, the organizational network for... in many instances, most, if not all of the day now. So we're looking at both a technological issue, where the location of everything is changing. The availability of that device to the hackers is changing. But also for the defenders who are looking for normal user patterns, time of day has become another issue because people aren't working in that same kind of 8:00 to 5:00 mode. Some people like to work earlier. Some people like to work later. As you expand what is normal, finding anomalies in normal traffic when that normal traffic is becoming itself nothing but a group of anomalies, it gets tougher to find, right? If everything is chaos, finding that malicious chaos gets tougher and tougher.
Jeff Harrell: Yeah, that is lots for organizations to consider. And Ron, I've heard this term endpoint protection, and I'm curious what that is, and why it's important?
Ron Bernier: So endpoint protection basically is putting in layers of control around each individual user's workstation, servers, et cetera. You typically always started out with antivirus, anti-malware, that firewall, that proxy. Back in, when I first started in cybersecurity, which I actually started prior to my employment with Tyler and Sage, hackers used to try to exploit devices more often. It was attacking a web server, getting access to the SQL database behind it, attacking an application server, getting access to its data behind it. Now, they kind of bypass all those technological controls that a company can put in place to protect that and now they just go right after the human. The hacker, using phishing, which is sending an email purporting to be a legitimate person or organization, and trying to get somebody to click on a link. Come early January, typically, maybe not this year, but early January, Patriots playoff tickets is a great way to get people to click on things. And so the hackers now are kind of bypassing those technological controls and going after the human, so monitoring what's going on on the endpoint, monitoring what's going on on the workstation. What activity is happening there? Looking at, okay, somebody was browsing out to this IP that looks malicious, but the web browser never spawned anything, versus browsed out to that IP that is suspicious and then Chrome.exe launched gibberish.exe, which launched a PowerShell command, which did this, which did that, two very different scenarios. So monitoring what's going on on an endpoint, obviously, is very important these days.
Threat Hunting
Jeff Harrell: I'll be back with my conversation with Ron Bernier in just a moment. Want to get even more great content on the topic of cybersecurity? Then visit our Tyler Tech resource center. Just go to tylertech.com, then hit resources at the top of the page. You'll find the latest blogs, case studies and more on a variety of topics. I think you'll find the information there very helpful. Now, back to my conversation with Ron Bernier. And Ron, earlier, you talked about threat hunting, and that just sounds fun and exciting. Talk to me a little bit about what that is.
Ron Bernier: Threat hunting is basically assuming your organization is compromised and reviewing evidence to prove that it either is or that it is not. Back in the day, people would wait for their antivirus to tell them they were infected. Well, their antivirus, if it tells you that you're infected, it's actually blocked it so you're not. So threat hunting is looking at all of the activity from firewall logs, Windows logs, SQL database logs, web server logs, et cetera, that are logging everything that was allowed to happen, and looking at everything that was allowed and determining if there's anything in there that's malicious. Again, if these real-time software controls worked all the time, we wouldn't have to do threat hunting. Here at Tyler and Tyler Detect, we do some threat hunting in real-time, but we also then augment it with contextual analysis. Contextual analysis is basically, instead of taking each individual event and assessing it for maliciousness, looking at the entire activity of a device or a user or a whole network and determining, if this is all done together, is it malicious? Because I can do activity A that's not malicious. I can do activity B that's not malicious. I can do activity C that's not malicious, but when I do all of those together, then it can be malicious. Basically, it's the human element, a person. If you want to think about what we do, in the simplest of terms, we are a security analyst as a service. It is our job to review what's actually been going on, what your real time controls are allowing, and looking for that incident before it becomes something larger than that.
Jeff Harrell: And Ron, this sounds a lot like what a SIEM would do. Could you explain the difference between what a SIEM does and what you guys are doing?
Ron Bernier: Sure. So a SIEM, which is a security incident and event manager, basically receives all of these logs from all of these sources, again, the firewalls, the switches, the routers, the SQL database, et cetera. And what a SIEM is really good at, typically, and some obviously are better at starting to equate what we do better than others, but a SIEM essentially is really there to index all of that data so that you can search it very quickly. So an organization can do everything we do, no pretense otherwise. They can install a SIEM. They can point all their log data to it, and they can do all of the review that we do, but typically the difference is all of the review that we do is not part of what comes when you purchase the SIEM. So in other words, you need to know what you are looking for. The beauty of doing analyst as a service versus trying to do it yourself is if you find something new on your network and you're not sure what it is, you're going to spend time researching what that is, versus using an analyst as a service, if we've seen that before on a certain number of clients and we know it's legitimate, then nobody needs to continue to research it. So having that power of other companies', other organizations' data being fed to us as well, I think is a big deal in helping streamline what actually needs to be looked at, what is potentially malicious, and identifying those threats a lot faster.
Jeff Harrell: Well, Ron, you've given us such great information. It's a little bit scary out there, to be honest. I wondered if maybe you could give us at the end here, just some practical tips that could help organizations in the public sector at this time?
Ron Bernier: Sure. So I've got six quick wins, which anybody that is around cybersecurity is going to be like, yeah, those are the easy ones. And the problem is, yeah, they're the easy ones, but they're also the ones that are missed the most and lead to the most incidents. One, stop reusing passwords. Your Starbucks app password should not be the same as your network logon at your employer. So never reuse passwords. In fact, I go as far as, I never reuse usernames. Get a password application like Password Safe or LastPass. I randomly generate all my passwords. I'm really crazy, so I actually randomly generate all my usernames too. So my email address isn't the same across multiple accounts, et cetera. The second thing is, patch everything. Way too many times, it always comes down to, "oh, that device? Yeah, we didn't patch that because that's just a test box", or "it's just a dev box", or "the vendor gave us that and they won't let us patch it." Patch everything. And when I say that, I mean more than just your desktops and your servers. Patch your firewalls, patch your switches, patch your routers. Basically every device you have that connects to your network probably has patches being released that you need to apply.
"Yeah, they're the easy ones, but they're also the ones that are missed the most and lead to the most incidents." Ron Bernier, Director of Tyler Detect
Jeff Harrell: And for those of us who need layman's terms, Ron, what does it mean to update patches?
Ron Bernier: So Windows 10 gets released and everybody installs it, and then somebody finds a vulnerability in it. Microsoft will write a small snippet of code that when installed in your... Windows 10 will fix that exploit. So it's not an entire rerelease of your entire code base, it's just fixing a small portion of it instead of having to install an entire whole new release set. The next two really will go a long way to protecting an organization. One, is proxy all of your web traffic. There are some I believe that are even free. A proxy basically is, I'm browsing at my workstation, and instead of going directly to the website, it's going to go to this proxy. And this proxy has metadata about domains and IPs and what's malicious, what type of destination that is. ESPN is sports and entertainment. JC Penney is retail, et cetera. But if you have a proxy, there's going to be a couple categories that are key to be blocked. Number one, obviously all the malicious ones. Anything that looks like malware, malicious site, illegal, immoral, all that kind of stuff, block all that. But there's usually this one category that sits there that nobody instantly thinks that should be blocked and that's unknown. Unknown, not classified, whatever terminology the proxy vendor uses. And basically what that means is that the proxy company has not yet visited that domain and determined what it is. Well, not all new domains and hosts are malicious, but almost always, all malicious hosts are going to be new. So if you block the unknown, yeah, you'll occasionally block some traffic to legitimate sites that people are going to complain about, but for the most part, until it gets classified as malware, it's still going to get blocked. So proxy your traffic. The other thing is, enable multifactor authentication. And a lot of times people think, oh, but I already have multifactor authentication. I have a username, and I have a password. It's like, no, that's not what I'm thinking of. Multifactor usually involves getting a text that you have to reply to, getting a phone call that you have to hit a key, something to validate that yes, you initiated this authentication and you are who you say you are. Biometrics is a way to do multifactor authentication, et cetera. So those two are really big and really will go a long way, especially the MFA from the authentication attacks. We worked with an organization a few years ago, and they wired a half a million dollars out to an account because the person who got exploited, their password was Summer2018, with a capital S. Right now, it's Fall 2020. Autumn 2020, I guess would maybe be a little bit better if you need a longer password. Don't use simple to guess phrases like that. They can cost an organization literally a lot of money.
Two more things I'll give you. One, segment your network. We kind of talked about this a little bit earlier. We're not going to be browsing. We're not going to be doing email. We're not going to be buying off eBay on the 911 network. And the students should be segmented from the teachers' network and the other organizational networks, et cetera.
One last thing, I've seen a lot of organizations do this and it's really cool that every time there's an inbound email, their email gateway adds a disclaimer at the top reminding them it's from the outside. And that's actually pretty useful because a lot of times, people will try to spoof the sender. And if the sender is inside your organization, but yet the email shows that the email came from outside the organization, that's really, really suspicious.
So that's six quick wins. I do have a bonus for you because I like the number seven better than six. Basically, find the control set, like the CIS top 20. If you Google CIS top 20, you'll find it pretty easily. Find a control set and work towards implementing it. It'll walk you through right from the start. Usually the earliest controls are inventory, not only hardware, but also software. What do we have? What are we using? What is potentially vulnerable? And going through from there, working all the way through to the end where you're doing daily or more frequently log review, where you have acceptable use policies, all of these things that you really need to be secure. Keeping in mind that being compliant with those controls is not going to mean you're going to be secure, but it's going to help you do that. And one bit of warning though, Rome was not built in a day, and it will take most organizations a measurement of years probably to work from zero, if that's what they have, to implementing all 20.
Jeff Harrell: Well, Ron, thank you so much for this information. If someone wanted to reach out to you and connect, what's the best way for them to do that?
Ron Bernier: So they can reach out on our website, tylertech.com. They can email me directly. It's ron.bernier, and that's B-E-R-N-I-E-R @tylertech.com. Or I know we have a number of links on our website to contact the various representatives that we have as well.
Jeff Harrell: Well, Ron really knows this stuff. And in a time where we really need some cybersecurity resiliency, he gave us some valuable information and very practical tips. Well, thanks so much for joining us and listening to the podcast. We have episodes that drop every other Monday and lots of great information headed your way. This is our last episode for 2020, but we've got lots of great and exciting things planned for 2021. So please subscribe. Until next time, this is Jeff Harrell for Tyler Technologies. We'll talk to you soon.