How to Manage IT Security Risks - Transcript

Samantha Harkins:

Thank you all for joining us. I’m Samantha Harkins. I’m the CEO of the Michigan Municipal Services Authority. MMSA was created about 11 years ago as a way to incentivize local government innovation and collaboration and creative ways to work together, and to that end, we’ve been having a series of webinars highlighting a number of different topics that are important to not just local government organizations, especially in this case to all organizations, and so I’m really excited. I will caveat I’m excited and terrified for this presentation because cyber security is scary but Mike Coyne and Mike McGowan from Dewpoint, which is based here in downtown Lansing (and my neighborhood) – they are experts. They’re going to give us some tips – some ways to minimize your organizational security risk, and so I’m really excited to turn it over to Mike and Mike and if you have questions please pop them in the chat or Q&A and if it’s something pertinent I’ll be moderating and we’ll jump in. With that I’m going to turn off my camera and let the Mikes do the talking. Thank you gentlemen so much for being here.

Mike Coyne:

Thank you, Samantha, and thank you Kristen for helping us organize this, and thanks to MMSA. I’m assuming that everybody can see my screen here. Today we’re going to talk about managing IT security risk, and you’re right Samantha, this is a scary topic, but we’re going to try to take some of the scare out of it today. My name is Mike Coyne. I’m an account executive at Dewpoint. I’ve been an account executive supporting government in Michigan for the past 23 years. Dewpoint is a full-scale IT consulting company. We’re headquartered in Lansing and today I’m talking to you from our office in Grand Rapids. We’ve been in the business for 27 years and we support many local governments today so there’ll be a spin on this particular discussion around local government, but many of the things you hear today apply to all customers wherever they’re at as a small, medium, or large size business. Through our support of local government at the city level, both large and small, we’ve gained some experience on what those risks are for those particular customers. In 2021, Dewpoint worked through a competitive process with DTMB and the Michigan Cyber Security Group to be named a Cyber Partner qualified to support IT security initiatives in the local government space, and you’ll hear a little bit more about that later in this presentation. Last year we took on a significant effort to do IT security assessments on all of the Friend of the Court offices in our state. There are over 50 of them, so our years of experience plus the project we worked on last year have really given us some insights in what’s going on from cybersecurity within our state. Today I’m fortunate to have a co-presenter, Mike McGowan. As a co-worker, Mike hits all the boxes. He’s super fun to work with, he’s passionate about what he does. Today he’s a humble expert in the fields of IT architecture and IT security. Mike –

Mike McGowan:

Thanks a lot, Mike. Thank you for having us – we’re really happy to share some of these strategies with you, and hopefully in the process, you have a little bit of fun and get some education as well. We’ve all seen these headlines. We’ve been watching them for some time as an integrator, and our clients are watching them, and you know some of these cyber-attacks we’ve seen especially with local governments are they’re pretty scary, especially because the local governments now have modernized in many ways and have become very dependent upon the technology that they have. A lot of times that tends to be about functionality – the quality of services provided, but as we add all that technology and we add our dependency on that technology, we have to start thinking about protecting it, because then when it becomes unavailable or weaponized, we can suffer a lot of reputational damage or operational damage.

I want to talk about the City of Oakland, and this just happened in February, and part of the reason I want to talk about Oakland is because this is not a small city. These guys have resources, right, so you know this can happen to any municipality – large and small. This gives you an idea of kind of the gravity of the situation that Oakland faced and what happened to them. Like I said, back in February they had a cyber-attack, and after four days they actually had to declare a state of emergency. They were unable to operate. They have a call center that they operate 3-1-1 service, and that was down. This happened to cause an outage right before a series of really severe storms, and the impacts that fell to the constituents of this cyber-attack were pretty significant and operationally challenging. It was a difficult time for the city. It ultimately took three weeks to restore from this outage. This is a city we expected to be somewhat prepared – have some resources and some awareness of cyber security, and these are the types of things that can happen to anybody.

We’re seeing a real increase in the attacks against municipalities, especially around election time. We work with some of our clients actually to go into kind of a low change mode or a lockdown mode around election times. We get guidance from MS-ISAC and they take the stuff very seriously because you know municipalities are now very juicy targets. We are seeing in 2021, 36 percent of local governments reporting a cyber-attack and of those, 23 lost data and had interruptions to their operations.

Their preparedness is also not great. We’ve been finding that most governments that we’ve worked with have critical security vulnerabilities in their environments and some know about them, some don’t know about them, but most have them. A small number of municipalities that we work with have actually implemented things that are basic like multi-factor authentication, so the protections that they have in place right now are behind the private sector.

This sector is less likely to have some of these protections in place, so these attacks can be very damaging. I wanted to talk through how these attacks happen, and I thought it’d be fun if we walked through one from the perspective, and I’m going to pick on Mike here. I’m going to pretend that he’s the assistant city manager of Mittenville, which is a city I made up. We’re going to walk through a scenario on how this type of thing happens, and you’re probably going to notice there’s a lot of common habits that we find all the time, and we’re going to talk about how attackers exploit those bad habits and get a foothold in your environment. In this case, Mike’s getting ready for a city council meeting. He’s pulling the projector out of the closet. There’s a laptop in the bag. We pull this out for council meetings – it’s out once a month or twice a month, and it’s not patched because it’s off most of the time, and the last time it was used there was a guest presenter that infected the machine when they loaded their presentation, but we didn’t know that we infected the machine because Mittenville has not deployed EDR or antivirus that is monitored.

So, you know, although there might have been detection on the machine, it had no idea. Because they were able to see that Mike logged into this machine using his Microsoft 365 account, they saw an opportunity to try and steal his credentials. So, they actually executed a phishing attack against Mike, a spear-phishing attack. They sent him fake account recovery notifications to his email box. When he logged into his account, it didn’t work. They blocked that attempt. So, he was fairly convinced, while he was trying to get ready for this presentation and focused on getting the room ready, that he needed to get access back to his account. So, you know, kind of thinking about what he was doing, he just quickly clicked on the notification. By doing that, he walked through a form where he tried to reset his credentials, and in the process gave those credentials to this attacker. So, now this attacker can impersonate Mike and do everything that he can do.

So, next slide, because he’s impersonating Mike, and Mike is a person that wears multiple hats. You know, we’re a small municipality here in Mittenville. He’s also the IT coordinator. He has admin access to their Microsoft 365 tenant. So now, seeing this, this hacker is now able to crawl the entire environment and start exfiltrating data that’s stored in the city’s SharePoint and team site. This person has access to everything Mike does, including financial information, employee information, wire information to pay external lenders, a spreadsheet containing IT systems credentials, and clear text in his OneDrive.

Which they then start using to move laterally across the environment and infect, you know, basically infiltrate other systems and continue to exfiltrate critical data. Then they’re going to start encrypting that data and making it unavailable. So, what happens after a breach can be pretty devastating, especially from a reputational perspective and a business impact perspective. But what’s likely to happen at this point? Now that he has the list of credentials to get into the city’s web hosting, that website gets defaced, and now there’s a banner across the website saying, “haha, we’ve owned the city of Mittenville.” And citizens are now starting to get suspicious emails from the e-billing service that’s tied to the smart meters that we were able to put in a few years ago.

The presenter’s laptop, now on the screen in front of everybody, displays a message demanding four hundred thousand dollars in ransom to not publicly release any data provided and to provide an encryption key. And without an incident response plan, now Mike is basically trying to figure out what he should do. While this is happening, “I think I’m going to work on my resume. That’s what I’m doing right now. I’m working on my resume.” The glass case in the wall, yeah, that yeah. So, this is now starting to turn into a media frenzy. Everybody wants to know what’s going on. They’re getting these suspicious emails, the council meeting is now turning into a circus, and this system outage is now going to last for weeks because we didn’t really have our backups tested. So, we do have backups, but we never tried restoring them. And we found that we actually didn’t have full coverage with our backups. Public interest in this cyber attack is now the main topic for council meetings for the next three months. So, that sounds pretty not fun.

I think that generally in council meetings we want to be focused on doing the business of our constituents and not explaining why we had this terrible cyber attack. So, how do we prevent this in the first place? And the good news is that of all the examples that I listed, there is a corresponding control that can help you reduce the risk of that thing happening. One of the most important that we want to talk about first is multi-factor authentication, specifically phishing-resistant multi-factor authentication. Phishing-resistant basically means that there is going to be some visual indicator of where that request is coming from on the authentication device. You’ll be able to see what application initiated it, and generally speaking, you’re going to have to have some sort of number that you have to type in, something that’s displayed on the screen. So, if the person who’s trying to infiltrate your account is actually not you, you won’t see the number anyway. You can’t type it in. So, that’s a very strong type of authentication that would have prevented, even though Mike gave up his password, this would have prevented that person from logging in even with a good password.

Also, we want to talk about patching. So, you know, this laptop being in the closet was really kind of a problem because there were many vulnerabilities that this person was able to exploit in the first place to get a foothold on the machine. The fewer vulnerabilities we have in the environment, the less likely that is to happen. And most people know by now that this is a pretty big game of cat and mouse. We’re constantly chasing these vulnerabilities, and you need to have a good, automated, and tested way of getting these patches into your environment.

We also want to use endpoint detection response software, also kind of known as EDR. We used to have anti-virus a lot in the past and EDR now is very behavioral in nature. It looks at a lot of what’s going on in the machine rather than just the known software that’s being executed on the machine. Oh hey, we know this is bad, we’ve seen it before, a lot of these things have never been seen before. It’s behavioral tools that are used, tools that are used in combination with one another that we are looking for now, and these EDRs are very good at that. So the second this person tries to discover the network or do any kind of reconnaissance or attempts to move laterally or exploit the vulnerability that might not be patched, we’re going to get bells and whistles telling us right away. That kind of leads into monitoring things in addition to the endpoints, like your network equipment, maybe your servers. You want to capture logs. To do that, you’re going to want to have a security event and incident management solution, or a SIEM. That’s basically a product that collects all the logs. It collects the detection telemetry from your EDR, and it correlates all that together so that when there’s cross-domain problems like oh hey, we saw a failed attempt at the VPN on the firewall, and then we also saw some activity on this endpoint, the two in combination look bad, and we’re going to send you an alert. The other thing that you want to make sure you do is you break up the environment so it’s not as easy for them to move laterally. So like let’s say this laptop did not have the ability to talk to the e-billing system, it would have been much more difficult for them to infiltrate that system.

Also, if Mike had not been using his personal daily driver account as the administrator account, they would have been able to do significantly less damage. So, we do recommend that you have separate accounts for administrative duties, and that you don’t use your privileged account for your daily duties. We also recommend having immutable backups, which means that once it’s been written, it can never be changed. This is something really common in the finance industry. We used to have write once read many drives, which is now rebranded as immutable storage. It’s now in addition to a compliance technology, it is a security technology to ensure that your backups have not been tampered with. If a breach occurs, the other thing we want to make sure that we do is store multiple copies. There needs to be one off-site, and we would also ideally want one completely out of band, meaning I cannot actually connect to it from within the environment. This could be a cloud-hosted copy by our cloud provider. It could be removable storage that goes off-site, but something that gets stored offline. We also want to make sure that we test these backups. We often want to do restores periodically and make sure they work and also make sure that we’re restoring everything that we need to get back to functional. This is something you’re going to want to do on a regular basis. You’re going to want to work with understanding what data is in your backups and just make sure that if you had to use that restored copy, that you have the business things that you need out of it.

Also, we’re not going to store passwords and spreadsheets in OneDrive. We’re going to recommend that you store those in a password vault of some kind. There are many products available. We don’t endorse a specific one, but if you have questions, we can talk about that later. But some sort of a password vault so that it’s encrypted, you know, it maybe requires dual-factor authentication to get into your passwords, once again making it more difficult to move laterally.

We wanted to develop an incident response plan. So, obviously, it would be ideal if Mike is not figuring this out for the first time in the council meeting in front of the public. And this is going to be in front of the public really quickly when this happens. It doesn’t really matter. You know, there’s going to be some operational impact that’s going to be perceivable. And so, when that happens, you want to have a plan on what to do, who do you engage, do you have cybersecurity insurance, do they have a response team, would they prefer to take over the situation in order to pay your claim, what do you say to the public or not say to the public, who is going to be the person that is talking to the public?

Um, what from a law enforcement perspective do you need to do? Should you contact the FBI? Do you know who your local field agent is? So, these are all these should be kind of exercise in advance put into a plan, and ideally, we want to test this plan. We want to do drills to pretend like we did today that an attack is happening and see if all of the different things that we put in place help prevent that attack, but then if it didn’t, what do we do operationally as a business to respond to that incident so that we can get back to business as quickly as possible? And a really important one is enrolling your users in cybersecurity awareness training.

So, your people are the best line of defense. You have a human being able to detect phishing when it’s happening, or MFA prompts that they didn’t initiate or what have you. They are going to help reduce the likelihood of an attack significantly, and there are great programs available for you to train your staff. It’s well worth it. I think I got one more. Okay, so consider an assessment. A lot of people kind of assume, “Hey, I’ve got a technology provider, I’ve got an IT guy, he patches my stuff, you know, we’re good, right?” And maybe, right? We professionally do assessments to help you understand, in terms that you can see, whether your environment is up to snuff or not, if you have problems that you need to address, risks that you need to address, and also which ones you should do first because there could be a multitude of things that need done. So, don’t let it be a mystery. Dig into it, educate yourself, figure out what you can do better, and that’s going to help reduce your risk a ton. And if you want to go into the next slide, Mike, we can talk about what these assessments look like. We follow a standard methodology. It’s developed by the Center for Internet Security. We mentioned this, one of their entities earlier. They support governments during elections, the MS-ISACs. So, CIS is an active member of the SLED space, and that’s part of the reason that we chose the Center for Internet Security as our partner. And we do a standard framework assessment that gets scored by a bunch of different controls. It’s best practices that are taken from the membership which, once again, they’re heavily represented by government institutions.

So, we think this resource is pretty comprehensive. Next slide, a little bit more on CIS. So, CIS, there are lots of security frameworks that different lines of business adhere to, based on really the complexity of your business. CIS is one of those, and CIS has been named by the federal government and our state government as the preferred one for local governments to assess against, right? And that’s why we chose it, especially for these kinds of assessments. In a CIS assessment, it’s a framework that has 43 controls. They’re weighted and scored. We tailor that to the size, scope, and complexity of your organization, so it probably doesn’t make sense for the City of Oakland to be working at the same goals as some village in northern Michigan. So, we do take that into account, and when you get a snapshot back, you’re gonna see scores and basically general ratings, so like red, bad; green, good kind of thing across these 43 controls that you can basically tailor your attention to what needs the most work for the most value. So, like you don’t want to be, I guess, chasing low-value things that are expensive when maybe you could be doing some basics and getting yourself further along. So, that’s also taken into account. Okay, so when these reports come back, sometimes we find that this is the first time you’ve done one, there’s a lot of red. Man, that sounds insurmountable, but don’t worry because you don’t have to tackle it yourself. There are resources available. We’re certainly here to help.

There’s a ton of resources from CIS and in the communities online, but we want to make sure that you guys know that you have someone behind you. I would direct you to Mike to talk about this if you’re at all interested in tackling what comes out on that report afterwards. We have a variety of different types of ways we engage, so maybe we come in, we do a project, maybe you have a team and they need project management support to get through projects, maybe you have no team, you can use ours. We have a bunch of different engagement models to help, but the primary deliverable will be the assessment. Then, we would engage further on helping you tackle some of those findings.

Mike Coyne:

There are a lot of ways for entities to go about an assessment. There are some themes to the assessments that we do, again through our experience. One, it’s not going to feel like an audit. It can’t feel like an audit. It needs to feel like a collaborative effort between an IT provider and a business customer. It’s really a judgment-free zone because in the end of the day, what we will do with our recommendations and findings is present those to you in a way that you can determine the acceptance of business risk. We want you to be as tight as possible on a security end, but we understand that there are factors that probably will not allow you to go from where you are today to implementing all the recommendations.

And as I mentioned, there’s lots of ways to go about this. A lot of people buy what they call penetration tests, where our company will go attempt to get into your system, find ways to get into your systems, and then give you a report out of vulnerabilities. But our findings, especially with mid-small size and local government customers, is there isn’t really a roadmap on what do I do with these findings. So what our kind of secret sauce is in this assessment process is one, it won’t feel like an audit. Two, we’ll build the roadmap. So why not, when a finding is identified and presented, we’re going to take it further because there are other factors here. How big of a bang is completing this? Is removing this risk from your environment in terms of your IT security posture? How long would it take to do that? Is there an organizational change management? Are you doing something behind the scenes in the data center? Your business users may have zero feeling on their day-to-day on whether that’s done or not, but changing the way they log in may have monumental changes. And then the other factor is the financial end. How much is it going to cost me to do this? And what we’ve seen through this kind of an approach at a security assessment is when we develop a partnership with a lot of our customers, is doing this the first time, they go from kind of consciously unaware of where they’re at to finally consciously aware of the scary area, and they have a plan. And that plan can also be used to at least provide data to cyber insurance companies that are raising your premiums, that you can speak to the evolution of where you were and where you are and the plan you have to get there.

So now, I mean that we’re going to get to questions here in a bit about all the content around cyber events that could happen in local government, and what we’re proposing as a best practice to get ahead of that. But we also want to mention something about BitSight, and I just full disclaimer, Dewpoint does not resell BitSight. We’re not saying that this is something that you should invest in. It’s an interesting element into this practice of IT security. What the company BitSight is trying to do is they’re trying to become the credit score of all of us when it comes to IT security, and it’s interesting to see how far they’ve come in the last few years. So, at a high level, what BitSight is able to do through publicly available data and an incredible group of data miners who look into this data, they score us all. But understand they can only see the peripheral of our organizations. So if our organizations represent a castle, they can only see the outside walls. But some of the data that they’re able to look at, and it’s really any company that has a public-facing website, that’s what they start at, and their database of companies is almost endless. What they’re able to do is look at some things: it’s versioning, it’s certificates, but they’re able to look at data on what we publicly face, and they make, in that, the broad assumption on if there’s challenges from an IT security on what’s outside, there’ll be challenges on the inside. And again, you know, we are not proposing that you base your security practice on BitSight, but what is getting very interesting in this space is the insurance companies are able to get to this information, and it’s the easiest piece of information.

So, if we were to go in for a loan, we know that the bank is going to look at our credit score. If we’re going to ensure one of our kids with automotive insurance, they’re going to look at that driving record because it’s the easiest piece of information to get. Does it mean someone’s with good credit, bad, or a good driver, bad? You know, there’s an argument there, and the same with BitSight, but it’s available. Our advice to anyone that’s taking an effort to work on IT security within your entity is to know your BitSight score. So, here’s Dewpoint’s, and we know that we better have a darn good BitSight score because we’re in this field. It’d be very embarrassing to do the work that we do, so we monitor it both for our own health and from a standpoint of referenceability in the IT security consulting space. What’s interesting about BitSight is when you get deep into their report, very similar to a credit score, we will know what happened between last month and this month, and it’ll tell us we dropped five points because a certificate became out of date, or it’ll also tell us if we want to gain 20 points, here are four things we can do to again improve our BitSight score, which we do know is just a very high-level, easy-to-grab figure of IT security for our company. That’s a little bit about BitSight. I also want to talk about the programs that we have, especially in state government. We realize that all you are stewards of taxpayer dollars. We respect that. What both the federal government and the State of Michigan have done over the last few years is encourage local government to do an assessment, and they’ve gone so far as to put up competitive procurement out there, which was done two years ago to define, to identify a handful of companies that they believe are capable to do this work, and that’s where Dewpoint competed in that world and was awarded the moniker of a cyber partner to DTMB and Michigan Cybersecurity.

And that has led us to a contract that is available. It’s tough to contract in government, so we’ve tried to take the, you know, how to demystify that with a leverageable contract and some of our customers use this contract to do assessments with us. Some of them run things through their own, so it’s not kind of a de facto standard, but it’s an availability. And a couple notes on where we’re seeing the federal government and the state government go with cybersecurity in the local government space. Over the past few years, they have been providing levels of incentive. You should really do this kind of thing. Here’s a contract for you to do this, but what we are expecting is that these carrots, if you will, or taking proactive action sooner or later, we’ll turn into sticks at some level. And maybe that stick is a cybersecurity insurance premium rise. We can’t predict exactly what the state is going to do, but we can definitely envision a time where everyone does this on a regular basis, and we’re encouraging those to take advantage of what’s out there today to get ahead of that curve. Recently, we’ve worked with two Michigan municipalities with this process and their emergency manager. There’s five regions of Emergency Management in our state. They have worked with their Emergency Management contact to obtain grant funding for the entire assessment, and these are the kind of carrots we’re mentioning. They’re out there now for you. We have learned how to navigate through that piece, and with further conversations, we’d be happy to help you as well. You know.

So in wrapping up the discussion, we went through a lot of this about Dewpoint and MiDEAL. In the end, we want you to know that we’ve learned a lot about this space over the handful of years we’ve been into it, and specifically, a lot about this space within local government. Then, as we open it up for questions, we want to make sure that you know how you can follow up. A1, there’s my email, there’s my phone number, and there’s a QR code that will go right into my schedule. So, if you want to go right to jump here, you can schedule a meeting with me by following that QR code. We’ll keep this up as we go through questions. Also, if you just want to know what your BitSight score is, please reach out to us because we have that subscription, and we’ll be happy to present that score to you and kind of walk you through what we’re seeing for your score and how it relates to the others we’ve met. We’ve looked through.

Samantha Harkins:

Gentlemen, thank you so much. Just a reminder, if you have questions, you can put those into the Q&A function. And just to follow up on Mike’s point about MiDEAL, you may or may not know, MMSA is a really interesting governmental structure. We were created through an interlocal agreement between two communities, and we have the ability to do competitive bidding for local governments. And so, one of the things we’re putting before our board in a couple of weeks is for MMSA to do an RFP for managed IT services and cybersecurity. So, that communities could, similar to what you do with MiDEAL, go through MMSA. Or even one of the things we’re really interested in looking at is how communities can collaborate. And so, if you’re a smaller community and it may have managed IT or cybersecurity services might be too much for your budget, you could pull together several communities to work together and then contract with an IT organization. That’s something that we’re working on, and we’ll be putting before the board on May 8th. You guys don’t care what the meeting is, but at the main meeting. So, I’m really looking forward to that.

I actually have a question. Mike McGowan, you made a point about people being your best line of defense, and I remember when I worked for the City of Lansing, I worked with Dewpoint. We would have phishing tests all the time. I always pass them for the record, but when you say that, what are the kinds of things that your people should be looking for that would be sort of phishy, for lack of a better term, things that should raise red flags?

Mike McGowan:

Yeah, that’s a great question. So the first thing that I usually look for to spot phishing is weird senders coming from weird domains. You’ll see something that has a clearly Microsoft graphic, and it’s coming from a sender that has, you know, it’s like Fred at gobbledygoat.com. That’s usually a good one to look for. Also, notifications for platforms that you don’t have. I’ve seen people phished where they receive an email for, you know, like a Zoom thing, and they’re a Teams kind of place. That’s usually a good way to spot them.

But yeah, you gotta look out for there’s like quality problems usually with these emails—spelling problems, grammar issues. Another great practice is to really be careful before you click on links that are coming in these emails. Make sure before you click, you kind of know that this email came from, that it’s for you, and you’re expecting something like an MFA one-time password or something like that. You can often hover over the links and they’ll give you an alternate link text. It’ll tell you where it’s going to go. If that looks like it has nothing to do with Microsoft and it’s a Microsoft notification, there’s a really good chance that it’s a phishing email. Some of these techniques are covered in the trainings, which is really helpful. They test your knowledge by sending you fake emails, and you can even come up with your own templates.

Say you’re a larger organization. You’ve got Assist systems that you’re particularly worried about. You can fake your users out with custom stuff to test them. So, it’s one of those things where spreading awareness, types of things to look for, and then also reminders—frequent reminders. Updating that knowledge because it does change from time to time, too. The techniques do change. 

Samantha Harkins:

That’s all really helpful information. Thank you. You also mentioned having worked in local government at the mayor’s office and gone to City Council meetings every week. Getting before the public and how these things will become public quickly, and that becomes very challenging. So, this is a question to which I genuinely do not know the answer, and I’m just curious. If you’re a small community and you’re working with an organization like Dewpoint, and this situation sort of blows up and you have a public, does Dewpoint work with its customers to help with messaging and help with ways to massage that public piece of it? Or is it like… I’m really just curious.

Mike McGowan:

Yeah, no, so kind of indirectly. I wouldn’t say that we would give you a script or anything like that, but we would be adamant on you understanding the resources that you need to tackle that when the time comes. We talk about cybersecurity insurance being a really important component of this, especially because you’re probably going to need resources that you don’t have on staff when this goes off. You’re going to need a burst of resources. A) They’re going to be able to help you pay for that. B) They’re going to have the Rolodex of firms that can come in and help you from a PR perspective, from maybe a stabilization and forensics perspective. So, they have specialists that come in and just do breaches. As part of the incident response plan, we’ll make sure that there is a clear path to these resources that you need when this happens. 

Mike Coyne:

A couple, excuse me, a couple of other things there. So, when Dewpoint provides a managed level of service to any entity within that service, there are service level agreements, and outages or incidents have different levels. A Sev one, to us, is the highest priority and it’s a massive business interruption. If you were contracted with Dewpoint in that way, we would act accordingly to that Sev one, which would be, you know, we would provide help ASAP according to that service level, and part of that would be getting us involved in the incident response piece.

The other thing we’re seeing, our customers do that really can’t afford to hire a person who is the Chief Information Security Officer, is putting out bids for what they call a virtual CISO. This ends up being a fraction of a person who helps put together that incident response to you, who, on a fee, a kind of retainer fee, is there for you in an incident like this. But also helping you and coaching you through the proactive steps along your journey. That’s a way to mitigate the expense of one full FTE in your organization. We’ve seen Ottawa County, Grand Rapids, Auburn Hills do things like that with an RFP set for a virtual CISO service. 

Mike McGowan:

Yeah, that’s a really great point. Money can, and I think another great point that I wanted to make too is, like as a provider, we can’t necessarily offload everything from a security perspective for the client. And also, we understand that a breach can happen at any time during the relationship. So, just as a good practice, trying to be good stewards of our clients, we also incorporate during our own incident planning what it would look like if different clients were incorporated in that incident. And so, even from an internal perspective, if the client hasn’t necessarily paid us to come in and do an exercise with them, which would kind of be more focused around them and their resources and their planning, we are always thinking about ways that we can be the best stewards of our clients and how we can respond during these incidents regardless of the level of preparedness of the client and just do the best that we can in helping them. But yeah, that’s something that I’m proud to say that we usually do incorporate in our own drills. We were usually picking on clients in those exercises. 

Samantha Harkins:

Okay, so I have a question that could be kind of fun or scary depending. Are you able to share with us, without naming names, of course, in your personal or professional experience, what’s the worst cybersecurity situation you have dealt with? 

Mike McGowan:

Myself personally, actually, it wasn’t cybersecurity, but the preparedness was around the same. It was a total loss. It was a disaster. Their building actually burned down, and it had the same operational impact as a ransomware incident. Basically, they lost their entire environment. The only thing that they had to come back from was off-site replicated cloud backups. And I am proud to say that we were able to help them rebuild their entire environment, though it wasn’t exactly the way it was. It was achievable to do so. And that was one of those cases where we were really happy that we had gone through the process of making sure that they had those capabilities and we tested them, and that we were familiar with what had to happen in that disaster. I’ve also seen a number of lower-level incidents. You might be surprised to know how frequently accounts get broken.

Um, now fortunately, in a lot of the organizations that this has happened in, they were prepared enough to not have all these accounts be very, very privileged. So it was, you know, like lower-level folks that were getting breached. But it still is a problem, though, because even when any individual gets breached in the organization, they can still pull things like the directory from Office 365, and now they’ve got a big juicy contact list to go spamming. So, you know, it’s never good when that stuff happens, but you do the best you can to minimize the damage. Fortunately, I’ve not seen too many capitulation events, but yeah, they do happen. 

Mike Coyne:

And yeah, a full loss has happened to me, you know, and I’ve seen a couple in the municipality space, both with a utility and a local government. And you really see in partnership with them because we were called after the event to help in both of those cases. You really see an entity that’s very proud and, in many cases, very good at what they do, even from an IT security standpoint. They go from this “Okay, something happened, I need to do something about it” to “Okay, what am I legally obligated to do about this?” which is scary. And then they call in, they realize that they are legally obligated to do some things, and these helicopters fly in, figuratively, and they have way too much help than they need, and they really lose control of the activities that are so important to their business. And that level is as scary as the incident itself. And you just feel like you do if you were ever robbed, pickpocketed, whatever it is, you feel violated. And then there’s this level, there’s this financial piece of it where it’s, “What a waste of money, right? That wasn’t allocated for this thing.” A waste of time and money to try to re-image and catch up and figure out your backups and, you know, so many times at the end of that journey, they’re so much better than they were before because of all this remediation. But we all know that if they were ahead of it, you know, the minute, the impact would have been minimal. And every one of those customers said, “I wish I would have.”

Samantha Harkins:

The good news is, local government has tons of money. We do have a question from the chat from Daniel. He’s asking if Dewpoint has a service to execute your own pen test for customers. I don’t even know what that means. 

Mike McGowan:

Great question! That is one of the things that we recommend, really, to all of our clients to do on a periodic basis. We do offer penetration testing for our clients. And then, a word about penetration testing, though. A lot of clients kind of look at the tests like it’s the total engagement, and I want to make sure that people are thinking about after the test because, actually, 

Samantha Harkins:

can you explain what a penetration test is? I don’t even know what that is.

Mike McGowan:

Oh yeah, sure. So basically, we try to break in on purpose. And there are varying degrees of sophistication. Most of the ones that we conduct are scanner-based. We put a piece of software in the environment that scans everything in the network, and it tries to find all of the vulnerabilities that it can find. It creates reports on like, “Hey, we found this device that has these vulnerabilities on it,” and then it helps, you know, kind of rank the vulnerabilities by criticality. And then, the next level up is you actually bring in real hackers. You could even call them a red team, and they try to break in using all the different techniques that a hacker would. They provide a report on what they were able to do and how they were able to do it and that kind of stuff.

But then, after the test is done, is where this gets really interesting because you’re going to get this big report of things that they were able to do. Some of them are going to be good, you know, some of them are going to be bad, some are going to be really bad. And kind of digging through those results and deciding what to do can be kind of like the iceberg, the below the surface of the water. So, that test is kind of like the tip of the iceberg.

It’s probably going to be 20% of the effort, maybe, to getting that dealt with. So just prepare yourself for it to be real, like a whole program. When you’re doing vulnerability management, you’re going to be doing it all year long, every year. You’ll be constantly finding new ones and dealing with them. So just make sure that you know you’re not thinking about this like a one-time event, but an ongoing, I’m going to do this as an ongoing hygiene type of thing.

Mike Coyne:

A few other things on pen testing. So our advice, especially for entities that haven’t done an assessment before, is to do the assessment first. The analogy there is, you know, again, go back to the castle analogy. If your windows and doors are open, and you just need to realize the impact of that, the assessment will find those low-hanging things. Let’s get you to some level where that penetration test will be a little bit more valuable. We would suggest going through an assessment and six months to 12 months after the assessment and some low-level remediations are done. Now it’s a perfect time for a penetration test.

Those penetration tests can be, you know, to the extent that Mike went, and they can also go further. They have the ability to look at your Wi-Fi environment. They could look at social engineering and they can drop a thumb drive in your parking lot and figure out who really does it. So it kind of fits the work that we do with anti-phishing approaches. But they can really look at the social engineering and help to measure the culture of your organization. Is it ready to really embrace the fact that we’re going to be moving on a perspective of improved cyber hygiene?

Samantha Harkins:

Well, we are. I don’t see any more questions in the Q&A. We’re a few minutes before noon, but if there’s nothing else, I think we’ll go ahead and wrap up. No one minds being done. Gentlemen, thank you so much. This was incredible information, and I’m so grateful that you are here and grateful to have worked with you and know you.

If you are interested in our future webinars, actually, next month we’re going to mix it up a little bit. Instead of the third Thursday, we will be presenting a webinar in conjunction with the Michigan Economic Development Corporation. They’re actually hosting it on Thursday, May 25th. Same time, 11 A.M., and I will be presenting along with Doug Matthews, who is on our board, the Assistant City Manager of the City of Grand Rapids. We’ll be talking about ways to empower your staff to advocate to decision-makers and how that process will work.

So thank you again for joining us. This is fantastic information, and this will be available on our website as well. So if you want to share it with someone or pass it around, and we all have Mike’s schedule now. I didn’t know if, I kind of wanted to be like, “No, I can get access to my schedule anytime.” But Dewpoint’s a wonderful partner, a wonderful resource, so I hope you will all take advantage of that. And thank you again. 

Mike McGowan:

Thank you so much for having us. 

Mike Coyne:

It’s our pleasure.
