Cybersecurity in K-12

Unsecurity Podcast

Ryan Cloutier joins this episode of the UNSECURITY Podcast. Ryan has taken a special interest and focus on cybersecurity in K-12 schools, so he and Evan talk all things K-12 security—including Ryan’s “Awesome Top 5.” Give episode 136 a listen/watch and send questions, comments, and feedback to unsecurity@protonmail.com.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:23] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the UNSECURITY Podcast. This is episode number 136. The date is June 16, 2021. Joining me is my good friend, Ryan Cloutier.

[00:00:39] Ryan Cloutier: How you doing? Doing good, man. I’m excited for today’s topic.

[00:00:43] Evan Francen: Yeah. Well, it’s right up your alley for sure. Uh, so listeners, Brad’s taking a few weeks off. You know, we’ve all got tons of things to do and he is no exception. And that’s not like you and I don’t have tons of things to do too, but everybody needs a break once in a while. So Brad’s taking his. Um, yeah, our topic today, I figured we’d talk about K-12. So, K-12 security, you know a thing or two about that, don’t you? Just a little bit. Yeah. So, you know, I’ve been working on state and local government and, you know, it’s kind of trying to figure out where the lines are. Do you have that struggle with K-12?

[00:01:25] Ryan Cloutier: I do. It’s a very complex environment, and it can be different state to state and it can be different culture to culture within the community. So urban districts tend to do things a certain way. Rural districts tend to do them slightly different, um, you know, and what’s really interesting is you try to navigate the who’s who, right? So as we try to implement information and cyber security risk in these institutions, you’ve got to get the right buy-in from the right folks. And one of the big challenges that I think we share between K-12 and state government is finding out who the right players in the game are. And it’s not always the ones that you would think it would be. It’s not automatically just the CIO or the CISO. So, right, it could be that the CISO needs the buy-in of the house chair or, you know, other players in the legislative space on the state side, and in the school space it can be different types of leadership or in some cases even buy-in from the union, from the teachers’ union.

[00:02:26] Evan Francen: Yeah, it’s weird because, like, it seems like with states, no two states work the same way. I think it’s even worse in K-12 because, you know, you’ve got, who governs K-12 in the United States?

[00:02:42] Ryan Cloutier: So interestingly enough, no one. There is no, you would think, department that would be your automatic default, right? The federal Department of Ed. Well, no, they set guidelines and standards for curriculum and for, you know, what the students need to learn to be accredited, but they don’t set guidelines for how you manage your district. And, you know, in Minnesota here, we have independent school districts. So they could actually span county lines, city lines. But if we look at our friends down in Florida, they do it based on county. So each county has a school district. We go to our friends, say, in Texas. Texas is also an independent school district setup, but they tend to do it more based around city.

[00:03:30] Evan Francen: Mm. Who decides whether it’s independent or not? Is it a state that kind of sets that piece up?

[00:03:38] Ryan Cloutier: Yeah. So what that comes down to is the way that the funding works within a given state. So an independent school district gets its funding based on property tax value from the cities or counties within their defined district boundaries, uh, and all the schools in all the states do get a small portion of money from the federal government and they get a small portion of money from the state government. The rest of the money has to be made through either bond initiatives, property tax hikes, bake sales. A lot of schools use events as a way of generating revenue for the school to be able to pay for things like laptops and books, and books are a little dated, not that they actually use those anymore. But, you know, what does

[00:04:23] Evan Francen: anybody read anymore?

[00:04:25] Ryan Cloutier: Well, I mean, based on the way I see people behaving, no, right. But it’s a hodgepodge, and ultimately it comes down to the local community that that school district is serving. They ultimately have the most authority and say over how that school district is funded and what they’re going to spend that funding on. A lot of times the school board is the one that ultimately carries the authority.

[00:04:52] Evan Francen: Yeah, that’s okay. And I’m gonna take us on a little side track, as I remember, um, especially this last year, right? There’s been a lot of this race thing, you know, not race thing. It’s racism and discussions about that. And one of the things, somebody, uh, said something about systemic racism, right? And I was like, I don’t really know what that is. So give me an example of that. Because I think all of us want to be part, not all of us, but all of us should be, should want to be part of the solution, not part of the problem. So they brought up the issue of schools being funded by, like you said, local property taxes. So you take our backyard here. Minneapolis, you know, the Minneapolis school district is funded by property taxes, and where I live in Laconia, uh, you know, I think that income per capita is higher, property values are higher. So students in Laconia seem to get better equipment, probably better instruction, more opportunities than people in the inner city. Is that right?

[00:06:10] Ryan Cloutier: It is absolutely right. Uh, you know, here in Minnesota we have a couple of districts, and I won’t name them, but they are what we call the Gold Coast. They have the money. That’s where the majority of wealth in the state is concentrated, into a handful of cities on the western edge of the metro, and they have the best funded programs. They have the best talent, they have the best equipment, and that’s because they’re able to offset that state dollar value. So the state gives every school a flat fee for a student and then the difference has to be made up by the local community. So a community that is impoverished is going to struggle to overcome that offset, where a community that’s wealthy is able to do so more easily. The other thing that I found interesting, I was actually talking with one of those districts, who I won’t name, and I said, how come you guys seem to always have so much more money left over? And the answer I was given was, Ryan, one family can write a check for our entire athletics program and now we don’t have to spend that money. So, uh, affluent parents being able to write very large checks to cover things like re-turfing of the football field. That money that was allocated for that can then be reallocated to something else. And when you get into an urban setting or an inner city setting, those opportunities are so much more reduced. You don’t have wealthy families that can come in and just say, I’m going to buy new uniforms for the mascot, new lighting for the football field. There’s a couple hundred thousand dollars. You know, when they have to pay for those things, they have to pay that out of what we call the general fund, and the general fund is really used for everything. So when you take away $30,000 to pave the parking lot, well, that’s a whole bunch of laptop upgrades. That’s a whole bunch of being able to pay to protect the internet or things like that.

[00:08:14] Evan Francen: Yeah, that’s, mm, I mean, that’s probably for another discussion because, I mean, that certainly seems like it needs to be fixed, right? I mean, when it comes to information security, what we do, uh, I think the richer become richer. School districts have more leeway, they have more, uh, they can make mistakes and recover more easily, meaning they can misspend, they can go buy that blinky light, even though it’s maybe not the best thing for them to buy from a security perspective. They can afford to make those mistakes. Whereas rural districts and, you know, districts in the inner city, urban districts, they can’t afford that.

[00:09:01] Ryan Cloutier: Exactly. And, you know, even fundraising. You know, let’s say they do make that mistake and now they’ve got to recoup $1 million. Well, I know for a fact that one of our richer districts was able to make $1 million selling candy bars. Wow. You’re never going to be able to do that in an inner city setting because the families don’t have enough disposable income. So while they want to buy that candy bar, they want to buy them all, they don’t have that financial capability. And so their students ultimately end up suffering. And I think that’s where the systemic, just to tie this off or not, that’s where I think the systemic piece comes into play, is that you have a disadvantaged group of people who, in order to get the advantage, have to be able to take advantage of the advantage, and they can’t, so the loop perpetuates itself. So I can’t make $1 million in candy bar sales. Therefore we can’t offset that mistake that we made, or in the cases too, a lot of times, you know, school districts have to pay lawsuits. School districts have to cover staff that are inappropriate in some cases, or other types of things where they get sued, and then that money comes out of that general fund and they’re left with even less. And the bigger the school districts are, generally speaking, the largest school districts in the state of Minnesota are also the most impoverished.

[00:10:29] Evan Francen: Yeah, absolutely. And I know that you and I have talked a lot because we strategize a lot on different things. And you were telling me about some of the mega districts. Now, mega districts, they sort of run themselves like a business. And so that’s one side of the spectrum, and then the other side of the spectrum is maybe a rural district where the person who’s the technology director is also the gym teacher, is also the baseball coach. You know, that’s hard.

[00:10:58] Ryan Cloutier: And it’s very common. Um, you know, I’ve worked with districts of all sizes and all demographics across the country. I’ve worked with inner city urban districts. I’ve worked with rural districts in predominantly Caucasian communities. I’ve worked with southern districts and northern districts, and they all approach things a little different. But the common theme is the rural districts tend to wear more hats. They tend to have to be the security person, the network person, the desktop support person. Plus they’ve got to pop out to teach history and they’ve got to go help out on the football field because they’re the coach. You don’t really see that problem in the metropolitan districts, or especially the mega districts. Mega districts really do run like enterprises. They’re funded like enterprises. You know, one that comes to mind that’s one of the largest in the nation, you know, they have an IT staff of 1500 people. That’s more IT staff than most big businesses of a similar size and budget.

[00:12:02] Evan Francen: Right? Well, it seems like, so every one of these, you know, when we talk about protecting data, protecting information, uh, I think one of the big, really important, you know, types of data to protect are the students’, right? And their families’, right? Protected personally identifiable information. But then there’s also the whole skill level thing, the skill set. Um, we need more security people. You know, we’ve said before information security is a life skill. Uh, it’s probably more likely in some of these more affluent school districts that they’re getting those things than, you know, the rest of the students. I mean, we have to fix this. I think there’s a lot, a little many issues, because let’s say that I am in an inner city, and it’s not just black and white. It just happens to be that most of the, I think, blacks in our country are concentrated in cities, right? There’s also white students there. And if I’m already starting off disadvantaged, right, I’ve got kind of the deck stacked against me, meaning I don’t have the same opportunities you do. I don’t have the same equipment you do, I don’t have the same quality instruction you do, lots of things. Couple that with the fact that it is probably more likely that my data would be exposed because it’s not being properly protected, because you just don’t have the resources to do it, maybe. And now, you know, stack that on top. Right now it’s more likely that my identity will be stolen and I have to deal with that, you know. I mean, it’s just, it’s kind of beating them down a little bit, isn’t it?

[00:13:46] Ryan Cloutier: Well, it is. And the other thing that, you know, I think a lot of folks outside of K-12 don’t realize is that a K-12 school district has all the data, all the data: medical data, financial data, behavioral data. They have data on your child and on the children, and staff are responsible for that. That bumps up against HIPAA. But they’re not a medical facility, they’re not an insurance provider or doctor’s office. So they’re not regulated by them. The laws that regulate school districts traditionally are laws that were written in the 1970s, specifically so that families could know what records the schools were keeping about their student. Not so much so that that data needed to be protected. Um, and then what you now have is a hodgepodge across the country of different attempts to create student privacy laws. The best one I’ve seen yet to date is out of Illinois. It’s called SOPPA. And what it says is that all school districts in Illinois must maintain reasonable security. What they failed to define was what is reasonable security. So now you have a law that says you have to do a thing, there is no definition for what that thing is, and we’ve seen this over and over, 20 plus years in this industry. The word reasonable gets thrown around, but nobody wants to define what it means. And so now everybody scrambles to try to meet that, and you still wind up with 150 different ways that people attempted to hit it. And maybe out of that group, 10 actually achieved what a security professional would then call reasonable.

[00:15:34] Evan Francen: Yeah. Well, one of the things I know that we’re trying to do, you know, with SecurityStudio and S2School and the things you preach, is trying to level that playing field a little bit, right? Because we know that most of the protection, most of the breaches happen because of lack of fundamentals, right? It’s not because I don’t have AI, it’s not because I don’t have, ah, you know, some super sophisticated machine learning device. It’s the basics, the fundamentals, right? Uh, somebody left RDP open or somebody clicked the phishing link or, you know, it’s stuff like that. So I think without transferring a whole bunch of money, I mean, that one thing does need fixing, right? But we don’t do that. We’re security people. I don’t determine how schools get run. They don’t determine, you know, funding stuff. Well, what I can do is do my best, and what we can do is do our best to make sure that school districts aren’t pissing away money, that every dollar you’re spending on information security is being spent wisely, it’s being spent towards those fundamentals. So those things are really, really important that you do.

[00:16:48] Ryan Cloutier: Yeah. And, you know, I just published an article, you can find it on SecurityStudio’s blog. It’s the top five things that schools need to do to prepare for ransomware. Um, I’ve started preaching not prevention, but recovery. Prevention has seemed not to work. We’ve tried prevention, it didn’t work. So now I’m pivoting to say, you know, prevention, we still need to do it. It’s still important. But what’s more important right now, what’s more helpful to where you invest that next dollar, is making sure you’re recoverable, making sure that you’re ready for the event when it happens and you’re able to get back on your feet. There’s, you know, and part of this is, uh, two things that are going on in schools today that don’t go on at the same volume outside of school. And the first is insider threat. So insider threat exists within a company, uh, private business. And when you discover that person, you fire them, you call the police and you prosecute. But in a K-12 setting, that’s not what happens, because really you’re talking about a curious child, a child who is now demonstrating some skills and talents and curiosities that should be shepherded towards the right things. Towards, hey, I’m, well, I’m not happy that you hacked us. I’m not happy that you took down the firewall. That’s actually a job skill, let us redirect you. And schools are the only place where the inside attacker is invited back three days later and handed back their computing equipment. And so you have that factor in play, and that’s actually a bigger factor that rarely makes the news for a handful of different reasons, a lot of which is because it involves a juvenile and potential crime, and so that’s why it’s not hitting the, um. And the other challenge there is that in a lot of cases those students are actually helping the IT staff to secure the network, and so we’re using

[00:18:47] Evan Francen: children

[00:18:48] Ryan Cloutier: to secure the network of the school, and you don’t see that on the business side. So I think, you know, that’s where a lot of schools struggle when it comes to where to spend the next dollar, because let’s be honest, they’re getting their cybersecurity advice from a 14 year old.

[00:19:07] Evan Francen: Yeah, good point. Good point. And I love that you brought up a couple of other good points. So, and I do want to talk about, you know, your article. I think it’s awesome. I love the fact that you kept it at five. It’s simple, it’s straightforward, and that’s one of the things that is our mantra, right? Simplicity is your best friend, complexity is your worst enemy. So keeping things simple. The more stuff you add into the environment, the more networks, the more devices, the more technologies, the harder it gets to secure those things. So if you are in a rural community or, you know, an inner city where you do struggle with funding, the wrong place to spend it is probably on technology. You probably need to spend more time figuring out where you’re at, right, and making sure you are recoverable. You know, this has never been about risk elimination. It’s always been about risk management. And if you understand what risk management means, it means you can’t eliminate the likelihood and/or impact of something bad happening. It will happen, it happens to everybody. It’s just a matter of time.

[00:20:15] Ryan Cloutier: Well, in schools, you know, it’s interesting because schools know this for everything outside of information. So they have very robust plans for dealing with severe weather, fire, active shooter, vastly, you know, whatever. Name a scenario that could potentially jeopardize life or limb, and they’ve got a plan for it. They’ve got a plan that they’ve documented, that they’ve tested, that’s got 18 copies around the building. Everybody knows where it is and they know what to do. Where we have fallen down is by treating information security as somehow separate from those other activities, somehow not related to or associated with those activities. And so when I’m consulting and coaching these schools, I tell them, don’t do this separate. Make it part of, involve the same humans, by the way, who helped you figure out your severe weather plan. Let’s talk to them too, they’ve got a role to play. This isn’t all just about computers. Now you brought up a point earlier I just want to circle back on, which is complexity. So I just got the latest stats for wireless access point planning for K-12. So as they just figure out how much coverage do I need and how many devices, the new number per student is nine devices per student.

[00:21:30] Evan Francen: Whoa. So what,

[00:21:32] Ryan Cloutier: nine devices per student. So when they’re planning their wireless access, uh, volume, when they’re trying to decide how many access points they need and what kind of coverage volume they’re going to need to support from a device perspective, the current guidance is advising them to account for nine devices per human being in the building.

[00:21:58] Evan Francen: How can I have nine devices?

[00:22:00] Ryan Cloutier: Wearables, I suppose. So if we ignore the wearables, right? So we’ve got wearables, you’ve got smartphone, you’ve got district issued equipment. So they could have a laptop. They could also have, there’s some ed tech technology, they might have a laptop and also have kind of a smart device. Um, you know, part of that is when they’re doing the per student, they’re also factoring what happens when mom and dad come to school. So now I’ve got an auditorium, I’ve got mom, dad, brother, sister, nephew, grandma. Yeah, they’ve all got 2-4 devices on them, all connected up to the wifi. So it’s just fascinating because the K-12 building has more technology inside of it than some of the most sophisticated businesses in the world. It’s amazing when I started doing these device counts. Even in a rural community, let’s say they have what we call a 1-1 initiative. So what this means is there’s one piece of technology per student. In a lot of cases it’s a Chromebook or an iPad or something like that. But each student has their own dedicated device. So if I’ve got 1200 students, that’s 1200 devices. That’s not including the management network, that’s not including the backbone infrastructure. That’s not including any of my switches and ports and routers or any of that stuff. It’s not including my staff. It’s not including my transportation services, uh, technology, my food service technology, my athletics technologies that maybe my athletics field is using or my athletics department. You know, and so when you start looking at that, you’re like, wait, one human being, one singular human being, is responsible for 5000 devices. And when you have that many devices, and the listeners who have worked in support know this, um, you don’t have any time left to do the right thing because you’re constantly in a break-fix cycle. You’re constantly replacing a laptop, fixing a screen, rebooting something, jiggering the RJ45 port that’s too worn out.
But you don’t have time to replace it. So you slap the Scotch tape on it and hope that it holds, right? That’s the reality. That’s what our poor rural schools are dealing with today: thousands of devices even at the smallest size, and no time or ability to, even if they know the right things to do, they can’t do it because they’re too busy doing the day to day support work of making sure that Johnny’s iPad that he just drop-kicked for the 14th time today is going to work. Right.

[00:24:32] Evan Francen: Well, that does go back to the, you know, better funding for schools. It doesn’t mean more funding. I said better funding. Right? I mean, if you’ve got some schools, and I’m not a Socialist, but anything that you have the government provide for you, you’re already a Socialist, that’s a Socialist enterprise, right? The government is providing something for me. That is what socialism essentially is. And schools are already there anyway, so, sort of, but I don’t, we have to figure out a better way to distribute income.

[00:25:11] Ryan Cloutier: Well, you know what’s interesting is there’s a lot of funding now available. Um, so there was some CARES money and they could spend the CARES money on cyber, but the IT team never knew that. And so it got eaten up by the other departments. Then there’s another grant from Homeland that came along, but if you don’t know it exists you don’t know to apply for it, and they’re not promoting it. Well, then we have the whole E-Rate. So one gripe that I’ve had over the years in working with K-12 is that the majority of K-12 schools in the United States today get their internet, and the associated hardware to take that fiber and turn it into an available internet source for the students, through a grant program from the FCC that’s called E-Rate. E-Rate, up until recently, wasn’t even considering protecting the network that they paid to have installed. So they provided the danger, they paid for the danger to be present. But they did not allow you to spend that money on things like anti-virus, anti-malware or IPS, IDS, or any of the, you know, effective blinky lights. There are some blinky lights that help you. Uh, most of them don’t, but a couple of them do, but they couldn’t use the money for that. They couldn’t use it for managed service. Now there’s been a petition through an organization that I work closely with called CoSN, or the Consortium for School Networking, to sway the FCC to say E-Rate needs to be made available to spend on cyber, and we’re making some progress in that regard. Well, while that’s happening, a new funding initiative has come up because there are still schools today that don’t have broadband access. There are schools today. So we talked about this equity and inclusivity, right. One of the big challenges between urban and rural, not just from a demographic challenge but from an actual availability, is my outer rural communities don’t even have broadband available to them.
The best they could hope for is a couple of, you know, parent he wants, or maybe some rip roaring 25 megabits a second, you know, DSL connection. Well, how do those students in those communities compete with somebody in my neighborhood who’s got a gig fiber connection right to the home? Right. And so they created this new funding stream to be able to bring broadband to the homes and to the schools. Uh, one of the things I just read about is, uh, they’re actually taking the school buses that have like 5G hotspots on them and they’re parking them in, like, the shopping mall parking lot so the students can go work off the school bus. Now, think about the safety element here. You’re leaving an empty school bus in a shopping center parking lot and just saying, hey kids, here’s where you can go get internet because you don’t have it at home. No one is monitoring that, no one is supervising that, there’s no staff member present to ensure the student safety or, crazy idea, the safety of the wireless hotspot itself. Right?

[00:28:27] Evan Francen: And so, but so all those things are good, but they were all more funding,

[00:28:34] Ryan Cloutier: you know, I mean, more funding, but none of the funding actually focusing on fixing the core fundamentals.

[00:28:41] Evan Francen: Right? And sort of leveling the playing field, right? I mean, it’s just, the problem continues to get worse and worse when, you know, this goes up and this stays the same, right? I mean, simple geometry would tell you that. So that’s a challenge, because even if I told you all, like you said, even if I told you all the things, or you knew all the things to do to secure your environment, you don’t have the staff, the time. You probably, I mean, most of the stuff you don’t need equipment, right? I wish more people would learn to use the equipment they have better as opposed to going out and getting more equipment. So to me that’s not the big problem. The problem is you need to use it. Right? Mhm. And so, and then it goes hand in hand with what you said before about information security being a life skill. It’s not all this, you know, the basics, the fundamentals. You don’t need an expert. You don’t need me or you to go do this stuff for you. You can do it yourself, assuming you have the time or the staff.

[00:29:50] Ryan Cloutier: Well, and therein lies the thing. I just actually was talking with one of the districts that I mentor today, and it took us two years. Two years, and this is with dedicated people, dedicated focus and dedicated dollars, leadership support, all the things that you need to make a successful security program. And it still took us two years to get to the point we were at today, where I said we’re now ready for our first tabletop. We’ve done enough blocking and tackling. We know what we’ve got, for the most part. We will never be perfect, but we’re at about 97% accuracy. We’ve got plans for responding. We’ve got the right phone numbers of the right people, and we printed it off and took it off site, right. We’ve done these basic blocks and tackles, but it took us two years. Um, and the biggest reason for that was they were so far away from the start line at the beginning of our journey. And there were tools that had been purchased that they weren’t using effectively or correctly, tools that, you know, they were sold at a conference that this is the answer to your problem, and the vendor maybe forgot to mention you need two FTEs to configure this thing and five FTEs to run this thing. I

[00:31:05] Evan Francen: forgot to mention.

[00:31:06] Ryan Cloutier: I forgot to mention. Right. Um, and now we’re there, and what’s nice though is, and keep your eye on SecurityStudio because we’re going to continue to publish some stuff out in the next coming weeks. We’re gonna be doing a case study on this district. We’re going to give you the recipe. I’m going to tell you what we did and how we did it, why we did it, why we picked the order of things that we did and how we built support within the leadership, within the non-technical community, how we got the community at large to be on board with that. Because I think that is where everybody could be doing something today that doesn’t require a knowledge of how infosec works. It doesn’t require a bunch of money, or any money in a lot of cases. But just some basic stuff: how do you start to build support for security culture? Because without that you’re really going to struggle to implement. That was the other thing is, you know, getting something simple like multi-factor implemented was part art, part science. And it was very much a political dance of making sure we had the right buy-in from the right folks before we even mentioned it. We had to build support in the back channel and then we went to the staff with all the support behind us to say we’re doing this for your Mac. And it was basically telling the staff, hey, if you want to get paid on Friday, we have to do this. If you don’t do this, we can’t guarantee you get paid. And all of a sudden all that resistance went away. Yeah. But it was a creative process. And I think that’s what a lot of schools today, and those of you that are listening, if you’ve got kids in your school and you know even a little bit about information security, go down and see if you can lend an hour. You can probably do more to help your school in one hour of donated time than they will be able to get accomplished on their own in three years.

[00:32:54] Evan Francen: Yeah. Well, and you bring up, I mean, again, a lot of good wisdom, man. I think we have this instant gratification sort of society nowadays where we’re moving so fast. You know, when you do an assessment of an organization or school, there’s this, uh, I don’t know, desire to go from, let’s say, 400 to 700. We got to do it by next school year. Mm. Right. But you can’t, that’s not how security works. Right? It takes time. You have to lay the structure. It’s not that those blinky lights that you buy aren’t effective, a lot of times you’re not ready for it. Right? That’s not your blinky light today. You know, you need to do things like asset management, and actually that’s a great segue. Let’s go into your article. So like you said, it’s on the SecurityStudio website. If you go to the website and under resources, go to blog, you see the article that you wrote, um, top five things to prepare for ransomware in K-12. The number one thing you have listed here is know what you have in your environment.

[00:34:05] Ryan Cloutier: Hello. Basic, basic inventory. Right. What do I have? If I don’t know what I have, I can’t protect it. And if I don’t know what I have, I don’t know how critical it is, because I’m not necessarily going to apply the same level of protection to everything. Not only does that not make sense from a practicality standpoint, but if I’m pinching pennies I might, I might ignore a lower risk thing. I might make that decision. I might decide that the best risk decision for my district is not to worry about the thing that has no PII on it and instead double down on the thing that has all the PII. If I don’t know, we don’t know. And actually, quick story of what prompted that. Working with a district a few years ago and we did a, we did an AD map. We did a network analysis, scanned the network, see what we had, and we found a network segment that no one could tell me what it was. I said, what is this? Well, we don’t know. Well, I see a lot of traffic going to it. What’s going on? So we started digging into it and nobody knew, nobody that had built the network was still there. Well then we started doing some trap and trace on what’s actually going across this. Lo and behold, we find it’s the public library. So then we go to the public library and we found out that they have a VLAN to the fire station. And so here we now have emergency services traffic routing through a public library, routing through a school district, and no one knew. The fire department didn’t know. They figured they just get the internet from the city and the city says, yeah, you get your internet from us. They forgot to mention that we built a bridge off of the library to give you that internet because you guys were physically close in proximity, and the library didn’t know where they were getting theirs because they said, well, we get ours from the city. Well, it turns out that the school had gotten the grant money to get the big 1010 gig trunk dropped in.
And somebody in their infinite wisdom said, yeah, I can pare off a few gigs for you, forgot to write it down, forgot to tell anybody. So I’ve run into that a few times. That’s the most extreme example I’ve seen. But I’ve run into it a few times and so knowing what the heck you got, especially if you have a high-turnover environment, and a lot of times K-12 tech will have low turnover at the senior level. Those folks that got in early with an Apple IIe and are now the CTO. But you tend to have a higher turnover at the younger, uh, 1-2-3 years experience, because once they get that three years’ experience they’re off chasing paychecks, right? And so you lose that, you lose that knowledge. So yeah, they may have known what was going on, but then they left to go get that next job

[00:36:48] Evan Francen: and you can’t blame them for that. I mean, and

[00:36:50] Ryan Cloutier: the only thing

[00:36:51] Evan Francen: and the thing is too, about your top five, security is security. These same top five apply to the private sector, you know what I mean? It’s like, and, and it’s just logic. I was talking to a friend of mine, um, today, I don’t mean, you know, some people will get offended, but they always get offended I guess. Um, like people got dumber after COVID hit, you know, it seems like it, because when you talk about just these straightforward logical things, and I, I mean I said the same thing to one of the states. You know, I was giving a talk to their blue ribbon commission and, you know, they’re talking about zero trust, they’re talking about this and that. It’s like, can anybody here tell me what the current state of security is here in the state? Right? No. Well then how the hell would I know where I’m supposed to go and what I’m supposed to do and all that other good stuff? I don’t even know myself. You know. So I did, another one of the organizations that you and I are doing a trial with, uh, you know, for an integration in SecurityStudio, uh, he, he did just an assessment using his tool on this state. Mm, my God, man.

[00:38:10] Ryan Cloutier: 1007 findings. Yeah. Findings.

[00:38:14] Evan Francen: Oh my gosh, right. And I’m not even going to go and talk to this state CISO about that right now because, no, you couldn’t do anything with it. Yeah, it would be just alarmist. I think that’s what sometimes they do. Right,

[00:38:30] Ryan Cloutier: right. Well, what I saw in that, by the way, was an overarching theme. It’s actually not even a security thing. It’s what I observed in the data. The lack of a process. I won’t go into any more details, I don’t want to give away, you know, what it is I saw, but what I saw was the end result of a lack of a process, and had a particular process been in place, 98% of what I saw would not have been.

[00:39:03] Evan Francen: Well, you mean the same thing applies at states, K-12 and at home. Yes. How often, how often do you know people just go and buy something, plug it into the network and look, now I got this thing that does this thing. Oh, that’s really cool. And then your friend comes over. I want a thing that does that thing too. And so they go buy the thing that does that thing. Meanwhile nobody’s, I forgot about the other 11 things or 12-20 things they already have on the network that are doing a bunch of things. And that’s what I was saying back to the complexity being your worst enemy. At some point you have to stop the, the insanity and just take inventory. What do I have? What am I responsible for? What networks? What equipment? What software? What data? The problem just continues to get worse and worse and worse. Sometimes you have to do it

[00:39:57] Ryan Cloutier: and then if you want to take it to an advanced level, the next question is what does it do for me?

[00:40:02] Evan Francen: Exactly.

[00:40:04] Ryan Cloutier: Yeah, I like that. But then what does it do for me? What is it doing?

[00:40:08] Evan Francen: I love that question. My favorite question to ask is why. Yes. We want to go buy this thing. Why? Well, because, well, because, you know how to do that. Why? You know, and you get that too from, you know, we do, you and I do a lot of mentoring and, you know, everybody wants to be

[00:40:26] Ryan Cloutier: a CISO. Not everybody, but a lot of people do. But yeah, why?

[00:40:30] Evan Francen: Yeah, I love asking that. So why? And then they’re just like mm Yeah. You said don’t know why you might want to think about that

[00:40:40] Ryan Cloutier: What I find most surprising with that question, when I challenge back with why, more often than not the first answer I get is, because I want to be able to control the direction of the technology. And then I have to break their little hearts and say, you do realize that’s not the job, that you don’t get to play with the tech. That’s, you’re, you’re a politician, you are a, a cheerleader, you’re all these things, but you’re none of those technological things that you love, that you think you’re going to have all this sway and influence, and it’s just not how it works. And when they hear that they’re like, wait, I don’t, wait, I’m just standing around waiting to get fired. Yeah. That’s kind of your job, in a way.

[00:41:26] Evan Francen: You don’t play it right?

[00:41:28] Ryan Cloutier: Yeah. I don’t know. I don’t want that. I wanted to do the tech

[00:41:31] Evan Francen: So for any new person who’s listening, when somebody asks you why you want to be a CISO, you can say because I love serving people and I want to do everything I can to protect them, something like that.

[00:41:43] Ryan Cloutier: That’s a great answer.

[00:41:44] Evan Francen: You know what I mean? Because that’s why I do it and I think that’s why you do it. 200%. Yeah. Alright. So number one in your list is know what you have in your environment. I agree 100%, and IT asset inventory, it doesn’t sound sexy, it’s not sexy, but you have to do it. And if you’re doing this, you’re going through your asset inventory, keep in mind as you’re conducting that inventory that you’re going to need to build process to make sure that it continues, that you don’t find yourself in the same crappy position that you’re in right now. So things like acquisition, how do we add new things into our inventory? How do we get rid of things in our inventory? It’s not just, what do I have right now? How am I going to maintain this thing I have right now? Right? That’s very important. I love number one, man. Number two, know your risk level. Risk. It’s like the game, the board game kind of risk, or what?

[00:42:40] Ryan Cloutier: Exactly, you know, you gotta know your level of exposure, you know. And just because there is a risk doesn’t mean that it’s a problem. You know, we talk, you and I have talked about this many times, right? It’s, it’s, it’s impact, likelihood. I have, uh, as a human, uh, with my genes, I have like a 70% chance, a risk of getting cancer at some point in my life. It seems to run in the blood. It’s a family thing, right? Um, now the likelihood is pretty high, but because I’m proactive, because I have good health care, because I go and get my scans and do these things, the impact is greatly reduced. So I don’t need to run around here thinking that I’m going to get the cancer tomorrow and die from it, because I’ve got a strategy for identifying, yep, responding, right, or containing. Yeah, we’re cleaning it up. Right? So ultimately eradicating it, and the monitoring, right? And actually cancer is a great example because it lays directly on top of the incident response process. There’s a 1-to-1 relationship. You first must identify, right? So, I think, you know, all too often the vendors, and I don’t want to just pick on vendors, but all too often our industry as a whole has overblown certain risks while completely ignoring things that, to me, are just flat out alarming. Just like, whoa, you’re worried about that? But that’s okay? No way. No how.

[00:44:09] Evan Francen: Right. Well, the thing is, and I try to tell people this to you do risk assessments all the time. We all do

[00:44:15] Ryan Cloutier: continuous. It’s hard to be

[00:44:16] Evan Francen: Constant. Right? When I put on that seat belt, when I start up that car, when I decide I’m gonna eat this thing or I decide I’m gonna smoke that thing or drink that thing, you’re doing risk assessments all the time. When you drive down the road and you come up to, you see the light turn yellow, you do this really quick risk assessment. Look around, right? What’s the likelihood of getting T-boned here, or a police officer? You do these things. Those things come natural to you because it’s usually in your physical realm, right? That you’re using. You can touch that stuff. You can see that stuff. You also grew up with that stuff. You and I, me more so. I’m not part of that generation where I grew up with technology, right? I didn’t have a cell phone. Uh, so I, I gap this thing, so I had to learn it as I went. So that’s why, one of the reasons I know that this is a learnable thing. This isn’t like, oh, you just, you were just born into it. No, you learned it. We all learned it. Uh, and so the challenge that is taking this new world, this electronic digital world, how do I make that natural to me? It is natural to me because I’ve been doing it for so long, and it’s natural to you. So how do we take this thing and start it for others? What first? I’ll tell you for sure. It’s mundane. It’s confusing, it’s uncomfortable. It doesn’t feel good when you do your first risk assessment. I think that’s why a lot of people don’t do it. But believe me, on the other side of it is safety. You know, I mean

[00:45:56] Ryan Cloutier: well and part of that too is how we look at risk assessments. Um lot of times, especially if you’ve ever had one, I run into this all the time in schools. I’ve actually had people hide the findings from their leadership because they were afraid that it would be interpreted as them failing to do their job and what I try to tell people is just like when you go to the doctor, okay and you go to the doctor to get your physical or in my case, you know, I gotta get colonoscopies every couple of years. It’s totally not a pleasant experience by the way, the procedure, who cares? I don’t remember the procedure but the day before it is awful, right? But I do this as a preventative as as an inspection and when they have found things and they have found a polyps and other such things over time, then they deal with them, right? Because that’s part of the management. Um I don’t get that report and go, Oh God, oh I’ve lived such a horrible lifestyle that I’m now dealing with this and get the report now that the doctor did say maybe I should cut back on sugar a little bit and maybe I need to be thinking about the fact that I’m 40, not 20. So some of my invincibility has worn off and I need to need to maybe eat a few more vegetables and do you know these things, but that’s because that’s what I need to do to continue to ride this ride when we do these risk assessment, that first finding is always going to be awful because you’ve never done it before, Nobody gets there first one and it looks great. It’s just not reality. But instead of looking at it as a negative, as a failure on you and the efforts that you put in your career or your time with this company. Look at it as you’ve just never been at this maturity level before. You’ve just never been 40 before. And now you do have to start worrying about eating those vegetables and you do have to start worrying about doing exercise and not just sitting in a chair in front of the keyboard all day. 
And so I try to, try to shape the message that way, to say this isn’t a naughty report. This is our roadmap for improvement because we’ve never been here before. So let’s not use it to look at things retrospectively, because I think that’s dangerous. I think if you do that you, you create more fear and more hesitancy. I think if we use it as a, however we got to where we are was good and we’re here, but now we need to do things different to go forward, I think. Yeah,

[00:48:12] Evan Francen: Absolutely, man. And it’s like, I can’t hold somebody accountable for something that they didn’t know they were accountable for, right? You know what I mean? You do an assessment, so I can hold you accountable for doing an assessment. I can hold you accountable to those things. But that first assessment, the first few assessments, yeah, how could I possibly, you know, bust you, you know, come down hard on you, when you didn’t even know that these things were there?

[00:48:35] Ryan Cloutier: But our industry sucks at that because we have come down on them like a stack of bricks. Oh, you better fix all this tomorrow or the apocalypse is upon you. That’s not helping anybody to say I want to invite you in to help me do this. I want it. Right? So we get that resistance. And that’s why we see a lot of times that only compliance driven organizations invite openly invite people into the risk assessment. And if you go to the smaller businesses, you go to the non regulated industries, they’re like, oh, we don’t need all that. We’re doing just fine. Everything’s fine,

[00:49:09] Evan Francen: right? Right. Well I am until and, and that’s another reason why if you’re going to do well, eventually you’re going to do a risk assessment because there’s no other way to do security. It’s part of the equation when you do it, uh, do it yourself. Right? There’s so much good education in there. And we talked, you know, I’ve mentioned it numerous times about this being a life skill. It’s a new world, right? This is how this is how we operate. Uh, you know, it’s not just about risk in making things better. It’s also about learning, there’s such a good learning experience. Yeah.

[00:49:49] Ryan Cloutier: Well, it’s about making sure I got bacon, let’s be honest. If we don’t start fixing things here, there’s gonna be less bacon available. So for no other reason, do it for that.

[00:49:59] Evan Francen: You do not want to see me without bacon. That’s not good. Number three. Okay, so number one, just to recap real quick, and then we’ll get through these last three, I think pretty quick. Number one was know what you have in your environment, for sure. You can’t, can’t protect things you don’t, you don’t know you have. It’s just how it works. Number two, know your risk level, do a risk assessment. Obviously SecurityStudio, that’s what we do. But if you want to do it on a sheet of paper with, you know, with a group of staff members over lunch, fine. That’s a start, right? You have to start. You have to do it, and I beg people, please. Number three is air gap your system and data backups. Why would you ask people to do that?

[00:50:47] Ryan Cloutier: So the only way to guarantee that a backup is safe from cyber criminals is to have it completely physically offline, truly air-gapped. Not just, not just in a box that’s connected to a Wake-on-LAN and turned off. Actually removing the data media physically out of the technology and placing it in a cardboard box in a locked filing cabinet, taking it to your neighbor’s house, whatever that looks like. But it’s the only way to guarantee that that backup is safe from cyber criminals. If you put it in the cloud, then if you can get to it, they can get to it. If you have it on a NAS, I don’t care how many VLANs and multi-factors are in between, if you can get to it, they can get to it. The only way they can’t get to it is if it has been physically removed and stored separately. And I, you know, when I say that, I also encourage you to store that securely, because if you don’t encrypt that backup, then maybe you have an employee who decides to go rogue and can get to it. But doing that will reduce the amount of time that you’re down with ransomware and it will speed up your ability to recover and get back to an operational status.

[00:52:03] Evan Francen: 100%. Yeah. And ransomware, schools are getting tagged all over the place all the time. So you need to protect, just, they know that they’re going to get paid, right? And now insurance is more and more likely to not cover you if you’re not doing these things, you know. And what I’ve been telling people, you know, go check that back storage, that storage room that everybody has, you know, and see if you’ve got the tape library in there still. If you do, dust it off, reactivate it. Yes, because I don’t know why we decided, I mean I do know why, it’s because of convenience

[00:52:41] Ryan Cloutier: and

[00:52:41] Evan Francen: right, and we’re such, we’re still addicted to convenience. It’s nuts. You know. So, but tape backup, it worked. From a security perspective there was no need to ever change it other than, you know, deterioration of the media over time, blah blah blah. But that was, you could account for that, right?

[00:53:04] Ryan Cloutier: Plummets back in fashion. So if you don’t have something, you can go buy some brand new ones. They’re pretty sweet.

[00:53:11] Evan Francen: I’m tired. I have fond memories, man, of, of Iron Mountain coming, you know, every so often, you know, the same time every time, isn’t it with them? Hey, it’s going, you know, whatever. You remember those, and we were taping, even taking tapes home with me, although that’s not the best place to store it. It certainly protects it from ransomware. Right? You know. Excuse me. Uh, number four is implement multifactor authentication. So we, and for listeners who don’t know what multifactor authentication is, just real quick, there are three factors to authentication. It’s something you know, something you have and something you are, right? Those are the three factors. Something you know, an example would be a PIN number or a password, something in the head. Something you have would be something physical, whether it be a phone that you get a text message on, or it could be a dongle that you put into the USB port, whatever, it’s something you physically have. And then there’s something you are, which would be, yeah, you know, biometric, maybe a fingerprint scan. When we say multifactor, we’re usually referring to something that you have and something that you know, right? That’s the most common implementation of multifactor. The reason why this is really, really important is because phishing is still the number one way to get into your environment. All I have to do is talk you out of your password, right? It’s really hard to talk you out of your phone. I can do that, but it’s a lot more work and it’s probably not going to happen.

[00:54:40] Ryan Cloutier: Exactly. And you know, it’s, it’s a good stopgap measure. And the reason I put that on the list is because multi-factor, if you have implemented it, can be the first indicator that something funny is going on. And so not only does it act as a, as a, uh, why can I not do this, we just thought that, preventative, preventative control, but it’s also a detective control,

[00:55:10] Evan Francen: yep. Yeah, good point. Which then leads into your number five. So where to use multifactor authentication: in my opinion, there’s absolutely zero excuse anywhere at any time for any externally exposed resource not secured with multifactor authentication. So the remote access, be it your email, you know, if you have remote access to your email, uh, all your logins, you know, for, what are the, one of those school-most technologies,

[00:55:40] Ryan Cloutier: the information system.

[00:55:41] Evan Francen: There you go. All should be multi-factor. And it’s gonna, like you said, you have a ton of experience, you’re going to write this case study. I’m super excited to see that because you went through the process of getting a school district that didn’t do it to doing it and embracing it, so huge success. It can be done

[00:56:03] Ryan Cloutier: and we actually just announced today we’re going to be mandating, uh, VPN with multi-factor for all access to district resources going forward. Hard stop. No, don’t expose district resources that are not public resources. There are some that have to be public for mom and dad and the community at large. But when it comes to anything that has sensitive data, no longer will those be allowed to be publicly exposed in any way, shape or form to the internet. You will have to VPN, then you will have to MFA, every single time. You won’t be able to do the remember me. So I’m very, very excited about that, because let me tell you, that was, that was a hard sell.

[00:56:45] Evan Francen: Those are huge wins, man. For a lot of times the work that we do, we never get thanked for, because the people that we’re protecting never know that we’re protecting them, right, doing the best job we possibly can. So all that hard work will pay off. I know that there are some listeners, you know, in some, you know, leet hackers, well, but I can still hack it. That’s not the point. When people, when people say that stuff, it makes me laugh, as you don’t understand what the goal is. The goal is risk management, not stopping all you little hackers. Uh, so I always think that’s funny, but you mentioned multifactor authentication can be used as a detective control, which then, you know, it’s what I can’t prevent, I’d better be able to detect, and once I detect it, I better have your number five, a response plan. No excuse for not having a response plan.

[00:57:36] Ryan Cloutier: Well. And you don’t have to start out with some crazy overblown plan. The other thing that I did with this district that will be in this case study is we walked our way into it. As a matter of fact, there are still about three sections in our IRP that need to be filled in. Hey, we’re not done, but we’re ready. We’re functional. We’ll be able to manage an incident. We’ll be able to get the right folks engaged in a timely fashion and get our hands around it way better than we would have, say, two years ago. There’s always room to improve and it’s continuous improvement. Where I have seen folks fail time and time again is trying to achieve perfection out of the gate, trying to create this incident response plan that is 977 pages long and completely ineffective because of it. A three-pager is a great starting position. A three-pager can do more to get response happening and start activating the other legs of the stool, if you will, than going with this. Good, we do the same thing with our DR plan. We started out with critical assets first. We started out with about 35 assets. Let’s just make sure we know how to turn them back on. And then because we got that heard, good, got the process good with a small subset, we were able to then scale that.

[00:58:57] Evan Francen: Yeah, absolutely, man. I mean you can start, you can start with your incident response plan on a map, yellow, you know, and start with a phone number. Who would you call? Yeah. And that’s, that’s a plan. That’s the start. Then start expanding out from that. Right. Start talking about, well, what inputs might I have into this plan, meaning what are the detective mechanisms? Is it a person who called the help desk? Is it, you know, because you have to work through the workflow. Right. But yeah, trying to get that. And there’s no such thing as a perfect plan. There’s no such thing as a perfect policy. There’s no such thing as a perfect risk assessment. Perfection would, would, would imply risk elimination. Again, that’s not the goal. So having a plan that is functional and having a plan that lives, it continues to mature. Where you eventually want to get with a good incident response plan is to make it an operational plan, meaning you’re always using your incident response plan because you’re always having incidents, right? Because an incident doesn’t mean it’s like a breach. There’s low severity incidents, medium severity incidents and high severity incidents. Usually only the high ones are where you bring the incident response team in, but you’re having incidents all the time. People are losing their passwords. You know, those things need to be noted, but that’s, that’s the other end of the maturity spectrum. Right. Right. Start here. But having that in mind is helpful as you march down the path. Right.

[01:00:26] Ryan Cloutier: Exactly. And, and you know, it’s defendable. I can assure you, by middle of 2022, if you do not have some type of cobbled-together incident response plan, if you don’t have multi-factor authentication in place, if you are not air-gapping your backups and you can’t say what’s on your network, you probably are not insurable. You may very well, if some of this legislation passes that I’ve seen, you will be found to be grossly and willfully negligent. Especially, uh, for those of you listening, if you work in critical infrastructure or you work in anything that looks like it might turn into critical infrastructure, you guys are gonna get it first and they’re not going to be nice about it. I’ve seen some of the initial stuff that they’re talking about doing. It is very much a boot on the neck approach,

[01:01:17] Evan Francen: which should be, because one of the things we’ve been missing for so long is accountability. Who’s responsible for what, and then just saying it and not actually holding them accountable is like, you know, threatening to punish a child and never actually punishing them. There’s no consequences to their bad behavior, so they’re never going to stop it. I love the fact that they’re doing a lot of those things, but I also think when I think of education, and I had this discussion today with the state of New Jersey, their folks, um, we don’t do this for the money.

[01:01:49] Ryan Cloutier: No,

[01:01:49] Evan Francen: I mean when you work in education, when you work in state and local government, you can get paid more in other places. You do this because there’s something special about you, something special about the people you’re serving. So even beyond, like, the negligence, when you don’t do these things, at least these top five, start here, you’re actually hurting the people you’re trying to serve versus serving them. You’re kind of going against your whole purpose. So look at it that way. Maybe that’s not really, yeah, will help you. I mean, crap, man. My wife yells at me all the time because I fail to say no. I’m like, I can’t, I’m addicted to yes,

[01:02:36] Ryan Cloutier: that’s probably, you know, I’m catching grief, you know, it’s not the weekend with me. I caught grief for working on a workday. I

[01:02:44] Evan Francen: I know, man. My wife, my wife doesn’t listen to podcasts, so that’s good, and don’t you tell her about this in there, but I was so engrossed in my work on Monday evening, I didn’t go to bed. Looks, yeah. So I was up from 6:30 AM and it wasn’t because I was, you know, it wasn’t like an incident. I was just getting into my jam, man. I was, I was, it was a good, good night. And before I knew it, it’s three o’clock in the morning and I have my meeting with Antennas for 30 Tuesday. I’m like, well, I can just cancel or, I’m here, well, I guess I’ll just take the meeting. Yeah. One thing led to another

[01:03:24] Ryan Cloutier: careful with that about, yeah, I got some catching up to you.

[01:03:29] Evan Francen: Oh, it does, it does. My body tells me, like this morning when I got up at seven a.m., my first thing I thought was, what did I do yesterday afternoon? And did I make any sense? Mhm. So I replayed my meetings. I’m like, I think I’m good. I don’t think I said anything stupid, because you do. One of the things people don’t realize, maybe some people do, is you really make a lot worse decisions when you’re super tired. You just don’t make the decision. Alright, awesome, man. I love this episode. I’m excited about next week. Uh, you and I got a chemistry, just like me and Brad got a chemistry, just cool. So thanks for, thanks for that. Any shout outs for you this week, real quick?

[01:04:13] Ryan Cloutier: Uh, if you’re in the Miami area, come find me next week. I’ll be down at the MSP Expo and the IT Expo at the Miami Beach Convention Center. Come find us. SecurityStudio will be there, we’re in booth number six something. We’ll get it into the show notes, look at the booth number. But come find us, stop by, say hi, I’d love to chat with you. We’ll have some of Evan’s books that we’ll be giving away. So for no other reason, come get your free copy of Unsecurity

[01:04:49] Evan Francen: and if you don’t know how to read, it’s good kindling.

[01:04:51] Ryan Cloutier: Well, I mean you could I guess, but Oh yeah. So come, come find us. We’re gonna be there, having a good time.

[01:04:59] Evan Francen: Love to chat

[01:05:00] Ryan Cloutier: with you. Good to meet some of you guys.

[01:05:02] Evan Francen: So you’ll be in Miami and next week I’ll be in Orlando on a panel with some really good guys, ConnectWise there. Uh, IT Nation

[01:05:14] Ryan Cloutier: or whatever. Yeah, I know those guys. Yeah.

[01:05:16] Evan Francen: Yeah. But everything they got going on down there. So somehow I got into that. I didn’t say yes. I think someone just volunteered me. And next thing I know I was there. So

[01:05:25] Ryan Cloutier: how that happens.

[01:05:26] Evan Francen: Yeah, that is what it is. Uh, thank you to our listeners again. Thank you, Ryan, it’s been a great conversation as always. And I love, I love talking to you. Uh, if you have something, like, tell us, or, you know, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter. I’m @EvanFrancenh, that’s it. We’ll talk to you next week.