0.5 Business Acumen
Our Guest This Episode: Andy Sauer
The goal of cybersecurity is to protect the data and integrity of your computing from malicious digital attacks. The challenge for a project manager is to implement effective cybersecurity measures to secure yourself, your team, your clients, and your projects as attackers become more innovative. Our guest is Andy Sauer, a cybersecurity leader who helps organizations build cybersecurity maturity. This episode is for every project manager who is controlling many moving parts to complete projects on time. We’ve packed this conversation with loads of advice and helpful tips to address this critical project area.
Andy shares a case study with us about a medium-sized defense contractor that faced a ransomware attack. The malicious attack caused 2 weeks of major downtime, months of restoration work, and a total of $500k in direct costs. As Andy shares the lessons learned from this case study, he explains how the passwords were compromised via phishing, and how the attackers exploited that weakness to threaten the entire company. Listen in as Andy recommends 10 practical steps you can take to build better cybersecurity.
In his role as CISO with Sentinel Blue, Andy oversees cybersecurity operations, managed security services, security engineering, and compliance. As a cybersecurity consultant, Andy works closely with client organizations to develop cybersecurity strategy, make risk-informed decisions, and improve cybersecurity posture. Andy specializes in helping defense and federal contractors meet compliance obligations (DFARS, CMMC).
Favorite Quotes from Our Talk:
"...it’s very easy to look at cybersecurity concerns and think, that is not my problem. We have a security team. We have an IT team. But I promise you when the compromise happens, the folks in the IT and cybersecurity teams are often focused on the technical and getting the systems back up. They’re not particularly concerned about your specific project and your workload. You have to take that responsibility."
"Cybersecurity is a process, not an implementation."
"...security is your responsibility as much as it is the CISO’s. ... You have more visibility into what’s going on; right? You’re in the day-to-day. ... So you’re the one who’s going to see things first. You’re really the front line. So I would advise everyone in those types of roles to keep that awareness. Understand you are part of the security team."
01:47 … Meet Andy
02:29 … Raising Awareness of Cybersecurity for PMs
03:34 … A Case Study
06:55 … Lessons Learned from a Cyber Attack
09:23 … “Least Privilege Necessary” Model
10:48 … Lack of Multifactor Authentication
11:39 … Staying Ahead of Attackers
13:35 … 10 Steps to Better Cybersecurity
13:42 … Training for Phishing
15:25 … Multifactor Authentication
16:14 … Least Privilege Necessary
17:34 … Apply Patches to Systems and Applications
18:40 … Delete Old Accounts
19:53 … Kevin & Kyle
21:13 … Adopt Cloud Services
22:15 … Building an Incident Response Plan
25:16 … Establish Hardened System Baselines
26:13 … Keep Your Backups Air Gapped
27:21 … Store Security Logs and Watch for Unusual Behavior
30:18 … Security is Your Responsibility
31:09 … External Cybersecurity
32:25 … Concerning Emerging Technologies
34:31 … Evolving Cybersecurity Threats
36:32 … Get in Touch with Andy
37:38 … Closing
ANDY SAUER: …it’s very easy to look at cybersecurity concerns and think, that is not my problem. We have a security team. We have an IT team. But I promise you when the compromise happens, the folks in the IT and cybersecurity teams are often focused on the technical and getting the systems back up. They’re not particularly concerned about your specific project and your workload. You have to take that responsibility.
WENDY GROUNDS: Hello, and welcome to Manage This, the podcast by project managers for project managers. Thank you for joining us today. My name is Wendy Grounds, and joining me is Bill Yates. If you like what you hear, we’d love to hear from you. You can leave us a comment on our website Velociteach.com, on social media, or whichever podcast listening app you use.
Today our guest is Andy Sauer. Andy’s a cybersecurity leader who helps organizations build cybersecurity maturity. Now, this was someone that Bill had been in touch with.
BILL YATES: Yeah. This is how I came across Andy. I heard him speaking to a group of CEOs. And what struck me was, okay, not only does he know cybersecurity, but he’s having an impact on this group. I watched the CEOs taking notes, and some were texting. It was funny, they were apologizing to Andy after his presentation. “Hey, I wasn’t ignoring you. You said something that struck me, so I was texting members of our team to see if we had done that yet.” You know, I felt like, okay, for project managers, this is something we need to hear. It’s something we need to be reminded of and raise our awareness. So Andy’s going to be a great resource for that.
WENDY GROUNDS: We talked to Don Hunt before on cybersecurity, and that was a few years ago.
BILL YATES: Yes, yeah.
WENDY GROUNDS: So I think it’s good that we retouch the topic again.
BILL YATES: Right.
WENDY GROUNDS: Hi, Andy. Welcome to Manage This. Thanks for joining us.
ANDY SAUER: Hey, there. Thanks for having me on.
WENDY GROUNDS: So tell us a little bit about your background in cybersecurity before we get into talking about this topic. And something about your role at Sentinel Blue.
ANDY SAUER: Sure. I’m the CISO, the Chief Information Security Officer, for a small company called Sentinel Blue. I’ve been in IT and cybersecurity for about 13 years, with the last five years really being focused in on cybersecurity, rather than IT. Sentinel Blue is a cybersecurity services firm that works with small and medium-sized businesses, particularly in the U.S. defense industry. And our main focus is really on building cybersecurity maturity for those businesses. And cybersecurity maturity can mean many things, which I imagine we’ll get into here.
BILL YATES: That’s true. Yeah, I appreciate the fact that, Andy, you’ve worked with small and medium-size companies. And like we were talking about before we started recording, I think that’s really powerful for our project managers because many times they’re looking at their situation like, okay, I have to run this like a CEO of a small company. I need to run this project team. I need to be responsible for their behaviors. And there’s just a lot at stake with cybersecurity.
So we think, you know, the more we can talk about this topic and just raise awareness, it raises everybody’s game and helps them know. Plus you’re on the cutting edge. When I was thinking about, all right, Andy not only is in cybersecurity, but he’s doing this for defense contractors, that’s where the stakes are so high.
ANDY SAUER: I think, you know, your project managers might be often not thought about in a cybersecurity context in terms of their contributions and their responsibilities. It’s often so focused on the guys like me, the technical guys and whatnot, where what you bring up, a PM’s basically a CEO of that project they’re managing. And security is a major component that I’m excited to talk to the audience about.
BILL YATES: Yeah. I think maybe the best thing for us to do is to jump into a case study. You’ve got one that we’ve talked about before.
ANDY SAUER: Yeah, I do.
BILL YATES: Walk us through that. That’ll kind of give us a construct to build off of.
ANDY SAUER: Sure. So everyone will have, you know, read about incidents in the news and whatnot. But it can feel pretty distant when you read about what’s happening to Uber. For small-medium businesses, Uber means nothing to us in terms of being able to relate to how things are run there. So I’m going to share a story from a company that I’ve worked with a couple years ago, about two years ago. They’re a defense contractor of about 500 to a thousand people. They kind of ebb and flow. A well-funded, doing well kind of contractor business, with an IT team, with a small security team, sort of all the things you want to see from an IT standpoint. A mature company, making all the right moves.
And in the middle of 2020, on a summer night, on a Friday night, after everyone goes home, something happened, and Saturday morning everything’s down. And all the alarm bells are going off, all the phones are ringing, including my personal phone. On my way down to the beach, in fact, I got a call, a very panicked call from the IT director there and said, “Hey, you’ve done some work for us in the past and some cybersecurity consulting. We’re having what we think is an incident. Can you jump on and help us out?” And I ended up spending the next several days of my beach vacation listening in on conference calls in the war room that was established to respond to this incident.
Now, they were hit by ransomware, which is something I think pretty much everyone in the business world has heard of at this point. And you’ve heard some pretty horrific stories of businesses shutting doors. Essentially what ransomware does is an attacker gets in, they drop some software in your environment, and that software encrypts your data. And encryption’s going to prevent you from accessing it unless you basically have the key, the password to unlock it. But the attackers have the password. And the ransom is they drop some notes in there that say, “Hey, send us money, we’ll give you that password.” And they hold your data for ransom.
And that’s what happened here. They were being held for ransom to the amount of about a quarter million dollars in bitcoin. All of their systems were down. All of their backups that they had made were gone. This affected all their locations. They have several locations across the United States. Pretty rough situation for them, and they ended up paying out that ransom. So just like that, a quarter of a million dollars in cash gone from the business. Then the attackers returned the key, but it’s often a gamble whether or not they’re going to. These are criminals. They don’t have any code to follow. But in general, you know, they’ll return the key, and which they did in this case. But it was partially functional, so it didn’t get everything back up and running.
So this company still suffered several weeks of downtime of critical systems, bleeding into months of restore work where their IT team was completely wrapped up in this. They had to bring in external consultants to help with all manner of things. So in total, you know, when I spoke to him in the aftermath, it was somewhere around half a million dollars that was spent that they were able to track in terms of cash moving off their books. The opportunity cost, the lost time, the lost trust in that business, the fact that they had to go to all their partners and say, “Hey, look, this happened to us.” You know, a lot of that’s intangible, but meaningful. So very serious for them.
BILL YATES: And the impact on the team, you know, I’m just thinking of that, too, Andy. It’s so frustrating when your work gets stopped. And you have to let the customer know, or you have to let somebody else, you know, many times there are external stakeholders. And it’s just such a point of frustration for the entire company. So you’re right, that opportunity cost, it’s hard to put a dollar amount on that. So talk us through what are some of the lessons learned from this particular incident.
ANDY SAUER: Sure. So I think maybe the smartest thing to kind of go through is the sequence of events. And, you know, what started as something that could be small and contained, exploded into this giant thing, is a very common story that happens to lots of businesses that you see publicly and that happen behind closed doors. The way it all started was with a fun little thing called “phishing,” which if you haven’t heard of phishing, it’s kind of like ransomware in terms of terminology we throw around. You see a lot of it.
Phishing is how this started. Now, phishing, if you’re not aware, is basically, if I’m an attacker, I dangle some bait. It’s why we call it phishing. I dangle some bait to try to get you, my victim, to bite. Now I’m going to dangle some kind of bait to get you to bite and give me your password. I’m going to send you an email that says, hey, this is Google. Your Google account’s been compromised. Please click here to sign in to see what happened.
Now you click it, you don’t realize it, but they’ve sent you to their own website that looks like Google. But when you look at the URL bar, it’s not. You might not realize that, and put in your username and password. And now they have it. And that’s exactly what happened in this case. One of their IT administrators got an email where he was prompted to sign in to his Office 365 account. He did so.
Unbeknownst to him an attacker was sitting right in the middle, intercepted it and then spent the next several weeks infiltrating their systems, mapping it all out, scoping it all out after hours, looking around. And they built a whole map of this pretty large network, built out their software to prime it to deploy. And then they said, hey, on Friday night when everyone’s trying to go home for the weekend, it’s go time for them. That’s the entry point.
BILL YATES: Yeah. You’ve shared that phishing is like the upwards of 80, 90% of incidents start with something like phishing, yeah.
ANDY SAUER: Yes. Consistently, year over year, for all the years I’ve been paying attention to it, and certainly in the business, phishing remains the majority, across all industries, including the defense industry. It is the primary way attackers establish their initial access and get in.
BILL YATES: Okay. We’ll come back to that. Go ahead, what are some other lessons that you learned from this attack?
ANDY SAUER: So a common concern that we have now is IT administrators and security teams having privileges in environments that are permanent. So they’ll have the rights to do, you know, do their jobs, essentially, to be able to access user accounts and turn things on and off and reset passwords and whatnot. But a lot of times that’s excessive. We’re moving toward a model called “least privilege necessary,” where on your day to day you shouldn’t have all these rights to do with all that stuff. It should be a special case to do it. But in this case, as is very common in a lot of companies and a lot of departments, this person had full rights on their daily driver account.
So when I say “daily driver,” I mean the account you sign into your email with, the account you do everything with. The account you’re most likely to get phished on. When you have those administrative rights tied to that account, and they’re on 24/7/365, all I have to do is compromise that account, and I’m an administrator. And that’s exactly what happened in that case. So a great lesson learned for them was, hey, let’s separate that. Let’s move to a model where we either have dedicated administrator accounts that don’t have email, or let’s go to a model where people have to temporarily promote themselves to a role to do those functions. And then it automatically reverses, and those privileges go back off after a certain amount of time.
Second biggest was lack of multifactor authentication. This is another one most folks are becoming very familiar with because your bank is starting to require it. They want you to put in the code that you get via text message when you sign in. And businesses are having to add this to things like email accounts. And in this case, they had to add multifactor to their VPN. So a VPN, as many folks will know, is a way of accessing your internal network from outside via the Internet. They had a VPN that allowed their IT administrators to access the network from outside the company. But it was not protected by multifactor authentication.
So all you needed to get in was a username and password. So again, the attackers just had to get, you know, this individual’s password, and now they’re able to VPN in as an administrator, which means they had the keys to the kingdom and could see everything.
WENDY GROUNDS: Did this company just really have slack security? Was that their problem?
ANDY SAUER: That’s the thing. They are above their peers in terms of what I see and what a lot of folks report. They have a well-funded IT team. And they had folks, a lot of folks in that department. They had folks whose job was IT security. So it wasn’t like the business was ignoring it and didn’t care for it. There was a reason they had my phone number because I had done some cybersecurity consulting work for them. But the thing is, nine out of the 10 companies that we talk to are still doing some of these things that I mentioned in the lessons learned because it’s just – it’s very difficult to make that pivot.
And folks just still don’t really seem to understand how quickly technology moves. The attackers are moving every day. And if we’re not purposely keeping up, you know, they just have to be right that one time. We have to be right a thousand times. Do you know what I mean?
BILL YATES: Mm-hmm. Yeah, that element of diligence and having to stay on top of this, that really strikes me when I hear case studies and the kind of information that you present, which is with cybersecurity, it’s almost like risk planning for project managers. You’re never done. It’s like you’re constantly…
ANDY SAUER: Exactly.
BILL YATES: …having to revisit your plan. You’re having to constantly look for new threats, new opportunities. Back in the day when I was working projects for utilities, there was a large utility that they thought their backup system was working. Everything, you know, had been scoped out, and they thought, okay, if anything goes bad, if data corrupts or we have some kind of cyberattack, we’ve got a good fallback. And one day the data did corrupt, and they went to that fallback, and those systems would not load. Somehow that corruption had been copied into those, as well. So their backups were bad. It just takes so much discipline to revisit and make sure that your plans are working and that even things like backup files are actually valid and not corrupt.
ANDY SAUER: Cybersecurity is a process, not an implementation.
BILL YATES: Yes, right. All right. So that brings me to the top 10, 10 steps to better cybersecurity.
ANDY SAUER: Sure.
BILL YATES: As I look through this, I know you’ve come up with kind of a hit list of 10 items. Let’s talk about the first one, which is it gets to phishing. So talk more about training and simulation related to that.
ANDY SAUER: Yeah, so as your project managers are going to know, these are folks that are familiar with risk management. Let’s take on the number one risk, our biggest risk, the most common way that we get compromised. It’s phishing. So what we need to do to address phishing is training. Phishing is an attack on people. There are technical tools in place, but attackers are savvy. They learn how to beat the tools very quickly.
The most effective way of dealing with phishing is training your user base to recognize signs of phishing. To look at an email and say, hey, I’m being asked to do something abnormal. There’s a pressure of time and urgency. It’s someone claiming to be an authority to me in some way. Either it’s, you know, a boss, a CEO, someone like that, or it’s a company that is applying pressure. You have to look at that, take a breath, realize what it is. And that’s a most effective thing to do.
Now, you can do that through video-based training, through webinars, things like that, and then increasingly through simulation. A lot of companies do phishing simulation where they send phishing emails to their employees that, when the employee clicks, they just get taken to a site that says, hey, you clicked on what was a phishing email. Here are the signs that you could have recognized to learn that was phishing. And then more broadly a process for people to report phishing. If people in your organization don’t know who to report the phishing to, that’s a problem. They need to know when I receive an email I’m concerned about, I need to have a resource to forward it to that can tell me whether that’s legitimate or not.
WENDY GROUNDS: The second one, if we go through the 10 steps, is multifactor authentication. You mentioned this. Can you just give us a little bit more information about that?
ANDY SAUER: Yeah. So multifactor authentication is an additional factor. Everyone’s got a single factor. Your username and password, that’s a factor, your password is something you know. Multifactor is adding an additional factor where it’s something you have or something you are. So think of biometrics, a fingerprint. That’s something you are that we can use in combination with a password. Something you have would be your phone. So very commonly you can get a text message that sends a code, and that’s something you have. We know that device is something associated with you. So now it’s a password and a phone. A lot harder to compromise an account that has two factors of authentication, especially that are so tied to a person rather than just a username and a password.
BILL YATES: This third one, I think you hit on this. You talked about least privilege necessary in that movement. Talk about inventorying systems and accounts and maybe suggest a frequency for how often we should be reviewing that.
ANDY SAUER: Yeah, so the first two, the phishing, multifactor, that’s something you could do today. That’s going to be broadly effective. This third one, accounting for everything you have, is before you can really progress anything else we’re going to talk about, you have to know what you’re protecting. Right? Can’t effectively build a castle wall if you don’t know what the castle is.
So you really need to spend time and energy and invest in an early understanding, in a holistic understanding, of your environment. That’s the computer systems. That’s the people. And most importantly, it’s the data and where that data is at. A lot of people sort of assume, hey, once the data leaves our system and goes into whatever cloud system, it’s off my books. I don’t have to worry about it. But no, it is part of the conversation that you have to keep an inventory of. And, yeah, I’d say at least quarterly someone in the organization, or some ones, whether it’s a committee or an individual, has to be wearing that rose that says this is their responsibility. We have to keep an accurate and up-to-date inventory. Otherwise everything else can start to cascade into a problem.
WENDY GROUNDS: Number four is apply patches to systems and applications. Can you first tell me what a patch is, and how do we apply it?
ANDY SAUER: Yeah, so software is written by people. And as everyone listening here will know, people are quite imperfect. Software developers themselves will admit, infrequently, that they’re imperfect. So we write software, and software will have vulnerabilities in it. And a vulnerability is simply a way that I can bypass some feature of the software to do something malicious. Patching is the delivery of software fixes; right? Most common experience for everyone is going to be like, your computer gets updates from the vendor, whether it’s Microsoft or Apple. Those are generally resolving vulnerabilities that are found by security researchers.
So applying patches is sort of an umbrella fix for things. It’s a great way, if you’re up to date on patching, it’s a great way of protecting against the most common compromise mechanisms, the most common ways attackers are able to get into a system. If you’re up to date on your patches, you’re way less likely to suffer an external attack where someone is able to breach your network outside of something like phishing.
BILL YATES: That’s good. That’s helpful. And here’s another one of those admin type items, which is to lock or delete old accounts.
ANDY SAUER: Oh, yes.
BILL YATES: What’s your recommendation here, and what’s the vulnerability there?
ANDY SAUER: So everyone should be looking at least once a month at all of the accounts in their system. And again, that’s either a team or somebody gets assigned that responsibility. But you’d be surprised, or maybe you wouldn’t be, how often we come into a company’s environment and find accounts for people that are many years removed from the business who still have access. And if you do any real searching or listening in the cybersecurity world on this, it’s one of the most common ways of an insider threat – who’s really no longer an insider gets revenge on a company that’s terminated them. They’ll come back two years later and say I wonder if my sign-in still works for this company, see that it does, sign in and say, oh, I’ll just delete everything that I have access to.
So very common that we come in and people still have access. And that’s the exposure. One is that they could come do something malicious. But, two, a malicious attacker could target their account, and that’s one more account for them to try to guess a password in. You really want to reduce that, so every month look at it, make sure everyone who has an account that’s enabled is someone who needs that account to be there.
WENDY GROUNDS: We’re going to hear from Kevin and Kyle and what they’ve got for us.
KYLE: Hi Kevin, feel like breaking for lunch?
KEVIN: I can’t, I’m swamped right now. I’ve just started a new project and it could take weeks. To be honest, I’m really overwhelmed about all the tasks and deliverables of this project.
KYLE: Maybe I could help … what all do you need to do? Show me your project requirements and I’ll see what I can get working on?
KEVIN: OK, um.. here’s a list of what I need to do…
KYLE: Hmm, this looks confusing. Let’s make sure we don’t have the cart before the horse here. We should start by defining your project scope and requirements. It’s an important step in project planning and management. Once we’ve determined the scope then we can figure out other key elements such as your budget, success criteria, quality and schedule, those sort of things.
Scope helps drive key project plans. Like a product backlog or work breakdown structure. Having a detailed scope statement really helps the team stay focused and on task.
KEVIN: OK! This is helpful, I think my first step is to complete the project scope statement, get it approved, and then I can plan with the team. That approved scope will be huge – we can use that to determine next steps, assign tasks and give my team directions on what they need to do to meet our targets.
KYLE: There’s actually a Velociteach course called MASTERING SCOPE & REQUIREMENTS MANAGEMENT; it teaches you how to apply the specific techniques that will put you in control of the project’s scope from its inception all the way through its delivery. You should check it out.
KEVIN: OK, thanks, I’ll take a look! Let’s go get that lunch.
WENDY GROUNDS: Thanks, Kevin and Kyle. Let’s get back to our conversation with Andy. All right. Next one is adopt cloud services.
ANDY SAUER: This is one of my favorite pet topics. So I’m a major proponent of use of cloud services in small businesses from a security standpoint and from a business use case. There’s a lot to be said for leveraging cloud services. But from a security standpoint, it’s not a fix-all. You can still have your own infrastructure. But it’s a vast risk reduction to use a reputable cloud service to accomplish a similar task. The common use case might be email. You can host your own email server, and you can deal with all of the spam and junk that gets sent to every email server ever on the Internet.
Or for a reasonable cost, you can offload all of that security responsibility to a reputable security company like a Microsoft or a Google and let them and their massive billion-dollar security team deal with that, while you just worry about the email coming in and out. There’s a lot to be said for that reduction there.
BILL YATES: This next one is going to be, I think it’s something that project managers will relate to, which is building a team and an incident response plan. And I think it’d be good to talk about this because this is something where project managers should not wash their hands of it and go, eh, somebody else has got to deal with that. I’m not worried about it. So let’s talk first of all just about building that team and how to represent different areas of the company so that there’s communication, and people all stay onboard.
ANDY SAUER: So in looking at this list and thinking about project managers, this is the one that excites me the most because I think this is where project managers can really do the most. You can be a champion for everything else we’ve mentioned and make sure the things that we’ve talked about are happening on the projects you manage. But this is one you can lead. You can establish this team, and you can facilitate this process.
So an incident response team is a group of people, generally with broad experience and broad application across an organization who would come together at the time of a potential cybersecurity incident, whether it’s affecting a single project or whether it’s like the case study we talked about where the whole company is impacted. It’s a team of folks who are business leaders, decision-makers, people who can cut checks when there’s money that needs to be moved, or deal with human resources issues, or make executive decisions, bring all those folks together who should potentially be able to handle an incident.
Now, the incident response plan is the real power because if you sit down, and you talk through some of the incidents that you’re likely to have, we call them tabletop exercises, you get these people together, especially on your projects, you get folks together, you talk about what are the risks that we could face? What would happen if the major platform we use to deliver on this project is compromised? What’s our backup plan? Where is that data? What would we do if right now we lost access to that?
If you talk through all that, you lay all that out, you could start to put together a plan so that when it does happen, whatever the degree of pain you’re going to suffer is, it’s going to be vastly reduced because you’ll have already, in a calm time, talked through it and built out the plan so you’re not dealing with all the stress decision-making.
BILL YATES: Yeah. And I think one of the advantages to the way that we project managers are wired is we tend to not bury our head in the sand when it comes to risk and risk planning. You know, there’s a human tendency of I don’t want to worry about that. It’ll stress me out. Well, project managers tend to embrace that stress. I don’t know, you know, it’s how we’re wired or the nature of the job. To me this feels like something where we really do have a group of listeners who will roll their sleeves up and get into it and be about it. Let’s take this on.
ANDY SAUER: I can imagine, so, I mean, it’s very easy to look at cybersecurity concerns and think, that is not my problem. We have a security team. We have an IT team. But I promise you when the compromise happens, the folks in the IT and cybersecurity teams are often focused on the technical and getting the systems back up. They’re not particularly concerned about your specific project.
BILL YATES: Yes. Yes.
ANDY SAUER: And your workload.
BILL YATES: That’s right.
ANDY SAUER: Right. You have to take that responsibility.
BILL YATES: Yeah, yeah, there’s a lot at stake.
WENDY GROUNDS: So you talked earlier about limiting administration rights. Your point number eight of our 10 steps to better cybersecurity is establish hardened system baselines. Could you explain how to do that?
ANDY SAUER: On the technical level, hardened baseline is turning off things we don’t need, turning off services we don’t need. A common one could be like a network firewall. We don’t need outsiders accessing our network. There’s nothing here for them that we’re hosting. So we put a firewall that says they can’t come in. And we improve upon that, on your endpoints and in your systems, even in the company, not everyone should have access to it. Right? It should only be the people on your project who have access to project files.
As we start to harden the baseline, that’s allowable. And then as we need to we can poke holes in that. It’s a much stronger position to have a very thick and strong wall, and occasionally poke a hole in it to let one person through to do something, rather than have a much lower security broadly.
BILL YATES: Another, this is kind of technical, so I want you to describe it, you talk about keep your backups air gapped and out of band. I’ve experienced the downside of that before, so I think I know where you’re coming from. But go ahead and describe that and then give us some practicals on that.
ANDY SAUER: So going back to our case study, that half million dollars of loss could have been avoided very simply by air-gapping a backup. Air-gapping is the process of taking something like a backup and putting it on another network that is not reachable by the originating network. Most commonly we talk about this as offsite backups. In some cases we’ll even do full physical backups where we write stuff to like a tape, and you go put it in a big storage facility.
But it’s removing access to that backup to an attacker. The company that we did the case study with had backups offsite, but it was at their other locations. So each location backed up to the others, but they were all still interconnected through a VPN that that account had access to. So there was no true air gap. They were thinking, okay, we’re protecting against physical loss. But we’re not protecting against the logical capability of crossing over a network and simply accessing those backups.
WENDY GROUNDS: All right. Our last one, number 10, is store security logs and watch for unusual behavior.
ANDY SAUER: This is the bottom of the list. If you do all the other nine things in here, you’re doing phenomenal. This last one is how you’re going to facilitate a good incident response, and hopefully detect something early on, rather than wait till all the systems are down. So going back to our case study, their attacker was in for weeks. Weeks of reconnaissance, weeks of laying out the, you know, the triggers that they wanted to hit so that on that Friday night they probably hit a button, and the whole attack played out for them. All of that was being logged.
So in hindsight, going back and doing the post-op of that incident, we could see what the attackers did, when, how, the code they wrote, the scripts they ran. We could see it all. But nobody was looking. So it’s a two-part – you need to capture those logs, which in most cases, most computer systems do that by default these days. But someone has to look at them. For a small-medium business, you probably want to look to a partner. It’s hard to build a team, a security team, that focuses in just on doing, you know, log aggregation, log review.
But someone should be looking with regular frequency at what’s going on, and looking for abnormalities in what people are doing and the behavior they’re doing. Doesn’t mean you have to have someone who’s sitting in front of the computer screen like in “The Matrix,” watching the code go flying by. But you need to invest in software and systems that do a lot of that capability, that look for malicious behavior and abnormal behavior and can reduce that and alert you to it.
BILL YATES: Yeah. The forensics that I’ve heard about and then per past incidents, that’s always the case. You know, it’s like, okay, you know, I used to do some coding. And there’s just logging for every type of database that you use. You can go back and look at the logs and go, you know, what user, when did they log in, where did they go, what did they do? What code did they write or compile here? The forensics are there. But it’s too late; right? It’s like you’re locking the barn door after the horse is gone. So again, it goes back to putting something in place, being disciplined and saying on a daily, weekly, monthly, some period, we need to have someone who’s looking over these logs to see if this behavior fits in the normal, or if it’s not.
ANDY SAUER: It’s probably easy to, again, hear this whole security conversation and think of it as the ones and zeroes and the technical guys in the closet doing the coding and whatnot. But for your audience, for a project manager, there is a lot of impact here. Think about big data. And let’s say you have a big repository of data related to a project. Every time somebody manipulates that data, that should be producing a log of some kind. And a very common alert that we now roll out to companies is let’s alert when somebody does a lot of manipulation of a lot of data in a short time.
If somebody downloads the whole repository overnight, it’s a good sign something’s going on there. If we see somebody who only edits one or two documents a week has now suddenly edited a hundred, there’s something to investigate there. And that’s what we can look for in the logs, and someone just has to look and set up that alerting. That’s a very common one, and a big sign of, you know, a malicious insider.
WENDY GROUNDS: Given the nature of projects, project management and the type of work that our project managers are all involved in, what other advice would you have for project managers on how they can stay safe?
ANDY SAUER: My highest level advice to anyone in that role is security is your responsibility as much as it is the CISO’s. You are part of an apparatus where everyone has some responsibility here. You have more visibility into what’s going on; right? You’re in the day-to-day. You’re in the thick of it. So you’re the one who’s going to see things first. You’re really the front line. So I would advise everyone in those types of roles to keep that awareness. Understand you are part of the security team. It’s not in your title. They sneak this in on the job description. They say this is another duty as assigned. And they don’t tell you, but it is. And you can have a major impact with that understanding.
BILL YATES: Yeah. One of the things, you know, just thinking tactically, many of us are doing projects that are internal, but then many of us are doing external projects where our customers are outside the organization, or we have consultants that are outside the organization that we’re sharing information with, we’re sharing files. We may be, you know, using Google Drive or Dropbox or doing other things like that. What warnings do you have, or what advice do you have for situations like that?
ANDY SAUER: My advice would be to keep a high level of visibility on that. If you’re the project manager, and your project is doling out that type of access, don’t assume that the IT and security team is coming in behind you in a month to check that those accounts that have access should still have access. In a lot of cases, ignorance is bliss for everybody involved. Right? My advice would be regularly review that. Make sure that, even if you’re still doing business with the same company, are the same personnel on their side involved? Can we revoke their access? Do they still need access to these confidential and proprietary files? So keep a high level of visibility of what’s going on there.
BILL YATES: That’s a good tip. And I think about all the things we have to do at the end of a project when we’re closing it down, and this is something that needs to be on there is to review who has access to what, and do we need to shut that down.
ANDY SAUER: Definitely.
WENDY GROUNDS: From a security perspective, are there any new technologies or emerging technologies that cause you concern?
ANDY SAUER: Well, the shift to remote work has been a challenge for my industry. A lot of the cybersecurity strategies coming into 2020 were focused on let’s bring everyone to an office and let’s put up a big moat around the office, and a great castle wall, and, you know, watch what’s going on in here. And then COVID hit, and a lot of companies were unprepared to have their entire workforce be working from home. That is probably the biggest shift that has happened where a lot of security teams have lost complete visibility because they weren’t ready. They’d been watching their corporate network. They didn’t have endpoint focus. They weren’t looking at the user level, they were looking at the network. And now everyone is off your network and out in the world.
So that is a major concern. That lack of visibility can really be a detriment because now a lot of what we’ve talked about in terms of seeing stuff in the logs and seeing what people are doing, you don’t have that anymore. So your IT team has to purposefully sort of re-architect that. Additionally, the move to cloud services is a double-edged blade. You know, I advocate for it, and I want companies to do it because there is so much good about it. But it’s very easy to let that get outside of your management. Very easy to suddenly have 20, 30, 50 cloud apps with your company’s data a little bit in every single one. And no one’s got visibility into it. And nobody’s controlling it.
So access is haphazard, and suddenly you’ve got files that are highly controlled in a system that is not rated to handle that type of data, which the government would be very upset to find out you’re doing. Or, you know, you might have client data, PII. You might have, if you’re in the healthcare industry, you might have personal health information, all in systems that shouldn’t be because the person who put it there was able to just freely sign up for a cloud service, and no one had visibility. We call this shadow IT. If you ever are clicking through articles and see someone talking about shadow IT, this is essentially what we mean. It’s services and applications that the IT team isn’t aware of and doesn’t have control over, but the business has adopted, and people are out there doing.
WENDY GROUNDS: If you had a crystal ball in terms of the evolution of a cyberthreat, how do you see things evolving in the next few years?
ANDY SAUER: I don’t need a crystal ball. I know how it’s going to evolve.
WENDY GROUNDS: You’ve seen it.
ANDY SAUER: As do most people in my field. It’s not going to evolve a lot because phishing is going to remain the perimeter. It’s just going to continue to be the biggest problem for the foreseeable future because it’s attacking the most vulnerable part of the chain – the people. The software has vulnerabilities. The tools that we roll out have vulnerabilities. The systems do. But those we can patch pretty easily with a couple lines of ones and zeroes. It’s the people and the culture shift that is the slow part of this chain.
So I think the next few years we continue to see 80% of compromises initiated by phishing. I do think things will get a little better because multifactor authentication is really coming into the zeitgeist as required. Way fewer C-Suites are pushing back against things like multifactor authentication. So things will improve in that regard. But attackers will always find a way. So they’ll find some other vulnerability. Given five, 10 years, and I think we’ll have a different conversation.
And if you want to talk the real distant future about a real crystal ball is the rise of quantum computing. And I’m sure everyone’s seen some articles about that. The effect of real quantum computers could be that all that we’ve talked about, all the encryption, everything that sort of underlines all technology today would be at risk. So that could be a problem for us for another day, I’d say.
Yeah, I think a project manager can take this knowledge and facilitate conversation at the very minimum. There’s some practical stuff. Talk about an incident response plan specific to your project. But really take some of this, talk to your IT team about it, ask if any of, you know, the things we’ve talked about are being done and how they’re being done. You don’t have to really chase after it. You know, it isn’t your job, but it is your responsibility. Have those conversations. See what you can do to help move those things forward.
WENDY GROUNDS: If our listeners want to ask you any questions or get in touch or see something of what you do in your company, how can they reach you?
ANDY SAUER: So they could visit our website. It’s www.sentinelblue.com, and it’s sentinel the word, and the color blue. Pretty straightforward.
BILL YATES: Yeah.
ANDY SAUER: I’m pretty active on LinkedIn. I like to post the goings-on of my industry and share some of the cybersecurity horror stories we see.
BILL YATES: Yeah. They’re juicy. Well, Andy, this has been so beneficial. This is a topic that, again, this is risk management at a deep level where the stakes are high. And I know our project managers will appreciate your insights and just seeing the impacts that you’ve seen on other companies that have had cyberattacks that have impacted projects, impacted ongoing operations. It’s sobering. So I really appreciate you speaking to the tactics and giving advice as we raise awareness on cybersecurity.
ANDY SAUER: It’s always a pleasure and a privilege to be the one who gets to bring the message out there and communicate it. So I really appreciate the opportunity.
WENDY GROUNDS: That’s it for us here on Manage This. You’ve just earned your Professional Development Units toward recertification by listening to this podcast. To claim them, go to Velociteach.com, choose Manage This Podcast from the top of the page, click the button that says Claim PDUs, and click through the steps.
If you have any questions about our podcasts or about project management certifications, we’re here for you. Just reach out to us at Velociteach.com. Until next time, keep calm, shields up, and Manage This.