MISAC Cyber Cities - City of San Luis Obispo - Emerging Technologies


Thank you all again for joining. My name is [inaudible] Timur I'm with Cal Poly sandbars security institute. What we have today is Ms. Sachs cyber seeing emerging technology webinar, the partners, city is San. Most of this photo, so. Thank you. To me tag for another webinar. [SPEAKER] So overview for the webinar, housekeeping notes, today are on emerging technologies.

We do have a fantastic panel put together and we'll have some conversation on various topics. And indeed there is time towards the end of the webinar for audience Q&A. If you could please drop your questions for the Q&A. There's a feature of Zoom webinar, it should be available on Zoom webinar below. So drop that question and then the panels will confirm a for about 40 minutes. We have 10 minutes for Q&A at the end.

The webinar will be recorded and it will be posted to our CCI YouTube channel. You'll see a QR code momentarily look the link to that. Another note is there is closed captioning available, so within the same Zoom webinar bar, mouse over to where it says Live transcript get rolling and that should be available to you as well. Fact this I first like to jump into saying thank you to each of our sponsors.

Whether the mean sacks cyber cities, webinar. We connect with a single city for each webinar. So for this webinar, thank you to the city of, San Luis Obispo of our home city. Would do have Doug join us today? As one of our panel so thank you, Doug, for joining us. With a PCI that's my home base as well. A couple of highlights here we do have a new website, so please head on over and take a look at the CCI.com, [inaudible] and task new Training

portal, upcoming [inaudible] you. Can also see that QR codes centered there if you want to take a snip of that or picture that will take you to our. CCI YouTube channel which will have this. Webinar I, went uploaded as well as the previous webinars with a new sac Cyber cities and the force of fantastic partial ownership with me. So thank you to me, sac for all of the efforts and making these webinars possible.

The quote here that's been incorporated on this slide, it really eyes into what we're kind of. In bringing every together here. And the quote from Tim, Williamson, it is literally impossible to put a value on the collective wisdom of a hundreds of millions of people. Just really what we're trying to achieve your being able together, putting different topics and plague and get in different insights delivered. So with that. I'd like to pass the [inaudible] off to say to open up, with me, sac. Thank you. Everyone. And thank you again, Matt, might be missed

up. I am the with the City of Roseville. And I have the privilege of serving you as the 2021 me a sec precedence today on behalf of MISAC and also Matt say, all, virtual host city, which has similar was a bespoke. We want. All of you all to our fifth series of our Cyber City webinars that we are so pleased that we are co-sponsoring with the California cybersecurity institute, at Cal Poly State University. Our first for seminars and webinars. Weew actually huge success with every time that's over a 100 positive. I'm sure this one will be very well attended as well to. In this meeting. My personal philosophies, I want to look at

the emerging technologies and its associated cyber risks on IoT, Internet, of Things, unstructured data analytic. 75 days away from today. Don't forget to register for the exciting adventures ahead of you. With that I'm going to turn over to our trust the partner, Matt, from California cybersecurity Institute to get this webinar started. All yours [SPEAKER] Thank you very much. I. Appreciate that so.

To bring about a table, I'm panelists we do have a great group of folks here to share their expertise. Curtis Franklin dominant, discovering Michael [inaudible]. With that, I'd like to give them an opportunity to eat, say hello. If you don't mind jumping in there. [SPEAKER] Good morning, everybody. Just want to say thank you for the opportunity to be a panelists today representing San Luis Obispo. I am Doug Lowenstein, immune Information Security Officer of California, Polytechnic State University in slot todays security, including oversight of our security program, such as information security awareness training, third-party reviews, and risk assessments I've worked closely with the slow county and the city of slow IT staff since we do share some of the same network and resource. I've got 29 years of experience, military,

most of it at the time was in information technology. I retired about six years ago, moved to slow where I worked in the finance sector for a couple of years and joined the Cal Poly team back in 2017 as the slow intro slide said I'm not in a rush. [SPEAKER] Michael, would you like to say Hello? [SPEAKER] Thank you for having me here.

Appreciate the opportunity to talk to all of you. I'm [inaudible], the city CSF for Sydney, San Francisco. I'm glad to participate here and further the mission of MISAC. Exciting time I've been with the city for 3.5 years now. In work in cyber for the previous 15 plus years before that.

We've got a big mission in San Francisco. As you can imagine. We just rolled out our new years cybersecurity training to 44 South and staff members and 50 plots, departments. And continue to protect not just the city services of critical to San Francisco the largest sentences could be area.

Thanks, everybody. [SPEAKER] Thank you. Michael. Donald Duck? [SPEAKER] Yes. My name is Dan. I am the cybersecurity manager for the City of Livermore.

I've only been here for eight months now, since. November of 2020 prior to that, I was a cities Auditor working amazing associates for 20 years. I may know many of the audience members as they were my oddities. But I've been in this for a while.

I also taught some classes at [inaudible] college, San Diego City College, coastline community college, USF. There's one more in there. Anyways. So I've been around for awhile and doing some training and looking forward to having this discussion today. [SPEAKER] All right. Good. Thank you. Would you'd like to join us?

[SPEAKER] Hey, good afternoon, everybody. Curtis Franklin and I'm the IT manager for regional science. We provide case management services to developmentally [inaudible] disabled across the exam writing Riverside County.

So we cover quite a bit of area and have about just under 800 step right now. [SPEAKER] Very good. Well, with that, that is our panel. And here are the topics that we like to dive into. So emerging technologies is indeed the focus for this MISAC cybercity webinar, opening, with a broad spectrum of IoT and Wi-Fi and vulnerabilities. Would you like to cure us off dig into the Internet of Things and what your thoughts might be. Yeah, you know, one of the things that I think we've talked about emergency emerging technologies.

And I almost think that we should have said emerging technologies equals emerging threats, right? Because anytime there's a new technology, there's new threats related to it. And the struggle for us in cybersecurity is to keep up with that constant change. And things that are not traditional in IT. And when we look at Internet of things, many of us have organizations, maybe you have classroom, smart classrooms that have devices in there. Are now on the network.

Here at the City Hall. I know we have a conference room. Devices that connect into the internet. And the interesting thing with them is they're not capable of us installing anti-malware on, right? So the traditional ways that we have in the past tried to secure things. Doesn't necessarily work for those. And so, you know, to kick it off, I was wondering

what has been the impact. Doug, Michael, and Curtis to your organizations with IoT has there been an impact your organization and how are you dealing with trying to maintain an inventory of IoT devices. [SPEAKER] Talk real quick. Inventory of IoT devices. That is an aim point. You know, what was going through and putting together notes for this. I know of the IoT devices and then there's some that I don't know of. Just last week I saw an article talking about a bear was seen on campus.

How did they capture that video with a ring doorbell that happened to be on our network. So knowing what's on our network is one challenge, right? You gotta know what's out there, so you can protect that equipment. But we do know that we have IoT devices on campus.

We actually have a segmented network for IoT devices. Just so we can reduce that blast radius. If something should get compromised or something needs to be patched or 0 if comes out. We can reduce that blast cell. I've got 21 thousand students, every one of them carried anywhere between four to six mobile devices that connect to our Wi-Fi. So we always have to think about them. We have close to probably 8 thousand students that live in housing that have Playstations, TVs, Xboxes. Those smart devices that I won't say the names

to smartphones, tablets, Fitbits, swatches, you name it, they are connected. Network. And we've got to make sure that we protect them. We do have industrial type of IoT devices like rain sensors that are, water watching, for rain when it randomly comes to California.

And, you know, turns off, our sprinklers so we are saving water where we can aggregate. Cultural school. I've got IoT devices on cows or monitoring where those cows are grazing. So we can optimize their grazing patterns. We've got the girl, the women's soccer team that [inaudible] during practices. So the coaches can watch screaming the fact see how things were.

Students work. So the campus is rife with IoT devices and it is a challenge. Those are some good points, Douglas, I think that it's interesting that you have cows with it. I heard about that before in the past and I was always, you know, enamored with that idea that we're going to, a cow is going to have an IP address. It's just one of those things that you just

like. I never thought of that. But could totally see where it's useful. And I can totally see this challenge and you had talked about still having that issue with the inventory and knowing what's on the network. But then also trying to segment it as much as possible. So that again, you kind of compartmentalize

the damage, right? Anybody else? Michael Curtis, you have any other thoughts on that? [SPEAKER] Yeah. I mean, there's a lot to talk about that that's a big area to unpack IoT as you can imagine. We've got a lot of Internet of Things. So I mean, it really sounds the gamut from sensors to industrial technology to building management systems as well.

And IT could be a lot of things and think, you know, it's interesting to hear about cows. We have in some of our new smart buildings, each pane of glass has its own IP address. Because it polarizes differently. So then you started talking about not just

kinda understanding what your have, but being overwhelmed, you know, kind of in terms of assigning network IP space to some of the devices. So that's a lot of complexity there. A lot of the stuff, you know, think about kind of more of industrial control systems are older right. And some of the new approaches don't work.

For what we've seen. And you've all kind of be hearing this attacks. I think people are realizing how bad an idea it is to connect, you know, kind of some of those control networks to business networks. In salad that rush to get everything is slowing down, honestly, I'm, my recession with a lot of our department says, you know, just because the better says it needs to begin. Jeanette doesn't really need to be connected

to the Internet. I'm actually now turning around and saying, Well, maybe this does not need to be smart, right? You know what's the gain there? Because the risk honestly completely outweighs the game. And a lot of cases you know, we've been challenging. We have a part of Department of Technology, but we have one of those. I don't know if you've seen SoftBank robot graders that just kind of walk to in and we had a hard time a couple of years back with that you know, was that thing it runs Linux, you know, pretty simple. In its kind of the powers, the robot, but

where we've. Known as, you know, you can see, some of those exploits on YouTube. Is that people found all kinds of abilities in that SoftBank robot, right? So we talked to the company. And we tell them, you know, you have this vulnerabilities on your [inaudible].

Basically computer that in this robot, it's publicly known, can we put our agent? In this thing? And the in they tell us flat out now we can't, this things is not going to work. If. You put an agent on it. All right. Well, can we stop it from talking to the Internet? And they say Now you can't stop it from talking to net, but that's what you bought. You can't really, that's not gonna work otherwise and that's connected to the internet all right, so you can't, you know we now we're putting a known vulnerable system. You know, about the Linux system on the network, right? Well? I don't want to just, you, know. Yes. So we can put it in an isolated segment and let it go to the Internet that I noticed while they're both so at least it has to have some kind of firewall in front of it, right. So we can block.

Known attacks because we asked them to patch and they said, Well, you know, we patched every six months or so that's our patching cycle. So even as something as simple as this, where we had direct engagement with the vendor and in they are basically saying, well, you know, that's, our model. That's innovative new company in robotics. We don't have staff to do this. Cybersecurity thing for you. So that was interesting kind of experience with some other, IT. But beyond that, I think we're in the city are also looking at sensors in a different perspective. I'm involved in part of our privacy and surveillance advisory board is sensors introduce probably see risks.

Right? And so we're validating IT new. You know, whether it's cameras are different types of sensor, aesthetic election, social energy. Very much from a private super spective. And you know, the city has taken one of the you know has really pushed on of the first privacy legislations at a local level in the country called privacy first legislation. And there was a lot of new innovative stuff and one of the things that really speaks to me is community involvement in also so the right to remain anonymous, which is not really kind of been talked to when we talked about privacy. When. We think about privacy, we think about data that is collected, being protected or not misused.

But. When we sit and we talked about it, it's also about the right not to have data collected about you in the first place. And so, you know, for the right of people to assemble anonymously, to speak anonymously, to walk in the city streets anonymously without being observed, without being monitored. And so we will look at the way that I'm starting to look at IT is really, is show me the value. You know, in the past five years ago, we were like, Let's sensor up, let's get it out there. We'll figure out the use cases we actually had a number of companies come to us and say, we'll put it for free.

We don't have a use case. We'll figure it out. Let's just work together. I flipped completely in the last five years. Now, showing. Me the business case.

Me the value that outweighs the security risks. And the privacy risks of those sensors. And IoT devices. And that's probably, you know, it's really hard for me to say as a technologist, you know, I've always been excited by technology, but that's really the reality right now, is that this reading needs to be clear value shown. And the risks considered. Thank you, Michael. I appreciate that. It's good to see that cities are starting to look at privacy without having to have a mandate for privacy, right? To start that process.

[SPEAKER] Not sure if Curtis had anything to add on, but we wanted to kinda move on to the next topic. Of analytics because we have so much to talk about. So question on that is, how are you using analytics? And what would you like to be able to do with that? You know, we kind of think of a bunch of unstructured data, big data where we have a lot of information. How can we actually put that to use. In order to make actionable decisions, right? So Curtis, do you want to start off are you using any of that? Are you? Just kinda duck down a little bit up with the IoT things since we are talking a little bit about how data is gathered, I saw a talk not too long ago and one of the things that was brought up in the talk was that and we start talking about. Data.

It's. Kinda beingness new oil and kind of going to what Michael was saying with a lot of these companies that are really looking to just get something in there and then they'll figure something out. [SPEAKER] And then the talk basically saying that data is not the new oil it's the new glitter. It lowers humans in with the [inaudible]. It's very easy to accumulate and that's found

in a lot of places that you're not really expecting it. It's almost impossible to get rid of and nobody really anticipates the consequences and they don't think that through when they start putting some of this stuff in. And I think when we start talking about analytics, what we're really looking at is what data are we collecting? Should we be collecting it to beginning? And then if we are collecting, what are we collecting it for? And I think having a mindset of here's what our business use cases are. Here's the reason that we are collecting this information. Are we collecting the right information of what are we going to do with it? We are kind of late here at IRC and to even looking at things like GIS.

We don't have streets and sewers and things like that, that would typically find a good GIS use-case. But we still have an awful lot of information that is being collected about all of our population that we serve and being able to accumulate some of that data and turn it into action items, where we can take something instead put it in front of an executive, put it in front of a director front of management and say, here's what we're seeing, and here's the information that we have, and here's what we think a good decision would be on. Whatever that topic might be. And structuring some of that data and taking it out of all these individual silos and really looking at integrating data from the top to the bottom. We don't have much as far as. First IoT goes necessarily. That's generating a lot of analytics data that we might be looking at using are potentially not even having. But we do have enough water data that is going into it and not a whole lot of analytics that is being put on top of that.

I think that's really good. Curtis, you brought up something totally popped into my head is, you know, that show hoarders kinda feel like a lot of organizations are like they treat data that way, right? You know it's, just? Like just, grab all of it, everything we can possibly, get. [SPEAKER] But I think what Michael and you have brought up is what do we need this for? I mean, it just takes up space which costs money. But then can we even turn it into anything that's actually useful? I know that like for our city manager, he likes to get analytics and stuff like that to kind of see, you know, about trends and look at things over time. But there's a business case for that, right?

It's all that other data that we have that there is no business case for it, right. It's our to easy cases to accumulate that data. And we can make that decision that ahead of time on whether or not we need it. [SPEAKER] And then probably even more importantly, when we do decide that we needed, how long are we planning on keeping it? At some point where somebody lives? Let's say, from seven years ago and they've moved four times on art and then get our case any way, it probably doesn't make a whole lot of sense for us to be maintaining address information and other and other things that tied somebody back to a place that they're no longer at men so we do run into that quite a bit. [SPEAKER] That's a good point, you know, Donald, if I can step in when Curtis was talking, I was thinking of this topic purely from, you know, security blinders, young view of the data that's going into our sim, you know, security incident event management tool. But being on a university data, rules, data. You know, if make data decisions,

data-based decisions, those are the ones that are gonna win and trickled to the top. You know we've got data analysis at the research level, university development. They've got list of donors, they've got list and graduates that they can reach out to for looking for donation. So we're support. We have 65 thousand deaths a year, apply to Cal Poly and 68 thousand gets selected. That pool of 65 thousand is just riddled with data that, the university system, Cal State University system, just loves to see because, you know, they can make.

Decisions about what kind of housing they need to build on campus those types of things. But again, to be honest to this group, I was looking at it from a security perspective. And. You know how we use the log data from all

of our systems to protect our resources. And our data. And as far as getting rid of things. All my goodness you know, nobody wants to get rid of data. Just had a security incident last month where

somebody was cleaning out their office through all this data into a recycle bin. And it was stuff from the early 80s. There were printed out and it's like data retention policies. We have those policies for reason. So that we don't have to keep everything for so long. And when it comes to electronic data, nobody wants to delete electronic data because in their mind, it doesn't take space up, it doesn't cost a thing. Just there when I need it. [SPEAKER] One thing when it takes up desk

space and it's another thing when it's just on a hard drive somewhere, you, don't see it, right? It's a lot easier when so your desk to say I need to get rid of that. Although some people's desks around here are piled pretty high, you have anything to add to that, Michael. Yeah. I mean, I think we cover the topic, you know, quite a lot here you know to bring it back to, the security piece, I think data, does not equal decisions. And decisions equally intelligent decisions

so I always tell my team knowing about something you're not taking actions on. That is a reading, that idea. That all do you probably appreciate from the audit perspective, that? Opens up to liability and exposure. So, you know, collected data, if you read a mean to do something with it. You better have people ready to do something. If decision is there because you just don't want to collect it or even worse identify something that is not actionable.

You know, my mind flashes back to the report of that poor building in Florida. Where data was collected. And the report was created in, you know, clear action was identified and no one took action. Right? I mean, just think I like I think about that and I got a liability and the damage that a horrible da mage that that caused right.

And human life lost. I didn't sound waves. In the security space to find know about something. Then it must take action, right? And so we need to be prepared for any data that we're collecting to take action and have enough people to take action comprehensively across the entire environment so we are very sensitive. Very focused, and what we're collecting data, data does help, of course, make the right decisions.

And so, you know, we are engaged, especially with our small team and not very large set of targets. With the profile International profile word constantly getting bombarded. You know, the gangs don't sleep seems to be they keep on coming. So we absolutely must use data to, you know, to help us figure out where do we defend how do we we defend found where embarking kind of on more automation based on. That, you know, the date allows us to make in a much more automated fashion. So it's really not just about on analytics

now. It's about analytics that leads to an automated decision. Right? That helps us to protect. So we started talking about kind of, you know, maybe a little later, we you know we can talk a bit more about this artificial intelligence, which is really, just machine-learning, the trigger's actions, right? But it starts with data.

And so we're actively looking at kind of what's the sources that we need. User behavior. User access network, you know, behavior, system behavior. How do. We start? How do we collect all of that? And MD5 the right elements to see, you know if, something's off, if [inaudible] or system, or a user has a higher risk. You know, score if you will, risk profile. And how do we take automated actions in the middle of the night to contain a particular system, right? Because we must act fast.

You know, we all know kind of, you know the Doctors oftentimes, you know, half of the world that it's the tech and us his up. When our teams are in bed so we need to take quick actions. So that's my mindset when I think about analytics. And the data that's triggered some decisions and decisions, we're, we're looking to automate. [SPEAKER] And I think you segue us into and

so we'll just take artificial intelligences. The next one because I think that it kinda goes hand-in-hand with analytics on the security side of things. We were collecting data that we can use for actionable [inaudible] intelligence for us to, you know, adjust. Our security posture. And I think that's probably one of the best emerging technologies for cybersecurity. I think one of the reasons for that, if you look in the news in the round, you see that there's a cybersecurity shortage of professionals, right? You know, it's gone up. They were thinking that it was gonna be a

million jobs now it's 3.5 million jobs that are gonna be vacant because we don't have enough people getting into technology and cyber security. So I think that artificial intelligence is that way to augment our staff and have that autonomous response, right? That Michael was talking about. And so wondering, are you guys looking at and you need your agencies, are you looking at actually implementing any artificial intelligent or have you and how is it worked out for you? Doug, I think you are on mute. [SPEAKER] Yeah. As Michael. Mentioned we use machine learning with our Inaudible we haven't. Really dipped our toes into the artificial

space, but we are using, you know, the since orchestration tool. They're sorted. Tool to help automate some of those responses. So if an alert comes in, machine learning looks at it and spits out some playbook that needs to be taken and the actions that we want to take. You know, freeing up our analysts to dig deep and other issues versus you know the mundane stuff that we triggered on and fix on the spot automatically.

So we're looking for those ways to optimize. And, I've got, you know, being on campus, I've got the brightest minds just working on this stuff. I've got student assistance in my sock doing tier one activity, setting up alerts, figuring out how they can automate these stuff. And do things more efficiently. So we are learning, we are at the very beginning now.

[SPEAKER] I think we're all kind of at the beginning of that right. And to segue into that, it kind of these topics kind of intertwine with one another. Because artificial intelligence also could be used to monitor IoT devices. And look for strange behavior. At my previous employer, we had a network monitoring system that uses artists visual intelligence, and it basically learned what each devices, what normal behavior was for devices, IoT, normal behavior is very limited, very limited range, right? So it's. Easy to throw a red flag on IoT devices where it's a little bit more difficult.

Right? IoT devices usually only talk to one IP address out on the Internet somewhere wherever their command and control is for whatever the devices. And that's it, right? So if it starts talking to China or Russia, or some other place, then red alert we have a problem right. So I think artificial intelligence can really help out with that kind of stuff.

Curtis, you have any thoughts on that? [SPEAKER] Yeah. I think that IoT in general is kind of a thing a new enough technology that weren't organization our size, we're not seeing a lot of I'm sorry, about we're not seeing a lot of that just yet come in to anything more than really just the marketing buzz around that I think I think you've been dealt advertising. They've got AI built into their laptops were something I don't know they didn't quite know what that is. But. We do see a lot of opportunity for an organization our size.

Going back to the same idea of having things look at and find things that we need to look at. So for example, we use a lot of different Azure technologies. And so having Azure look at something and say this is an out of ordinary login for this user who typically only logs in from these devices are these IP addresses. And we can take action either based off of that information or at least getting an alert to say, maybe we have something here that we need to look at. I think that's probably where we're at as

organization. I don't think we I don't think we're quite to the scale that doesn't like [inaudible], where we're seeing a lot of gravitation or looking at AI a solution so much, it's just a way of augmenting some of what we already have. [SPEAKER] Yeah. You're.

Starting to see again, there's the marketing hype, right? And then there's the actual really good stuff that actually does stuff. And I started to see everybody has AI, right and everybody has something as a service, you know. Everybody's Cloud-based. So sometimes you have to dig into it to kind

of find out, you, know as, this hyper is, this actually something that helps with is it really machine-learning? Is it really being autonomous. And I think that that's an interesting, point and I think Michael, had says something about autonomous cars earlier before the session and I just wanted. The to say though I did see autonomous cars in Yellowstone National Park, they were testing them out. And I walked right in front of it, stopped and it wouldn't go until I backed up a little bit more even though it was on the curve, I had to backup another step before it went. So there is AI there. And in that case it was like overly safe and

that was probably good. It didn't know who I was. And whether I was going to jump out in front of it. So AI is out there and it's something that we're going to have to get used to I think it's great to leverage it.

But again, some of it usually comes at a premium, right now is what I've noticed as far as Costco. And I think go ahead. [SPEAKER] I think it's exactly right, no. I mean, the right now, you can't just have the I do something without a human looking at [inaudible] all. So it's not, it augments that it's a no way replacement. So. I can't say like, well just because I'm buying AI I do not need an analyst.

Right? Because it doesn't do you know, reading anything out in sound unless somebody's there, it is. So they need the corner cases that it always becomes kind of tuning. But but I do, I do see opportunities to, you know, to look out that needle in a haystack. You know what It's. One of the things that we're doing. Especially on fishing, is using partners. We are looking for partners who are, who know how to use machine learning and [inaudible]. And it's not really artificial intelligence anyway, just actually learning, which is a new way to look through data.

Who are masters of, you know, so they're partners that are helping us, they're partners in machine learning. And they're using, and you know, one of the things that we saw at the beginning of the pandemic is just an insane increase in phishing attacks, with domains being spun up, you know, almost every second, trying to phish, trying to pretend to be CDC or WHO. And you know, our initial reaction, it's kind of a traditional reaction as well: let's put everything on a deny list, right? Let's get the new set of domains every day, let's put them on a deny list. And we've worked with our partner, who has been telling us, like, don't do that. All right. Which kind of stopped us, and said, well, why shouldn't we do that? And say, well, that actually blocks the machine learning from creating better models, right?

Because you might put, you know, 20 domains a day on deny lists, but you're going to miss the 21st one. And if we allow the machine learning to do its job and actually look at characteristics of, you know, how those domains come up, what they resemble, then we are likely to detect the 21st one, right? And so we've kind of backed off our traditional response and we've been working with our partners, and we are seeing that machine learning is better at doing these routine things: identifying, kind of looking at how quickly was this domain created, what does it look like, is it sending something. You know, the partners also protect many other local governments as well as organizations. And so they benefit from this collective knowledge that they bring in, a collective pool of data, not just what we're seeing, but what they're seeing across the board.

It does take a little bit of a change in the way that we respond, you know, to kind of allow machine learning to do its job, and fight the anomalous behavior, so that we can adjust. And so we, you know, we're not there. We're just at the beginning of the journey and, you know, we've got another strong partner with a lot of machine learning around user behavior. We're trying to kind of adjust, and you know, I tell my team, you know, if we see something, we just, you know, we stop access. It's not always easy, but we kind of err on the side of caution. And I have the mandate, except for some VIPs that we have to maintain a separate machine learning model for, because we can't stop them. And I'm not talking about just elected officials, I'm talking about doctors and nurses, police officers. And so we just, you know, where the kind of model of, you know, fail-safe doesn't work, because if it stopped [inaudible] something bad could happen, you know, public safety. So we fail open in those cases. We might get an alert, but we'll allow them to continue doing the work they are. We just call to find them and do something else. Not a bit is just, you know, you pay, you turn the key and it goes. Everything needs a human being.

[SPEAKER] I agree with that. I know that we get alerts when people log in from outside of the geographical region that they normally do. However, just last week when I was going on vacation, I got a bunch of phone calls because everybody was saying, oh, it says I'm logging in in Pennsylvania. Well, our ISP arrange IP addresses. And so the geolocation wasn't showing here at City Hall, it was showing Pennsylvania, but it was our IP address.

So yeah, the AI was able to say, hey, this is anomalous, but it turned out it really wasn't anomalous; it was just the bad data that was put into it.

So moving on to the next topic, zero-trust mindset. I know that there's a lot of talk about zero trust too. It's still, it's kind of like when cloud first came out, it's kind of a nebulous concept. Nebulous cloud.

Good, but it was not very solidified as to what it is. And I think zero trust is still kind of in that area where, yeah, we've got a good idea philosophically about how it should run. But on the nuts and bolts side of things, there's still a lot of things that we're working out.

And although there's a lot of vendors out there saying, hey, we've got a zero trust solution, I haven't seen one that's fully, actually zero trust. So what are you guys doing with that? Or are you still into using VPNs? Is that the way to go? And how do you move, or are you moving, towards this idea of zero trust?

[SPEAKER] Take a stab at this. I think that from our standpoint, we do still utilize VPN. What we are finding, though, is that we are actually relying on that more for endpoint management than we are for actual application access. I think as we embrace the cloud more, and go back to your reference there, we do see that doing things like conditional access and having that a VPN be the front door to access to some of our web applications but instead to have either machine or user or heuristic analysis on activity to determine whether or not somebody actually should be getting access to whatever this application is, I think works a lot better than just blanket giving access to. If you've got a compromised machine with VPN access, it's not really a whole lot of difference in most cases than a compromised machine sitting on the inside of your corporate network. And so we do have a machine that's outside of that corporate network and it's going to be something that we don't necessarily have [inaudible] as yours on. Having a blockade there makes a whole lot more sense.

And I think what we found in just supporting remote work over the last 18 months, it's really been the last battle that we thought was to be able to have a bunch of devices that have all this control over because they're all sitting here, there won't be. As we migrated away from that, I think that we've kinda gotta switch mindsets and not be in this idea that just because it's here, it means that it should be, or they should have, access, and instead switching to that idea, assume breach, assume compromise, and then allow access and those things are proven to be false, works a lot better when you don't necessarily have a desktop sitting in an office somewhere, and the only time that that desktop sees the network or sees the Internet is through all of these layers of control that we already have.

But we can't assume that anymore. And so having that idea, assuming breach and assuming compromise, allows for us to control that a little better.

[SPEAKER] We're probably on the opposite spectrum of what Curtis just explained. On campus, we're depending a lot on our virtual private network to protect our resources. Six months before COVID kicked off, we were right in the throes of doing a business continuity program, building up from the ground. And the VPN was one of those linchpin devices that we wanted to ensure our systems were protected. So it was one of the very first resources on campus that we enabled fully with multi-factor authentication.

When COVID hit and our campus closed down, everybody worked from home. The VPN was there, it was established, and people knew that they could use it to get to the campus resources that they were used to getting when they were on campus. We were working on our identity and access management program, so that we can restrict access to various data based on the roles that the individual uses. We're also looking deeply at tiered network architecture, where our most protected crown jewels are at that tier 0 stage in the data center behind a firewall. The only way you're going to access that tier 0 is through a device that sits in the data center with it, or through some jump box that has a certain level of protection, maybe a special admin that only x plus 1 people have access to. And with that implementation at Cal Poly, the zero trust, I'm still trying to get my head around it, you know, what it is, and, you know, the SASE aspect of how you would actually implement it. We're still in that learning and discovery phase.

[SPEAKER] Just do a quick.

You know, the topic of reducing risks. What I looked at also is looking at vendors and all the applications and all the devices that we're bringing onto the campus. So we have a really robust third-party process, and can definitely talk about that a little bit more. But as we're on the zero trust topic, pass the baton.

[SPEAKER] Yeah, perfect segue into the next topic, where a lot of this has to do with reducing risks, right? Moving to a zero-trust mindset is kinda helping to reduce risks, using artificial intelligence to kinda help also reduce risks. I think we had specifically listed up here bug bounties and the MITRE ATT&CK framework. Not sure if you guys are using any of those things. We don't, being local government and not actually creating software. Usually it's the software providers that come up with bug bounties, right? So I'm not sure of the government's interest in that. So I'm not sure what you guys have as far as thoughts on that or the MITRE ATT&CK framework.

[SPEAKER] I can say, to our security email, I receive several emails from bounty hunters, if you will, that are, hey, we've identified this vulnerability on your network. Do you have a bug bounty program? We're a state entity; we don't have a bug bounty program. I'd love to know what they found, but I feel we have a pretty robust security program when it comes to checking our code before we go live. You know, we're checking in dev, test, prod levels.

We're doing, you know, API scans, we're doing all the due diligence before we turn a service on to protect it. There could be [inaudible] maybe in our Drupal environment that they've identified, a cross-site scripting vulnerability or something like that. But we don't have a bug bounty, unfortunately.

[SPEAKER] You know, you bring that up, because one of the classes I was teaching, I think it was teaching Active Directory at one of the colleges, and one of my students is like, hey, did you know you can do this on a domain controller? I'm like, what do you mean you could do that? Look at this. I'm drawing this domain controller, like, you're on the school's domain controller. What are you doing? And then he said, well, look, I just followed this and it says, you know, on the Internet, go on here, and I'm like, oh my goodness. So I'm like, okay, well, let's not touch that one. Let's try it on the ones that are here in class. Right after class, got on the phone call: you've got a problem. You know, so that wasn't really a bug bounty, but that would be interesting, you know, if somebody did find something, to have that. But again, nothing we've done. I don't know if Curtis or Michael, if you've had anything along those lines.

[SPEAKER] Yeah. Go ahead, Curtis. Nothing here.

[SPEAKER] We're also, we're not paying. I mean, maybe that's the future iteration, but we're not paying for people to come and report on how their government, you know, can be improved. I get that all the time. I get those emails and some of them are really good, you know, people just come in and say, hey, I found this, and we've taken several actions. Say, don't wanna be bold. Found something. But there was something that was posted accidentally that shouldn't have been posted on some websites, or issues that they found. I had, obviously, the federal authorities, but also private citizens and journalists can, you know, contact me and say, we were hearing this or we're seeing this. And, you know, but at the same time, we also subscribe to both the monitoring by Cal-CSIC and CISA, you know, they do the vulnerability scanning. They tell us if, you know, if they are seeing any, you know, anything from malicious IPs attacking, coming at us. They are telling us, anything that's publicly facing, maybe they are seeing any vulnerabilities as well. So I get that from both the [inaudible] here on the state and from CISA, who's taken over from MS-ISAC [inaudible] scanning program. So I think we have some of those services that we would definitely rely on, because we want to know, besides what we're doing, if anybody else has seen something, but we're not paying.

And the MITRE ATT&CK framework is interesting. I mean, it's a good framework. I think that certainly is something that we are talking to our partners about. How, you know, and trying to evaluate.

Do we have the right protections at different steps in the framework? I'll tell you, it's, you know, once somebody is inside, you know, that is where, you know, going back to zero trust, although I really don't like the term, it's not like we are saying something new. It's not like we had complete trust and openness before; you know, I think we were segregating pretty successfully before. That's the hardest part, is that, you know, MITRE ATT&CK framework, is that step of eternal economy, [inaudible] internal movement when somebody's inside, detecting them, and preventing or [inaudible] the data. That's Friday, the hardest part for us, you know, if you think about the framework.

But I think, you know, we definitely evaluate our protections against the ATT&CK framework. And I think it's a useful tool, a lot of maybe that we are using.

[SPEAKER] I think that part of that is, one, most of us local governments don't have the staff necessarily that are gonna go out and learn that framework and be able to be monitoring for that, as much as we probably have outsourced that to another party and we're expecting them to use that as a means of understanding, you know, movement, you know, first infiltration, then movement throughout the network.

And the one thing about bug bounties, and then we can move on to Q&A really quick, is that I've had a number of times where staff has reported emails to me that are coming from the domain of an organization, but it definitely isn't that person. And so I've had to contact them and say, hey, I think you've been hacked. The last three phone calls that I've made to the other organization, whether it was another agency or business, all of them said, yes, we are aware that we were hacked, we're working on it. So, you know, so I go and report it. And as a government official, obviously, I'm not gonna get paid for reporting it to somebody else. But anyways, so we want to move on to Q&A.

And if we want to move this slide forward to Q&A, and then Matthew, if you want to see what questions we have.

[SPEAKER] Of course. Thank you, panelists, for the, that's a conversation. Q&A is open. There is the Q&A feature within Zoom webinar. If you'd like to drop your questions there, we can certainly pass those over to the panelists, or the mic is open for any questions.

[SPEAKER] We answered them all.

[SPEAKER] I don't see any questions coming through quite yet. There was a resource shared within the chat, a link from Dragos, some of the MITRE ATT&CK and how that [inaudible] there.

[SPEAKER] And monitor any questions that might come through. Any closing thoughts and comments on the topics that we didn't have time to cover, panelists or any attendees?

[SPEAKER] I think that we've learned a lot today, and I think one of the things that's important that we remember is that, you know, we talked about each of these things for eight to five minutes or whatever. And there's obviously a whole lot more that we could talk about: AI, analytics. Privacy, which really wasn't one of our topics, but it really did become one of our topics, right?

Because again, like Douglas said, you know, we sometimes as security folks kinda think of it as just the security side of things. And privacy is a whole 'nother issue that we sort of have to [inaudible] reading an article that said that privacy is a whole new skill set and it should not necessarily reside in cybersecurity, that privacy should be its own separate, you know, part of the organization. So for a lot of local governments, getting cybersecurity, like City of Livermore, to have cybersecurity separate from IT, this is a major accomplishment. I don't know how long it's gonna take us to say, okay, privacy needs to be the next one.

[SPEAKER] We do have a question from Richard pertaining to any information on the pipeline.

[SPEAKER] If we had any, we couldn't share it. I'm not sure other than what's been in the news. I have no other, anything beyond that.

[SPEAKER] I want to thank Donald for moderating this for us and keeping us on track. But, you know, the conversation like [inaudible] was just really good, and you hit it on the head, you know, Donald, when I've got my mindset, it's always refreshing to hear other perspectives and other ways to think of it. I had my head down probably a couple of times during this because I was taking notes, you know, these are good things to think about. Privacy is at the forefront in our students' minds; they are always asking about privacy and how their data is being used. And, you know, we don't have a privacy officer on our campus. I guess by default, I wear the hat of security officer and the privacy officer.

The Cal State University system has the Privacy Officer for the campus, for all the 23 campuses. So yeah, privacy is going to become more important.

[SPEAKER] Agreed.

[SPEAKER] Other question?

[SPEAKER] No, that was just a quick thought here. A link dropped into the chat regarding the type 1 video for any attendees that might want to take a look at that.

[SPEAKER] And I agree with my fellow panelists, it is a pleasure to come and talk to you. I think privacy is gonna be a big.

We talked about reliance, in a lot of ways, on suppliers. As local governments, we have a lot of suppliers and we have a lot of vendors. And I think as we get better and as we try to get our environment in better shape, the suppliers become such a critical part of the story. We've been focused very much on the risks that the suppliers could present to us.

And what we're seeing through the efforts, one thing that's becoming clear is that a lot of business email compromise and other attacks, although we put steps on our side to stop them, I mean, because we are public entities and all of our vendors and suppliers are publicly known, they often get attacked, especially in construction and other industries that have been traditionally strong suburb, cybersecurity. And so, you know, we are at the start of planning a campaign to help our suppliers increase their cybersecurity. We need them to also be strong because they support us. And I think the first two key steps that can really help everybody, and we're seeing it's a big myth, is multi-factor on email, and DMARC, to help with spoofing of their domains. You know, email is the lifeblood.

Now, the way that we communicate with each other, with our suppliers, we've taken the step a while ago to make sure that all of our email is protected by multi-factor authentication. And after a long journey, interrupted by COVID, and then on the months, San Francisco is about to turn on full reject mode for DMARC. You know, if anybody's interested, you know, more than happy to help. And that's something that we are going to start the conversation with, you know, the tens of thousands of suppliers we have, is to say, it doesn't cost you money, and we will help you, because we have to help, right, especially smaller suppliers. I think those two key steps can really help protect the network, protect our supply of sent them, protect us as well. I think you made an excellent point, because we didn't really talk about supply chain risks. We were talking about reducing risk, but we didn't talk about supply chain risk, and that's one of the largest areas.

[SPEAKER] And I think also the fact that you are reaching out to your different vendors and suppliers and having that conversation with them. We've started having that conversation with all of ours. Anyone that has anything to do with technology, I get to look at the contract and I have a series of questions like, what are you doing about this? You know, can I get your SSAE 18, you know, those types of questions. But we're in the process of starting here at the city to actually roll out cybersecurity awareness to the public as well. And one of the things that we look at from that is, if our public and our small businesses in the area are more secure, we're gonna be more secure overall, if we get that area, those folks, because ultimately a lot of attacks may be coming from, you know, compromised machines at local businesses or the ones that we do business with, right? Or they contact us about getting permits or whatever. So we interact with those small businesses. But those small businesses have less cybersecurity expertise. And we just all heard, you know, at the beginning of this that there's a shortage of expertise.

So I think it's great that you are looking at that from that point. And I think every city should also help their citizens be cyber safe as well.

[SPEAKER] Well, thank you again to our panel for joining. Their time is very much appreciated, and insights sharing. What we do have coming down the road is additional webinars with MISAC. Our webinar will be focused next on legacy systems, ransomware, and acts on by phishing fraud, and the convergence of space and cybersecurity. So thank you again for everybody's time. Have a fantastic day and we will see you next time. Thank you.

[SPEAKER] Thank you.

[SPEAKER] Thanks, everybody.

2021-07-18 19:13
