WEBVTT

00:00:00.000 --> 00:00:01.860
Well, you know, I'm in cybersecurity incident

00:00:01.860 --> 00:00:03.700
response, so people don't want polio and they

00:00:03.700 --> 00:00:10.000
don't want bolio to show up. That's great. Welcome

00:00:10.000 --> 00:00:12.259
to County Connection, the official podcast of

00:00:12.259 --> 00:00:14.240
the Washington State Association of Counties,

00:00:14.240 --> 00:00:16.640
where we dive into the legislative issues shaping

00:00:16.640 --> 00:00:19.079
the future of our communities. From budgets to

00:00:19.079 --> 00:00:22.019
public safety, infrastructure to elections, we'll

00:00:22.019 --> 00:00:24.660
break down what's happening in Olympia and how

00:00:24.660 --> 00:00:26.640
it impacts counties from across the Evergreen

00:00:26.640 --> 00:00:29.750
State. Stay informed, stay engaged, and join

00:00:29.750 --> 00:00:32.350
us as we amplify the voice of Washington's 39

00:00:32.350 --> 00:00:39.149
counties. Welcome back to County Connections,

00:00:39.210 --> 00:00:41.649
the podcast dedicated to navigating the ever

00:00:41.649 --> 00:00:43.649
-evolving world of county government in Washington.

00:00:43.850 --> 00:00:46.409
I'm Derek Young, Executive Director for the Washington

00:00:46.409 --> 00:00:49.170
State Association of Counties. As a leader in

00:00:49.170 --> 00:00:51.229
county government, you carry the weight of your

00:00:51.229 --> 00:00:53.630
community's trust. You are the steward of the

00:00:53.630 --> 00:00:56.890
most sensitive data, tax records, health information,

00:00:57.439 --> 00:00:59.820
Public safety details. You are the guarantor

00:00:59.820 --> 00:01:02.539
of the essential services that they rely on every

00:01:02.539 --> 00:01:05.500
single day. But what happens when 911 dispatch

00:01:05.500 --> 00:01:07.939
center goes silent? When a ransomware attack

00:01:07.939 --> 00:01:10.480
freezes the county clerk's office, halting property

00:01:10.480 --> 00:01:12.879
sales and marriage licenses? What happens when

00:01:12.879 --> 00:01:16.379
the public's trust begins to erode? Today, county

00:01:16.379 --> 00:01:18.459
governments are in the crosshairs of sophisticated

00:01:18.459 --> 00:01:21.400
cyber criminals. They know you operate with limited

00:01:21.400 --> 00:01:24.299
budgets and legacy technology. We'll see you

00:01:24.299 --> 00:01:54.930
next time. Thank you. I'm glad to be here. It's

00:01:54.930 --> 00:01:57.349
exciting. We've been talking about it for a while

00:01:57.349 --> 00:01:59.769
now, so it's great to finally be able to do this

00:01:59.769 --> 00:02:03.409
partnership. Yeah, I think we first chatted maybe...

00:02:03.790 --> 00:02:06.069
the beginning of the year or even last year at

00:02:06.069 --> 00:02:08.689
some point and finally had the chance to meet

00:02:08.689 --> 00:02:12.349
at our annual conference at NACO and get a chance

00:02:12.349 --> 00:02:14.870
to know a little more about Crow and what you

00:02:14.870 --> 00:02:17.050
all do. So appreciate you taking the time. Yeah,

00:02:17.110 --> 00:02:20.009
I appreciate you answering my cyber stalking.

00:02:20.009 --> 00:02:22.289
So, you know, that's helpful. Well, it's good

00:02:22.289 --> 00:02:24.569
that you mentioned that because we're going to

00:02:24.569 --> 00:02:28.569
get into it. Give us a little bit of a picture

00:02:28.569 --> 00:02:33.229
of what the threat landscape

00:02:33.229 --> 00:02:37.229
looks like for cybersecurity and county government

00:02:37.229 --> 00:02:40.189
or in local governments in general. It is wide

00:02:40.189 --> 00:02:45.229
ranging what the threat landscape would look

00:02:45.229 --> 00:02:49.870
like. But our number one successful tactic that

00:02:49.870 --> 00:02:52.490
we're seeing from threat actors is social engineering.

00:02:54.389 --> 00:02:57.250
Unfortunately, that means from a cybersecurity

00:02:57.250 --> 00:02:59.930
side, what can I do? Not as much. It's more about

00:02:59.930 --> 00:03:02.310
the education. It's listening to this podcast.

00:03:02.509 --> 00:03:05.030
Hopefully everyone's taking it seriously. It's

00:03:05.030 --> 00:03:08.590
every employee, every elected official's responsibility

00:03:08.590 --> 00:03:11.909
to think when it comes to that social engineering

00:03:11.909 --> 00:03:15.050
attack. And when I say social engineering, you

00:03:15.050 --> 00:03:17.849
probably just thought phishing, which is hugely

00:03:17.849 --> 00:03:23.759
successful, normal attack pattern. And so just

00:03:23.759 --> 00:03:27.180
to help define that is, you know, those emails

00:03:27.180 --> 00:03:30.560
that you get that say, Derek, click on this link

00:03:30.560 --> 00:03:35.180
and fill out this form for me, that gives

00:03:35.180 --> 00:03:38.819
me access to our network, basically. That's

00:03:38.819 --> 00:03:40.699
what you're talking about. Yeah. And it used

00:03:40.699 --> 00:03:44.840
to be very generic and it could have been misspelled

00:03:44.840 --> 00:03:48.819
words. But with the introduction of artificial

00:03:48.819 --> 00:03:51.539
intelligence, especially generative AI, I think

00:03:51.539 --> 00:03:54.939
like a chat GPT, the threat actors are able to

00:03:54.939 --> 00:03:57.979
write sophisticated emails that make you think

00:03:57.979 --> 00:04:01.479
your password needs to be reset, that your benefits

00:04:01.479 --> 00:04:04.659
are changing, and to log in to see what those

00:04:04.659 --> 00:04:06.400
changes look like. And what they're trying to

00:04:06.400 --> 00:04:10.069
get you to do is click a link or download something

00:04:10.069 --> 00:04:12.810
to your computer, open up a file, and they're

00:04:12.810 --> 00:04:15.550
doing that through anxiety. They're trying to

00:04:15.550 --> 00:04:18.550
make you concerned or want to know why something's

00:04:18.550 --> 00:04:22.029
happening, creating a sense of urgency, so that

00:04:22.029 --> 00:04:24.750
way they can gain access to your environment,

00:04:24.850 --> 00:04:28.290
whether it's your email and nothing further than

00:04:28.290 --> 00:04:31.629
that, or into the actual county environment.

00:04:34.060 --> 00:04:36.819
That's what we're seeing is the top attack right

00:04:36.819 --> 00:04:40.079
now. But it does go beyond what we were describing

00:04:40.079 --> 00:04:43.500
with those emails. We're really seeing a movement

00:04:43.500 --> 00:04:47.079
towards text messages at this point. Oh, interesting.

00:04:47.240 --> 00:04:50.240
Where you're getting a text message. And the

00:04:50.240 --> 00:04:53.660
latest one we saw is DMV. I don't know if in

00:04:53.660 --> 00:04:55.759
Washington you've been getting those. But over

00:04:55.759 --> 00:04:58.199
the summer, I got a lot of them that said the

00:04:58.199 --> 00:05:02.220
DMV didn't get your records or your registration

00:05:02.220 --> 00:05:08.199
is about to expire. Lots of toll. Yeah, the toll

00:05:08.199 --> 00:05:12.170
one. That's a big one. Somehow, I've never been

00:05:12.170 --> 00:05:15.810
to Mississippi, but I had overdue tolls there

00:05:15.810 --> 00:05:19.790
that I had to pay. That's a two-part attack

00:05:19.790 --> 00:05:22.170
because it's not a link. There's nothing in that

00:05:22.170 --> 00:05:26.149
text. What you do then go to is Google or some

00:05:26.149 --> 00:05:29.930
sort of search engine, and you type in Mississippi

00:05:29.930 --> 00:05:34.329
DMV, and most people just click the first link.

00:05:34.810 --> 00:05:36.970
But that first link is a sponsored link. It's

00:05:36.970 --> 00:05:39.490
a paid link. Oh, wow. Threat actors are paying

00:05:39.490 --> 00:05:43.689
to get their fake links on search engines. So

00:05:43.689 --> 00:05:46.930
what we advise is never click on a sponsored

00:05:46.930 --> 00:05:49.290
or an advertisement. Always look for the ones

00:05:49.290 --> 00:05:52.490
that don't say that on the links. That's incredible

00:05:52.490 --> 00:05:58.930
because they're reducing your distrust of clicking

00:05:58.930 --> 00:06:03.370
on their link by having a secondary step that

00:06:03.370 --> 00:06:09.689
I'm now taking on my own part. But they've planned

00:06:09.689 --> 00:06:12.069
ahead and get you to click on that link through

00:06:12.069 --> 00:06:16.870
the sponsorship. That's diabolical. Well, threat

00:06:16.870 --> 00:06:19.209
actors, this is a business for them. They're

00:06:19.209 --> 00:06:22.389
millions of dollars a year just from public sector

00:06:22.389 --> 00:06:25.610
alone. They have to keep outthinking what we're

00:06:25.610 --> 00:06:28.209
doing. So as we're evolving, they have to evolve

00:06:28.209 --> 00:06:32.269
in order to be successful. So you talk about

00:06:32.269 --> 00:06:34.430
it as social engineering. And what that really

00:06:34.430 --> 00:06:38.170
means is that, you know, in the movies, we see,

00:06:38.170 --> 00:06:42.129
you know, the cyber criminals behind a keyboard

00:06:42.129 --> 00:06:45.050
rapidly, like typing out something like, you

00:06:45.050 --> 00:06:47.149
know, that's how you attack it. It's like an

00:06:47.149 --> 00:06:51.810
artillery barrage of keystrokes. When in reality,

00:06:51.910 --> 00:06:56.569
it's more like, you know, playing on human

00:06:56.569 --> 00:06:59.870
behavior and finding the weak links in the organization

00:06:59.870 --> 00:07:03.610
that are going to expose the organization

00:07:03.610 --> 00:07:06.509
effectively. So is that what you're

00:07:06.509 --> 00:07:08.949
getting at? Yeah. When you say that, all I could

00:07:08.949 --> 00:07:11.470
think of is the movies where they're like, oh,

00:07:11.470 --> 00:07:13.389
they're being rerouted, they're bouncing over

00:07:13.389 --> 00:07:15.189
to this part of Europe, now they're going into

00:07:15.189 --> 00:07:17.550
Africa, I'm following them, I'm almost caught up

00:07:17.550 --> 00:07:20.430
to where they are, they keep redirecting. Yeah,

00:07:20.430 --> 00:07:23.189
it's none of that. What we're seeing is threat

00:07:23.189 --> 00:07:25.990
actors, sometimes in English-speaking countries,

00:07:25.990 --> 00:07:29.410
most times not, operating while we're sleeping.

00:07:29.410 --> 00:07:31.819
That's their, you know, because of the change in

00:07:31.819 --> 00:07:34.600
times, that's when they're awake. They're attacking

00:07:34.600 --> 00:07:38.279
through psychological warfare. They're getting

00:07:38.279 --> 00:07:42.279
to the anxieties, our urgencies. When it comes

00:07:42.279 --> 00:07:46.120
to the social engineering attacks, when it comes

00:07:46.120 --> 00:07:48.800
to the threat landscape as far as your networks

00:07:48.800 --> 00:07:52.759
go, they're very... They have very few tactics

00:07:52.759 --> 00:07:55.360
and techniques that are successful and they just

00:07:55.360 --> 00:07:57.620
exploit those same ones over and over. There's

00:07:57.620 --> 00:08:01.100
only about 250 total tactics and techniques that

00:08:01.100 --> 00:08:03.680
threat actors use to get into our environment.

00:08:03.800 --> 00:08:06.000
But they work and they work really well. And

00:08:06.000 --> 00:08:08.600
it's just minor adjustments that they're making,

00:08:08.699 --> 00:08:11.500
not a full on change of how they're operating.

00:08:11.740 --> 00:08:15.860
Gotcha. You know, it kind of reminds me of, like,

00:08:15.860 --> 00:08:20.740
the way people rob banks. Because

00:08:20.740 --> 00:08:24.019
I used to be in banking, there's the ones

00:08:24.019 --> 00:08:27.740
you see in a movie, which usually are takeover,

00:08:27.740 --> 00:08:30.420
and those exist. They're very scary and very

00:08:30.420 --> 00:08:33.899
dangerous, but they're also extremely rare

00:08:33.899 --> 00:08:36.779
because, you know, usually those are the ones

00:08:36.779 --> 00:08:40.200
that get caught. The person that passes a note

00:08:40.200 --> 00:08:43.019
and is careful about, you know, what they're

00:08:43.019 --> 00:08:45.590
doing to get around your security measures are

00:08:45.590 --> 00:08:48.669
unfortunately often very successful. So it's

00:08:48.669 --> 00:08:53.169
less brute force and more, you know, permissive,

00:08:53.169 --> 00:08:55.309
so to speak. Yeah, the threat actors don't want

00:08:55.309 --> 00:08:57.450
to be caught. So they're going to do what they

00:08:57.450 --> 00:09:00.210
can to be quiet. When it comes to an actual attack

00:09:00.210 --> 00:09:03.669
on the network, the number one technique we're

00:09:03.669 --> 00:09:07.309
seeing right now is through the VPN. So if you

00:09:07.309 --> 00:09:11.309
have remote workers, if your county allows for

00:09:11.309 --> 00:09:13.860
people to work remotely, that is going to be

00:09:13.860 --> 00:09:15.539
the number one way that they're going to try

00:09:15.539 --> 00:09:17.799
and get into your environment outside of that

00:09:17.799 --> 00:09:20.879
social engineering. And it's through either brute

00:09:20.879 --> 00:09:23.039
force password breaking, which is just trying

00:09:23.039 --> 00:09:25.139
passwords over and over again until one works,

00:09:25.240 --> 00:09:28.559
or going on the dark web and seeing if there's

00:09:28.559 --> 00:09:32.070
old passwords that are still usable for your

00:09:32.070 --> 00:09:35.570
VPN. And I could name an example every single

00:09:35.570 --> 00:09:38.090
month, at least one a month where we're working

00:09:38.090 --> 00:09:42.070
with counties because they had a ransomware.

00:09:42.070 --> 00:09:46.470
So their environment gets encrypted through

00:09:46.470 --> 00:09:50.730
them getting in by the VPN. You know, it's a

00:09:50.730 --> 00:09:54.070
necessary danger that we have by those VPNs.

00:09:54.070 --> 00:09:57.419
Yeah. And that's particularly scary since

00:09:57.419 --> 00:09:59.940
these days, almost everyone has a lot of remote

00:09:59.940 --> 00:10:03.399
workers. And so if there's lots of paths in there,

00:10:03.519 --> 00:10:06.259
they have lots of different access that maybe

00:10:06.259 --> 00:10:08.240
in the old days when you needed to be on site

00:10:08.240 --> 00:10:12.519
didn't exist. So you kind of touched on ransomware

00:10:12.519 --> 00:10:14.360
there, which is what I wanted to get to next.

00:10:14.580 --> 00:10:20.080
And talk to me about what their goal is. Why

00:10:20.080 --> 00:10:22.580
are they breaking into these systems? Or why

00:10:22.580 --> 00:10:25.559
are they injecting in ransomware or malware,

00:10:25.820 --> 00:10:28.639
whatever you want to call it? What's the outcome

00:10:28.639 --> 00:10:30.820
they're looking for? Sure. And it depends on

00:10:30.820 --> 00:10:33.159
the threat actor. If we're talking ransomware,

00:10:33.240 --> 00:10:36.659
most likely it's organized crime. But there are

00:10:36.659 --> 00:10:40.019
other... hackers that are getting into your environment,

00:10:40.139 --> 00:10:43.340
such as nation states like China, Russia, Iran,

00:10:43.539 --> 00:10:45.879
North Korea. I'm happy to talk about those. But

00:10:45.879 --> 00:10:47.919
when it comes to ransomware, that's specifically

00:10:47.919 --> 00:10:51.320
organized crime like Qilin or Scattered Spider.

00:10:51.559 --> 00:10:54.100
Those are two very popular organizations right

00:10:54.100 --> 00:10:57.259
now. And Qilin is the number one that's going

00:10:57.259 --> 00:11:00.779
to hit the public sector, whether it's state,

00:11:00.919 --> 00:11:05.230
local, city, tribal. They are hitting with vengeance

00:11:05.230 --> 00:11:08.990
right now. About 50 a month, Qilin is successfully

00:11:08.990 --> 00:11:12.210
ransoming different entities, whether it's public

00:11:12.210 --> 00:11:14.950
or private sector. So they are the number one

00:11:14.950 --> 00:11:17.450
out there right now, and they're looking for

00:11:17.450 --> 00:11:22.889
a payout. Whether it is you paying directly or

00:11:22.889 --> 00:11:26.789
selling the information to get money from another

00:11:26.789 --> 00:11:29.730
threat actor, it's organized crime. This is a

00:11:29.730 --> 00:11:31.570
business with hierarchy. They have a leader.

00:11:31.690 --> 00:11:34.490
They have KPIs that they have to meet every month.

00:11:34.809 --> 00:11:38.789
They have their own HR team, their own help desk.

00:11:38.929 --> 00:11:44.230
It is very organized crime. a county trying to

00:11:44.230 --> 00:11:46.330
protect against kids in their mom's basement

00:11:46.330 --> 00:11:49.370
kind of hacking. This is a multi-million dollar

00:11:49.370 --> 00:11:52.789
business that we're trying to prevent. I love

00:11:52.789 --> 00:11:57.129
the idea of a gang of cyber criminals going over

00:11:57.129 --> 00:12:01.590
their weekly KPIs just to make sure the team

00:12:01.590 --> 00:12:06.490
is staying profitable. On that note, I love sharing

00:12:06.490 --> 00:12:09.450
stories just to make sure to hit home how real

00:12:09.450 --> 00:12:13.480
it is. Earlier this year, I was working with

00:12:13.480 --> 00:12:19.139
one ransomware with a county, and they were asking

00:12:19.139 --> 00:12:23.179
for $2 million. And we come back and said, no,

00:12:23.399 --> 00:12:27.759
we can do $200,000. That's all we can do. And

00:12:27.759 --> 00:12:30.120
they countered, and we're countering back and

00:12:30.120 --> 00:12:33.080
forth. And it got to the point where the threat

00:12:33.080 --> 00:12:36.799
actor that we're talking to said, I have to go

00:12:36.799 --> 00:12:40.100
talk to my boss. Hold on a second. So just to

00:12:40.100 --> 00:12:43.039
think, you know, I have to talk to my boss. It's

00:12:43.039 --> 00:12:46.759
a very real organization. And another one

00:12:46.759 --> 00:12:48.919
that we talked about that feels like a car sales

00:12:48.919 --> 00:12:51.940
or like, you know, when you go back and forth

00:12:51.940 --> 00:12:53.440
and like, I'm going to have to go back to my

00:12:53.440 --> 00:12:56.720
sales manager here. Yeah. And it's very psychological

00:12:56.720 --> 00:13:00.759
back from us to them. At Crow, we have a team

00:13:00.759 --> 00:13:02.940
that specializes in talking to threat actors

00:13:02.940 --> 00:13:05.600
because we sometimes have to hurry them up because

00:13:05.600 --> 00:13:09.100
they're too slow. Other times the threat actor

00:13:09.100 --> 00:13:12.419
is anxious and we have to calm them down so that

00:13:12.419 --> 00:13:16.159
way they don't just exploit or put our clients'

00:13:16.240 --> 00:13:20.279
data out on the dark web. So it is very psychological

00:13:20.279 --> 00:13:22.700
when we're trying to work with them. But it goes

00:13:22.700 --> 00:13:25.399
back to that organized crime. They're looking

00:13:25.399 --> 00:13:28.259
to, it used to be what they wanted to do was

00:13:28.259 --> 00:13:31.639
just encrypt the hard drives. And then they would

00:13:31.639 --> 00:13:34.679
say, you know, pay us $500,000, we'll give you

00:13:34.679 --> 00:13:37.299
your hard drives back. But thankfully, we've

00:13:37.299 --> 00:13:40.759
been evolving as counties and organizations,

00:13:40.980 --> 00:13:45.100
and we're starting to do better backups. Because

00:13:45.100 --> 00:13:47.159
of that, organized crime needs to figure out

00:13:47.159 --> 00:13:49.340
a way to adapt. And they're now introducing,

00:13:49.340 --> 00:13:51.559
over the last couple of years, double extortion

00:13:51.559 --> 00:13:54.580
is what we call it. Not only do they encrypt

00:13:54.580 --> 00:13:56.740
the devices, they try and delete the backups.

00:13:56.860 --> 00:13:58.799
But if they can't, they're still going to encrypt

00:13:58.799 --> 00:14:01.659
it. But then they threaten to put the data on

00:14:01.659 --> 00:14:04.639
the dark web. And that's where we're seeing just

00:14:04.639 --> 00:14:07.820
as many payouts coming from, is that data being

00:14:07.820 --> 00:14:10.440
threatened to be exploited on the dark web than

00:14:10.440 --> 00:14:12.399
we are actually because of backups at this point.

00:14:12.500 --> 00:14:15.679
Oh, wow. In August alone, there were three different

00:14:15.679 --> 00:14:17.720
counties that paid, even though they had good

00:14:17.720 --> 00:14:20.639
backups, because of the sensitivity of the data.

00:14:20.899 --> 00:14:25.639
Yeah, that's scary. So that's the organized crime

00:14:25.639 --> 00:14:30.240
aspect of the risk. Profit motive, very clear.

00:14:30.559 --> 00:14:34.519
They want to get paid and get out. You briefly

00:14:34.519 --> 00:14:38.799
touched on the potentially scary one, and that's...

00:14:39.710 --> 00:14:43.669
national actors. Tell me a little bit about what

00:14:43.669 --> 00:14:46.309
their motivations might be and what they might

00:14:46.309 --> 00:14:49.149
be looking for in county government databases.

00:14:49.610 --> 00:14:51.690
From a county perspective, organized crime would

00:14:51.690 --> 00:14:54.210
be your number one target. Threat actors are

00:14:54.210 --> 00:14:57.450
going after the counties. But when it comes to

00:14:57.450 --> 00:14:59.870
nation states, they all act, think, and want

00:14:59.870 --> 00:15:03.529
different things from the United States. Going

00:15:03.529 --> 00:15:06.309
down the list, China is very much interested

00:15:06.309 --> 00:15:11.240
right now in ISPs, your internet service providers.

00:15:11.740 --> 00:15:14.200
They're always looking to try and get into your

00:15:14.200 --> 00:15:16.580
Department of Defense and anything tangentially

00:15:16.580 --> 00:15:19.860
related. Think F-22s when they stole all that

00:15:19.860 --> 00:15:22.879
information. But when it comes to counties, it's

00:15:22.879 --> 00:15:25.259
the internet service providers. And why they

00:15:25.259 --> 00:15:26.860
want to get in there is they're trying to get

00:15:26.860 --> 00:15:30.500
into your AT&amp;Ts, your Verizons, so that way

00:15:30.500 --> 00:15:33.419
they can monitor that traffic leaving your environment.

00:15:33.679 --> 00:15:36.320
And they can start to see what data is going

00:15:36.320 --> 00:15:40.320
back and forth. spy on us. They're not interested

00:15:40.320 --> 00:15:41.940
in ransomware. They're not trying to get money

00:15:41.940 --> 00:15:44.519
from us. They're just trying to know how we think,

00:15:44.559 --> 00:15:47.419
what we're talking about, and any sensitivities

00:15:47.419 --> 00:15:51.059
that they could exploit at a future time. Russia

00:15:51.059 --> 00:15:54.740
is more in the now. Because of their conflict

00:15:54.740 --> 00:15:58.320
with Ukraine, their focus is on infrastructure.

00:15:58.700 --> 00:16:01.059
Where could they hurt us? Where could they hurt

00:16:01.059 --> 00:16:04.919
Ukraine? And what does that target look like?

00:16:05.480 --> 00:16:08.480
What I find interesting is Iran is not doing

00:16:08.480 --> 00:16:10.700
much of anything. They used to be a bigger player,

00:16:10.840 --> 00:16:13.879
but over the last, we'll say, year, I'm not sure

00:16:13.879 --> 00:16:17.480
exactly how long, they've gone very silent. And

00:16:17.480 --> 00:16:20.299
that's not normal for them. So it's interesting

00:16:20.299 --> 00:16:23.679
to see that they're pretty quiet right now. And

00:16:23.679 --> 00:16:28.320
North Korea is focused on trying to get monetary

00:16:28.320 --> 00:16:31.279
theft from us. With all the sanctions we have

00:16:31.279 --> 00:16:35.279
against North Korea and how... isolated they

00:16:35.279 --> 00:16:36.960
are, they're trying to figure out ways to make

00:16:36.960 --> 00:16:40.279
money. Sure. And I guess you could say they're

00:16:40.279 --> 00:16:43.320
very much more along a criminal enterprise. Yes,

00:16:43.480 --> 00:16:45.820
definitely. It's not just cyber. They're constantly

00:16:45.820 --> 00:16:48.580
stealing other stuff. And which is, you know,

00:16:48.580 --> 00:16:50.360
when you're desperate, I suppose that makes sense.

00:16:50.559 --> 00:16:55.100
Are there any countries that people

00:16:55.100 --> 00:16:59.919
would find surprising that that are risk to us

00:16:59.919 --> 00:17:03.299
in our cybersecurity? We do see other nations

00:17:03.960 --> 00:17:07.559
interested in us. There are some South American

00:17:07.559 --> 00:17:12.160
countries. I'm always cautious because we are

00:17:12.160 --> 00:17:17.730
being in the government for many years. It's

00:17:17.730 --> 00:17:21.170
not one way. Sure. There's an argument that could

00:17:21.170 --> 00:17:24.829
say we started it when it comes to how nation

00:17:24.829 --> 00:17:27.390
states act with the thinking and just trying

00:17:27.390 --> 00:17:29.490
to learn how things are going. But yeah, there

00:17:29.490 --> 00:17:32.289
are countries all over Europe, Africa, South

00:17:32.289 --> 00:17:35.710
America that are interested in learning our secrets

00:17:35.710 --> 00:17:38.970
and trying to get in. But they're very much like

00:17:38.970 --> 00:17:42.089
a China where they're trying to learn. They're

00:17:42.089 --> 00:17:43.970
not trying to be disruptive. Yeah, it's more

00:17:43.970 --> 00:17:46.349
traditional intelligence gathering. Exactly.

00:17:46.859 --> 00:17:49.519
You know, trade secrets, you know, businesses,

00:17:49.599 --> 00:17:53.359
you know, things like that. That makes sense

00:17:53.359 --> 00:17:56.400
to me. Maybe not always something that is on

00:17:56.400 --> 00:17:58.539
a county radar, but in some cases could be, you

00:17:58.539 --> 00:18:01.019
know, we have, you know, members that have relationships

00:18:01.019 --> 00:18:04.599
with large industrial companies that might have

00:18:04.599 --> 00:18:08.019
some information that would be valuable to other

00:18:08.019 --> 00:18:12.019
companies and other countries, but not necessarily,

00:18:12.059 --> 00:18:15.160
you know, what we would see as dangerous per

00:18:15.160 --> 00:18:18.200
se. Yeah. What we would be looking for also in

00:18:18.200 --> 00:18:22.579
Washington for your counties would be the relationship

00:18:22.579 --> 00:18:26.380
with some businesses. You have some pretty large

00:18:26.380 --> 00:18:29.299
businesses that are well known in Washington.

00:18:29.359 --> 00:18:32.599
And the idea would be if we could get into a

00:18:32.599 --> 00:18:34.980
county which typically doesn't have the same

00:18:34.980 --> 00:18:38.400
resources to prevent it, is there a backdoor

00:18:38.400 --> 00:18:42.190
into those businesses? So I could... I see Washington

00:18:42.190 --> 00:18:44.569
as being an avenue for that also. So that'd be

00:18:44.569 --> 00:18:47.230
something to, you know, what could raise the

00:18:47.230 --> 00:18:51.710
alarm for counties there. Yeah, definitely a

00:18:51.710 --> 00:18:54.250
few large companies that have relationships with

00:18:54.250 --> 00:18:56.869
our members. And you know who I'm talking about.

00:18:56.910 --> 00:19:00.970
I don't want to name any names here. Yes. So

00:19:00.970 --> 00:19:05.009
talk about how counties can protect themselves

00:19:05.009 --> 00:19:08.430
because this is very much not the normal, like,

00:19:08.529 --> 00:19:11.410
you know, we put up fences to protect ourselves

00:19:11.410 --> 00:19:15.750
from, you know, predators. It's they're using

00:19:15.750 --> 00:19:20.569
us to get into the hen house, so to speak. So

00:19:20.569 --> 00:19:23.450
what can counties do to protect their systems?

00:19:23.609 --> 00:19:27.339
Before going into the systems, it's really focusing

00:19:27.339 --> 00:19:30.859
on education. I've seen many counties that say,

00:19:30.940 --> 00:19:32.640
you know, I'm a smaller county, I'm a mid-sized

00:19:32.640 --> 00:19:35.359
county. I don't have the resources or I don't

00:19:35.359 --> 00:19:37.720
have the personnel. We're just trying to get

00:19:37.720 --> 00:19:40.519
IT working. We're trying to make sure that everyone

00:19:40.519 --> 00:19:44.559
has the laptops to do their job. That is always

00:19:44.559 --> 00:19:46.519
number one, right? We have to make sure the employees

00:19:46.519 --> 00:19:49.440
are able to meet the expectations of the constituents

00:19:49.440 --> 00:19:55.559
in Washington. But through education and awareness

00:19:55.559 --> 00:19:59.440
like this podcast and future webinars, hopefully

00:19:59.440 --> 00:20:01.700
that through the association, there's a lot of

00:20:01.700 --> 00:20:04.119
free content out there. Just making sure that

00:20:04.119 --> 00:20:06.420
everyone knows that this is real. This is something

00:20:06.420 --> 00:20:09.519
that involves them directly. Their part goes

00:20:09.519 --> 00:20:11.359
through that social engineering attack. How to

00:20:11.359 --> 00:20:16.940
prevent that. We saw in July that there was

00:20:18.039 --> 00:20:20.519
a successful attack through what we call a business

00:20:20.519 --> 00:20:23.859
email compromise, where the accounting department

00:20:23.859 --> 00:20:28.400
paid out $300 ,000 to a threat actor when they

00:20:28.400 --> 00:20:31.960
thought it was to their vendor. So there's nothing

00:20:31.960 --> 00:20:34.880
IT could do to prevent that. That is an education

00:20:34.880 --> 00:20:38.160
and awareness. And that's where it starts from

00:20:38.160 --> 00:20:42.420
a server side or that in the weeds, the geek

00:20:42.420 --> 00:20:46.859
side of things. It's looking at it from a multi,

00:20:48.029 --> 00:20:51.349
approach. We call it a defense in depth strategy.

00:20:52.589 --> 00:20:55.769
Try and keep the threat actors out. But you have

00:20:55.769 --> 00:20:58.869
to assume they're going to get in. When they

00:20:58.869 --> 00:21:01.710
do get in, we're trying to identify that they're

00:21:01.710 --> 00:21:04.289
in there as quickly as possible and make it as

00:21:04.289 --> 00:21:06.849
difficult as possible to move around inside the

00:21:06.849 --> 00:21:09.130
environment. But we have to assume they're going

00:21:09.130 --> 00:21:12.710
to get to the servers themselves. When they are

00:21:12.710 --> 00:21:15.930
on there, how can we isolate that server to keep

00:21:15.930 --> 00:21:18.190
the rest of the environment operating instead

00:21:18.190 --> 00:21:21.549
of the other way around? If the threat actors

00:21:21.549 --> 00:21:25.349
aren't able to do a ransomware on us, but they

00:21:25.349 --> 00:21:27.849
still take down our network because we isolated

00:21:27.849 --> 00:21:31.430
everything, they still won. We're still disrupting

00:21:31.430 --> 00:21:35.460
the counties. And to think of the... prison systems,

00:21:35.700 --> 00:21:38.099
not being able to access the data that they need

00:21:38.099 --> 00:21:39.700
for the sheriffs, not be able to communicate

00:21:39.700 --> 00:21:43.680
with 911, not being able to pay the employees.

00:21:43.900 --> 00:21:48.059
That is very disruptive to a county. So whether

00:21:48.059 --> 00:21:51.240
or not you paid a ransom doesn't matter at that

00:21:51.240 --> 00:21:54.759
point. They were successful in disrupting our

00:21:54.759 --> 00:21:58.180
way of living. And so being able to isolate the

00:21:58.180 --> 00:22:00.559
problem, not isolate everything else, is really

00:22:00.559 --> 00:22:04.309
that last step that we're looking for. It starts

00:22:04.309 --> 00:22:07.549
with your remote access. When you're dialing

00:22:07.549 --> 00:22:09.869
in, when you're logging in. See, that's how old

00:22:09.869 --> 00:22:12.210
I sound right there. I said dialing in. No one

00:22:12.210 --> 00:22:14.930
knows what a dial-up is anymore. But when you're

00:22:14.930 --> 00:22:18.690
logging in and you're annoyed with that multi-factor

00:22:18.690 --> 00:22:20.730
authentication, and hopefully you do

00:22:20.730 --> 00:22:25.630
have MFA, just be thankful that your county IT...

00:22:26.089 --> 00:22:29.609
put MFA on there, trying to help stop the threat

00:22:29.609 --> 00:22:32.029
actors from being able to enter. When they make

00:22:32.029 --> 00:22:35.109
you reset passwords on a regular basis that are

00:22:35.109 --> 00:22:38.970
complex, 15 characters long, it's to prevent

00:22:38.970 --> 00:22:42.049
a brute force attack. It's to prevent going...

00:22:42.970 --> 00:22:45.170
known passwords that were exploited on the dark

00:22:45.170 --> 00:22:48.190
web from being successful. You know, I'm looking

00:22:48.190 --> 00:22:50.950
at my sheet right here and I'm counting 12 different

00:22:50.950 --> 00:22:54.190
ransomwares over the past six months that were

00:22:54.190 --> 00:22:57.589
from VPNs being exploited and then being able

00:22:57.589 --> 00:23:00.049
to move around inside the environment and that

00:23:00.049 --> 00:23:03.329
they all paid the ransom either because of backups

00:23:03.329 --> 00:23:05.690
or because of that sensitive to the data. Wow.

00:23:05.849 --> 00:23:09.210
That's, that's interesting. So tell me about,

00:23:09.329 --> 00:23:12.420
I'm sure you've got some great stories and examples

00:23:12.420 --> 00:23:17.420
of, um, uh, of incidents that happened and, you

00:23:17.420 --> 00:23:20.880
know, what was the outcome and give me a couple

00:23:20.880 --> 00:23:23.660
examples, maybe of counties, if you have any

00:23:23.660 --> 00:23:28.900
of, uh, of, uh, successful hacks. Looking through

00:23:28.900 --> 00:23:31.220
the different ways that can happen, I can definitely

00:23:31.220 --> 00:23:35.480
talk to, uh, all sorts of examples, but one that's

00:23:35.480 --> 00:23:38.680
been, I've been focusing a lot on lately, is

00:23:38.680 --> 00:23:40.940
vendors, which sounds weird because technically

00:23:40.940 --> 00:23:45.019
I am a vendor. But vendor, IT, or a partner, however

00:23:45.019 --> 00:23:48.079
you want to use that word, we, we should be the

00:23:48.079 --> 00:23:51.319
greatest asset to a county, and counties should

00:23:51.319 --> 00:23:54.059
use vendors. But they also have to be careful

00:23:54.059 --> 00:23:57.700
because they don't control the vendor. So whether

00:23:57.700 --> 00:24:01.859
it's another entity connecting, uh, software, a

00:24:01.859 --> 00:24:05.529
server in your environment, you need to have some

00:24:05.529 --> 00:24:08.329
sort of protection against things you can't as

00:24:08.329 --> 00:24:11.150
a county control. And an example of that is in

00:24:11.150 --> 00:24:14.150
the Southwest. In March, they got hit with a

00:24:14.150 --> 00:24:16.849
ransomware and took down their entire environment.

00:24:16.970 --> 00:24:18.849
They didn't have any backup solution in place.

00:24:19.049 --> 00:24:21.390
They refused to pay still, so they just rebuilt

00:24:21.390 --> 00:24:24.809
from scratch. But they were taken down because

00:24:24.809 --> 00:24:27.769
of a third-party software. It was exploited.

00:24:28.429 --> 00:24:32.170
That company was ransomed, and by doing so, it

00:24:32.170 --> 00:24:35.509
moved Encrypt into the county environment. The

00:24:35.509 --> 00:24:37.230
threat actor didn't even know they took down

00:24:37.230 --> 00:24:38.569
the county. They thought they were going after

00:24:38.569 --> 00:24:41.470
just a business. Oh, wow. But it ended up crippling

00:24:41.470 --> 00:24:44.410
for three weeks the county from being able to

00:24:44.410 --> 00:24:47.880
do anything. So we had to stand up laptops from

00:24:47.880 --> 00:24:51.740
Best Buy and wireless routers and, you know,

00:24:51.740 --> 00:24:54.480
connecting to the local cell phone towers to

00:24:54.480 --> 00:24:56.220
be able to give them some sort of business while

00:24:56.220 --> 00:24:59.160
we rebuilt their entire environment from a vendor.

00:24:59.480 --> 00:25:03.019
Wow. So because they didn't end up paying, they

00:25:03.019 --> 00:25:06.039
had to rebuild everything? Like it was literally

00:25:06.039 --> 00:25:09.519
from scratch? Yeah. And even when you have backups,

00:25:09.819 --> 00:25:13.299
not too many people understand how it's still

00:25:13.299 --> 00:25:17.539
a slow process. When you get hit with the ransomware,

00:25:17.700 --> 00:25:21.380
the first step is to call your insurance provider

00:25:21.380 --> 00:25:24.160
and then they're going to get counsel involved.

00:25:24.339 --> 00:25:27.339
And counsel is usually the one that hires companies

00:25:27.339 --> 00:25:29.460
like mine because that way you have that attorney

00:25:29.460 --> 00:25:32.759
client privilege. Right. That will call that

00:25:32.759 --> 00:25:35.880
a day. From there, we have to scope and contain.

00:25:36.019 --> 00:25:38.579
We have to understand where is the threat actor's

00:25:38.579 --> 00:25:40.279
movements in the environment because we don't

00:25:40.279 --> 00:25:42.220
want to bring you back online if the threat actor

00:25:42.220 --> 00:25:43.720
is still in the environment or we don't know

00:25:43.720 --> 00:25:45.619
how they got in because they could just get back

00:25:45.619 --> 00:25:48.440
in a second time. That's a couple more days.

00:25:48.740 --> 00:25:50.339
And then we're going to start to say, what are

00:25:50.339 --> 00:25:53.579
the most critical servers or applications that

00:25:53.579 --> 00:25:55.720
you need brought online? And typically that's

00:25:55.720 --> 00:25:57.880
the sheriff's department and accounting departments.

00:25:58.980 --> 00:26:01.380
You know, best case scenario with good backups,

00:26:01.500 --> 00:26:03.500
you're talking a week before you're back online.

00:26:03.980 --> 00:26:06.240
And that's your best case scenario. So then you

00:26:06.240 --> 00:26:09.259
say, how good are your backups? How quickly did

00:26:09.259 --> 00:26:12.980
you call us? Two, three weeks later, you're finally

00:26:12.980 --> 00:26:18.440
back online. It is, it's a journey. And, you

00:26:18.440 --> 00:26:21.079
know, I think of the city in Texas that chose

00:26:21.079 --> 00:26:23.380
not to pay. We didn't work this one, but we chose,

00:26:23.400 --> 00:26:25.940
they chose not to pay. They didn't have good

00:26:25.940 --> 00:26:28.380
backups. It's been six months and they're still

00:26:28.380 --> 00:26:30.819
rebuilding their infrastructure. Incredible.

00:26:30.920 --> 00:26:33.579
I mean, I can't imagine how disruptive that is,

00:26:33.700 --> 00:26:36.200
you know, not only to the government, but to

00:26:36.200 --> 00:26:38.880
that community, you know, just that relies on

00:26:38.880 --> 00:26:44.339
those services. It just is a local example. The

00:26:44.339 --> 00:26:46.900
I don't know what happened to I never did hear

00:26:46.900 --> 00:26:49.660
them say it publicly, but the our court system,

00:26:49.759 --> 00:26:52.799
the entire court systems websites were down for

00:26:52.799 --> 00:26:56.279
like, I want to say a month and a half, something

00:26:56.279 --> 00:27:00.779
along those lines. And it was just incredibly

00:27:00.779 --> 00:27:04.940
disruptive. And I can't even imagine if you have

00:27:04.940 --> 00:27:07.960
like a whole county system, you know, basically.

00:27:08.670 --> 00:27:11.849
offline for that much time. Yeah, it's very disruptive.

00:27:12.089 --> 00:27:15.349
And unless you experience it, you just truly

00:27:15.349 --> 00:27:18.109
can't understand how long it can take and how

00:27:18.109 --> 00:27:22.250
disruptive it really is. I highly recommend every

00:27:22.250 --> 00:27:25.230
county do tabletop exercises and at least run

00:27:25.230 --> 00:27:28.309
through the scenarios. Bring in your vendors,

00:27:28.410 --> 00:27:31.029
your most reliable or critical vendors. Bring

00:27:31.029 --> 00:27:35.089
in counsel and run through that scenario. If

00:27:35.089 --> 00:27:38.869
you need help, maybe... association or counties

00:27:38.869 --> 00:27:44.029
near you, we can help. But the more you can practice

00:27:44.029 --> 00:27:46.589
bringing everything back online and what that

00:27:46.589 --> 00:27:49.390
looks like and how things are affected, the faster

00:27:49.390 --> 00:27:52.130
you can make the decisions and get to recovery

00:27:52.130 --> 00:27:55.150
in the actual incident when it does occur. What

00:27:55.150 --> 00:27:57.509
I like to remind people is not usually an if,

00:27:57.609 --> 00:28:00.910
it's a when you're going to get hit. And with

00:28:00.910 --> 00:28:02.789
that kind of mentality, you can better prepare

00:28:02.789 --> 00:28:05.640
for that cybersecurity protection. Yeah, that

00:28:05.640 --> 00:28:09.759
seems like a good strategy. So and this is part

00:28:09.759 --> 00:28:12.119
of the part of the conversation that we had at

00:28:12.119 --> 00:28:14.160
the conference that I was most interested in.

00:28:14.819 --> 00:28:20.299
That seems almost absurd, but it's the it's the

00:28:20.299 --> 00:28:23.799
part where you you've you've been you you've

00:28:23.799 --> 00:28:28.319
have a ransom ransomware incident and have received

00:28:28.319 --> 00:28:31.480
some sort of communication with the actor. Talk

00:28:31.480 --> 00:28:35.130
about what those, what those communications with

00:28:35.130 --> 00:28:38.930
them looks like, because it's not at all what

00:28:38.930 --> 00:28:41.970
I expected. I think at one point you said your

00:28:41.970 --> 00:28:44.470
negotiators, you know, earlier you mentioned

00:28:44.470 --> 00:28:46.690
that they they need to speed them up or slow

00:28:46.690 --> 00:28:49.349
them down, depending on. So they're using kind

00:28:49.349 --> 00:28:53.390
of some human engineering, even going the other

00:28:53.390 --> 00:28:55.289
direction. Talk a little bit what that looks

00:28:55.289 --> 00:28:58.049
like. Well, first, I highly encourage if a county

00:28:58.049 --> 00:29:00.900
does get hit. Yeah, you're going to get a ransom

00:29:00.900 --> 00:29:04.640
note with a code to talk to them. Please don't.

00:29:04.940 --> 00:29:07.099
We've had some counties that start to do the

00:29:07.099 --> 00:29:10.200
negotiating on their own. Hold off, bring in

00:29:10.200 --> 00:29:11.940
an incident response team and let us communicate

00:29:11.940 --> 00:29:17.099
with them and through counsel's advice. I can't

00:29:17.099 --> 00:29:20.279
stress that enough. But it is a very interesting

00:29:20.279 --> 00:29:22.519
communication back and forth. And it starts with

00:29:22.519 --> 00:29:27.480
proof of life. Well, when we say we can put in

00:29:27.480 --> 00:29:30.319
the code. We start, we get redirected to someone

00:29:30.319 --> 00:29:32.599
that we can talk to. Think of a chat bot on a

00:29:32.599 --> 00:29:34.440
website. That's going to be what it's going to

00:29:34.440 --> 00:29:37.180
feel like. It's just a chat back and forth. But

00:29:37.180 --> 00:29:40.319
because we're on off hours of a threat actor,

00:29:40.460 --> 00:29:42.740
it's usually one or two chats. Then we have to

00:29:42.740 --> 00:29:44.480
wait another day and then we get, they're going

00:29:44.480 --> 00:29:47.400
to get there, the response, and then we submit

00:29:47.400 --> 00:29:49.200
it. And then usually the next day they send it

00:29:49.200 --> 00:29:51.160
back. So it's a very slow chat back and forth.

00:29:52.259 --> 00:29:55.680
And it starts with us wanting to prove that they

00:29:55.680 --> 00:29:58.240
have to prove to us that they actually have what

00:29:58.240 --> 00:30:00.920
they said they had. So again, double extortion,

00:30:01.000 --> 00:30:04.099
they've taken our data, they've data exfiltrated

00:30:04.099 --> 00:30:07.680
it to their environment. So we say, show it

00:30:07.680 --> 00:30:09.759
to us, prove it to us. And they're going to give

00:30:09.759 --> 00:30:12.480
us a list. And then we'll take that list and

00:30:12.480 --> 00:30:14.839
go to the county and say, does this look like

00:30:14.839 --> 00:30:17.019
your data? It's just going to be file names.

00:30:17.440 --> 00:30:19.759
And they're going to say, yeah, that looks like

00:30:19.759 --> 00:30:22.319
it could be ours. And then we'll ask the county,

00:30:22.480 --> 00:30:27.059
what file in here do you want to see that would

00:30:27.059 --> 00:30:28.960
actually prove that they have the data, not just

00:30:28.960 --> 00:30:32.400
file names? And the county should be giving us

00:30:32.400 --> 00:30:35.660
three or four example files, and then we'll go

00:30:35.660 --> 00:30:39.299
to the threat actor and ask, say, decrypt those

00:30:39.299 --> 00:30:43.400
to, one, prove you can decrypt them, and two, so

00:30:43.400 --> 00:30:45.339
we can make sure that you actually have the data.

00:30:45.339 --> 00:30:47.640
So that, that proof of life they're going to give

00:30:47.640 --> 00:30:49.859
to us. And at that point we've established they

00:30:49.859 --> 00:30:54.339
do have the county's data. They have, we know the

00:30:54.339 --> 00:30:56.819
file structure that they took, so we can kind

00:30:56.819 --> 00:31:01.269
of identify how sensitive it is, especially if

00:31:01.269 --> 00:31:03.930
in the sheriff's department or the judicial system,

00:31:04.130 --> 00:31:06.730
you know, we're talking very sensitive data,

00:31:06.970 --> 00:31:12.029
cases with minors, private police that are under

00:31:12.029 --> 00:31:14.210
or sheriffs that are undercover that could be

00:31:14.210 --> 00:31:16.349
affected by this. And that's what we're really

00:31:16.349 --> 00:31:19.910
trying to find out. But then also from a regulatory

00:31:19.910 --> 00:31:24.049
and legal response side of it. Who do we have

00:31:24.049 --> 00:31:26.089
to notify and how quickly do we have to notify

00:31:26.089 --> 00:31:29.630
who is affected by it? And it's that communication

00:31:29.630 --> 00:31:31.529
back and forth where we then start to negotiate

00:31:31.529 --> 00:31:34.630
price. And we may be negotiating price not because

00:31:34.630 --> 00:31:37.549
we're going to pay, but we always negotiate price

00:31:37.549 --> 00:31:40.730
because if you don't negotiate the ransom, they're

00:31:40.730 --> 00:31:44.160
going to expose the data on the dark web. And

00:31:44.160 --> 00:31:46.900
we may not be ready for that yet. It could be

00:31:46.900 --> 00:31:48.680
that we have backups that we want to test to

00:31:48.680 --> 00:31:51.480
see if the backups truly work. And so we're just

00:31:51.480 --> 00:31:54.940
delaying it and we're slow playing it. We're

00:31:54.940 --> 00:31:57.019
going to lowball them and go back and forth in

00:31:57.019 --> 00:32:00.359
price. It's kind of like a discount store. I'm

00:32:00.359 --> 00:32:01.819
never going to pay full price. I'm always going

00:32:01.819 --> 00:32:03.660
to get some sort of discount off that ransom.

00:32:03.920 --> 00:32:06.460
And if you have good backups, but you want to

00:32:06.460 --> 00:32:09.619
protect the data, that's another argument that

00:32:09.619 --> 00:32:12.480
we can make with them. Give us a price for you

00:32:12.480 --> 00:32:15.519
not to put the data on the dark web, but don't

00:32:15.519 --> 00:32:18.220
give us the backups. And then they'll give us

00:32:18.220 --> 00:32:20.339
a new price and then we can negotiate from there.

00:32:20.460 --> 00:32:23.240
But threat actors are very smart when it comes

00:32:23.240 --> 00:32:25.940
to the pricing. They're looking at the county

00:32:25.940 --> 00:32:28.319
size. They're looking for your insurance policies

00:32:28.319 --> 00:32:31.799
in your file structure to see what the insurance

00:32:31.799 --> 00:32:34.059
company is going to pay out because they're never

00:32:34.059 --> 00:32:35.460
going to ask for below that. They're going to

00:32:35.460 --> 00:32:37.539
try and ask for more than that, but they know

00:32:37.539 --> 00:32:40.279
what the insurance is going to pay. And on the

00:32:40.279 --> 00:32:42.559
private side, they're going to, like, ZoomInfo

00:32:42.559 --> 00:32:44.980
to find out what your revenue is so they can

00:32:44.980 --> 00:32:47.380
ask for a percentage of that revenue. Interesting.

00:32:47.400 --> 00:32:50.319
So they're gathering quite a bit of intelligence

00:32:50.319 --> 00:32:53.259
before they're getting into these conversations.

00:32:54.160 --> 00:32:56.700
It's interesting you use the phrase proof of

00:32:56.700 --> 00:33:01.220
life because it reminds me of, you know, what

00:33:01.220 --> 00:33:04.119
I've heard from friends that were working for

00:33:04.119 --> 00:33:09.279
banks and overseas in areas with problems with

00:33:09.279 --> 00:33:13.579
gangs using kidnapping and effectively the same

00:33:13.579 --> 00:33:16.680
way where there's a there's a negotiator that

00:33:16.680 --> 00:33:19.859
is brought in that is, you know, outside of law

00:33:19.859 --> 00:33:22.359
enforcement and outside the company. But that's

00:33:22.359 --> 00:33:25.039
what they do is talk to these ransomers, basically.

00:33:25.140 --> 00:33:27.799
Yeah. And it's not too many people inside Crow

00:33:27.799 --> 00:33:30.680
that have the skill to talk to the threat actors.

00:33:30.839 --> 00:33:32.940
And there's just a couple of them. We rely heavily

00:33:32.940 --> 00:33:35.839
on them. Yeah, that's incredible. What a strange

00:33:35.839 --> 00:33:39.480
negotiation that must be is, you know, just dealing

00:33:39.480 --> 00:33:43.259
with these criminal gangs frequently. What we're

00:33:43.259 --> 00:33:46.039
looking for, the best case scenario when it comes

00:33:46.039 --> 00:33:50.119
to this situation is a county that has gone through

00:33:50.119 --> 00:33:52.799
the exercise, through the tabletops, understands

00:33:54.029 --> 00:33:58.049
how the threat actor organized crime works. So

00:33:58.049 --> 00:33:59.490
we don't have to go through that explanation

00:33:59.490 --> 00:34:03.769
that has the proper backups and that we're just

00:34:03.769 --> 00:34:07.430
delaying the tactics with the negotiations to

00:34:07.430 --> 00:34:11.150
bring everything back online. Like that's, that's

00:34:11.150 --> 00:34:13.769
as good of a situation you can get in a bad situation.

00:34:14.750 --> 00:34:19.489
What really slows down the recovery is when it's

00:34:19.489 --> 00:34:21.530
a county that's not prepared, that doesn't have

00:34:21.530 --> 00:34:23.550
the backups, and it's trying to figure out, can

00:34:23.550 --> 00:34:27.010
they pay? Should they pay? Knowing, having as

00:34:27.010 --> 00:34:31.289
much as you can ready and understanding can speed

00:34:31.289 --> 00:34:33.670
the recovery process up. And in the end, that's

00:34:33.670 --> 00:34:36.019
what we're looking forward to. Make it so the

00:34:36.019 --> 00:34:38.039
threat actors can't get back in and recover the

00:34:38.039 --> 00:34:40.179
environment to get them back to operating per

00:34:40.179 --> 00:34:43.880
the usual. That's great. Is there anything that

00:34:43.880 --> 00:34:46.039
I missed that you think our members should know?

00:34:46.380 --> 00:34:51.019
A couple things. If you aren't sure, something

00:34:51.019 --> 00:34:56.590
feels off, please call the insurance, call the

00:34:56.590 --> 00:34:59.369
counsel, and then they'll work with us or just

00:34:59.369 --> 00:35:02.030
bring us in. If we notice that there's a threat

00:35:02.030 --> 00:35:03.469
actor in your environment, we'll immediately

00:35:03.469 --> 00:35:06.829
stop to go through counsel. But nation states

00:35:06.829 --> 00:35:10.269
and your business emails that are compromised,

00:35:10.690 --> 00:35:13.199
your phishing attacks. Those are going to be

00:35:13.199 --> 00:35:16.699
very difficult to know if you are already compromised.

00:35:17.780 --> 00:35:19.920
And it's still something we have to take care

00:35:19.920 --> 00:35:24.840
of and identify what scope has occurred. Ransomware

00:35:24.840 --> 00:35:26.820
is easy. We know immediately. Phones are down.

00:35:26.900 --> 00:35:29.380
Computers aren't working. Can't access your applications.

00:35:30.059 --> 00:35:33.179
There are very telltale signs for ransomware,

00:35:33.300 --> 00:35:36.400
but there's so many non-ransomware areas that

00:35:36.400 --> 00:35:38.719
can be affected. If something feels off, just

00:35:38.719 --> 00:35:41.280
bring us in. And then the other thing would...

00:35:41.420 --> 00:35:45.659
be what proactive steps are you taking? I talked

00:35:45.659 --> 00:35:48.079
about the defense in depth strategy, but what

00:35:48.079 --> 00:35:50.780
actual steps are you taking? How is your password

00:35:50.780 --> 00:35:55.719
hygiene? Do you have MFA properly set up? And

00:35:55.719 --> 00:35:59.739
are you separating MFA being multi-factor authorization?

00:36:00.179 --> 00:36:03.059
Yeah. Multi-factor authentication. Sorry. Authentication.

00:36:03.380 --> 00:36:07.800
Gotcha. For at least remote access in is what

00:36:07.800 --> 00:36:09.610
you're looking for in for admin credentials.

00:36:09.750 --> 00:36:12.750
But some of the best practices would be IT. If

00:36:12.750 --> 00:36:15.329
you're listening, don't be using your admin credentials

00:36:15.329 --> 00:36:19.809
for everyday use and have alerts tied to those

00:36:19.809 --> 00:36:22.570
admin credentials. So that way, you know when

00:36:22.570 --> 00:36:24.949
a threat actor could be using it because you're

00:36:24.949 --> 00:36:27.469
not using it that day or at that time. What we're

00:36:27.469 --> 00:36:29.670
trying to look for is early warning signs and

00:36:29.670 --> 00:36:32.070
what can we do to make it difficult for a threat

00:36:32.070 --> 00:36:34.670
actor to move around in your environment, which

00:36:34.670 --> 00:36:39.090
could include, let's separate our data. There's

00:36:39.090 --> 00:36:41.789
no reason that someone that is working in accounting

00:36:41.789 --> 00:36:44.909
should need to get to HR's data. So separate

00:36:44.909 --> 00:36:47.269
them. Make it so that way if a threat actor somehow

00:36:47.269 --> 00:36:49.670
got into HR, they're not getting to accounting.

00:36:49.710 --> 00:36:52.449
They're not getting to the CJIS data. Separate,

00:36:52.449 --> 00:36:54.690
know where your data is and separate that data.

00:36:55.170 --> 00:36:58.630
And then test your backups. You should have backups.

00:36:58.750 --> 00:37:02.090
Test your backups to see in this situation, will

00:37:02.090 --> 00:37:05.909
they actually provide you the data that you're

00:37:05.909 --> 00:37:09.429
looking for? One thing that I think, you know,

00:37:09.489 --> 00:37:12.710
our largest members probably have, you know,

00:37:12.710 --> 00:37:16.849
an IT team, risk managers. And so they probably

00:37:16.849 --> 00:37:19.610
know, you know, have a picture of what their

00:37:19.610 --> 00:37:22.090
needs are. But a lot of our smaller ones may

00:37:22.090 --> 00:37:24.329
be thinking, gosh, this sounds pretty overwhelming.

00:37:27.260 --> 00:37:30.320
Does your company, you know, provide like a scalable

00:37:30.320 --> 00:37:33.059
resource that, you know, our smaller members,

00:37:33.199 --> 00:37:36.019
maybe more even, you know, the medium sized ones

00:37:36.019 --> 00:37:39.199
that they're able to work with you to help, you

00:37:39.199 --> 00:37:43.960
know, practice, you know, good password hygiene

00:37:43.960 --> 00:37:47.079
and all those things that you talked about? We

00:37:47.079 --> 00:37:51.000
do. I solely work on the public sector side.

00:37:51.559 --> 00:37:54.400
It's a passion I've had. When I left the Department

00:37:54.400 --> 00:37:57.920
of Defense, it felt, we're going private sector.

00:37:58.039 --> 00:38:00.800
So at Crow, I stayed in the public sector so

00:38:00.800 --> 00:38:03.400
I can help. I can do my part to help the state

00:38:03.400 --> 00:38:05.639
and local governments. And I'm very conscious

00:38:05.639 --> 00:38:09.300
of not, you know, not every county has a large

00:38:09.300 --> 00:38:14.639
budget. And but every county is susceptible and

00:38:14.639 --> 00:38:18.159
exposed to threat actors. So what can we do either

00:38:18.159 --> 00:38:21.650
at Crow? But also the larger counties, what are

00:38:21.650 --> 00:38:24.030
you able to provide through knowledge transfer

00:38:24.030 --> 00:38:26.190
to the smaller counties? And as an association,

00:38:26.550 --> 00:38:28.510
you're doing your part. You're bringing us in

00:38:28.510 --> 00:38:31.829
as a trusted partner. So I appreciate that. From

00:38:31.829 --> 00:38:33.449
our conversations, you're bringing us in. We're

00:38:33.449 --> 00:38:36.849
here to help. Small counties, we will work with

00:38:36.849 --> 00:38:39.409
them in a different way. Maybe it's through checklists.

00:38:39.570 --> 00:38:42.750
It's through identifying the key areas, doing

00:38:42.750 --> 00:38:46.460
more of the work for them, getting them connected

00:38:46.460 --> 00:38:48.719
with a managed service provider that could be

00:38:48.719 --> 00:38:52.079
hands-on keyboard. We tend to be more in the

00:38:52.079 --> 00:38:55.679
advising role with this is what best practices

00:38:55.679 --> 00:38:57.860
look like. These are your action plans. This

00:38:57.860 --> 00:39:01.420
is your three-year strategy. And then connect

00:39:01.420 --> 00:39:03.280
you with a service provider that can do that

00:39:03.280 --> 00:39:08.039
work for you. And as the county grows in size,

00:39:08.260 --> 00:39:11.699
we switch from that kind of advisory role to

00:39:11.699 --> 00:39:14.639
more of the assessment and audit to your bigger

00:39:14.639 --> 00:39:17.159
counties. So the larger counties, it's going

00:39:17.159 --> 00:39:19.519
to be us coming in and testing your response.

00:39:20.039 --> 00:39:23.780
What you have in place, will that suffice? Are

00:39:23.780 --> 00:39:26.000
you ready? Are you trained? Do you understand

00:39:26.000 --> 00:39:29.480
what the alerts you have are telling you? And

00:39:29.480 --> 00:39:32.219
are you ready to respond to those alerts? Thank

00:39:32.219 --> 00:39:35.260
you. And one last question I have to ask, and

00:39:35.260 --> 00:39:38.769
you can skip this one if necessary. But does

00:39:38.769 --> 00:39:41.349
the Cyber Command really have a big map on the

00:39:41.349 --> 00:39:43.329
wall with a bank of computers with a bunch of

00:39:43.329 --> 00:39:46.610
people behind it, like Mission Control, you know,

00:39:46.610 --> 00:39:50.050
in the movies? I don't know anymore. Again, I

00:39:50.050 --> 00:39:52.429
started before Cyber Command was even stood up.

00:39:52.829 --> 00:39:56.090
I remember when the Army and the Air Force ones

00:39:56.090 --> 00:40:01.570
were really becoming what they are today. And

00:40:01.570 --> 00:40:05.050
they all do have large maps, not nearly as cool

00:40:05.050 --> 00:40:07.789
as they look like on movies. You know, I think

00:40:07.789 --> 00:40:11.889
of so many movies where they like grab the screen,

00:40:12.070 --> 00:40:13.929
like something on the screen to throw it up on

00:40:13.929 --> 00:40:16.849
the wall. And like now they expand it and they

00:40:16.849 --> 00:40:20.570
use the words like enhance, enhance. You know,

00:40:20.610 --> 00:40:24.650
it's nothing nearly that sophisticated. But it's

00:40:24.650 --> 00:40:28.150
when it comes to proactive work. It's really

00:40:28.150 --> 00:40:31.250
looking for the anomaly. What's not right? What

00:40:31.250 --> 00:40:34.969
doesn't fit what we're expecting? That's what

00:40:34.969 --> 00:40:38.469
I would call that Snowden effect, that where

00:40:38.469 --> 00:40:41.289
is something where they're not supposed to be?

00:40:41.469 --> 00:40:44.250
And then we kind of pull and tug at that string

00:40:44.250 --> 00:40:47.590
until we figure out what's happening. That's

00:40:47.590 --> 00:40:50.210
ideal because that means we hit it before the

00:40:50.210 --> 00:40:53.280
ransom occurred. Gotcha. Well, thanks again,

00:40:53.380 --> 00:40:56.159
Joe. Really appreciate you coming on the pod

00:40:56.159 --> 00:40:59.860
with us. And I look forward to you meeting all

00:40:59.860 --> 00:41:01.940
of our members. Yeah, thank you. I'm excited

00:41:01.940 --> 00:41:04.619
and we're excited and really getting to know

00:41:04.619 --> 00:41:07.539
all the different counties in Washington. Thanks.

00:41:07.679 --> 00:41:11.739
All right. Thank you. Thanks, Joe. Thanks for

00:41:11.739 --> 00:41:14.039
tuning in to County Connection. Stay in the loop

00:41:14.039 --> 00:41:16.559
by subscribing to us through your preferred podcasting

00:41:16.559 --> 00:41:19.280
app and following us on LinkedIn, Facebook and

00:41:19.280 --> 00:41:21.380
Instagram. And don't forget to join the hub,

00:41:21.480 --> 00:41:23.659
your go-to source for the latest news and updates

00:41:23.659 --> 00:41:25.880
from the Washington State Association of Counties.

00:41:26.019 --> 00:41:28.739
Until next time, stay connected and stay informed.
