Keegan Stewart
: Hello and welcome. This is the LCU podcast, a podcast that will bring stories, insights and people from Lubbock Christian University. I'm your host, Keegan Stewart, and I'm happy to be with you for another episode. On today's episode, I visited with Austin Halliday. Austin is the chief technology officer at Lubbock Christian University. Our conversation primarily involved Cybersecurity Awareness Month.
We talked about what that means. The importance of paying attention and being aware. Being safe with the devices that you use. And we also talked about some of the ways that LCU is intentional in its approaches as it comes to cybersecurity. I really learned a lot. This is a really important conversation. I hope you enjoy it. Here's Austin Halliday.
All right. Austin, thanks for being here today.
Austin Halliday
: Thanks for having me.
Keegan Stewart
: So just to start out, just set the foundation for our conversation. Tell our audience just a little bit about what you do at LCU? You do a lot of different things. You do a lot of variety of different things as it comes to the technology side of the house. Tell us just a little bit about what you do.
Austin Halliday
: Sure. I serve as the chief technology officer. That puts me on the operations side of technology. So the big, impressive data center with all the blinking lights is part of us all the way down to the Help Desk folks at chap desk that do so many hundreds of tickets a month. I get the blessing of being a support to all of them and making sure they have the resources they need.
Keegan Stewart
: Cybersecurity Awareness Month. It's an interesting thing to think about. It's a fun thing to think about. It's something that keeps popping up in different circles around LCU right now as we're in it. Right. We're in October. How would you, working in the field of technology, explain Cybersecurity Awareness Month to someone who might ask, hey, what exactly is that?
Austin Halliday
: I'd say the Cybersecurity Awareness Month is an attempt to humanize all the aspects of technology that we deal with in our daily lives, whether that's texting on your iPhone or banking through an app or doing your work at a computer, getting gas and running your credit card. I mean, all of it has so much integration in our lives.
We take it for granted and we need to take a moment and kind of step back from that, whether that's like me in the IT field, in the security field, or just an average user and kind of recognize that and worry in a way about how it affects us and what we need to do to do our part for it.
Keegan Stewart
: How much has technology increasing also made threats to our cybersecurity more prevalent in just the last 5-10 years? With, you know, our phones becoming smarter and our computers doing more and more things and our credit cards being on our phones and our computers and our watches. I mean, how much bigger of a deal has, you know, being cognizant of what we're doing on our devices become, even just in the last five, ten years?
Austin Halliday
: Sure. Even just since the pandemic started in 2019, we've seen a doubling in the cost of the average business incident. So you hear about ransomware attacks where a business has their files locked out because somebody clicked on something they shouldn't. In 2019, that cost was 700 to $750,000 to remediate that. Now it's 1.8 million. The expectation is over the next year or two, that's going to move up north of three, maybe almost $4 million a year.
So over the last five years, you've seen this almost regular doubling of the expense of dealing with that from a business perspective. For an individual, if your identity's stolen, that could take maybe just a couple of weeks to get straightened out if you've already got all your ducks in a row with LifeLock or some of the other major credit industries, credit agencies, but it could take as much as 6 to 9 months to straighten out with various banks.
And that's even if you just have stuff like with some of the local banks, you don't have anything big and complex. I think that's really a focus on trying to prevent it because it takes so much time, so much money to fix it after the fact. And generally, it's just "don't click that" to keep it from happening.
So it's a really low effort usually on the front end to keep it from happening.
Keegan Stewart
: So don't click that. What kind of things are people seeing? What kind of things are people clicking on that, to them, at the moment, seems like an ordinary, friendly, casual link or email or text? So what is getting people these days with ransomware, personal attacks on devices?
Austin Halliday
: Email and text message are generally the vector that you see the stuff come in through. 88% of attacks that have been successful against businesses have started with a person doing something. So when you're looking at an email, make sure that you're checking where it's from. Okay. Maybe you've got a friend. Let's say you've got a friend named Bob Dylan.
Okay, great. And you get an email from an email address that claims to be Bob Dylan. But his email address, you know, is Bob Dylan one at gmail.com. And this new email is from Bob Dylan at Yahoo.com. Well, don't click that second one. It's somebody that knows, you know, Bob, and knows that you maybe have money or an Amazon account or something like that.
So it's important to slow down and check that name at the top. And I know with iPhones and Androids and all the various apps that you can go through, the industry folks building an app try to make it really user friendly. Sometimes that can get in your own way because maybe I just see the email came from Bob.
That's what it shows me. I think, Oh, I know Bob, this is safe. That's fine. But you've got to look and hover over that link or tap over that email address and see, is that whole thing correct? That's the majority of it. Industry terminology would be like whaling. So if they went after somebody like President McDowell or myself as a CTO, they're going to try and target me in a way that fits to me.
But we're seeing new trends evolve. One of the new terms that just I hadn't heard much until this year, even in the field, was minoing. And what that is, is they start going after like a chief technology or chief financial officer's kids. So they find out through Facebook, hey, their kid attends this school, they're there for this day, and they'll start using that information to go after the kid.
And once they can compromise the kid's device, you know, say it's your 13-year-old at home on their iPhone clicked on something and now they've been taken. Well, they can use that to leverage against the whale, quote unquote, at an institution and try and get their foot in the door to start stealing data or compromising a person and, you know, you got a good person making bad decisions because of bad circumstances that way.
That's one of the new things that's starting to take root.
Keegan Stewart
: So the bad guy behind these scenes that you're illustrating, who are these people? Is there a face to them? Do they hide behind a mask? Well, obviously, their incentive is a financial incentive. But how is this industry, this real negative industry, this crime, this criminal activity that's taking place, how is it so prevalent and why is it growing?
There's a lot there, but I'm sure unpack some of that. Sure.
Austin Halliday
: Industry is a good word there. I mean, a lot of us have it in our heads that a hacker is this guy in his mom's basement in an old T-shirt or, you know, with his bag of Cheetos or Mountain Dew and tapping away at a green screen. And that may have been the case in like the late nineties, early 2000s.
Technology has evolved so much that our intrusion prevention systems have really pushed that person at a keyboard out of the realm. This is truly industry stuff. These are nefarious businesses set up with at least a handful of folks, sometimes as many as a few dozen, that are coding very advanced artificial intelligence type bots.
They're using algorithms, they're using lots of computing equipment. If you've seen stuff with like the crypto miners where you see these big warehouses full of computing equipment, it's the same thing with these bad guys. The bad actors that are attacking, it's not one guy in his Cheetos-stained T-shirt. It's dozens of highly trained individuals all over the world, lots of them in countries that don't have extradition agreements with the U.S., and there is big money in it.
The projections put it between a 1.8 and a $3.1 billion industry just on ransomware attacks from this last reporting cycle. So that was the 2021 reporting cycle. You put that in the context of the pandemic with the economic downturn, but so much of it being online and that's a pretty big portion. So there's a lot of lure for these people.
And as businesses did layoffs, as they've downsized, right-sized or just capsized from the economic impacts, you've got a lot of folks that are desperate to make ends meet. You know, they've got to put food on the table. And a lot of them are really smart. The war in Ukraine has created some more of these folks as well.
Russia is well known in the cybersecurity industry as leveraging this, not necessarily always state actors, but they don't do a whole lot to stop the groups. Fancy Bear is one of the examples. I've always got these wonderful names, wonderful names. But I mean, in that case, we even had also you we know there's at least 20 folks in that group and we've had stuff from that group that's internationally known target LCU.
Now we haven't been, none of it's penetrated yet, but we can track back and go let the FBI know, hey, these are the things we've seen.
Keegan Stewart
: So that's something that's really fascinating to me that I actually want to pull the layers back a little further on in a little bit. LCU's defense and in those intricacies. But is there anything else as it relates to the cybersecurity world that would surprise people? That's maybe not common knowledge on the street between friends and their conversations, but is there anything else that's like that you've seen in the last couple of years?
Like, Wow, that is astonishing that this is taking place?
Austin Halliday
: I think it's the people factor. That's usually what surprises somebody who's not in this realm is, you know, again, it's that conception of this is all a big data center, banks of blinking lights, hundreds of thousands of dollars of technology warring with each other. And that's how they get you. And it's not. It's usually somebody in a hurry on their iPhone in the middle of the night or they checked an email and they tapped on something.
And you've been had.
Keegan Stewart
: All it takes is one click.
Austin Halliday
: Yes, yes. So we had the annual cybersecurity conference on campus today. And that was one of the examples that our speaker from CoNetrix brought up was they talked about a case that they worked with a bank. And in this bank there were only seven emails listed on their website. And so all seven of these email addresses, all seven of these people received an anonymous email that looked like a request to do a wire transfer.
So all the paperwork was there. So none of these seven people were the wire transfer folks, but one of them opened it out of curiosity. And as soon as they opened it, they realized, Hey, this isn't good. So they shipped it over to the IT guy and they were able to start doing some digging. But one of the files inside of it is called a dot SDR file, and you probably don't know what that is.
Most folks don't anymore. But if you remember back, you know, 15 years ago when screensavers were prevalent, they all use dot SDR files and that's still a popular attack vector because screensavers are still a thing. You got to go out of your way to turn them on, but they're still there. And those files execute at an operating system level.
That means that they triggered down in the deepest, darkest guts of the computer. And if it's been carefully crafted and your security's not in a good spot, that's all it takes is that one click. The user clicks it. They think, well, nothing happened, nothing opened, this file's no good. I'm going to ship it over to IT and see if they can recover it.
Well, it did do something. You just didn't see it. So what it did on that end user's computer was it partially took over it and tried to start filling out wire transfer information. So again, fortunately, in that case, the IT department was ready for it. They started checking things and their wire transfer folks saw it. And they have, it's a two-factor authentication, not like what we do where you've got to click approve on an app. It's a, hey, I use this as an example, Keegan has requested this wire transfer.
Austin has to approve it. There's always that two keys to go ahead and launch it. So I think that's a good example too in our own lives. If you've got a big thing coming out of your bank account, lean on your spouse, lean on your friends to help keep you accountable. If you've got questions, you know, find that IT guy in your life or that IT gal in your life and go from there.
Keegan Stewart
: Back to the defense LCU plays against these kinds of things that you mentioned just a moment ago. How much do you and your team spend playing defense against those big companies overseas that are attacking or even, you know, nationally? How much is LCU worrying about this kind of thing in protecting itself?
Austin Halliday
: It's definitely a primary concern for our department. It's something that, you know, we've talked about it. It affects all the way to your just your average user that has nothing to do with IT as an industry. So for all of us in IT, it's on our minds. I don't think there's anybody on the ops team that spends less than 10% of their time worrying about security, chasing logs, chasing monitors, adjusting rules.
We have a few dedicated folks for that sort of thing. We get about 57 million automated attacks against just one of our firewalls every month. And those are the ones that they're probing. If you go set a new computer out on the Internet without a bunch of protection on it, within 2 to 3 hours, it's going to start being targeted and probably within the first 8 hours, it's going to be, the term would be, owned by some bad actors separately.
So, you know, when I talk about how much time do we spend on it, everybody's spending at least 10% of their time secure it, really security focused, reading articles, reading our logs. And then we've got two folks that it's well north of 40%, probably 50% of their time. And then we also have outside vendors that come in.
So we partner with a penetration and audit tester that does stuff annually and we have real time monitoring 24/7 stuff. So just last Saturday, I was getting alerts kind of in the middle of the night waking me up of, hey, there's this thing trying to target you guys. So we make a couple of adjustments, go back to bed and see what happens.
So it's a pretty significant amount of time we spend on it.
Keegan Stewart
: So you say there's a huge number of attacks every month and you say they're probing. Can you explain that to me and members of the audience that just want to understand that or picture that a little bit more detailed? What does that mean? Who, how were they probing? Were they entering? What are they finding?
What exactly are they trying to do?
Austin Halliday
: I think I'll use the example of like Google Earth. So let's say as a bad guy, you're looking at the satellite scans of Google Earth and we're going to liken that to our computers. So you're looking on there and what you're looking for is pictures of houses that the garage doors open on. And you're going to start there because that's this huge gaping hole that you can just walk right in.
And so they're going down the street one by one. In this case would be IP addresses and they're looking, okay, is this door open? Okay. Well, the garage door is not open. Is the front door open? That's a little smaller gap. Okay, that one's not open. How about the backdoor? That's still a big, big opening. Okay, that one didn't work.
Now let's try the kid's bedroom window. That's open. Let's go in. And so any time they start getting a response from an IP address, like a street address, in this case, they're going to start looking for those openings and they'll go all the way down to, oh, look, this mortar in between the bricks is loose. If I pick at this just right, I can get through.
So that would be a physical analog to the digital scraping that they're doing, looking at all of our stuff. That's why you see so many of our applications. You know, you think, oh, how long could it possibly take to put a time clock application out on the Web? Well, it's going to take weeks because we have to do a lot of research.
We've got to do a lot of checking. We're going to do a lot of testing to see what's probing it, see if there's something new out there that we aren't guarding against already. Before we ever put anybody's real data out there. And once we're pretty confident, then we'll spin it up. So, you know, I guess that's the example I would know.
Keegan Stewart
: That's very helpful. That's very helpful. Every now and then, I'll get an email. Other employees that I know will get an email and it's suspicious. You know, something's not quite right. They're trying to get me to click on this or do something here. And if something's fishy, right? No pun intended. Sure. But if I notice that and I click at the top of my email and I report or mark as phishing, and then I get this awesome little animation, it's like, hey, congratulations, you've successfully passed this phishing attempt or something along those lines.
This is a process that LCU technology has put into place, correct? Yes. In training the LCU employees. What is that? And explain that further.
Austin Halliday
: Okay. The industry best practice is to train and test your organization on current cybersecurity threats and best practices, not to be redundant. So that's going to be watching for red flags. So I talked earlier about make sure that that email from Bob Dylan is really the Bob Dylan, you know, and not somebody pretending to be. Look for grammar things.
Look especially, bad grammar, really bad grammar, things that make you think they don't speak your native language as their first one. Sure. So we put that in place because we saw, as the industry was evolving, that it was a popular vector. You know, it wasn't 88% back when we started all this, but it was starting to really grow.
So we've done that. We've had some good strides there. We don't really get a lot of real reports where somebody actually clicked on a real bad actor link.
Keegan Stewart
: But you'll get the, you know, the fake emails that help train and get our eyes used to that kind of thing. Every now and again, employees will click on that. And it's a good learning lesson, correct? Yes. Yes.
Austin Halliday
: So annually we do training of about 45 minutes that goes through all those things. It's a video training. It's got questions to generate user engagement. That's the big thing is keeping folks bought in on that. And then at least once a quarter we test all our employees. It goes out at random. It's going to select a handful of different templates, everything from, hey, you want a free pizza, Pizza Hut to you need to set up your iPhone account to take this survey and you'll get a $50 Amazon gift card.
And yeah, like you said, if they go ahead and click the link, it's going to pop up that gotcha screen of, Hey, we've been talking about this. Let's do some spots, some remedial stuff. It's not a punitive thing. It's a, hey, you need resources and we're an educational institution. I think a lot of folks would recognize in the classroom, you don't always retain 100% of what you've been told.
We treat it the same way with cybersecurity and cybersecurity month is that month out of the year that we try as an industry to highlight it for everybody, not just the employees who are working on the banking accounts.
Keegan Stewart
: Austin, any last messages to the LCU community about cybersecurity, what this month is or just anything you want to communicate in general?
Austin Halliday
: I'd say don't be afraid of it. It seems like this huge thing, it seems like these millions of artificial intelligence systems out to get you. It sounds like thousands of people out to get you. But taking a second is all it takes. Really take a second. Slow down. If something's demanding your attention. Hey, click this link right now.
Don't, don't. If it's your boss call him, if it's your friend call him, be sure of it. Take that second to slow down. And you've already won against all these things that are trying to get you.
Keegan Stewart
: And if something comes up and they don't exactly know, but they have a question, the resources on LCU’s campus to reach out to our.
Austin Halliday
: Chapdesk at LCU.edu is always a great place to start. We're staffed many hours all through the semester, try to be open as much as the library is, and you can always contact data security at LCU dot edu. We have lots of tools in place, lots of people in place to try and help with that. We can help with education, we can help with remediation and if you've gotten taken by something, if you've clicked on something and they're reaching out to you, you can also contact LCU PD and go through public safety to file police reports on that and help get you made whole again.
Keegan Stewart
: Austin, this conversation has been very beneficial, very educational, and it's important. It's very important. So thank you for taking the time to join the LCU podcast today.
Austin Halliday
: Thank you for having me.
Keegan Stewart
: Thanks, everyone, for listening. This is the LCU podcast. If you enjoyed this episode, go ahead and send it to someone else you think will do the same. Leave us a rating and a review and hope you will subscribe. Thank you again for listening. Have a great day. God bless.
Thanks for listening to LCU's podcast. For more content like this, go to LCU.edu.
The LCU Podcast will bring stories, insights, and people from Lubbock Christian University. Subscribe today to stay up-to-date with what is going on at LCU! Go Chaps!
Cyber Security Awareness Month with Austin Halliday
Thursday, Oct 20th, 2022
Author: Keegan Stewart
Chief Technology Officer Austin Halliday joins the podcast in conjunction with Cyber Security Awareness Month. He shares some advice for the average user on how to be safe with your devices, and he also discussed some of the tactics LCU employs in its own electronic security.
Episode length: 22:36 minutes