As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Dustin Leefers, Cybersecurity Manager at ThrottleNet, Inc. He has over 20 years of experience in the IT industry, including systems administration, network engineering, infrastructure architecture, and information security. His security certifications include CISSP (Certified Information Systems Security Professional) and CEH (Certified Ethical Hacker). He also holds numerous certifications in the systems and networking space from vendors including Microsoft, CompTIA, Cisco, and VMware.
Dustin is passionate about protecting businesses in the increasingly complex and unpredictable cybersecurity landscape. He keeps up to date with industry trends and best practices to ensure the ThrottleNet Team keeps their customers as safe as possible.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a small town in central Illinois. I was the oldest of three kids and had hard-working parents. We were lower-middle class, enough money for all the necessities, but not too much more. Being the oldest of three kids with working parents caused me to grow up quickly and take on additional responsibility. I developed a passion for technology at a young age and was always fascinated by computers. After high school, I immediately got a job fixing and building computers, all while attending college and beginning to work on certifications. Looking back, I believe growing up with more responsibility than a typical child played a role in who I became as an adult.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Movies from my childhood like “Hackers” and “The Net” helped open my eyes to the endless possibilities of computers and networks. I was lucky enough to have a computer at a fairly young age. I was probably 8 or 9 when we got a hand-me-down 386 PC from a relative. A few years later, I can remember building our first PC with my Dad. We spent a couple of months flipping through “Computer Shopper” on a regular basis and picking out just the right components. For those who may not remember or know, Computer Shopper was a big, thick magazine/catalog you could buy at the grocery store and order PC components through. I have always had an interest in security and just migrated that way naturally as my career has progressed.
Can you share the most interesting story that happened to you since you began this fascinating career?
A couple of years ago, we had a company reach out to us in dire need of help. They had recently been the victim of a ransomware attack and needed help dealing with the situation. After we assessed their network, it was discovered the company had a terminal server with RDP opened up to the public internet. An attacker was able to get access to the machine via brute force and deploy out ransomware to their servers. The attackers also encrypted the attached USB drives that contained their backups. Unfortunately, the company had no offsite or cloud backups of any kind. They also had no cyber insurance leaving them in a very tough spot.
We went to work exploring their options and discussing possibilities with the company. After determining there was no public decryption tool or any other hope for this strain of ransomware, the company decided they wanted to pay the ransom. I exchanged emails with the hackers a few times to negotiate the ransom and determine the installment method. They requested installment via bitcoin and provided the wallet address. The next issue was the client had no bitcoin wallet. Due to the amount of the ransom and no previous history with any provider, it was going to take 5–7 days to get things set up; they did not have that kind of time. Their business was unable to operate.
After discussing options with the client, I volunteered to use my bitcoin account to facilitate the installment. We worked out the details and got a liability waiver signed. After wiring the funds to my bitcoin account, we made the installment to the hackers. After that, we had nothing to do but wait and see. After a period of about 6 hours, we received confirmation that installment was received, and they provided the decryption information. The hackers were even nice enough to provide them with a list of security best practices like disabling RDP, real sweethearts.
Obviously, we do not typically recommend paying ransom and will exhaust all options before doing so. However, in this situation the company, due to poor security and backup practices, had no choice. How do you stop a business owner who has their whole life riding on a business from doing everything they can to save it? When it was all said and done, the company got their data back and we were able to work with them on upgrading their network and improving their security.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
We had a family friend named Alan Kolberer when I was growing up. Alan owned the local computer store in the small town we lived in. I can remember calling him regularly during the first few years of PC ownership with random issues, let’s be honest, most likely computer games crashing. He would assist me on the phone with things like editing the autoexec.bat and config.sys files to find just the right combination for stability. Later in life, Alan would also give me my first job working in the IT industry as a computer technician at his shop.
More recently I’ve been lucky to be a part of the ThrottleNet team for over 10 years now. They are a great group of individuals working hard every day to provide great IT support and cybersecurity to our clients. Specifically, Eric Aquado and Todd Budde have been instrumental in helping me and providing the opportunity for me to get to where I am today.
Are you working on any exciting new projects now? How do you think that will help people?
We are currently in the process of redesigning our Managed Services offerings at ThrottleNet. While we have always had security top of mind, we are really trying to take that to the next level. We have been working to make sure our security offering is all-encompassing and really provides the layered security that is needed today. It is important to note that it takes more than just the right tools to properly protect your business; you must implement the right policies and procedures. That is where we can help, taking something as complex as “security” and making it simple. We want all our clients to be secure and we think our new plans will make that as simple as possible.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
We all deal with burnout from time to time. IT in general can be a very demanding job. Working in security and knowing that one mistake could lead to a massive compromise or other event is extra stressful. I think it’s extremely important to try and leverage the team around you as much as possible. No one can do everything; take advantage of the resources available to you.
Here are a couple of things I find myself encouraging colleagues to do on a regular basis. Take a vacation! We all need some time away from work to decompress. Even if you aren’t actually traveling anywhere, take some time off and do something you enjoy to clear your mind. Also, spend time on a hobby that is not tech-related in any way. Spending time not staring at a screen of any type really helps get your mind off of work.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
I agree, Cybersecurity is a very exciting industry and I’m very happy to have a career in the space. While it is not quite as exciting as the movies make it out to be, I could not imagine doing anything else.
- Impact — Cybersecurity has a real impact on people’s lives. Never before have there been so many threats to our data security, both on a personal level and as it relates to business. According to Webroot, there have been 121 million ransomware attacks in the first half of 2020, up 20% over 2019. It is very rewarding to be a small part of helping keep people and businesses safe from threats like these. Having a positive impact on society is one of many benefits of this field.
- Challenge — Cybersecurity is an extremely challenging field. Every day there is a new challenge to tackle, and I do not see that changing anytime soon. You are not only battling dedicated hackers, organized crime groups, and nation states, but you are also battling everyday people and human nature. It is no easy task to provide proper security in a world based on convenience. Oftentimes it does feel like you are fighting a two-front war of staving off the bad guys and helping the good guys understand why certain precautions are needed. As more and more cybersecurity events are in the news, this battle is becoming a bit easier.
- Career — Cybersecurity is a fantastic and growing career field. While it is not typically an entry-level profession, there is a path to the infosec space from all areas of IT, whether that is systems, networking, development, or something else. Many publications, including Monster.com, state there is a 0% unemployment rate in the cybersecurity field and call for as many as 3.5 million cybersecurity jobs to be unfilled by 2021. This makes a career choice in the cybersecurity industry a great choice for long-term prospects.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
We will continue to see an increase in automated hacking on a wide scale. In the past when vulnerabilities were discovered, the window of time to protect against the exploitation was longer. Hackers now have the tools and technology to make this process much faster, especially as they start to leverage things like AI and machine learning.
The cybersecurity talent shortage continues to grow, and companies should be preparing for this now, especially in the current environment with increasing remote work and growing threats. Depending on the company’s size, they should be investing in their internal resources or partnering with IT and security providers that understand today’s risks; preferably they are doing both.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We had a county sheriff’s office contact us after finding themselves in a bit of a situation. They had recently been contacted by the FBI and told they were infected, and malicious traffic was being detected from their network. The FBI told them they needed to have their systems reviewed and blocked their access to FBI systems until the issue was resolved. The sheriff’s office was referred to us from the Missouri National Guard. They were familiar with us from when we previously helped a local county that had been hit by ransomware.
After deploying our tools and evaluating the network, we discovered a major Qakbot infection was present on most of their computers and servers. Qakbot is a sophisticated, self-propagating banking trojan designed for persistence, evasion, data exfiltration, and credential harvesting. We also discovered that this sheriff’s office was being used as a launching ground for other targeted phishing campaigns to other state and federal agencies. The attackers were targeting individuals with information derived from this breach and were attempting to infiltrate other agencies. In talking with the sheriff’s office, they had been attacked with ransomware a couple times in the past but never paid. It appears the attackers thought they would be more profitable as a launch pad for other attacks. We were able to work with their local IT provider and fully remediate the issue.
There were several takeaways from this situation. First, this network was badly compromised, and it was clear this had been going on for a very long time. They were in a rural area of the state and had a very small IT provider that simply was in over their head and did not know how to handle the situation or where to turn. Also, many signs of compromise were ignored. It appeared everyone knew something was wrong but did not know what to do. As is often the case, these smaller breaches go unresolved and lead to breaches in other organizations. It is extremely important to get outside help in these situations as soon as possible. Partner with a company that can act as a trusted advisor and ensure your company or organization has proper cybersecurity hygiene.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
There are so many great tools out there, both paid and open source. It’s amazing to see how AI and machine learning are adding value and speeding up tasks that used to be very tedious.
I use Nessus Professional on a regular basis. Nessus is a vulnerability assessment tool. I use it for both internal and external scans. It has a vast variety of plugins that will scan for vulnerabilities in all types of items from third party software, OS, networking equipment, etc. Nessus also has a nice patch audit functionality that lets you quickly scan all machines on a network and determine what patches are missing.
Nmap is another tool that I use all the time. Nmap is a free and open-source tool that is great for network discovery. It can quickly scan subnets and detect what hosts are running, determine what ports on each host are open, identify the operating system, and provide a lot of other really useful data. Nmap or similar tools are the basis for any network reconnaissance.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
If you use technology in your business, you should have a trusted IT and cybersecurity partner. There is simply too much risk in the world to neglect this area. IT systems continue to become more complex, dispersed, and interconnected. It only takes one fault to open the door to a possible security event. We typically see small and medium-sized businesses outsource their IT and cybersecurity needs. Over time as the business continues to grow, a time may come where you decide you want to invest in internal resources for some of these responsibilities. Typically when that is the case, the business leverages a hybrid approach with both internal and outsourced resources. They often find this to be more cost effective and get much more coverage and diversified skills for the cost.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
This is a good question; there are so many things that could be on this list. In the industry we call these IOCs or indicators of compromise. Some can be very difficult to track down and others are in plain sight. Here are some that a normal user should be on the lookout for:
- Loss of account access — If you suddenly have lost access to an account and are certain you are providing the proper credentials, this is a major red flag. While it could be benign, it is quite possible an attacker has caused this issue. It is very common that once an account is breached the attacker will change the password to lock you out of it. Of course, this completely depends on the attacker and reason for compromise. They may also leave the password the same so as not to trip any alarms.
- Email issues — There are several things to be on the lookout for as it relates to email. However, the most important, by far in my opinion, is if you have people you know reaching out to you saying they received an email from you that you did not send. Attackers are notorious for sending out malware and phishing campaigns to all contacts of a compromised email account to infiltrate more accounts. Also, be on the lookout for any missing emails or unexplained emails in your sent items. While attackers usually do a decent job of cleaning up after themselves, sometimes they slip up and can tip you off to something being wrong. If you notice any of these issues, immediately change your password and set up MFA on the account — actually, do that anyway!
- Workstation Slowness — While there are many things that can cause workstation slowness, one of them is malware or other malicious issues. If you find your workstation is suddenly unexplainably slow, it is probably a good idea to get it checked out, especially if you are noticing a lot of unexplained popups, or programs popping up and closing windows quickly. Frequently malware will have tasks or processes that run in the background, and when kicking off tasks, they do not always do a good job of hiding that from the user completely. If you notice any erratic behavior, it is best to get the machine checked out. This is certainly true if you have recently opened any weird attachments or downloaded and run any programs from the internet.
- Data Changes — Always be on the lookout for any unexplained data changes on your machine. This can manifest in many ways; here are a few: missing data, unexplained files, or changing file extensions. Any of these could be an indicator of compromise. Make sure you are backing up your data!
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
After any data or security breach, it is prudent to make sure you are following the proper protocols for any laws or regulations that may apply to your business, whether that is HIPAA, PCI, GDPR, or something else. Ensure you are discussing with your legal team and not leaving your company vulnerable to further legal issues.
After the current event is over with, it is crucial to have a root cause analysis performed to determine what went wrong. Allowing for time to learn from the mistakes made and to engage experts to review the systems and processes in place is vital. You are never really “done” with security; it is an evolving process that must be kept up with and regularly reviewed.
As a regional business in the SMB space, we have not been greatly affected by these specific laws. However, we do help businesses deal with laws and regulations that affect their business on a regular basis, such as HIPAA. I can tell you that dealing with these laws and regulations is becoming more complex every day. Privacy is important to us all and it needs to be addressed. I believe there is a need for comprehensive data privacy regulation in the United States. If each state has its own specific regulations, it becomes quite difficult for companies to navigate that. Companies need to start preparing for laws like these. These laws are not just an IT or security problem; they have wide implications for the entire business.
What are the most common data security and cybersecurity mistakes you have seen companies make?
We work with a lot of businesses from various industry verticals, so we have seen pretty much everything! When starting an engagement with a new company, one of the things we often find is their current backup solution is simply not working, missing critical data, or just inadequate for proper data protection. We also commonly find that data shares are often misconfigured and instead of being locked down, the whole company has access to things like HR and accounting data. Finally, we often see issues with administrator access; whether that is users all having local admin access or various users being domain administrators, both have security implications.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
There has absolutely been an uptick in cybersecurity events since the pandemic began. I think there are several reasons for this. First, home networks don’t typically have the same protection as business networks. Further, many people are using their home machines that may not have as robust protection as their work machines. According to Webroot, home PCs are twice as likely to become infected compared to business PCs.
Everything is a bit fragmented right now and people are juggling more than ever. This can cause people to lower their guard a bit, even if just slightly, and that can be just the opening needed for a phishing or other social engineering attack to work. Cyber criminals are smart, they are aware of this, and they are very creative. Stay vigilant!
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Every business needs to take a layered approach to security. Unfortunately, there is no single solution to the problems we face regarding security. The list below is a list of great fundamentals to get you started on your security journey. However, there is much more to be done. If you do not already work with a qualified IT provider or have internal resources addressing these needs, I implore you to take action. You can start small and have an assessment done to see what gaps exist.
- Patching — Patching is critical to proper cybersecurity. New vulnerabilities are discovered daily, and exploit releases are faster and easier to obtain than ever before. You need to have a patching process in place to deal with these threats. Not only do you need to worry about patching operating systems for workstations and servers, but also 3rd party applications. Finally, firmware updates for things like firewalls, switches, and wireless equipment are equally important and frequently include major security fixes. Missing any of these could provide just the opening an attacker needs to compromise your network.
- Passwords/MFA — The majority of account compromises could be prevented with proper password practices. While following these practices is slightly less convenient, they are infinitely more secure. When it comes to passwords, length is strength. I recommend 16 characters or more — think passphrase, not password. Do not reuse passwords. Each account should have a separate password. If one account is compromised, this will not affect other accounts and can be easily remedied. Set up and use MFA (multi-factor authentication) for all important accounts, including email! If someone gets access to your email, they can typically reset the password for any other account you have. To make this work, it is recommended to use a password manager to manage all of your passwords. Obviously, make sure that account is protected with a very secure password and MFA.
- Email Protection — A high percentage of all threats introduced to a company come through email. The two main threats regarding email are unsafe attachments and phishing. Each of these poses its own risk and has its own mitigation. It is important to have a spam filter that checks all attachments coming into your network and executes them to check for possible threats. A good spam filter will also provide protection against phishing. However, there are several things that can be done to help with phishing threats specifically, such as proper use of SPF, DKIM, and DMARC. These are all various methods of helping prevent phishing and spam that leverage DNS. Finally, no email protection plan would be complete without employee training. While cybersecurity training for employees covers a host of threats, email and phishing are probably the biggest focus. Most successful breaches include a human element such as social engineering/phishing. We cannot ignore training our people.
- Firewall — Having a proper firewall does several things to help keep your business safe. It is the first line of defense from outside threats. It is important to have a firewall with the proper security services or UTM (Unified Threat Management). These next-gen devices provide more protection than the firewalls of yesterday. Things like geo IP filtering, botnet filtering, and gateway antivirus help keep your networks safe. Just as important with regard to the firewall is ensuring only necessary services are exposed to the internet. Ensuring services like RDP (Remote Desktop Protocol) are not exposed to the internet is critical. RDP is an easy target for attackers, and since COVID, there has been a massive increase of publicly accessible RDP ports. With a proper firewall in place, companies could be leveraging the built-in VPN capabilities for remote access instead of introducing additional threat vectors to the network by enabling RDP.
- Backups — Without good backups, you have no data security. Backups are the last line of defense and sometimes the only option for recovery. It is extremely important to have a proper BDR (Backup and Disaster Recovery plan) in place. It is crucial to have backups stored offsite, preferably in the cloud. It is all too common for a company to have some type of security event and have no backups. Generally, this is because the only backup was connected to the machine when it was compromised. Remember, backups are only as good as the last time they were tested.
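The SPF and DMARC part of the Email Protection point can be checked from a domain's DNS TXT records. The following is an added example, not code from the interview or from ThrottleNet: it audits constructed records for made-up domains (example.test, weak.test, strict.test) and reports the settings that leave spoofed mail unblocked; the DNS lookup is replaced by an inline dictionary so it runs offline.

```python
"""Audit SPF and DMARC TXT records for settings that leave phishing unblocked.

Added example. The records and domain names below are constructed for
illustration; no DNS is queried. DKIM is omitted because checking it needs the
sender's selector names, which are not discoverable from the domain alone.
"""
import re

# Constructed sample TXT records standing in for real DNS answers.
SAMPLE_TXT = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "weak.test": ["v=spf1 +all"],          # no _dmarc.weak.test record at all
    "strict.test": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.strict.test": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:r@strict.test"],
}

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)")


def lookup_txt(name, txt_records=SAMPLE_TXT):
    """Stand-in for a TXT query: returns the constructed records for a name."""
    return txt_records.get(name, [])


def audit_spf(domain, txt_records=SAMPLE_TXT):
    """Return a list of weaknesses in the domain's SPF record (empty if none)."""
    findings = []
    records = [r for r in lookup_txt(domain, txt_records) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record: receivers cannot tell authorized senders from spoofers"]
    if len(records) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = records[0].split()[1:]
    parsed = [TERM_RE.match(t.lower()) for t in terms]
    lookups = sum(1 for m in parsed if m and m.group(2) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    all_terms = [m for m in parsed if m and m.group(2) == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1].group(1) or "+"   # a bare 'all' means '+all'
        if qualifier == "+":
            findings.append("'+all' authorizes every sender on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is not marked as failing")
    return findings


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(domain, txt_records=SAMPLE_TXT):
    """Return a list of weaknesses in the domain's DMARC policy (empty if none)."""
    findings = []
    records = [r for r in lookup_txt("_dmarc." + domain, txt_records)
               if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: receivers apply no policy to mail failing SPF/DKIM"]
    tags = parse_dmarc(records[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy tag p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def audit_domain(domain, txt_records=SAMPLE_TXT):
    """Combine both audits; an empty list under each key means no weakness found."""
    return {"spf": audit_spf(domain, txt_records), "dmarc": audit_dmarc(domain, txt_records)}


if __name__ == "__main__":
    for name in ("example.test", "weak.test", "strict.test"):
        print(name, audit_domain(name))
```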
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective, and something everyone can do!)
I would have to go with people reading more books. Reading books seems to have lost its luster with all the other entertainment options we have. I think society would benefit greatly if all of us spent more time reading and less time watching Netflix or on social media.
How can our readers further follow your work online?
You can find us at https://www.throttlenet.com, where we have a number of resources available including our blog, webinars, and TNTV! Sign up for our newsletter to keep up to date with us! If you’d like to connect with me, you can do so on LinkedIn at https://www.linkedin.com/in/leefers/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
Thank you for having me. It was my honor to be here. This is a very important topic for all businesses!