S1:E4 Troy Taysom – The SolarWinds incursion and data security

February 22, 2021 |  News
30 min

Troy Taysom has over a dozen years working in network positions and is currently a lecturer at Utah Valley University. He discusses privacy, data protection and network security.

 

Tyler Jacobson  0:01

We have joining with us [today] Troy Taysom. You’re with Utah Valley University, correct Troy? 

Troy Taysom  0:07

Right. 

Tyler Jacobson  0:07

Yep. Okay, so give me a little bit of background for our listeners on, in a nutshell, all of your experience and how you got to be where you’re at. And then we’ll talk a little bit more about IT security and some of the risks there.

Troy Taysom  0:24

Sure, I’ve been in the IT field 12, going on 13 years now. I was your network admin, for most of that. And then about two years ago, I took a full time job teaching at Utah Valley University, in the ISNT department. And I exclusively teach IT classes, I have a master’s degree and in network security management, and that’s been my focus. The security field. In particular, the management of security in networks. Yeah, that’s kind of how I got here, I was self taught until I got my master’s degree. Which, I would imagine most IT people, that’s kind of the way they are. 

Tyler Jacobson  1:18

So with a long experience in network security, network management, things like that, we were discussing a little bit earlier about some of the risks that are lingering out there. And in higher ed, when we talk to people, it’s usually the network security guy, or the information security guy [who] is one of the most intense people in the room. They’re the ones that are always looking with a very critical eye at anything that’s going to be put on the network. And I think the discussion today may relate to why they are so passionate about network security, because they understand the risks that are involved. So what are some of the risks and and what are the consequences of a breach of network security or having a problem there? 

Troy Taysom  2:09

Well, the biggest consequence, of course, is what gets taken off of your network. IT people aren’t necessarily worried about what someone is going to put on their network, usually that can be handled pretty easily. The problem is, is that when people start taking stuff off of your network, and that’s where you get into trouble, when they start to steal your information, whether it’s, you know, personally identifiable information, you know, names, addresses, social security numbers, credit card numbers, I mean, anything they can get their hands on. And that can have ramifications that are in the multi-millions of dollars per incident plus, [if] you’re the customer, whoever the customer is of this network, loses confidence in the people that are running the network. And I think one of the things that IT people need to understand…you know, I came from a sales background long before I came into IT, everybody has a customer. And no matter who you are, if you’re a university, your students are customers. And as IT people, the people within our company are also our customers. So the employees at a university are the customers of the IT department, as well as the students, because we’re there to support everybody. And that’s why IT people are so security aware now, because it really comes back on them if anything happens. And the ramifications again, can be not only costly financially, but could ruin relationships. It can even be sensitive information. If it’s proprietary information or secrets, government type stuff, the consequences can even be bigger than we even know. And that’s kind of what we’re seeing right now with the Solar Winds incident that happened and they still really don’t know how big it is. And they may not know for a long time how big it is. 

Tyler Jacobson  4:28

So really quickly outline what the solar winds thing is. I know that you understand that quite well. I’ve just heard to the level of: it was a network incursion, and it’s going to be a huge mess to clean up. So give me a little bit more of an overview there. 

Troy Taysom  4:44

Well, okay, so I’ll tell you what I do know and, and the trick is that most people don’t even know yet. So what happened was that FireEye, which is a cybersecurity company, discovered that there had been a breach into SolarWinds, I think it’s called Orion. And that’s like a network. It’s kind of like an all encompassing IT management type of an app. You monitor traffic and monitor logs, I think and all sorts of different stuff. It’s like it’s an all-in-one, it’s really a powerful tool for an IT manager to manage their network. And what happened was that a malicious actor was able to get into SolarWinds. And then they were able to get into the source code for an update that SolarWinds was working on. And they put malware into the update. And Solar Winds didn’t detect it. And they didn’t detect it, because it was so well done. They’ve been reverse engineering the malware to try to figure out how they did it. And it’s…they did a really, really, really good job of disguising their footprint and making it pass all the normal security tests. So the malicious actors got in there, and they put malware into the update. And then when customers downloaded the update, they got infected. And it was a Trojan horse type thing. Because it came in as something that you thought was okay, which is what a Trojan horse is. And then when it gets there, then it goes through and does things that most of the time, you don’t even know. And we know that Microsoft got hit with it. And we know that a lot of federal government agencies got hit with it. But we don’t know exactly how bad they got it, and how deep it went. They’re still uncovering it and trying to figure it out. But that one’s going to take years to unravel. In fact, some of the people in cybersecurity are saying that networks that have been infected with this may need to be just burned to the ground and rebuilt because of [how] all encompassing this malware was. So I think that’s the change we’re seeing. We’ve gone from the script kiddies, young people in their mom’s basement, in the dark room, messing around just trying to mess with people to: this one seems to be state-sponsored. So they were well funded, well trained, well hidden. It kind of points towards Russia right now. But again, they don’t know that much still. And this started happening in 2019. There’s a timeline out there, that’s pretty good, that shows how they did this. They put it together. And then they tested it. And then they got out of the network. And they went back in. And they ran their stuff and got back out. And I think that they were saying that malicious actors were gone in June of 2020. And so they’re just now discovering this in November. I mean it takes six months to discover that these things were happening. And they still don’t know how bad it’s going to get. So I mean, like I said, the ramifications can just be huge. And that’s why IT guys are nervous about what is on their network [and] who’s on their network. And security has now become…it’s no longer optional. For a long time. Everybody just ignored it. And they just, “Oh, it’ll be okay.” But now, it’s not optional anymore. And I’m trying to remember the statistic [that was] from a couple of years ago, but it’s only gotten worse. There’s like 90,000 security jobs that went unfilled, because they don’t have qualified people. And it’s only getting worse now, especially with this deal. Where you I mean, you had people in Microsoft. Microsoft got infected with it, and they’ve got really good security. And so everybody’s got to reevaluate now what they’re doing. 

Tyler Jacobson  9:29

Yeah, so as far as damages caused: you have, as you had said, a lot of personal private sensitive information could be floating around out there. And then potentially, a complete rebuild of the network. So what does that involve, when you say, “burned to the ground and start over”, from a business perspective, like a university or something like that…what would that look like? 

Troy Taysom  9:59

I don’t even know if I can imagine what it would look like just because everybody of course runs (well, they should), run backups on your stuff. But if you get infected, and it goes six months without you discovering it, your backups have become infected. Now, if you have archival backups, you can go to those. But think about how much data is processed within a six month period, or a year. How much are you going to lose? I mean, if a university lost a year of data, you’re talking about grades and student records and financial records. And it’s overwhelming. It’s crazy. So hopefully, they can figure it out without having to burn these things to the ground. But it’s going to look like billions of dollars just in the cost to get things repaired. Plus, you don’t know what it’s gonna cost you in lawsuits. If FERPA regulations are broken. HIPAA laws are broken. GDPR. What’s the European Union going to do to people? California, the protection act they’ve got, the privacy act that just came out? I mean, it could be….it’s mind numbing, actually. 

Tyler Jacobson  11:22

Yeah, you bring up an interesting [point]. The privacy of information like the FERPA, GDPR, CCPA, PIPEDA. You know, we’ve got several of those there. It’s kind of a transition of topic a little bit, but where do you see the privacy of it? Because with something like a university, you’re dealing with very, very sensitive information anyway, because you’re dealing with people’s financial records, their educational records, if there is a state of accessibility need. You know, you’ve got stuff that is sensitive information? And how do you find the balance and privacy of information as well as being able to effectively provide for the needs of the students and faculty and stuff like that? Where’s that balance? Give me a little bit of background [because] I know that you’ve done quite a bit of research into the privacy of information. What does that look like today? And what do you think the trend is like, for the next few years?

Troy Taysom  12:17

Well, the truth of the matter is that the information that we collect, at the university level or at a government level is necessary. You have to have that stuff. So protecting it becomes a priority. Now, the reason that the legislation and things have been passed and the regulations are passed, really has more to do with people selling information to third parties. That’s where the regulations are targeting. But it really does…the onus of protecting that data falls directly on to the company or the university, whatever the business entity is that collects the information and stores the information, you’re responsible to keep it. So it means you’ve got to have better security, you’ve got to have tighter security. The biggest thing you have to understand is how your company or whoever you work for, how do you collect your data? Number one: how is it collected? And number two: how is it stored? And then number three: how is it used? And you have to be able to have three different states that they call it in the IT world. Data is either at rest, in motion, or in use. And you have to be able to protect that data in all three of those states. And that’s not everyone’s priority now. Because if you think about it, the biggest asset that any company has now is their data. Right? That’s the biggest asset that there is. If you take away someone’s data from their company, they’re done, just like we talked about, you know, if you had to burn your network to the ground and rebuild it, what does it look like? Well, there’s a good chance it looks like you’re going out of business. But that’s the biggest asset that people have now. Because…go ahead.

Tyler Jacobson  14:34

Yeah, I think that, like I wasn’t really anticipating going down this channel, but the two are so closely related because anytime you do business with somebody, they’re collecting information about you. Even if it’s something that’s transactional, they now have potentially your credit card number and your name and your address and all of that. Even something as simple as signing up for a points program at the grocery store, that’s a lot of data that creates great value for the business. And so I think that’s the primary point of the legislation and these rules is: gather the data that’s necessary for your business, but also protect people’s privacy and their rights. And if you’re going to sell that data, or otherwise disseminate it, make sure people know what you’re planning on doing. So [at] the same time, if you’re collecting all this data for a university, or other business, that isn’t necessarily going to be selling that there’s a lot of emphasis on protecting it. I know that with LabStats, a large percentage of our client updates and updates to our product are relating to security, just to make sure that we’re compliant with the different privacy laws, as well as just securing the data because we had that discussion just a little while ago that an incursion could mean a very severe impact of the company. And like you said, if it’s bad enough, it could put just about anybody out of business.

Troy Taysom  16:13

Yeah, even if you don’t end up in a situation like a Solar Winds situation. If you have a breach and your company is responsible for the loss of this sensitive information, you can lose the confidence of your customers, and that would effectively put you out of business. But I think that we also have to face the reality that privacy is kind of…it’s almost a thing of the past now. All of our information has been out there for so long now. And has been sold and stolen. Is privacy really something that everybody has, or is it something that we’re trying to make people feel better about? The truth of the matter is that most companies have been infiltrated, at some level, it’s just a certain percentage of them actually know about it. And that’s what makes this last one with Solar Winds so scary is that the big players in the industry that are security heavy, you know, the US government and Microsoft, and these other real big…and solar winds, you know, they were infiltrated. And that’s what makes it scary is now really there’s nobody that’s untouchable.

Tyler Jacobson  17:38

And I think that’s kind of…to my earlier statement of: “Why is the network security guy, a little bit more intense during a lot of these meetings?” And I think that as you referenced, there’s a lot. It’s kind of a new…