Threat Vector 5.23.24
Ep 23 | 5.23.24

Guardians of the Digital Age: How Gregory Jones Shapes Cybersecurity at Xavier University

Transcript

Greg Jones: I would welcome everybody who wants to be, to be there. And I think that's what makes the best teams today, the people that actually want to be on the job; whether they know a lot or they have limited knowledge. A lot of times people with limited knowledge are easier to train. And I would say that my advice is cybersecurity is an ever evolving career field. You don't necessarily need a lot of tech -- background in tech to be able to contribute to the advancement of this industry. Everyone brings different career and life experiences to the table, and these collaborative ideas is what ultimately makes us more cyber secure. [ Music ]

David Moulton: Welcome to Threat Vector. The Palo Alto Networks podcast where we discuss pressing cybersecurity threats, security leadership strategies, and the latest industry trends. [ Opening Music ] Today, we're venturing into the world of academia. A space that is filled with distinctive challenges for any security team. I have a very special guest today, Greg Jones, the chief information security officer at Xavier University of Louisiana, whose unique approach to cybersecurity is shaped by his family's background which is steeped in service to country and community. Greg brings to the table a wealth of experience from the disciplined and adaptive world of the military. Directly into the dynamic and diverse ecosystem of a university. Today we'll discuss how he translates that sense of service into protecting one of the country's most vibrant educational institutions. We'll explore the strategies that keep the digital campus secure. The innovative awareness campaigns that educate and empower both beginners and the most savvy users. And the technological measures that combat the threats lurking to the academic community at Xavier. [ Music ] Greg, thanks for taking the time with me today on Threat Vector. You've got a really notable background: Military service in cybersecurity, a family full of IT professionals. I'm curious, how has this experience shaped your approach to cybersecurity?

Greg Jones: So, my childhood was shaped by -- from growing up around lots of veterans and educators. The majority of my family were -- either worked in education or served in the military. My grandfather was a World War II veteran. My dad was a technology administrator. Mom was an academic administrator for many years. This is what most of the people in my family chose to do as a career. We call it service to country and community. That's what cultivated my passion.

David Moulton: How do you translate that discipline and training from your military background into protecting the university environment?

Greg Jones: So, one of the things that we're taught in the military is always be ready to go and adapt to new things. That comes into play in my new role at Xavier because federal requirements require that universities have to meet some type of acceptable level of cyber insurance in order to receive funding for different programs. And it's -- the scoring matrix are basically of the same frameworks that we follow in the military, and I am familiar with those. So, that's where my transition from military to higher ed, cybersecurity was pretty smooth.

David Moulton: I would imagine that your environment, being a university, is a bit more chaotic of a mix than an average business. You've got that flux of students coming in. You've got temporary faculty. Different skillsets on your academic and administration side. You know, how do you approach that challenge of that community and their needs for cybersecurity?

Greg Jones: So, our approach there is to ensure everyone, you know, faculty, staff, employees, that they understand the challenges and risks that are lurking around with regards to cybersecurity. We have a comprehensive cybersecurity awareness campaign that covers many common topics and all of the emerging trends. And with that -- with those campaigns include different social events on campus: Yard signs, fliers on -- in the academic buildings, fliers along the hallways of the school, and you know, phishing campaigns as well as user cybersecurity awareness campaigns also.

David Moulton: So, our own Wendy Whitmore spent quite a bit of time in the Air Force as part of a cybersecurity team. Are there any big takeaways or moments where you feel like you had a formative experience there in the Air Force that, you know, still drives how you think about security today?

Greg Jones: Yes. So, my military background of always being ready to adapt to new settings comes into play in my role at Xavier. There are now federal requirements that in order for universities to receive funding for certain programs, they have to be able to display that they meet an acceptable level of cyber assurance. The scoring metric for this cyber assurance is based on the same cybersecurity frameworks that we follow in the military. So as CISO at university, I'm tasked with ensuring that we're taking the right steps to achieve cybersecurity maturity. And with this, our day-to-day IT practices will naturally become more regimented.

David Moulton: And so, Greg, universities and colleges in general, seem like they would be a bit more of a chaotic mix from a security environment perspective than, I'd say, an average business. You've got a lot of flux in your users, new students, temporary faculty, folks that never pick up a computer but need cybersecurity training. And then you've got these standards and, you know, the minimums that you have to achieve that you just mentioned. And I'm wondering, how do you approach those challenges? It seems like a big, thorny problem to get after.

Greg Jones: That is very true. Our approach here is to ensure that employees and students understand the challenges and risks that are lurking around with regard to cybersecurity. We conduct comprehensive cybersecurity awareness campaigns that cover many common topics and also emerging trends.

David Moulton: Greg, how do you ensure that the cybersecurity training is both accessible and effective for everyone at the university? Because I imagine that you've got a wide, wide range of capabilities and technical skills levels, you know, considering some faculty maybe have been there for decades? And you've got new students coming in that maybe don't have a ton of training. And then, you know, maybe on the other end of things you've got some really, really savvy computer users that might be able to be more capable than expected. And you've got a chance to level-set everyone against that standard. What are your approaches for that?

Greg Jones: So, the trainings usually cover various topics at a high level and are not overly technical. My intent is to create a cyber-- is to create our cyber campaigns to be both interactive and educational. Whenever we have new employee orientation, I give cybersecurity presentations where I demonstrate to our employees what cyber-attacks look like, how their specific job role may be a target for bad actors, and how to report suspected malicious activity. We also offer training for new incoming students. So, basically upon arrival at Xavier, everyone is introduced to cybersecurity awareness in some form regardless of their skill level.

David Moulton: And talk to me a little bit about that new student coming in and having a requirement there? What was the driver or the impetus for that?

Greg Jones: So, that was actually driven by our top-level administrators. They wanted all students to -- it's kind of like a pilot program still. They wanted all students to be able to get introduced into cybersecurity because a lot of them, this is their first time away from home from their parents and they may be, you know, tricked into giving information to the wrong person. And so, we kind of use orientation time to incorporate the training, whereas when they log in for the first time on their student e-mail accounts, they're immediately prompted to begin their cybersecurity awareness training.

David Moulton: I think that's brilliant. And, you know, Greg, I'm wondering, do you hear from any of the students that appreciate that, or have become the sort of cybersecurity expert for their families as they go home? Or talking to their parents or their grandparents, friends, families, brothers, sisters, that sort of thing?

Greg Jones: Oh yeah. The students love the training. Once they take their first training, they think they're ready to work in cybersecurity and they're asking for job applications.

David Moulton: Well, you know what? That's perfect.

Greg Jones: Yeah.

David Moulton: At least there's this awareness and the beginnings of education. And well, answer me this, is -- have -- has any of the, you know, students that have raised their hands and they're ready translated into, you know, help for the university or been placed anywhere?

Greg Jones: Yes. They sure have. We have a st-- a -- our student work program whereas we train students with our IT department in various aspects of IT from cybersecurity to help desks, the system -- in system engineering, and you know, e-mail administration. So, we're using our students as well to build their competency levels up in security.

David Moulton: Congrats on that. That's amazing. I love it, you've looked at that pool of really smart candidates and said, you know, I'm going to tap into those that are hand-raisers and interested in this space. And, you know, as a fellow cybersecurity, I guess professional, welcome to the club and glad to have you. Recently I read in an interview that you said when you'd joined Xavier, one of the first things that you implemented was this dark web scanner to check for compromised credentials, and that you had found hundreds. For a university with around, what is it, 5,000 combined students and faculty, that feels like a lot. How did it make you feel when you found that?

Greg Jones: Yes. That number does seem like a lot; maybe even more in the thousands than we realized. What we did is we casted a wide net and scanned for all credentials that have been associated with our domain for a time period of maybe now and back to, like, 10 or 15 years. What our team discovered in this situation was while these compromised credentials may not have contributed to a cyber intrusion at Xavier, they were associated many times with third-party data breaches. So, basically, they were credential dumps from cyberattacks at various -- within various other industries where our employees may have been customers.

David Moulton: And Greg, talk to me about why you went back so far?

Greg Jones: Because we wanted to pretty much gauge the effectiveness of the dark web scans we were getting. We wanted to see how effective these scans were and how long this threat had been persisting upon our environment.

David Moulton: Can you talk to me about the impact of the policies, the processes that you've implemated [sic] -- implemented since starting at Xavier?

Greg Jones: Yes. One of the most impactful policies was restructuring the way we create and store passwords. Our network requires strong passwords coupled with multi-factor authentication. The process for MFA varies for different job roles, so we have that piece segmented. We utilize privilege access management tools for users who perform sensitive administrative level work, whether it's technical or nontechnical. And with privileged access management, strong passwords are generated, and you don't actually need to remember or store the password because they are configured to expire after a short period of time.

David Moulton: Okay. So, even if you found one of those passwords that's managed by the PAM, it would just go away, and that --

Greg Jones: That's correct.

David Moulton: Yeah. And that makes sense and cuts down on the risk that it's going to be used for something nefarious. What impact have the dark web monitoring and the new password policies had on Xavier's security policy, and how do you measure the decrease in security, and -- or have you measured a decrease in security incidents as a result?

Greg Jones: Yes. This has been a tremendous impact that dark web monitoring has had on our environment. And while malicious actors may know some of the e-mail addresses associated with Xavier, the passwords are already useless by the time they start brute forcing, and I've seen a tremendous decrease in email security incidents as a result of this.

David Moulton: So, with business e-mail compromise and ransomware identified as significant threats in the academic space, you know, something that we noticed in a lot of our reports, whether it was a ransomware and extortion report or IR report that we just put out, we know that that's been -- some -- the types of threats that really impact academic settings. And what I'm wondering is, how Xavier University has adapted its cybersecurity strategies to protect against those specific types of attacks.

Greg Jones: Yeah. So, our cyber adaptation against business e-mail compromise is set up in a way that will screen both internal and external emails, and it also scans for known attack signatures of social engineering related e-mails. So, whenever a user receives a suspicious e-mail, our -- they can see that the e-mail may come from a bad actor --

David Moulton: Sure.

Greg Jones: And they're -- they're engag-- they're advised to use caution when engaging. Also, we configure the e-mail system to quarantine e-mails. With the quarantine, the user has the option to either engage with the e-mail, respond, delete it, or send it to our team for further analysis. And so, usually what comes after a successful business e-mail compromise attack is it can lead to ransomware. Our defense against ransomware is basically, we fine-tune our alerts and process it so that we can identify those common indicators of compromise of ransomware attacks. And if we notice that there may be potential malicious movement within our environment, we can identify where it's coming from and isolate the system as we see fit. And we also engage with third parties to do frequent penetration testing and stress testing, also.

David Moulton: Greg, can you talk to me a little bit about the kinds of social engineering campaigns that are targeted against Xavier? Maybe it's students. It's academic side, you know, what does that look like for you?

Greg Jones: So, what we see a lot is mostly for on the academic side, like, a lot of the deans are targeted. Sometimes our help desk is -- the e-mails from our help desk get spoofed. Whereas an -- and a bad actor would send an e-mail to someone saying your laptop is -- has a virus on it. Please click this link to open a help desk ticket. And, you know, the users are trained with their cybersecurity training to be able to spot these types of things beforehand, so they don't engage with them. And we've also seen incidents whereas people would, you know, pretend to be our president, and you know, he's asking administrators to, you know, call him right away; it's an emergency. Or send him $10,000 so he can, you know, get back to the states. You know, it's things like that, and they know, well, hey this is -- this can't be real. We have to investigate this, or we knew this from our training that, you know, we could just hover over the link or look at the two name in the email and know that this comes from 16500@gmail.ru. So, we know this is a malicious e-mail and it's not coming from Xavier. It's usually --

David Moulton: Yeah.

Greg Jones: -- someone trying to gain access to our banking information or, you know, our -- one of our database servers or things like that. The targets -- the attacks are pretty targeted and they're not, you know, just going after the most, you know, random user.

David Moulton: Yeah. So, when you get that argument, you're like that's definitely not a .edu.

Greg Jones: Yep.

David Moulton: And it sounds like it's really a lot of targeting towards, you know, privileged users or folks that maybe have the ability to move finances or pay for things. Do you have an example of a time when you were able to successfully thwart a potential business e-mail compromise or a ransomware attack? And if so, were there any lessons learned that you want to share from that experience?

Greg Jones: It's pretty easy for these attackers these days to try to social engineer our users by, you know, claiming to be someone they work closely with, maybe like a supervisor, a dean, or you know, the technology department or one of the vice presidents. And we have successfully thwarted these types of attacks to accomplish for ran-- for ransomware prevention, we continuously test and update our attack signatures and indicators of compromise, and these real examples are incorporated into our security awareness training. For instance, there was a staff member who emailed me saying they had received an email from someone pretending to be myself, and they realized, you know, what they did was, like I mentioned earlier, they hovered over the link, and they looked at the e-mail address that it was sent from. They realized that it wasn't int-- was not an internal e-mail, and from there they, you know, raised the awareness to me and brought it to my attention. And, you know, from there we -- our policy is to go and block those e-mails. We can't block the entire Gmain-- Gmail domain from Xavier because everyone uses Gmail, but we can, you know, block individual email addresses for, you know, a specific period of time. Or we can have them blocked to where they never expire.

David Moulton: And it sounds to me like that training has been pretty effective, sort of crowd-sourcing a larger security team than maybe you have as a full-time staff, which is amazing. And I think as a -- an encouraging thing that you're training up faculty, administration, and students, and then converting some of those folks to come over and work in your help desk and start their career in cybersecurity.

Greg Jones: Yes. We do a pretty robust campaign. We put out yard signs around campus. Fliers on -- inside the dorms, along the academic building. We have little socials on campus to where we pass out cybersecurity tips to the students. And, you know, that's just part of it along with the -- the phishing exercises and the annual cybersecurity awareness trainings. And also, the initial ones they receive upon joining the university.

David Moulton: So, if anyone is out there and listening and has done more socials, signs, posters, you name it, than Xavier University, write me at threatvector@paloaltonetworks.com and let me know. That's the first time I've ever heard of anyone running cybersecurity training with a, like a road sign or a, you know, or a yard sign, rather. Which I would love to get a snapshot of that if you've got a second, Greg, to share that with a listening audience here.

Greg Jones: Sure will.

David Moulton: If we flip it a little bit from, you know, that response side to maybe the proactive measures that you've taken to mitigate some cybersecurity threats, how do you plan to continue evolving your strategy to address new or emerging threats in the future?

Greg Jones: So, proactively we have to continue with monitoring and scanning our environment for cyberthreats, especially zero days. We employ multiple types of products and we do include redundancy in our security tool stack in order to ensure we have as much coverage as possible. To evolve this I speak with other security leaders in the industry as well and other higher-education security leaders. We collaborate on our different approaches in cybersecurity. Oh, and on different approaches to cybersecurity. I attend quite a few summits and conferences where I meet people; meet speakers -- cybersecurity speakers, cybersecurity leaders from other areas. And, you know, we talk a lot and share ideas.

David Moulton: Collaboration is certainly a big piece of this, as in sharing ideas. I want to go back to those phishing campaigns that you were talking about. Do you think that the AI-generated phishing or spear phishing campaigns have made it harder for people or for systems to detect when they're being targeted?

Greg Jones: Generally, yes. It has made it harder, but we do include AI phishing into our cybersecurity training campaign. We use vishing, which is the voice version of phishing, and we use the SMS phishing tools as well. So, we pretty much train our employees up on that so they're able to spot these types of attacks along with deep fakes with voices.

David Moulton: Yeah. I was just talking to a couple of our researchers here about adversarial AI, deep fakes, and a couple months ago talked to Solomon Chata [phonetic] about vishing, phishing, and smishing -- all the ishings. We did an ishtales episode, so --

Greg Jones: Yeah.

David Moulton: -- sounds like you're there, though I think I've heard some fatigue on the everything ishing. And it strikes me, Greg, that you're probably seeing better campaigns, as everyone else is too in that phishing or spear phishing side of things, or vishing or smishing. But the patterns remain the same, right? Like there's still that pressure. Call me. Do this now. Give me money. Right? Like those sorts of things don't change with AI.

Greg Jones: It's beginning to change. But generally, it's still -- it's -- it's the same for most of the generic versions, but we have seen some instances where the e-mails were as real as they can get. But, you know, usually what happens is that we realize that it's coming from a -- an e-mail of someone who hasn't been at the university for five, seven years. And that's another reason why we -- we decided to go back so far with our credential weeks.

David Moulton: All right. So, they thought they were clever because they had the domain, but then you look at them and you're like, you're not really a good account --

Greg Jones: Yeah.

David Moulton: -- because you're -- you've been dormant for so long.

Greg Jones: That's what happens.

David Moulton: That's really interesting. I want to talk to you about the structure of your cybersecurity team at Xavier. You know, talk to me a little about the dedicated roles and personnel that you have there to protect the 4,000 or so administration, faculty members, and all the students.

Greg Jones: Having a dedicated security team it's very essential. It's also an insurance requirement for our cyber insurance policy. But what we like to do is we like to have as much coverage as possible for myself as CISO. We have e-mail administrators, security engineers, system admins, and we also partner with the SOC team. So, we have a bunch of SOC analysts there also in our environment 24/7 and we're getting alerts all the time and, you know, we collaborate with those guys; they're great. And I just think that different roles require diffic-- different focus points, and collectively, this is what makes us -- you know, this is what improves our cybersecurity posture.

David Moulton: So, how does having a, like a dedicated security personnel or the -- you mentioned an e-mail administrator -- fit into that overall strategy? Talk a little bit more about that.

Greg Jones: Because with a dedicated e-mail administrator you have someone, or a group -- a team of people who, you know, all day they're responding to e-mail alerts. Or if you get an alert from Microsoft Defender said, this e-mail has just sent out 500 and something e-mails to ext-- internal people, and you know, that breaks our threshold of e-mails that you're allowed to send a day. We have someone always investigating that on the spot and is also, for myself, you know, with the security team, I'm able to confirm if, you know, this activity is legitimate within our environment or if it's potentially malicious and we're able to further engage from there.

David Moulton: So, it sounds like you've got some real dedicated skills, but not a huge team, right?

Greg Jones: Not a huge team, no. It's a -- we have a small team.

David Moulton: With that lean team, how do you prioritize the -- your cybersecurity tasks and what strategies are you using to ensure that you've got that comprehensive coverage across all the university's estate?

Greg Jones: So, what we do is, after we complete our self-assessments or audits, we base that off of our plans of actions and milestones. And this is usually what guides us with our daily cybersecurity task. We get those third-party risk assessments, and they list out everything that lists where the gaps are in our environment, lists where the gaps are in coverage, and we try to manage that as best we can with fighting those fires.

David Moulton: So, I promised you I was going to ask about AI. I'm curious, you know, it's a hot topic. But I'm wondering is it -- is Xavier University exploring the use of artificial intelligence in cybersecurity?

Greg Jones: Some of our security tools and software do utilize machine learning and AI tactics to be able to identify those AI-based cyberattacks. And our security team also participates in a lot of training on how to identify these types of attacks.

David Moulton: Greg, you sit at sort of an interesting intersection of academics and security. And if you were to give some advice to a person who wanted to either start a career or shift gears and come into security, you know, what would you advise them to look at? Talk to me about your thoughts there.

Greg Jones: I would welcome everybody who wants to be, to be there. And I think that's what makes the best teams, David, people who actually want to be on the job whether they know a lot or they have limited knowledge. A lot of times people with limited knowledge are easier to train. I mean, I would say that my advice is, cybersecurity is an ever-evolving career field. You don't necessarily need a lot of tech -- background in tech to be able to contribute to the advancement of this industry. Everyone brings different career and life experiences to the table, and these collaborative ideas it's what ultimately makes us more cyber secure.

David Moulton: Yeah. Having the homogenous team, I mentored my back -- a previous job, I talked about this, if everyone has the same experiences, same education, same background, you're kind of blind to where your biases are. But when you mix it up and you have a variety of people, you end up with a very -- very strong team. And that's -- that stuck with me quite a bit. Greg, before we wrap up, I want to ask you, what's the most important thing that a person who's listening today should take away from our conversation?

Greg Jones: One of the most important things that someone should take away from today's conversation is that don't be afraid to jump into cyber if that's something you're interested in. Don't feel discouraged by the, you know, thinking you may have a lack of experience. Just get out there. Meet people. Ask questions. Someone is willing to help you. We are -- we use students, student workers. They obviously don't have a lot of experience. At one point I didn't have any experience, especially when I joined the military, most of us were all brand new to cyber. And if you're willing to dedicate the resources to train your employees, there will be a great return on investment [music].

David Moulton: Greg, I think you've got an amazing job. Xavier's lucky to have you there protecting them. I'm sure that there's a sense of doing work at a place that puts good out into the world, that gives you quite a bit of pride.

Greg Jones: Yes. It really does. I love my job and I'm happy to be able to support such a fantastic university. [ Music ]

David Moulton: As we wrap up another episode of Threat Vector, I want to distill Greg's insights into three key lessons about the cybersecurity landscape. Lesson number one: Security awareness is non-negotiable. Greg emphasized that creating a culture of cybersecurity is vital. His approach at Xavier University involves comprehensive awareness campaigns that are as unique as they are effective. He employs strategies that frankly, I've not seen anywhere else, like yard signs and social events. This is on top of the more expected approaches like phishing awareness and testing. These initiatives ensure that every member of the university from the incoming freshman to the seasoned faculty are equipped to recognize and respond to potential threats. Greg's second lesson is that adaptability is critical. Drawing from his military background, Greg demonstrates that being prepared to adapt to new threats is as crucial on campus as it is in the battlefield. The cybersecurity measures at Xavier are designed to evolve. Today, Greg is utilizing tools like dark web monitoring to identify compromised credentials, combined with multifactor authentication to protect the university. As he learns from experience and peers at other institutions, Greg's adaptive approach is primed to evolve. The final lesson I heard from our conversation was the mandate to invest in people to strengthen your security posture. Greg underlined the importance of empowering individuals, whether they are students, faculty, or staff, to be part of the cybersecurity solution. By involving students in IT work programs and fostering a sense of shared responsibility, Xavier University not only enhances its security team, but also builds a community that is collectively more cyber aware and resilient. These lessons from Greg Jones remind us that in the digital age, the strongest defense against cyber threats in education is a proactive, inclusive, and adaptive approach.
I hope you've enjoyed this conversation and hearing from Greg as much as I did. That's it for Threat Vector this week. I want to thank the Threat Vector team. Michael Heller is our executive producer. Our content team includes Sheila Droski, Tanya Wilkins, and Danny Milrad. I edit the show and Eliot Pelzman mixes the audio. We'll be back in two weeks. Until then stay secure. Stay vigilant. Goodbye for now. [ Music ]