Threat Vector 8.29.24
Ep 32 | 8.29.24

From Passwords to Proactive Security: Essential Tips for Educators with Mike Spisak

Transcript

David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, director of Thought Leadership. Today, I'm speaking with Mike Spisak, managing director of Proactive Security at Unit 42. Mike leads efforts to help organizations bolster their cybersecurity posture by staying ahead of emerging threats and implementing proactive security measures. With extensive experience in safeguarding various sectors, today, we're going to talk about securing educational institutions, an increasingly critical topic as schools and universities have become a prime target for cyberattacks. With the rapid adoption of digital learning tools and the vast amount of sensitive data that they handle, educational institutions are particularly vulnerable. We'll discuss how these institutions can strengthen their defenses and protect their students, faculty and data from malicious actors. Here's our conversation. [ Music ]

David Moulton: Mike Spisak, welcome back to "Threat Vector." Good to have you again.

Mike Spisak: Great to be here.

David Moulton: So, we're here at Black Hat. Where do you normally operate out of?

Mike Spisak: I normally operate - you mean on a day-to-day basis?

David Moulton: On a day-to-day basis.

Mike Spisak: Yeah, at an undisclosed location in the hills of New York. I'm just kidding. I'm out at - yeah, I'm close to Manhattan. I'm about an hour outside of Manhattan. I like to, you know -

David Moulton: Beautiful country over there.

Mike Spisak: Yeah, very nice.

David Moulton: Absolutely.

Mike Spisak: Yeah.

David Moulton: Let's talk about how you got into cybersecurity for a minute.

Mike Spisak: Sure.

David Moulton: What drew you to this space, what keeps you in this space?

Mike Spisak: So, those are two really good questions. I'll break it apart super quick. Like many young folks, I had no idea what I wanted to do. Right? I was bouncing around doing a variety of things. I was playing in a band, you know, in a punk rock band. I was doing magic. I was doing a variety of different things. But I started to kind of lean towards business. My father was an accountant and I guess I figured I would just organic - you know, head that way. Anyways, long story short, while I was at one of a - one of my colleges, I ended up rooming with a bunch of hackers. Now, when I say "hacker," right, I mean these were the types of folks that, you know, would take apart something to understand how it works and then reassemble it better, potentially better. You know, they challenged conventional wisdom. Right? They're just, you know, unique individuals. And they sort of exposed this world of tinkering and hacking. And, you know, I started to discover my love for technology there. And I immediately switched my major.

David Moulton: I love it. So, you saw a group of people that were curious.

Mike Spisak: Yeah.

David Moulton: And you, too, were curious and it was exciting.

Mike Spisak: Yeah.

David Moulton: And you became a lifelong, you know, passion of hacking and maybe in the way of the term was originally put together -

Mike Spisak: Correct.

David Moulton: Less about a nefarious intent and more of a curious "how does this work".

Mike Spisak: You're exactly right. In fact, it's funny, on the way over to Black Hat, I had a quick conversation with my Uber driver about that exact topic. Right? He said, "Oh, well, you know, black hat, white hat, gray" - you know. And, so, we started to talk about that. And I won't go on too much of a tangent, but I thought it was interesting that people hear the term "hacker" and they still think nefarious, you know, cybercriminal. And I explained - you're right. You know, decades ago, right, the term really came - was born of just to identify individuals who enjoyed taking things apart to understand how they worked. Right? And then potentially extend them and enhance them and make them better, so.

David Moulton: Of course. You had a very different cab ride over. My guy told me how awesome the Phish concert is here at the Sphere. And it does look pretty amazing.

Mike Spisak: Yeah.

David Moulton: So, we're getting together today to talk about cybersecurity in the educational space.

Mike Spisak: Yeah.

David Moulton: I had a conversation with one of our customers a couple months ago and I was just blown away by some of the things that Gregory Jones is doing to drive security into the university and the gamut of things that he has to cover. And I wanted to come in and get a different perspective. He's in the middle of it day-to-day. You're thinking about proactive security, you're thinking about ways that we can make an investment in time, technology, policy now that gets a result later.

Mike Spisak: Yeah.

David Moulton: And I think that's different than what a CISO is charged with. There's some of that proactive, but there's reactive, there's -

Mike Spisak: Yeah.

David Moulton: In the moment -

Mike Spisak: Yeah.

David Moulton: There's administration. And, so, I think you have a much more concentrated focus. And the education space in general is one where a lot of big attacks have occurred.

Mike Spisak: Yeah.

David Moulton: It's a vulnerable space and one that can't put all of its money towards security. It's got to balance things.

Mike Spisak: Yeah.

David Moulton: So, you're facing those constraints. I'm wondering - well, as an institution, you're facing those constraints. I'm wondering what you think are some of the most cost-effective ways for an education institution, be that a, you know, primary school, a high school, getting into higher ed. What are the things they can do to improve their security posture?

Mike Spisak: Yeah. So, before I answer that exact question, I was there - there was a lot there to unpack. So, if we don't want - just to rewind super quick. And, you're correct, so my day job is proactive security. And, you're right, very often reactive gets the headlines because, you know, someone will finally go buy a garden hose when they realize something's on - you know, when the house is on fire. Right? So, it's like, "Well, why didn't you just put those measures in place to begin with?" Right? So, you're right, that's where I spend a lot of my time trying to help. And the way I do that is I help clients get a risk-based sort of veneer or lens, right, on the things that are going on day-to-day, right, so they can begin to start to think about them in a more proactive fashion. That's important because, you know, again, this - to use that analogy, right, you know, the house is burning down, that shouldn't be the time where you should start thinking about investments. Right? You want to do that beforehand, right, do the - you know. That's why - and I think you and I talked about this once before, I like to consider myself almost like a fire marshal, right, you know -

David Moulton: Yes.

Mike Spisak: Or a fire inspector, someone that would come in and make - you know, show you where your risks are lying. That also being said, to pivot over into the education space, I think is - you're correct, they've seen a lot of attacks and there's a number of reasons for that and we'll probably go through some of them. But, you know, they are vulnerable and susceptible to attacks for a variety of different reasons. And then the other thing I'll say is that I do have a soft spot personally for the education space. My mother's a teacher, my sister's a teacher, I have uncles who are, you know, teachers and professors. And it does span from everything from K through 12 and upward in college and university. Right? So, I think they all need help. Right? And then there's a tremendous amount of resources available to them both from the public sector as well as the private sector that we could talk through as well that I think will help them get organized. I think that's the other aspect of it is just how do you organize all of this. So, now it's your question around budget constraints. What are some of the just basic blocking and tackling types of things that can go - you know, that they can do? And, you know, I like things in three. So, I'll try to - I'll just try to summarize because there's, again - there's a lot, right -

David Moulton: Sure.

Mike Spisak: And we could spend a day talking about it. But I think I'll take it in three. So, the first one, and I always go here, is passwords.

David Moulton: Right.

Mike Spisak: And we talk a lot about passwords in cyber in general. Passwords are hard because, you know, you have to remember them, you have to make them unique and you have to make them complex. And then you have to store them, you have to make sure you don't reuse them. Right? So, these are all hard things. So, the ways you can simply combat this is, you know, and I hate to say "password manager," 'cuz a lot of people would say, "Well, of course, a password manager, that's the way to do it." And, you know, then the question becomes, "Well, which password manager do I choose? There's a lot out there. How do I - you know, how do I get ahead of this?" But I will say passwords are probably one of the weak - you know, they say the person, humans, right, people are the weakest link of the cybersecurity chain. And that's still true. I would say that's exacerbated by password management.

David Moulton: Yeah, yeah.

Mike Spisak: Right. So, if we could just really - if we could just do that, I think it'll go a long way. So, password managers, right, there's a bunch of them out there, there's free ones that are out there. I think education and teaching people how to make memorable passes - passwords or what we would call "pass phrases."

David Moulton: Of course.

Mike Spisak: Right?

David Moulton: Yes.

Mike Spisak: And I know I'm telling - I'm probably - especially for our cyber audience, they're probably hearing this, right, you know, there's nothing new here. Right?

David Moulton: But it's a good reminder.

Mike Spisak: This is a remind - this - these problems still happen. Right? Like it's constant. You know, you hear about all these breaches and it's like, "Wow, what was it? Was it - you know, did they infiltrate from, you know, all this advanced attacks?" No, it was a password that was just leaked in clear text. Right? That's what did it. That's what brought the castle down. So - and then I'll go to another - the last thing I'll say about passwords as I'll move on is multifactor authentication. Right? It's another one of these like basic types of activities that a lot of people just don't know what to do. And then, when you look at education, I'll even talk to my sister or my mother and others, you know, MFA, multifact - like, "What is that?" You know, it doesn't mean a lot. Right? So, it needs to be I think - people just sort of need to understand that this is the new way of life, multifactor authentication.

David Moulton: Yeah. So, maybe some storytelling in and around how to use a password correctly, getting after MFA so it's not just a three-letter acronym -

Mike Spisak: Right.

David Moulton: That the nerds keep talking about, that you're actually looking at it as, you know, something that you want on your side. And I'm curious as I've looked at, you know, some of the operating systems, Apple comes to mind with OS 18 and what they're doing to build passwords into kind of the flow. And you talked about, you know, free, I think things that are built in at the operating system -

Mike Spisak: Yeah.

David Moulton: You don't think about it, it's just there -

Mike Spisak: It's just there.

David Moulton: You're expected to use it, it supports you.

Mike Spisak: Yeah.

David Moulton: So, I think that'll be a huge boon in - you know, in security from a password standpoint. You know, maybe you can talk to me about some of the other low-cost/no-cost resources that schools could go after that they could bring in that you think would make an impact.

Mike Spisak: Yeah. So, I can name a couple. And just to extend just a little bit more, I mean, it doesn't stop with passwords, just to go back to that last question, because I don't want to leave it. I would just say regular system updates, right, 'cuz I'm a good cyber citizen. Right? So, I would be remiss if I didn't mention, right, that you have to, you know, update your systems.

David Moulton: Yeah.

Mike Spisak: And then regular training and awareness. And the last time you and I sat down and spoke, I did speak a little bit about just continuing to raise that, what I like to call, cyber-aware culture, right, just making sure everybody knows that security is not restricted to just the IT department or the cyber team, it's a team sport and everyone's got to get involved, you know, even you, mom and sister and every - you know, everybody's got to get it. So - okay, so free resources. And I'll go back to passwords. There are - you're right, spot on, right, it's ingrained in many operating systems now so you can take advantage of those capabilities. I won't get into that. But there's a lot of open-source password managers as well. Bitwarden comes to mind as being one that's cited often. But, I'll also say, from a training perspective, and that's why I wanted to go back and make sure I talked a little bit about the cyber-aware training, I'm proud to say even Palo Alto Networks has, you know, free cyber training online. In fact, if you go to paloaltonetworks.com, I think it's /cyberpedia, right, there's a host of resources there, everything from intro to cybersecurity to fundamentals of networking to the cloud and even, you know, those who are a little more - want to get into it and understand security operations, there's a SOC, which is Security Operations Center, types of overview and fundamental awareness. Right? So, that's something anyone can go to and read. But, from our friends in the education area that are looking for helpful resources to just sort of organize their thoughts, these are fantastic entry points that - and then I could go on, right, CISA and others, NIST. There's a ton of resources out there. I think the other side of that would be just information overload and just -

David Moulton: Right.

Mike Spisak: How do you organize all that. So, I think to - once you sit down and make an organize - from a cyber perspective, organize your thoughts around a cybersecurity program, these would be great entry point resources to go after. [ Music ]

David Moulton: And the last time we got together, we talked about this idea of having an AI assistant that rides with you as someone to -

Mike Spisak: Yeah.

David Moulton: Remind you maybe, you know, "Hey, David, don't click that link" and - or "It's time to update your software." Right? Like -

Mike Spisak: Yeah.

David Moulton: It helps. So, I think something like that is sort of future state. I want to go outside of the technology and the policies and I like the Cyberpedia offer or I like those free resources, and talk to you about sitcoms from the '90s and 2000s.

Mike Spisak: Okay.

David Moulton: So, there was this program where drunk driving was a problem. And they're trying to figure out how do we show a cultural norm is to have a designated driver.

Mike Spisak: Right.

David Moulton: It seems pretty obvious to me. However, the sitcom became the vehicle where you modeled, "We're going to go out, we're going to have some drinks, we're going to have some fun" -

Mike Spisak: Right.

David Moulton: "But one of us is going to be the DD. One of us is going to have, you know, a Coke at the bar" -

Mike Spisak: Right.

David Moulton: "And, you know, it's going to be something that's a celebration of somebody that takes that responsibility." And I wonder if there's an opportunity for us in security -

Mike Spisak: Yeah.

David Moulton: To look to culture, to look to entertainment, to look to the types of things that are around us -

Mike Spisak: Yes.

David Moulton: And to model what it looks like to have a good password manager, to -

Mike Spisak: Yeah.

David Moulton: Update the software on the fly. What do you think of that idea?

Mike Spisak: So, I like this idea a lot. And let's unpack it a little bit, let's double click on it. Right? So, first off, well done to think - because you're right, the sitcoms and all that kind of normalized this designated driver idea. Right? This - it made it like, "Oh, we should all do this." Right? And I can remember, you know, even talking to kids and, yeah, it became sort of the norm. It wasn't abnormal to have a designated driver, you know, and all of that. I think the other aspect of this, and I know we're talking about cyber and education, but I'll even take it a step further and say I think that even the students, right, not only do they need cyber awareness training, passwords and MFA and encryption and things like that, right, being cyber-culture aware, but even to the aspect of, "Am I computing responsibly?"

David Moulton: Right.

Mike Spisak: And I'm just, again, thinking from a student perspective. Right?

David Moulton: Right.

Mike Spisak: You know, someone's talking to me on Snapchat, do I know who they are, it's a girl or a guy or someone who shares interests with me or, you know - and, you know, that's such a problem. Now, I won't go too deep down that. But, back to your point, I was chatting with a friend of mine recently, now, in the high schools, in order for a student to go to prom, right, they have to attend a - they have to attend a session where they watch a film about drunk driving. Right? And it's interesting because - and it's a - it's almost traumatizing in a sense where kids leave like, "Oh, my God, that was such a hard film to watch" because it goes to a story about, you know, drunk driving and -

David Moulton: Of course. I think I've seen this.

Mike Spisak: You know? Yeah, you may have. Right? In fact, when students get ready to drive, right, they go to Driver's Ed, they watch, you know, whatever it was called, you know, "The Highway," a movie of, you know, driving erratically and all that. Right? So, what's interesting about that pattern of, "We're learning to drive, you should watch a movie about, you know, these are the dangers of driving." Right? "You're going to go to prom, you should watch a movie about these are the dangers of drinking and driving and you need to be responsible." And then I was talking with a parent recently about kids learning to compute responsibly and the dad turned to me and said, "Mike, where is the movie," - you know, and we were talking about that and he said, "Where is the movie about, you know, extortion of kids through these online platforms?" Right? Where is the education knowledge about don't send photos to people you don't know? Right? Don't send photos to people you do know. Right?

David Moulton: Right.

Mike Spisak: Don't answer personal questions, you know, when you're having a chat with someone on Snapchat or TikTok and you don't know who they are. Right? So, I think the levels of awareness - I'm sorry, I'm running a bit of a tangent here, but this is - you know, this is a really important area where I've just seen kids, you know, the youth struggling. And, you know, there's a lot of good that social media and computing platforms and all that can do. But I do believe that as an extension of classic cybersecurity, conventional cybersecurity, we have to get into the space of, you know, teaching the next generation how to be just aware of those types of activities. Yeah, so.

David Moulton: I couldn't agree more. I took shop class in high school -

Mike Spisak: Yeah.

David Moulton: And I had to go through -

Mike Spisak: Yes.

David Moulton: How to go to shop class and not have long hair, not have -

Mike Spisak: Yeah.

David Moulton: Loose clothing.

Mike Spisak: I watched that movie, too.

David Moulton: Right?

Mike Spisak: Yeah.

David Moulton: Like how not to lose a finger on the -

Mike Spisak: Yeah.

David Moulton: Bandsaw.

Mike Spisak: Yeah.

David Moulton: We did all of this and yet you don't necessarily look at your phone or your tablet or your computer, whatever it is, your social media as a bandsaw. Right? You don't look at it as one of those things that's as dangerous. But it does have those same things where maybe on the "how to use it," is a how to use it safely and, you know, what does responsible use look like, what does safe -

Mike Spisak: Right.

David Moulton: Use look like. And I think that, while we were initially talking about like how can schools secure themselves, perhaps there is a jump off point where schools have a responsibility and opportunity to teach how to use these things -

Mike Spisak: Right.

David Moulton: That are pretty common in our day-to-day lives now -

Mike Spisak: Yeah.

David Moulton: Social media and applications and -

Mike Spisak: Yeah, yeah.

David Moulton: Different - you know, different mobile devices in particular in a safe way and understanding how those do present risk, how those do present threats to students. The extortion thing is really interesting. It's a conversation that I've had. I've got some teenagers and -

Mike Spisak: Yeah.

David Moulton: You know, we've been very clear of if you get into a point and somebody's coming back and making those threats -

Mike Spisak: Yeah.

David Moulton: Escalate that to, you know, the house CISO -

Mike Spisak: Yeah.

David Moulton: Me.

Mike Spisak: Yeah.

David Moulton: You know, let's have a conversation and -

Mike Spisak: Yeah.

David Moulton: And not to just over-index on solving it yourself. Right?

Mike Spisak: Yeah.

David Moulton: Like a tap into the community here at the school or at home if you -

Mike Spisak: Yeah.

David Moulton: If you need some help.

Mike Spisak: I do like - but - and I know I took it kind of down a little bit of a serious route, you know, we talk about schools showing movies from school perspective. But back to your original point about, you know, what if we normalized it through sitcoms. When you do it that way, right, it could be a little more memorable about, you know, that episode of that show and it was kind of funny. But, yeah, don't answer that text, you know, or don't click that link or, you know, change that thing. You know. And, so, I do think there's opportunity do -

David Moulton: Right.

Mike Spisak: It that way as well.

David Moulton: Yeah, I think they just like baked it in -

Mike Spisak: Yeah.

David Moulton: Didn't call attention to it and then -

Mike Spisak: Yeah.

David Moulton: Ran it on repeat through a number of shows.

Mike Spisak: Yeah.

David Moulton: And I can't remember if it was a team out of Harvard that came up with the idea, but it ended up being particularly effective. In the show notes, if I can go find the study, I'll definitely put a link into it.

Mike Spisak: Yeah.

David Moulton: So, I want to come back to -

Mike Spisak: Yeah.

David Moulton: Something you were talking about, there's lots of resources. There's a lot of different controls, whether they're, you know, no-cost, low-cost or a heavier investment. Can you talk about some of the rubrics that schools can use to create an organization around understanding what they have and what they need and how to best implement?

Mike Spisak: Yeah, yeah. Especially - and I'll even say it, especially with limited resources, right, 'cuz they're - and, you know, a rubric's a great visualizat - a great mental model, right, that you can use to get into something. Let's - I'll take a step back and I'll start with something that I do almost daily, right, for customers is a risk assessment, a cyber risk assessment. Right? So, that's - to me, that would almost be like ground floor, you know, if you're an organization and you're trying to understand, you know, where the - you know, where are the holes in my infrastructure, you know, where do - how do I get started, where are vulnerabilities lying, I think just a ground-up, end-to-end cyber risk assessment. And that's something you can do to find significant risks, understand, you know, everything from device management to your network structure, you know, go end-to-end with it. I know it's easy to say, hard to do, but this is one of those things that'll pay off in dividends because, if you do it once, it gets easier to do over and over again. Right? So, you start there. And then I would then, after that, adopt a cybersecurity framework, something like the NIST cybersecurity framework. And I cite NIST because, you know, they're sort of like the de facto standard.

David Moulton: Sure.

Mike Spisak: And it's out there and everyone can use it. So, you have - so, you take these two things, right, and then you take sort of the sum of - you know, you want sort of the whole to be greater than the sum of the parts. Right? So, you have your cyber risk assessment as sort of this foundation. You layer on top of that a cybersecurity framework that you then - and you now have a roadmap to, you know, what do I need to do, you know where the holes are from your assessment, you could start to plug those holes using the cybersecurity framework. And, to be honest, right, from an educational perspective, they - there are low-cost resources that are available to them. Schools can work with local governments, schools can work with private institutions, industry partners to find, you know, resources. Again, I'll go back to like the Cyberpedia type example. But there are resources specifically for universities, colleges, you know, K through 12 that they can go after and get support for implementing. And then I would even say, and I'll close here, that, you know, get the students involved. Right? So, if you have an IT club, you have a - you know. And up at the university, right, a lot of the IT staff is students that - you know, that they are working part-time. Right? So, I think it's a great idea to get them engaged and operationalize that, so.

David Moulton: Gregory Jones talked quite a bit about being a welcoming community to your user base -

Mike Spisak: Yeah.

David Moulton: To become your team, right, your security team and training up a lot of those students to help protect the university -

Mike Spisak: Yeah.

David Moulton: But then to also go home and be that one that was bringing that information to their families. Sometimes they're the most educated on it as they come back from college courses there at Xavier.

Mike Spisak: Yeah.

David Moulton: So, I think that that really makes sense and it becomes one of those things that drives the culture outward.

Mike Spisak: Absolutely. Yeah.

David Moulton: He also used, and I still love this idea, but, you know, little roadside signs, you know the little ones that you stick into the grass -

Mike Spisak: Yeah.

David Moulton: As a reminder that things were coming up and don't click that and make sure -

Mike Spisak: Yeah.

David Moulton: To redo your password. And I was just blown away of like, you know, it's low-cost, but it's effective.

Mike Spisak: It's effective. Right?

David Moulton: People are walking across and they're like, "Oh, yeah, I got to change my password."

Mike Spisak: Oh, yeah, yeah.

David Moulton: "It's password change day" or whatever -

Mike Spisak: Yeah.

David Moulton: It is. It was sort of wild.

Mike Spisak: You know, we are in - oh, gosh, we're in August right now. Okay. I just - I was trying to think October is Cybersecurity Awareness Month. That's a - you know, it's one of my favorite times of the year, just saying.

David Moulton: Yeah, yeah. So, thinking about some of the challenges that universities and high schools face, maybe elementary, maybe not so much now that we've kind of reared back from remote learning in -

Mike Spisak: Oh, yeah.

David Moulton: Those context -

Mike Spisak: Yeah.

David Moulton: But it's certainly a big piece of how universities operate, can you talk about some of the particular challenges that remote learning poses to the students, to the faculty, to the organization -

Mike Spisak: Yeah.

David Moulton: And, you know, how do you mitigate some of those things?

Mike Spisak: Yeah, yeah. We could definitely step through some of that. Right? So, to - for starters, when you have remote learning, I think - and this may be - again, this may be obvious to some of our cyber audience out there, right, but the attack surface just expands all of a sudden. When you have people working remotely - not, sorry, working remotely, learning remotely even, right, the attack surface expands. Now, what's interesting, if you just compare and contrast those two, right, remote workers, when we went, you know, remote, there was a lot of training, don't do this, don't do that, here's equipment for you, you know, and so on. And, from a learning perspective, a lot of students don't get that or maybe limited - in a limited fashion. So, things like VPN, endpoint enforcement, managed devices whenever possible. Right? So, a lot of that is somewhat - I don't want to say foreign, but it may not be top of mind for students. You know, they get a laptop for their - you know, as a graduation gift and they go bring that to college and off you go. So, the advice is, you know, for remote - so, that's one of the challenges. And the advice on this like expanded attack surface would be for institutions to implement virtual private networks wherever possible, understand managed devices, you know, and whenever possible allow students to use what - I guess what I would call school-managed devices. Right? So, these are devices that might have some kind of, you know, endpoint protection installed on them already. Some of the other things though that plague the remote learning population would be phishing campaigns. Right? And they're getting - and you and I talked about this, with AI now, phishing campaigns are getting a little more sophisticated, harder to detect. So, to mitigate that, you know, you need to implement email filtering. And, again, I know I'm saying things to our cyber audience that might be, "Come on, Mike, this is" - you know, but I go out and I talk with institutions and it's just still just continuous problems. You know, these are just areas that need improvement. And then the last thing I'll say - two more things, actually. One more is data protection. Right? So, when you're in a remote environment and you're accessing - I remember, you know, when my kids were home and it was Moodle and classroom and, you know, this and that and there - and what was amazing to me was, "Well, this teacher is using this and that teacher is using that." And which one do we use and we're - it's not -

David Moulton: No.

Mike Spisak: Standardized. I know a lot of that's worked itself out. But you have these platforms and you don't really know what's going on under the hood. Right? Are they encrypted in transit or at rest, do they - are they complying with regulatory, like GDPR and, what's the one, FERPA, right, that's the Family Educational Rights and Privacy Act. Right? It's another one where, you know, just protecting the data of students and parents and things like that. So, you have all of this. And then, again, and I started with it and I'll close with it, is the home network. Right? So, students are at home, right, and they probably have a router which they got at a - the local electronic store and they plugged it in, maybe they didn't change the password on it, maybe they're using devices that don't have security on them. So, I just think education guidelines for how to have a secure home network, you know, would go a long way in helping with remote learning. [ Music ]

David Moulton: Mike, you mentioned phishing and I think that that's always one of those top vectors that we see top - you know, at least in the top five. I'm curious, thoughts on training up the staff in particular -

Mike Spisak: Yeah.

David Moulton: Maybe the students as well on ways to identify a phish, avoid those scams.

Mike Spisak: Yeah.

David Moulton: Talk to me about that.

Mike Spisak: Yeah, again, right, it's another area that continuously plagues, you know, businesses as well as, but I think schools are especially susceptible to it because they don't get - in some cases, they may not get the constant reminders, you know, or maybe they don't have simulation in place. But you're absolutely right, awareness training, simulations early and often, and then reporting on that, I think would go a long way. And, you know, I was at a conference recently where I gave a talk to a bunch of professionals and I was just talking about like phishing and deep fake. And I did it in such a way where I showed examples. And the reason why I bring that up is the feedback I had gotten was, "Wow, I'm so much more - now that I know what's possible, I'm - I feel like I'm much better equipped and much better aware." So, the advice I would give is educate people not just on this is what phishing is and, you know, how to identify links and the language and all that other stuff, but let them know what's possible, you know, what adversaries are actually using and show them examples. And, more importantly, show them examples of the after effects of if you did click this link, this is potentially what could happen. Right? I think that would go a long way and would resonate more and longer, you know, for students and faculty and staff.

David Moulton: So, here at Black Hat, we've recorded a number of podcasts. And I was talking to our colleague, Chris Tillett. He talked about the need to contextualize the impact of your security decision-

Mike Spisak: Yeah.

David Moulton: Whether that's to put in a control policy or to, as we've talked about, click the phishing link and then understand what happens.

Mike Spisak: Yeah.

David Moulton: And I think that that storytelling and that ability to make it not abstract, but pertinent to what I'm doing in the moment -

Mike Spisak: Yeah.

David Moulton: Is the theme that I'm getting is driving this closer to something that I care about rather than something that I have to tolerate.

Mike Spisak: Yes, yes. I love that actually. Let me just say that back again so I can steal that. Is that okay if I steal that -

David Moulton: Yeah, totally.

Mike Spisak: And make it something I care about versus something I tolerate. Right? I think that's -

David Moulton: Yeah, yeah.

Mike Spisak: Just that little - that statement right there could underpin a lot of activities in cyber and probably even more.

David Moulton: So, if that phishing campaign or, you know, the Mission Impossible-style attack that's very sophisticated leads to a data breach -

Mike Spisak: Yeah.

David Moulton: You know, what are some of the things that schools can do to take to mitigate or shrink the damage that occurs in a data breach?

Mike Spisak: Yeah. Okay. So, again, I'll try to - we could have a conference just on that topic. Right? But I'll break it down into threes because I like things in threes. So, I'll start by saying something like, and I'll even put on my zero trust hat for a second, role-based authentication or I'll even go further and say least privilege. Right? That right there would go a long way in I think mitigating data breaches for institutions. And, you know, again, let's just say, well, you know, private companies are not excluded from this, by the way, but, yeah, role-based, now it's RBAC, what we call RBAC or role-based authentication. Right? You're a teacher, you have access to teacher things. Right? I'm a student, I have access to student things. Just we have certain roles and we have access to certain things. And keep it there. And then if you go further and implement least privilege, which is the concept of you only have access to just enough. And when I say "just enough access," access to applications or access to data, access to systems, right, where it - you have just enough access to get done what you need to do. So, as a student, I should only have just enough access to submit my assignments and maybe not - and maybe research some things, but not go and explore all these other areas. Right? So, least privilege, RBAC. The next thing would be encryption. And we talked a little bit about this before, but encryption in transit and encryption at rest. What does that mean? You know, again, my - all our cyber listeners are probably well aware of this, but, you know, just using, you know, https, right, making sure you're connected to secure protocols and when data is at rest in a system it's encrypted. Right? And then - and I already sort of mentioned it, but secure channels. That would be the third thing. So, virtual private networks, making sure you're using - you know, you're communicating with the school only over a secured channel.
It's okay to sit in the library or even sit in the coffee shop. I was at one this morning. Right? But if you're connected to public Wi-Fi, you need to make sure that you're doing it over a VPN, right, and you're using secure channels. And you're - and if you are connecting to a public network, you need to do it in a way where - you know, where you're sure that - where you - where it's a trusted public network so you can avoid those man-in-the-middle type attacks that often happen.

David Moulton: So, you've talked about some back to basics, some -

Mike Spisak: Yeah.

David Moulton: Fundamentals, getting into a level of discipline as you approach securing educational institutions. But they're weird in the sense that you've got temporary staff, you've got students that are coming in -

Mike Spisak: Yeah.

David Moulton: Maybe they're staying till -

Mike Spisak: Yeah.

David Moulton: Graduation, but maybe they're not, maybe they're just going to be there for a semester or two, maybe they go home for a bit and they're not part of the network, they're not part of the institution for a bit, but then they come back. Right? Like whatever was going on in their lives, they're able to pick up their education again. And then you've got researchers and parts of the university that are looking for the full exposure to the internet able to use any application that they need because their job, their goal is completely different than yours in security.

Mike Spisak: That's right. Yeah.

David Moulton: How do you bring those two things together? How do you strike that balance such that you're able to allow for education to occur, research to occur, a vibrant digital community to flourish -

Mike Spisak: Yeah.

David Moulton: Inside of this construct of an educational institution while also not exposing it to the dirty, nasty part of the world that we live in that will harm you?

Mike Spisak: Yeah, yeah. So, I - I'm - I draw an analogy because it's very often - and I like the way you said, you know, the role of teachers and professors and all that is to teach. Right? And that's what they want to do and we shouldn't prevent them from doing that. They should have access to tools and tech and the resources they need in order to do that effectively. And, very often, when I'm working with customers and clients, they'll say, "Well, you know what, I have a team that needs to innovate, they need to move at light speed. And security can't slow them down." So, it's almost a very similar, you know -

David Moulton: Parallel.

Mike Spisak: Yeah, parallel -

David Moulton: Right.

Mike Spisak: Thank you, right, that - to what's happening there. And, so, the answer to that, it's almost the same answer, right, it's - and I've corrected myself 'cuz I would say things like, "I think frictionless security could be a real thing," and I've gotten into great debates over this concept of frictionless, you know, making - but I think we can do things to make security less friction. Right? Maybe not frictionless, right, because, you know - but less friction. And I also think - and we talk about this term in cyber called shift left. So, this is the idea of taking security concepts and pulling it, you know, shifting it closer to where it originates. So, when I go and I talk with in a - people who are, you know, using AI and doing a lot of innovation and they say, "I can't worry about security because I need to move at the rate and pace of the market." Right? So, I say, "Well, there's things we can do that are very fundamental that are not frictionless, but are less friction that you can do now, right, by just, you know, taking a breath. And you can still move fast." Right? So, you know - and examples of that are like many that we talked about. You know, just making sure you know the data you're using is good quality data, making sure if you're going to go use that AI model, right, make sure it's of good pedigree and you know where it came from and you're not just randomly - you know, just basic housekeeping type of - conventional housekeeping type of things. That same philosophy applies in the education space. Right? And we need to help professors and teachers and staff, you know, equip them with, you know, the guidelines and the boundary, you know, the guardrails. Right? So, you don't need to be - it doesn't need to be a tollbooth, but I think you need a guardrail. Easy to - again, easy to say, but hard to do sometimes.

David Moulton: Yeah, I like the idea of shifting left and getting to a point where somebody understands why the security is there. I'll go back and, you know, Gregory Jones gave me this idea, so credit to him. And, as the students come in, before they're able to attach to the network, really get going with their studies, they go through a very brief cybersecurity training.

Mike Spisak: Yeah.

David Moulton: That's the first thing they get.

Mike Spisak: Yeah. That's the movie they watch.

David Moulton: It's exactly right.

Mike Spisak: Yeah, right.

David Moulton: And instead of trying to bolt it on after something bad has happened -

Mike Spisak: Yeah.

David Moulton: They start with a like, "Hey, here's this device, it's very powerful, it connects to the internet."

Mike Spisak: Yeah.

David Moulton: "You're going to have email, you're going to have all kinds of phishing, whatever it is, coming at you. Here's the things to keep in mind just to get you moving in that right direction." I think that's a really powerful shift.

Mike Spisak: Yeah.

David Moulton: So, Mike, let's look out to the future a little bit and think about some of the emerging cybersecurity trends that you see that you think educational institutions should really be keeping an eye on. And those could be advances in technology or those could be shifting threats, TTPs, that you think are really worth having another look at.

Mike Spisak: Yeah. I mean, there's the obvious one, right, that everyone's talking about is AI. Right? And I could talk all day about AI. But you know what? I think I'll glaze over it a little. I mean, I have to mention it because, obviously, it's a technology. And that - and for educational institutions, AI poses a bunch of different challenges for them, everything from our students using it in their day-to-day, it's - you know, grappling with the fact that it's here to stay and how do we - you know, how do we morph and how do we change and how do we adapt and overcome, you know, and all these different things. Right? So, there's that. And then there - of course, there's the cyber aspect of it. There is adversaries using it in attacks and then there's adversaries attacking it. Right? So, if you're making use of it, it's being attacked and so on and so forth. Right? So, you have those aspects of it that are definitely challenging and people need to - you know, everyone needs to kind of have their eye on that. But if I push that aside a second and I talk - and I think about - and, again, we could even go into Moore's Law, we could talk about quantum, we could talk, you know, all about these things. I'll go back to, again, some basics. Threat intelligence. You know, I just want to talk about that for a second. When we think about, you know, phishing campaigns, right, what's the latest phishing campaigns that are plaguing, you know, educational environments, how do I understand that, what are some things I should look out for, what's the latest malware that's floating around out there, is there one that's more - you know, that would target schools more than others, are there threat actor groups doing things and so on and so forth. So, a lot of this is rooted in just threat intelligence. 
And, so, I think in the - we talked about - earlier about, you know, setting up a cybersecurity program, having - doing a cyber assessment and then building, you know, sort of foundational awareness and all of that. I think threat intelligence needs to be a part of that equation as well. And, so, while threat intelligence in and of itself is not emerging new technology, the content of it is always going to be new and emerging. It's con - so, that's one area I think where it gets often overlooked. There's tons of free resources on threat intelligence. So, there's paid-for services, obviously, and then there's open-source threat intel. And I think the challenging part of that, especially for, you know, institutions that might be resource constrained, would be, you know, again, information overload and taking the time to curate it, you know, and bring it together.

David Moulton: Yeah.

Mike Spisak: And which are the ones that make sense to me to - you know, if I'm a university -

David Moulton: But if I go back to the AI comment for -

Mike Spisak: Yeah.

David Moulton: Just a second, there may be a moment where you could say, "Help me find relevant to me" -

Mike Spisak: Yes.

David Moulton: "In the threat feeds, paid or free" -

Mike Spisak: Yes.

David Moulton: "That are targeting or are about educational institutions as the thing that I want to see escalated first." And maybe even going to that point where you're saying, "And how do we, with our particular version of a network, our particular community" -

Mike Spisak: Architecture, yeah.

David Moulton: Yeah, our community.

Mike Spisak: Yeah, yeah.

David Moulton: "How do we prep for that? How do we prepare for that? How do we look for that in our signatures or, you know, in the space that we do have?" So, it seems to me like maybe as much as you glossed over AI for a second -

Mike Spisak: Yeah.

David Moulton: Threat intel plus some of these new tools applied in a different way -

Mike Spisak: Yes.

David Moulton: Gives an advantage back to this side of the equation.

Mike Spisak: I'm really glad you went there because you're absolutely right. So, I did glaze over the AI, but, you're correct, if you take something like threat intel, which someone may say, "Oh, well, that's something old," and you add it to something new, like AI, you could get this net new force multiplier, right, where you're now exponentially ahead of the curve. And I think that's an area where, like you said, I think paid-for or free, right, if you're curating, right, and - but you're using AI to help with the hard stuff, which is how do I know it's relevant to me, how do I know how to curate it and then how do I - how do I put it in the context of my world. So, if you had an AI that understood your world, right, your community, your architectures, your environment, the tools that you're using, the policies you have in place, right, you can fine-tune a model that has understanding of that, a local -

David Moulton: Yeah.

Mike Spisak: Model, by the way, right, or even, you know, one in the cloud. And, again, I can talk all day about that 'cuz I'm very passionate about fine-tuning -

David Moulton: Yeah.

Mike Spisak: Models -

David Moulton: Yeah.

Mike Spisak: And making them do very task-specific things. But, yeah, you know, I feel like there's a space there for acceleration. So, very cool.

David Moulton: That's awesome.

Mike Spisak: Yeah.

David Moulton: Mike, thanks for coming on "Threat Vector." As -

Mike Spisak: Yeah.

David Moulton: Always, wide-ranging, awesome conversation.

Mike Spisak: Appreciate it.

David Moulton: I've got the best job in the house. I get to come in and talk to people like you and ask my questions and become more educated. And that's just catnip for me, man.

Mike Spisak: You know, I - likewise, I appreciate the time here. I would love to close to any of my educational folks out there, you know, that are listening to this that I understand, you know, protecting a school from cyber threats, right, or institutions like this from cyber threats may feel a lot like, you know, guarding a fortress with just a drawbridge made of spaghetti. Right? I mean, just to kind of put a visualization out there. By the way, we're getting close to lunch so I'm hungry. But, I promise, you know, if you take some of the basics that we've talked about, right, with some of the accelerators of new technology that's coming out and you bring it together, and I'll go back to something I said in the beginning, you really can make the whole greater than the sum of the parts. You know?

David Moulton: So well put. Yeah. Thanks, Mike.

Mike Spisak: Thanks for the time. [ Music ]

David Moulton: Mike, it's always a pleasure having you on "Threat Vector," especially on such a critical topic of securing our educational institutions. As we discussed, the educational sector faces unique constraints where its budgets are limited, there's a complexity in managing the diverse user base and the ever-expanding attack surface due to remote learning. But your emphasis on proactive security measures, role-based access and the importance of a cyber-aware culture really provide a roadmap for these institutions to follow. Your analogy of guarding a fortress with a drawbridge made of spaghetti perfectly captures the daunting tasks schools are facing. But, as you highlighted, by focusing on the basics like password management, multifactor authentication and ongoing education while leveraging new technologies like AI for threat intelligence, education institutions can significantly enhance their security posture. To all our listeners, whether you're working in education or just interested in cybersecurity, the key takeaway from today's conversation is the power of combining fundamental security practices with emerging technologies. This approach not only helps mitigate risks, but also builds a resilient foundation for the future. Mike, thank you again for making this complex subject more approachable. We look forward to having you back on the show soon. That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your review and feedback really do help us determine what you want to hear about. If you want to reach out to me directly, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Mike Heller, our content and production teams, which include Kenny Miller, Joe Bettencourt and Virginia Tran. Elliot Peltzman edits "Threat Vector" and mixes our audio. We'll be back in one week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]