Dan Lohrmann has served global organizations in the public and private sectors in a variety of executive leadership roles, and has received numerous national awards, including CSO of the Year, Public Official of the Year, and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 – August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor, Inc.
Springbrook: Why are malicious attacks becoming more frequent and more complex?
Lohrmann: There’s a number of different theories. We’ve been seeing ransomware attacks really for a decade, but you really started seeing an escalation in 2013, 2014, and two or three years ago it really exploded. It has gotten much more sophisticated, and the types of attacks are evolving. They’re not just encrypting the data, they’re stealing the data. So [bad actors] are not only using ransomware, but are stealing data and saying, “If you don’t pay, we’ll release it to the Dark Web.” So the attacks are changing and the actors are becoming more sophisticated. The people who are creating the ransomware have affiliates, and they’re the ones going out after individual targets.
The stars are aligning for the bad guys. A lot of people think that part of it is bitcoin and cryptocurrencies becoming more and more widespread and usable. People think [cryptocurrencies] have enabled the payment of ransoms. Logistically, [ordinary money] makes it easier to get caught. People wrote articles a decade ago saying this kind of thing could happen.
Springbrook: Are municipalities especially vulnerable? If infrastructures built-up over the years — what Springbrook dubs “Frankensuites” — are a big part of the cybersecurity problem, what’s your advice?
Lohrmann: [All cybercrime metrics] doubled in 2014; 2019 was the year ransomware hit state and local governments. A lot of these organizations do not have a lot of resources or staff. Maybe they’ve survived fine over the decades with antivirus software, but they have not had a very sophisticated staffing or security architecture. So they were fine in the previous threat environment, but not that the threat environment has dramatically changed, they’re just not prepared.
A lot of the local governments and cities, counties and states are in the wider net of [fishing attacks, whereby malware is downloaded, typically through clicking on a link in an email or on a website by an unsuspecting user ]. I’m not saying none of these are targeted at individual units. There might be someone saying, “Let’s go after Eaton County, Michigan.” I know cases among both government and private business where it was very targeted. [The bad actors] went in, learned the systems, and sat there for weeks, sometimes months, learning all the passwords, all the credentials, and where all the backups were. And then they encrypted them, including the cloud backups.
There are benefits to the move to the cloud. [It relieves] the organization of having to apply those patches or maybe [the cloud provider] mandates two-factor authentication. The cloud is part of the solution. I do also think, it doesn’t solve all of your problems. You may get a virtual server in the cloud, and you’re running your application, your software-as-a-service, but all the time we have stories about misconfigured servers in the cloud. If your people are administering that server, you can still screw it up, and not put in the right protections, like multi-factor authentication, in place. Consider that two-factor is free from Gmail, Facebook and LinkedIn, but only about 25 percent of Americans use it.
Springbrook: What mistakes are organizations making? How can they protect themselves better?
Lohrmann: Do you have backups? Are they tested? That is, have you ever actually tried to restore from those backups? Are they offline? Just because your backup is in the cloud doesn’t mean you’re exempt. You also want two-factor authentication. A lot of times, people will say, “Well, I have complex passwords.” No matter how good your password is — and I’m all for good passwords — the reality is, if the database gets hacked and your credentials get sold on the Dark Web, they can use your username and password.
Legacy systems, old systems and operating systems that haven’t been updated or patched, is a huge problem. Cyber hygiene can solve 90-plus percent of these problems. It’s always about people, process and technology. It’s all three. And I often hear, “Oh, we had that training five years ago or five months ago.” It’s not just “one and done.”
Springbrook: How can end user cybersecurity training be improved?
Lohrmann: At Security Mentor we want to make sure it’s fresh, relevan, engaging and interactive. We start out with Brief, Frequent, Focus. So many people have been doing the same [cybersecurity training] PowerPoint deck for decades or the same videos. So people start the video, then go down the hall for a cup of coffee. It’s not updated, relevant or interactive.
You want training that covers the relevant topics. But you also want to test it with simulations to test your people. Definitely let them know it’s coming, because you’re not trying to trap anybody, but you want to make it a positive message. The goal is to train people in things they don’t already know. At the end of the day, yelling at people is not going to make them change their behavior.
Springbrook: Finally, are you optimistic that new federal monies like the Cares Act will help address cybersecurity issues?
Lohrmann: Some organizations are using it for cybersecurity, some not. It’s a very mixed picture. There are a number of new initiatives, such as a proposed bill for $500 million a year for 10 years at the state and locals dedicated to cybersecurity. It’s not passed yet, but in the current environment with ransomware, there’s a lot of hope. I just came from a National Association of State CIOs meeting two weeks ago, and CIOs were saying they were optimistic about Congressional passage this year.
Dan Lohrmann appears on the Springbrook webinar:
Local government ransomware attacks: Best practices for managing new threats