June 6, 2026 AZBSN Digital Access Task Force Recording
6:57PM Jun 6, 2024
Speakers: Steve Peters, Ilana Lowery, Mark Goldstein, Karen Ziegler, Heather Floyd, Alexis Susdorf, Dario Solis
Keywords: good, vulnerabilities, jerry, ransomware, cyber, resources, cybersecurity, entities, week, steve, tool, assessments, critical infrastructure, working, information, tabletop, put, share, talk, manual processes
Okay, good morning, everybody. Glad to see you. I wanted to start with a couple of quick announcements. So as I was mentioning a little bit earlier, Aaron is not going to be here today to share an update on the Broadband office. She is in Tucson today for a big STEM conference. So she will not be here. And I think we have a couple of new people who have joined us this morning. So I want to introduce them. Andy Tobin, would you like to introduce yourself?
Sure, well, thanks for having me appreciate it had a bit of a history in this. In this process, as you will know, from more than more than a bit. Your Side excited yeah. But very grateful and very thankful for the group on online here today, a very distinguished group. And it's been my pleasure to be in a position where I can continue to be in business to the state of Arizona. So thank you for organizing and putting this together.
So Andy, you want to just do a quickie background about your long history with the state of Arizona?
Oh, thank you for that. I got to play a role as Speaker of the House. And I'm glad I'm not the Speaker of the House today. As you know, I'm a rural guy, and it gives me a lot of pleasure to be continuing to operate and helping the rural communities to help broaden this to digital access, which is very important to us, for our economy, and continue to grow. We may spend time in the Corporation Commission where we downloaded a lot of money from the federal government for E-Rate, and got that part of this show going, and also created the, with the help of many of Governor Ducey's office when I was head of the Department of Administration, to build on our Security Task Force, which later got moved over to the Department of Homeland. So very grateful to have played a small role in a lot of those events. So thanks for having me.
Thanks, Andy, for joining us today.
He is just being way too humble. I worked under Director Tobin at the Department of Administration, and under his leadership was how we developed the rural Broadband initiative and created the state strategic plan in 2018. So I just wanted to make sure I threw that in there.
Thank you. Thank you, Karen. I'll put in a call for a raise if that's
okay. And Alexis, would you like to introduce yourself please?
Hello, Alexis Susdorf.
Hey, yeah, Alexis Susdorf. I've been on this group, and it's been a while. I own a broomstick 48 Public Affairs, and in this capacity, I'm here on behalf of Fortinet cybersecurity. Thanks for having me. It's been a while, a couple months now. Okay.
Well, thank you. I have a good memory. It's just a little bit short. That's what I have to tell people all the time these days. And we had a couple of other people who were new today.
Alexis, another other cabling. cabling. Okay, well, let's go ahead and keep rolling here. I mean, one second. Okay. So little change of agenda today. I just got a note last night that the folks from T-Mobile will not be here this morning. But I do have some information to share. And they're planning to be here next week. So just wanted to share that with you. And so I don't think we have anybody from the Broadband office here this morning. So, but just a couple of quick updates from them. Excuse me. So the Broadband office will be hosting June BEAD roundtables. They have, excuse me, local government on Monday, June the 10th. And by the way, again, a reminder that all these dates and links are all in my email that I sent out. So if you're trying to scribble this all down, don't worry about it. It's all there for you. But local government is on June the 10th. Internet service providers is also on June the 10th, at two o'clock; local government is at 11 o'clock. And then tribal communities is on June the 11th, at two o'clock. And then on June the 18th, from three to 4pm, they're hosting a Digital Equity plan Community Roundtable webinar. And Aaron, excuse me, I'll make sure I get you some information. But you were asking about the timetable. And this, that'll be a good event that you can attend. That'll give you kind of an overview of the timing and all that sort of stuff. Okay, so next thing is the sub grantee application process. And Aaron, again, this relates to the question you asked. So the sub grantee application process is in the process of being developed. And excuse me.
And if you are thinking that you might want to be a sub grantee, there is a link, and it also is in my email, that you can go to their website and indicate that you might be interested in being a sub grantee. If you fill out that form, it doesn't mean you're not committing that you will do something, but they want to get some sense of who is going to be interested in applying for some of that Digital Equity funding. So again, I encourage you to do that. If you're thinking about it, and again, if you put information in there, it doesn't mean that you're therefore committed to doing that, but they want to get some sense of what's happening. Okay, so moving on. This morning, NTIA, Nicole's not here, I don't believe, and Brenda, you're not here this morning, either. Yeah. Renee and Judy 50 years,
she's not, but I can give a report today, Steve, if he wants.
Good. So you want to do that, Ilana?
Sure. So it's a brief report, but an important one. The Senate Commerce Committee Chair Maria Cantwell announced that there would be a markup on Wednesday of next week for a revised version of her spectrum bill. It's 20. It's 4207, the Spectrum and National Security Act. So some of those features, and I can put this in the chat: it would restore the FCC spectrum auction authority, provide $7 billion to continue the ACP program, it would provide an additional $3 billion for the rip and replace of foreign equipment in rural telco networks, and it would make some spectrum available for shared and unlicensed use. So the problem is the bill is 119 pages long, which, if anybody's read the Luján bill, it was only 11 pages. So even if the Cantwell passes through the committee next week, chances of final passage on the Senate floor and the House are probably slim. The other problem is that this bill has been pulled twice when it's been slated for markup. So
that's kind of what's happening right now. of news. Oh, the other piece of good news is that just this morning, which is why I was a little late to this meeting, the FCC adopted, with a three to two vote from the Commission, the E-Rate cyber program for schools and libraries. So we talked about that last week, I believe, and today was the commission hearing so and
we are going to have Moloch courses in here today. She's also at that STEM conference. But she certainly has been following that and had planned to do a discussion on that program. So we'll do that in the next week or two. Ilana, if I understand correctly, I saw that notice today about the Cantwell bill. If I understood correctly, they're saying that it will allow the FCC to borrow money from the Treasury to fund the ACP, and the FCC would repay the loan from revenue generated by future spectrum auctions. Correct. Kind of interesting. Very interesting.
Talk about last ditch effort.
Yeah.
Well, at least people are still trying to figure out how to make it happen. Which is better than having given the other.
Yeah. And yeah, in that note from John, from Shelby, this morning, he did point out kind of an interesting factoid, I guess. And that's that the markup agenda didn't include that Cruz bill, the kids on board act for schools. And Shelby is saying that this is a victory, because obviously they worked very hard to oppose that bill, because that bill was putting more restrictions on ERate. And so that's a good thing. So if it does actually see the light of day and markup on Wednesday, there's going to be a ton of changes. And the key is to obviously not water down the bill to that point where, you know, it doesn't provide what's needed. So we'll see what happens. Like I said, the bill was pulled twice from markup before so. No, no, I
was with Congress these days, right? Yep. Okay, thank you, Ilana. Thanks for that update. Dan Golson, are you on? Yeah, I see you're online. Can you introduce yourself quickly?
Dan Gaussian. Are you there? Is that your proper pronunciation of your name? Okay,
okay. He's with Fortinet as well, Steve, just FYI. He's,
yep. Yeah, we haven't seen you guys a lot lately. So it's good to have you back. Yeah.
I'm busy.
I wonder what brought you out today.
I got an agenda item.
Okay. So one more announcement, and then we're going to get into our presentation from Jerry this morning. So actually two announcements quickly. June 26, you've heard this before, and it's in my email, there's going to be a workforce outreach summit here in Southern Arizona, the talent pipeline, from nine to 1:30, at the Fred G. Acosta Job Corps. That meeting is open to anybody who is interested. And I have put into the email the contact information with bond Croft, if you are interested and want more information and want to register. So that's the first thing. Next thing is I got a note from SciTech Institute that they've teamed up with Pipeline AZ and the Center for the Future of Arizona to bring our state a Department of Labor grant. And actually, Eric, you want to talk about that grant?
Yeah, sure. Just briefly, Steve, thanks. So in partnership with Pipeline AZ, SciTech, really with SciTech Institute as the lead, secured a multi-year Department of Labor grant really focused on rural areas, in particular STEM outreach, STEM career exploration. So some components include middle school career exploration, really working also with out-of-school time providers. So we're in the process of reviewing some applications from out-of-school time providers that are going to be facilitating engagement activities for youth in STEM-oriented fields. And so certainly more to come. The grant was announced, oh, gosh, last October, but as you can imagine, sometimes as it goes with federal grants, a little bit of time to get everything worked out, ramped up. But we have initiated that grant and I'd be happy to share more with those that are interested, but it's certainly focused in the rural communities, so really outside of Pima County and Maricopa County, in those focused efforts.
And by the way, if any of you don't know, Aaron, he's been doing workforce development and education for a long, long time. We've heard Where were you before you were one of the school districts want you to be when I first met you? Yeah,
that's correct. Steve. So prior to the to my work at the Center for the future of Arizona, I was with the Pima County joint technical education district, and then also with the following Law School. security's on. Yeah.
Thanks, Erin. Thanks for all the great work you do. MPJ Carlin, did you want to introduce yourself?
BJ, are you there? Okay, did I miss anybody else? who's new to us today? Okay, Steve
are not new. But I have a brief announcement when you're okay.
Go ahead. Sure,
as I discussed with you a week or so ago, we're in the editing cycle for the Tech Council's big public policy guide, state and federal public policy guide. This group has worked for years, either formally or informally, to help me review and freshen things up. This year, the submittal cycle for all the couple of dozen editors of sections is much earlier. And I am not going to workshop it as we did in an AZBSN session, I believe, once or twice before, but I'm looking for people to comment. I have promised Commerce, Brett Garvey there is organizing a group, as Keith Watson, Sandeep and others, that I will have a working session with; they have some particular interests and ideas. But over the next week and a half, if you have some interest and bandwidth, feel free to do a markup to the current version that I posted, that Steve can post to AZBSN, and does reflect last year's text. I've started some offline editing that's not ready for prime time. But a little bit closer to what I've said is the due date, maybe the Thursday before that Tuesday, I'll post an in-process revision so you can see how things are shaping up. Thank you.
Actually, I was going to talk to you Mark about whether it makes sense that I wasn't sure if you want it to be shared too much. So maybe we do a work session. For anybody who's interested outside of this regular meeting, for anybody who might be interested in might want to provide some input, or they'll be okay with the interest
or see if the interest arises. If people are interested in an interactive discussion and session, that's a good idea, Steve. Commerce wants to keep their session pretty limited to Tech Council and Commerce people. But if a parallel discussion and work session arises, I'd be glad for that. Again, though, I have set the date that I hope to have all input for June 17, as I leave on vacation June 25. And I have to have it in before I leave for New York City and Ireland.
Okay. Yeah. Thanks, Mark. And I'll talk to you about just setting a date. Let's just do it. Whoever shows up will show up. Appreciate that. Okay, sir. Thank you. Okay, so let's move on to our main presentation today. Glad to welcome Jerry Keeley, who's with the US Cybersecurity and Infrastructure Security Agency, known as CISA. And Jerry actually has presented to us in the past, but it was great that Pima Community College hosted a cybersecurity event last week, and I got to meet Jerry in person. So, Jerry, I'm going to turn it over to you and let you tell people more about CISA. And you got lots of stuff to tell us. So I'm going to turn it over to you. And if you want to share your, I'm going to stop sharing.
Okay, perfect. And thank you for having me, Steve. And so Heather mentioned I had an opportunity to scare a bunch of her colleagues out at Talking Stick a few weeks back. Did you get a little scared there, Heather?
They didn't invite me that. We sent well qualified people, but I heard about it. And Bob was very excited about working with you.
Hey, Jerry, if I can interrupt you for just a second. I want to go back Heather. So you got kind of a recognition couple of weeks ago. Would you like to just tell people about the acknowledgement you got?
Steve to be honest, I still don't know what you're referring to.
You don't know what I'm referring to? Well, then I will have to tell you in the dark
so I have here on this page that the NTCA, the Rural Broadband Association, legislative and policy conference. You attended that?
Yeah, I attended that.
Okay. Can you tell us a little bit about that? I thought you had permission from maybe it's just that you attend.
I used to attend every year. I've gone for four years in a row. And we meet, and it's, well, it's the Rural Broadband Association, National Rural Broadband Association. Actually, Jerry's colleague, Jen CISA. We call her Jen CISA. Jerry, can you please tell us what her last name is? So I'm not just calling her Jen CISA.
Jennifer Easterly? Yes.
Okay, Jennifer presented at our policy conference. So we talk policy on one day, and what's going on with Universal Service Fund, Affordable Connectivity Program and all of that. And then the next day, we all head to the Hill and talk to our legislators and tell them what's going on in our neck of the world and why we need their help on Capitol Hill. So it's an annual conference we do every year.
Thank you, Heather. So I'm sorry. I confused you there. But I knew that you were in Washington, doing good stuff. So thank you. Okay, Jerry, back to you. Sorry about that.
Okay, so some of you may have heard of CISA and some have not. We're not a well advertised, broadcasted agency as of yet. It's very young; it's only been around about five years. And so Steve has given me the opportunity, really, to come in and speak with you about what CISA does for you. You have access to a lot of resources available from the cybersecurity and physical security fronts. And he's given me an opportunity to present this. I did it last fall as well to the group, but we have some new members here. So let me see if I can get that to advance. So I won't worry too deeply on this. But basically, we came out in 2018. So we are one of the youngest agencies in the Department of Homeland Security, with the primary mission of protecting critical infrastructure. Now, critical infrastructure is wrapped up into these 16 critical infrastructure sectors. But frankly, almost anybody that you know, any business you know, pretty much can be tied to one of these components in some way, either directly or via dotted line, which means that the services that we offer are available to all of you for absolutely free. People love that free. Actually, let's not say free, that sounds cheap. Okay, let's say prepaid, okay, because you paid your taxes, you paid for us. And so I always encourage folks: put me to work, make me work for my money, because you've already paid for it. Take advantage of these things where it makes sense for you. And so these are obviously the nation state actors that everybody's well aware of that are really going after our critical infrastructure. And you hear more and more in the news about that. And so it's making our job more and more difficult. And so we really have to be out there in front of our partners, to help them improve their cybersecurity posture, especially those that are a little underfunded, you know, target rich, resource poor. And so we really try to get out there and do that outreach.
So one of the things that we do initially is communications. If you sign up for CISA alerts, I promise you, we will spam you, okay. But the advantage of having that, everybody will confirm that, but it's not really all the spam that is of value; it's that one or two emails that you get a week that may be important to you, that might directly impact you, an organization you're working with, or an organization you work for. So you kind of weed through the noise, because we're trying to cover all the infrastructure across the United States, and actually the world, and we have a lot of releases. But if you kind of weed through these, you will find nuggets in there that pertain to you that you could put an action on. So I highly recommend that. Shields Up: basically, this was a program that CISA, one of the many programs we're involved with, but this was when Russia invaded Ukraine. It put a highlight, especially on critical infrastructure, because it's kind of well known that Russia is using this Ukraine invasion to test their resources, their tools, their technology and their capabilities, so that they can probably pivot to use those against us here in the United States. So we have to pay attention to that. The KEV catalog: so this is really more for the nerdy types, or for you to get over to your nerdy types. So based on some of those alerts that we give, we also identify all the vulnerabilities that are out there, and our KEV catalog is a huge centralized repository of all the known exploited vulnerabilities. And where this comes in handy is, if you see something I want to be alerted, you can go over here and find out not only what the vulnerability is, but how to patch and remediate it.
But it's also good if you're deploying a new piece of equipment or new software or something with firmware. You can go to this KEV catalog, and you can look for it now, because vendors are notorious for deploying stuff with a known solid image, which might be dated, it may be old, it's not patched. They want to deploy something that is known good, so they don't have to work on it. And sometimes they haven't patched it appropriately. So when you do bring in a piece of new equipment or software, you want to come to the KEV catalog and search for that to make sure that it's up to date, and make sure that you are protected with your equipment and your updates. So that's where that becomes kind of handy. So free cyber security services and tools, right. So anything I talk about today, you will never get billed for. You can take advantage of these whenever you want, as often as you want. And we don't even have a process for billing people. So you'll never ever see a bill. And I'd like to bring that up kind of clearly, because we have had vendors and consultants out there across the US trying to sell CISA services. They're gonna say, okay, you can do these risk assessments, you can do all these different things. And they try to route the customer through themselves to offer our free services. So we're doing services for free, but they're taking money off the top, okay. So whenever you see the CISA logo and you see a presentation, please don't pay for it, because you don't need to. The bad practices page: so this really pertains to more advanced entities, actually. So I think we all can find ourselves guilty of getting too far down the road and forgetting the basics. And in cybersecurity, the basics are still being leveraged constantly. And so we might be following this shiny object and this new tool, this new resource, this new vendor, whatever. And sometimes we forget to revert back to the basics.
So I like to bring people back and say, you know, go to the bad practices page and make sure that you haven't bypassed or forgotten about the basics. Because all too many times I've done notifications to victims, and it's because they're very advanced in their security posture, but they forgot to do something that was simple, something that was basic. And so you really want to remember the basics matter, because those are easy exploits to you. So make sure your cyber teams or your IT teams don't forget to remember some of the basic stuff. And the ransomware. So ransomware is a big deal. If you're going to get hit by something, it's going to be ransomware, more than likely. This document here: we have a whole Stop Ransomware page, lots of resources. But I'd like to highlight this one because this is a PDF that you can download. And it's good in that it has a good way of describing what ransomware really is. Some people, we hear about it on the news, we know the term, we kind of have an idea about what it might be. This is a good place to kind of look at some good descriptions of what ransomware is, especially if you're trying to speak to executive leadership or getting people that aren't real familiar with what it truly is. And then it also has two other things that are great. It first of all has a whole section on how to avoid being hit by ransomware. And I have another tool I can show you that helps with that as well, which is obviously very important. And then if you have been hit with ransomware, it has some good tools and resources on what you do. And those are things that can go into your incident response playbook, or you can refer to if you find out you've just suddenly been hit by ransomware. Not going to. So we do have a section that talks about general AI for the election cycle.
But it's not just for elections. There are a lot of things that AI is bringing into the workplace and bringing into our world that we have to pay attention to. And so don't forget it. I mean, most people are familiar with AI a little bit. So there's some good reads that give you more information if you're not real familiar with AI. At some point, I might come out and do a presentation with you guys, if Steve will let me. I basically can take any one of your LinkedIn profiles and a YouTube video from any one of you, I can clone your voice and make you say anything I want. I can make pictures of you in jail or out hunting or whatever I want to do. And I can also do news articles or events and basically fake that maybe you were involved in some kind of scam or something like that. And it will take everything related to you realistically, and it's complete AI. You know, I don't know how to do this stuff. But I actually have a tool that I can show you how easy it is to do. And more importantly, how fast it is to do, and that's where AI has really become a force multiplier in the cyber front that we have to pay attention to. We want to ignore it, but we really shouldn't. It needs to be part of our life. We need to embrace it, but we also need to understand its challenges. Hey,
Jerry, can we go back to ransomware for just one second. Many folks probably know but the education community has become a prime target for ransomware.
Absolutely. And again, that kind of goes back to the target rich, resource poor. These bad actors know who has the resources and who is really doing a good job defending and who is not, and educational facilities happen to be one of those great targets for them, because you have very important, valuable information about students and about families, and it carries a great deal of value. And yet, you don't have the resources to protect and defend in the education space. And so that is one that we certainly try to target from a protective standpoint. But the bad guys know this, and they're trying to target them as well. Kind of the two main things that are getting hit out there with ransomware are education and medical facilities, hospitals, because again, a lot of valuable information, a lot of valuable tools, and they know that they can leverage those against you. So it's a very strong point to realize that you are being watched; they are coming after education facilities specifically.
This is Mark. There was a very recent municipal library shutdown for over a week for all facilities. I think they're just climbing back now. A couple of dozen facilities in a, I think, Midwest municipal library system shut down over ransomware, hard, and then went back to manual processes while they continue to crawl back on their computing environments.
Yeah, thanks for highlighting that, Mark. And, yeah, going back to manual processes, you mentioned that. A lot of entities can't; they've become so reliant on technology. And that's why ransomware has been so successful, is they don't have the option. If they don't have good backups, they don't have the option but to pay the ransomware, which we certainly don't recommend. We want to have good backups and have the ability to defend it, because some entities simply can't go to manual processes. I was doing a hospital event, and the initial statement was, yeah, we'll just go to manual charting and stuff. And then the question came up on this tabletop, it's like, well, do your people know how to go to manual charting? And unfortunately, a lot of the younger generation folks have never been trained on manual charting in the hospital. So their result, I think, was very clever, as they said they'd bring back retirees and people that are more familiar with the old school process to help train the younger folks on how to do some of this, because some of our younger generations have not been exposed to the manual process that you speak of. So that's another thing. Even schools, think about it: how reliant are schools right now on technology? Very, very much so. And so for them to be able to try to go back to, you know, there are no such thing as books anymore. Everything is online. So if they get hit with stuff, as you can well imagine, there's not necessarily a manual process to revert back to. So bear that in mind as well. Those are great points. Thank you, folks.
And Jerry, I think you're also working with Homeland Security. But Homeland Security, I believe it's the National Guard, in particular, are collaborating with the Department of Education, to provide cybersecurity assistance to schools. So I don't know if you want to talk about that now.
Yeah, so yes, I am a component of the Department of Homeland Security, but the National Guard is actually Department of Defense. And in the state of Arizona, they have a Cyber Command, run by Lieutenant Colonel King. And now Eric Ramirez, Captain Ramirez, has joined us. And yes, they have a mission. They're working with elections entities, because that's obviously very, very high priority. And schools: they will come in and they will do external and internal pentesting. I'm working with them on creating some tabletop exercises, as well as there is an umbrella agreement with Cyber Command that if a school entity does get hit, they have an incident response team that will come in and help you get out of that, or help you at least research it and then help you recover. And so yeah, that is a free resource that is available to all the schools. It's really kind of focused on governments and schools. So if you're part of a government or school, you have access to that resource as well. The key thing to note, though, is if you're not a school district, you do need to enter into an IGA with them. And you want to do that before you have a bad day, because scrambling to get an IGA done and through your board or whatever that is at the last minute, after you've been hit, is kind of very hard to do. So if you are a government entity, enter into that agreement with them early, and then go and take advantage of their pentesting, their internal pentesting resources. They're really good. They're very good quality, and they really will help you reduce your risk and your vulnerabilities. So thanks for bringing that up as well. Be
sure to do. So I just I just want to, you know, we have several people who were related to school districts, or work with school districts, and it would be great to help spread the word. Theoretically they are getting this information. But that doesn't mean they're actually getting the information. So to help share that information,
yeah. And so anybody here that is wants more information about wants to have a further discussion or wants to be in touch with the National Guard to have them come and tell you what they do and what they can do for you. Just reach out to me, I'll put you in touch with the right people, for sure. Actually,
Wesley King has actually presented to this group.
Oh, yes. Okay. Yep. And now, Eric Ramirez is gonna be taking over for him in the fall. So you'll want to know that name as well, Captain Eric. Because Lieutenant Colonel King has been deployed in November, I believe. And so Eric will be taking over for him. So okay.
Thanks for letting me know that
the team will still exist is different, different people. And again, I can put you in touch with anybody you'd like to. So now I'm going to go over, I'm not going to get real deep into these, these are all the services that we offer. It's better to do those one on ones with the IT team, the cyber team or leadership within your organization to really drill into what these things are. So I won't try to go through, I'll highlight some of them. But we won't go in detail. These are really more better with one on one because every entity has different needs different requirements in a different posture, and can take advantage of things at different levels, because we have varying levels of cyber maturity that we do. So first of all, one of our big things is an assessment, you can't protect something, or you can't can't mitigate risks unless you know you have them. And so these assessments are very, very valuable, what you can do them on your own or explain in a moment, or you can have me come in and I will sit with your team, while I can do it remotely or physically. And to do a cyber resilience review, or any one of these assessments really. So the cyber resilience review is for very mature organizations. And then external dependencies, that's if you use a lot of third parties, it's good for you to understand that mostly with finance types and legal type to make sure your documentation is up to snuff and make sure you've covered your entities interests when you're working with third parties. The CIS Cyber Infrastructure review is the most common one that I do. It takes about two hours, maybe three, depending if you have a larger group. And it's based on this standard covers five of the NIST domains. And we just kind of go through, it feels like an audit, but it's not as just a tabletop conversation, where I ask questions, you answer them. 
And then we come up with these graphs that show where you're measuring off on your posture, so you can focus your time. And I'll show you some of those graphs here in a moment. And then cyber resilience essentials and protective goals, those are for entities that are smaller, don't have a lot of things in place or kind of want to just get started. And they're quicker to go through. And just give you a snapshot of where to start. Incident Management Review. This is very handy, because if you have an incident response playbook within your organization, I hear a lot of, yeah, I had one, but we did it back in 2009. Well, whatever was happening in 2009, it's not happening again anymore. So having it reviewed on a regular basis is very helpful, we can come in and review that, help you and give you a scorecard on some of those areas, which I'll show you here in a moment. Or if you don't have an incident response plan, it will help you build one too. Then ransomware readiness, I'd mentioned that the PDF is good to have. But we also will do an assessment specifically focused on your organization, your technology, your policies, on your readiness for a ransomware effect. So that's very handy to kind of go through that and bring that awareness to the focus on what to pay attention to, and what to fix. You can always go to the cisa.gov Cyber Resource Hub and all the things that I'm talking about are in there, that have some better descriptions of that. Another thing that is like number one step: cyber hygiene, vulnerability scanning. Okay, so bad actors are scanning your external facing IP addresses and networks constantly. Alright, they're already doing that. This you sign up for, it's quick, it's easy, it's free.
And you see three documents I can send you, you fill them out, and you send those in, and inside a week we'll start scanning your external facing IP addresses and notifying you of all the vulnerabilities that you have every single week. Every Monday morning, you'd get a PDF that shows all the vulnerabilities including the new ones, since, you know, the cyber criminals are creating new vulnerabilities every day. And so we scan it every week and give you a report on that so that you can go in and fix, patch those things and update those. It's great because many of us don't just sit there looking for vulnerabilities or study all these things or can get on that. This basically brings awareness to these and they rate them really nicely. It's a nice dashboard that shows you critical, high, medium, low and informational. It ages them from the day you start. So if you have, like, one that's on a legacy application, or something that you just simply cannot remediate, you go for a period of time, at some point, you're gonna put your foot down and say, hey, we need to fix this, we need a vendor, we need a new version of this or whatever that looks like. So everybody should be doing this, because right now, you are being scanned by all the bad actors and all these government agencies. So let us scan and tell you what's weak, and what's vulnerable, so that you can get it fixed. Web application: if you have websites out there, we do the same thing. We'll scan your websites every week and let you know vulnerabilities or exposures and things like that. And that's come in real handy. And then remote vulnerability assessment. So when you feel you've got good scanning going, decent security posture, you've done some assessments with us, then we can have this remote vulnerability assessment.
And like Steven mentioned, if you're a school or a government agency, then now I do recommend the National Guard one, because it is more inclusive and more involved, but CISA does offer those as well for free. It's a team out of DC that will do the remote testing of you in one week. And then the following week, they'll actually drop a box in your environment that allows them to pen test you from the inside, just like the National Guard does. And let you know what it looks like if you had a bad actor get inside your networks. And what to patch, what's found inside those networks. So great resource, but again, if you're government, schools, use Lieutenant Colonel King's resources. So now,
does this also apply to nonprofit organizations?
It does. It absolutely does. Like I said, critical infrastructure can be tied to almost anybody. And so, you know, as you all probably know, any kind of cyber attack against anything in our environment, in our world, can be an attack against us, there are ripple effects that always happen based on one attack. So you know, it was like, say, attack against one of us is an attack against all of us. So I take every entity out there as critical infrastructure in the way I view it. Now, when we talk about CISA and their remote vulnerability, they prioritize those things based on if they are critical infrastructure, like if they're critical manufacturing, if they're water, wastewater, if they're an electrical utility, if they're a school district, if they're an elections office, they get prioritized, obviously, based on the impact in the environment. I don't prioritize them that way, I basically prioritize based on my schedule, when can I get to it, and have a fair and flexible schedule. So I can do these things with you. So some other resources. So remember, I said on these assessments, you can do them yourself, there is a free tool called the Cyber Security Evaluation Tool, the CSET, simply go to cisa.gov and type in CSET. And you can download this tool that not only has all the assessments we do, but it has a ton of other ones and industry related assessments. And they're just really good evaluations that you can do on your own. Now I've had several customers say I'd rather have them guided with somebody that works in the industry and knows how to do these, at least for the first one, and then they'll follow up and they'll do them on their own later, which is a good technique people have used. Working with to some electric powers, one of my people I'm working with, and their cyber supervisor went and tried to do the CIS assessment. And he said that it's just too involved.
So he's gonna have me come in and do it for them. And then they'll do all their follow ups once they learn how to do them. But you're welcome to do any of these, I encourage you to have any of your IT or cyber people download the tool, look at it, look at the assessments, understand which ones make sense, and attempt them if you'd like. Or you can go through them and say, okay, no, this would be wonderful to have Jerry come in and help us with, and I'll be there for you. So, you know, some of, like, the ransomware readiness assessment and Incident Management Review are built right in there. So you can go and do the assessment yourself. You don't need me, you guys can do them yourself and kind of walk through that at your leisure. That's the nice thing about doing them yourself, you can spend an hour and do part of it and then come back to it next week and do another part of it. You can pace yourself through the tool. Whereas if I come on site, we're going to try to bang it all out in one shot. So that's the big difference. Malware analysis. So if you do find yourself with malware and you want a software analysis of that, you go to our website, upload the malware and they will give you a run through a software analysis piece and it will let you know what it was, who it was, what they were attempting to do, all that stuff. So that's a handy tool to have. And then we also do tabletops. And I listed a couple here. And there's one that I'm actually not really listing but is real, I will create tabletop exercises for you and facilitate them for your entity. Tabletops are really important, they're usually the last ditch effort, people don't like to consider them. But if you have a plan, and you have a team that you don't practice it with, in the event of any event, that's not the time to practice. The time to practice is in a controlled environment.
So everybody knows who does what, when, and where and why. And that's what the tabletops are really good for. We can do large scale ones to our national planning team, we have a regional planning team out of Oakland that will come in and do those for you, or you have me locally that will take care of those as well, I can do them remotely or on site once again. And then you also can just go to the CISA website and download a template and do one yourself. There's tons of them out there. And you can build your own one. And entities like to do that initially, just to get a feel for what's a tabletop look like, who gets involved, and walk through them. But somebody still has to facilitate. I offer the advantage where I will come in, and I will do all the injects, I will do all the tabletop and I will facilitate it so everybody in your entity can play. So that's the advantage that we have there. So, you know, again, if you don't test it, running around with your hair on fire is not an incident response. Having a response plan, and having it tested, is very, very valuable. And then Information Sharing and Analysis. So there's an ISAC for pretty much everything out there. So we have the EI-ISAC, which is the elections infrastructure, there's a hospital ISAC, there's an electrical ISAC. So there's usually an Information Sharing and Analysis Center, an ISAC, that you can sign up for that would be related to your industry, those are very valuable and free. And there's a subcomponent CISA funds, the MS-ISAC. So that's the Multi-State ISAC. It's funded by CISA. So they're a partner of ours. And they offer information sharing, which is, again, you know, if somebody gets something and alerts them, they can alert everybody at the same time. And that's very helpful. So we can try to keep in front of some of these bad actors. Couple websites I highlight, yet somebody saved them. Okay.
So we have Stop.Think.Connect, which is an educational resource. The StopRansomware, all things ransomware. It's a good site to go to. Cyber protective visit. That's what I mentioned, you call me in and I can kind of go through these things in greater detail with your organization, we come up with the cyber plan to help bring some of this stuff online and talk about some of these things. We also have a physical protective visit. So we have two physical security advisors here in Arizona that will actually come and do a walk through. I went through cap water with them earlier this week. And next week, we're gonna go on to a pumping station. So kind of do the physical, where we look at, you know, if you have ramming issues, or you want to do an active shooter presentation in your site, all that stuff, and then they walk through, look at your cameras, camera locations, blind spots, door access, and all those other things. So certainly take advantage of that, I can put you in touch with a physical adviser. And then cisa.gov, my warning on this one is, cisa.gov is like, it's like YouTube for cat videos, once you go on, it's just got all kinds of stuff that you can squirrel and you look up and, oh, geez, I just wasted two hours. cisa.gov's like that, it's a huge catalog of resources and a lot of great resources, but it will squirrel you. So if you go in without an intent, you're gonna get lost. And so I recommend using cisa.gov when you come up with something, say, hey, I want to know how to do this, I want to research this, I want to address this problem, go to cisa.gov and use the search engine. Because if you just simply go there to see what it's all about, you may find yourself lost. I'm sure some people, if they've ever been to our website, will probably affirm that that's a challenge. So moving on here, assessments.
So kind of, you know, the high level, you know, you can't protect what you don't know needs protecting, you can't fix if you don't know what's wrong, right? So these assessments are very valuable to everyone. And I also like to highlight, we are a government agency. And so if you're private sector, you're like, I don't want the government getting my information because we are a republic. We're voidable if that's what you're gonna word, but we do put your data under a law called PCII, which protects your data against stuff: FOIA requests, we can't disclose anything publicly, and your data cannot be used in civil litigation or regulatory processes. We are not regulatory, we don't report to anybody. So people get concerned like, well, if you got all this information, do you have to report that to our insurance company? No, I don't. And I won't, my job is to help you become more secure. And if I share your information out, you're not going to trust me anymore. And your cyber information is very, very important, because if that gets in the hands of the wrong people, game over. And so we collect this information and we do hold it very close hold. If I get information about an entity, I'm not even at liberty to share it with another CISA employee, unless you instruct me to. So it's yours and yours alone. And so just be aware of that. So then, these are just some of the different reviews. This is the big one I talked about, comes out with a scorecard. There's 11 of the NIST domains, it's covered in that one, that's a big one, that's a full day engagement, 300 and some odd questions. So it takes some time. But here's the output, so you can basically get a report card. And what's nice about these assessments is they tell you where you need to focus your time, resources and money.
If you've got a green bar going all the way across that report, don't spend any time there, it means you're doing good as it pertains to NIST standards or best practices. But if you see red all the way across, that might be something you should be taking a look at, spend your time working in the red and yellow areas and ignore the green areas that helps you focus your resources and time. Especially if you don't necessarily know where you really need to begin. And then the external dependency thing, it's the same thing I already covered that they come up with a scorecard. And you can use this information to bring back to your finance or your legal department and make sure that these things are held in your boilerplate and your T's and C's to make sure that your best interest is covered.
So the CIS is the one I do most commonly, here's kind of the output of that, where it kind of has, these are the five domains we cover. And there's lots of sub domains, you get all these different sub graphs that show, again, where to spend your time. So you look at this, okay, incident response is my lowest area, maybe I should spend more time on incident response. But again, it's up to you as an entity to decide what's important to you. And then it does a comparison, based on what other like entities aren't doing in these areas. Then Incident Management Review, I mentioned that. And that's good for you to do yourself, but I can certainly help with it. Same thing, coming up with a scorecard. So now you can address the red, the red markings could be a policy, could be a procedure, could be staffing, could be a communication plan, it could be anything. Address the red stuff, and the yellow stuff. And that will help bolster your incident management plan or response planning. And then the CRR. Again, this is for entry level folks. So if you just want to get a quickie snapshot on where your security mindset, as you can see, it's very simple. It's a yes, no, maybe kind of scenario, question and answer. And then you can kind of look at the areas you want to focus on, or the areas that you need to do some research on. And so it's good for entry level, doing a self assessment, just kind of see where you're at. Vulnerability scanning. So this is the one I harped on earlier, is have us come and do the vulnerability. So just to highlight this. Now, this is a very old slide, but it said we had over 7100 customers nationwide. We've really been on an effort banging that drum to get people involved. So we have a lot more than that. But we find vulnerabilities all the time.
And I will say that this slide, it says most of all enrollees see improvements in the first 90 days. I can tell you, I've worked with several entities, including when I worked for Pinal County as the CISO. You actually see improvements within the first week when you first get that report. So a little scary, saying, oh, geez, I didn't know I had all this stuff. But you and your team is working on it right away. Okay, so and then the 40% reduction in exposure. Again, it's much higher than that. Because if you have exposures out there, you know that the bad actors are trying to exploit them right now as we speak. So if you get those and you button those up, you really improve your posture, day one, okay. And then the web application scanning, same thing, it's a report card you get and you can go and fix any of the bugs or vulnerabilities or weaknesses you have in the web environment. The ISAC then all of that will get too deep into the Information Sharing Center. But please reach out to your ISACs and get involved with them, share information out and get information in, that's really important across our country. And then we also offer some free training, go to FedVTE, which is a virtual training platform. As you can see, there's several different high level trainings that you can attend. Most of them are pretty short, but they're free. So take a look at those instead of paying for some of the resources, see if there's something that is applicable for free. And if you're a .gov, create a login and you get access to a whole nother, much deeper, broader library if you have a .gov email address, but if you don't, it's the free publicly available stuff. And the CSET tool I've already mentioned, download it, have your cyber or IT teams download that.
Or if you have a risk manager, that's a good place to look at to do all these assessments and see, because there's so many more that are available to you that you can do. And then this is where you can upload malware to us, and they'll do an evaluation for you. Then this is the cyber events. And if you are a school, or a government entity or city of any form, Ryan Murray, who was at our event last week, is the guy that kind of oversees at the state of Arizona all these tools that are available for you for free. And we also have resources to help you implement and roll these things out. So please take advantage of that. They're great tools, and they're free. So take advantage of it, especially you schools out there, please, please make sure that you're working with Ryan on that. Okay, so there's my contact information, please screenshot it or whatever you would like to do to make sure you can reach out to me. And now, I know I talked very quickly as a quick overview. Any questions out there, folks?
Jerry, can you stop sharing now? Please? Yep.
No questions. Did I cover everything good?
Well, Jerry, I just want to say a couple of things. I've been getting notices from CISA for years. But I never really understood what else CISA, always knew that they were focused on critical infrastructure, but really had no idea about the kinds of resources that you just went over today. And I have talked with Jerry and Ryan Murray and a number of others about the cybersecurity issue. And the vulnerability of all these people that were connecting, during free internet and free devices, and so forth. And there's a lot of vulnerability out there. So anyway, just wanted to share that. Oh,
and another thing I don't have on my presentation that I would like to share out is I do offer security awareness trainings to companies and to write to people, maybe you're an elder care center on Green Valley, and a couple of weeks, and I'm going to, I'm going to be talking to the residents who are a target, you know, elderly people in technology as a major target, as well as I'm gonna be talking with their staff. So again, if you want somebody to come in and do a security awareness training for your staff, or for customers, or anybody general public, let me know, happy to do so come in, kind of scare people straight. Let's see, oh, somebody asked. So I'll put my email address in here. And then Andrew asked about during the presentation, what I'll do is I'm going to send an email to Steve, with the basically, it's the slide that shows our services. And it's a Word document, actually, and it kind of has some links over to the physical website, I will share that off to you so that to Steve, and he can share it to the membership at large. And so that, that way, you guys will have my contact information as well. But that way you can kind of see high level what I cover today. And maybe bring that to your organization and say, here's some things we should be looking at, then contact me and let me come in and do a do a sales pitch, if you will. And I'm putting like, email into the chat right now.
Okay. So, Randy, I think he addressed your question in the chat, but you want to just talk briefly about what you were thinking?
Well, my thoughts were is that getting this information out to the school, you know, there's so much over changing of the guard when you have new school years arrive. And, you know, our schools have a tendency of hiring from each other and what have you, so I think I'd like to try to help get this out to some of our, especially our rural counties, most of them I'm sure have seen this, but I think knowing the school superintendents are in that mix, I think, would be additionally helpful. In, you know, in cases like Arizona, of course, we're having elections for school superintendents, and some of them are leaving, and particularly, you know, I think Kim Carter's one of the best we've ever had, and, you know, he's finally getting the chance to go do some fishing here come January. So I'm trying to maintain that continuity for what they have and what they don't, in the updates that Jerry was providing or some things that I think are new. So anyway, my thought was, Ilana, thank you for sending me your email. So my thought is to kind of take what Jerry is presenting, and get it to our county managers and school superintendents, just so that they have it, and put Jerry's invitation out there. Let him come in and talk to these folks.
put me to work, please.
You're asking the wrong guy, Jerry. You may, you may get to retire after I'm done with you, but you'll be tired.
Like I'm asking the right guy. This outreach is very important, because we don't have a means of advertising what we do, yeah,
well, well, I think this team you've got on here is a great resource. So you'll get a lot of folks to spread that word. So anyway, that was my thought, Steve. Yeah,
everyone has a job. Sorry. Go ahead, Jerry.
We got, we got a program that just kicked off a couple of weeks ago called secure our world. And it's obviously a mission. Jenny's really put out there, we got a public service announcement. If you go to our website, it's a cartoony thing that you can share to your customers into coworkers and stuff. It's annoying. I'll admit that upfront, but it really does cover the key things multifactor, secure passwords, things like that, and the forbidden keys. And it's, it's tricky. It's a good, good for all audiences, because everybody can kind of relate to it. And like I said, it's a little annoying, and the jingle side, but it is good. So please go to this website, and you will see that secure our world public service, cartoon, and share that share it widely because it is it does have some good talking points, especially for people that don't really think along the lines of cybersecurity.
Well, Jerry, when you talk about the resources for schools being very, very target rich, I think this is something that they need to regularly continue to, to bring to their boards and you know, their local districts. So anyway, so I'll just take what you send me, and I'll share it, you can make them cartoons or anything you want. But I think that they need to see this more often. You know, sometimes things Elevate, as soon as the school gets hidden. Everybody gets worried it's a little late then. So
Yeah, one of the big challenges that we run into with school districts, particularly the small and rural school districts, is that their IT director is also the football coach, and the science teacher and all kinds of other things. And so it's a real challenge to be able to help. Yeah, even the larger districts have their own challenges. But the smaller school districts have a challenge. Jerry, if you want to speak to that at all. I'm sure you've run into that.
Well, yeah, I mean, one of the things I run into mostly, I mean, the large school districts have had the challenge of, they sometimes don't take cyber very important. I mean, it's obviously the instructional side of the house is where their main focus is. But if you just look back, Mesa schools got hit really hard. Tucson Unified School District got hit really hard. So even the big schools aren't necessarily taking that to heart. But one of the bigger concerns will be our rural school districts, the small ones who, you know, the IT director was a math teacher who built a computer back in 1976, right. And so they really don't have the resources. Not only just from the, so all these tools that I mentioned, they're all good and nice. But if you don't have anybody that has the ability to manage them, or monitor them, they're kind of a waste of time. And that's one of the struggles that we have, is the resources on the school side. So that's the problem we've been trying to address, is getting extra resources from the state level to help support these entities that just don't have the staffing to not only deploy the tool, but to keep the tool up to date or to manage the tool or do something about it. So is that what you were talking about, Steve? Yes,
absolutely. So Dario, you had a question?
Yeah, thank you so much. Great presentation. My question was, in terms of linking up with the research groups at universities in cybersecurity, both in software and hardware. Do we have any channel of open of communication or how can we make sure that we're connected? Yeah,
So I've worked with us a little bit ASU quite a bit. But I'm really network with many of the other universities, and then I've worked with a couple community colleges, central Arizona Community College and Pima Community College are closely with them. But yet, you know, same thing is, you know, this is an outreach program I have. And so if you have any contacts or somebody you can put me in touch with, we can talk about what we offer, and help augment whatever tools, resources they have. Now, even universities have had some really good cyber programs and some good cyber tools and things like that. And they're generally pretty good. But I will tell you, one of my jobs is to do victim outreach. When we identify a device being actively exploited with ransomware, I contact these agencies, and it's nice if I have a contact I can call directly. Otherwise, I sound like a scammer saying, hey, there's something bad going on. And if they're good at their security, they will hang up on me, unfortunately. But even as good as ASU and you have AR and its largest AR here in the state, I've had to make victim calls to all of them. One of them was kind of interesting, there was a device in their network that was beaconing out to a ransomware server. And when I contacted them, they didn't have any idea about this device, they found out later that it was a teacher that had put that server up for a class environment, that teacher had been gone for three years. So this device was sitting out there talking to the internet, and they had no idea that was happening. And through my phone call, they were able to identify the device, and it's just sitting out there running. And you know, as you guys had mentioned, there's turnover in these areas. And that's a great example of that, where you had an instructor in your school environment that wanted to do something for the purpose of the class.
And then they leave, they turn over and they forget that that device is sitting out there running, and then the IT or the cyber team don't even know it exists. Again, another valuable use of either having us do our scanning of the network, or even better yet having us do the cyber hygiene scanning, so that somebody can look and see that, you know, you got that Windows 8 box sitting there talking to the internet, you know, when you need to get that off of there.
Sounds great. Thank you so much, Mary.
And Mary, Lisa, we will be sharing, and actually his contact information was in the email I sent announcing this meeting, and it will also be in my follow up email. So Jerry want to, well, actually Dario, maybe this is in relation to your question. But one of the things that I've observed, and I actually created a cybersecurity alliance many years ago, back in the 80s. And one of the things I observed is that we have a lot of cybersecurity organizations, but many of them are focused on enterprise organizations, IT professionals, cybersecurity professionals, not the small business community, not the, now of course, we have even more users out there who never even owned a computer, and yet they're vulnerable, and they create vulnerability for a lot of other people. And so that really, I think, is a big challenge. These research groups and a lot of them are focused on training cybersecurity professionals, all those things that are important and necessary. But sometimes we tend to forget that there's a whole world of other people out there who don't understand cybersecurity, don't know about resources, don't know where to go to get help. Often they can't afford to contract with folks to manage their networks. And so we have a lot of vulnerability out there that we don't have a good strategy for.
That's that's a good point, Stephen. And we're dealing with the AI threat, as you as you know, both as a threat, and also as a defense mechanism. And I was very impressed a couple of months ago, I had to participate in a presentation one of our faculty with a company that a company that was losing hundreds of millions of dollars with scams, that were automatically implemented using AI and some bots, and I could not believe that the company could lose so much money through that kind of process. So now we are we are generating capability. But to your point, we have a huge university that of course, it's a client. And also it's it's a producer of technology and solutions. And sometimes not necessarily we have all our capabilities being used to defend the network that we use every day. So I really liked that example that Jerry gave, because once we learn about that perhaps we can make sure that our capabilities in the lab migrate to all the users all the way to the community and also the small companies.
Thanks, Dario. Any other questions or comments? Jerry, great job, great presentation. And you know, for a lot of people, as you started out on your presentation, oh, God, people have no idea of what CISA is, never heard of it, and so forth. And so to be able to learn a little more about CISA, and all the resources, you know, and most people, most people like myself, who knew about CISA, really were thinking more about the critical infrastructure focus of CISA, and not all the other kinds of resources that you provide. So I think it's pretty amazing. Thank you. Any other questions? Or comments for Jerry? Jerry, anything else? Before we, we're about out of time here? Nope.
I'm good. Thank you everybody for your time and attendance. And please share the Word and invite me and invite me into your organization's and let me let me let me help you put me to work, please.
And we will share his resources. Are there any? Excuse me, any other announcements anybody has before we up for today? Going once, going twice. If not, I do believe that we are done.
Have a great day, everybody. Thank you.
Thanks again, Jerry. Yeah. Thank you, Steve. You bet. Thanks for Thanks for Thanks for joining. Definitely one morning with you anyway, we can well I'm Vivian I'm sorry. I didn't introduce you. I was looking for you. I know you were there. And then that books, and I think she just Oh, there you are. And so I was gonna introduce you. And then I couldn't find you. Well, that's okay. I know. I was like, the bottom the ledge. Well, we'll do that again. When you hopefully join us again. Sounds great. Thank you for Bye. Thanks.
See you tomorrow. Okay,
anybody else? Kirk Busch There you are my bud. Did we lose Andy? Oh, no. So stop recording.