I’m here at the lovely Westin La Paloma resort in Tucson, Arizona. TAG—Technology Affinity Group, the IT, grants and program leaders from grantmaking organizations—is having its annual meeting here. So, this week’s post will be a sort-of real-time blow by blow of events and insights from the conference. I’m here with my colleague, Jackie Bilodeau to learn, meet new friends, and present a session on cybersecurity. I hope all our readers will find some interesting insights, even those not involved in TAG or philanthropy.

The first takeaway for me is an old truism: the nicer the resort, the less time you will have to enjoy it. The resort is situated against the Santa Catalina mountains. There are plenty of hiking trails, three nine-hole golf courses, tennis courts and a couple of swimming pools (including a swim-up bar, which has Jackie’s interest). With any luck, I’ll manage to take a swim. [Note: this didn’t happen.] I’m not asking for anyone’s sympathy (don’t cry for me, Argentina). It’s just that, between a busy work schedule and an injured knee, I can’t really take advantage of all the amenities here. Back to work.

On a side note: I came to the TAG opening cocktail reception straight from the airport, so I wasn’t able to pick up my name badge. I thought that might make it difficult to meet people. I was pleasantly surprised by all the people that already knew me—the result of reading our weekly newsletters. Thanks to all of you who are reading this!

Cybersecurity

A few of my initial conversations (after Tim O’Leary and I talked about fishing) had to do with cybersecurity. It sounds like the “hey, I need you to wire $XXX thousand” scam is alive and well. In fact, the bad actors are getting more sophisticated. They’re more carefully forming email addresses, in some cases spoofing the actual email address. They’re paying attention to social media indicators that identify when leaders might be out of the office, lending credence to the claims about needing money wired right away.

After discussing a breach and the response with one TAG member, I suggested one additional step for them: set an alert (this is for Office 365 customers) that identifies when a user has set a forwarding rule, sending email to an address outside the organization. Yes, there are legitimate reasons for setting such a forward, but this is also a flag that the user’s account might be compromised.

Here’s a link that describes this suggestion and how to accomplish it. For our CGIAR readers, CGNET can set this. Just let us know.

Another recommendation, although this is more reactive than proactive, is to run a regular audit of administrative actions over the last (you pick how long) time period. This is especially valuable for larger organizations that have a distributed admin function.

I found it interesting to see, in one of the security sessions, that most of the audience members had implemented Office 365 Advanced Threat Protection. I recall running a session a few years earlier, where hardly anyone had implemented ATP. It was nice to see the change!

Anatomy of a Malware Attack

Oleg Bell from the Open Society Foundation demonstrated how a malware program, Wannacry, works. He ran the program in a sandbox for safety purposes, while we watched. In just 60 seconds, the program had taken over a Windows executable considered “safe,” encrypted files, deleted other files, and attempted to connect with known bad command and control sites. It was a little scary to watch. Oleg also said that malware creators have adopted public cloud services to develop and host their malware. One benefit (for them) of this approach is that organizations can’t simply block all traffic from a malware location, since this would block other legitimate traffic from Google Cloud, AWS or Azure.

Data-Driven Defense

This reality led, during my security session, to a discussion of “data driven computer security defense.” Earlier security approaches focused on defining who or what was not to be trusted and presumed everything else was OK. That model is breaking down. Likewise, focusing on defense of a perimeter is breaking down, as the perimeter is (with the use of mobile apps and devices) resolving to the device itself. Instead, what’s called for is a more intelligent approach that seeks to better understand each kind of threat and craft a response in turn. From there, we can begin to consider ways to automate the threat understanding and response.

Adios Tucson

I learned a lot of other interesting things at the conference, but I’ll save those for another post. Meanwhile, if you can get to Tucson in November… I highly recommend it. Just reserve some time to enjoy the surroundings!