Denis Savage of NFINIT: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

Published in Authority Magazine · 13 min read · Aug 23, 2021


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Denis Savage.

Denis Savage started his career in the IT industry as a slayer of dragons, starting with the game Ultima in 1987 on his Commodore 64. He had no idea then that his nerdiness would lead to greatness — and they say hanging out in basements as a kid will not be rewarding. Denis has been in the IT industry for 25 years, serving multiple leading roles. As the Director of Network Engineering for Zayo Group (formerly KIO Networks/redIT/Castle Access), he was responsible for all network infrastructure within Zayo’s data centers across the US and Europe. In his current role at NFINIT, Denis is responsible for operational support across the company’s entire IT space. Mr. Savage’s thoughtful leadership has helped NFINIT stack layers of Subject Matter Experts (SMEs) throughout its cloud, disaster recovery, network and security practices.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My love for IT really came from my passion for video games as a kid. While I had the experience of playing pixelated games on my Intellivision and Atari, I was fascinated when Ultima came out on my Commodore 64. As games improved and became less pixelated, I wanted my experience to be flawless. I learned everything I could about computers in order to customize my build to outperform what was on the market. As things evolved over time, and I went to school for computer science, I was able to parlay that curiosity into an IT career that has now spanned over 25 years. I feel pretty lucky.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

A natural progression occurred across my IT career that has led to cybersecurity being at the forefront of every thought. A single story did not inspire — it is the totality of it. When I first started in IT, security was the afterthought. It was desired but in the context of a budget that didn’t reflect its importance. You have to know a fire is hot before you can take the appropriate safety measures. As the C-level team became more aware of the dangers that were inherent in a digital world, the need to provide enhanced levels of security rose. Now, we think of security first, and applications and servers have to comply with that methodology.

Can you share the most interesting story that happened to you since you began this fascinating career?

The most impactful time of my career came when I taught the Cisco Academy at Coleman University. Scott Green, an instructor at the college, and I became certified as Cisco Certified Academy Instructors in 2010. We brought the initial four-semester training to Coleman and built the syllabus and content (with Cisco’s help) to the classroom. Being able to give back to the community was life-altering. It really put things into perspective — how helping someone else achieve their dreams can mean so much to you. I was lucky enough to hire a handful of people that came through that program with me. A few are still with me at my current company, NFINIT, today.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

There are so many people who helped me during my career that it is tough to narrow that down to a single person. Speaking strictly security, I was lucky enough to work with Matt Stamper, a CISO on the Board of Directors for ISACA. He really drove home the importance of business security before it was a thing. He has championed security for a long time and kept many of us mindful of security in how we architect infrastructure.

Matt is one of the most interesting personalities you will ever meet. He has quite a few catchphrases that always made us laugh, starting sentences with “fundamentally,” saying, “I can spell IT if you spot me a few letters,” and, of course, his interest in world history. History is a precursor of things to come.

Are you working on any exciting new projects now? How do you think that will help people?

We are working on a full compliance portfolio that will interest our clients. As their needs change to ensure greater levels of cybersecurity, we are focused on constructing a security framework that fits into the higher-level compliance our customers desire. We are scoping in a larger segment of our infrastructure to be PCI-compliant and will be looking at whether HiTrust is a fit for us as well. We are working with several of our clients and mapping our policies and procedures to meet their needs. By strengthening our security posture, we do the same for our clients.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Keep your passion. Be positive. IT requires constant learning. You have to come in with that mentality and be eager to dive into new technologies. The next one might break a barrier, and being on the leading edge can be exciting. The best way not to burn out is to be a mentor and take the time to teach other team members your trade. There is a tremendous level of satisfaction in helping others achieve success. Passing knowledge to your peers is a great way to lift up others while also lifting up yourself.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

“Exciting” is an interesting word to use in conjunction with the term cybersecurity. I always feel like you need to be on the edge of paranoia. A healthy dose of fear. That fear promotes a desire to ensure that data is protected properly.

What excites me is the larger world seeing the importance of security. By highlighting the issue and ensuring this is a hot topic in the news, that raises the awareness and makes it easier for companies to justify improving their security posture.

As the need for hyper-vigilant security increases, the industry has accelerated the go-to-market strategy to improve upon security postures and lessen attack vectors. This is leading to innovations within the cybersecurity space. Prior to this, companies had only a few select cybersecurity partners to choose from. Now, we are seeing more innovation in this space. That is good for everyone.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

We are just touching the tip of the iceberg when it comes to ransomware. If you are not taking this seriously, you need to have your head examined. Now is the time to start taking steps to improve your security posture. Remember, good is better than no movement. If you can make incremental security improvements, you are setting yourself up for success. Tackle the smaller things first — ensuring you control data across segmentation zones — both inbound and outbound, ensuring antivirus is up to date and on every computer, event logging to a SIEM, and building policies and procedures that dictate how you will handle the various components of security.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

A tale of caution. We had a client who was working with a consultant on a migration from Exchange to Office365. The client provided elevated privileges to the consultant. That consultant account proceeded to be hacked and the attackers used that to install a key logger on the system, capturing other credentials that allowed them to go east-west. From there, the attackers were able to spread a ransomware attack across the entirety of the client’s infrastructure. Luckily, we had implemented a strong immutable backup policy that allowed a quicker recovery, but many lessons can be gleaned from this situation. And we all need to continue to learn.

We have a stringent policy against allowing unfettered access to consultants/vendors, and, generally, only allow access via a shared screen — so consultants/vendors do not have credentials. Our team would watch over what consultants/vendors are doing to ensure the safety of our infrastructure is always maintained. If we believe that consultant/vendor unsupervised access is necessary, consultants/vendors must go through our security risk assessment before obtaining access. This assessment is an in-depth look at how they handle security and the compliance frameworks they are adhering to. We can then make a decision based on the data whether the consultants/vendors take security seriously enough to be deemed worthy of unsupervised access.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

There is a comprehensive list of tools, working in concert, used to enhance your cybersecurity posture. ManageEngine is our primary Security Information and Event Management (SIEM) tool and automates reporting on anomalies. It also includes a File Integrity Monitor (FIM) to ensure that critical files remain unchanged. Firewalls (we use Sophos) need to be present and configured to block all, only allowing services that are absolutely necessary. We also use Sophos for our Antivirus, allowing us to marry our security posture from the servers up through the firewall, which allows for synchronized security. On top of that, we run vulnerability scans daily against our publicly accessible IP addresses and run penetration tests routinely against our private IP space. Security Awareness Training and Security Training must be constants. Frequent phishing campaigns against your user base are a good preventative tactic and reinforce the training. Immutable backups, which cannot be encrypted, deleted, or modified, ensure that if there is a breach, you can safely recover.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

There is no way to put every company in the same box — each business needs to determine their acceptable level of risk. Asking the tough questions around the impact to the business, looking at varying levels of compromise, will assist in developing a plan that works for that business. What we can say is that every company needs to factor in a cybersecurity budget. That should include constant training and a security posture that includes firewalls and antivirus. Smaller companies would likely benefit from outsourcing tasks to an external vendor.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Potential indicators of compromise:

  • Changed/edited/locked files
  • User accounts locked out
  • Degraded performance: slow browsers, memory and CPU consumption spikes
  • Abnormal system behavior: pop-ups, program crashes, unusual warnings

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Try and determine patient zero, and, if possible, isolate that device from the network to reduce the risk of cross-contamination. If not possible or the issue is thought to be widespread, remove all devices from the network and perform forensics on each system, collecting evidence. This can mean removing network access and even powering down affected devices. Change credentials on all administrative users. Force a password change for the entire user base. Secure the perimeter of the network. Closing things like RDP or other means of entry until the root cause is located is crucial. Notify authorities, as necessary. Restore from immutable backups and go back far enough to ensure you are not bringing up already compromised machines. The recovery portion is where you assess what happened and how to ensure it does not recur.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

This is shedding light on a largely underappreciated commodity — privacy. As more information is shared online, there is a greater need to protect those assets. They say that you can find the identity of someone with 87% effectiveness by just having their name, zip code, and date of birth. Social media has made most of this information readily available. On top of this, “willful neglect” is a concept that everyone needs to understand, reported as, “the conscious, intentional failure or reckless indifference to the obligation to comply with the administration simplification provision violated.” In non-technical language, this means that you cannot simply ignore security. Principals of the company can be held personally responsible for such neglect. That is serious — and can include fines and jail time. As a result, businesses will need to be increasingly aware of security and will need to dedicate budget to ensure the safety of their data sets.

The media needs to be continually preaching, teaching, and marketing cybersecurity awareness. By talking about it more often, we can raise the awareness to the level it should be so companies can take larger steps to minimize the effects. President Biden’s Executive Order on Improving the Nation’s Cybersecurity is a move in the right direction as well. The narrative has to be that this is something we discuss often.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The thought that simply putting antivirus in place has achieved the desired result. Security can be a behemoth. It is not a single thing. It is a compilation of policies, procedures, constant learning, technology, and constant upkeep. Security awareness training needs to happen on a routine basis. We have seen companies put a firewall that allows all in front of their critical business servers. We have seen companies allow a vendor domain admin access and have that account compromised.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

There has been a constant threat level in the cybersecurity landscape for some time. What we have seen is more conversations on the topic, largely sparked by some very large attacks. The SolarWinds hack brought some of this to the forefront. It is not that there are necessarily more attacks (although there are more ransomware attacks, specifically), but we are hearing about them more.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

  • Create a company culture that puts security at the forefront. This should include constant training and testing of your users as well as hardening guides for servers and firewalls that allow access only to the services that require it. Users are, generally, the weakest link of the organization. Clicking on a nefarious link is still the easiest way to breach a company. Phish threat campaigns against your user base can help train employees. In addition, it only takes building one server incorrectly without the necessary security features to bring about a compromise. Every system and application should be built with security first.
  • Perform a risk assessment. A risk assessment is a complete view of everything surrounding your IT presence and the holes that exist. Once risks are identified, they should be categorized to remediate or to allow an acceptable level of risk. This can go a long way towards closing attack vectors.
  • Expand your horizons from thinking perimeter security is enough. This old-school mentality can get you in trouble. Security is comprehensive and should extend from firewalls to servers. This means building hardened servers, using only the required services and disabling unused services, installing antivirus software on all machines, and routinely running scans against your servers for vulnerabilities.
  • Create immutable backups. As noted previously, immutable backups cannot be encrypted, deleted, or modified. Ransomware relies on companies not being able to safely recover from a breach. Having immutable backups can ensure your business recovers without having to pay a ransom.
  • Develop policies and procedures around security and compliance. There should be guidelines that define how to onboard/offboard employees, how to build a hardened server, what security should be built into applications, and the steps to take should a breach be identified.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Be a mentor. Everyone knows more about something than someone else. We should each be striving for how to help the “we” instead of the “me”. By creating a “we” society, we are looking out for the best interests of everyone. Use your skills to teach and help others. Hoarding information is not the way forward. If we each share our experiences, we will pass on life lessons that can help another. That impact cannot be understated.

How can our readers further follow your work online?

Check out www.nfinit.com and follow NFINIT on LinkedIn (https://www.linkedin.com/company/nfinit-us/) for more insights from myself and my colleagues. Find me on LinkedIn at https://www.linkedin.com/in/denis-savage-633b9b/.

Thank you for these fantastic insights. We wish you only continued success in your great work!


In-depth interviews with authorities in Business, Pop Culture, Wellness, Social Impact, and Tech