Using common sense to stay secure with Joe Dietrich

Host Jeremy Cherny interviews Joe Dietrich, Manager of Hosting and Storage for Dover Corporation 

“Dover Corporation is a diversified global manufacturer. We've got about 325 global locations with about 23,000 employees worldwide. What I do for Dover is lead teams that provide server and storage support, as well as Active Directory support and what we call data protection, which for us means backup and disaster recovery.”

Why is security important?

The systems and applications that run on the servers and storage that my team supports are things like Oracle, our payroll, our accounting software. Those programs are used to not only produce drawings for parts but actually deliver those drawings and blueprints to the shop floor so that they can do what we call cut chips. This means they can actually make parts. This means that security is a key infrastructure. When these programs go down or are unavailable the company stands to lose significant amounts of money.

I know you don't always work directly with the end-users, you've got the teams you manage, how do you guys stay on top of security threats?

This is going to sound very rudimentary but every place that I've worked, this has been a bit of a struggle. The first thing you need to do is understand what you have. You need to have a very solid list of the systems that you support. We start with that list because you can't secure what you don't know. For example, you don't know how big to build your fence if you don't know what you're trying to build it around. So it's extremely rudimentary, but it's just looking at what is the list of things that I'm responsible for? So you can then take that list and you can say, “Okay, I see I've got 1000 servers. Okay. Do I have an antivirus on all those servers? Do I have them reporting to things like OpenDNS? Or are they sending their logs to Splunk?”. So you can't really understand or you can't really secure things until you know how many things you have.

Do you ever find that people have blind spots? Like something where someone says, "Oh, where'd this asset come from?"

Absolutely. I know you've been in the business long enough to remember when, if you wanted a server, you bought a physical server. I remember when I came in, servers were monsters, you could not really lose that because they weighed 150 pounds. Now, especially with the proliferation of cloud technologies like Azure, AWS and Google Cloud, it is so easy to spin up new environments. It really just takes a credit card and a few mouse clicks and you can have a 1000 server farm sitting in Azure. So what we see sometimes is what we consider shadow IT. Shadow IT is where somebody in the engineering department wants to test something out, and they go to aws.com, and they spin up an environment for themselves. They've made it so simple, which is great. It doesn't take the same level of knowledge that it used to actually put in those floppy disks to install. We absolutely see that sometimes and the key then is to make sure that you educate people as to why even though it's so convenient and so easy, it might not be a good idea for the business.

How do you educate them? How do you keep your team informed on those kinds of things on security awareness? 

It's hard because as you know, new technologies are being spawned daily, which makes knowing everything impossible. What we try to do is make sure that as things come up from the various thought leaders throughout our department and some of our trusted partners, that we're getting that knowledge out there either via email, meetings, maybe pieces of training, that kind of thing. We really try to get as much information to the folks on the frontline as we possibly can.

What are some of the things you see that people can do to protect their data online?

Communication is always key. What I mean by that is if you're a small shop, and you've got maybe one IT person, making sure that that person is well-known throughout the company and is seen as someone that's a trusted resource so that somebody won't just go to AWS or Azure and spin stuff up. They'll stop by that person’s desk or they'll ping them on Teams, Skype or whatever, and just say, "Hey, I've got this idea," or "What do you think about this?" That communication is so important so that people don't feel like IT is a roadblock. People understand that IT is really a business accelerator so I think that that's really important. You talk about staying secure online, and a lot of it is just common sense stuff. A lot of people can't even understand what IT professionals do. Well, a lot of it is just extremely common sense. Take the time to read something, take the time to look at links, look at what it’s asking you to do. If you're getting emails and they’re supposedly coming from your boss, read them with a critical eye. If they're using phrases that your boss doesn’t normally use, and they're trying to get you to go around a process and just wire money somewhere that’s probably not your boss. I think part of our problem now is that we always have so much information coming at us that we just zip through things so quickly. We're scrolling through our feed of whatever it might be. It's emails that we don't sit there and read and say, hold on, you know, "Jeremy's emailing me now, and he just used a phrase I've never heard him use." Or it could be something as simple as you know, he spelled "color", but he spelled it "colour," and I've never seen him do that before, is this really him? So I think that time to maybe just slow down for a second and be critical, read things critically is so key. It's not a technology, it's just more common sense stuff.

Do you have any war stories you can share or anything where you guys had an issue or something you maybe even heard of from one of your partners that our listeners would benefit from?

Yeah, absolutely. Unfortunately, it kind of follows the theme of my last answer. We had somebody in a payroll department that saw one of these emails that were supposedly coming from a customer saying, "Hey, we've changed our banking information, now we want our payments to be sent here." Unfortunately, the person I think was trying to just rush through things and they updated that information into the system. This was something where they sent payments of a pretty substantial amount that just got sent into the ether and then they were gone. There was no recourse. If I remember correctly, it was sent outside the US and the laws and the ability of the US to reach out and reclaim this money is limited. So it was, somebody just rushing through things and not reading it with a critical eye. That's actually where I got that example of “color” vs “colour,” it was actually from that. It was supposed to come from somebody that they had been speaking to, and they just didn't read it critically, and unfortunately, it was a substantial monetary problem.