Finance Committee - 6/6/2018 Page 2
mails that come in from the outside world actually make it into the intended target. About 40% are actually
malware and viruses.
We block a lot of stuff. This is the kind of thing that keeps me up at night. One of the weakest links,
unfortunately, is employees. Not that employees are malicious, not that employees are trying to do something,
the cyber actors that are trying to do this are very good at what they do. Actually just today, Dan Kooken came
to me and he got an e-mail from Jim Donchess asking him to send him I think it was 100 iTunes gift cards that
he needed right away. CFO Griffin has also got those same types of e-mails. If you look into them and spend
the time you can detect that they are fake because it will come back as the name “Jim Donchess” but behind it
has some other e-mail address.
That is just a simple type of thing. We get them all the time where people open up their own personal e-mail
and they will click on a link that is actually spam and since they are at work, it will automatically try to take over
their PC. We have done some things where we restrict access on certain PCs so people can’t do that. But
what we really want to do is to train people what to look for. There are some things, either misspellings or a
misplaced comma or just the e-mail address, to really look at what the e-mail address is. So this software will
help us train the user community as well as do some testing to try and see whether or not people learned
anything from it without actually causing damage. So this is something we have been working on for a while
and I think it is one of our weak links unfortunately and that we need to try and tighten that up.
If you have any questions I can answer some.
Alderman Klee
My question is this will help with mail and the phishing and so on but will it educate on mistakes in typing. I
work for the Federal Government, I went to go to the FDA web site and instead of doing FDA.gov I did .com
and it is a completely different web site trust me. But I knew enough to stop at that point rather than say this
seems odd because it asked the question “are you over 18”. But if someone may have gone on, we don’t
know what would have happened at that point. I had to report it and so on.
Mr. Codagnone
There is something like a few hundred, like 400 different modules that we can pick from and some of it is how
to identify the correct web sites. So in reality if you do get a link that says it is from your bank, you shouldn’t
click on the link, you should go to your bank directly. But if you type in Bank of America through the wrong
misspelling, a lot of the cyber criminals are smart enough to know they can get some of those domain names
that are similar but not exact. And they can actually create fake web sites that almost look like it. So we have
to train people what to look for, how to detect these kinds of things. So it helps in their personal life as well as
protecting the City infrastructure.
Alderman Klee
Okay thank you.
Alderman Laws
Does this exclusively deal with basically user error from our end where we are just training people not to open
corrupt e-mails or does it protect us from people trying to hack into our system?
Mr. Codagnone
We already have those things in place. We have a very expensive firewall that protects the City infrastructure.
We also have malware programs that protect other devices, we also have a lot of anti-virus software that is
kept up-to-date. Most of the things you have to do on the infrastructure side, internally, is to make sure that the
patches are done in a timely manner that come from the vendors to patch the security leaks. We do all those
