This is Think Tech Hawaii, Community Matters here. Hey, hello everybody and welcome to Think Tech Hawaii. This is the Cyber Underground and Dave the professor is not here today. So my name is Andrew Lening, I'll be hosting I guess today for us. And I have a guest here today, Chuck Lerch. He is from Hitech Hui. Chuck, welcome sir. Thank you. We are going to be taking you through some of the cyber challenges for the small businesses and not just small businesses in Hawaii, small businesses everywhere. First I want to learn a little bit about Chuck and give you guys some of his credentials and then we'll get into it. So Chuck, give us your, you know, give us your, you know, where you found what you did, how you arrived here today. Okay, great. So I'll keep it short. So, I'm originally from Baltimore, Maryland. I landed out here in 2001. I was a consultant for the DOD and the FAA. From there, in 2005, I went to Las Vegas to be the CTO of a national healthcare company. We put family doctors inside Sears and Kmart. Okay. And then from there I went to work for a family.com. So we had data centers all over the world and one of three is my kids here in Hawaii and decided to bring them back here. Nice. That's a quick segue. So how long have you been back? I've been back since 2012. And mostly working on? Of course, I was working with DR Fortress for many, many years as a consultant employee back to consultant. Okay. And at the same time we also had our company with my wife and a couple other partners that we created was Hitech Hui. Yeah. So DR Fortress is a major data center out here in Hawaii if you don't know and Chuck does a lot of the, did you do architecture? Architecture, cell engineering, all sorts of different. Support, just whatever, jack of all trades over there, right on. And then Hitech Hui has been offering services to enterprise, small, everybody. What's sort of their history? So Hitech Hui is a bunch of people coming together, a community, right? Sure. Or a business. 
So it's a bunch of IT consultants that came together to create Hitech Hui. And we came from various backgrounds. So one of our partners came off of Wall Street. My wife, for instance, worked for Accenture, Microsoft, Amazon. So we have a lot of technical experience in the company as well. We wanted to bring that to all the companies here in Hawaii. So we work with small business all the way up to enterprise. Awesome. With a focus has always been on security from day one. We are partners with security and A before they got spun down by FireEye. Okay. Right on. And so that's still, so do you bring in products, so you offer the products as well as the config and support? Hitech Hui, okay. We do. We do. So we offer not just products, we offer all the services that go along with that. So if we need pen tests or whatever the enterprise or small business needs, we have products and or services that go along with that depending on of course what it is. Awesome. Okay. So I think this, I can safely say that as a small business owner that the status of small business in Hawaii from a cybersecurity perspective is pretty grim. I'd like to think that from a security, from an electronic security perspective, I think we've done a good job. We've got some great security companies in town. So the companies that have availed themselves of those services I think have the, you know, access control on the doors. They've got good surveillance. They've got good communications, good intrusion detection, things like that. But as soon as we get underneath that fabric and get into the IT network and even of course the network, you know, cyber maturity of some of those types of systems that have been put onto their network. Right. So you find a lot of what I like to call sort of consumer grade applications. You find things exposed, things without firewalls, things that can't be patched, things that could be patched that aren't patched, all that kind of stuff. 
So what's your take on the sort of cyber hygiene or cyber maturity of the SMB, and SMB is small, medium businesses, in that market space in Hawaii? It's still pretty sad. And I mean that in a loving way. It's, you know, we go into a lot of small businesses. A lot of them have applications that were maybe developed out here by somebody and then they lost track of the developer. He moved on and then they have these applications that cannot be patched. So they have very insecure applications. Their brother-in-law, you know, maybe put in a Linksys router or something like that and thought they were protected and, you know, these different things. And we see a lot of things. We hear a lot of sad stories about, oh, our account got hacked, you know, 20 grand went to Russia. Like we hear a lot of these stories and it is very sad. And that's why we're very, you know, proactive in the market. We do free seminars to try to get as many people and educate the market as much as we can. And the more education, the better. And the other part of it is it's not just a technical issue. Yeah. It's a cultural issue with business in Hawaii or just not in Hawaii. It's anywhere in the country. It's across the globe. I think we can almost safely say, but, you know, we know Hawaii and we know the, I think Verizon, the report, Gartner. I think all the major reports tend to see numbers at least in the high 80s for like confidence in small business owners that they don't have any problems. Right. But we see when the assessments get done that 90 plus percent of them are basically wide open to even small or what would you call it, non-nation state type attacks. Like very generic sort of attacks that are known, that are active in the wild. Right. And they're vulnerable to that because they haven't done any of the basic things you need to do in cyber hygiene to sort of shore yourself up. Like patching, right? Like patching. So let's get into a few of those. I yanked down just the SBA's top 10. 
So let's just, you know, so they advise small business and I thought this would be a good place to start. And these are all the things that we tend to talk about. But so first of all, protect against viruses, spyware and other malicious code. And by the way, that doesn't mean on Windows 95 you can't fix it. It could really be on Windows 10, at least Windows 7, 8 today. So talk about that a little bit. What's the sort of maturity, the services that you're able to offer to small businesses today in that market for malware protection, antivirus, things like that? Right. So what makes us a little bit different than other security providers, I would say, is that we look at what's in the market today and what the vendors are selling. So there's a lot of confusion in the marketplace. Yeah. There's like wide open the fridge and all your veggies fall out on the floor. Exactly. And they all say that they're the best and, you know, we'll protect you. And, you know, five years ago, we were strictly a services company and then, you know, we kept hearing all this stuff. I'm like, you know what, let's do something about this. And then we came on to, you know, one of the first, I call them game changing applications or antiviruses, which was Cylance, right? So they said, well, feed us up. Like, really? Really? Yeah. Somebody says that. So we started doing that. We started benchmarking against like the CrowdStrikes and all these other next generation AVs that are out there and we do it every month. So I could tell you this year, you know, without a doubt, this is your best bet. Yeah. Next year, it could be McAfee. I mean, I don't. It could be something else. Yeah, it could be something else. So you need to stay on top of all that. Yeah, it's interesting. I think, you know, a small business owner, he's working on his business. He really has no way to keep up with all that. So he may be running some of the older sort of signature based type of antivirus things. Right. 
And he, you know, if you don't know, these are really only good against things that are out there in the wild that have been assessed and known. And they built updates for that and added to your engine. But if there's brand new things, you need tools like Cylance that would take advantage of machine learning or a little bit of artificial intelligence, perhaps, to look at the file structure and the actual stuff coming into your computer and saying, hey, this is not correct. And then it stops it from even executing on your machine. So, you know, you need to probably look at a provider. If you have no idea, you're not able to keep up with these things and you're in the small business market. Don't just accept that the thing you have today that you always had is doing what it needs to do for you. You know, the newer tools do newer things and you may need a layered approach. You may need one or two of those. It's hard to say. Number two, they got, here's some great advice, a little generic for me, secure your networks. Okay, safeguard your connection using a firewall and encrypting your information. Now, let's be honest, how many places do you walk in? They might have a firewall. It might even be updated with the latest firmware and things like that. But how many of them are running any kind of encryption? Hardly any. Very, very few, right? Because I think the word maybe freaks people out. And this is not that difficult. This device, your Windows 10, I think Windows 7 even, ships with BitLocker. You have to turn it on. Just turn it on and it completely encrypts your hard drive. Now, don't lose your key, by the way. But there's some things you can do if you have important data on your machines themselves to add encryption. A lot of it's there and people just don't use it. So what do you see when you walk into small business owners? How are they handling the data that they have? Well, they're doing the best that they can with what they know, right? 
You know what you know, right? So they think that they're doing the best they have any virus and they probably don't even know about the encryption piece, right? It's really rare. I mean, I think it's crazy, but it's just turning on. I mean, it comes with Mac, it comes with Windows. Yeah, it's there, right? So not too many. And firewalls, you know, they might have a firewall, but then all the ports are open. They're port forwarding like RDP, which of course is Microsoft Remote Desktop or something like that. So they're wide open to the world anyway. So understand what that firewall is doing. And we'll talk a little bit. So today there's a lot of next-gen firewalls that are doing intrusion prevention and intrusion detection, and all these other tools that run as a service. Right. So you can get a firewall from like Hitech Hui or Cisco. It doesn't matter where you get it, but these next-generation firewalls have a lot of services built in that are sort of kind of monitoring that threat fabric that's out there, right? And looking for vulnerabilities. So like if you click a malicious link and your browser tries to go there, it's known bad by the rest of the world. So this next-generation firewall will stop you from actually getting there and downloading something poor. So again, don't accept that what you have to always work. Get it pentested. If you're not sure yourself, get some help with it. Number three, they've got establish security practices and policies. Now, who's got policies? Who's got all these policies written? Let's just raise your hand. Everybody. I got some. Do you have them all? I doubt it. So that's a lot of work. And so my advice there, I don't know what you tell about. Don't just go do things. Don't just go buy a tool because you heard it's a good tool. Understand the reason why you're doing something to help your business. And that's part of that policy. 
Somewhere in your policy, there's a reason you've assessed some risk that you're trying to mitigate and that's what the policy addresses and that's why you implement the tool. And I see it the other way all the time. They buy the tool and then maybe they go back and write a policy. They know why they're trying to do something, but they never write it down. Exactly. Here's another big one. I think maybe this is some of the stuff you guys get into. Educate employees about cyber threats and then hold them accountable. What kind of education do you see going on? What do you guys offer? So we offer, you know, with anything that we do, we have two types of programs. We have like a small business program and our enterprise program. So the small business programs are a little bit more affordable. So more of the, you call it like spear phishing campaigns. And so we have different types. So we have, you know, a service that will automatically spear phish employees and see if they're clicking on links. And it's an education series. And it's pretty good. And for our advanced clients, we have a, I call it like a written spear phishing campaign that's not going to trip off a lot of the filters. A little more advanced. Ah, a little more customized. Yeah, a little more customized. So going and trying to get the big guys to get some buy-in. So what do you kind of buy into? Do you think that the small business owners have? And let's get, if we get out of the small shops, out of the 20-man shops into the 50-hundred-man shops that you see out there, is ownership paying attention to this stuff? Are they buying in to spend the money on training? Are they, you know, upgrading their systems? Or what do you think? Once they understand what the value is and like what the effect on their business is, like if they don't do this, they start to buy in. So we're seeing more and more buy-in. It's just, again, it's cultural. 
If the owner doesn't have buy-in and see why this is important, then the rest of the employees aren't going to see why it's important. So it needs to start at the top and then work its way down. And once the owner is passionate and gets, you know, understands the risk to his business, he's going to want his employees tested all the time. Yeah, there you go. And then, and a lot of people that we test, you know, what happens is eventually the employees start to catch on and they get it and then they know not to click on every single link that comes through. Yeah, you finally see those adoption rates fall down. Some of the best I've heard though still get, you know, three, four percent is about as good as it gets. Yeah, that's about it. So for the small business owner, just understand, you're probably never going to get it perfect and your employees are never going to not be foolable. There are, you know, when they're getting really good at the easy ones, we write harder ones and we go back up to over catching 30 or 40 percent again. So this is an ongoing thing. I love that you mentioned ongoing. I'm one of these guys that has all the phishing posters and stuff and I move them around the office, I put them on the toilet, put them on people's desk. You need to constantly be reminded because the threat is persistent. You know, every time you're checking your email or out there, you know, browsing the internet for something, you don't know where you're going. If you're not paying attention to it, right? So I think that training is such a big piece. You bolt on some education with that as well, you say? We do. Is that like online? There's an online education piece and then our team actually goes out and educates the local companies. Awesome, good. So that's the kind of thing you should have raised up, especially with the new year coming. 
You know, kick off the new year with a cyber campaign if you don't have one, an internal campaign for your people is a great way to start the year. So we're going to, I think it's about time for a break. So let's do that for a minute. We'll pay some bills and we'll be right back. Hey, welcome back to Think Tech Hawaii. This is the Cyber Underground. I'm your host today, Andrew, the security guy. And I'm here with Chuck Lerch from Hitech Hui. And we're talking about small, medium business cyber security. We've been going through some of the best advice and some of the major problems that we find that we see out there in the small, medium business market. And the final point we wanted to talk about in that area is just this idea about it. Employees are required to use strong passwords. And, you know, there was a, there was a thing there for a while about changing your passwords all the time. And now what we found is these employees are, you know, their password was something hard, something hard, one, two, three. And so when you tell them to change it, they just go something hard, something hard, one, two, four. Something hard, something hard, one, two, five. So I've seen some of the advice changing there as far as frequency of changing. But strong passwords, which until we can get rid of passwords, which is what we need to do, strong passwords are still going to be with us. So what sort of stuff do you see out there and then what sort of advice do you give? Sure. I mean, strong passwords are key. And even beyond that, dual factor authentication. Yeah, multi-factor. You have to do it now. I mean, there's no way around it. So you just can't trust the password at all. That's what we said. You have it here. So, but what we recommend for small business, like if small work groups, you know, maybe using a LastPass, there's a multiple like small business ways to share passwords amongst each other. 
Unless you have an employee that, you know, you have maybe some turnover and you don't want them to see your passwords like your banking site, but they're your controller. They work in your accounting department, so they need that. So it's a way to mask the password so they can't go in and start messing with things. So we use LastPass a lot. We see that a lot in the industry in recommending that. Sure. And on the enterprise side, we like Thycotic. Okay. It's been up for quite a while and it's got amazing password tools and it actually goes through your Active Directory and starts looking for different things. Nice. So it's scanning for where they're stored, things like that on the network. Okay, good. And so, and then multi, let's talk about multi-factor real quick. So something as simple as Google Authenticator, Microsoft Authenticator, or you can get a YubiKey today, you can dump U and SIR like a USB or a smart card. Yep. How prevalent do you see that? Oh, multi-factor. So that's actually, you know, in this control, it's like, they talk about it, right? And the YubiKeys and all these other ones, they're good and bad. Yeah. So if you have access to the box, if you insert a YubiKey into your domain admin, you can actually find a way to get that credential because it's hard-coded and have access to the whole environment in like two seconds. Ouch. So... So they're not always everything. They're not always everything. And you've got to be very careful. And there's a link we could post with a little article about that maybe later. Okay, good deal. Yeah. And so you mentioned NIST there, I mean, so let's, so for the small business community out there, there's some help coming your way from the government. The House, just this past month, no, this isn't December yet. So in November, they have finally approved this NIST Small Business Cybersecurity Act. 
So they are leaning on NIST, National Institute of Standards and Technology, to get us some guidance for small business, for that community, because they recognize that they need help. But they don't know what to do. Like you said before, there's all these tools. There's so many things. What do we do? How do we start? And some of the guidance that those of us that work in regulated industry have come under, really it already started, but if you didn't get started yet, you're going to see it in your contracts on January 1st of this year, is a set of controls called the 800-171. You want to give us your two cents on what those are? I've said it over and over again, but it's, what, how many? 109? Yeah, I was going to say 110, but yeah, 110 controls. So it's a bunch of controls that are put in place by the U.S. government to make sure that you're doing the right things to protect their data and your data and help prevent all these breaches from happening and having this government data being just put out there in the market for people to buy. I mean, that's a short story. Sure. And so the, you know, everyone's probably heard of things like classified information, secret information, top secret information. So the government's finally come down and wanted to address specifically the 800-171. I'll get the title for you here. Yeah. It is called the, what did I do with it? It's protecting controlled, unclassified information in non-federal information systems and organizations. So that is the commercial community at large. And this is information that wasn't previously considered as, you know, risky for the government to have exposed out there, but now they've said, hey, if you have perhaps technical drawings, security drawings, for example, in my case of a government facility, we now want to put some controls in place around that information, so it's not just blowing in the wind and available for everyone. 
The controls themselves to a technical person like yourself, and these are not all technical, but what we're talking about there is the configuration of a tool in your, a setting in your Active Directory, for example, or a level of encryption that you've implemented on a data store, like on a file, or your hard drives, for example, where you're storing information. I know you've kind of been through these and you're working to offer these 800-171 sort of assurance services to folks. What's your take on these controls? Because out of the enterprise, you saw the whole 800-53, which is another set, a larger set of federal controls. There are 1,700 something. So obviously small business can't handle that. So they stripped it down, gave us 110. What's your feeling about getting compliant here? So I always talk about there's compliancy and there's security. So you can still be compliant, but still be somewhat insecure. I see. So it's great to have all these checks in place, but you've got to remember some of these things that if you checkbox on the compliance, there's ways to get around some of these checkboxes. I see. So when you say get around, there's known vulnerabilities for that setting. So that's important for our audience. So I was talking a second ago about the multi-factor. It's a dual factor authentication. There's actually ways around that. So any virus, for every security product that's out there today, there's a workaround. So even though that you're hitting all your guidelines and you're good, you still need to pay attention to what's going on the market. It's an ongoing battle. You're going to be compliant. You're written off. You still need to be watching. Yeah, and the monitoring is a big piece of that. So when we sort of talk about cyber maturity, you've got this control. You've got to have a policy for the control and you need to know why you're using it. Then you've got to actually implement the control. 
In this case, you're told how to implement, or a minimum level that you must implement it to. But once it's implemented, now we've got monitoring. We've got automation, perhaps. We've got reporting. So there are many more pieces to that cyber maturity sort of posture than just installing the firewall, for example. If you just install it and you never look at the log files, really you have no way of knowing what's going on. Or you don't set up alerts to come to you or things like that. So you guys provide services like this to small business. Where does that information aggregate? If they have some tools from you, they've implemented a word? Does it text them on their phone? What happens to those alerts, let's call them? Right. So it all depends on the level that they're able to afford to. So a lot of these services, they do cost money. Nothing good is free. Let's put it that way. Yes, yes. So depending on the business and their needs. So we have SOC services. So that's the Security Operations Center. That's 24-7. And that's another very important piece. All these products you can choose from, you've got to make sure they work together at least so that they can, all these logs can go to a place that are readable. Sure. And someone read them and knows how to read them and know what they mean. Exactly. So you need to do your research. You need to find, if it's a SOC company or whoever you choose, that they know the products that you're implementing or your IT providers suggesting that you implement. And so that they'll either A, alert you to, hey, you need to black hole this IP or you need to make this change to your firewall. Or B, give them access to go ahead and make the change for you. Let's say at 1 a.m. on a Saturday night or a Saturday morning. And so those are levels of services. 
If you don't have an IT person in your shop that could perhaps get this alert from the SOC and then make the change or implement the mitigation, whatever may be needed there, then they have services that can handle this for you. And then you just get a report. And you can often see I get several of them and I see how many threats were there, how many were mitigated, what was ended. So it's kind of interesting to live in that world. And if you haven't seen this information coming at you, a lot of people just aren't aware that it's constant. What is called the advanced persistent threat, right? These things are just out there attacking you all the time. And just because you're in small business, it isn't singled you out. It's just attacking everyone. Right. Well, actually, I think it actually makes you more of a target because I know the small businesses have the right controls in place. Yeah, the horsepower. They're not keeping the firewalls updated, as you mentioned before. So these are bot attacks. They're worms. They're these things that are out there. They're moving around. They move in certain ways and they're looking for those open doors that you may have exposed. And maybe let's talk a little bit about some internal exposure. So there is the whole problem of bringing things inside your own environment, right? You've got wireless set up inside your office. Now you've got employees letting them use their mobile devices on your wireless, for example. And they get some malware on the phone. They walk in the door. Now it's on your network. Yeah. It's a mess. Yeah. And without some of these tools, we've got no way to know, right? So if you've got some of these monitoring tools in place, they'll see that internal threat, perhaps shut it down, but at least maybe alert you that it's there. Right. And then sometimes what we'll do is we'll drop a couple of USB drives outside the office and see if the employees bring them in for a little pen testing. 
What does it say? Caught ya? Well, don't worry about that. But yes. Yeah. Right on. Right on. So we've got a few minutes left. What kind of advice would you give to the small business guy who's let's step back away from the regulated industry stuff first and just, you know, you've got a small shop. You want to try to make sure you're safe. Give us your top three or four things that you think these guys need to do. One, make it a priority. I think that's the number one thing and make it a part of the culture. And if you need help with training, of course, you know, there's many ways to do that. Mm-hmm. But that thing, that's number one. Yeah. Number two, you know, have a good antivirus, right? Something that works. And have it up to date. Even if it's signature based, you'll still be behind, but at least if it's up to date, it's better than nothing. Yeah. Yeah. So pay for that service, right? The monthly service fees. And a good backup. Like, so you keep hearing about all these, oh, I got ransomware and I can't do anything. Well, if you have a good backup and it doesn't cost that much to have a good backup, you don't have to pay them. There you go. Right? So, I mean, there's some... And by the way, test your backups. Yes. Restore them once in a while as a part of your policy so that you can make sure you have a good backup. Backups are known to fail from time to time. Right. And if you want to get a little more advanced, like you can download, like, Nexpose or Tenable for free and actually starts getting your home networks and just to start seeing what's out there. And so you get a little better understanding than kind of what we see. Awesome. Yeah. So, for the small businesses out there, it's not hopeless. Yep. Chuck gave you some great advice there. Get started today. Make it a priority. Okay? There are some free tools out there. Avail yourself of them. Yep. But get smart about what you've got. Do an inventory. See what's there. See what's updated. 
Keep it patched. And do your best to be safe. Stay under landing. Chuck Lerch. We're signing off from the Cyber Underground on Think Tech Hawaii. Join us again next week and we'll have some more good, maybe scary stuff. Bye.