And how are you doing? It's Gordon, all the techs are here, with my good old buddy and the security guy. How's everybody doing? Dave Stephens in the house. Yeah, Dave is joining us. We're talking cyber today. We're talking cyber today. We're not gonna talk election too much, I hope. No, let's go ahead. Give it one minute. It's only a 30-minute show now, so we gotta behave ourselves. Gotta be quick. So please grab yourself a chair and a libation, come and join us, and for the next 30 minutes we're gonna talk about a really, really cool project at the University of Hawaii Community Colleges regarding black-box mock spear phishing. Say that five times. Fantastic. It's really cool. So Dave, just tell us a little bit about yourself, who you are. You've been on the show. That's awesome. One of our favorites. He should be a monthly. So tell us a little bit about yourself, and then we'll get into what we're gonna talk about with this black-box spear phishing campaign. Okay, I am a full-time IT instructor at Kapiolani Community College for the University of Hawaii, but I'm also the University of Hawaii Cyber Security Coordinator for the TACT grant. So the TACT grant is a grant that has been going on for several years, signed by President Obama and Joe Biden. Speaking of which. So that rolls right into that. Well, this year we got about ten million dollars to split between healthcare and cybersecurity. So for cybersecurity we developed some curriculum, some cybersecurity certificates at the community colleges, all of them, and we just got that rolling. So by coincidence, at KCC we developed an ICT club who came up with this idea of doing some mock black-box spear phishing campaigns, some pen testing for companies, for charity, to get us to this conference. Black Hat. Okay, to get you there, because we're gonna talk about how we can get you there. Right. Right. And we're gonna talk about what you're gonna do, or enable companies to take advantage of. Right.
So they get... they win. The companies win. Right. And at the same time you win, and get to go to... The students win. The students win. Right. And it's a win-win for the campus, but then I talked to my students, who also agreed that we should take this system-wide. We do the first couple of customers, and then as more customers come in, we make an actual non-profit organization that is system-wide. Right. And all the community college systems, and maybe even the UH main campuses, can participate with their cybersecurity students. Yeah. And do these tests. It gets them two things. It gets them an internship opportunity. Right. An actual organization doing pen testing for cybersecurity. Pen testing, because penetration... Not many... Penetration testing. So that's a penetration test. There are several types of penetration tests. Right. So several types. But the most common, as you guys know, is social. Yeah. The biggest hole is social engineering. Right. That human loss is the biggest problem. So we're gonna do spear phishing, which is identifying particular people and sending them personalized emails with links to click on, or instructions, so we can gather some personal information from them: the username, password, emails. And then we tell the companies, hey, this person gave up some of their personal information. PII. Can we get a donation? Okay. So, okay. So you're getting a little bit ahead of me, but it's good though, because we're setting the tone for what this is all about. Right. Because it is complex, and the fact is, you know, there's an ability here that you're gonna create for students to be educated in a field that is growing like no other. Exponentially. Yeah. And then we're gonna have an opportunity for businesses here to take advantage of it, if they'd only open their eyes, and I won't go down that path because I'm dealing with it all day long. Open up their eyes and see what's happening, and be able to get on top of that.
So with that, we have this segment that we do called You've Got One Tech Job. And so, you know, the election just happened, as we all know. Really? I must have missed that. Yeah. Where was I? Packing it. And Mr. Green. So, and they passed a lot of marijuana laws in a bunch of states. Nevada. What is that? Vegas is a whole new place. You've got one tech job. Look at this guy. Zig-Zag. This guy. I saw this guy on the Big Island when I was there on Halloween, and this was his costume. He's a pack of Zig-Zags. He's a Zig-Zag rolling paper. Oh, that was his rolling paper. Okay. Wow. Wait, come on. You're gonna tell us you didn't know? I didn't know what that was. Oh, really? Okay. I believe him. What do you think? Do you believe him? No. No. Okay. Gee. I believe you. I'm with you. I actually do believe him. He was my naive haole boy. Oh. Let me get that out for you. They didn't have that where I was. It's gonna cause a scar in Kentucky. Okay. We're getting off topic. Here we go again. So anyway, so we're talking about the fact that you're putting this program together. I'll call it a program, where students will get educated in this whole realm of cybersecurity, and then you're going to be able to do these spear phishing attacks. Right. And so tell me, what's a spear phishing attack? I mean, not a lot of people know what a spear phishing attack is, except if you go watch the fishing channel. Right. Right. Right. Different than shooting a spear. So phishing, spelled with a P-H, is usually a cybersecurity attack that's social, and it's targeted at a company or an organization that you want to enter through covert means. So you send emails to people with links, or updated Flash links, or something like updated keys for the browser, and people click on these links and actually enter information.
So the most common one, you've seen these, they come in: Bank of America needs your new account information, or there's been a problem with your Wells Fargo account, please update your account. So you enter your username and password, but they've hijacked that account. Right. So you're actually entering that account information and giving it to somebody else, a hacker, who now can get to your bank account. And go to your bank account and log in very quickly. Yeah, and drain your drive. So this is being used also to put worms and Trojans and backdoors in companies. If you click on that link, you can drop a little piece of malicious software inside your network. Inside your network, and inside... You can be on the PC version. But I'm going to be the naive haole Boyd Ellis. But I have all these different firewalls on my computer. I have all these different... I pay McAfee a fee, and everybody else, for all this protection stuff. So why do I need this? I mean, I got all this stuff on my machine. Perfect answer is: it bypasses everything. So the humans can let anything in the door they want. So you can have the best lock on your front door that you can have, but if you have someone naive walking up to the door, answering the door, opening the door for somebody who's going to attack you, you've let them in. That's right. So it doesn't matter how good the lock is, or how good your firewall is. The human factor is always the biggest factor. Right. And there are some tools that are better than others. Like Cylance, you know, stuff that's looking for zero-day malware, what you're talking about. Right. Another product. Well, this is because, first, that's all signature-based. So that's different. Right. That has to be known. But again, John Q. Public, you know, most people are not in this business. Oh, and they wouldn't know the difference between Cylance and McAfee. I had a staffer... That's a price.
Clicked a malicious link seven times. I don't know why. It came from a manufacturer who had something hijacked, obviously. And I can see in the log, Symantec caught it. I can see in the log, seven times. I said, why did you keep clicking that? So I mean, where we educate... Social. It's social. It's totally social, and it's trust-based. So no matter how well trained your people are, somebody's always going to let this through. So you really need to do this test about... Quarterly. Oh. Because it comes into your company all the time. Right. I always got new staff. People are leaving. Oh. So you got to keep retraining. Keep retraining. No matter how many times you tell them don't click on a suspicious link, they're going to click on a suspicious link. And so training, training, training. And I tell managers to just wake up and let us be more proactive than reactive. That's right. If you're reactive, you're done. Done. So now, just... You're like the pioneer of all of this, I'm assuming. You've got a program at KCC now. You've been pushing this for some time. I have been pushing this. But there's been... Honolulu Community College has been leading the way. That's right. We have Mike. Yeah. Mike. So Honolulu has actually had the best program so far. KCC is tailing after that. Okay. And then West... Of course. Yeah. And then West Oahu has got a fantastic BAS, applied science degree. Okay. Coming up. Yeah. But we've been pioneering this one effort to try to actually get people hands-on experience. So as you know... Oh yeah. It doesn't matter how much you know. If you don't practice, it goes away. Yeah. Right. So we're trying to get people's hands on it, so when they get into a company they hit the ground running. And that's what employers want. They don't want to do a lot of on-the-job training. No. No. Not at all. I mean, you can't learn to drive a car by reading the manual. That's a fact. You can. You won't be good. Guaranteed. You won't be very good.
So you really need to read the manual and then actually execute something. So we put their hands on Wireshark and Nmap and Zenmap and Burp Suite and all the other hacking tools. Aircrack. We have a lot of labs with these tools. Well, these are all the tools you can get. I'm just saying. So is there a positive? Are you getting a lot of response, or a lot of students coming out of high school saying we want to get into these programs? As a matter of fact, yes. Oh, that's awesome. Kaimuki High School. I'm actually going to be teaching a basic security suite that will fill a requirement for our cybersecurity certificate. Okay. I'm going to be teaching that in spring. We have 10 students taking cybersecurity fundamentals at Kaimuki High School. That's awesome. Yeah. That's great. We got to come up with the kids... Who are the kids, the group of kids out here that do their cyber... guys. Oh my gosh. Well, your gosh is gone. Anyway, we'll keep going. But you'll think of it. It'll come. But wouldn't it be cool if Hawaii could become a cybersecurity melting pot for creating the talent that's needed nationally in this country? Well, the NSA's got how many openings now? I know. 60 or 80. They come to us. Here. Not me here, the UHCC system, every semester, and say, you know, you've got 10 months, get into this program now. You're zig-zagged. No. And then you have 10 months to go through your security clearance, and then you can get into an internship for a summer, and we have a lot of applicants for that system-wide. So the NSA's got a lot of openings, and there's quite a few kids going into that. But there's a lot of opportunities. I mean, it reminds me of when I first got into this IT industry. It was like you couldn't find anybody, and everybody was, you know, scrambling to find people that would just go in, even without a degree. They would teach you. And now here we are in this whole cyberspace, and people are just screaming for help. Screaming for help.
Okay, we're at that moment in time when we have to take a break. You're kidding. That was 15 minutes. That was 15 minutes. Wow. We need to talk about the program too. Whoa. We need to talk about the election. Yeah. Okay, we got... Will you give us an hour show? Anyway, we're gonna take a very, very short break. You go get Angus. We'll go get Angus. I'll make sure Angus doesn't talk too much. And we'll have Dave come on and talk more about the program. So we'll be back in about a minute.

Thank you for watching Think Tech. I'm Grace Chang, the new host for Global Connections. You can find me here live every Thursday at 1 p.m., where we'll be talking to people around the islands, or visiting the islands, who are connected in various aspects of global affairs. So please tune in, and aloha, and thanks for watching. Hi, I'm Chris Leitham with Think Tech Hawaii, and I'd like to ask you to come watch my show, The Economy in You, each Wednesday at 3 p.m. Aloha, I'm Kirsten Baumgart Turner, host of Sustainable Hawaii. We live stream every Tuesday from noon to 12:30. You get a chance to hear what people are doing about sustainability in Hawaii and what the issues are that impact all of us in all the islands. Join us, please. Aloha, my name is Josh Green. I serve as Senator from the Big Island on the Kona side, and I'm also an emergency room physician. My program here on Think Tech is called Health Care in Hawaii. I'll have guests that should be interesting to you twice a month. We'll talk about issues that range from mental health care to drug addiction to our health care system and any challenges that we face here in Hawaii. We hope you'll join us. Again, thanks for supporting Think Tech. Join us at Think Tech Hawaii. Our show is Asia in Review. Our next program is on November 17. This is Johnson Choi, your host. Aloha everyone, I hope you've been watching Think Tech Hawaii, but I'm here to invite you to watch me on Viva Hawaii every Monday at 3 p.m. I'm waiting for you. Mahalo.
Hey everybody, welcome back. It's Drew the security guy. Just got a quick tip for you today. NIST put out a Small Business Information Security guide today, The Fundamentals. So for your small business owners, this is free. I don't know if we'll see the web link or not, but you can go download this document today. It's a quick read, maybe 30 pages, but it's got some tools in there to help you do a risk assessment of your organization, ways to identify, like, your asset management, and so just some of the things that you need to do to get started in raising the awareness of cybersecurity inside your own organization. And it's a great document, it's free, it's the government, you know, you basically paid for it with your tax dollars, so really good stuff. Check it out. That's it. Angus is here, obviously, as he always is, with something good. What's up, Angus? How are you doing there, Drew? Hey buddy. It's me, you know, Angus McTrump. Right on. McTrump again. I saw you last time looking like that. You're now president of the United States of America. Right on. Good on you. What do you think there, Dave? It's gonna be cold living up there. What do you think? How am I looking? How are my hands? Your hands are a little bit big. Don't stroke me with your hands, because you might knock me out. That's just how we are. I was going to do a wee bit on the NIST as well, you know, I think it's a really cool thing. Yeah. So you know, they came up with all that document, the technology released the draft cybersecurity framework, it's all there, you know, and there's a lot of businesses that got it and are trying to get them to pay attention to it, but he has no luck at it. But now that I'm the president, you know what, we're gonna kick some sorry ōkole and make sure that... Right on. You know, so now I'm going to be politically correct, now that I'm the president, you know. I like it. That's right.
Anyway, so anyway, I mean, we'll go after the email scandal a little bit later, but anyway, so I got that, but I got a wee gadget for you too. But you know what this is? This is the NIST framework, you know, and Dave, you said it's all about the people. It's all about the people. Social is the biggest hole. That's right. And then there's your people right there, in your, um, there's your people right there, and your NIST unveils the new cybersecurity framework. This is a pow box to give me that information, so we're all set on there. But again, a wee gadget for you. You don't have a year... I have a wee gadget, a wee gadget, a wee gadget, a wee gadget, you know. And Thanksgiving is coming up, so you know, you're sitting around with the family, and most of the time you're social again, pretty bored. Come on, make it yourself: this wee chalkboard tablecloth, you know, when you're bored at the dinner you can just draw on it and make notes. Nice. And it can't be hacked, so you can't do a cybersecurity check on it. It's all set there. Anyway, that's my gadget, that's my security, and you know, here we go, it's just, you know, change, it's really the inner chance to remember it, like I always said, but you're getting, being free, where are you being alone. It's always bringing to something, so a chalkboard tablecloth, think about that. And definitely check it out there. Another thing that NIST published was a thing about the jobs, like a pathway to jobs that flow into cybersecurity, and even the middle manager guys that make 107,000 a year, so if you could use that income, check it out. I'd like to make 107,000. Welcome back, brother. Welcome back. Let's talk about this program. So let's talk about this program. So we're here with Dave Stevens, we're talking about Hawaii Community Colleges' opportunity that you're going to enable for the students and for businesses in Hawaii.
You know, the students for opportunities to grow their skills in the cybersecurity space, and businesses to take advantage of mock attacks, yeah, because you would... organizations, so talk about this. You would pay a lot for a pen test. You would pay thousands for a penetration test like this. So, and you know, to have the results and have it analyzed. In business out there, I just want to say something: expect to fail this. You will fail. You will fail badly. Sixty, seventy, eighty percent of your people will take this bait, and they should. That's a good thing. Then train them, and go to NIST, there's a ton of training. That's what I use, Securing the Human. Right. It's a great point, you know, if you provide a little bit of training for people, then you perform this penetration test, and it's a phishing scam, and people click on the links, then you can provide the results to say this is how effective your training has been so far. Then you provide some more training and do another pen test, and then you compare the results, and then keep training and training and training. It's an ongoing process. That's the problem with folks who understand, uh, you know, if you install antivirus or something like this, you know, you're done, you cannot think about this anymore. But it's not; it's a running game. So no matter how fast I run, if I stumble, the bad guys are going to overtake me right there. So what's your plan? So how's the program going to work? How can I, as a company, take, you know, call a body, call and enlist in this opportunity? And how are you going to get it out there? I mean, we're hoping that we can help you get the word out. Gosh, I hope so. Yeah. So how, what's the plan, what's the program? So right now we've got a lot of plans. However, I feel like NASA, and the team and mine is at 60 countdown, and we've got the bird on the pad ready to go, and we're still deciding what astronaut to put in the capsule. That's the stage we're at right now.
However, what we plan to do is, like Andrew suggested, provide some training, do the testing, have a 30-day window so no one sees it coming, and then after that provide the results, and then based on the results do some more training. Right. And then if they want another pass, we'll do another pass. Yeah. And we get people down to, I think you were saying, four percent. As the biggest organizations I've talked to that started, oftentimes 30, 40, 50 percent acceptance of phishing email. Right. Um, no one seems to be able to get it down below three or four. I think that's terminal velocity. Right, that's critical mass, you can't pass. And so imagine that, you know, just if you got to accept the fact that one out of 20 of your people are always going to be a vulnerability to your organization. Yeah. I mean, now we're talking about ransomware, basically. It's not just private industry now. No, it's everybody. I mean, Hillary Clinton's email was hacked. It was probably a social attack. I mean, they have network firewalls, they have all these intrusion prevention, intrusion detection systems and all these sophisticated pieces of software, but you put a human in the mix, you've bypassed all of that. I mean, I have clients, and clients that have called me, or are now my clients, because again, some secretary or clerk or whatever clicked on an email and now everything on their servers is all locked up. Yeah. And they say, okay, now you got to get me out. And I used to be going to... I pay the ransom. You do? Oh, you got to pay. You got to pay the ransom. They don't have a backup. Well, because they don't have a backup. That's the other issue as well. They didn't do a... Oh, and they brought the backup in. Well, they brought the backup online while it was still in the system. That's right. And it encrypted the backup. Now some ransomware actually will now time itself. Yeah. You don't know you have it, right, until your third backup in the rotation is also corrupted, so no matter what backup you bring online, it's also
corrupted. People are very sophisticated. But it's not new. In 1999 I was working for a company called Homestore.com. We got hit by the I Love You virus. Okay, think about that. That was the ILOVEYOU .vbs. That was the... every geek in the company double-clicked on ILOVEYOU .vbs. Yeah. And we spread it everywhere. So it was just instant: I love you, double-click, and, what, I didn't get that, what, it's not doing anything, double-click again, double-click again, double-click again. And you were telling me one person had, like, seven times. This is the same thing. It's not new, but companies don't accept that this is a risk. So how are we going to get companies to open up their eyes and allow this to happen? So we'll tell the story. I think we gotta... My biggest question is that, I think, if I was in a company and I was the IT director, and I've been many times, you're the first guys I would say, yes, come on in. But my problem is, I have... is it 80 to 90 percent of the IT directors that I'm in contact with will not allow this to be happening. They won't. It's a fear. Yeah, there's a fear. What if we're penetrated? Even if you are, these guys rather than the bad guys. That's right. I'm sitting there going, like, you are already. I mean, what do I got to do? So the banks have to do this now. Health care, or you know, the regulated industries have to do this training already. Right, HIPAA. It would be really fun to see, because... Steve Robertson, he'll share his test with you. He'll talk about his... Well, it'd be fun to see if you went to their organization, if you got similar results as he's been getting. Right. You know, I mean, because it's nice to have that third-party audit. They're very progressive now. They're one of the few organizations in this town, Hawaii Pacific Health, that does a great job, and they'll bring stuff in, they will go out of their way to make sure that what they've done is right. Yeah. But you know, he's a rare, rare bird in
this town. That sounds like a gem. Really? Yeah, I don't get that very often. You don't get that very often. We're still dealing with old-school mentality. People worked their way up a corporate ladder, and they really didn't come up through the trenches in IT, so they really don't understand the vulnerabilities, and they don't understand the risk until it's actually become an exploit. I know, I got 40-year-olds who are acting like I'm supposed to be acting, and I'm the one that's saying, you know, I'm going, wait a minute, I'm the old-school guy, I've been doing this for 50 years. Yeah. I should be acting like you, and I'm arguing with them, and they're just literally arguing with me, and they're not doing it. It's a hard sell. Yeah, it really is a hard sell. It won't be once they're hit. Yeah, that's the problem. Once you're hit, it's already happened, and it's too late. And they're so used to being in reactive mode, and I keep telling them, why don't you just start shifting your mind and get proactive, so you're ahead of the game? And plus, it's basically free. There's the training time, right, but so I use those Securing the Human posters, saying, you know, SANS has posters that show you what a bad... it shows all the elements, and when you get something to take a look at, you know, you get something you weren't expecting, first of all, don't click on anything. Look at the header. Go look at it and see what it is. Who's it from? It says Andrew Lanning, but is it really from me? No, it's from somewhere else. You know, so just doing that type of training, that awareness training for people. And I'm the guy, I'm paranoid, so I got these posters, like posts, you know, I move them around. One time they're on the mirror, next time they're on your desk when you come back, next time they're on the toilet. Like, I'm constantly trying to keep that awareness, because all you can do is go for constant awareness, because it's a constant problem. We can harden 80-plus percent of your
environment technically. We've got the CSC Top 20 controls, we can do that, but we can't fix that person, the people. And you can't. And my message to the CEOs and COOs and CFOs and so on is, like, you need to demand of your CIOs or CTOs or CSOs, you need to demand that they be doing this stuff, at least, like you said earlier, on a quarterly basis, at least. And at least. And then it's an HR issue too, so you got to monitor it, right? So if you've got a person that fails three times after being trained for three quarters of training, now you've got an employee requirement, right? Like, this guy doesn't get it, and he's actually a danger to your organization. He's a risk. Actually, the biggest danger is budgetary. Yeah. So I know, and I'm not going to tell the company right now, but I actually know of a company that implemented a cybersecurity group, paid for them to all get their CISSPs, they're all really good people, okay, and then they went through a merger, and the merging company came in and cut their budget in half. Well, yeah. Can you imagine, for the cybersecurity group? Right. And I said, that's bad. Yeah. Yeah, you're going to get hit. And here's where you can help them get their budget back. So here's... you just hit on something. So yes, I want you to come in, I want you to bring your students in, I want you to try and do a phishing attack on me, and if you find it, then I'm going to use that information to go to the budgetary people: hey, wait a minute, we brought in a neutral third party who showed where we're vulnerable, I need money to fix this. If you can. Now, once that's done, it's on the record. Yeah. If they ever get hacked, oh, someone's going to go down. Wait, wait, wait, you know, your CTO or CIO, you knew about this, and you didn't do it. And then I said, go like, well, that's why we don't want you back in, because we'd like you to tell us again. But again, you're going to... you are, yeah, you will fail this, and you should fail this. I've
never actually... I don't actually know of a penetration test that ever failed. Actually, no, I don't get... Most testers will test until they get in. There's just always a way. Well, I remember one, a long time ago, where it was a social medium guy, a guy was trying to get into a bank. The bank brought him in, and he got in socially. He called from the help desk, and his name was, um, Shan Lemongelo, and his name was Lemon Jello, and he called in as Shan Lemongelo, and they let him in. And they'd spent two weeks trying to get into this bank, and it was the human being, the social part, that got him in. And even Michael Milkin, I mean, it's what he did, you know. I got a great story, guys. Okay, sure. So IT security, I got it, cybersecurity. I told my class, okay, they're talking smack, hack me, hack my email. Five weeks, 130 hours, 23 students working in concert hacked me three ways. They did a social attack. They built an actual profile of me on Ancestry.com to get my mother's maiden name. They did a physical attack. They misdirected my attention in class while someone actually put a keylogger on my system. Wow. And they put it underneath the power supply so I didn't notice, right, and it's just a loose USB cable. And they did a session hijacking attack in the classroom. They did ARP poisoning and DNS poisoning to redirect my login to my email, and they grabbed it, duplicated the site, stripped off the HTTPS, and I didn't notice. Okay, and I'm the teacher. That's awesome. That's awesome. So believe it or not, we have burned through 30 minutes, and I'm gonna be back. We're gonna talk about this and have you come back again. And the message to everybody, please listen today: you've got to bring in the tools, especially if they're offered at free-99. Well, you got to make a donation to the students. Just donate, yeah. But that'll come. That'll come. Anyway, so, uh, you... 67 was your Solo cup. You got number 90. I won't give you this one. We got number 91 coming up. 91, right. No one
doesn't go unrewarded. All right, um, we're gonna bring you back with a student next time to see what's going on. Fantastic. Anyway, I'm exhausted. This is really... this is a really good one. Anyway, want to thank you guys for joining us again on Hibachi Talk. Drew, Dave, cybersecurity. Anything to say to everybody at the end of the show? Oh yeah. One, two, three: how are you doing?