Aloha, welcome back to the Cyber Underground, where our mission is to dig deep and to find out how cybersecurity touches all of us in our everyday lives. I'm your host, Dave Stevens. With me today is my great guest, Jeff Milford from the ISC2 local chapter. Thanks, Dave. Thanks for having me. Well, what is the ISC2, first of all? The ISC2 is the International Information System Security Certification Consortium. That's a lot to get out. Yeah, it's a mouthful. Basically, it's a non-profit organization dedicated to not only producing certifications, helping people to become certified, but it also has an altruistic side where it believes in reaching out to the community and trying to make society itself better and more secure. Some of the other organizations are pretty much, study for the test, get certified, but they don't have that goal of benefiting society itself. You want to train the earth, give you the hive mentality: the more people that know, the easier it is to secure yourself. I like that. I like that a lot. So, if I'm a business, now let's go this way, if I'm a business and I'm hiring individuals to do security for me, why are certifications important? I think they demonstrate that an individual has taken the time and effort, the dedication, to go above and beyond what a lot of other people do. I meet a lot of co-workers who don't understand it, don't think it's of value, but I think the employers do. As I go through my job searches, people will look at an MCSE and kind of say, oh, but when they see that CISSP, the premier certification, that really opens their eyes. It shows that you've really done something that's difficult. Now, let's talk about those two certifications, the MCSE, the Microsoft Certified Systems Engineer, versus the CISSP, the Certified Information Systems Security Professional. Let's talk about the difference between the certifications now. What is the CISSP exactly?
It's vendor-neutral, for one thing, so it applies basically anywhere you go. If you're a Microsoft Certified Systems Engineer, you know the Microsoft family of products, and there's nothing wrong with that. But the CISSP goes way beyond a lot of the other certifications. You need to know about physical security, about network security, about cryptography. You need to know about the laws, governance, business continuity, disaster recovery. It's a very deep subject, 250 questions on the test. Six hours, right? Six hours. Six hours. 225 questions count. The other 25 are there for research purposes. You don't know which they are. But it's not an easy test. I took two months to study for it, two hours a day, very dedicated. Are you a methodical studier? I took the test and I'm going to freely admit that people are going to laugh at me now. I read a 1200-page prep book, which did me no good. It was better than sleeping pills. And then I went out and saw on the shelf, CISSP For Dummies. Yes. Great book! The Dummies series are wonderful to build a foundation. Yeah. They're excellent. It was perfect. I did that. I took some practice exams, and then I had some experience in the field. And that was enough to take the test. And I was confident in it. Whereas the other 1200-page book, it was kind of oversaturation. How did you prep for this test? The first book I started with, I was 10 days out from my test and I reached a section where it was talking about backups using DVDs. And all of a sudden, I looked at the publishing date and went, oh my God, this book's 12 years old. Wow. It's like 25 years in human years. And I just thought, what am I going to do? I've got 10 days to study 10 domains. I went down to the local Barnes and Noble, well, I don't mean to plug them. I went down to the local bookstore and bought Shon Harris's book. And that's one of the best books for studying for the CISSP. I also had the official book of knowledge from ISC Squared.
But basically, as I studied for it, I realized how much security I've actually done over my 20-some-odd years in IT. Backups, part of that. Access control, passwords, make them complex, all those things, network security. Lots of things fell into place as I went through and studied it. Now tell me, when someone hires you as a CISSP, they have expectations of what you're going to do, but what do you actually do when you get into a position in a company? I think what a CISSP does is that they bring that focus on security in everything that they do. When somebody called me months ago and wanted me to change their password to Minoa, I said no, I'm not going to do it. It's just, it becomes part of your DNA that you just recognize that that's a really bad idea. I was working on a customer's problem at 2 o'clock one Sunday morning, and I saw their backups weren't running. Fixed their backups. It's just something you're always thinking about. What can I do to keep this customer, keep my company more secure? Now that's something a lot of people disregard, I think, in security, is that you're not only there to secure the data and the people and the facility, but you're also there to ensure business continuity in any business. Amazon.com goes down for even a couple of minutes, they're losing a lot of money. When you go in there and you see backups aren't running, hey, that could be a detriment to the business continuity down the line. If an incident occurs and they need a backup and it's not there, they can't come back online. It hasn't been tested. I can't tell you how many places I've worked where they don't even test their backups. Everybody out there, test your backups. It seems like it really... Yeah, back up regularly. I'm right there with you. I've worked for a couple of companies that didn't test their backups for a couple of years. And then it came time to restore the backups and you find out those tapes have been bad for quite a while and they're not keeping it.
What's the encryption key? Oh, Bob had that and he left two years ago. Tribal knowledge, the worst. Write stuff down. With ransomware being what it is today, the backups are the only thing that's going to save you. That's the key. Customers that had somebody click on a bad link, all of a sudden their servers became encrypted, and because they had a plan where we backed them up incrementally every two hours, we could make them whole in less than a day. But without those backups? You'd be done. You'd be paying the price. Or the company could fail. Literally fail. Wow, yeah. I read somewhere that a large volume of companies that get hacked for credit card numbers, because of the fees they get charged by the credit card vendors, end up failing within six months. That's a horrifying reality to face, that you invest so much of your life and your finances and you get venture capital and you start this business, and then you get hacked one time and you're wiped out, you're done. That's why folks like you are necessary. And if people don't think that ransomware is a threat, there are some criminal organizations that actually have help desks, so that if you pay the ransom and get the decryption key and it doesn't work, you can call them up and they will walk you through the process of getting your data back. It's just the saddest thing in the world. It is. Criminals have a help desk. What's even worse is some of the criminals are not sophisticated enough to write the algorithms properly. So even if they give you a decryption key, it won't work and you'll never get your data back. Forever gone. Plus you paid the money. And I would imagine that some criminals don't care about getting your data back. Pretty much. Yeah. Thank you for the bitcoins. I'm into the ether and on the dark web. You'll never see me again. You'll never find it. And there's another one coming up.
Someone was telling me, and this hasn't hit me, thank goodness, but someone got hit by ransomware and the deal was, the person that gave the ransomware out said that I will decrypt your data if you infect two other people. A chain letter. That's a chain letter with ransomware, and he said, well, should I do this? Okay, think about this. First of all, we're in Hawaii, so this is an island. But even if you weren't, this could come back to bite you. Say you pick your two worst enemies and give them the ransomware and decrypt your data. Someday, the worst enemy that you just gave it to is going to turn around and follow their deal and give it back to you. And you're going to get it anyway. So it's better just to restore from backups and apply the training to your people. Absolutely. And a possibility. Training. Do you get used for training in a company? You get brought in as a CISSP, you have all the 10 domains of the CISSP. That's really important, because you can't patch a human. You can patch your systems, but security awareness is really difficult because it's a fine line. If you oversell it, people tune it out. But they need to be aware that their actions can fail the company as well. That person that gets an email and clicks on a link without thinking and causes the company to become encrypted, all the data, they need to understand that those actions have consequences. So trying to bring that awareness to the employees is a tough act. But it's extremely important. You should do that not just once, but this is something that's rolling. Constantly. Because the threats are constantly changing. And you roll new people in and some people leave. Information security should be part of the onboarding process. Somebody sees a thumb drive outside the door as they come in and they say, oh, look, what's this? And they plug it into their computer. Oh, my gosh. You're done. Yeah. Whether it's ransomware or any other kind of malware. And how do you handle that?
Do you handle it with training? Or do you turn off the USB ports? What do you do? I worked for a company that wanted to put glue in the USB ports. And then they were reminded that since it was leased equipment, they couldn't exactly do that. Yeah. But it really comes down to the training. You can disable them with Group Policy in Windows. You can disable the hardware, things like that. But it's really getting the message out to people to think before they do something. And that applies for people at home just as much. I am constantly being phished. 5, 10 emails a day. Well, they're quite entertaining. Oh, some of them. I do. I do. I'll sit there and read them in the preview pane, but then delete, delete, delete. I've got to read all of them. You know, I get everything from Walmart and Amazon gift cards, too. I still get the Nigerian princes, and it's highly entertaining stuff. I love to read it, see all the broken English, find the links. And actually, there was a really, almost a successful one with me. It came to me. I do an ICT club activity with my students at KCC at the University of Hawaii. We phish companies. They give us donations, and we actually do phishing campaigns. And we use a host, so we have a host that sends out these emails. And I always thought they knew what we were doing. I told them. Well, I got an email from them, I thought, that said, hey, we noticed your phishing campaign, and you're going to have to call us right now to get this taken care of. And it had some phone numbers on it, and it looked legit. It looked legit until I noticed those phone numbers aren't the contact phone numbers from my host. And I looked, and sure enough, the domain that the email was from was .ru. Yep. Thank you, Vladimir, for sending me that, but it was highly effective. I got hit by another one that was, they sent me, thank you so much for buying this game. And it had a really cool video game in it that I probably would have bought.
And sometimes I buy stuff and I'm not thinking about it. And I thought, oh, I must have bought this game. But I don't remember that. And it said, thank you. And here's how much your card's going to be charged. If this wasn't you, click here. And I hovered over the link for a second, and I went, wait a minute, that's an Xbox game. Yeah. I have a PlayStation. But that's what stopped me. I almost clicked on that link. I'm vulnerable. Today, I read that Facebook and Google both paid out $100 million to illegitimate vendors after a phishing scam. Google, for me, I think of Google as the tech giant that kind of navigates the path. Full of armor. Right. And Facebook, too, as a social engineering platform, you want to be not socially engineered, right? But they got hacked. Anybody's vulnerable. Yeah. Your PayPal account, there's something wrong with it. I don't have one. That's an easy one to spot. But I was trying to sell a car. And a guy wrote me back and he said, hey, I don't know you. So you click this link and get a vehicle report. I clicked the link and luckily the domain was no longer in existence. Oh, OK. But I would have been infected. Right. And people don't realize all you have to do is click on a link. And if your browser's not completely up to date, if your OS is not completely up to date, if there's a patch you've missed somewhere along the line, you're just a week behind in patching it, just clicking on that link could allow a remote connection to your computer. That's scary. Well, and also most people are admins of their own machines. Oh, you've got God rights. You should have a user account and an admin account. That's a good idea. The user account is where you go in, do your browsing, look at your emails, just play around on the computer, go look at videos, whatever. But you should have an admin account to be able to log in, apply the security patches, do whatever you need to do as the God-like person.
Now, that goes down to separation of duties, which is pretty significant in a company. So for a person, that's significant. You should do that, maybe separate your identities online, work versus personal. In a company, what would you say to a company if you walked in and everybody's just got local admin rights on the machine and they're not thinking about it? I'd fix it right away. How would you fix it? Through Group Policy? Through Group Policy. You'd also have to convince the people why they didn't need to be admins of their own machine. Back in the olden days, back in the Windows NT days, if you wanted to add a printer, you had to be an admin. Right. Nowadays, it's not as important, but there really isn't any reason for a regular user to be an admin on their own machine. Even with traveling, BYOD, all of that. So that's a really important thing that you at home can do as well. So we're going to take a short break right now, one minute, and we'll come right back and we'll talk about more stuff that we're passionate about in cybersecurity. Aloha. My name is John Waihee and I used to be a part of all the things that you might be angry at. I served in government here and may have made decisions that affect you. So I want to invite you in. I want to invite you in to Talk Story with me and some very special guests every other Monday here at Talk Story with John Waihee. Come on in, join us, express your opinion, learn more about your state, and then do something about it. Aloha. Aloha. Welcome back to the Cyber Underground. I'm here with Jeff Milford, president of the ISC2 here in Hawaii, the local chapter, and we're talking about cybersecurity, how it touches every one of us in our everyday lives. And I'd like you to talk a little bit about what you feel passionate about in cybersecurity. You've been around for a long time like me. You've been in the industry for 20 plus years, right? And yeah, I just gave away your age. Sorry about that.
Yeah, it's okay. But that's okay, we're the experienced guys and we have passions about this stuff that a lot of people don't understand. I'd like to hear your perspective. I mean, if someone asked you, what do you say? I still get excited by technology. The whole idea of virtual machines, creating something out of nothing. It's been around for a while, but it's still amazing to me that I can spin up a server out of my hard drive and play with it and do things with it, protecting people. There is so much to know about cybersecurity, and you and I are so-called experts, at least our knowledge is elevated from most people. That's a good point. There's always someone better, always someone smarter. And you can't know everything. Yeah, you can't know everything. Because you always have to be learning. Right. It's a constant learning process. You've got to stay humble and stay on top. And stay hungry. Yes. Yeah. You've got to keep learning, right? Yeah. So, I look at people, when I see something happen to myself, I just think, what is the average person going to do? How can they protect themselves from something like this? That's important stuff. And to that end, we talked about backups, how important they are. Sure. Patching your hardware. Extremely important. So running Windows updates. Windows updates. Apple updates. Home router. It's not the easiest thing to do to log into your router, but there's online videos, there's documentation that comes with it. Call a friend. Call a friend. Change the admin password. Change the admin password. Maybe hide the SSID that broadcasts the name of your router. But update those routers. Because they have security flaws. I just bought a big screen TV recently, and as people may have heard, Samsung TVs were listening in on people, at least they had the ability. So I went back to the store, we won't mention who it was.
And I was talking to a guy that just completely interrupted me when I brought up the subject and said, not going to happen. And I paused and I said, why is that? And he goes, well, there's no transmitter. And I looked at him and I said, then why do I have to log into my Netflix account on the television to watch videos? There's traffic both ways. It doesn't need a transmitter. It's the internet. He started mumbling and slowly walked away to find something else to do. Most people don't understand that Wi-Fi is just a simple way to say radio. You're broadcasting in every direction, in every which way. And unless you specifically encrypt something, it's open to the entire world. You might as well be just listening to an AM radio and picking up everybody's signals. And the tools are out there. There are Linux builds that come with all those tools built in. The sniffers, the ability to do. You're talking about Kali and Tails. The first time I powered that up, I'm like, oh my God, I'm glad I'm a white hat. I will use my power for good here. It's the candy store. I put that in front of my students quite a bit. We pop open Kali. And the first thing I show them is Wireshark. Here's all the traffic going around this room. I want you to look and see how much of this is really not encrypted. We're not actively encrypting something. And if you don't go to an HTTPS site, you're not encrypting anything. And sometimes when you do go to an HTTPS site and you get the indicators that it's not a valid encryption platform and the certificate's out of date, it's still not encrypted. So you can get your username and password. If websites are developed incorrectly, the login pages I've seen are HTTP with no S. And so you're logging into a quote unquote secure website, but broadcasting your credentials as you do it. And I tell my students, go into Starbucks any given day. And pop open Wireshark. And just sit there and watch. And watch as these packets go by. And read all these packets.
People are sending so much information free. And I think, unfortunately, my students have become very paranoid now. They're graduating internally. You almost have to be. Every time we have a speaker at one of our chapter meetings, I go home and want to crawl under my sheets, because you realize how tough it is out there and how clever the hackers are. They seem to have an unlimited amount of time and resources to be able to gain access to what is valuable to them. And it's hard to register what's valuable to them at any given time. Could be an ex-girlfriend or a bank and anything in between. I've seen scenarios where they talk about trying to capture somebody's identity. And people share so much information in social media, pictures. They talked about this one person. They got her address. They know her kids, their names, their ages. They had pictures of her in her kitchen. So somebody could socially engineer this person and say, oh, as an owner of a certain product, we need to recall it, and start getting information that way. The social engineering side of it is pretty amazing, because humans want to be helpful. Now you're talking about open source intelligence, which is investigating somebody with the tools and resources that are available to anybody at any time. Open 100%, 24-7, 365 on the internet. So you can just look up somebody and see their public Facebook posts. You can see, what else do you look at? Pinterest, and what else would you look at? YouTube videos. YouTube, OK. Their LinkedIn profile is going to give you a lot of information about where they work. Way too much sometimes. It tells you what they do. And sometimes you can discern what the company network is like from what they tell you they do. Right. Here's a phishing example of a CEO. You go on LinkedIn and you see the person is a member of several charity organizations. You craft an email saying, hey, we'd like to invite you as our guest to this golf tournament. No cost involved.
We know that you do a lot of good work out there. Play up to the person's ego. And then you put a link on there for him to register. Boom. He's infected. It just goes on and on and on. And you have to be paranoid in a way. You at least have to always be thinking when you interact with anything on the web. So how would I get a certification like the CISSP? What does that take? The CISSP is the hardest certification to get. Because not only is it a long test, as we talked about, but you need five years of full-time paid experience. In two of the 10 domains. In two of the 10 domains. Eight domains now. Eight domains. Two of the eight domains. Let's go through the domains. There's operations. And there's security engineering. There's encryption. There's network security. There's disaster recovery, business continuity. There's governance. There's physical security. And I probably can't list the rest of them. So almost anything you do in IT is going to have some of it. It's going to touch somewhere there. You could do access control. You could do physical security. Access control is another one. You could do logins on your software. And securely engineer your software, your apps, or mobile engineering, something like that. So after that experience period, then what would I do? You also need a sponsor. You need a current CISSP to sponsor you for that certification. So if you look at the ISC, they have a lot of different certifications. There's an entry-level certification called Associate of ISC Squared. That's for people that don't yet have the experience. So if I was a student, I'd probably want to get that. Perfect. That's perfect. Perfect for student entry-level people just getting their teeth wet in IT. You have to pass a test. And I think it's 15 continuing professional education units. 
Now that's stuff I have to do outside that has to do with security, or continuing education in security, or participating in a security event, or attending a conference about security. And that gives me credits so that I can continually update my skills, so I don't have to retake the test. Exactly. So you need a certain amount every year. So I think the CISSP is 120 of those CPEs every three years. Every three years. Yeah, and there's a couple of different domains. They tell you what you can do. In some of the other certifications, there's forensic professional. There's cloud security. There's HIPAA. There's IT operations. There's risk management. There's different levels of experience and number of CPEs that you need to maintain those. The ISC Squared page is excellent for that. I'm surprised not to see a PCI compliance, the payment card and interchange. Yeah, I had a funny experience. I was asked to verify a company's PCI compliance. And they pointed me to the third party vendor, who sent me a certificate that said they were compliant. Self-certification. That's nice. And I'm looking at that saying, so they're trusting you and they're trusting me to investigate, but we're both looking to you and you say that you're fine. I didn't find that to be very valid. That's not comforting. Not at all. That's not comforting at all. So the ISC2, let's talk about some of the community outreach you might do with the ISC2 local chapters. We have a program called Safe and Secure Online where we go out to schools, senior centers, churches, basically anywhere there's groups of people. The ISC Squared Center for, and yes, I'm just going to forget this, Center for Security Safety and Education, I'll say, and that may be wrong. They produce materials for us to go out and teach. We teach, there's 8- to 11- and 11- to 14-year-olds. You catch them young. That's good, because they have a ubiquitous phone with them all the time. Yeah, they've licensed Garfield as a spokesman.
I saw that. Exclusive rights to Garfield. But they also have something that people can do for themselves if you go to safeandsecureonline.org. They have a section for kids, a section for parents, and a section for seniors. And I looked at the seniors' page today just to see what was there. There's avoiding scams. There's online banking. There's top 10 security tips. One page about passwords, basic computer security. It's all there online, and it's all free for people. That's one of the advantages to ISC Squared, is that they produce this material not only to help those of us in the industry, but also to help people in general, people just out there like our friends and neighbors. I'm glad you brought up the passwords. Making good passwords and having separate passwords for separate things is very important. It is. Not just one, two, three, four, or password, or secret, or something simple that's in English. And at the very least, if you're going to do online banking, make sure those are complex passwords, and that they're not the same for your various accounts. If you have to write them down and store them securely at home, that's fine. There are also programs that you can use, password vaults that take a master password to encrypt all your other passwords. That's a possibility for a lot of people. But yeah, using one password for everything is a really bad idea. Can be terminal. Because if you get that one password, you get the keys to the kingdom. How many accounts got hacked at Yahoo? Yahoo? A billion? Lots of them. I'm not going to say a number of millions. A lot of them, yeah. But a lot of them. And so all people have to do is say, this username with this password, and start banging them against other sites. And sooner or later, if you're using the same one, you're going to get hacked that way. Jeff, thank you so much for being on the show. I'm going to wish everybody aloha out there. And everybody remember, stay safe.