 I welcome back to the cyber underground where our mission is to dig deep to find out how cyber security touches all of our lives every day. I'm your host, Dave, this cyber guy, and this is my exceptional co-host. Did he forget his name? I forgot my name. Did he forget his name? It's a Friday. You're Dave, the cyber guy? Excuse me. Okay. No, you must face the camera. That was awesome. I've done that. Don't worry about it. This is Andrew, the security guy. Aloha, everybody. Thanks for joining us. And our wonderful guest today, Jody Ito, from the University of Hawaii system. Thank you for having me. Thanks for coming down. We're so happy to have you on here, and I really needed to drink more before we started up. I don't know. Maybe not. Maybe not. I've never seen one forget their own name. It's pretty good. Godot forgets my name, but that was good. It's all the millions of viewers that we have live, I'm sure. There you go. Oh, you're nervous. Totally nervous. Every time. Wow. It just happens. Yes. How did you get here? How'd you become what you are? So, I drove in a car in traffic, and what, no, just joking, so. Nice. That's okay. I totally get it. So, I'm actually a product of the University of Hawaii Toy Silver, so I have a Bachelor's of Science in Computer Sciences, as well as a Master's, and very fortunate, I started a student employee at the computing center back then. Really? For academic computing. Oh, right on. I didn't know that. My graduation, a full-time job, opened up, and I thought, you know, mom says, earn money, so you take whatever jobs you need for it, right? 
So, I did, thinking I'm going to only stick around for a few years, and then, like, my friends are going to go hit it off to the mainland, or, you know, for those big defense contractors, and, but, you know, the job was actually very, very interesting, and it changed over years, and one thing really good about the university is you get to see all of the things change and move and progress, right? Because we have to be teaching these things to the kids. So it was a very dynamic environment, and so 35 years later, it's like, oh my gosh, I'm still here. Now, you're the chief information security officer? Correct. So, CISO, and I was just, I got to say, I'm amazed at your leadership structure. First of all, you got President of the University, David Lassner, IT guy, right? Yep, absolutely. And then you got Garrett, who was on the show last week, super IT guy, and goes to David if he needs help, and so you have Garrett, and you guys, what a great team. They're climbing that way. Absolutely. The IT has taken over. To be honest, it's because David Lassner was actually my supervisor very, very early on, and it's largely because of his leadership, his vision, and we stayed. A whole group of us just stayed, and then we're very fortunate that when he became president, eventually, Garrett, who was originally a director under David initially, he left, and then he came back when David was president, so it worked out really, really, I feel very, very fortunate. You guys have a super team, and I think you're getting a lot done, and there's a lot of cybersecurity going on throughout the entire university system. You guys manage 10 campuses, right? But there's more physical campuses, like Hawaii Community College has two physical campuses now. Correct. It's campuses by legal entity, right? But each of these campuses have multiple locations, as you alluded to. Not to mention all of the research facilities that are out, so Coconut Island, for example. 
It's still part of the university. You have telescopes on the top of Mauna Kea, Haleakala. You have a lot of these research projects that have sensors out all over the place. The water, not even seismic energy grid. People who need to test devices out in the field, they'll do that. So it's really big and all-encompassing. Security night, man. I think we snuck in that R&D piece last week, because I was interested how it's part of, segregated from, because you've got the student body. You've got quite a mixed environment to manage there. So from the university's perspective, right, we actually have to have academics where the students are very free and the researchers are very free to access what they need, collaborate with whomever they need to collaborate with, get to almost anywhere. And we also have the business environment from the university, much like any other corporation, the things around personnel information, student information as their academic records. We talk about the financial information system. We're a university. We have to track and we have to have data. So we have longitudinal data across what we call the operational data store. So academic research, innovation, you know, we basically have every little piece of businesses that you can think of. Wow. You have a big dashboard of that, like in your pocket. Get on your little farm. Oh, exactly what's going on. Yeah. What metrics are you looking at? Oh my gosh. How do we protect all of that? And so we actually have to prioritize. Yeah, that's a lot of risk surface to deal with. Absolutely. How do you manage that? Especially because of the research and education piece, we have to have wide open networks. We don't really have ways to put up filters where we can prevent people from going to certain maybe even known bad sites. Garrett was telling us that it's your dirty network. No, no, no. You've got to let them ride. We're not a dirty network. We're a hostile network. That's maybe worse.
I don't know. It's up a level now. Yeah. Because if you think about it, right, you can bring your computer, your device to the network at the university. And we don't have any way of saying, no, we're going to get you through some device check to make sure you're clean before you can get on our network. Because lots of times it's visiting faculty, visiting colleagues that need to come in and jump on the network immediately. And they have to be able to do whatever they need to do. And those devices could already be compromised when they get on your network. Absolutely. The majority of time they are compromised other places and then they bring them to the university. And so, you know, students bring their laptops and the majority of the time they actually are infected with something. And so we might actually see alerts. But if it's on a part of our network that someplace like our wireless network where mostly our students are on. And it's what we call a dynamic address where we don't know exactly who's using it at any given time. We're going to say we're not going to be able to identify that unique component. That's just a transient address on your network somewhere. Correct. They pop on, pop off. Yeah. Absolutely. Anonymous as far as you know. You see that the outbound connection is a problem. It's connecting to some. That or we also get external reports that people like the Multi-State ISAC that we belong to stands for the Information Sharing and Analysis Center. Right. It's to help state organizations to help protect their assets. So we actually are members. So they actually help monitor some of our address space and they'll, you know, send us emails that say, you know, these IPs are exhibiting behaviors of compromised hosts. If it's in a part of the network that is largely our transient network as we consider it, there's not much we can do. We can't even identify the computer that it came from. So it's firewalled from any valuable R&D side.
So it's, you know, it's kind of like, okay. So we actually have to segregate or architect our network into different zones so that we create a more secure area for those things that are very, very important for us. And then, for example, the wireless that's generally available. We think of that as part of the hostile network. Hostile. Yeah. We'll give it to you, but we consider you hostile. If you're using it and you're on it, you're a part of the problem. Well, it just means that we don't have a way of easily being able to manage it so that we can get it cleaned off and things like that. It's interesting. We talked about that last week, that help the convenience versus security piece. Right. So I can't like let you use it and then like lock you down. Right. That's a problem. Right. So you want the university to take that risk on. Right. How do you decide to? How do you meteor that? What's the concern about that component? So the concern? Is it so isolated? No, we actually have what we can call a data governance process. So we identify and categorize data based on their criticality and sensitivity. A lot of it is based on just regulations, right? So for example, payment card industry data. You know, if that's breach, right? Credit card number is very sensitive. Social security numbers. Yeah, Title IX. Title IX. And exactly. So we have ways of categorizing our information. And that information, which is very, very sensitive, we put more controls around. So we actually will have processes. Like if you want to use, for example, student academic records for research or anything, you actually need to go through a data sharing request process where people would have to approve that before you can just use that data. Good. I want that to be the case. And it's a process, right? So it's not just about technology and procedures. It's this whole education of the community, right? 
How do you make sure that the people using this data, managing this data, understand the risks around it and therefore how to protect it? I love the fact that you've gone through asset classification. You know what everything's worth, how much you want to spend on securing it, how secure it has to be. If it's open, if it's not open, what segment of the network do you put it on, if it's classified versus non-classified? And you also share a lot of intelligence, right, with other organizations like the DHS, FBI, NSA. So in general, what they will do is they normally notify us if they see unusual or anomalous activities that is of interest to them. And each of these different three-letter agencies have different, I guess, priorities, right? Really? Oh, I thought they were all the same government. We're all the same government. Strange. So we actually have to work with many of the different agencies differently. So NCIS, FBI, DHS, Air Force. NCIS, it's real. It's real. They are real. But it's real. That's right. But yeah. And again, they're looking for different things. And so we will respond to them in different ways based on what they share with us and what we'll share back with them. So when you collect all this threat intelligence, how do you analyze it? Where do you keep that information? How do you go through it? What's your dashboard like? I tell you I'm going to have to kill you. Oh, I see. No, I mean, really. You're the CIA, too. Well, no. If you think about it, right, the information that we gather from these types of security devices actually gives up a lot of information about the university and the assets. So that is something that we try not to share very widely. So a lot of times when they want, for example, network logs from us, we actually try to sanitize it some degree. So they might be able to see where it's trying to connect to, but we won't give up the endpoint. So we actually do try to protect the privacy of university devices. 
So you approached a new subject. That's awesome. So this is brand new, I think, to cybersecurity that people are realizing that big data has a huge role to play in cybersecurity. Let me just tell you, anytime you're using one of those online coupon things like RetailMeNot that offer you coupons as you go to their stores, even when you belong to those loyalty shopping programs, CVS, you get to scan everything, they're recording what you're buying, how often you're buying, are you a cat person or a dog person? You know, Amazon kills me, right? You jump on, you look at a few things, and the next time you go back on, they go, well, based on what you looked at the last time, we recommend you look at these things. That's all data analysis. And data can be captured anywhere. So for people out there looking for jobs, besides cybersecurity as being a huge, huge need, data analyst, right? We were talking with our IT advisor, data visualization and big data analysis. But it's heavy in statistics, right? Your pathway is computer science and statistics and the traditional engineering pathway towards this field. Or it could be in mathematics, right? So it might not be hardcore sciences, but it's going to be one of those hybrid fields where you would be able to act, it could be even marketing, right? Yeah, I think for sure on the ML side, you know, machine learning machines, right? That ability to take that data and manipulate it for the business or for a purpose, or for the sake of the information itself, right? There's the outputs of what can be learned. And analysis is much faster done by machine learning than people. Correct. People can query it. You didn't ask questions for. Right. Exactly. I didn't even think about that. And that, and if you throw the visualization piece on it, you can actually imagine data in different ways that you would not be able to envision just looking at it in paper, right? In a line-based Excel spreadsheet. 
Yeah, me asking me, I look at a spreadsheet. Oh, that's boring. Oh my gosh. Yeah, bottom right. But machine, like you said, it adds to the creative capacity of even just exploring what something means. What does all that data mean? Exactly. But with that, with all of our devices now, right? Your phone has a GPS. Are you making sure that it's not actually giving up your location when you don't want it to be? No. I wish I was. It's hard because you have to go into every single app and turn off the GPS setting for it. Christine finds me wherever I'm at, you know that. Because she injected that chip in your... Is that what it is? It's not a chip. It's in your dental. Remember when you went to the dentist and did that filling? Is that what it is? Absolutely. Well, and so with that, though, we just don't know where we're leaking our information to, and that's more of a concern for me. Good point. So, okay, so this is me. What about students who are not even less aware, right, willing to give up just... And I think the students that grew up at this technology age, they're much more willing to do that because they were socialized in such an environment. For me, coming from a mainframe punch card environment, it's really hard... I did punch cards. I'm with you. I'm with you. I'm with you. So it's really hard for me to give up that idea of privacy. Yeah, so... Yeah, it's interesting how quickly they... Or they're not worried about it. And I don't know what the implications are for them up the road, but some people will definitely... Privacy's risen in this world of identity. What is an digital identity and what's the privacy side? The students want to be known. They just put it all out there for everyone to read. And it's building also a reputation to, especially, right, they're young. They need to get their name out there. They need jobs. So how do you get to be known? You put your things out there. But it can also help affect you negatively, right? 
So let's say you have some views you're very passionate about and then you apply for a job, but it's at odds with your prospective employer. Yeah, sure. Right, so... We're going to take a break real quick. Yeah, I just got the message. We're going to take a little break. We'll come back in one minute. Wow. Hello. Welcome back to the Cyber Underground. I'm Dave, the security guy, here with our exceptional co-host, Andrew, the security guy. I thought you were the cyber guy, and I'm the security guy. I'm the security guy. I got to get that started. We don't know. We're not sure who we are, but... That's Dan. But we're here. The important person is Jody, who's with us. Thanks for coming after us. Thank you for having me. Let's talk about how you balance at the university the difference between the physical and the data security. That's got to be a hard balance. Physical security and data security? Yeah. Okay. So actually, the university, again, is an open campus. Most offices don't really have swipe cards or entry access controls into their spaces because, again, we're a university. And I think that's a little bit of a harder challenge for university personnel to wrap their arms around because they're just not used to it. So when we actually have our new building, it's brand new, maybe about three years now. We actually built it specifically for information technology.
It houses our main data center. And we actually built, as we architected it, with control, access controls. And it was... We actually had to go through a whole culture change for us and even as employees within IT to get used to swiping your card to get up to the elevator to the right floor, accessing swipe cards just to get into the office spaces and things. So as you said, it's a delicate balance and we need to ask ourselves, is it okay for some non-known person, unknown person to get into a space that may have papers that have social security numbers on them or even servers or hard drives that may have the sensitive information. So again, it's that culture and education that needs to go on to tell people about it. It's working, though. For example, people will find information on desks and paper that might have social security numbers on them and I'll get called. I found this thing out there and it's like, well, please take this to the person who it belongs to and ask them to secure it. So any opportunity that you have, you have to try to get them to make that culture shift and think more about security. It sounds like the awareness campaign is working when you're getting calls. So when you have that awareness campaign going out, it's interesting. We find that culture of locking down is tougher in Hawaii. It is. It's an open culture. Ohana, you're my friend. And the whole acceptance piece in campus safety, campus security is a concern across the nation. So it's interesting. Here, I've worked with a lot of the campuses and that idea of how do we keep some openness and then protect what we need to protect and there's that battle of security and convenience, right? Right. So, you know, well said. Right. So we do. The IT building is a great example of not necessarily a compromise. It's pretty locked down. That's very important. As much as it needs to be. Our first floor, we want to be more of an open space. 
That's why we have those large conference rooms on the first floor that can support that. Sure. And we have our lab there on the first floor too. Our help desk is there. So we don't want to make it a barrier for people to come in and use some of the facilities. But we still want to protect everything else that needs to be secure. Yeah. Have you proliferated this around the campus? Not just that building, but have we started... It's very difficult to do that because it takes retrofitting of buildings to be able to provide that sort of access. Although... What happens is we have Andrew right here and he runs integrated security... So there is some of that happening. Student services is finally merged with the IT server. So they were able to save some money there. There are some things we were able to do to distribute those services. In the physical security world, we want IT to own the server side and then offer the client side application out to the resources that need it. And slowly some of that started to happen at the University of Hawaii. So it's a great start. And I think what also needs to happen is vendors like yourself who work on problems like that also need to make sure that you fully engage with the IT people. So for example, with building automation systems, sometimes that didn't really happen well. And so all of a sudden, surprise, we have this server that shows up what ran somewhere. And because nobody told us, we weren't able to help them secure it. So it's all those types of things. Even Xerox printers, right? Those things have hard drives. Those have web servers on them. Those are devices with a lot of security built in. You not only have access control, you have authentication, you have abilities on the computer for logins. Certain logins can do certain things. But you also have IoT devices out there. Everything from just regular switches to other layer two devices to webcams. This IoT thing is exploding. Absolutely. How do you manage that? 
So we actually don't really. So it's again about the education piece, right? Because normally these devices will go up in smaller units, like say computer sciences department, just as an example. And they set up their own camera surveillance system on the floors that they manage. And so work with their IT person to make sure that they understand how that just a video surveillance piece should be isolated on a separate network, separate from their data stuff. And working with all of the units like that with the education piece. So at the university, we're highly decentralized. So you think of ITS, my group, as managing everything. We actually don't. A lot of departments have their own IT support people. And so we rely on them to help us secure the assets in that space. So you have to disseminate your policies and procedures across all those IT groups. Absolutely. Do you bring them all together? Absolutely. So we tried. It's hard because they're on all islands. I think there's probably about 300 of them scattered across the University of Hawaii system. So as far as I think the University of Hawaii, Garrett might have alluded to it, we are one of the larger IT employers in the state. Right? You cover a lot of people. What's the student population now across the... Across the University of Hawaii system, I think we're roughly around 50,000. That's a lot of people. 50,000? Yeah. I had no idea. That's just the students. I think we're probably another 8,000 faculty or staff. Wow. That's a lot of people to manage. It is. And we actually... It's not just them. We actually have affiliates and associates and alumni. And so in terms of the number of users that we actually support through our... what we call our UH username, I think we're somewhere up around maybe 100,000 or so. Wow. That's a lot of surface area. That's a lot of responsibility. Yeah. And people can be the problem. That's always the problem, I think. Well... 90% of the people get hacked first, socially. Correct. 
And then it gets behind your firewall, yeah. Absolutely. All right. Well, so we actually have a lot of cases where we get what we call phishing runs. Right. Because it's multiple phishing campaigns. Sure. And so I think within a month we could get 20 to 30 campaigns roughly, which, you know, that's a campaign. Wow. So each campaign, there's hundreds of messages per campaign. And we actually get a number of compromised accounts because people are just so trusting, right? They say it says... Oh, and they use ITS because we're the technology group. Sure. And they'll represent that they're from the help desk. And so, you know, we need you to enter your username and password so that we can help you or whatever that phishing campaign is of that moment. Sure. And people will do it. They'll put in their username and password. So never, ever, ever put in your username and password. If somebody asks you for it, double check. Definitely. And the reason they're also doing is they're reading their emails on these tiny little mobile devices. Right. So it's hard for them to get the sense that it looks like a phishing message because it's really small and they can't see it. And that's something. So, and if they're reading the same message say on a full screen, they will instantly be able to identify it's a phishing email. So when people are on this open Wi-Fi network, you have a system now of free VPN access through the UH system. That is correct. For university students. When I log in and I'm just going into a coffee shop at UH or even to Starbucks anywhere on the island, I can use my VPN from the UH system and all my traffic is encrypted so I don't have to worry about people doing a Wireshark and getting all my data. Well, it will do it until the point of when you get into the university network, right? So once you get into the university network, then you have to rely on if you're browsing, make sure you have HTTPS and everything turned on, right?
So again, it's just to get you into the university network. But it is a very good resource and I actually do use it, especially in hotels. Hotel Wi-Fi if you're getting into it. For sure if you're coming from outside in. So do you mean you mean so that internally if you had an internal breach, someone could connect to it internally and you may still have a man in the middle type problem going on? Possibly. I see. But because the university network. You pulled back through the VPN. That's ugly. It could. But we actually do have much more control within the university network. That's why. So routers and things, the ones that we manage and maintain, they're not publicly exposed. So, you know, they're in locked closets. You know, some of that physical security you talked about. So we try to implement that. So we have, I think, a little bit more comfort in knowing that within the university network, we're better at protecting that. We cannot protect you outside the university network. Oh, for sure. So I need to look for HTTPS in my browser, URL, and make sure that certificate's actually valid. Yes, absolutely. Yeah, I'm sure it's valid. I read this thing about this Punycode, right, where that if you're connected to something that's not in English, this hack of that, you can actually, they can emulate at gavel.com. It's the extended character set. Yeah, so you can take that, yeah, but you take that and put it in Google and it'll show you that it's actually not in English. I didn't know you could even do that. I was like, wow, this is a recent thing I read. It's amazing, because I always thought you're protected with HTTPS up there in the left corner. No, not always, yeah. Foolish, foolish, no, never safe. Wow, Punycode, right, is what translates that non-English into English. And they can act that. It is. It just goes to show you, you need to stay a step ahead of the hack. And it's hard because there's so much information flowing at us all the time, right?
And how do you weed out the legitimate information from the stuff that could be fake, right? All the stuff with fake news and stuff. And just because you read it on what appears to be a legitimate website, is that true? But if it's your website, of course it is. If it's your website, of course it is. Well, I hope so. If it appears to be my website, it may actually be my website, you know? Right, so that's the other part, right? How do you actually validate the information that you're getting? And then, again, threats are changing so quickly, the threat vectors, how people can attack you are changing so quickly. I can't imagine sitting over top of 100,000 people, most of which are students doing... I'm not thinking about this stuff. Whatever they want, not real security. They think you're handling their security, right? They feel protected in that environment. We are protecting their data. Sure. And it's up to them at the endpoint level. We do provide free antivirus. They can email for assistance to our help desk. If they bring in their device, they can try to help clean them up. But for the most part, it's a personally owned device. So we actually have to teach them how to manage their device. So we actually try to do educational seminars for them, teach them about phishing, teach them about how to protect your computers. But a lot of them, they're just too busy and they don't come. So how do they reach students? Kids, what could they be up to? Sure. Possibly be up to. And how do we get them to take security seriously? Because it is their privacy that can be compromised by themselves. We've got to wrap this up. I'm getting the message. You're getting the beep? From the... The beep? Wow, that was quick. Thank you for being on the show. Oh, no, thank you for having me. It's such a lot. Thank you so much. Jody should come once a week, I think, and update us. Oh, yeah. You want to be co-host? Thank you. You're doing such a fine job. Aloha, everyone. Stay safe.