This is Think Tech Hawaii. Community matters here. Okay, we're back. We're live. We're back to Think Tech, Tech Talks on Think Tech. I'm your host, Jay Fidell. Our show today is called "October is National Cybersecurity Awareness Month: It's More Than Meets the Eye." We're going to talk about how we can be cyber secure in business and how businesses have to be proactive to prevent damage and loss of reputation and clientele resulting from cyber attacks. If you want to ask a question or make a comment about this discussion, you can tweet us at Think Tech HI or call us live at 808-374-2014. Our guest for this show is Brian Fannin of Detrick Insurance, right here in Honolulu. So we have October; it's National Cybersecurity Awareness Month. It seems like, you know, every other week there's another news story about how a business has been hacked, with related warnings to customers about the loss of their private information and compromise, and much more, you know, intangible fallout beyond that for business and for business clientele. So in short, it's nearly impossible, and Brian can confirm this or deny it, to fully insulate a business from cyber attacks, but businesses can take steps to make it more difficult for cyber attackers and to guard against those events. Welcome to the show, Brian Fannin of Detrick Insurance. It's nice to see you here. Thank you very much. I appreciate the invite. Yeah. So, you know, every company now has to keep up with the technology, because there are those out there who keep up with the latest ways to attack businesses, so businesses must defend themselves. And that's your job. How did you get such a job? I'm fascinated with security, actually. I love it in many different forms. So I started working doing implementations for, actually, a laser tag company back in the '90s.
And then that kind of merged into, you know, you had to install the technical equipment, and then it just kind of went from one to another, and I started doing the IT manager role. And then, you know, once you do that, you get a big introduction to people and the technology and what's coming at you and what you've got to defend yourself against. Yeah. What fascinates you about this? There's just so much to it, and it changes so fast. Changes so fast. It just changes so fast. How is it changing now? It's changing now because I think, as an industry, the security industry has done a really good job of hardening the companies. You know, if you do the baseline stuff: you've got firewalls in place, you've got firewalls on the computers, you've got antivirus. As long as you do the stuff you're supposed to do, 90% of your problems aren't there. The thing that has been changing more is that now the hackers are targeting the everyday users. And that's how they're getting in. How do they do that? I mean, I'm not an insurance company. I'm just an ordinary schmo. How are they targeting me now? They're targeting you because they want you to do one of two things, and in the end, it's for the one thing. They want to install malware on your computer that's going to do what they want it to do. And they do that one of two ways: either they have you follow a link that goes to a bad website, or they have you open an attachment that has the malware in it. So it's a deception. They're suckering me in some way or another. And if I'm smart, I can see that happening and not participate in being suckered. Yeah. Yeah. I mean, so you get an email that looks like it's from Pizza Hut. You get a free pizza every Monday. All you've got to do is follow the link to go to the website and download it. Yeah. Are you going to click the link? Yeah. I got one this morning. I mean, every day there's something, really. And you've got to have a high level of paranoia to deal with this.
And it said, you know, you're a non-profit. We have $28, a very suspicious number, waiting for you. And all you have to do is click this link and you'll have a $28 contribution to your non-profit. I had never heard of this company. I had never heard of their domain name. You know what I did? I didn't click the link. Was I right? So the key word you said there, the most important thing: you never heard of the domain name. Right. That's the key there, because what they'll do is they'll try to craft some kind of sell, right? Some kind of thing that'll make you want to go there. And then if you follow the link without checking where it goes first, that's a pretty good sign something bad's going to happen. And you know, if you're on the street and some guy says, hey, I've got some candy in this panel van. Yeah. Come on in. You know, you're not going to go in, because you can see there's a panel van there. It looks suspicious. But most people don't know to check the link to see what actual domain they're going to. And that actually has been the focus of what people in our profession have been doing for the last couple of years: training users, like, understand what a domain name is and look at the link before you go there. And if you can train people how to understand that, you're solving a huge amount of risk that you could have as an organization. Well, it's fooling you. It's social engineering you, right? And seeing, well, seeing if you'll bite on some cute little $28 bait, so to speak. And I think we should all be very, but is there any other way? For example, Microsoft may or may not have a patch on a given problem. And you have no control over that. In fact, you don't have that much control of figuring out when you should download that patch on your machine. So that's not your fault. You can't really protect against Microsoft's failure to patch against a particular risk, or can you? So there's two pieces of that puzzle, right?
So you mentioned that you can't really control when the patches come down. So as a regular user, you should just set your machine to download the patches whenever they come out and get started. Automatically. Yeah. Kind of no question. So in organizations, we control those. So an organization typically will know when the patches are coming out, because you'll get the notification. And then each company will have their own, what they call, patching policy. So in an organization, you don't want to just put a patch on and then, oh, great, it broke our server and now nobody can get any work done. So when patches are released, then you have your patching policy that defines how soon you're going to apply those, and if you're going to test them ahead of time. That sounds good. Right? Yeah. To make sure stuff doesn't break. That's pretty good about not breaking stuff, but every once in a while, something does get broken. Yeah. So the downside, though, is the speed at which you do that is key, because what happens is, it's the first Tuesday of every month is when Microsoft releases these patches. That's a true fact. It's the first Tuesday of every month, so if you get it on a Thursday, then you should be worrying that maybe that's not a legitimate patch. Well, typically, if you download it directly from Microsoft, it's going to be a legitimate patch. So if you ever get to circumvent that, well, then you're in trouble. But so they call that Patch Tuesday. So what do you think they call Wednesday? Patch Wednesday. Nope. Hack Wednesday. Thank you. Because what happens is that Microsoft, or even other organizations, when they announce a patch, they say, hey, we found this vulnerability. Hackers can get in this way and do these things. Well, not all the hacker community knows that. So on Tuesday, they're reading their news and they're like, oh, I didn't know I could do that.
So they immediately start coding and writing programs to take advantage of that vulnerability. So within a week, there are thousands of programs that have been written to take advantage of that vulnerability that was announced. Wow. So if you don't download the patch, you're subject to those programs. Yeah. And the longer you wait, the more programs there are. So what you mentioned, phishing and deception and social engineering, is my great, uncontrollable risk on my own machines. But insurance companies are different. They have protocols and programs, and they're regulated to have these things, right? What's it like being at Detrick, or any insurance company, in terms of dealing with the possibility of being hacked? Well, the good thing about the regulations is that they're making you do the things you should be doing anyway. The baseline core things, like having a firewall, having backups, checking to see what your vulnerabilities are from the outside world, checking to see what your vulnerabilities are from the inside world. So the regulatory body, it can be a lot of work, but it's just making you do the things you should do in the first place. Which you would do anyway, if you were akamai about it. Right. But the other thing is that if you want to be an insurance company, like any company, even like any nonprofit, you have to be innovating, you have to be moving ahead, you have to be improving your software, getting new software, addressing new system problems all the time, all the time. So how can a guy in your position as a systems, you know, technical service manager or technology service manager, how can you keep up with all the changes that are happening in the company as against all the changes that are happening outside with the hackers? I mean, this sounds maddening. Do you sleep at night or what? Yeah. Oh, yeah.
Well, you know, as an organization, if your organization has good communication internally, which I feel we do, you know, you learn, okay, well, what's coming down the pipeline? What's the next project that we need to do? And then you apply the filters, like, okay, well, how does this affect our security? You know, what could happen here, so that we can make sure we can avoid those pitfalls? And the other piece of that is getting educated. You know, I mentioned it's constantly changing, and I love that. So there are several really good security-based conferences that happen here in Hawaii every year. Who runs them? Well, the ISSA is my favorite, if I had to pick a favorite. It's a national security organization, and there's an Oahu chapter, and their big yearly event is actually next Wednesday and Thursday. They call it the Discover Security event. I mean, what could be more appropriate, because we are now in October, and everyone knows, everyone knows that October is National Cybersecurity Awareness Month. I think they may have planned it that way, I'm not sure. Sounds right. Yeah. So there are a few others that happen in town that are really good, and, you know, the vendors basically want to get people's business, and so they'll sponsor a lot of those events. So I go to those as much as I can, because I want to learn what's new, what's going on, what's out there. Yeah. You have to work on two levels, though. One is when you're going to develop new systems in-house, and you want to develop them in a way that you will be able to use, apply the rules and the techniques for avoiding hacking from outside. The other is you have to figure out how the hackers are changing and what they're doing. How do you find that? I suppose it's the same conference. You have to have, you're looking at both things at the same time: what you do inside and what they're doing outside and how you can keep protected.
Well, you know, so we're really good at keeping the door closed, right, with the firewalls, and not letting them in that way. So that's why I mentioned the key thing that you're trying to do now is train your staff so that we can prevent the back entry, the back door being unlocked. It's the same kind of thing as you were talking about, you know, against phishing and social engineering. You're looking at an email and you're looking for suspicious telltale signs on the system, and immediately, you know, you shut down that hole somehow and report it to you, for example, and you shut down the hole. What kind of training happens inside? So, you know, part of the systems that we use are smart about what the websites are. And we actually subscribe to a service that is global, that basically classifies websites. And then you say, okay, anything business related, you can go there. If it's been flagged as a malware site, it just gets blocked, even if you try to follow it. You can do that in-house. Our systems have that capability. And so you tend to block it out. So if I'm an employee at Detrick, I'm not going to be able to get access to that site, because you put it on the no-go list. Correct. I mean, sometimes, you know, you get a legitimate site, and then the users will just let us know, and then we can check it out, make sure it's good, and then add it to an exception list. So the training is to train them to be a little suspicious and see the telltale signs and know what the telltale signs tell you, and then report it back to you? Well, the training for the staff is, you know, the two key factors that prevent people from, you know, either opening an attachment or going to a link. But we also try to train them, like, hey, this is what's going on right now, to give them kind of a thought process of, like, okay, well, people really are trying to knock on the door all the time and get in.
And, you know, we just want to make people aware of that, so that next time they get a suspicious-looking email, they think twice about clicking it. Yeah, I want to take a minute before we have a break in a couple of minutes, but I'm going to take a minute to examine who is doing this, who's out there. You know, years ago when it first started, when ThinkTech first started in the early 2000s, you know, we had a bunch of kids on the show and they would tell you about the fun, and one of them went to jail, by the way, about the fun and games. Not because of what he said on the show, but what he did before he came on the show. But, you know, these kids, they were just fooling around. It was just a show-you-how-smart-I-am kind of thing. That's not like that anymore. And it's not from local. And in fact, it's mainly, it's not even from this country. Where is it coming from? Who's doing it? And how do they get the resources and access to do it? Well, you know, you mentioned that at one point it was just like, oh, look what I can do. I can break into this system and hack whoever. But then somebody figured out you can make money doing it. And you can make money anonymously. So, like any other business or business concept, once people catch on, then it gets more and more diverse. So it went from, you know, people doing little hacks here and there to, oh, well, I can write code; hey, you can help me break into a website; let's team up. And so now, you know, those businesses have really diversified. It's a multi-billion-dollar industry. And so organized crime now is turning more to cyber crime because it's low risk and high profit. So if I break into Equifax, for example, and I get hundreds of millions of, you know, records with email addresses and social security numbers and I don't know what else, how can I make money with that? I've got to sell the list. Is that all it is? Just selling the list? Where does the money come out? Well, yeah.
So if you were the one that stole it, you'd want to sell it to make your money immediately and not have to do any of the extra work. So you sell those credit cards or the social security numbers and addresses and things. And then people will want to buy them from you, because then they'll go and they'll open up cards in people's names and basically just find ways of stealing that money using someone else's identity. Identity theft is what it amounts to. Correct. What's interesting, though, is that, undoubtedly, these people are going to have to do it on the Internet. They're going to, you know, access a marketplace where you can buy and sell these stolen lists. And can't the government find them? Can't the government, you know, put an agent in there somehow to impersonate someone who was buying or selling a list, and then get enough information to go and arrest them? Can't we stop them that way, by stopping them at the buy-and-sell exchange point on the Internet? And they have. Oh, okay. Yeah. No, no, it's called the dark web. You know, on the dark web, you can only get through with certain types of browsers. So Tor is one of them. And actually, yeah, the law enforcement agencies have busted places like that. Pirate Bay is one of them. The Danish officials just recently shut down another one of those websites. Because, like you said, they'll steal it. And then, you know, I was mentioning they'll want to sell it right away. And the people that do that in between, yeah, then law enforcement has a way to try to track those folks down. I mean, you're mostly anonymous on the Internet. At some point, you know, you can be tracked down. Yeah. But if you're tracked, if they find out it's you and you live in Ukraine, it's not likely that anybody can do much about that. Or, for that matter, in Vladivostok, where, you know, they have plenty of cells of young fellows who go out and hack just for, well, for the money. It used to be for the sport; now it's for the money.
So you can find out who it is. And you may be able to shut them down. You may be able to shut that dark web site down, too. But you can't go out and arrest them if they're beyond your reach to arrest. And, you know, if you shut their site down, why do I feel so strongly that another one will pop up in 20 minutes? Am I right about that? Oh, it's a business gap and someone will fill it, right? Yeah. Yeah. And so, as far as, you know, countries with extradition laws, you know, if they're friendly or not friendly, it's, I mean, people still do get arrested in those places. But then that country has to have a desire to want to have that person extradited, or to allow them to get arrested, right? If that particular hacker happens to be doing a whole lot of stuff for their country that they want them to, then they may or may not want to let them get caught, right? Well, you know, it seems to me that we learned in this presidential election, and we haven't learned everything yet, it's still coming, that hacking is ubiquitous around the world. It crosses boundaries. There are really no limits on it. And, I mean, I just really wonder what can be done about that, because obviously it's expanding and unfolding different targets for different reasons. The political targets are really chilling, actually, where you can hack an election and the like. When we come back, though, Brian, I'd like to talk about, you know, what we can do as a business and as a person. And the worst-case analysis, if we don't do anything, I'd like to talk about that, too. That's Brian Fannin. He's the Technology Services Manager at Detrick Insurance, right here in Honolulu, here on National Cybersecurity Awareness Month. And we're examining these questions with him and learning what is being done, what can be done, what we can do. We'll be right back. This is Think Tech Hawaii, raising public awareness.
You wish you were here for the break, because we were talking about watches and chips in the back of your ear, and all this is so much happening. And Brian Fannin of Detrick Insurance is fascinated with these kinds of things. So let's study, for example, what could happen with an insurance company in a worst-case analysis, if somebody got in and just had their way. What's the worst-case analysis? Does it have to be an insurance company? No, no, it doesn't. I mean, any company that deals with the public, it's a service company, right? It's a company that has your data, and where you need to have them, and they are an important part of your business life, or your personal business life, anyway. So there are a few things. You know, there are regulations that you have to follow as a company. So insurance companies, for example, will handle workers' comp, and the folks that do that will have HIPAA information, which is personal medical information. I'm still a little unclear on what hackers can do with personal medical information. Yeah, I mean, I'm not sure what they would care, and if they sell it, I don't know what that means. It doesn't mean anything to me. If they want to.
Well, I guess one thing they could use it for would be extortion, right? So maybe if you have something you're ashamed of that you don't want people to know about, or, well, or it's just none of their business to know, right? So, like, you know, say I've got some bunion on my foot or whatever and I don't want anybody to know, and I may be willing to pay money to not have people know that. Right. So you could use it for extortion. Or a mental problem. Yeah, that too. And then the political official, or, you know, some kind of, I'm in an office where it wouldn't be too swift for people to know about my medical issues, my mental issues, yeah. Sure. So, you know, another case would be some companies store credit card information, and then they've got to follow PCI rules to make sure that that information's protected. You know, you've got name, address, sometimes social security number. Insurance companies have those as well, but a lot of companies in general can have that information as well. So worst case, you know, all that information gets stolen. Then all your customers, let's just say you get a hundred percent success rate for the hackers, right, and they're able to hack everybody's information and, you know, steal their identity and buy new cars or get cash or what have you. That's wreaking havoc, but it's also wrecking credibility. And I'm saying, you know, if I had a choice of dealing with Equifax or not dealing with Equifax, at this point I'm not sure I do have a choice, but I would not deal with them. I wouldn't want that around me. They somehow got my information, however they did that, with fine print, whatever, and then they blow it by allowing that, with the hacking. And if I had a choice of not having them on my case, I would not have them.
Well, and the bad thing is, you know, even though companies will pay for credit monitoring, you know, that trust has been broken. Yeah. And trust is huge. Yeah. Especially when you're giving your personal information out. Yeah. You know, and some time back, you know, companies started selling your information to their affiliate partners so they could advertise to you and things like that. Yeah. That was such a shame, because it was kind of the start of people monetizing that stuff without really telling you. Yeah. Well, they tell you in the fine print, but, you know, nobody reads that stuff, right? Fine print, really. So, you know, worst case is all that stuff goes out, which is really bad for the customers. Now, if you're looking at it from a business standpoint, if you lose trust with your customer base, they're not going to work with you. Yeah. So, you know, well, insurance companies are all about trust. Well, absolutely. We make a contract to say, you know, we're going to restore you if something happens. I'm really relying on that going forward. In fact, it's life or death to my business, whatever risk we're talking about, that I trust you to restore, as you say. So we have to make sure that the trust is justified and not broken. Absolutely. Yeah. So it's important, but it's also important for silly things like Facebook, where, you know, my information, they have a lot of information about me. I would say they have more information about me than you do, than Detrick does, oh, maybe even Equifax, because they're collecting everything I do, everything I say, everything anybody else says about me. Well, they're collecting whatever you provide them. Yes. Yeah. But it's free because you're the product. Yeah. Yeah. And it's troubling when you realize that people do not understand that what you provide to one of these social media companies is going to get out there beyond where you thought it might, and be sold or used against you in some way. People don't realize, for
example, people in judicial appointments, where the judges, it's not a great idea to go on Facebook and tell everybody what you had for lunch. You don't want your persona to be revealed in public or in private. Well, if they know what you eat for lunch, then they know where you eat for lunch, and so if someone was targeting you, then they have some information that they could use for bad, right? Yeah. Yeah. So we live in a world where all of this is transparent, and we buy into it because it has its positive benefits for us, but we have to contain it, and that's really an art form. You know, I'm troubled, because every time you look, you hear about hacks and breaches and whatnot. How can I know that a given company is taking the right steps? Wow, that's a really good question. Now, you know, one of the things that we do in the financial industry is that we vet our vendors, and the Target breach was a great example of how much did they vet their vendor. And, you know, if you read about how that hack happened, it was very obscure, if you really think about how did it happen. Air conditioning. It was a, well, you know, I don't want to quote, because I don't remember the exact detail of how, but it was a third-party vendor that had a vulnerability in their equipment, and the hackers took advantage of that. That got them on the network, and once they were on the network, then they were able to work, because everything is connected. Because everything is connected. So even the air conditioner is a part of the Internet of Things, with an IP address and all that. Oh, yeah. And you can get from one IP address to another IP address, and then now we've got you. So you said the Internet of Things, which is the magic word, right? So all of those devices that we're putting into our houses and on our networks, all hackable. We could talk about that for a whole episode, I'm sure. But as far as knowing, you know, if companies are secure or if they're doing the right thing, you know, the
financial industry has to vet who they're working with. They say, okay, you know, are you doing the things you need to do? Do you have a firewall? Do you have antivirus? Are you doing the baseline things that you have to get done? Because not a lot of companies do that, and it's surprising, actually, when you see how many just aren't on top of what you would consider the baseline security posture they should have. I agree. And so you have three possibilities: one is they're not performing the baseline, two is they're performing at the baseline, and three is they're performing beyond the baseline. So is there a way for me to find out, for a given company, where they are in those three possibilities? Me, for example: if you came out and said, Jay, don't worry, we are above the baseline, let me show you, you can't show me too much, because that opens an exposure to the hackers when you make a public statement about that. And so this is really a conundrum, because if you tell me everything about what you're doing, that's too much information. Well, and also, if you say, hey, you know, you're the best, then you're also putting a challenge out there, right? Yeah, right. You're tweaking somebody's beak. Yep. Yeah. So as it goes forward, every company needs a guy like you. Every company. I mean, I'm not talking about somebody who can go and program computers and help people get online and, you know, do all those things to educate people on the use of the systems and software in a given company. I'm talking about a guy who protects the company. Everybody needs you. Well, the industry itself has got a huge gap in people that are skilled, that can do this. Organizations are getting, you know, chief information security officers and security folks, and it's just a huge, huge need. And, you know, one of the organizations I'm affiliated with, you know, talks to the professors and said, look, what can we do to get the ramp-up for people coming into school, to get them interested in this and to tell them that
there's a huge need for this, and there is going to be a huge need for it, really, going forward. Yeah. So, I mean, can I get a degree in protection, as opposed to in creation of software? Can I get a PhD in that area? What should I rely on? Experience? You know, one of the things, I mean, when we spoke before the show, you told me you had 15 years of experience in this area, and I was impressed with that. To me, that would be actually more important than somebody who just took a PhD, you know, last week, honestly. So it sounds like there's a brand new career opportunity here, and there's not enough people who have the experience, with a degree or otherwise. And there are, I don't know that there's a degree per se yet, but there are, I don't know what to call them, it's like, you know, vocational training courses and certifications that you can get. There are a lot of certifications that you can get for security, to kind of add to your portfolio of being able to do security, right? So, like you mentioned, you know, if somebody just had a degree but didn't have the experience, you know, that could be in a lot of different fields where the experience helps to pay off. But, you know, I'm hoping that IT security, and the industry as a whole, will get some good mentors to really bring that next generation up and, you know, train the next folks that are coming in. And I feel like there's a lot of good, some of the professors that I've seen talk here are doing a great job of that, as far as, you know, getting the educational pieces there. But, you know, having that mentor that's already doing it is a valuable thing, but we don't always get that opportunity. And it's a profession. I mean, it's just like any serious profession: you share with your other professionals, you learn from them, you schmooze with them, you go to conferences. We have actually two guys here on our lineup; one is Andrew Lanning and the other is Dave Stevens. Dave teaches at KCC in this subject, and they're both into cyber terrorism and cyber attacks. So it's an
important topic. I'm glad you're doing it. I'm glad we're covering it, and I would like you to come back so we can track with you on the latest and greatest, or the worst and most awful, as the case may be. Because I think our world, which, I think we were naive there for a few years at the beginning, say when Bill Gates discovered the Internet in 1995, we were really naive, and now, you know, we have to be much more sophisticated. There's no choice about it. Yeah. Yeah. So why don't you tell businesses, tell all the businesses out there, even one minute, actually. All right. All right. Tell them what the mindset should be, okay, in dealing with this issue in their company. So you want to follow the baseline. You want to, you know, have a firewall, have antivirus, think about how people can get into your systems and get things out. You know, if you've got people that need to take confidential data off-site, then use one of these guys here, and this is an encrypted USB drive that you put a code into that decrypts it and lets you access it. And then you also want to think about what happens if you do get hacked. What are you going to do? You've got to figure out how they got in. You've got to figure out what they got. You want to help your customers that did get their information stolen out there, whether it be offering them credit monitoring. You'll need some sort of PR team. And part of that thinking about what's happening is, look at cyber insurance. That's what cyber insurance is for, actually. It covers those things, because not everybody's going to keep what they call a red team on staff, someone that has the technical capability to go in and discover all that stuff. So when you have a cyber insurance policy, it covers that kind of stuff. Yeah, that sounds really important, and especially in a case where your whole business is dependent on, you know, the security of your equipment. Well, thank you, Brian. Great to talk to you. My pleasure. Brian Fannin, Detrick Technology Services Manager. Yes. Better.