 Okay, we're back, we're live for the 4 o'clock block. This is Think Tech. I'm Jay Fidel. And the guy on my left is Attila Suresse. Attila Suresse, welcome to the show. It's been nice. It's been a long time. It's nice to see you now. Well, it's good to see you too. You keep getting younger every time I see you. Yeah, so do you. I don't know how, you know, maybe we'd take drinking the same water. Attila was a host on Think Tech for a long time, back a couple years ago I guess. And a lot has happened since then. He's been building his company, which is SOSTechSolutions.com, yeah, you got it. And he's been doing cybersecurity. So we're calling this show, it's a new year in cybersecurity because there's a lot of developments there. Yeah, that's his logo and everything and show a picture of his website as it exists. There it is. It's coming. I know it's coming. I see it coming. Watch this. Poof. TV magic. TV magic. Poof. So, I've sort of summarized what you've been doing, but give me a little detail on that, Attila. Sure. I mean, there's a lot of small to medium-sized businesses in Hawaii. They're all subject to the same kind of demands and problems that the big companies have. So the idea is to bring that kind of enterprise level protection to the Hawaii business market because we need it here. Any sort of disruptions in any sort of businesses here, be it food, be it retail, be it wholesale, any of that stuff, can really mess up the economy. Yeah, on a larger scale, it can mess us all up, you know, if some critical function in the economy goes down, we all suffer. So on a public policy point of view, it's valuable to do what you're doing and increasingly important, I would say. We saw that on Saturday. We saw how important computers are. We're completely dependent on them now, and therefore, we have to make them work. But there are things that get in the way of nasties. There are nasties. Can we talk about some of the nasties? You have a newsletter. 
Talk about your newsletter and talk about the article that you had, which was about Hackers Got Lucky at Christmas. Of course. So, there's something called GratefulPOS. Now, if you haven't heard of this, you will. It's very new. What happened is a bunch of malicious software got on point of sale systems. I'm not sure if you know this, but point of sale systems are essentially computers. And those computers are swiping credit cards, and that GratefulPOS software silently made its way onto thousands, if not hundreds of thousands of point of sale systems. Still a figure of numbers. A Trojan horse kind of thing. Exactly. And the worst part was that no antivirus software that was currently on the market of the top 65 antivirus software could find it. So, what that meant is it was siphoning off credit card numbers and sending it off to a far off country to fund human trafficking, drug trafficking, organized crime, and all that stuff was affecting local businesses all throughout the United States and here. And so, there's some damage control that's being done, but in the coming weeks and months we're going to start seeing the outcome of that. You know, isn't it interesting that we have all these hacks and ransomware attacks all in 2017, and now organized crime is stronger than ever? Third world countries have the funds to build weapons of mass destruction and send them our way, potentially. And who knows what we're going to see this year? It's here countries too. First world countries are up people. 
Well, just rewinding a little bit in the timeline, if you look back in November of 2016, when WikiLeaks originally leaked out some of these problems that were being used, some of these exploits, a few months later we saw the WannaCry ransomware attack and that WannaCry ransomware attack took down computers all from London to Thailand all across the way, you know, so big commercial computer systems were held ransom, millions of dollars of ransomware payments went out, it's been confirmed to North Korea, and then six months later North Korea has a new missile program. Wonder where they got the funding from? Oh, that's really stinky. Came from them, huh? Well, it's confirmed. I'm not repeating anything that you can't Google yourself and find out to come from. Yeah, OK. You can talk stinky about them. They've been stinky to us. Anyway, you know, the thing about it is you mentioned now two things that are threatening. One is the one at Christmas was again. This is Grateful and you mentioned WannaCry, OK, and the Christmas Grateful happened at Christmas, but we haven't heard about it since. I mean, I haven't. And then WannaCry was a year ago and we haven't heard much about that. Does this mean these things have been resolved? They say it came up on the screen and then they went off the screen. Did somebody fix them? What happened? Well, they paid a ransom. And the way the ransomware works is that it gets onto a computer, right? And then once it's inside that computer, it says, OK, I'm going to silently encrypt all these files. We've had to physically do this for clients to remediate this problem. And once it encrypts all the files, then it says, great, would you like your files back? If so, here's the ransom demand. It can be anywhere from $1,000 to $5,000. The highest we've seen here locally is $105,000. Wow, they didn't pay it though. They did not, but they also did lose 12 years of data. Oh, they never got it back. Never got it back. 
But if you can figure out the encryption and decrypt it, you get it back. Well, these guys are smart. What they figured out is that in order for you to figure out the encryption would take several years to reverse engineer that encryption key. And they only give you a few days before the ransom goes up. And then a few days after that, before they just erase all of your files. Destroy the files. So that's their way of preventing you from spending any time to fix it. Correct. So what happened? I mean, what's the end of the story? Are they still doing it? Correct. In fact, it's become more and more targeted. So 2017 was kind of the proving ground for this kind of activity. What we're seeing now, and you can see this almost on a daily basis, we have three hospitals that I read about just this morning that were infected with ransomware. Power companies are now becoming infected with ransomware. And it gets more diabolical than that. They're exploiting very specific targeted attacks in order to do very specific things. So for example, in the case of these energy companies, they look at the energy company's website. And on the website, they have beautiful graphics showing the company's equipment and with engineers standing proudly in front of them, right? And so the criminal looks at that and says, wow, I recognize that piece of equipment behind them. Let's go on their website and see what jobs they have opening. Oh, great. They're hiring. Let's send out some resumes with some malicious payloads. Oh, this is sophisticated stuff. But well understood and well known. And not simple, right? I'm sorry. It's simple, but it's not terribly easy to do. They take these resumes. They match a qualifying resume. They submit it to the power company. Within that, they have malicious payload geared directly towards taking down that piece of equipment that's there at the power company. And they have been successful at gaining control of a couple of them. 
Luckily, not here in the US as far as we know, but it has been around the world. And we're seeing more of that when it comes to health care, when it comes to insurance, big boys, right? But big data. Big data and big money. And these hospitals in particular that I reference, they did pay this ransom of, it was an undisclosed amount, but they did pay the ransom, and they were able to kind of get back up and going. A ransom is a very finicky kind of business. It's like a real ransom where they're holding someone hostage to give them money. They say, maybe we want some more. There's no guarantee of you receiving your data back after you've paid that amount. And the FBI says that you should never pay the ransom, because it encourages this activity to continue. But people do. They do. It's just like real kidnapping. It's the same thing. People do. Well, it gets worse. So there's this new strain of ransomware called Jaff ransomware. How do you spell that? J-A-F-F. And Jaff ransomware is fun for the criminal. They've gotten wise. They say, you know, these ransomware payments are going down. People have great backups. They just take their computers, either throw them away or wipe them clean, put in all new data, and off they go. They've just lost their opportunity. So instead, before encrypting the files, they take all these files and send them off to a cloud storage somewhere, some compromised place. And then they encrypt the files. And then they ask you for money. They say, oh, and you know what, if you don't pay us, we're going to take those files that we stole and sell them on the dark web. And if they contain things like PII, which is personally identifiable information, so security numbers. Oh, that's one step further, isn't it? Yeah. Wow. So the price goes up. I mean, what do you do to stop this? Well, believe it or not, the best defense is education. What do you tell them to do? Well, there's ongoing education and training programs. And a lot of it's common sense. 
So obviously, there are some technology solutions that can mitigate some of this damage. But whenever we work with an organization to secure, to increase their posture in terms of cybersecurity, what we do is we make sure, OK, we put in the best of breed equipment to protect you, and there's still this element that is human. Sometimes I've heard it called a chair to keyboard interface error, i.e. the person between the chair and the keyboard. You want to look at that. For example, we send weekly email trainings. And the one that went out this week was about how to identify misspelled words in emails and how to identify a bad link in the email itself. So for example, if you get an email from Chase, demanding payment, and you hover over the link and it says some long Ukrainian website, you know it's not Chase. It's not Chase. I always do that now. Always do that now. So OK, so that's the phishing side of things, where they're doing what a social engineering and phishing engineering on you. But once you've got the pox, how do you get it? Once they send you that awful email and tell them it makes all these threats and demands a ransom, what do you do? Well, the best defense is to have a good business continuity plan or backup plan. So backup helps. Backup does help. You've got to backup and you've got to backup such a way so that your restore will be minimal disruption. And the larger the organization, the more disruptive it could be, it's kind of a hidden fact. But 60% of all businesses that get hit with ransomware within six months go out of business. Out of business. Out of business. They simply cannot recover. You're so disruptive. Bad disruptive. This is really damaging. So if I'm a prosecutor or the FBI or whatever, some law enforcement agency, what do I do? How successful have they been? Have they caught any of these guys? I'm not at liberty to say, because I do work with them on some of this stuff. 
But I do know that they are able to, they usually know about the threat actors beforehand. So they know that this stuff is going on. They're busy putting out the real big fires, the real big problems that they have to deal with. And a small business, such as what is what, 98% of our businesses here on the island, is going to kind of fall by the wayside when it comes to something like this. They can't afford to deal with it. Right. They're going to go back to paper and pencil and try to run their business that way. Terrible. I remember the state of Hawaii Attorney General's Office had a unit that was supposed to be involved in computer crime, not only cyberterrorism and all that, but computer crime. And I think my recollection is they had a one lawyer or two, and they didn't have a whole lot of investigative resources. They didn't have an army of guys working for them that could actually identify or investigate, find out where it was coming from, talk to other agencies and all that. So I don't think that we do as much as we can to find these guys and prosecute them and punish them. There's really no disincentive, is there? It works just well for them, doesn't it? Well, let me tell you about who these guys are. Maybe we should have that conversation. So there's kind of this misconception that it's this guy in a hood. I'm sure you've seen it. The guy in a hood, he's on a computer, he's got a cup of coffee next to him. In the basement. In the basement, right? Maybe some matrix looking letters going in his background and he's sitting there hacking away, right? And he's stealing money. That image is completely incorrect. Cybersecurity, cybercriminals are well funded. They are organized. And they typically have ties to larger organizations. Like governments. Correct. And there is a strong incentive to keep their relationship alive because there's so much money at stake. Just as a comparison, the largest bank heist was, I think, $30 million. 
And last year, something like $40 billion estimated was stolen by cybercriminals. So it's a completely different ballgame. You know what's an economic weapon is what it is. I mean, I'm North Korea. And I want to really hurt this country. Sure, I can try to bring the power plants down. But if I take all the data and separate the data from the companies that need the data, I can really put a dent in the economy in general. Make one great big attack like that. Using proven technology. Technology we know that works. So when these guys are developing ransomware, and they're state actors or they're working for state actors, seems to me they're involved in a process that could be like war against any country that has companies that require their own data. Yeah, and it's not just them. It's an entire industry. Cybercriminals are not just completely isolated in these very organized syndicates. There's actually industries where you can kind of get your own kit and go after a company yourself if you wanted to. So it's become commoditized. Even the targeted company. Correct. And what is beginning to happen a lot with these cyber criminals is actually so much data being stolen that it's very difficult for them to even commoditize all that stuff. So for example, Equifax. How many records were stolen? Over half the US populations. And there was a breach a few months later that didn't really make headline news. And there's continuous breaches that happen with smaller companies, such as cell phone carriers. And you see those on the news feed as well. Now the deal is that that information ends up on someplace called the dark web. Have you heard of the dark web? So the dark web, of course, is where all this stuff ends up. And then the deep web is where the real nasty stuff is. But your credit card information is on the dark web. The average is you can get into both the deep and the dark web, can't you? Well, it's just degrees of the same thing. 
And on the dark web, they're actively selling credit card information, personal identifiable information, health records that have been stolen. Even targeted. Yeah. If I say I want to get Joe Blow, right? I can go and get Joe Blow's information and do some bad things to Joe Blow, right? Sure. In fact, after the show, because I don't think we should do it on camera, I can look up your information to see if you're on the dark web, because you might be. OK, well, that makes me feel like I need to take a break, Attila, to react. That's Attila Suresse. He's the CEO and proprietor of SOSTechSolutions.com right here in Hawaii, in A. And we're talking about a new year for cybersecurity or terrorism, as the case may be. We'll be right back with Attila. I mean, there's stuff on there. OK, now, during the break, Attila showed me Cyware, C-Y-W-A-R-E. What is that? Well, it's a great source. They assemble a lot of cybersecurity news, a nice pleasing format that anyone can pick up and watch. One of the other feeds. 
So we watch a lot of feeds to get some of this stuff. Obviously, we work with Federal and State for some of their proprietary information. But you can also pick some of the stuff up on Cyware and even Flipboard, which is built into one of those types of things. I see, yeah, I have Flipboard, yeah. Just filter out your category so you don't get all that trash about whatever's going on in the White House, and pick up just the cybersecurity and new tech news, and you'll see some scary stuff on there. Yeah, well, scary stuff. I want to talk about that. I want to talk about you. I mean, if I were you, I'd be slightly paranoid already, knowing as you do about all these troubles and threats and bad guys and malware just all surrounding us, we're sinking in a world of this stuff. Doesn't it give you a headache actually to know about all that? Well, wouldn't it be better that I become informed and our staff also become informed as much as possible so we can best protect our clients? I mean, that's what it's all about. Can you protect me? I'm ABC Company. Can you tell me, Jay, no problem, oh, we're going to protect you from all these threats? Can you tell me that? Sure. The idea is that it's best effort. Everyone's going to give you best effort, right? You go to McDonald's, they're going to give you the best effort hamburger they can. They can't guarantee you're not going to get food poisoning. But they'll give you the best effort, and overall, they provide a consistent experience. In the same way, every organization is like that. We do best effort cybersecurity with the best tools available. And guess what? Every year, those tools change. So we keep giving the best tools, and then the best tools in the next year and the next year. So that's kind of the process. So who's winning this deal? I mean, we have more malware going on all the time. It's everywhere, and you don't have to do much computing to see it filter in on you and get in the way of things or worse. 
And we have cybersecurity guys who specialize and try to come up with fixes and protections and the like. Who's winning? Well, define winning. Who's making more money? That's for sure. We're still ahead. Who's winning in terms of can you beat them? Can they beat you? Who comes out ahead? You know, your comment a little while ago about how this large percentage of companies that have been attacked by ransomware go out of business. I would say the ransom guys are winning. Well, that is one statistic. But you can also see that after a major data loss, so not necessarily a data breach, 60% of businesses go under. 80% of restaurants go under within the first year. There's a lot of factors that can come in there. But it's a confounding variable. So when it comes to actually figuring out if this was the cause, I'm sure it's one of the things, but it could be the final nail in the coffin for a company. So it just depends on the size of the business. It's part of doing business now. Yeah, exactly. I mean, as a business owner, you can expect a lot of problems from your employees or from legal problems from all kinds of angles. So this is just one more. Sure, because implications, because you have a duty now. It's a duty. You as a proprietor, serving clientele, holding their data, you have a duty to protect. And if you don't do anything, that's clearly a legal exposure to you and your company. So that's another way you could go down by failing to take care of it in violation of your obligations to your clientele. Well, and from an insurance perspective, they're not going to insure or even obviously reimburse a company that didn't put essentially locks on the doors that the doors being their computers. They didn't properly secure their data. 
They didn't put in a business continuity plan and they have a responsibility to their own customers to be able to operate and they fail to do so because they didn't hire like a cybersecurity company or someone who specializes in this to come protect them. So let's take the retailer who got the Grateful bug. You know, I find it very interesting. It reminds me of Stuxnet. Stuxnet, how the guys who developed Stuxnet propagated it all over the world. It went everywhere, but it was calculated to go to one kind of nuclear controller made by Siemens, just happened to be in Iran, just happened to be there. So it went everywhere. I mean, it must have been millions of machines were infected with no effect, but it went to this kind of machine in Iran and it blew up the centrifuges. So the same thing here, you could target, you could get on retail, you could bring a company down on the retail and I guess they, you know, one way or the other through social engineering or otherwise they can get it onto your retail machine. Now, the retailer, I guess this hasn't been solved yet. So every time I put my credit card in and I do, I'll admit it, I do. Okay, it's at risk. Does the retailer have to tell me, should he tell me that I'm at risk? They're obligated by PCI compliance. So they do have a compliance standard that they have to, and we should talk about compliance here before we run out of time, but compliance does require them to notify you that something's happened. So you may have received something in the mail that says, hey, you know, I'm sorry to say, our point of sale systems have been compromised or our database have been compromised. Be sure to keep an eye on your credit report. Thank you very much, goodbye. And that's it. I mean, what else can you possibly do? Yeah, what am I gonna do with that? Yeah. Okay, I'll cut all my credit cards and start walking around with cash. No, I'm not gonna do that. You know, that's not functional. 
Well, as long as we know where you are, we can put a blindfold on you and take all your money. Well, maybe we should change our credit cards every two weeks, you know, that'd be safer with it. Well, it just really depends. I mean, if you really need some sort of credit card, you can put a credit freeze on your account. So that was, if you go to my blog, you'll see I wrote up an entire thing about what to do. If your personal information was compromised during the Equifax breach. Yeah. And one of the things to do is to put a credit card freeze on there. Yes, it's 30 bucks. But you know what? If you're not getting a new credit card all the time, that's okay too. Yeah, yeah, yeah. How do I get your blog? How do I find it? Your newsletter is blogged, same thing. Yeah, well, there's things to it. What's the name of it and how do I find it? Well, if you go to our website, sosy.com or sostechsolutions.com, there's a link right there to the blog. We have all kinds of stuff on there. And if you just Google my name, you see tons of stuff. Okay, Attila Suresse. That's what, two T's. Yeah, you got it. Okay, so anyway, so in closing, we only have a couple of minutes left here. What are you gonna spend your time on this year? Are you gonna spend your time on NIST 800-171 Federal Cyber Security Requirements? Oh yeah. Are you gonna spend your time on the Intel chip problem? Are you gonna spend your time on other kinds of malware and ransomware and what have you? What does it look like for you, Attila? Well, predictions for 2018, big time. The chip problem, the Meltdown problem, is gonna affect a lot of cloud service providers. We're gonna see some service outages. There's gonna be more targeted and sophisticated ransomware. And the NIST 800-171 requirement that the federal government has put out on all federal contractors that receive any sort of funds from them. Even on a project that they're participating in as a sub, they are required to protect the data. 
This is called CUI, controlled and classified information. They're obligated to protect that information and keep it from getting into the wrong hands by all these ways that we already described. So, part of those NIST requirements, and I know we could talk about this a lot longer, there's training involved, there's best practices involved. A lot of the stuff that these NIST requirements that are coming out, they're really guidelines that you shouldn't be doing anyway. What's that stand for NIST? What's that stand for? National Institute of Something or Other. But it's the standards for it. Standards, yeah. Right, so every organization has to pick some sort of standards that they can go by. And so whether it's an engineering standard or if it's an architecture standard or one of these other standards that they're gonna choose is an industry standard, the software development standards. The NIST standard is kind of a general standard that the federal government has imposed. It says, look, follow this and you'll be okay. Follow this and we'll deal with you. We'll have business with you. Don't follow this and we can't use you as a contractor, yeah? In fact, if anyone has been on a contract after October 1st of last year, they're required to submit all their proof of cyber compliance. And if any contracts are awarded and you think you're in the clear, that can be contested by someone based on that standard. So it's another bullet in the barrel of their gun against trying to knock you down from an awarded contract. All the big major federal contractors, anyone with even as a subcontractor to a federal are required to go by this NIST standard. And it was enacted on December 31st of last year. So it's just a few weeks old now. So they're gonna begin enforcing that. They're gonna be requiring this stuff. And a lot of it is paperwork, but a lot of it is also procedural. So it's not terribly complicated stuff. 
It's just a lot of little moving parts that you should really put into your business. At the end of the day, it's really best practices. Do you have a program or do you have a written procedure for bringing someone on and bringing someone off and hiring someone and doing drug tests and these kind of things? How do you protect this information? Are your employees trained on cybersecurity and how to protect yourself? These are all really important questions that even as a business owner, especially if you're handling classified information, you should have a really good handle on. And particularly for all these subcontractors that are really small, right? That are maybe just making a buy. They haven't thought of these things. They're out there doing plumbing, electrical, et cetera. They're not thinking about the actual critical data that they're holding onto that they've compromised to compromise the entire project in our country. I'll give you another thing. Bunch of really good investigators who are trained in computer technology and prosecutors find a few of those buggers. Find them and prosecute them. If the statutes aren't stiff enough, make them stiffer and put those guys in the pillory in the stocks for about a thousand years and make it public and try to diminish the amount of this activity. Because right now it's rampant. That's what it sounds like to me. And there's no downside to doing it. And if there's no downside in this country, well, there's no downside in Ukraine either at all. In fact, your government might support you. So what I get is we're not stopping a flood of this kind of activity. We're dealing with it on a completely defensive basis and we aren't stopping anybody from doing it. We've got to take action against them, don't you think? Absolutely. And it's like toxic mold. It just continues to grow if unchecked. And 2017 was the biggest year in history for breaches and data loss and all these other big problems. 2018 is going to be even worse. 
Oh my goodness. Yeah, every year it keeps getting bigger and bigger. Back to Walden Pond, back to the Alaskan hinterland, so we can get away from all this. Well, environmental sciences and what we're doing to the planet is probably a different conversation. If we can get back to it, I really hope so. Both of the good old days. So in the end, what we've learned here today with Attila Suresse is that this kind of computer malware and ransomware and all these horrible things that these smart guys are developing, sometimes by themselves and sometimes as hired weapons or even state actors, it's not so much that. It's really sort of like toxic mold. That's what we learned. Thank you, Attila. Thanks for having me. Come back soon. Great. I will.