Hey, Aloha, thanks for tuning in to Think Tech Hawaii. This is the inaugural episode of Security Matters. I'm your host, Andrew Lanning. I'm going to drive you through the security playground of my world as best I can, trying to keep it relevant to things that are happening for us here in the islands. The first thing I'd like to report on is the ISC West event, which is pretty much the largest show in North America every year. We just had it last week; it's in Las Vegas at the Sands, and I know a lot of folks from Hawaii don't get to go. I don't get to see a lot of my security directors and the other folks out there that, you know, take care of us here in Hawaii. So I like to bring back a little bit of what was, you know, I think most valuable, at least the takeaways that I thought were the most valuable from the show. And I can tell you it was a record attendance. First of all, I think we had nearly 40,000 folks there. The classes that I was a part of, that I put on, were heavily attended the first days, and they tend to have less and less attendance as the days go by. But one of the first classes that we taught was a course on Tier Zero, and Tier Zero really has to do with the cyber maturity of your organization. And a lot of the integrators in our industry, that would be your installing companies, are struggling with, you know, how to implement best practices inside their own organization so that they're protecting, you know, not only themselves, the information of their employees, but then also expanding that and learning to harden up the systems that, you know, they're installing for their customers in their businesses. We had a packed house for this one. It's one that we started giving about three years ago, which was amazing that so many turned out. And, you know, we always ask for a raise of hands, you know, who's actively working on, you know, the hardening of their systems and their practices inside their organizations.
And we really ended up with, again, about a 10% or 15% take rate of folks that feel like they're doing some things. And it seems like most of the integrator community really hasn't yet figured out how to get started. And I believe that's probably because most of them aren't working in the Department of Defense space or in the financial sector or the health care sector, where, you know, these regulated industries have begun asking a lot more out of their supply chains. And this started happening a year, year and a half ago. So, you know, they're tending to push that regulatory compliance down on their security integrators. And also in that space, we tend to work much more closely with the IT providers for those organizations. Oftentimes, those are even internal to those organizations. So, you know, they've already got some standards and some guidance that the integrator community needs to adhere to when they bring those systems in. We had a lot of questions still on password management tools. And for the audience out there, I think the takeaway for you about Tier Zero is you want to start asking your supply chain and your vendors what they're doing, you know, from a cyber hygiene perspective, just so you have a feel for their level of competence, especially if they're going to be putting devices onto your network. You know, is that network segregated from the rest of your working network, your working LAN or WAN? Is it a standalone network? And if so, you know, how are they going to apply patches to it? How are they going to put updates to the access control components, maybe the camera components, intercom components? Anything that's IP connected really has some potential vulnerabilities associated with it from the electronic security world. And so, you shouldn't really just trust that those devices are hardened or are safe to be installed on your network. So, you know, those are a great place to start.
You know, ask your suppliers, do they have ways to manage that password? And this could be for a POS system. It could be just the service providers for your IT systems, but, you know, how are they managing the passwords? Passwords are a real problem in our industry, because if I gain what's called the root password, that's the senior administrative password for a device, and that could be a camera or an access control system or the badging workstation or something like that inside your organization, I can then escalate those privileges from there. You know, I can sit in there and hide. I could potentially lock you out of the system, or I can install malware onto the system. There's a lot of other things that are fairly insidious that can occur. So, Tier Zero is really a class we give with, you know, 20 basic questions for the vendor community to ask of itself first. And, you know, the password piece was a good one. Another one that people tended to struggle with a little bit was just asset management, right? You've got to be able to run a scan of your network to know what devices are there. And this includes the security devices. You know, IT types are used to doing this. They're used to monitoring workstations for Windows 365, Windows 10 patches or Office 365 updates, things like that. But a lot of people just forget that the security equipment that's out there also needs that same type of monitoring. And if you have no way to sort of assess the devices on the network itself, then, you know, you don't know what you have. So, you want to ask your vendors to give you some sort of a mapping. A common tool that we talk about is nmap, which is a free open source tool. And, you know, they can run a scan and that'll show you all the devices. It will also show you the open ports on those devices.
And, you know, if you're the person receiving this information from your provider, if you see that there are SMTP, which is simple mail transfer protocol, ports open, but you know you're not emailing any events out of those cameras, then there's no reason to have those ports open. And another common port that we find open on these devices is FTP, file transfer protocol. So, you want to have those ports closed if they're not in use. You also want to identify all the services that are running, and nmap will print this out for you. So, you want to know what ports and services all these devices have, and you want to turn off unnecessary services that aren't being used by the system itself. So, we tend to walk the team through that, and remember that the cyber hardening for a security system integrator in the electronic security system industry isn't all about the products that they install. It's people, it's processes and it's products. So, this bench testing and determining, basically, the condition of the systems that they bring into you, this is something that they should be familiar with and can explain to you readily: how they've incorporated that into their deliverables that you should expect to receive from them once the system is commissioned. And the real reason to baseline these devices is so that later on, maybe monthly or quarterly, whatever the maintenance cycle is that your organization can accept, you can run these scans again and make sure that nothing's changed. You know that these devices are still just as hardened as the day they were installed. It's not uncommon to have devices get reset by users, what we call the end user, which is oftentimes the customer, who's done something unknowingly, or perhaps someone malicious inside that organization tried to disable a camera or a device or reset it so that he could do something without being detected or surveilled.
So, there's quite a bit of value in understanding that. Hey, even if I'm at Tier Zero for our organizations, we wanted them to understand that that's a starting place. And so once they start to look internally at their own systems, it gives them a comfort to be able to talk to the customers about the systems that they're bringing in. And that session had a lot of folks in it and a lot of questions afterwards. We distributed a document; it's called Tier Zero. You can actually download that from PSA Network. I'm sorry, I didn't bring links for that stuff today, but it's free. You have to give an email address up just so that we know who you are, but you can pull that document down. So if you're trying to figure out for your own organization how to maybe get involved with cyber hygiene, or you just don't know where to start, that's a good starting place. And we called it Tier Zero, and this again was created a few years ago, but we started there because most of the maturity modeling type of tools out there start with tier one, tier two, tier three, tier four. And those tiers can be a little much to consume if you're just trying to get yourself engaged with that type of hardening information. So that class went really well. We did another class that was, interestingly, fairly heavily attended. It was called Hacking Back. And once you've had someone attack your security system, for example, what rights do you have? Someone's taken your cameras and turned them into a botnet, for example, which means they've basically harnessed your devices to do other things, to broadcast other information from them, and perhaps even to deny you the service of the camera's video being recorded. So you've now lost the capability that you expected to deliver. And there have been no real court cases yet to decide when a consumer has the right. The law that we did discuss came about from basically a personal defense type of law.
And if you can imagine that you're being attacked physically by someone and then maybe you hit them and knock them down, and so now they're no longer attacking you. You have the right to defend yourself in that instance. But what you don't have the right to do is to go over and then start assaulting them, like kicking them or doing more damage than was necessary to defend yourself. And in the case of electronic security systems, electronic security equipment being attacked and used in that way for a botnet or for some type of a cyber crime, you also have the same right. And so you can go out, you can see where the attack vector perhaps is coming from, you can perhaps identify that. Maybe it's coming from someone who doesn't even know that they've been subverted and that their system's being used to attack you. And you can ask them to turn it off. If they don't turn it off, then we decided that you definitely have the right to go at that system yourself, and perhaps you can turn it off or shut it down beyond that. You know, you need to do this obviously with a lawyer involved at every step of the way so that you understand the legal engagement that you may be up against. Because ultimately you probably will end up in court trying to defend your actions. So they need to be documented in the type of legalese that, you know, represents your position in a way that the court would understand. But definitely, you know, you don't have to just sit there and be a victim. And there was a lot of interest in, you know, the potential for doing this. This is not the type of thing you do alone; it really takes a team of folks to help you do this. It's not the kind of thing you should do on your own. We definitely warned against it, you know: if you're going at hackers, they probably have a lot of skills at their ability and they're gonna see you coming. And remember that that is a two-way street, that communications are perhaps open in both directions.
So, you know, things could actually get worse for you. So, you know, this is not something you should do if you don't, you know, have the proper team or the proper resources, or you don't know how to go about, you know, going and looking at who's attacking you and then figuring out a way to stop them. We had another class on best practices. And there was a lot of discussion around this. The security industry itself is finally beginning to mature. We're starting to get some better products, products that can be hardened in accordance with what we would call standard IT type of measures. And, you know, previously what we had, the issue was really that the chipsets and the firmware in these devices have just really not been made very well. And so, you couldn't, for example, add a high level type of encrypted certificate to a device. It just really couldn't support running with that level of encryption on it, things like that. So, we're finally starting to get some products out there. There's a standard that Underwriters Laboratories came up with. It's called 2900, and we had a few manufacturers announce last week products that they have now run through that process. So, you know, if you're in the regulated industries or you're interested in making sure that the products that your provider is bringing to you have some third-party level of audited assurance associated with them, you could begin to ask for products that have been through the UL 2900 Underwriters Laboratories certification process. And I think that that's a pretty good start. Again, there's not a lot of product for that yet, but the fact that we had some product announcements and some folks finally going down that path means that the things that we're doing are going to get better in the future. So, we're going to go pay some bills and I'll be right back with more of Security Matters.

Welcome to Sister Power. I'm your host, Sharon Thomas Yarbrough.
Where we motivate, educate, empower and inspire all women. We are live here every other Thursday at 4 p.m. and we welcome you to join us here at Sister Power. Aloha and thank you.

Aloha, I'm Keli'i Akina and I'm here every other week on Mondays at 2 o'clock p.m. on Think Tech Hawaii's Hawaii Together. In Hawaii Together, we talk with some of the most fascinating people in the islands about working together, working together for a better economy, government, and society. So, I invite you into our conversation every other Monday at 2 p.m. on the Think Tech Hawaii Broadcast Network. Join us for Hawaii Together. I'm Keli'i Akina. Aloha.

Hey, welcome back to Think Tech Hawaii and thanks for joining us on Security Matters. I'm your host, Andrew Lanning, and in our first segment, we talked a little bit about the ISC show last week in Las Vegas. So, if you missed that first little bit, check it out. There's some best practices and maybe some Tier Zero advice you can get on things to ask your provider to make sure that you're getting the best you can get out of your security system and your security system provider. Going forward, for the rest of the show today, I want to start to get into the other topic that was really hot, and it comes out of what's called enterprise risk management. And there's been quite a bit of practice built around today what's called enterprise security risk management. And those practices, while we call them enterprise, are really best done by everyone. So, this is a small, medium-sized business practice. You can definitely take a bite of risk assessment and risk management. And I wanted to talk a little bit about the evolution of that thinking in 2018 anyway. Security really starts with risk assessment and risk management.
You've got to have a baseline understanding of where you're at and a baseline understanding of where you want to get to, so that you can understand the gap that's there and then, you know, figure out what type of resource it's going to take to address the risks that are most salient for your organization. A lot of times, people tend to jump on something that's right in their face that they worry about. We get calls like that all the time. You know, I had a break-in in my parking lot, or I found someone in my fire stairwell. And so, people, oftentimes for security, tend to just be reactive to what's occurred instead of planning for the long term. And so, security really begins with this risk management process. And it's about a third of the way through the year right now. We get a lot of the big boys in the consulting world who put out their findings about global risk studies. And these are relative to Hawaii. So, I wanted to talk a little bit about that. The World Economic Forum issued theirs in February. Microsoft in March put theirs out. There's other vendors, Verizon and Cisco, that put out more cybersecurity related reports. But some of the common trends in this data really are that the global economy is recovering. And this is something that they weren't really ready to go out and acknowledge; you know, these are the perceptions of, you know, the security managers and the C-suites of the world. And so, this really ought to fuel investment in risk assessment as well as recovery and business resilience. So, you know, when money's flowing well, when there's extra earnings, that's the time to plan for the future. And risk assessment should be a part of that, in risk management. Another thing that really moved itself up, and we'll talk a little bit about why, is environmental risks are growing in prominence. They were ranked higher in likelihood and impact than they had ever been in the past.
And recently, we just saw how in Hawaii we had some areas that were devastated in the state simply from heavy duty rainfall. And we've got a lot of vulnerabilities here that need to be addressed from a security perspective. You know, hurricane, tsunami, earthquake, tropical storms, flooding, volcanic eruption. So, you know, security risk management is a holistic practice. It's not just limited to the status of the doors or surveillance on a parking lot. Cybersecurity also was a risk that's growing in prevalence and potential. And I do advise you to tune in to Dave Stevens' show, Cyber Underground. It's another Think Tech Hawaii production that airs at one o'clock on Fridays, to keep up with what's going on with cybersecurity. But the thing that interested me about some of these findings is they basically called cybersecurity a war without rules. And for us, you know, these state-on-state type of attacks typically don't visit our world. But they are starting to look at attacking critical infrastructure. We've seen some examples of that already happening. And then what we get in the security industry, and something you should think about, are supply chain vulnerabilities associated with that. Could your vendor function if he doesn't have electricity at his facility? Or if he loses the bathrooms, or the communications, at his facility, for example? So state-on-state attacks attacking critical infrastructure could impact your vendor's ability to deliver to you. And so it could impact other pieces of your supply chain that you should give consideration to. The other thing that they talked about was youth unemployment. And I didn't realize it, because in Hawaii we're not really having an unemployment problem. We have the opposite problem, where there's not a large workforce to choose from. But in the rest of the world, or in many places in the world, there's as much as 30% youth unemployment.
And the problem, the concern I have with that, is that there's a very, very low barrier to entry into cyber crime for those unemployed folks. If they need to make money, it's absolutely free to get ransomware hosted, and the guys who host it for you will simply take a cut of whatever the earnings are. And so you can get into that business very inexpensively, and a lot of these unemployed kids are going to be doing that type of thing, which raises the specter of risk for all of us. So what do you want to do with risk management? You know, what is it? Really, we want to identify and estimate the probability and the impact of a given threat, right? And we want to look at all the threats. We really want to work to minimize our exposure to those threats. One of the things that came out is this really needs to be a team effort. It can't just be one person inside of an organization. And so I dug a little paper up on really what goes wrong inside those organizations that don't take care of this. And this is some work from Michele Wucker. It's on cognitive bias, which is a thing that happens in teams. And this is really about why people pay attention to certain risks and then ignore other risks. And the most pervasive form of cognitive bias is called availability bias. And, you know, this is where decision makers rely on evidence or examples that come immediately to mind. You know, top-of-mind type of stuff, because, you know, they're emotionally salient, they can feel it, because it's something that they're thinking about or something that just happened. You know, versus something that's really objectively likely to occur to them. And that objectivity is important not to lose when you're doing risk assessment. The example I really wanted to bring up was natural disasters. In 2017 the perception of risk in global studies went up substantially for natural disasters.
And if you think about it, in 2017 we had three major Atlantic hurricanes, and ten of the natural disasters that actually caused the most deaths in the first half of 2017 were from heavy rainfall. So that involved flooding or landslides associated with that rainfall. Storms and other weather-related hazards also were a leading cause of displacement. 31 million people had to move last year, as they were forced to leave their homes as a result of weather-related events. So that's a situation where decision makers may actually look at the things that have been occurring and try to put all the resources into something that's weather-related just because it's been happening recently. But perhaps their larger objective threat, or larger objective risk, is a little further out, or it could be from another area. So the next form of cognitive bias I just wanted to bring up is called hyperbolic discounting bias, and it sounds fancy, but this really is just where people put off long-term investments, or they delay difficult decisions in favor of handling short-term things because they're easy. And so we see this a lot in security budgeting, especially, not to pick on it, in the property management sector, where expensive security implementations, you know, that basically raise property safety and protect the security of the folks that live there, be they guests or residents or workers, those get put off in favor of other maintenance or property improvements, and those really don't impact safety or security. And that happens quite a bit in our industry. So that's the idea where they're looking short-term for something that maybe looks nice or something that can actually help, and that's a problem.
Another form of cognitive bias that Wucker talks about is called confirmation bias, and this is common in a lot of organizations, and you hear it discussed in other things other than risk management sectors, but this occurs when decision-making groups really have a lack of diversity of thought or opinion. So there's a strong fear of disrupting group consensus. I don't know if you've ever been a part of a group where the leader's really strong and he states his opinion really well, and then no one wants to speak up against it, and that's a real problem, because if you don't have a lot of thought into what the weaknesses or risks that a company is up against are, you're going to miss them. No one really has that broad enough vision, because they don't do all the tasks and perform all the day-to-day things that are happening inside of a company. So there's some advice that Wucker gave us on bias avoidance, and I think these make sense, especially with risk management. The first one is to make risk management an organic piece of operations, and by that I mean it should be as important as business as budgeting, as project management, as marketing, as sales. So risk management is that piece of fabric you just can't leave behind. And then you need to educate the teams in the various silos, or in the various departments in your company depending on how you're structured, on risk awareness, and then encourage their participation in that risk management process. People from every area of the business should come in and talk about the problems that they foresee, the things that worry them. Maybe their team is always working late, having to transit out into the parking lot late at night, and there's people out there at night that no one ever sees because they're not there during the day. So there's a lot of information that's held in the entire organization when you bring them together and work on risk management as a holistic practice.
And you really want to use the growing bodies of data that are available that can help drive effective action for your organization. But once you've taken action, the other piece that's really important, depending on what piece of the business is taking care of that, is you also want to make sure that you're tracking the outcomes and then maintaining the accountability among those stakeholders that are supposed to be performing, or supposed to be executing. Risk management is a big piece of the tool that is not something that you're going to have to template yourself. You don't have to figure out how to do this, and I'm going to be bringing in future episodes some of the standard tools. One of them that was just revised this year is from the ISO, the International Standards Organization. It's the 3100, and it's now 3100-2018. I think they've trimmed it down to about 16 pages. It's very succinct, and we'll probably spend an episode kind of going through how to implement the ISO 3100 in a small or medium-sized organization. The enterprise tends to have folks that are kind of working on these processes, but in the small and medium businesses that also need the same sort of help, they're oftentimes a little daunted. I bring up the 3100 because it's inexpensive. I think it's 80 or 90 bucks online, and it's a small packet of information to get your head wrapped around. So we talked a little bit about the things that were important at ISC West this week. We talked a little bit about risk management and how important that is, and gave you some advice on a document you could use to get started with. So I hope that helps you stay a little bit safer, because security matters. Thank you.