 I think Tech-Tech talks. How secure are you cyber-wise? We have Attila Suresh, he's the expert in that. He used to be with Cylind, but he changed his name. That's the first thing we need to talk about. Attila, tell us about your name change. Thanks, Jay. I appreciate that intro. Well, Cylind, it was a great name, but it doesn't really reflect what we do. We do focus on protecting the Pacific, the folks that inhabit these islands. SIPAC is a better name that exhibits what we do. It is fully trademarked and protected. That's also really important when it comes to names. We have a great new logo that's like that ocean wave. I'm not sure if you can see behind me. It just is an ongoing commitment to the local community protecting Hawaii's businesses from global threats. Jay, I appreciate the time and effort that you take into educating the community on all the things going on. I hope I can contribute from a cyber perspective. You used to be a host on our shows back in 1922. I remember it. You taught me all about Android phones, and I'm still committed to what you talked to me about what you told me. That was very important. I took your advice and it was right. By the way, deep, deep in cybersecurity, what a wonderful tagline. Can you explain what is that supposed to signify? One thing about the cyber industry itself is it's pretty mature. It's been around since the 50s. Think about all the secret stuff we've done in the government and everything that's been needed to protect it. That's been done through government contractors. It's been done through private companies. All the space program, everything that's led up to today has all had a need for cybersecurity. It's just now it's more top of mind than ever. Part of our tagline of deep cybersecurity means that we're focused on cybersecurity. A lot of other small IT shops are now starting to shift their focus to cybersecurity, and we've been doing it for quite a while, and that's been our main focus. The tagline really emphasizes our differentiation. This is cyber. This is all we do. This is our primary focus. If you want to work with a firm that specializes in cybersecurity, Cypax your choice. I'll tell you what it means to me. This is a deep subject. When you start looking at cybersecurity, there are levels and layers and levels going down to incomprehensible things for the ordinary person. Every time I get a guru to try to help me in programming, my God, it blows my mind how deep his knowledge is and how in my life I will never understand what that guy is doing while his fingers whizz over the keyboard. It's the same thing here. Deep cybersecurity means to me, it means cybersecurity that is not for the everyday person. It's for somebody who is a professional and it's complex and it's changing and you need somebody to help you follow it. That's what it means to me. It's an arms race, Jay. You're absolutely right. You do need a partner to walk you through the process. Someone who's constantly going to be on the lookout for the latest protection, the best tools and processes available to keep the business secure. Obviously, what worked five years ago doesn't work today. Five years from now, you're going to have to continue to evolve as these threat actors continue to evolve too. Finding a firm that is constantly on this cybersecurity train is priced right. That's where we are at. We hope that we can service the community with this new message and be of service. Good for you. Anyway, so they were on PBS Hawaii. Every time I turn on a tech show on PBS Hawaii, there you are. At first, I thought my television was broken because they were every time and you had done some kind of thing on PBS Hawaii. But no, it was just another show with you. And it was recent and I like to know what you discussed. Give us a post discussion of what came up in that conversation about cybersecurity on PBS. So this is a good topic because it applies to everyone at all times. It's kind of the foundations of having a good cybersecurity posture. And those foundations mean not just having a technological level of protection, but a behavioral level of protection. So in cyber, if you want to be protected, not only are you going to have to invest in the right technology, you're gonna have to invest in the right behaviors. Now I'll give you a perfect example. We've all seen those phishing emails lately, right? And I'm sure you've gotten a few more of them recently than you would have expected a year ago. Yes. Well, that's because in Hawaii, we are a target. Our geography makes us the gateway to Asia. And many folks here do business with the federal government. And they're not going to differentiate between your business and theirs. And if they are able to sneak their way or trick someone into clicking on an email that they shouldn't have, well, now they have access to potentially government secrets, government networks, etc. That's bad news. But they're just going to go with a blanket approach and try to break their way into anybody's network that they can, including yours. And, you know, that's really important to know how to identify emails, right? That's the behavioral component, how to identify if it's a spoofed website that's trying to harvest credentials, how to monitor the dark web and make sure that your password is not leaked out there. Because if it is and you're reusing passwords over and over again, that's a behavioral no-no, right? Use a password manager, they're very inexpensive, less than a cup of coffee or tea, whatever is your, your preferences. And something like that will make sure that your, your passwords are not reused over and over again. That's very important. And that there are complex. And if it all possible, turn on that two factor authentication. Now, there are some sophisticated methods that these bad guys are using to bypass some of these things. But you know what, do your due diligence, do your best effort, unique passwords every single site, turn on two factor authentication if you can. And be sure to use a password manager, because you can't keep all this stuff in your head. You just can't add a one or two or an exclamation mark to a password and call it unique. They're smarter than that. So that behavioral component is really important. The technological component is also really important. So let's talk about the technology that's used to protect your computer. There's something called antivirus and there's something called EDR. Antivirus is, is reactive. That means that something has to come into your computer, infect it, and then it's going to try to scrub it out. Well, I don't know about you, but that's kind of a tall order. These days, you want something that's a little bit more proactive. And so a many a great deal of products out there are now called EDRs, those are endpoint detection and response. And they operate a little bit differently. They sit on the computer and they look for anomalous behavior. So this means privilege escalation. Let's say a program is trying to scour the network, look for weaknesses. Well, it's going to detect that stuff and lock it down. That's what you want in a good EDR. So these kind of software deterrents are also super important. And probably lastly, we're going to talk about SIM and what a sock and a knock looks like. Now a SIM knock and sock, what those are is acronyms, but let's just call them security guards for your workspace. Think of your office space as a building, right? Well, your building, you probably have the basics, a lock and a key and maybe some cameras on the outside, but you have a security guard waiting out front. Well, that security guard is the knock in the sock team. And that's a live set of people that can be monitoring your network for any anomalous activities. And they'll let your IT department know. And if they find something, they might even be able to go in there and stop it in the middle of the night or on a long weekend before there's a major problem. So these are some of the basics and fundamentals that we kind of talk about on these shows. And much like a showering, you have to do it over and over again and make sure that you're up to date on the latest stuff. Because these things change and perhaps the software or the solutions or the behavior that you learned last year don't apply this here anymore. The bad guys have gotten smarter, so should you. Yeah, my wife keeps reminding me about the showering thing. I think that's absolutely right. There is a good metaphor there. But you know, something you said is worth pursuing. And that is this. Remember Stuxnet in Iran, where a combination of programmers from Israel and in the US intelligence community, you know, put a put a virus in the nuclear, nuclear, you know, atomic development equipment in Iran. And they caused the the Siemens controllers that were being used to go to spinning too fast. And thus it blew itself up. It was it was very creative. But what's interesting is how the Stuxnet virus got into the Siemens controllers. So what they did, apparently, and this is, you know, right on point of what you were talking about, they just put it out there into the world. It was a virus. And, you know, it didn't have much effect on most people. It just traveled around like a virus would do. And when it hit the Siemens controllers in Iran, it was smart enough to know, this is a Siemens controller in Tehran, Iran. And my job is to blow it up. And that's exactly what happened. Well, this, this virus was traveling worldwide, knocking at every door. But the door that it was intended to open was only in the nuclear development, you know, facility in Iran. And when you talk about, you know, the fishing and all that, sure, these things are going to knock at your door. Most people know, know well enough when when it's bony, but a lot of people don't. And so it gets by you. It's the same kind of thing. It goes everywhere. And you, you know, you may or may not know, but if you do some things, it's going to get you. And I think that's the new method. It's that we learned a lot by watching Stuxnet and how they delivered the virus. And it sounds like it's a similar process in the case of fishing. So how do I know? Give me an example of something that appears some dangerous program or email that appears on my screen, which looks innocent, but which is not innocent. And if I pressed the wrong thing, I'm going to be sorry. You're right about this. Now, what you're describing here is called an ICS industrial control system attack. And remember colonial pipeline last year? That's exactly what it was. They were able to shut down an entire, you know, oil, the oil delivery system. So that fuel delivery system was the largest on the east coast. And since then they broke into Florida and they changed a water treatment plant. And all they had to do was adjust the levels of the lie from like one in 100,000 to like one in 10. And that level of adjustment meant that the water that would have been coming out of that water treatment facility would have burned your skin on impact. And imagine if it would have gotten into the water system, luckily, there was someone there physically watching the gauges and the dials and they saw the levels go up and they shut it down. So we were very fortunate there. Since then there's been attacks on other water treatment facilities that have been successful utility companies not necessarily here in the United States, but in Canada and abroad for sure. And what kind of the takeaway is is understanding that fishing is just one piece of the puzzle. So let's lay out a situation like what you asked for is how would this happen inside of, let's say a power company, right? So let's pretend that a ABC power company is very proud of their infrastructure. So on their website, they post pictures showing, look at all of our wonderful generators and all this equipment that we've invested in to provide you power in your town. Wonderful. And another part of the website, they put jobs. That's interesting. What kind of jobs do we need a specialty for? And in those job descriptions, they will label that you need experience with this particular type of equipment. Wasn't that interesting? Now, what have you just given a bad guy? You've given them pictures of your equipment and a job description indicating specialty that's needed in servicing this type of equipment. So they have a pretty good idea in terms of what kind of equipment is needed to infiltrate. All they have to do is apply to the job, post a Word document, and in that Word document put in a macro that puts in a malicious backdoor. Someone in HR probably has a little bit elevated privileges because they have some decision making capability at that company. They click on the Word document, and the macro is downloaded, perhaps because maybe they're using an old version of Microsoft Word, like Microsoft Word 2013, something that's almost 10 years old that shouldn't be used anymore as considered end of life by Microsoft, right? So they open up that Word document, gets inside their computer. Now that computer is accessible at the bad guy's luxury to go in there and scan the network and install malicious tools, find out ways to get inside of that industrial control system equipment, and they can be in there for months, years, and if they get nowhere, at the very least what they can do is deploy ransomware and then request some money. And that's often what they do as a last resort. So there's a lot of hype behind ransomware, because it's really obvious your computer is being held, held hostage. There is a countdown timer on the screen and it's very dramatic. But truth be told, that's the last step and the last resort in a bad guy's operation. They're going to sit there and want to monitor and sell access to the network, exfiltrate data, otherwise known as siphoning the data out of the network, looking for anything important. And if they can, taking that data and selling it on the dark web for a profit, and if all that fails and they have nothing else better left to do, then they'll lock down the computers and ask for a ransom. You know, until I was going to ask you why, you know, it sounds like you've got to be a state after to have these kinds of resources and sophisticated programs. I was going to ask you, why don't they just do it all the time? Why don't they bring down power plants and the like everywhere just to flex their muscle? But I think part of my answer, based on what you just said is they are doing it all the time. They just they choose their moment for doing the destructive part of it. What they're doing is they're building their database, they're building their information about the power plant so that when it comes time to really do a job on the power plant, they have all the information they need to blow that power plant up. But you know, it seems to me that if they can, they will and they are. They are doing that. It's a war, if you will, a cyber war. I know people don't use that term so much anymore. But in fact, it's a war where nation states and I'm I'm not including maybe I should include, but I'm not including the US because I think that you know, we're not we're not evil. But the evil guys like may I save Vladimir Putin and Xi Jinping for that matter? You know, they are looking at our stuff with a view toward doing something dastardly in the future and when they do it and how broad their attack is is really a strategical decision that they may may not they may not make that right away. What do you think about that? Well, I can refer to last years. So each year the Internet Crime Center, that's FBI's IC three, they release an annual report that says, Hey, who's reported what to the FBI? What has been the damages so that it's a data gathering and reporting thing that comes out each year. And in this last report, very interesting, they mentioned that over 60 percent of all of their open cases were related to China. Now, that does leave another 40 percent for who knows what else, but China does seem to be the big player in this space. That being said, the largest crypto heist of about 650 million dollars occurred earlier this year. And with that one, that was attributed to North Korea. So there's different motives for different countries. There's nation state issues as well. And when it comes to nation state, this is kind of interesting from a from a insurance perspective. So earlier this year, back in February, it was found that if a if a bad actor is able to get inside of your network and then let's say that bad actor is tied in some way to a nation state that's considered an act of war. And at that point, your cyber insurance policy will not pay for anything because they've tied it back to a nation state. Now, it's very difficult to prove that they're not a nation state, particularly because nation state actors don't often you know, align themselves with the nation state or the nation state itself will subcontract this workout. So this kind of blanket, you know, problem that we're looking at here is that many folks who think that they are protected by their insurance may not be because of this small change in the legal legal environment. That's very troubling. What about this this affair? This is so bizarre. The affair between Albania and Iran again. They're having a little spat. Are they not? Can you tell the people what's going on? Now, this is interesting. So like like you said, there was a little bit of a spat between the two. But then what Iran did was they were able to successfully shut down the equipment that protects the border between the two countries. So Albanian borders were their entire systems were locked down. And they worked with the FBI and Microsoft to, you know, before coming out with such a such an accusation. So I guess there are third parties involved that corroborate what they have said. But this is a prime example of there's no longer kinetic warfare. It's all done in cyberspace. Well, that's that was clear in the Ukrainian invasion, where Putin, you know, would soften up his targets by knocking off their power plant or communication, their supply lines using, you know, using hacking from inside Russia. What's interesting is that the Ukrainian did the same thing back to him. So that's another kind of bat war, if you will. And it suggests that, you know, going forward, we're going to see more of that. But but we know, I mean, it's really terrible when you do that, because the target, the victim, is not necessarily the other nation state. It's the people who go hungry, who don't have power or water or light. But let me let me ask you this, though. You know, from what you said, it's very clear to me that the big multinational software companies that take Microsoft, for example, certainly Google, right? They're multinational in the fullest sense of the word. And they understand, you know, so much about where these attacks are coming from and how they're being done and how they're traveling, you know, for delivery and all that. And they're they're global. And they have global connections. So it seems to me that as you and I speak every now and then, probably these multinational software companies have a better advantage. They have more outreach, more leverage, more connection, more technology. And they can spot what's happening. They can spot the nation states, even the individuals who are involved in the hacking and the cyber war. Am I right about that? Is there a trend, a direction where these huge software companies are better situated to deal with things? Well, they have to be better situated because they're also a bigger target. Think about Microsoft. That's as big a target as you're going to get. But the other targets are are just as important. So think about those that are contractors for utility companies such as wine electric, right? They now are subject to ISO compliance requirements. That means that if you want to do business with a utility company, you have to have certain safeguards in place. Same thing if you're working with any DoD contractors, either as a prime or a sub, that kind of thing behooves you. And you know, some interesting things we're starting to see in the past few months since we started off talking about email, you know, with that when it comes to email, emails are often not set up correctly, the domain names. And so this is called DMARC and DKIM. And if they're not set up correctly, you can essentially impersonate anyone you want from that company. And this goes to effects banks, to small engineering firms, to any particular business. A good website to check that out is going to MxToolbox.com. That's Mx, so short for Mail Exchange. And MxToolbox.com will tell you if your DMARC and DKIM are set up, is it a little green check or a red check? If you don't have it set up correctly, anyone can impersonate someone at your company. And then they can go inside and start stealing funds. We've seen everything from the smallest of about $30,000 stolen by email impersonation to upwards of $250,000. So it just depends on the scale. We're not seeing this just in engineering and contracting, but we're seeing this in attorneys. So attorneys are being impersonated, AOAOs. As you know, this is a fairly old problem with contractors and high rise buildings. So it is affecting all industries and even we even saw this at a florist shop actually. So can you believe that? So it happens to anyone and all it does, all you need is a little bit of assistance and guidance to get things set up and configure correctly some good behaviors. And you can mitigate a lot of these problems. You know, we all talk about what is good health? Well, good health is diet and exercise, good cyber hygiene, as good behaviors and good technology. Well, your story reminds me of Stevie Wonder. Remember how these guys impersonated Stevie Wonder out of Florida before he was supposed to come here and, you know, and do a concert? And they impersonated him and said why don't you send the money? This is to the university. Why don't you send the money to this address? They impersonated Stevie Wonder. And the university didn't realize what was going on. And it sent the money. And the money was never recovered. That's it. Impersonating is can be a very powerful, elegant way to steal from people, you know. But the other thing I want to ask you is that, you know, recently there was an article about some guy had certain physical characteristics, call it genetic characteristics. And, you know, in the past, you would have to have his DNA of record with, you know, one of those DNA companies. But now in this one case, they were able to take his visible genetic characteristics and look at his DNA from the basis of the characteristics and find him. It was really a great detective story. Even without him being on, you know, one of those DNA organizations, you know, you sign up, give him your DNA. They didn't have his DNA, but they had his family DNA. And they could use the characteristics to zero in their DNA. So it seems to me that we're using artificial intelligence. It seems to me that if you have the characteristics of the nation state or the organization that is hacking or doing, you know, undermining, you know, or fishing or doing stuff that steals money from you or lurks on your system. And if you have these characteristics, you might be able to use AI to put those characteristics together and figure out who this is. And thus, therefore, hopefully, through the international justice system, the system as it as it exists, certainly not perfect, but as it exists, prosecute these people. It seems to me that some of these big, you know, AI type organizations in the world could do that and find out who it is and prosecute them. What do you think? That's a that's a difficult topic. So I know with some of these genealogy services, like Ancestry and 23andMe, they have vowed not to use this data for law enforcement. So it's a tracked down criminals. It's considered, should I say they considered an invasion of privacy. And yet we've seen some recent arrests that do suggest that this data is being used to track down criminals. So it's kind of a touchy subject. I'm not sure if this is a way we want to go as a society, but it may be inevitable that the future is a lot like Attica, where everyone's, you know, genetic information is an essentialized database. And that is used to police everyone and everything in our society. Yeah, it could be that, you know, the characteristics of a given, a given hacker, not genetic, but sort of when I go electronically genetic, I mean, all the characteristics, and then you match up, and you find out who this is the MO of some guy in Albania, for example. You know, maybe that's coming. But there's one last thing I want to ask you about and that is the guy outside in the car. And he's he's on your wireless somehow. And he's watching your keystrokes inside your house. And he's getting your passwords. God knows what he's getting. He's getting all the keystrokes. He's getting what is on your screen. And he's sitting outside in his car looking like he's smoking a cigarette. Is this happening? How easy or hard is it for that guy to get into your machine and get all your family jewels by never actually coming into your house, never actually connecting with your machine? Yeah, I would say that probably what you're referring to is technology that's been 20 years old. Now it's done through drones. It's done over the internet. And there's nobody sitting out there to point the finger at that. That's somebody that's that's watching it. It's in a far off land, a far off country, perhaps without any extradition. And they're able to do this on a large scale. Like you said, with AI and and they're able to take that data and monetize it. So not only are they interested in what you're doing, but if they can sell access to what you're doing. And, you know, and here's the best part, Jay. So a lot of times they can just impersonate someone who's doing this. So it's not even so much that they have to say, oh, I'm inside your computer. I'm going to I'm going to watch what you're doing. They can say like, oh, yeah, we have access to your computer. We're watching you on your webcam. We know what you've been doing. Pay us money. These are called extortion schemes. And we see a lot of that also because think about it. Why bother going through all the technical and hardship of being able to break inside of a system when you can just fool someone into believing that you have. Oh, that's terrifying. Boy, I mean, the average guy gets a message like that. He's whoa, he's going to be terrified. And he's going to say, gee, I saw Attila arrest talking about that on ThinkTek or on PBS. It's a real risk. And I better do something about it. So suppose you get a message like that. What do you do, Attila? What is your step here? I know it's better to prepare in advance. I know it's better to be safe, train your people, you know, be smart. I got my about everything. But suppose you get that kind of message. What do you do? Delete it. Use your common sense. A lot of times the folks we deal with they kind of forget they're distracted, right? The phone's ringing, the phone, the other phone is buzzing, you know, there are people are coming in and out of their office. And, you know, being present and using common sense solves a lot of problems. You'd be surprised looking at an email and saying like, look, you know, we have a good cyber security firm protecting our systems. Why am I getting these stupid emails? Clearly it's a scam delete or forward it off to your IT department for a review. Double checking to make sure that everything is set up correctly on your domains to make sure no one's impersonating you inside of your company. Also super important. Some basic cyber hygiene can save you so much time and energy, especially today. I mean, if you start on this stuff now it's going to take months before everything fully kicks in. So getting started on this now, looking at basic cyber hygiene best practices and putting inside a small budget that's not going to, you know, break the bank many small businesses we work with. They haven't invested in this stuff yet. But the consequence of not doing so is so great that it makes more sense to invest a small amount now to prevent a bigger problem later. So every time we talk, we, you know, we have connected the dots over what 10 years at least. And every time we talk it sounds like it's worse. It sounds like it's riskier. It sounds like the bad guys are out there in greater numbers with greater resources. Am I right about that? What's what's the direction on this? Is the government going to get really smart step in? Are our organizations like yours going to get, you know, more leverage and step in to protect or to, you know, prosecute whatever the case may be? Where are we going on this? Or is the world all going to be stuck in a cyber security cyber war that just never ends with that little budget gets bigger? That's funny. In some of my videos, I have like an alter ego character that says, Hey, I'm here from the future. And in the future, we've abandoned all technology because everything just got hacked so bad, we couldn't keep up with the hackers. Yes, and he, he comes back in time with this time crystal. That's my little time crystal here. So that's his little time travel device. But you know, so that that is one direction, right, is that we're all headed towards, you know, an agricultural society where we don't use technology or the hope is that we can invent our ways and keep up with the problems because the benefits of using technology far outweigh the problems. I mean, imagine if we didn't have, you know, webcams, webcam technology, how would we have done through the pandemic? We wouldn't even be doing this interview, right? If we didn't have camcorders, then we wouldn't have the battery technology that is going to power our transportation industry in the next 20 years. So there's there's lots of technology that's coming down and the advantages far outweigh the risks. But it's just like everything else, you know, we when, when the I was listening to a podcast where they talked about the history of automobiles and how there was this real big push to, to get those automobiles off the road because they were dangerous. But over time, we figured out things, we figured out how to make better roads so the automobiles will be safe. We figured out how to make seatbelts and safety things like airbags and, and standardizing our roads and putting in turn signals, these kind of technological advancements allowed us to use the automobile safely because at first, it was really dangerous, right? So think about that in the same way about how we're looking at cyber. Right now, there's a there's a big problem with cyber because we're in this transitional time where we are now fully online. I think COVID has kind of pushed us in that direction. We now have a truly flat workplace where anyone can work from anywhere and service clients 90% of the time, right? So for that kind of environment is going to have to be some safeguards put in place. We're going to have to have better roads, airbags, seatbelts, that kind of thing. And that's where the good technology comes in and the innovation comes in. So let's not get too worried about, you know, the world coming to an end because of cyber. It is true, it is getting worse every year, but it's because we're using technology more and more every year or two. And the future is bright. I don't want you to think that it's too dark. But, you know, when it comes right down to it, if you, if you're stuck, talk to a cyber pro, perhaps someone who's deep into cyber security. Yeah, well, the other implication of the word deep is it's therapeutic. In other words, it's, I come to you and I say, oh, these terrible things have happened to me and my company. And you say to me now, now, Jay, let me see if I can help you to deal with the PTSD that comes out of an attack on, on your computer system. It's about relationships. So Attila, let's look at your website one more time, though we can see your new name. There it is. Our cybersecurity solutions are the best in Hawaii. Cypac.com. Attila's arrest. Thank you so much for sharing your ideas, your manao and your perspective about these important and threatening issues. Aloha. Thank you so much for watching Think Tech Hawaii. If you like what we do, please like us and click the subscribe button on YouTube and the follow button on Vimeo. You can also follow us on Facebook, Instagram, Twitter and LinkedIn and donate to us at thinktechhawaii.com. Mahalo.