Bingo, we're back here in his Friday 11 o'clock rock, and we have a very special guest. It's Terry Yanni. He is an account manager at Cisco Systems, a security account manager there. Welcome to our show, Terry.

Thank you.

You know, I was coming in just now, listening to NPR as I do, and there was this really interesting story on Science Friday, of course one of our favorite shows. Two guys, one on either side of the issue of whether we should go computer, around the country, on voting, because voting is a big topic this year, bigger maybe than before. And it's interesting that one of them was pushing, let's go more computer, and the other was pushing, let's go more paper, forget the computer. And it all turned on the question of cybersecurity, because the great risk was, I won't tell you how the debate came out, the great risk is that somebody is going to crack the code, crack the system, and elect our president for us from afar, from some state-sponsored effort in another country. I mean, I wouldn't mention names, but how about China? How about Russia? How about North Korea determines our next president? And so people are worried about that. It's all because they have a great fear of hacking. Is that a legitimate fear?

It should be a legitimate fear. This should always be a legitimate fear. Having consideration for the potential threat actors out there, understanding who your adversaries may be, understanding why they would have political gain, are all things that we should consider when we build a solid security program. Now, should that stop us from going to an electronic voting system? It's progress. I don't know that we can stop progress, but we definitely should be considering security from the foundation moving forward.

Now, I'll tell you what they came to, and they actually agreed on this.

Yeah, oh, really?
You can use as much computer as you want, as long as you retain a paper copy of the vote itself. Because then you can always have a recount if somebody is concerned.

Yeah, but I would imagine that that might double the amount of work you have to do and mitigate some of the benefits of using an electronic voting system, in which case I'd say maybe you stick with the paper.

You're going to do them both.

But yeah, it's an interesting concept. And actually, it's funny, because we're doing that with electronic medical records. So think of a doctor's office and all the files and folders in the shelving behind them. We're moving that stuff online, and that way doctors have it at their fingertips. They can walk around and care for patients with medical records and history at their fingertips. You can move it: you change your doctor, your medical records are there, they move to the next doctor, and they're able to access those files. But that is all personal and private information. It needs to be secured.

Well, you know, I was going to ask you, make me a neophyte. It won't be hard. I say, can't you guys, and I don't mean you personally, but can't you guys, the community that builds these defense systems, figure out a way to make it bulletproof? Why can't you do that? Why don't you make an algorithm? I mean, Apple kind of did it, and that got very public. Although I think they got some Israeli guy to craft the code anyway. But why can't we make a perfect system?

Wow, that's a really great question. So everything we do, everything that we build, has flaws, period. The perfect system doesn't exist, right? One of the reasons we have these vulnerabilities is all the folks who write the code for the next generation of software that gives greater capabilities, even greater and greater capabilities. They're focused on the goal of, hey, we want to create these capabilities.
And a lot of times there are defects and bugs in that software, and that's where the bad guys come in. They're able to locate those, find those, take advantage of those, and exploit the great capabilities that you would like to have. We do try, and I think the spotlight has definitely moved onto security and building that into the process of building your capabilities, so that now you can at least have some modicum of a systematic and programmatic approach to building a secure platform for those capabilities. At the end of the day, it's a lofty goal, but it's impractical, probably impossible, close to impossible, to have a perfect system, and your best bet is to build a program around it to make it as secure as possible.

Let me come at it from another way. Why can't we make the internet non-anonymous, a non-anonymous internet, so that if you're on there, we know who you are, and you're verified all the time in many ways, and we know it's you, Terry. So if something happens on your number or account, we know it's you, and we come for you.

So I guess, just playing devil's advocate, what if I hijacked your identity? So let's say...

I'll be mad.

Yeah, exactly. So that's exactly what the threat actors do. They can hijack somebody else's identity. We talk about identity theft, we talk about stolen credentials or lost credentials; weak passwords are a great example. If you have a weak password, somebody can take over your account, take over your identity, and then how do we know it's you, right? There's no non-repudiation there. It could be you, but if you start misbehaving, the way we would come at that is potentially to track your behavior. Understand, hey, really, would Jay be doing these things?
Does it make sense that he's going to check his bank account 14 times and start moving money to three other accounts?

Yeah, exactly. Is that something he does on a regular basis?

Right.

So there are different ways that we have to begin to look at things like behavior.

I was going to also ask you, given the flaws and imperfections, bugs in what we hope to be our security software, you read every day, we can make a list of all the big companies that have gotten hit and they've sort of turned their pockets out with every piece of information you can think of.

Every day.

And, you know, I don't care personally if my medical records are compromised. If somebody really cares about my health, let them go with God, they can have it.

Yeah, it's okay.

Yeah. But my social security number, my credit card information, I'm a little more concerned about that, although I can shut it down. I can shut it down. It's not the end of the world. Even a complete identity theft, I can recover. The problem, though, is that I've been led to believe that people have really compromised us all, everyone's records, at one time or another, at one company we do business with, one way or another. It's all been compromised. Is it true?

You know, I can't verify whether it's true, but I would venture to say it's highly likely. In the business that I'm in, we typically look at customers, customers being some of the large corporations that you're speaking of, and it's really a matter of what visibility capabilities they have. Have they seen it? We operate from the stance that you are going to be compromised. It's not a question of if, it's a question of when, and do you have a program in place to deal with that compromise? How are you going to address it when it does happen?
And if you start with that approach, you will likely be better prepared than if you assume that you can stop everything at the front door and have it never happen.

So it's damage control.

It is. It is. We assume it's going to happen. It has happened now. What do you do? So the key metrics that really drive the security industry are time to detection, how quickly can we detect a breach; time to containment, how quickly can we contain that breach; and time to remediation, how quickly can we eradicate that from our environment? And the longer it takes you to do that, the bigger the dollar signs for a recovery.

Yeah, and the world is lost, you know?

Yeah, exactly.

So I remember, wherever I saw it, that sometimes these invasions, intrusions, go on for years. And the guy doing it has open field season, like for years. He can take it at his convenience and enjoy himself, and you don't know about it.

We call it dwell time. So once a threat actor has compromised or breached your environment, typically what they'll do is they'll go lateral. They'll look for places they can hide, grab other credentials, expose more systems, begin to own those systems, but they cover their footsteps. And the longer they can play dwell time in your network, in your environment, the more damage can be done. And they can save it for another day. They can save it for a rainy day. Let's say they've got their hooks in and lie dormant. They're waiting to use your network for some ill will or to do something evil, so to speak.

Yeah, I want to talk about that. But then the question is when. So you make the assumption that somebody is probably dwelling on your system, because that's what they do. That's their nature.

Especially if you have information of interest to them.

Yeah.
So the question is, if you could just conceptually tell me how I can check to see whether somebody is dwelling.

Yeah. Well, that's a very complex question.

If you can't tell me, just say I can't tell you, that's classified information.

No, it's absolutely not classified information. It's a best practice approach. It really is. And one of the things you want to do is understand your adversary, understand how important and critical visibility is, put visibility-related tools in critical points in your network, whether it be choke points, whether it be tools on the endpoint to look for malware. You're really orchestrating a program to create that visibility. But you also have to extend your program into what happens during an attack. How will you respond? How will you contain? And then the most important part at the end: how do you remediate?

So, but in terms of finding out that he's there, conceptually, how do you do that? He's found an angle. He's found some way in and he's looting my treasure chest. Conceptually, how do you know he's there, and he's covering his tracks? He's a smart guy covering his tracks. With all of that, how do you identify that somebody's in there playing?

So let's start with the best practices approach. The first thing you want to do is shrink your attack surface. You want to have the least amount of exposure possible. So you're going to close all of the things that are not important or non-essential. You're going to block that stuff right away.

Sure. Yeah.

So that's basic. So perimeter defense, firewalls, things like that will stop anything that you're not using. Just don't take any connections from those areas. We have tools that work in the cloud for DNS, which is the domain name service.
So it'll just say, hey, if I'm making a call to any of these domain names, and they're registered to a malicious site which could download malware, just block it, just stop that, shrink the attack surface. So once you've tightened up, kind of battened down the hatches, you're going to want tools that look internal to your network, that have the capability to look for things like malware, whether it be a signature-based thing that says, hey, we know about this malware already, it's been out there for years, if I see something that matches that pattern, I want to block it. Then you want forward-thinking things that say, hey, I understand on a real-time basis what we're running in the network, I understand what these threats are. Do they match up? Are we vulnerable? And I want a report to pop up in my security operations center, and I want to understand, hey, we're vulnerable to that. We need to be watching this. And we need to fix it. We need to patch it and whatnot.

What I get from this, though, the implication is it's a moving target.

Oh, everything is changing.

So, for example, if I'm coming in on port 6SJ7, for a day or two, whatever, however long, I know that somebody will be looking for me and trying to figure out if I'm coming in through that port, and I switch my port, I go to another port. So I'm kind of tricking you by moving around. On the other hand, you know that I'm going to try to do that. So you're moving around too, watching me and seeing what other ports I might be using. So it's all time sensitive, right?

Well, yes, that's part of the equation. And part of it is also, think about if I'm a bad guy. The way I'm probably going to get into your network is I'm probably going to do a lot of research. I'm going to probably try and steal credentials of somebody who works for your company. I'm going to understand who your business partners are.
And I'm going to start coming from people who you legitimately use as a business partner. So I'll come from, let's just say, a third party that you work with. Maybe it's a recruiter, for example. And I don't want to name a recruiter, but let's call it People Power. And this is a fictitious company, People Power. And I work with you on a regular basis to help you recruit candidates for open positions. So I'm going to send you a file and say, hey, here's a file regarding these candidates that you're looking at. And I may even know as much as the actual candidates' names. And I'm going to send you that file and you're going to look at that in your email. Oh yeah, I'm working on this case. I know these candidates. Let me open the file. And if you have not patched your systems, I might have put malware in that file. I may have just compromised your email server. Your email server typically has access to an Active Directory credential server, which has the credentials for everyone in the company. And I may have an opportunity to compromise that server and gain access to who knows what at that point. So as a bad guy, I'm thinking about all the different angles that I can use to make you just go through the daily motions and say, oh yeah, I'm working with this, I know this partner, open the file.

It's so interesting. This is like the dichotomy with paper voting versus internet voting. You know, hacking and doing all these bad deeds is not just technological; it's social engineering too. And it goes back to when ThinkTech first started to examine this 10 years ago. We found that a lot of people could hack in without any technology at all. Just social engineer, just lie to people and get their passwords and find a way. So it's really a combination of that and the technology.
And so ThinkTech itself is a combination of having this discussion with you and going on a break, which is what we're going to do now.

Excellent.

Hello, how are you doing? Welcome to you by to talk. I'm here at Gordo the Texar on ThinkTech Hawaii. And I'm here with my good old buddy, Andrew, the security guy. Hey, everybody, how are you doing? Aloha, good to have Andrew here in the house. Please join us every Friday from one to one-thirty and follow us on YouTube, and remember, as we say at the end of every show... How are you doing? Aloha, my name is Danelia, D-A-N-E-L-I-A, and I'm the other half of the duo, John Newman. We are the co-hosts of Keys to Success, which is live on the ThinkTech live streaming network, a weekly series on Thursdays at 11 a.m. Aloha, Aloha. Hi, my name is Aaron Wills. You are watching ThinkTechHawaii.com. I am the host of the show Rehabilitation, coming soon. You can catch us live on ThinkTechHawaii.com at 11 a.m. on Tuesdays. I will see you there.

I bet you thought we'd never come back. You probably couldn't wait for us to come back. This is Terry Yanni, Cisco Systems security account manager. How often is it that you get to talk to a guy like Terry? So happy to have you. OK, so let's move on a little bit and talk about a concern that I have, and I think most people have, which is, OK, so they got maybe my medical records. They probably got my social security number. They probably got my credit card. Who knows what they got? I mean, even the clumsy things you see in the email, where they try to suck you in. But it's much worse than that, because they go to my provider and get his records. And before you know it, they got everybody's records.

Yep.

And what you mentioned before is really a little scary, and that is they don't use them right away. They use them later. There's a time lapse thing. What do they do it for?
How concerned should I be that in a year or two or five this is going to come back to haunt me? How can they hurt me?

Yeah, so let's actually take it one step up and understand what the motivation is here. And I think that'll help you understand. So they could use them immediately. They could lie dormant. It just depends on what their motivation is. So think about the different types of threat actors you have out there. We were talking about this a little bit in the break. There are hacktivists. They're out there to kind of do their cause, do their bidding, show the world. They could be 16-year-old kids in Lower Slobovia, or could be an organization that just wants to show the world that they have a cause and they want to make their cause known. They're less monetarily driven. But then there's organized crime, which is a multi-billion-dollar business just on hacking, just on hacking. People who write malicious code actually come to work at a desk and have health insurance. They will shrink-wrap the software that they use and sell it with support. So for example, the Zeus malware, you could actually purchase that with different tiers of support.

You know, it's true. I mean, last time we covered the subject, I went on the web and I looked up hacking software.

Yeah, you can buy it. You can buy it. In fact, some of it is open source.

Yeah, you find all these, and they're popular and all very effective, you know, does what you want. You can crack anybody in no time at all.

Yep.

Why don't we stop them from doing that?

Well, we do. Every day we're working towards stopping things like this from happening. One of the most popular attacks today is crypto ransomware. That's something where they'll encrypt your files and then demand that you pay a ransom to access your files again.

Yeah.

And it's actually been publicly predominant in health care right now.
There have been a couple of articles lately about how they've locked up patient information and demanded ransom in Bitcoin, no less.

Right. So in online currency, in Bitcoin. OK, the other categories now.

Yes, the other category I would end with, and this is something I think ties back to our voting or election conversation, is nation states. So nation states can try to perpetrate something like maybe election fraud. That is a very real possibility.

Huge, so huge. In any country, the credibility of the election, public confidence in the election, the whole government is at risk.

Yeah. I know that in the news, probably six to eight months ago, our government was hacked and there were folks with top secret credentials that were exposed. That's probably not a list you want floating around out there.

Yeah. So I remember one time I came from China, you know, and the government said we've been hacked, and we're not sure it was the People's Liberation Army, but we know it came from a building which the People's Liberation Army occupies.

Yeah, OK, I can connect those thoughts.

Yeah. But, you know, if I'm the government of China, for example, and I do this for whimsy or for strategic purposes or just to be nasty internationally, which they sometimes do, then I put a lot of money into this and I get some very smart guys and they do it from that building. Yeah, I think they're doing it now, today. You think they're doing it right now?

Yes, they are. Absolutely. Absolutely. And keep in mind it's not just what you would consider your adversaries. It's also your allies. Right. So that makes it very complicated. So your allies are probably spying on you to get a little leg up on what your intents are. And we're, I'm sure, not that I would confirm or deny, we're I'm sure doing our fair share in return. You know, the information's out there. And if you're not in that game, you're behind. Right.
So that's one of those things where you just need to have a reasonable expectation that this stuff is going on. And then turning that to your personal side, to yourself: your expectation of privacy, there's no reasonable expectation of privacy. There's no way you can go... Walden Pond is over. If you want to connect to the internet, you should have a reasonable expectation that your information is public.

Yeah, you know, but American innovation does count for something, I think. And even if I give China tons of information, even if they get through all the barriers, even if North Korea can find out everything at Sony. I mean, there are two things. One is North Korea actually did damage, right?

Yeah, it's not just turning out the pockets of Sony; they damaged Sony's ability to operate. That's hundreds of millions of dollars as well.

Yeah, the average breach, I think, is up around four million. And we're talking about just your run-of-the-mill breach. Target, for example, I think they're estimated now at two hundred and fifty million dollars' worth of damage to the brand, to the lost revenue, to the disruption to the workflow. It just goes on and on and on.

Yeah, but then you go further, and there was a thing on 60 Minutes, with Bernd Holand in my head, about a bunch of guys in a utility company somewhere, I think it was in Texas. They wanted to get a sophisticated board made. So they made it in China.

Yeah.

And it came back from China and it was just exactly per the specs, except there was a little piggyback chip there that was not in the specs. And they never did find out exactly what that piggyback chip did, but it was not in the specs. And it had to be a spy chip. So that could have brought the whole utility down, theoretically.

Yeah, I'm always shocked and amazed at our critical infrastructure. There's a lot of regulation around our critical infrastructure to protect it.
But, you know, we're always one step behind the bad guys. This is a rapidly evolving threat landscape, and we're generally one step behind. So going back to a theme we expressed in the beginning of the show, a programmatic approach where you can plug in the latest technology, but you have a program to understand stopping what you can up front, shrinking the attack surface. That's always a good best practice. Understanding how we can quickly detect this, quickly contain it and quickly remediate. That's a best practice. So if we can architect our security posture, if you will, around these best practice principles, we stand a chance.

You know, to go a step further on the physical end of damage and all that, and the pernicious nation-state kind of attack. It seems to me the view is generally held that they could do more if they wanted to. They have the ability to actually bring the systems down. For example, if you closed the internet down because of some attack in this country, or a substantial part of it, it's going to stop the whole country. It's going to stop the whole economy. It's going to break our back in minutes. And that could happen, but it doesn't happen because the stakes are too high.

Well, I would even debate whether it would be possible to stop the internet at this point.

Because of the alternative paths and all that.

Yeah. We built redundancy into all the systems. I think this is a living, breathing animal that continues to grow. And we work with what we've got, and, harping on that programmatic approach, you've got to understand what you're dealing with. You've got to work within those confines or maybe just outside of those confines.

Well, that's of some relief to know. This goes right in the middle of that, right?

Absolutely.

With switches and everything.

Right now in security, it's one of the number one priorities.
And it's good to see. It's very good to see. One of the reasons, and I'll talk a little bit about why I think it's such a sweet spot, is that as we move to the Internet of Things, all of the things that are coming on, and the Internet of Everything, think about all the things that will be connected. We cannot enable that technology without a solid security program or process in place.

Right. It has to carry its own security with it.

Absolutely. We can't open it up and leave the door open behind. It has to be part of the architecture process.

Right. The other thing I was thinking, just to cover this before we close, is assuming they got all my information and I got their information, then the contest is not so much getting into the other guy's information. It's what are you going to do with the information, especially with nation states. So I can have googols, the original word googol, of information. I've got tons of it. But if I can't evaluate it, if I can't make some sense out of it, it's an exercise. And I would bet that our systems in this country are probably more sophisticated than anyone else's.

We'd never want to assume that. We'd never want to assume that. We'd always want to assume that the adversary probably has more resources, they're better organized, and that you're constantly playing catch-up. And if you operate from that standpoint, I think you're going to probably have a better result than if you make an assumption that we're ahead of them.

Right. Many, many people have characterized this as a war. It's not just an attack here and an attack there, skirmishing here and there. It's really global. It involves a lot of countries with, you know, a lot of ... out there. They don't have good intentions at all.

No.
And they're actually fighting. Most ultimately. Yeah. Do you think this war will turn personally violent, that it will result in civilian death?

I would argue that in some cases it probably already has. And this is a mild example, but think, for example, about healthcare. The healthcare facility in Southern California that was recently breached with ransomware actually had to move patients from their hospital to another hospital, because things were locked down and shut down. It wasn't just locking up their personal information. It was shutting the systems down.

Yeah. So they had to move customers to other beds, other patients.

Safety is number one in all healthcare. You don't bring people in to get worse than they are.

So I guess the question I want to ask you, Terry, is what can I do about this? I have this sense of powerlessness. We've all been compromised, every organization large and small, from government to academia to industry, all been compromised. What can little me do about this, if anything? To protect my information, my stash, my life, my systems, whatever.

Yeah. So from a personal side there are probably three things that I would always recommend. First of all, it's the no reasonable expectation of privacy. Assume it's going to be public. If you start from that standpoint, whether it's public or private, at least if it does get compromised you're not going to be that upset. Secondarily, always try to keep your systems up to date. I mentioned all software has bugs. It's just the nature of the beast. Humans aren't perfect. We don't write perfect code. When those vulnerabilities are found, people are there to ... Make sure that you're not using the same password. This is pretty simple. Make sure that you're not using the same password for all of your different accounts.
You should be using a key ring, a mental key ring of passwords that you rotate through, and keep them fairly complex. "Password" is not a good password. It never is.

You heard it here. It never is.

If you can come up with some type of story or something that works for you that you can use. Machines typically aren't good at anecdotal analysis. When they try to brute-force your password, if you have an anecdotal story driving your password, that may help you.

Look deep into your own life history and psychology and find something. Don't name your pet. Interesting study. They said if you require a capital letter and a number, 99% of human beings will make the first letter capital and put the number through that pattern. What about these programs which say, I'm going to remember all your passwords for you, you'll never have to remember another password?

It's not a bad method for keeping really long passwords, because what they generally do is create really, really long, in theory uncrackable, passwords for you. But it's a trade-off. I feel like if that is ever cracked, then...

Great. It's generating long passwords for you.

Exactly.

What about, I saw recently, in the last couple of days, an optical scanner you can attach to your computer or whatever program, and you actually wave it in front of your eye, or you look at it, and it knows you as distinguished from everybody else.

Biometrics have come a really long way. Biometric scanners, your thumbprint on your iPhone most recently. I think those are great as long as they work the way they're intended. I think those are excellent things to have.

We could go on for hours, you know?

We could.

And I hope we can get you back here soon. That would be a real thrill.

I'd be happy to come back.

Thank you, Terry. Terry Yanis, Cisco. Wow. Thanks for coming down.