Hey, we're back. We're live. It's 5 p.m. on a given Wednesday, and we are going to have a very interesting discussion with Brandon Lester here on ThinkTech Tech Talks to talk about cybersecurity in the time of COVID, because if you haven't noticed, COVID has changed everything. Furthermore, it is still changing everything. Furthermore, we don't know where this is all going to end. So there are going to be more changes on top of the changes. Brandon is a flexible, nimble guy, and he is here for SRC Tech, and he's active in AFCEA Hawaii, and somewhere soon, Brandon, I hope you can tell us what those acronyms mean. Welcome to the show. Thanks very much for having me, Jay. Sure. So SRC, it's out of the mainland. What is it? What does it stand for, if anything? SRC Technologies is, as you mentioned, a small business out of the mainland. I moved to the islands about two years ago and had the good fortune to stay with SRC after the move, and we're a small business focused on federal government cybersecurity practices. It goes across the Department of Defense typically, but we're looking to support wherever we can, and it's typically work based on building secure systems, but also designing from the ground up what a secure architecture might look like. Yeah, which one do you like better? You know, from an architecture perspective, or which place? Nowadays... From the ground up, or from, you know, sort of modifying and maintaining? Ground up, no question, no question. Okay, it's more creative. Now what about AFCEA Hawaii? That's an organization of computer guys and cybersecurity guys. It's a trade association. Can you tell me a little about it? What does it mean? Sure thing.
So, AFCEA Hawaii is a chapter within a bigger organization called AFCEA International, and it once upon a time stood for Armed Forces Communications and Electronics Association, but a couple of years ago we moved away from the acronym itself and branded as just AFCEA, and that gave us a chance to rebrand a little bit, but the fundamental core of it is focusing on connecting people and solutions, and that goes across industries from government to academia to the technology industry, as you mentioned. So traditionally... Oh yeah, traditionally it's a place where people bring, you know, a collection of problems or potential solutions and let, you know, let things happen. Well, a lot of this is going to be classified, isn't it? How can they bring that together? Can I come to a... Not that you have lunches lately, but come to a meeting and share? Yeah, we've actually made the shift much like everyone else. Since we're dealing with COVID, we've turned to the virtual platforms, and, you know, that's a project in and of itself, because as a volunteer organization we're 100% spending time outside of our normal day jobs to figure those things out. We recently had a talk from someone up at USINDOPACOM. It was Colonel Brown, now Brigadier General Brown, and we did that via a new platform, and we had some lessons learned, you know, pros and cons, and we continue to evaluate what works for us as an organization. But we do foresee, even when we go back to luncheons, the need and the change in having a virtual presence, even once we go back to in-person lunches. Yeah, I want to dwell on that. So one of the things is you went to school at the University of Maryland. I'm always interested in knowing how somebody in cybersecurity got trained, got into it, because it is not easy; you've got to be very smart. May I say that? And you have to have a certain way of looking at the world that the rest of humanity may not fully understand. So what was your study at the University of Maryland?
Well, you know, I think a lot of folks take a kind of circuitous route to cybersecurity. Very few people say, "I'm 18. I want to go learn computer security." So I actually have degrees in mechanical engineering and manufacturing engineering. And that was always the beginning of something for me. I never knew what the story was going to be. But about three, four or five years into my career path, I understood I really enjoyed what I was doing. But as a family, we made a decision that we wanted to move to Germany. And we just picked up. I wasn't sure if I was going to work there or not. And along the way, I had the opportunity to study, get into IT and system administration. And I've never looked back since. So it's been a path from day one, picking up that first Microsoft admin book back then, you know, Windows XP or follow-ons. Dating yourself. Absolutely. Yeah. I think Vista was out at the time as well. So it's been a while. Yes. But you know, a career like this is different. I mean, I suppose you could have a career in cybersecurity in a given company. That's it. That's what you do. You're embedded in a larger company. Maybe a defense contractor company. That's what you do. Or you could be more like in a smaller company like SRC and be more nimble, but also maybe have less job security. I mean, you have to choose that path, right? Why do you choose this path instead of the large mega company? Sure. I've worked for big companies before, and there's nothing better than the flexibility of a small business and knowing the folks that you work with and really having opportunities to build something special. So that to me is the absolute biggest reason. And there are always risks that come with that. But the risks are also the benefits at the same time. So within SRC, a company like that, you have a lot of opportunity to build new solutions, if you want to hang out and do traditional on-contract federal government style work, or somewhere in between.
So I spent time doing both. So who is your community in the company? I mean, you have people you can call up on the mainland and, you know, shoot the breeze with them and get some advice and bounce a problem and all that. How does that work for you? Absolutely. Yeah. So I still kind of step back and marvel at all the technology that's changed even in the past three months, but really the past five years leading up to this. I remember spending very few hours of my day on a webcam, and, you know, obviously that's flipped on its head now. But just the nature of always-connectedness is a blessing and a curse, because you have the opportunity to communicate anytime and all the time, but you also have to draw those lines. So it's a little bit of a challenge going from Hawaii time to East Coast, but it gives me a chance to split my day in different ways, where I have the chance to really stop and say my morning is going to be focused on East Coast folks, and then they hit close of business, go home, and I can have the rest of the day to focus on problems that I can really zoom in on or spend time with local customers. You say zoom in. I thought you said Zoom in. That's an interesting choice. Yeah, no pun intended there, but really, you know, spend time to carve out an opportunity to focus. I have a block of time on my calendar. I call it deep work. So it's really a period where I don't want to be disrupted, and when I'm not working with East Coast folks, I have a much better opportunity to do that. Yeah, that's gratifying, to be able to invest yourself, exclude other distractions and just do the work and get through it and come up with a good result. So one thing you mentioned a little while ago I want to cover is that the systems that you were using before, I mean, you as a cybersecurity guy for SRC, those systems have had to be modified. Necessity breeds invention; your way of dealing now, over the past few months, presumably is different.
I can tell you my way of dealing is different, and everybody I know is different. And the question is, and I surmise from what you said that actually you have the opportunity to be more efficient now. And you can find ways to do things that focus that maybe you didn't have available so easily before. So my question is, are these things permanent changes? Because we will hopefully one day, maybe not soon, but one day be out of COVID. Well, there's a term I haven't used before: out of COVID. And maybe some of these things will still be useful. Can you talk about it? Yeah, and I've also heard the term post-COVID. We're going to draw a line in the sand at the year 2020 at some point, at least in this generation. They'll remember what life was like before, or maybe it'll all blur away. But there are a lot of changes that will stick. You see in the tech industry, a lot of the big tech companies have decided even when things switch back after this to "you can go into the office," they're not going to mandate it. There are a lot of companies that might even look at divesting some of those real estate properties that they have and just maintain a smaller physical presence, save money and allow the employees to work remotely. There are a lot of companies that I think will take a look at this and say, do we have the capability to have an all-remote workforce? Because if so, let's take advantage of that. Yeah, well, I think it's clear enough that downtown Honolulu is going to be a different place at the end of COVID, post-COVID, because landlords will have a lot of empty space on their hands. When these leases come up for renewal, you know, the corporate tenants that took all the space before aren't going to need it anymore. They already know that, and the landlords know it. I wouldn't build a skyscraper downtown if I were you anytime soon. Nobody will want it. But you know what strikes me, though, is that you're not in an ordinary business, for a lot of reasons.
You're in a business that is sensitive, that has security attached to it, that has got to be classified, at least parts of it. And you know, you're surrounded with a myriad of regulations that force you to be careful. So query: how can you do that if you don't have an office and you're not on a dedicated network in a corporate setting or military setting, and you're doing it from home on a laptop? How do you protect yourself? That's a great question. So the physical presence in those classified environments will definitely be around. That's not going to go away. But I think what you'll see in the government, specifically the defense industry, is focusing on allowing flexibility for things that don't need to be classified to be done in a work-from-home opportunity, or even building more systems to let folks support that in an unclassified environment. So I've seen changes that I never would have expected, and obviously out of necessity, where there are solutions that are possible now that would have never been entertained six months ago. And that's everything from software development to who's going to sit at the dining room table and open up their federal government email or Department of Defense email. Yeah, what about Zoom? You know, when COVID first got started, there was all this hubbub about Zoom, and then a few weeks later, we found that Zoom had security flaws in it, and they were racing around to try to patch that up. And I guess they did. But does Zoom give you any concern about security? I mean, is Zoom a safe program, or should I, you know, think about one of the others? WebEx, and Google has one now, and Microsoft has one, and so forth. Yeah. I mean, that's a point where I think my phone and tablets have about five, if not 10 or more, video chat applications installed. And guess what? They're all software. They all have bugs. They all have security concerns one way or another. Doesn't matter.
Zoom has actually gone through an evolution faster than any other video conferencing software has, because they got so much attention, and they reacted pretty quickly to those questions and those needs. I think there's still a lot of hesitation because of how it was discussed in the public forums, but a bug or security concern on your computer is certainly something that's always going to happen and always needs to get patched. I don't think there's any reason to downplay that. What happened with Zoom early on had a lot to do with their security configurations being geared towards ease of use and geared towards focusing on allowing folks to connect quickly and easily. And that's a trade-off with security, as most people know; if it's more secure, the industry has done a bad job at somehow making that harder to use. So they've had to adjust course a little bit to understand we can be secure and provide that functionality. And I think they've been doing okay putting that together, but they still have a little bit of a stain left from those first days, especially because of the Department of Defense calling them out and saying, we're not going to use you. Oh, that must have hurt. Did that stick? Are they still accepted by the Department of Defense? Well, with all things federal government, there's a lot of confusion along the way. So they have a system built in a federally approved space called FedRAMP, which is just a fancy term for "the federal government has looked at this and approved that implementation of Zoom." And that's approved, but there are still some policies out there saying you can't use commercial Zoom. Well, you know, you say that they made some remarkable changes in a fairly tight period of time, and to their credit, they've had expansion that is, like, really unbelievable worldwide. I mean, we have correspondents all over the world using Zoom, the commercial kind.
But what interests me is that there are people, other companies, that want to emulate them, like Google is trying to emulate them. Cisco is trying to emulate them. What's the other one? Microsoft, I guess. Everybody's trying to follow Zoom, but Zoom is still the leader, at least as far as the public is concerned. And one of the most interesting parts of the competition, I don't know if you noticed this, is the sound part. Now, right now, you and I, we can hear each other pretty well, and Zoom does handle it pretty well. And I'm happy. I'm going to continue to use Zoom for that. But if you had a background where you were in an airport or a crowded room, it wouldn't be so good. Now, Microsoft came out last week with an AI sound and audio module for its meeting software, which cuts all of that out brilliantly. I say to myself, well, was it Microsoft? Google. Google came out with that. Right. And I'm saying, now that's really good competition, because now some people want to avoid that background noise, and they'll go over to the other side of the boat and they'll get the Google product. On the other hand, I also think, and this is part of what I want to ask you about, you know, Zoom definitely has the resources. They make money hand over fist. They have a following. They know about AI. They can do the same thing. Next time you look, you know, think of this discussion in two weeks' time. I think Zoom will have another, you know, sound module, audio module with AI. And they'll be doing the same thing that Google did. It's interesting. Google has a leg up on everybody when it comes to AI, especially because of, you know, the history of their research. So when I saw that feature come out on Google Meet, it was very interesting. And you'll see little applications of AI across the board in, you know, everyday products, because it's one thing to say, all right, machine learning and artificial intelligence are going to take over the world. It's another thing to say:
What does it mean to be useful to me? And that's a great example. Similar feature set: they're taking that audio feed, and you can turn on closed captions immediately. So every YouTube video that's uploaded is transcribed, and you can download the transcript. And that set of features is absolutely not exclusive to Google, but you need enough infrastructure to be able to power that for however many calls at a time you're doing. So for Zoom, it's going to cost them real dollars to have a feature like that, because you're doing so much processing in the backend. Well, Google could just go ahead and buy Zoom, couldn't it? That would be a 50 billion dollar deal. Oh, yeah. I mean, you think back to when they bought YouTube; it seemed like a lot of money back then, but now it's, you know, a no-brainer. Yeah, really. Look at what they've done. On the other hand, you know that we broadcast on a number of platforms, but one of them we added recently was Vimeo. We had kind of a sleeper account on Vimeo, but now we've added it, and we love Vimeo. So Vimeo, YouTube, they're all competing. Why? Because everybody's doing video. And why is that? Well, I think COVID has a lot to do with it. Anyway, I wanted to go to COVID and phishing. COVID and scamming. There's been a lot of talk and a lot of articles about that, and that suggests to me that COVID is an opportunity thing for a lot of people who have bad intentions. Have you heard about it? Have you seen that? Have you had any experience with that? In other words, in the past, say, 60 days, if I were a bad guy, I would say, hmm, there are opportunities to scam people. There are opportunities to hack that wouldn't, you know, have existed before. I want to get into it. Is this true? Is my perception of that true? Yeah, it's fundamentally always the M.O. of the bad guy to go attack someone where "I'm going to get somebody else's money." And so you look at malware; that's pretty hard to monetize.
Phishing is the easiest way to get someone's credentials, log in as them somewhere else and either masquerade as them or use those credentials in some other nefarious way. So in this case, what's happened is you have them logging in; it happened in Germany and it happened in the U.S. as well: tens, if not hundreds, of millions of dollars in false claims for payroll relief for small business loans. And those governments are probably not going to get that money back, depending on how well the criminals masqueraded as somebody else, and phishing is the first step. It's always getting someone to click that link they weren't supposed to, but you're sending them to some other website, having them log in there. And instead of it being the correct government website, it's some bad guy's website where they collect all your information and then take it and do what they want to do with it. So, and you know what? My problem is I don't know what's on their triage blackboard. They've got a whole system, scenarios and logic chains and whatnot, about how they're going to deal with me as the phishing victim. But they've got a plan, and everything that happens is part of their plan, and sort of differential choices they make depending on how I conduct myself. So this is not something that you can beat them with, I don't think, once you get into the, you know, the trap. They usually have a huge advantage. Am I right? They do. So COVID is another opportunity for them. Tax season is an opportunity for them; holidays are opportunities for them. So this is just another dot on the line where they're going to take advantage of something that they think they can really get your attention on, because your traditional spam emails are not really the kind of phishing that we're talking about anymore. And they're not the same kind of thing, right?
In this case, it's targeted towards small businesses or medium businesses, where they know that you're going to want to click on this link, and they can cater to that. So I have a couple more specific questions to throw at you. A couple of days ago, one of our hosts received an email that had my name on it, and he was quick enough and careful enough to look at the address that this came from. It was not my address. It was some kind of alphabet soup address in France with, you know, the extension FR, and he was smart enough to bring this to my attention. I said to myself, so what? Where does that, you know, I know you can't out-figure these guys, but so what? The guy in France is sending an email to him, which has, you know, my name on it. And I guess asking him to respond to it, where could that go? Why is that dangerous? Well, it's actually easier to also spoof your name in the right way. They can adjust that email header so that it actually looks like it came from you, even if it's coming from France. The ultimate goal would be for them to give you, or give the guests or the hosts that they were trying to reach, an executable file one way or another. It could be as innocuous as a PDF or a Word document, or it could have a link in it, just in the email, that they're trying to get you to go to. And as soon as you click on that link, it's going to run some code and exploit a vulnerability, if that's their ultimate goal. It could also be any other kind of scam we just don't know about, but if they're actually phishing and they're masquerading as you, you better believe there's some reason that they're trying to get this attention. And we have the same thing in AFCEA, right?
We have some websites where versions of our leadership's names and/or email addresses are posted, and you will get scams probably once a month at least where you've got someone posing as the president or posing as the chairperson of the board and saying, "Hey, just reaching out. I need some gift cards." Very common scam. "I need you to buy a hundred dollars, five hundred dollars, a thousand dollars of gift cards." And for folks that are not aware that their president or their chairman of the board or even an executive anywhere doesn't want that, doesn't actually need that, has no idea why they would ever ask for that, you really have to pause and just pick up the phone and call that person. "Hey, is this really what you want?" And they say, "No, I never emailed you." So I guess my concern is, you know, in the ordinary course, I'm usually able to figure out the phishers. You know, if there's anything out of the ordinary. But I sense that what's happening now is different, that COVID is out there. People see the opportunity. They may not be working. They may see this as kind of a job, all over the world. It doesn't have to be the U.S.; it could be, you know, in Russia, for example. And there'll be more, and it'll be more sophisticated maybe than, say, six months ago. Am I right about that? Yeah, the one sad thing I think most cybersecurity practitioners acknowledge is the tricks and vulnerabilities from 10 years ago still apply in a lot of scenarios. So even if the adversary gets more sophisticated, they are not going to go straight to that tool. They're going to use the one that costs them the least, and phishing is one of those. Just general lack of patching is one of those. And the third, and I think the one that affects all of us as consumers or just people that have accounts out there on the internet, is password reuse. So there's this attack called credential stuffing, much like the culmination of websites being hacked, all the usernames and passwords getting leaked.
If you've used that password from zappos.com and that password is the same as your Amazon password or the same as your bank password, guess what? They now have your bank password, and they can try it if they are willing to. So those specific vulnerabilities have been around for a long time, and it's just bad practices, but they still work. And so even as the bad guys get more sophisticated, they don't need to go straight to those tools. Yeah, on passwords, by the way, passwords have proven to be, you know, a tremendous burden. And I know it's for a good reason, but a lot of these companies, you know, want you to change your password every so often, and they will lock you out until you do. And then you're walking around with password... "Password hell," I call it. Sometimes you can't get in, and then there's two-step verification. And I know it's all to protect you, but it is such a hassle. If I counted up the amount of time I spend with that every day, it would be extraordinary. So my question to you is, can't we do better than password hell? Can't we find a way with, you know, biometrics or DNA or some kind of distinguishing characteristics about the individual? So we don't have to go through this. Are we heading there, or are we just going to have more and more password hell? Oh, we're heading there. So within cybersecurity, there's actually a subset of practitioners focused purely on what we call identity, and identity management, identity use for accessing those systems, and passwordless is definitely a buzzword in the industry and has been predominantly focused on the past few years, if not more. So there are alliances of technology companies out there building this passwordless future, so to speak, and some of that has to do with two-factor biometric opportunities, but some of it also has to do with advances in the partnership between hardware and software.
So something like Windows Hello, if you've ever seen that, is specially built to use a chip on your computer so that only you, on this computer, can log in with something other than a password. Well, that sounds very reasonable, doable and maybe even, you know, workable for large numbers of people, and I would like to say that it's not crackable, but then you can never say that, can you? Right, right. And I think everybody really wants to get rid of passwords. It's the same as the people that created them 60 years ago and didn't think that they'd be protecting their bank statements with, you know, eight characters and numbers, and add an extra dollar sign in there. So what's the future? We're almost out of time here, and I, you know, would just like to get your thoughts, Brandon, on where it's all going. And I mean that in terms of your industry; I also mean that in terms of, you know, consumers like me and ThinkTech. What do you see down the highway here? Sure thing. Well, on the industry side there's this idea of zero trust, which is kind of a misnomer, but it's basically take what we just talked about from identity and passwords and make your decisions on who's allowed to do what on any given system based on context. Don't just give the keys to the kingdom to everybody, which is an idea called least privilege, and combine those two ideas together. These are things that companies like Google have figured out and rolled out within the past five years, and it fundamentally comes down to making your systems more secure by design from the beginning. So that original question, would you rather build from the ground up? Absolutely. Because there are so many better ways to do things now, if we all had a chance to just get rid of everything from the past.
I have no doubt that we would all be much better off building more secure systems today. As far as consumers and nonprofits and ThinkTech and AFCEA and everybody else, in a lot of ways we're along for the ride, and it's hard to say that without feeling a little bit like I can do more to help this, but as consumers you have to be interested and willing to protect yourself. So that's that common trade-off of convenience versus secure. I think I've said this on my previous guest appearances on Andrew Lanning's Security Matters show on ThinkTech, but if there's one tip, it is: go to a password manager as a consumer, and don't reuse passwords. Okay, and there's one other question that comes to mind before we close. So you're talking about, you know, your career in cybersecurity and trying to do new architecture when possible and all that. Is there a chance that a guy like you, Brandon, could develop a new password system and actually, you know, get incredibly wealthy (and you should still talk to me even if you're incredibly wealthy) and change the world with this new system? Or is that something that only a huge, big, you know, tech company like Google can do? Do you need the kind of resources Google has to do, you know, a new paradigm like that, or can anybody do it?
Anybody can do it, no question. The world we live in today offers so many opportunities on the technology side, and it doesn't even have to be rocket science, brand new technology no one's ever thought of before. You just have to have a sound idea, build a business plan around that, and go execute. And as simple as that sounds, I wish I could pick that idea up and run with it tomorrow. Well, you know, given a little deep thought, maybe you can. Thank you, Brandon. Brandon Lester, the cybersecurity professional. So nice that you joined us for the show. I hope we can do this again, because I know that everything changes while you watch. Absolutely. Yeah, thanks for having me, Jay. I really appreciate being on. Take care. Aloha. You too. Aloha.