Welcome back to the Cyber Underground. I'm your host Dave Stevens here at the show. Our mission is to dig deep to find out how cybersecurity touches all of us in our everyday lives. Today, once again, we have an exceptional co-host, Mr. Andrew Lanning. Andrew, the security guy. Aloha, dude. So, brother. Welcome back. Glad to be here. All right, and we also have a great guest today. Again, joining us is the president of the ISC2 chapter in Hawaii of the ISC2. What is the ISC2? Tell us again, ISC2... The International Information Systems Security Certification Consortium. Thanks for saying that for me. Is that why they have the two on there? That's right, that's right. I actually got all those words out right. So, it's the preeminent organization worldwide for certifications. They also have a foundation that does educational outreach to make everybody safer on the internet. Yes, very good stuff. Just on the internet. Now, I thought you had... CISSPs have eight domains. You even got physical security. Oh, they share information publicly on the internet that you can go avail yourself of. Yeah, the foundation is more focused on home users, the people out there, kids, adults, seniors, what they can do to keep themselves safe. Now, you have a whole new kids project going on. Yeah, you guys' Safe and Secure Online. Yeah, tell us a little bit about Safe and Secure Online. What do we know now? It's a new program. Garfield is a spokesman. Andrew Davis created a couple of new characters because some of the other Garfield characters obviously don't know much about security. I don't think Odie can do much. No, no, no. But the kids one is focused on cyberbullying, why you shouldn't share your passwords among your friends. You know, a lot of stuff that security professionals take for granted, a lot of people just don't think about naturally. So the IEC has a URL. It's safeandsecureonline.org.
And there's a section for kids, as I mentioned, a section for adults and a section for seniors. Seniors, for example, has how to avoid banking scams, how to set your computer up to be more secure, things like that. So it's really focused towards the target groups. And we as a chapter are building our Safe and Secure Online program so that we can go out into the community and basically spread the word. This is what you can do to help yourself. We're going to provide some of that training. Oh, we're going to take the camera out. We have the mobile camera. We can go out and talk to people when we see them doing stuff. Oh, wouldn't that be great. On the street. Ask them some questions on the street. We'll just expose our bad. How many passwords do you have? One. That's the worst thing possible, right? What about having one password, easy to remember, across all my websites? It's going to get out there in the criminal world. I mean, look what happened to Yahoo. What was that? Billions of accounts got breached. So people's Yahoo password and their account is sold on the dark web. And if you're using that for your banking account, then the guys can get into your bank. Steal your money. They can impersonate you. Maybe not as much of a financial risk, but damage your reputation. Buy a house in your name. All those things. There was a hack a couple of years ago. Someone got into the Apple version of this. And of course, Apple has the ability to not only find your Mac online, or find your iPhone, but also to wipe it remotely. So people were having their Macs wiped remotely by the hacker. And it was a big problem. They corrupted their credentials. They're losing all that data all of a sudden. That's a lesson learned, everybody. Backups, backups, backups. Those are some of the things we'll be talking about today. What you can do to protect yourself. Backups, the ransomware that's out there right now is just crazy.
Make sure you take your backups and disconnect that external drive when you're finished. Because if you leave it connected, it's going to get encrypted by the ransomware. Because that is a physically mapped network drive. Exactly. As long as it's connected physically to your computer. If it goes out there and fishes for other computers on your network, it'll recognize that as a device it wants to get. So WannaCry, which encrypted your data on your computer, would see that remote as another computer. So even the backup is available to that server messaging block. We talked about how it transfers across there. That's an open door to that service. Right. Or use a cloud backup. Backup somewhere. Make sure it's disconnected. Backup at one location. That's what's great about cloud backups, right? So you're getting your cloud certification now. Yeah. So backup locations, if you're in, say, Amazon Web Services, they have multiple regions, multiple zones, and your backups are actually in two or more of them. Right. And you can pick the zones you want, and you don't have to have two in Northeastern California. You could have Virginia, you could have Oregon. And so if one goes down, there's cloud certification here. So that's a lot of security, and we're talking about online stuff. So what is the cloud certification from the ISC2? It's somewhat similar to the CISSP in that security is security. So the CISSP is a Certified Information Systems Security Professional. So that's the gold standard overall, right? So this one, the CCSP, is geared towards cloud. Cloud specific stuff. Does it have the same security domains? It has similar domains. What I found studying was maybe 40% of it was review from the CISSP side of things, but of course there's a lot of new stuff being in the cloud. You have jurisdictional differences. A lot of countries have different laws, different regulations that you have to consider. Encryption is critical. You need to do diligence with your vendors.
You need to make sure the guy's not going to go out of business. If you're storing your data in a cloud with a provider, how portable is it? What happens if you want to move to another provider? Can you do that? Or are they using a proprietary format of your data? How quickly can you get to it? If there's eDiscovery action against you and your data, is it in your SLA that you're going to be notified by the provider? What is eDiscovery? eDiscovery is when law enforcement wants to come look at your data for some reason. They think that maybe you've done something wrong. There's something there that they've obtained a warrant to basically look at. You could be a piece of a puzzle on another case. You're lucky if it's law enforcement that wants to look, and not someone else's lawyer with a claim. They might be paying for all that forensic discovery. And since so much of the cloud is multi-tenant, your data could actually be scooped up with another company's data. And now you have no control. Your data is out there. Your intellectual property, your confidential financial data, all of that. And these are all the concerns that the CCSP talks about, that you really need to know before you get into these things. Now it sounds a lot like the cloud for businesses is exceptionally similar to just social media accounts. Because we're doing the same thing. We're putting our pictures in Pinterest. We're posting our opinions on Twitter. We're putting our personal data in Facebook. We're doing all those things. What's the first step? Okay, so I raised four daughters. Now this stuff is just now becoming prevalent. Now they're all growing up in their 20s, they're in college. What do I tell my daughters? You have to think twice before you put anything up there. I was talking to my nephew last week and he was telling me about this friend of his who was saying, I don't care what I put up there. It's never going to come back and haunt me. 
And of course, you know, we can laugh being security people. But the thing is that most people can't imagine what goes through the hacker's minds. They are so creative in the way they can use that data to get you. Which you think is an innocent thing. I was reading about a woman; she had posted pictures of herself in her kitchen. So somebody could look at that picture and say, oh, you have a Cuisinart product. I'm going to craft a spear phishing email to get you to click on a link. I'm going to tell you that your device has a defect. We need you to click here to register it. And boom, now we've dropped all of it. I'll do your warranty. Let's send you a new one. The other example I mentioned before was you go into LinkedIn and you see the CEO who does a lot of charity work. So you send him an email and say, hey, we're having a charity golf tournament. Because of your work in these other charities, we want to give you a VIP package. Click here to register. And maybe, just maybe, it's not trained. And it's golf and it's free. If you're a golf nut and it's free. And I've seen some amazingly crafted spear phishing attempts. So let me do that. That's not true. Phishing is when you send an email to somebody to get them to click on a malicious link or go to a site and enter personal data of some kind. So you can hack them somehow. Spear phishing is a targeted email to just that individual or small group of individuals. And we want to go for the whale, like the CEO, CIO, the financial controller. And we want them to do something for us. Or we want the owner of a company to do something for us. But it could be somebody minor in the organization or not even in the organization. So like you said, vetting vendors. The easiest way into some place big like the DOD. You get into a vendor first. And that small company is your pathway in. Look what happened to Target. They used the HVAC contractor. And networks weren't segmented.
Meaning the customer data was on the same network that the traffic for the HVAC was for. And the POS. Which is what they all do. That cracked me up. They put the POS on the same network. A POS. Very big. Very big architecture. It should all be separated so that HVAC travels over its own little network. That's all it ever touches. This is one of the reasons we have to keep as technology professionals we have to keep going back and getting more training. Keep reading. It's constant. It's constant because when you first set up a network 15 years ago I'm going to do the same thing. My network works great. Now everything communicates everything functions perfect. It's just the way I want it. I didn't think to segment all these networks. That's an afterthought. But if you'd kept up with your education taking a cyber course. You read a couple of really bad articles about stuff like this. You're starting to block off different users of your data that you don't want other people to touch. Here's one I just read about in the New York Times. When you have your home wireless network a lot of people now have smart homes. That traffic needs to be on its own network. Don't look back to your PC. Exactly. Separated from that. A lot of what we're talking about is very sophisticated for the average home user. But it's possible to do. There's plenty of stuff out there. Documentation. You've got YouTube videos. All this kind of thing. But you don't have to live a paranoid life. But you have to do more than use your best judgment. You have to be able to step back and say is there any vulnerability by me doing this? You're putting all your eggs in one basket. It's like the company that just got hacked recently. A lot of Fortune 500 companies were using it where they stored people's passwords for different systems. We won't mention the vendor. But all those credentials got stolen. All the people had to change their passwords which was a big hit to productivity. 
And the companies, the Fortune 500 companies using it, had to recreate the secure connections to that company and jump through all kinds of hoops. And convenience. You install a new fridge in your home and say, hey, look at my new smart fridge, and you take a picture of it. Now everybody, they can get on to Facebook and see that picture. Oh, you've got that brand of smart fridge? Cool. What's the default password? Shodan.com. I think the consumers, the problem with them is they really don't understand, as you mentioned, when you can get an image of them or, you know, something that they have, they are a target perhaps for their work, and they just don't think about, I will see if your wireless is locked down. This is what they are going to do. There are people that will pay you enough to get the information that you are seeking. Exactly. And when it comes to social media, it's not just a matter of protecting yourself but also your family. I hate this. Thank God I did not fall victim to this, because I don't do that, but Ashley Madison. If you want to have it there, you go secretly on this website, and they got hacked. So these lists of people that were signed up for Ashley Madison, that's telling everybody I wanted to have an affair with my partner. How many marriages were ruined? Because these lists went public. And careers. That's a bad thing. Especially if you have a secure job somewhere, DOD, NSA, FBI, you don't want that kind of stuff public. If you have one of those jobs, you shouldn't be doing that stuff. That's a good point. No matter what you do, if it's a crime in the internet technology world today, there is evidence of you. No matter what you do to back out of that, no matter what you do to erase your tracks, there's digital footprints everywhere.
It's interesting how they have such trouble with attribution a lot of times, and I don't know if they're really keeping that from us, but we know that there's tracks. And I often wonder why they struggle with attribution, because maybe they're saving some of those final steps. They don't want to give to the bad guys where they're catching them, what pathway they're coming across. But it's interesting how you get from the media and from reliable sources, we find that we've got all this information that really looks like this, but you really hardly ever find somebody to attribute something to someone and say they definitely own this port, this active address, this MAC address, thing from here. Without a doubt they know the first hop, but they don't want to talk about it. They know that she printed that document on that printer from her workstation. The printer puts microdots on the paper. Who knows about that except for geeks like ourselves? So they know that she printed it on that printer. She sent an email to, I think it was The Intercept, from that computer. And you talk about attribution, maybe somebody spoofed her credentials while she was at lunch and logged on and did that. Probably not. I think if I have her access control walking in the building and her log, her card to log into the system and all that... And so we're going to have to take a break just for a second. We're going to go pay some bills, have a commercial here. Give us about a minute, we'll be right back. Stay safe until then. Come back and see Andrew's security minute.

You're watching Think Tech Hawaii. 25 talk shows by 25 dedicated hosts every week to understand the issues and events in and affecting our state. Great content for Hawaii from Think Tech. Hi, I'm Carol Cox. I'm the new host on Eyes on Hawaii. Make sure you stay in the know on Hawaii. Join us on Tuesdays at 12 noon. We will see you then. Aloha.

Hey, welcome back to the Cyber Underground. I'm Andrew the security guy. Today we're kicking around a little bit of cyber security. We're kicking around a little bit of passwords. Take time to take a look at your physical security system, all those cameras, the access control equipment. See what kind of passwords have been deployed. Make sure that they're not just running administrator accounts, that they've assigned users to stream video and got different passwords for those. Make sure they're managing that properly. That's my security minute. Back to the gang.

We got the professor and we got Jeff Milford here today, which we call him Mr. Perfect. We got the professor, you got the... OK, so shout out really quick to your show Hibachi Talk. You and Gordo did a great show this week. We had a film with Terry Rotary. I had no idea what that was. Gordo started a couple of clubs. I just chartered this one with Josh, 51 of them in Hawaii, and the 51st was your guest founded that one, yeah, just a couple of months ago, and myself helped charter it. You helped charter it? That's dynamite. I had no idea. I didn't sleep, can you tell? Never. You just do so much for the community, it's fantastic. And because you wished Gordo a happy birthday on the show, it's fair game. So you said it's this week, so I'm going to shout out happy birthday, Gordo. Happy birthday, Gordo. Happy birthday, Gordo. And you held up the bottle of boneware? Yeah. So we're looking for someone, you want to be there when he opens that up. So it was a good show, and you guys always have a good time. Young guest, though. Get back on there with us. This conversation crosses all over, cross pollinate.

Let's get back to security. Jeff, that's why you're with us. We have social networks that especially nowadays our youth uses, and not just teenagers, we're talking about pre-teens. We use this stuff. I think their whole lives are on there, realistically. Their whole lives for the taking if someone wants to get that data. Lives there forever on those servers of that provider, by and large. Maybe some of them are show and they disappear, Snapchat, maybe not. These kids get a smart phone when they're very young. They really don't understand the underlying technology. No one explains it to them. It's always connected to this ethereal thing called the internet. It's always available, and if friends can find you anywhere, I wonder who else could. They're not thinking that stuff.

So let's pretend we're parents. We have small children and we actually make the terrible mistake, I think, of giving them a smart phone and saying, here, try out Pinterest and Facebook and all the other social media sites that pop up here all the time. What would you say to parents? Some of the first steps to getting your kids to secure their social media accounts so they don't just broadcast all this information. What are the dangers? How do we stop it? I think as a parent you have to stay interested. You don't necessarily have to look over their shoulder constantly, but you have to know what accounts they have. Maybe you log into their accounts and see what they've been up to periodically. Random audits. Same thing that happens to us in our work life. You have to, you can't scare people, but you want them to understand the dangers. One of the things the Safe and Secure Online kids program talked about was the person who shared their social media account with their friend, and as often happens with kids, they had a fight, and that person could log in as you and destroy your reputation at school by posting things. Or the girl that goes into the women's restroom and takes a compromising photograph and shares it with somebody. I saw a video that was really disturbing, because by the time the girl came back in the classroom that picture had been shared, and you can't remove that. It's like we say, it's there forever. People think, oh, I deleted that email. Well, you deleted it maybe from your machine and maybe from your account, but it's backed up somewhere. It exists somewhere.

People don't understand that the internet isn't just one big entity and you can delete and post things there. This is a compendium of other entities. They're all millions and billions of physical devices, and each time you go from device to device to pass your message along to its destination, it leaves a little bit of itself behind, and it's up to that device whether or not it wants to clear that out or keep it around. And if it's a server and it's got a lot of memory and it's not set up right, it could keep it forever. There's a lot of tools that are constantly scraping all of those little hops for information that they can sell or use against you or whatever. And I think people don't understand the information gathering power that's out there, sort of against you. If you put numbers in line, if it looks like a social security number or it looks like a bank account number, it gets scraped. It's just tools. You hope that your email is encrypted, but is it through every hop in between, every hop that it takes? Things like that. It's not always clear that you're being protected that way. Even going to the dark web on Tor, like we talked about before, the last hop from the Tor network to your destination, if that's not HTTPS, it's in the clear, and people can see where you came from and what you're doing and all the traffic that goes back and forth. And people should assume that their information is in the clear. When you're putting that stuff out there, you should just assume your grandmother is going to read it. Whoever that you would be most embarrassed by reading that kind of information, you should presume that they're going to have access to it. And don't get mad that people do that. I hear people...

So this comes up in my classes every single year, the Edward Snowden debate, good guy, bad guy, and I just let it go. I want to hear what people think. I'm not going to issue an opinion right on the show. However, I will say that everything Edward Snowden did, that he exposed, was already put into law in 2002. We did the Patriot Act. Had you read the Patriot Act? I did. It was boring as hell. However, it was a little bit scary. I knew that this could happen. It didn't say this will happen, but we're giving permission for people like Verizon to do exactly what they did. They weren't breaking the law, and it was no surprise to me. But nobody else read what they were voting for. So be aware. That's a good tip.

You talked about how to start kids off, and if you can make that child, your child or your neighbor's child, whatever, that mouthpiece for that, to help their friends be secure: we shouldn't talk about this, you shouldn't do that online, and here's why. If you can get them thinking securely. Because I think the US is probably a little further behind that than countries like Germany, where there's a little more awareness there about privacy. Privacy, and there's law coming out in a year to change the game of the international business. So I just think our education process is starting too late. We're willing to give the device and, you go, lose your mind, but we're not giving you any guidance to take along with the device. We need a little training program there. I really think so. Imagine the CISSP for youth. That's a great idea. Why don't you start them off young?

One of the things I see kids doing a lot is sharing passwords, and sharing it, but to share the username and password over text. For our audience members out there, cell phones are radios. They broadcast in all directions all the time, unencrypted unless you specifically encrypt something. So when you text, you're telling the entire world that text. And there are Linux distributions that you can put on a laptop that have all the tools a hacker needs. The reason there, of course, is for the white hat hackers to do good things. However, you could sit in a Starbucks or any other place with public wifi, you can do lots of really bad things. And kids will use open wifi a lot to save on cellular transmission costs. We have data levels now, and to save, the companies tell you, hey, keep your wifi on and use somebody else's wifi and we won't charge you your cellular data on your data plan. Oh great, I got free wifi, but it's not secure. It's just open. Probably not even the... You're probably not even on the access point you think you're on. Somebody sitting there... You should run Wireshark on that first. So they should teach kids to use Wireshark. That would be an interesting class in high school. Let's break open Wireshark. Wireshark is a network protocol analyzer. We scan traffic, we can see what's in the packets, we can see all the clear text. It's not encrypted. When you see that, when you see the packet capture and go, oh my god, that's my password right there. Wow. I do that with my students. Unfortunately, our average age student is 26, so by the time we get them they've been doing this for a lot of years.

When should we start them? 14? 12? When are they getting these devices? These kids are getting it at ages 8 and 9. A phone, a smart phone. I see that all the time, and that's not recent. When I was that age, her friends were having a smart phone. It's just a little scary. So getting back to what you said, one of the filters you could use for the kids is, I don't want to ever see anything on your social media account that you couldn't tell me, or tell grandma. Tell grandma, or something like that. Anything you say, you need to filter yourself. Tell them you're watching. Don't think you're watching, it's weapons free, because you know how kids are, because they're going to do whatever you tell them not to do. That was the easiest punishment.

I can't believe we're coming up in the last minute of the show. We've got to do this part 2 of the show. We've got to come back and let's do more social media security, because there's all kinds of settings we can go through on Facebook and Twitter. So we'll do that really soon. Hardening an app. You've got to harden your security account. You don't want to post to everybody. What's the biggest tip you can give us in the last minute of the show for everybody watching? Do a backup. You never know when ransomware is going to hit you. There's a company called Cybereason, all one word, that has a free version of ransomware, and it creates folder traps on your machine to try to trap the ransomware. It's not enterprise ready, but it's something. So do your backups. Also do your updates. It doesn't occur to people: smart TVs have updates, there's security updates. Your router from Oceanic or Hawaiian Tel, Apple TV, those updates, the updates for your phone, all of those things need to be run immediately. In the past we used to kind of laugh and giggle because some of Microsoft's updates were not as friendly as they could have been. They've got much better. So the second Tuesday of every month is when Windows releases its updates. Patch Tuesday. Yep. I live for those Patch Tuesdays. Make sure all of our machines... Windows 10 does it automatically if you set it that way, but I go back in, make sure all the updates have been applied, and then I remember, oh, this is a good time to go in and look at my router, check my router to see if there's an update. So backups are a good tip. We're going to have to wrap up the show. Thanks for being with us, and remember, when you're out there, stay safe.