 voice scam, a tsunami of, I love tsunamis, but not this kind. Okay, with Attila Suresse, I'm Cylanda. Welcome to the show, Attila. Hey, thanks for having me, Jay. So this is, I think, Tech Talks with you, and we got to keep up on, you know, on the trouble out there, or actually the trouble in here, the trouble with every electronic device, and especially the computers, which we are wedded and married to these days, especially in the time of COVID. So give us a handle. You talked about this in a PBS roundtable discussion. I thought it was excellent. I thought you were the star of the show. Actually, Attila, you had more to offer. You had more thoughtful, you know, contributions to that discussion. So tell us, you know, where it's going here. What's the trajectory here in 2022? Well, it's the same thing that's happened in cyber crime over the past decade. Every year, there's more. You know, people forget about these major breaches from Home Depot to Target. Well, that was like three, four or five years ago. I mean, that's old hat by now. You know, the kind of breaches we see every year, just keep getting bigger and bigger. And there's two ways to look at it. You know, one is that you look at the headlines and, you know, read those articles about how much data is out there and how much your compromises are at risk or, you know, like we get calls here every day about all the kind of scary things that are happening to people or you focus on what you can do. And that's about, you know, looking for ways to maintain or increase the revenue potential of your organization, putting in safeguards and protective services and protective things and protective activities and behaviors and structures that can keep your organization resilient and, by extension, our community resilient against the types of cyberattacks that are evolving and getting better and better every year. Better and better for who? Well, they're getting more sophisticated and in terms of payouts, they're definitely getting better. I'll tell you that much. And I wanted to address your tsunami analogy. I think that's the best word that you can use to describe the types of scams and cyberattacks that we see here almost every day. In fact, we just had one probably about an hour ago just come in. It was a major business email compromise. And yeah, we have to constantly try to remediate this stuff. But I'll tell you, it's a lot harder to clean up the spill once it's on the floor. You're better off getting a good grip on that cup that's got your water in it if you get my analogy. Yeah, it's so poetic. So, okay, we live in a time of stress of difficulty. It's the third year of COVID. I told you before the show began, there is a really interesting article by David Brooks, a columnist for the New York Times today. And he's a very conservative, thoughtful writer. He doesn't jump to conclusions. Sometimes I hate him for being so laid back. But he wasn't laid back in this article. What he did is he took stats about how people are getting more angry in COVID probably because they shut in. And maybe they have a different view of the future, you know, their level of hope is not that great. Their level of worry, concern, you know, is greater. And there's a lot of factors that make for that. And he looked at various stats around the country and our lives and our society about how, you know, it was more violence, more, more threat, more confrontation, airplanes, highways, really everywhere, and crime. And I said to myself, gee, I'm going to talk to it till it's the rest of the minute. I have to raise this because, you know, I think that this has to be involved in the, you know, the whole thing about hacking and this, you know, talk about tsunamis of fishing and what not. It's got to be related to the way these people, these criminals, I'm very clear about that, these criminals, you know, feel and why they get into it. So I think there's a couple of factors. One is that we are more dependent in the time of COVID on our computers. I can tell you, for myself, I spend more time on the computer doing stuff, trying to be productive. And I don't think it's just me. I think it's the whole society. There's been a number of articles about workflow and offices, how people are, you know, connecting by the various remote, you know, software and doing their job that way. Well, they're relying more on computers and software. And I do too. And the other thing is that there's a lot of people responding to that. I don't know if I've told you before, but, you know, we love software. ThinkTek has, you know, 70 operating pieces of software. And I'll tell you too, that a lot of the software is not US software. Europe is heavily involved in building software for offices and individuals that that is just as good or better and often cheaper than American software. You know, I mean, I'm sure we still have the edge in many ways, especially with the big software companies. But for these little guys, you know, who want to help you with a specific task, the European companies are in the market for sure. And that means that you don't know exactly what the origin of this code is. You don't know exactly who is playing it. I know there's a bunch of software companies right now very successful in the US market, you know, who are home ported in Russia, in Moscow. How do you feel about that? I mean, this is a level of concern there. So what I'm saying is that we are in a transformation in office and home, in the way we relate to the computer, how much we use it, our level of interest in new softwares, our level of interest, maybe in justifying the risk by the benefit and not thinking a whole lot about, you know, fishing and hacking and ransomware and all that, which makes for an open opportunity for the hackers, because their pomegranate is now riper than it was before. And they, if you follow the David Brooks article, and they are possibly more aggressive and less restrained by notions of law-abiding than they were before, wherever they are. Your thoughts, please. Well, when it comes to COVID, I think everyone can agree that we are going to be a little bit different than when we went into it. A good example as it relates to technologies, think about grandma, right? Well, grandma have, you know, done her pharmacy order online before COVID, or with a smartphone, maybe not. But all of a sudden now, that's the only way you can get your medicine. So there's been some learning, there's been some technology adoption. There's this notion that perhaps the remote workforce is here to stay, at least to a certain degree, that a good percentage, well, that is like a significant percentage of people when given the option to go back to work in an office won't take it. And what does that mean in terms of collaboration, right? Is collaboration going to go down? Is productivity going to go down? Are we going to experience different types of homes now that have more home offices built into them? Is the demand for that going to go up? A lot of questions we don't know. And I think you'll also agree that there's going to be studies and books and reports and papers written about COVID-19 for decades to come. It's going to be a real interesting economic experiment. And we don't know what's going to happen. Of course, I think we've always been plagued by correlation versus causation in any sort of study. And there is a tendency for some, maybe for some people to get some attention by correlating two things together that maybe are not related, I don't know. And the big question you need to ask yourself is how confident are you in anything that you come across in the news? From what I'm telling you, have you Googled what I'm saying about these kind of events? Because we haven't even talked about the Google scams. But yeah, you'll see that there is a great deal of source amnesia when it comes to these kind of studies. There's also a good deal of just follow-up research. So if you, before jumping to conclusions about us becoming a more aggressive society, maybe it's a good idea to look at that history book, because we've done some pretty nasty things, I'll tell you. And I think during the time of COVID, we've also done a lot of, we've done a lot of really good things to help each other out. I mean, we are experiencing inflation this year. So there are some economic changes that are occurring that we experienced some last year. But that was because in order to stabilize our economy, a lot of money was pumped into the business community to keep jobs. So yeah, there is some inflation, but you know what, at least we still have some jobs and we still have a working society, because it could have been disastrous if they hadn't jumped in. And not just America, but all the countries around the world. So yeah, we do have inflation. You asked earlier about if you could get your laptop fixed. Well, of course you can get your laptop fixed, but it might cost a little bit more because there's supply chain shortages when it comes to electronics. And that trickles down to everything from computers to cars to industrial control systems to the raw materials sometimes that are needed for building. There's been a huge supply chain disruption. And you know, there's not going to be much, it's going to take us some time to catch up, but the supply chain could have been completely shut down. So what's the alternative, right? A little bit of inconvenience, but you can still get a laptop for your day to day work, Jay. You don't have to worry about that. You're still covered. You can still get your laptop fixed if things occur. It could just take a little bit longer than you're used to. Let's address that for a minute. You know, because there's a lot of people out there that say, you know, you're right. They got amnesia about all these stories, including stories of, you know, big tech companies, because we are more dependent, like it or not, on these big tech companies now. And they're also vulnerable. And we'll talk about the Google, you know, phishing and all that in a scam. But what strikes me is that people have in the back of their mind that either A, those big tech companies are going to put patches through. They're going to somehow protect us. I know it's not true. You don't have to argue that with me. It's not true. But here we are. And we would like to feel complacent about it. And we do. And when people say, and this is what they say, this is what they say, if, if I get ransomware, assuming I have backup, because there's no, there's no, there's no excuse for not having backup. There's no backup to not having back, either have it or you don't. Okay, assuming you have backup, and the machine goes down, and they're trying to do a ransomware attack on you or something else. Yeah, it's okay. You know why? Because I'll treat the machine as a loss, as a total loss. I will put, I will, you know, either reset it, if I can, or I'll just go down to Best Buy or somebody and get another one. And then I'll, you know, reload the software on the new one, then be back in business. It's like an adaptation approach. I will adapt to the attack. I'm not going to chase them around. I'm not going to pay any money. I'm not going to worry my head about all this. I'm just going to reset. I'm just going to do a reset. And there are problems with that. And I was going to ask you, what are the problems with that very simplistic approach? You're completely right, Jay. You know, when I hear that kind of argument that, we can just get some other equipment, and we'll be back up and running, that, you know, this didn't really cost us anything, then I worry, because that is, that's not a sustainable way to run an organization in general. Imagine, imagine if the DMV had to do that. You know, that would be a, you know, you really depend on the DMV to get your, well, or let's just say a hospital. You depend on a hospital to, to be there when you need them. A laxadaisical approach like that isn't, isn't sustainable. As an organization, what you want to look for is you want to show the competition and your clients that you have the best in class service, that you value your assets, that you value the security of your assets, especially when it comes to customer data. That is what's going to put you ahead of the next guy. That's what's going to make your business succeed when the other one does not. Protecting customer assets, protecting the revenue, and really looking at your costs. So, you know, what is the difference between 1% of uptime versus, let's say 99% of uptime versus 98% of uptime, right? Any sort of disruptions in your business. Business disruptions are huge, especially when you start to look at organizations of greater than 100 people. Think about this. 99% uptime means that you can be down for about three days per year, right? 99%, 98%. What is that? Another, yeah. So what does that mean in terms of cost? Well, if your cost of operation, and we'll just do some spitball math here, is $100,000 per month, right? Well, let's just do it for easy, man. Let's say it's $30,000 per month. You're very, very lean organization. That's a very lean organization. That's not even realistic, but anyways, $30,000 per month. That's how many thousands of dollars per day. A company with 100 employees is probably at $300,000 per month. They're probably roughly at around $60,000 loss at being a 98% uptime. So moving from 98% to 99%, you're looking at roughly a $30,000 gain. And the tools and software and everything that you need, the procedures that you just described about having a good backup plan or a good business continuity plan, a good DR plan, having the proper safeguards, having a security operations team monitor and maintain your network to ensure that all these patches that you just described from your manufacturers are coming through and that your systems are secure and they're watching for lateral movement and bad guys attacking in there. All that costs less than downtime. It's simple math and you can't even put a dollar amount on customer trust. And because once you break that trust, that's it. And I'll tell you right now, for anyone who's listening, Windows, or not Windows, Microsoft released a whole bunch of updates last week. Be sure that you update, there are six zero days in that update pastures about 97 CVEs in there. So there's quite a lot. It's one of the largest we've seen to date. And of course, it stems from a lot of bad actors finding holes in the net. They are finding ways to get inside of those systems, especially servers, exchange servers is the big one, for example. The biggest thing that gets harped on by us from Homeland Security when we have our conversations is to ensure that all systems are patched by the latest patches from software vendors. So that's Microsoft, that's into it, you name it oracle, you got to make sure that those systems are patched because as they discover vulnerabilities, they release them into the wild. And it's just a matter of days and most weeks before they get exploited. And there's major cleanup to happen afterward. So you got to do the right thing, think about your uptime costs, think about your downtime costs, think about what this is going to mean to your customers. If there's a problem, find ways to secure your assets. Be that company that you want to do business with. Do you want to go to your bank and worry that perhaps their security posture is not so great and your money could get stolen? No way. You switch banks right away. And it's the same thing with every business, whether it's a dog rumor, insurance company, you name it. Microsoft. So I have a Microsoft operating system on this computer right here. Not that I watch it all, I leave it on. Not that I watch it all day, but is it automatically downloading patches? Or do I have to take a primitive steps and what are those steps? Some of them are user interaction. It depends on the patch. Patches also stack. So sometimes they need a reboot. In fact, one of the biggest problems we have is the clients just don't reboot their computers sometimes. So we have to kind of do that for them. Because if you don't, the patches sometimes don't get applied. It's very important. So I reboot every so often checking for those Windows updates, making sure that you're not running any end of life software. We come across software out there that's Microsoft Office 2007. Well, I'll tell you right now, that's a very easy piece of software to compromise. You don't want that out there in the wild. Make sure you're running the latest version of QuickBooks. So how do I know whether it's been downloaded automatically or whether I have to do something affirmative? Where do I go on the operating system or on the web to determine whether I'm current or whether I need to do something? Well, I'll just tell you the easy tech support answer. Press the start button in the bottom left hand corner of your screen. Type the words Windows space update. And it'll come up with a Windows update. And the window will show you whether your system is pending patches, if they need to come through. Sometimes, like let's say if you have a Dell or Lenovo, they have their own update tool that will update critical firmware patches. So it'll say, hey, we have a new BIOS firmware patch. You need to push this through right away. Otherwise, you risk having a brick for a system. So those will pop up also. Look for those user interactive pop up boxes. You mentioned zero day. And I recall that was particularly threatening. And there was an issue about phones that had zero day nefarious software on them, where you didn't even have to do anything with the phone. But the bad guys would have control of it and get your data. Am I right? What is a zero day software? What is that? Zero day means it's something just like what you describe. It is a that needs to be patched right away. They can't wait any longer to patch it. It's a critical thing. It's a critical hole that can allow a bad actor inside of that device. And then they can leapfrog from there across other points in your network. Part of last week's patch Tuesday, release did have a zero day in there that specifically had lateral movement for networks that were unpatched. And it was zero user interactivity. So what that would mean is that if you received an email with a zero day attached in a Word document macro, that was, let's say you open that with an older version of Microsoft Office and or you just simply allow it, even with the new version of Microsoft Word, it could then traverse the network, gain footholds inside of the network. And from there on out, they could do whatever they want. Everything from selling access to your network, which is one method of stealing your data, another method. And I know ransomware keeps coming up as a as a topical piece. But I'll tell you ransomware is the very last step in a bad actors playbook. They're not there to encrypt your systems until they have already taken everything they possibly can looked at everything they can look at stolen all the possible emails and correspondence and put in additional footholds so that after they do deploy the ransomware, they can redeploy it if they want to. Well, you know, it strikes me there's a tremendous inequity here. It's sort of like if you're in a negotiation with a pathological adversary, you know, he has the advantage because he's willing to he's willing to do things that you wouldn't do. I mean, see this happening in national government these days. But if I'm if I'm a bad actor, unless I come from Bulgaria, just for example, I get to know when Microsoft is downloading patches, I get to know what the holes are because they're publicized, because the guys on the other side of the equation are relatively speaking, they're transparent. So I know what my job is and I and I have tools now that are more sophisticated than they were a few years ago. So in many ways, I as the hacker, the one who wants to get into the machine, and maybe ultimately do a ransomware attack, I have an advantage because guys on the other side are open, transparent, and innocent, relative to my, you know, villainous intent. Am I right? Is this the way it's going? Because it sounds like as we as we proceed here, and even with the best efforts of Microsoft and the others, the hackers develop an advantage because their programming is unknown. You know, no, it's not transparent. And the Microsoft programming relatively speaking is transparent. What do you think? Well, I think it's, you know, you mentioned inequity. I mean, they don't see they don't see what they're doing as villainous. They see themselves as like Robin Hood. You know, we are the wealthy rich Americans who can afford to eat and can afford, you know, we can afford a few dollars here and there to kick it over to some poor folks in other developing countries. And, you know, I think the way that they see it is that their needs are greater than yours. And that's that's just a common human need. I think you get into trouble when you start to, you know, dehumanize anyone, whether they're the ones doing the the bad acting or not. That's where that's a problem. They know it's wrong, though. They know it's criminal. They know that they're, you know, visiting harm on people, right? To a degree. But, you know, in the in the same way, the perception in foreign countries is different for those that do this kind of work. So for example, the Indian scammers that, you know, we've, we've, you know, done some work with, they see themselves as, as heroes, right? Like, you know, little Johnny goes to go to school and he says, yeah, my dad's, my dad's a scammer. And he takes money from those rich Americans and distributes it to our poor community. So a democratization of sorts. Yeah, it's, it's a different perception. And I don't think that's going to change unless you change the perception or they have other means by which to feed themselves. The scan that we're going to talk about at the beginning of the show, but the Google voice tsunami is exactly that. They find ways to infiltrate free services like Google voice. They look at, you know, us rich Americans posting things on, on social media like Craigslist or Facebook Marketplace. And they reach out to us and they say, Hey, I want to make sure that you're not a scammer. So I'm going to send you a code and you just tell me what that code is. Well, what they've just done is they've opened up a Google voice account or just a Google account in general. They've authenticated with your phone or they've done a password reset with your account. And now they have accessed all your stuff. They can go inside your bank accounts, they can repost, you know, your ad and repeat the, the scheme over and over again. There's lots of things they can do once they're inside your Google account, but that's the gateway to the Google account, which is why we sent out that email blast as a warning, where if you're ever asked for your Google authentication code, do you not give that to anyone? That's someone trying to break into your account. So that's, that's, that's a big, that's a big no, no. So hopefully what's the Google authentication account? What is that? So when you sign up for any sort of Google service, you have an option to do two factor authentication. And that two factor authentication usually comes in the form of a text message. So you tie your cell phone with that. And that, you know, the password reset come request comes along and it says, Hey, we've just sent a text message to your cell phone. Let's make sure that you are who you say you are. And so the scammers have figured this out. They say, Hmm, if we're trying to do this to someone, if we're trying to find a victim, we all know that they have a cell phone. All we need to do is find out that cell phone number, which is readily available. I'm just looking at the latest T-mobile breach. And they'll, and they'll say, Hey, look, you know, I just need to make sure that you are who you say you are. You know, I see that you've posted, you know, that you're missing a pet, or that you're selling a couch, or whatever. But I've been burned before, right? They play the victim. That's how that's how the play goes. They play the victim. Oh, no, I've been burned before. I need you to tell me that you are who you say you are. I'm going to send you a text message. You just verify that with me. And sure enough, the text message comes through, they verify and as soon as you give them that number, they change your password, they can start resetting your accounts, start getting into your bank accounts, etc. That's all you have to do is give them that number. So this is called SC or social engineering. It's a hot topic. It's been around a long time. I think in the movie hackers, they had something like this where it's not necessarily all these, you know, technological safeguards, behavioral safeguards, education, skepticism, being aware that these kinds of scams exist, knowing if you're a target. These are all really important things. Some industries are being hit a lot harder than others. Financial services, real estate, mortgage brokers, big time, title companies, right? They all are regular, regular targets because they deal with high dollar amounts on a regular basis. And they're wedded to the computer. I'm sorry? What is it? They're wedded to the computer. They do business online in so many ways. They do and each transaction can be, you know, hundreds if not millions of dollars, hundreds of thousands, not millions of dollars, depending on the type of transaction that is occurring. We've, you know, we covered some time ago about how an AOAO was duped out of a quarter million dollars. And that one made pretty big local headlines. But we've seen that kind of activity happen at other AOAOs, you know, different dollar amounts, but still very substantial. It's very easy for once business email compromise occurs, meaning a bad actor has gotten inside of someone's email account. The first thing they do is they download all those messages and they start going through them, see what they can do. If you've ever emailed someone a credit card number or an identification card or any of that stuff, that's fair game. Information is power. So, but, you know, I want to try to, you know, get people protected. So what I'd like to know is how do you spot the fishing? Now, you know, you're right. I mean, fishing has been around for a long time since the 90s. And social engineering is, it's an art form. And a lot of people fall for it because they're silly. They're not being paranoid enough. Smart people do too. They're smart people do too. They get conned, yeah? So it's the human condition. And we're not talking about patches. We're not talking about sophisticated things. We're not even talking about, you know, making sure the ports in your network are closed up properly. No, we're just talking about you getting fooled. So what I'd like to spend a minute on here, Attila, is how do you know when you're being fooled? Give me an example of when my radar should be, I know they're very creative, so it ain't easy. But when should my radar go up? So we do quite a lot of this in our Employee Security Awareness Training programs. But I'll give you a big red flag. Anything that calls you to do anything urgently. If you get a call from someone claiming to be from the IRS saying that you need to pay us right now with gift cards in order for you to not be arrested, and you need to go pay us right now. So, you know, you may not know that the IRS does not get paid in gift cards, I promise you. But you may have a spidey sense tingling if they're asking you to do something right away right now because it's very urgent. So that should be your big red flag. Anything right now? Oh, oh, you need to read me this text message right now. All you need to click on this link right now. All you need to pay us right now because your computer is infected with something. All these scams all have a common thread of immediate, like some sort of immediate need. The long ones, like the romance scams, that's one of the also the top three that is reported to the FBI. Many of those don't get reported because of shame. Just be aware that there's a lot of shame involved in this. Companies that do have an incident, if they don't have to, they don't want to let everyone know about it, and they don't really need to because it makes no difference. So we are very confidential with who we work with for that reason, because we understand that the reputation damage can be very devastating for something that may not be all that serious, could be relatively trivial, was just an accident, and you know, hey accidents happen, right? No one wants to know that think tech could be breached, right? We don't want that out there. Nobody wants to be embarrassed and tell the world that you've been made a fool of, especially if it's a phishing scam, especially. Let me ask you one last question before we go until I'm referring back to this sort of practical solution I was proposing to you. Suppose I have a duplicate of my system. I build a shadow system. For every computer on a staff member's desk, I have another one, not even plugged in right now, brand new, and it has the same software on it. Maybe not completely configured, not completely connected, but it's there. And aside from my backup, you know, I have backup somewhere, maybe maybe in some safe cloud somewhere. So what about that as a modus operandi, to have a backup system ready to go ready to plug in, you take the old one offline, put the new one on, and you don't even have to go to Best Buy. I hate to say, J, because we have to deal with ransomware on a pretty consistent basis. And I mentioned earlier how ransomware is the last step on a long line of plays in that bad actors playbook, right? Well, guess what? They've probably been in that system too. Some of these guys are in there for months, sometimes years, for a long time, because it's far more valuable. Just think about it like COVID versus anthrax, right? COVID, you can carry that around for a few weeks and spread it to other people, and you won't have to show any symptoms. Anthrax, boom, you're dead in four hours, right? Which one survives? You don't have anthrax outbreaks all the time, right? So in the same way, they will get access to a system and they will milk that for a long time. And that can be even more embarrassing, like no one wants to hear about the fire and the fireworks factory, right? It's the same kind of analogy here. You can have someone in there for a long time watching employee transactions, and yeah, maybe you could swap out a system, but if they have that foothold, they'll just spread it into that system, even if it is brand new. And if it's just a few months old or if it's been imaged, can you bring it back up? Well, guess what? That one's infected as well. Still there. Okay, very, very last question, because we got to go one last question. And I always think about this when you and I talk. At some point, a small or even a medium-sized company is going to say, I need to have somebody in-house looking at this. I need to have a dedicated person right here in the company who will spend all day doing this. At what point does that become a practical and real necessity? At what point do I have to do? Do you think I have to do that? Well, I believe that having security expertise, yeah, either in-house or on hand, either is fine. I'm talking about in-house. I know I can always call you. And there's a whole industry being, but what about in-house right there next desk? Some large organizations will have a security team. We typically don't see that until, let's say they're almost at the multinational level. We'll have a security team for this. Most of the time it is outsourced. So if you have, let's say fewer than 5,000 employees, usually it's an outsourced activity. Otherwise, yeah, there are typically security officers for large organizations. They understand, when I say they, I mean these large organizations, understand that the cost of not doing it is so great. They want to protect their revenue. They want to protect their increase in revenue. They want to protect their shareholders. These are all key activities and this is where you'll get your chief security officer on staff and they'll be there for this. And I'm not sure if there's many of those kind of roles here in Hawaii. I'm not really familiar with that, but I do know across the country that that is a very coveted role in a security company. Becoming a security officer for a large insurance company or a bank is very prestigious. So, yes, for sure. This is an important role. Well, you know, it's just one more reason why ThinkTech has to consider expanding its staff to 5,000 or more. And thank you for pointing that out to me. Well, you know, I do know a security professional or two. So probably help you out there as well, Jay. Thank you. Tell us a long time friend of ThinkTech and the founder and CEO of Cylanda. Thank you so much for joining us. Always appreciate your discussions with us and how much we learn. Aloha. Appreciate it, Jay. Stay safe. Stay safe.