Hey, Aloha, and welcome to the Think Tech Studios. We are back with another episode of Security Matters Hawaii. I am Andrew Lanning, Andrew the security guy they call me, and I'm here with Dave Stevens today and we're going to talk about access control. We're going to talk about physical access control. We're going to talk about logical, electronic access control, and then we're going to kind of talk about the convergence of those two. Dave, welcome brother. Thanks for coming in. Good to be here, man. Dave's the founder of Kapu Technologies and he spends a little time at UH helping those folks out as well, driving a few programs over there. Just a few? And he can catch you here at one o'clock if you don't get enough. He drives the cyber underground for the Think Tech studio as well. Come on back and join us. So thanks for taking some time today. I've been starting off my guests with this one big question. Oh no. Because you're a security-minded guy. What keeps you up at night? Other people. Ah. It's people. People are the problem. We're always the problem. Throughout the history of humans, we've always been the problem. We are the problem on the earth. So no matter how good we make our electronics and engineer our devices and put all these layers of security in there, it just takes one idiot to blow the whole thing. And so training is my big thing. Training. And you're an educator. And I'm an educator. I'm no longer having a career. This is a crusade. This is a crusade. I am at the vanguard of the assault. So what's the absorption level? I mean, what kind of exam results do you get? 90s, 70s? That's very interesting. You know, I get between 70 and 90, and the absorption rate depends on how much I feed them, and I have to play to my audience, just like you're talking to an audience when you're doing a PowerPoint or something. You got to gauge the reception of your students. 
You're going to get a different crowd every class session, and they're going to be able to learn at different rates. And if you're not able to adjust and you just spit it out, the retention level is really bad. And that's where most training programs go wrong. You got to gauge your audience. Play to your people. So since we're on the topic of people, so do you teach like social engineering as well? Do you teach them the problems about the people? So I know you teach them all the tech side. Well, social engineering is an enormous component of cybersecurity. Social engineering is probably 90% of how the hacks get in. You set up all these defenses, and then that one phishing email gets behind your firewall, and that's how the malware gets delivered. One person clicked it because they weren't paying attention, and that's a guy that scored 65 in your class. Instead of 75. He didn't score 95. The passing grade of D, but he's still graduated. Man, so to get to access control, you know, we have that same failure of people. You know, let's start out at the perimeter, okay? Let's say we're starting on a property. We'll start with some physical. Let's just say we've got a parking lot, and we've got a bar up, and we've got to present our card to get in, right? So I pull up there in my car, put my card up there, doesn't work. Put my card up there again, doesn't work. Hit the intercom button, call the guy, you know, hey, I don't know. My card's not working, and what's the guy do? Without really knowing who I am, the intercom's lousy, probably. He can't really hear me. Well, he's going to ask for the serial number on the card, because the bar code's going to happen. Think? Yeah, he should. I think he's just going to open the gate and let me in. Oh, no, no, no. You've got to train that person. You've got to authenticate the person before they get in the door. Yeah. 
So that's, and so, you know, hopefully, but this is a problem in the industry, right, where people for convenience, he's like, there's five cars behind me. Everybody's honking their horn. Oh, I know Jerry. I can let him in. Yeah, yeah, I know that's him. I've heard him before, right? And they don't know if there's somebody in the car that's got a gun to his head. Right. Who knows? He's not working. Maybe he got fired yesterday, and this gate guard just made this decision to let him in. Now, this is a great example of that. Hollywood actually did a really good social engineering example in a 1994 movie, I think, Sneakers with Robert Redford. He's standing at the counter with a cake and some balloons, and he's trying to get into the building, because he said he's there for a birthday party. He's got to get there right now. And at the same time, another person comes up, I think it's Dan Aykroyd, just as a UPS driver, and he's saying, hey, I got to get in. I got to deliver this package. But it's just enough to overwhelm the security guard. And so he's like, OK, fine. And he lets Dan Aykroyd in. And then he lets Robert Redford in. And that's how they get into the building. But it was a social engineering demonstration. And it's perfect. Hollywood does a great example of that. And they put that in many movies. Just to what we just started first talking about, it gets to the point of people and people not maybe having a procedure to follow or a policy or a process and understanding the value of that, and then training them on it, so that they recognize the risk they create when they just get overwhelmed and make a decision. You know, instead of stepping back and saying, wow, this is our perimeter security, I've got an unknown entity out there. I've got to confirm what this is before I can go any further. And just let everything stop and wait. The line of cars will wait. The guy may or may not be the right guy, but we've got to figure out what his situation is. 
So now let's go to the digital perimeter. Let's just, well, let's presume, because we don't really run ISPs here. We're not Verizon or something like that. But let's presume a business guy. He's probably connected through a router. Should be. Right. Should have a router there. If you're out there in Wonderland, don't let the ISP service and his little cable modem be your router. That is not secure. So he has a router of some type. And the router has some configuration settings. Now, if you went and bought your own router, hopefully you looked at these things and there's a way in. Just like this gate operator I just had. There's the bar down. You've got to have a card. Let's talk about getting in. So what's available for someone to just get in? You know, maybe by default it's even open. Well, by default you're going to get the managed by LAN or managed by WAN. I mean, wide area network. It's going to allow you to come in through the internet to manage. And the old ones like Linksys, I'm not going to pick on Linksys, but everybody did this, Belkin, D-Link. They had the web interface that you could log in through the internet if you knew your external IP address for the rest of the world. And that would let you in and you could manage. And all it asked you was a username and password. And there was no guess three times and it shuts you out. You could guess endlessly and do a brute force attack and get into this thing. Or worse yet, when people set it up, they say, hey, cool, it works and they walk away. And they never turn that off. And you can turn it on or off. And they never change the default password. So why would a homeowner, even a small business owner, why would anyone, for that matter, because it's just not safe, need to manage their router remotely? I could think of one instance in my life and I shouldn't have done it. 
But I left my router open because I was traveling internationally and my family had no idea how to operate the computer network that I left behind. And so if they had any trouble, I could log in. From across the world. Super safe. Yeah, and I was in China. So I'm real safe. But this is like a decade ago. But I would never do that anymore. I would just teach them how to do it. So there's an analogy there for the digital access control and the perimeter access control on a facility. And this is this gateway. Now there's been another, obviously, some people exposed for writing a hard-coded remote pass-through on maybe another port. So there's other devices that have been found to have code written in them so that the manufacturer could get into it for service, for example. So it isn't that that's always the only way you can get to it from external. There may be, or there have been some devices compromised by a hard-coded password being in there that lives on port, what, 8051 or something like that. And that's where we diverge between security professionals and engineers. Engineers are just there to make things work. And they're paranoid as hell about locking your system up and not being able to recover. So when they make a box that locks, and they make that electronic box that locks, they make it so if it fails, it unlocks. Because they don't want to be locked out and throw it away. So that's the engineering perspective. I want to be able to make that work. So it's useful. It's useful to them. But when it gets to the consumer, if they don't remove that, it's horrible for us. So it's a useful engineering tool. But I like then more that bigger universities now, in their engineering programs, they're putting security into their engineering programs, secure coding, and things like that. So we don't get those kind of security breaches that are built into self-driving cars right now. You can hack a Jeep. 
Because the engineers made it work, and it works great. But a little too easy to get in, if you're an engineer. I've read about that with OnStar and some of those types of services. We saw that at Black Hat last year. Oh, that's right. Yeah, with the vehicle hacking. Right. So access control has quite a, if you're talking physical, it has a meaning. If you're talking electronic, it has a meaning. But the vulnerabilities for when it's breached, when your access control gets breached out on that perimeter, can be devastating. So back to our scenario. So our guy, let's say our guard was smart. He went out there and checked the guy. And his card's just not working very well. So at least he verified him, sent him off to the office to get him a new badge. So he goes and gets a new badge. And he goes to his office door. His access control privilege has been changed. It allows him to get into his office door. Now, this is inside the network. He's got the proper privileges configured. And we have an analogy for that on the network login. Right? OK. So that's just a standard privilege. You may use your login credential and then some password that you've been given. And now you get network access. Now, talk a little bit about the problem. If my network access is, let's say I have administrative access for a particular device, for example. And someone were to emulate or fake me the way we were trying to talk about someone faking the badge earlier at the reader. So what could someone do on a network if they sort of have breached that access level of that person and became that person? Now they have that sort of guy's privileges. And then what can be done with that? Well, first of all, let's talk about you having those privileges. You should have multiple accounts in that case. You should have that access to those devices that are administrative level for you. But you should also have a user account. 
So that if you were ever breached in some respect, more than likely your user access is going to be breached, because that's more commonly used by you. But if someone got your network credentials, well, it's the end game for whatever device. It's devastating. You can't be. They can shut things down. They can turn things off. They can steal information. They can destroy things. If they have control over systems, like electronic systems, SCADA controls, they can burn out motors. They can release valves. They can turn off heat sensors and wreak havoc across actual physical plants that handle things like oil and gas, and they could do it purposefully or they could do it negligently. Right. If they've been given the wrong level of privilege. So if in my example where I had gone to get my card replaced at the badging office and they gave me access to places I wasn't supposed to get, for example, if you're in access control, if you're in the industry that we're in, you make these access levels, right? So basically I'm a level three. Level three should give me my office door, maybe the front door, eight to five, things like that. Come on to room B. If they give me the wrong one and give me 24 access everywhere. You got the CIO level. Woo. Yeah. Then I can basically move all around. I can perhaps take advantage of information, see things I'm not supposed to see, gather things I'm not supposed to gather. Now ideally someone in security would be monitoring your access and know that you're at level three and your employment record and you've been going to the C level suites and using the employee. And so why would they catch it if I got, maybe I got promoted. You know, the security guy may not know. A lot of times they should know. They should know. I agree with you, they should know. In the security industry, we sort of married up HR. HR is kind of HR and access control tend to kind of go there, so you're brought in and maybe your privileges get issued from HR sometimes. 
Or at least when you get fired, they'll go, they'll alert security to turn off your physical credential. They should. Do they sometimes forget to turn off your logical credential? Lots of times, yes. And that's why the insider threat, if you let go of a disgruntled employee and you do it in the wrong way and it's antagonistic or there's some kind of animosity there when they leave, if those credentials aren't turned off, they still have access to your systems and they perceive you're treating them badly and they're going to try to take revenge. And that could be devastating to your company. Especially if they've already been terminated, so they've truly become a criminal. Now they're really a hacker. That's right. And once you're a criminal versus hacker, we like to make that distinction. Some of that criminal activity is... But not all hackers are criminal. Some are security engineers. Yeah, I've seen more and more people bristling at that, like, make criminals or criminal, a hacker, but I'm not a criminal, you know? That's an important distinction. We're gonna pay a few bills, I think, for about a minute and then we'll be back and we'll move on with our access control story. Thanks for watching. 
Hey, welcome back to the Think Tech studios. This is Security Matters, we're with Dave Stevens, we're talking about access control, physical, logical, electronic, all things. So, we kicked the can on getting in, we kicked the can on getting around a little bit, we kicked the can a little bit on being given sort of the wrong level of privilege or being given a privilege that you misuse either negligently or, like you said, the insider threat gone bad maliciously, right? And I have a good story for that when we get back to it. Oh, so we have that sort of issue. Now, let's, I want to talk a little bit about convergence but I want to make a couple of points first. We can, sometimes at our facilities, we'll control access with multiple levels of authentication. Oh yeah, should layer security, defense in depth. Sure, and so basically it could be where I have a high security room where I ask for another credential, maybe I've got you present a card and then you have to put a PIN or maybe a biometric or all three. And perhaps I do that by time of day. So maybe on Monday through Friday, eight to five, I'll let you move around with your card. But from five at night till eight a.m., I'm gonna make you ask for a second credential and maybe on the weekends we're gonna ask for all three. So there's always this trade-off for convenience and security. And we have that also in the digital world. So multi-factor authentication has come around quite a bit. Is that a thing now that is sort of, we're using in the enterprise space to move around? Is that something that I can make different identities with? You gave the example of me having my basic network log-on credential, but then also having an admin log-on credential for the things I need to manage. 
And so would that have two different MFAs or would it be the same thumbprint with both? So what do you think, how does that work? Yes and no. And I wouldn't use the same biometric for multiple accounts. Would I do something like Google Authenticator? It's an algorithm that gives you a unique number based on a unique algorithm and the time of day or something like that. And you run that application and you tell your authenticator, using a service like Active Directory at Microsoft, use Google Authenticator or Microsoft Authenticator. And they run the same algorithm and they have matching numbers, but they're only good for about 30 seconds. So you enter that one, your password and your username and you get in. Now if you want your network access, it's a level up. You have to log out, log back in with your other access credentials. Your password for that account, which hopefully is different, please let it be different. And then the Google... Can you force that? I think you should force that if you can. You should force that. And then Google Authenticator again because this is a unique number based on another algorithm. So you can use MFA for two different accounts and you really should. And even biometric as well. You can use the little USB biometrics we have. You could and I would do this though. At different accounts, I would take a different biometric reading. I wouldn't use the thumbprint for both because it's like using the same password, right? You could have an optical reader. You could have a voice imprint. You could have fingerprint. There's multiple biometrics. Yeah, they have the video on the Surfaces now so you can just use your face if you want. That's very interesting. No, has it been fooled? There's big brothers out there and yes, it has been fooled. In fact, I have the iPhone that's supposed to recognize your face. And if I have my glasses on at night... Well, it doesn't like you. With your glasses. Not with my glasses at night. 
So what if you make your original image with your glasses, then if you don't have them on, it won't recognize you either? Glasses off at night, recognizes me. Glasses on in the daytime, recognizes me. It's only dark, like low light and glasses, then I don't know why. Interesting. So the same... I'm trying to point out with this episode that the same principles really do apply for physical access control. And when you're trying to manage physical access control, I think a lot of people really get lost on the logical access control and all that can be done. And the reason that we wanted to talk about this is the converged piece of this that the industry's been doing really quite a while through LDAP, Active Directory, some of those sort of directory level services are... Let me just give you a good converged example would be if I have come to work, I've come through the front gate, I've logged into my office, and I'm using my... Let's just say I'm using a card to log into my PC as my another form of authentication. Well, if someone were to try to VPN or remote in using my remote credentials... Those should be shut off. Yeah, they should be shut off as soon as I've gone local because the system itself knows that I'm local. And vice versa, if I haven't come into the building or into my office door, my internal log-on credentials are not authorized. So these are called carry credentials. You should carry these credentials. There's something you have and something you know. And it's like your ATM card. And you can't get remote access without it. So you should have your card, your Google Authenticator, plus your username and password, all three of which will get you into the system. And a lot of companies that are high-security, their prox card or their radio frequency card, you have to set it on a reader or stick it in a slot before you can do anything with your computer. 
And if you walk out of the room without your card, you walk in the hallway, you can get out into the hallway, but you can't get back in your room because your card's in your computer, right? So you're supposed to remove the card. And when you do, it automatically logs you out. Logs you out. So a lot of people will keep one of those little spring-loaded things on their card. So when they walk away, it rips it out of the computer and keeps you safe and doesn't get you stuck in the hallway. Yeah, it's really popular. Our DOD clients all work that way, right? So that's how they're moving around. And they're using that single, that CAC card, right? The common access card is what I think it is, for their logical and in some instances for their physical credentials as well. This is not well monitored. And as recently as about 10 years ago, I proved it on a military installation which shall be nameless. I was able to not only drive in the back gate without being identified. And mind you, I had hair down past my shoulders at this time. I was dressed like a surfer. I had my surfboard on the top of my head. You were going surfing. Somewhere in the league. I just come back from surfing. So I was still soaking wet. And so I drove on a base. No one checked me. I drove up to the gas station. I pumped gas at the gas station. No one was at the gas station. I just used my regular old credit card. I didn't have to ID it. I walked into one of the buildings. And I stood there with my phone, just checking my email until someone walked in. And I just walked in behind them. And I did that same process through the entire building until I got to the place where I needed to go to meet the person I was going to meet that day. And when he came into his office, I was already there. Sitting there. Sitting there. And he had an access control reader on his door as well? Well, I didn't need it because his secretary would come in and open the door to let it air out, I guess, in the morning. 
Oh, it was propped open. It was propped open. So security to his office was useless. It was a, well, the S1 wasn't really happy about that. I bet. Yeah, so I had to talk to the gunny about that. Sure. So we have, in the access control world, we have door held open, door forced alarms, things like that. So that door held. If there's a reader on that door, should have been going off. Someone should have been paying attention. It's a budgetary decision, right? Because there's levels of this stuff. I would just go into the software. Some of them don't have that level of sophistication. Or they're not paying attention to it, right? They're shunting the alarm or turning it off because the colonel always props his door open. So you don't mess with the colonel. You just turn it off, right? Because when you go, colonel, sorry, your door problem, he says, yes, it's what, we're having an alarm. We'll shunt that alarm, son. And then you go shunt the alarm, and then that becomes the SOP. Sounds like the colonel needs some training. It's always people. It's people, man. Sure. It's going to come down to that. Yeah, so I'm interested in where you think access control is going to go. So there's a lot of, I guess we could talk a few minutes about escalation of privilege. So what occurs if someone can compromise your credentials on the network, and then they can try to move you up, move you into, find something that you can manage and then turn those management credentials into management of other things or move horizontally across the fabric of the network, maybe into another device, ultimately into wherever your crown... That's the goal. Your crown jewels are. Let's discuss something like Equifax or the Sony hack of 2014. It's the same thing. We discussed this last night at Rotary, right? The first hack of Equifax happened in March of that year. But it didn't get reported because it was a breach, but no data was exfilled. Nothing got taken, right? 
So reporting-wise, they weren't required to report it. But what was really going on is when you're in there, you escalate privileges. That's one of your first things that you do. You try to find the God rights on that machine. When you do, you do something called a pivot. You pivot to the next machine over and scan. Pivot to the next machine over and scan and scan and scan and keep pivoting until you've mapped the entire network. Once you've mapped the entire network and have God rights on all the network, admin rights on all the systems, then you can start seeing what's on all those systems. And that's why three months later, all the data left, because it took them all that time to map and to find that data. And then that's the goal. Were there perhaps some credential level that they needed to achieve to be able to execute that exfiltration? Well, there definitely was a credential level. I don't know if it was network admin level. It would have to be network admin level to open up the ports to let you exfil the data, right? But really, when you're getting into the database, you don't need tremendous rights. You just need certain rights that a database admin would have. And potentially they were, while they're in there, they're installing like keystroke loggers. So whenever other people are logging in, they're harvesting those credentials till they get the guys. That's dangerous because so those are active. Oh, they see that running. Yeah, they see that running. So that's gonna get caught. So what you wanna do is stay passive. You wanna stay under the radar and do as much as you can without doing stuff like active monitoring. Active thing, okay. So if you stay passive as long as possible, then when you do go active and someone catches you, you're already on your way out. So it's fine. So the relationship, I think, for that with physical access control is the guy who's going around and he's checking doors to see, you know, where is he authorized? 
Little tickle here, little jelly, yeah. He got that new card issue to him and he realized, wow, I'm able to go to places. I wasn't able to go before. Maybe they've changed something. So then he's checking doors and the guard's not realizing it. Especially when you see that, I've always used to tell folks that we're managing these systems that when you see that unauthorized card read more than once, someone might do that one time and it's like, oh, I'm at the wrong door, whatever. But when you see people doing that, that's an insider threat problem. Potentially, it could be negligent, but it could be malicious and that's the kind of thing you've got to pay attention to. Someone that hasn't, or what if they just, you leave your card laying on the desk and you have more privileges than me and now I'm taking your card, getting into some room I'm not supposed to be into, harvesting information I'm not supposed to be harvesting because we didn't use like 2FA, for example. So there's quite a bit of, I think when people, I think physically, they can usually see that in their head about how to manage and the importance of managing credentials for people to move around a facility, but I don't know if they see how that ties to electronic access control and what we call logical access control and some of the problems that can occur because this is really how hackers, what they're doing, they don't just get into my workstation here, they're trying to attack into the network and keep it moving, right? And so access control, so we want to get to what's it called least, what's the least amount of privilege? Least privilege, can you talk about that just for a little bit? Least privilege is when I assign you the exact amount of access rights you need on my system just to do your job, period. Okay. Nothing more, if you need to do office work, you need Word, Excel and PowerPoint, you get that if you need to get onto the company share drive and you get an email. Great, that's it. 
But you don't get the database privileges, you don't get into the HR system, you don't get sales data, you don't get the CIO reports or the monthly accounting because you don't need those to do your job, so you get the least amount of privileges to do your job. That should always be the rule. However, that takes a lot of work. Yeah, sure. When someone gets hired, you have to examine their, what's their job role, exactly what network access do they need and you provide that to them. There should also be a process so you could get promoted. Three years later, you're the manager of accounting, you need more privileges, so now you need to go under a review to see what privileges that position requires and that's, again, that's a challenge. So access control requires a lot of management, both physical and electronic. Make sure you're implementing the policies and that you're managing those policies and following them to protect your company. Thanks for joining us on Security Matters. Dave, thanks for being here, bro. Appreciate it. Good to be here, man. We'll see you next week. 10 o'clock Friday on the Think Tech Hawaii Studio Show.