Your Social Media Presence - Cyber Security: What you need to know.

 

Hello everybody. This is Becky Daniel's team, Supplier Diversity Officer at the University of Delaware. Welcome. Today, we have Mr. Tony would talk with us. He is from Cybersecurity Consulting Ops. He is the CTO, and I believe that's the chief technical officer, and owner of the company. So Tony, welcome.

Thank you.

So Tony, why don't we start off with you telling us a little bit about yourself and how long you've been in the business?

Well, thank you for that and thank you for inviting us to be a part of this program. My name is Tony. I'm the owner and director and CTO of Cybersecurity Consulting Ops. So we've been in the technology space since 1996. I started out as a technician for Comcast. And as I went to college, I got involved with C programming and just fell in love with programming. And from there, I went on to become their Director of Addressability, which was, you know, some type of cybersecurity. Because what we were doing, we actually launched the digital video. And your digital video basically helped customers to, um, watch video on a two-way box. But we provided the security to prevent customers from hacking the system backwards. And then from there I went to Cisco, working on Comcast cloud products. And that also helped us in the areas of scripting, um, you know, Unix admin and network. And so that kind of helped us to hone our skills. And so that's how we got involved with cybersecurity and technology on the security side.

Okay. I understand that technology is your extracurricular activity.

That's correct.

I guess that's the right way to say it. Extracurricular activity, you love technology. But technology. Can you explain to the audience? Technology and cyber, because when I think technology, your company is a cybersecurity company, correct?

That's correct.

Isn't that technology? I mean, what's the difference between IT and what you're doing? Why isn't it IT security, right?

Yeah.
So IT is the infrastructure that cybersecurity resides in. So think of it this way. So IT is responsible for the devices, you know, passwords, the entire infrastructure, from the router to computers and so on and so forth. What cybersecurity is responsible for is to protect the data within that infrastructure. So think of it this way. Every IT system should have a database. So the job of the cybersecurity personnel is to make sure that they protect the data at rest. That means a backup data system and the data that travels. So where we come in is basically look for ways that when that data is at rest, the data is secure. And when the data is moving, that the protocols that protect that data are secure. So that's basically how it works.

You keep freezing up on me.

I see that. Let's say it's me. I don't know why it keeps freezing up.

Okay. Alright. I guess we can keep going. So if I'm a small business and I have an IT department, I shouldn't have an IT department as a small business, right?

That is correct. So the way we look at this is everyone should have an IT company and everyone should have at least an assessment from an independent cybersecurity once a year. And the reason for that is machine-to-machine. There's machine-to-machine protocols. And you wanna make sure that the protocols between the machines are secure. So give me an example. There is a protocol called TLS. And so if you're running TLS 1.0, right? Because you never, you never had an assessment. That protocol would allow a hacker to eavesdrop and steal information. So one of the things that we do when we do cyber audits, we look for this thing called TLS and look for TLS 1.0 in particular.

I'm sorry, what is TLS?

Transport Layer Security.

Okay.

So we look for that to make sure that the product, that protocol is up-to-date and is working the way it should. What do we mean by that?
If you have TLS 1.0 and you have Sweet32, it simply means that your system is vulnerable. And so a hacker could do this thing that they call a man in the middle. What does that mean? It simply means that someone could be in Australia and they can basically listen to the traffic between those two servers and steal that information without them being on your system. So we call that a man-in-the-middle attack. And a lot of times we see these types of issues on websites where the websites are running. They look good, they may be great, you know, have great information. But what hackers are looking for is how can I get in between the input on the website and the destination to steal information. It could be credit card information and it could be PII information, whatever type of information there might be that's important to them.

Oh, I'm, I'm, I'm kinda understanding this. But wouldn't hackers be more interested in large, potential large transactions, large information, like large companies, large banks, hospitals, and things like that? Why would they be interested in small businesses?

Small businesses, perfect. Because if I could hack 1 million small businesses and only take $1, that's $1 million a month. So the thing is, you're looking at it from, most small business owners look at it at all. What I mean is, you know, "they don't want me." But at the end of the day, if I can make $1 million a month by only taking $1, something that you may not miss, then that's a big, a big pile of cash for me. There's also another thing to look at, right? So most of the time when small businesses get hacked, they could get hacked for several reasons. Number one, they could become a botnet. And what does that mean? It simply means that I can infect 2 million cameras. And by infecting 2 million camera systems, I now want to attack the University of Delaware. So what I would do then is tell those 2 million cameras to attack Delaware.
Given an IP address of Delaware, what is going to happen is that server is gonna give up and then expose its database. So that's why you hear the term botnets. Botnets simply means that you get a bunch of IoT devices, Internet of Things devices, and you use them to storm, sign on or ping or whatever it may be, a certain device that you want to hack. Cause this thing called a buffer overflow. And by doing that, that system is just, just gonna give itself up until it gives up. You could have everything that you want. And so that's why hackers create botnets, and they can really do that. That's a fact.

How would a company combat it? I mean, how would they know?

So most companies use something that would prevent DoS. They call it a DDoS attack. And so I use, for instance, I use a firewall company that protects our website from DDoS, or a firewall for the office. We use a company that protects us from DDoS. And what does that mean? It simply means that if it sees it's receiving too many attacks, it just stops, it just shuts down and says, "I'm not talking to anybody else." So the DDoS, you have companies out there that will protect you from DDoS. And the reason why is because if they continue to listen and accept all the commands that are coming in, they will basically give up their database.

But how, how, how do you ensure that the company you're working with doesn't have the same issue?

Well, again, when it comes to technology, there are companies out there that understand how DDoS works. So to give you an example, one of the things that we have done is that we turn off this thing called ping. What is ping? So if you have an IP address of your router, I can ping your IP address. And by pinging your IP address, it will tell me that it's alive. So it's just like calling into the dark: "Ms. Daniels, are you there?" Ms. Daniels doesn't answer. I don't know if she's there. So what happened is I basically turn off ping. When I turn off ping and there is a DDoS coming in, I'm not going to answer.
So if I don't answer, there's nothing you can do and you don't know that I'm there.

As a small, small business. I'm putting myself in the place of being an owner of a small business. I have a website. Maybe I have someone that is hosting it for me, or maybe I'm doing it internally. How do I combat against this? Is it a requisite to have an audit? How often should I have an audit? What type of things should I be looking for? Do I give this to a third party to use? What would I tell?

Alright, so number one, the first thing you need to understand is there is a difference between cybersecurity and IT. That's the first thing. Then the second thing you have to ask yourself: what type of data do you store? If you're storing medical device or medical information, you want to make sure that you have a regular cybersecurity audit, and any audit. These are some of the things that a good cybersecurity consultant would advise you to do. The second thing is if you're in the financial business, because the two highest hacked places, for lack of a better word, are going to be medical and financial. Financial, you may want to have an audit every week. Okay. Because again, there's someone always knocking at the door. And you probably want to maybe do every quarter for medical providers. But if you have an audit, you want to make sure that you're asking the right question. You want to make sure that, in particular, if you're storing a database, you want to make sure that if there is data exfiltration... What does that mean? It means that you have a database and if someone is stealing your data, you get an alarm or you can block them. So you have to make sure that you have the right monitoring in place, that if someone is stealing your database, you get some type of messaging or some type of warning to let you know that there's something going on.
Okay. When you say finance, so I'm thinking of banking, but are you talking about someone that's just selling products on your website?

No, if you're selling products on your website, you want to make sure that you have information... That you want to make sure that your credit card information on your website is not stored on the database at a website. So for instance, you may want to use PayPal, you want to use one of those things that actually collect money securely. If you're taking money from people or from customers, you also want to make sure that you're not storing it somewhere with their credit card information that can be easily accessed without security protocols. So there's many ways to look at this. Most people take credit cards, but they use PayPal or something else that actually stores that information somewhere that's secure. If you're taking customer information, just make sure you're not saving it to an internal database that can be hacked.

So going back to a small business, I'm starting a business. Is this one of the first things I need to be thinking about as I think about opening a bank account, getting my LLC and filing all the paperwork I need to do to start the business? Is this something that should be, like, right up there in the top ten things that need to be done?

Yes. One of the other things that you have to look at, not to say anything bad about cable companies. But one of the things that you wanna do... most cable company routers will not protect you. Um, I know, I know that's pretty broad to say, but they all say they do. I'm sorry. They all say but they were all right. They absolutely. But you want to make sure that you have a router that you can create VLANs. And let me explain what that is, right? So any router that you can get into by sending a phishing email. And you have the coconut effect, right?
Where it's hard on the outside but soft on the inside. Soft on the inside simply means that you can go from device to device without being hampered. So let me kind of draw a little picture for you. Inside your house. So you build a house and then you want to put up security measures around your house, right? So for security measures around the house, you want to have lights, right? Windows?

Yeah.

You have doors?

Yes.

You have cameras?

Okay. Yeah.

And then you have rooms?

Okay.

Okay. If someone is walking through your house and they're able to see your bedroom, your living room, all at the same time. Was that Talia, Florida?

Yeah. That's right.

So think of it this way. The Internet is the same way. So when someone, if someone gets to break into your system in your house, you want to at least have a locked door that leads to your prized possession, correct?

Right.

Okay. So that's what a VLAN is. That's why you need a router that you can have different VLANs with access control. So if you have a house and you have a safe, let's look at it this way now. So you have a safe, you put it in your basement, the basement has a locked door, then you have a common area. Before that common area, you have a door. So you see that data is buried three levels deep. Okay? So four, actually four, because the safe is locked, right? So if you have a system, a router that allows someone to get in and right away they are able to see your prized possession, then your system is not secure.

And an audit will reveal that?

An audit will reveal that, yes.

So is it best to get an audit quarterly? Yearly? How do you know when you need an audit?

Every day. The NIST, N-I-S-T, which is run by the government, releases vulnerabilities. So we recommend... and what is good today, it could be bad tomorrow. In other words, what machine, depending on what's running on the machine. So you may have, say you have a Dell computer, right? That Dell computer could be bad, could be good today and next week it's bad.
So what I mean by bad means the government did release a vulnerability, well, Dell releases a vulnerability that you don't know about, alright? And so what an audit is going to reveal is that you have a system that's vulnerable. You, the business owner, you're too busy to actually find these vulnerabilities. So basically, the audit is going to reveal the vulnerabilities for you and it's going to give you the fix. So you have to make sure. And that's why you need to audit. Because it's good today. It's gonna be good tomorrow. The audit would reveal what you need to do to fix that vulnerability.

And your IT department, or the person who is handling your website, can't do that for you?

So it's not that they can't do it. We just haven't found a team that is able to do all the work that they do every day and do the audit properly. The mindset for cybersecurity is, how can I get in? The mindset for IT is, how can I protect? Cybersecurity fall more under NIT? There's, there's two different mindsets.

I'm a small business owner and I'm afraid, afraid of. Have you had instances like that, where you've been able to speak to suppliers that are small businesses that have run into these types of problems?

Yeah, I mean, I have a story to share. I think what we're seeing is that if you don't understand that there is a difference between IT and cybersecurity, this story is perfect for you, right? Because this customer got hacked. The information was being sold on the black market. Someone from another state called the customer of the, called the customer's customer, if I'm explaining that right, and let them know that my customer... Well, let me, let me back up. So we received a call from a local small business. They got hacked. The way they found out about the hack was a detective from another state called their customer and let them know that their information was for sale on the black market.
And the record that was for sale was tied to a company. Now, they didn't warn the company that got hacked. They warned the customer of the company that got hacked. So what happened? The customer picked up the phone and called that customer. That customer ended up calling us to tell us that they've been hacked. And so basically the hackers did the broadcast for them. What am I saying? It simply means now that that customer could face some type of lawsuit because their information was stolen from them. Their record was tied to them on the black market. So there's no denying that that breach happened to that company, with this customer information.

Is there a requirement that a business has to be notified if their information is on a black market in this bound like that? Instead of the detective calling the customer, shouldn't they have called the company?

No. So there's no really rules to this. In some states, I know in New Jersey, if you find out that you have a breach, you have to report it to the state. You have to also notify your customer. Then you also have to help the customer to understand the things, the controls that they need to put in place to prevent any further damage. So refusal to do so will cost you and your company, and you'd get fined. So once you know that you've been breached, it is your responsibility to reach out to your customers to let them know that you have been breached.

And you would have to notify all of your customers?

All of your customers.

Even if they weren't impacted by it?

But you don't know if they were impacted by it. Because once the database is stolen and the information is in that database, you could say they have been impacted.

Is there a possibility that the business that contacted you, that it wasn't stolen from them?

No. It's a possibility, yes. And is it possible to know now, now that record is on the black market? Right?
Because more than likely there's gonna be some information with your record that will say that it came from your site. Now, there's a site called Have I Been Pwned that you can put your email address in. And the government has a way to track your email address and tie it to a company that it was breached from. There is more than likely that once that information is on the black market, it can be identified by the FBI that it came from you.

What you just said, would you advise every business owner to go to that website and put their information in?

Absolutely. Absolutely. Have I Been Pwned. All you have to do is put your email address in and it will show you all the companies that lost your email address or were part of a data breach. But they're supposed to alert you that they did. They probably did an email. You probably saw the email and thought it was fake. It also depends on the state that you're in. So I know in New Jersey that you have to report it. For Delaware, Pennsylvania, it may be different. So depending on the state that you live in, you're doing business in, they have different laws.

So there's not a federal law around cybersecurity and what websites and businesses are supposed to be required to do?

There are, but they're not strictly enforced. If you take, for instance, HIPAA, right? So HIPAA law is on the federal books, but it's not really enforced. It's not strictly enforced. So you can get around. There's a lot of companies that found out they'd been breached through an audit, but they will never tell you.

Well, this is all very interesting and very scary stuff.

Is this very interesting and very scary stuff? One thing I want to, let me add this too though. So let me kinda go back to where we talked about small businesses and, you know, why they want to, you know, why would you want to worry about protecting the system?
One of the things that we have seen, this happened very early, before I got into this business, Cybersecurity Consulting Ops. What hackers like to do is to take over a system, particularly a consumer system, and attack the federal government or attack someone else. And the reason for that is if I come to your business website or your network and attack the government, it's easier to steal your identity. Because what the government is going to see, the IP address that's doing the attack is going to show that it's Ms. Daniels' IP address, not their IP address. And that's why hackers love to use VPN, right? Whether it's a phishing scheme or whatever scheme it may be, it's because they can easily, easily hide their IP address. They could rent an Amazon bucket and do all the mischief from the Amazon bucket. It may take a few months before Amazon realizes that this particular bucket is doing malicious things. But by the time they realize it, you already got what you need and you're gone.

Okay. That's a lot. For social media presence. Social media presence, that may a company not want to have a website.

Here's another thing that you should do, talking about social media presence. So when you take a picture of yourself, one of the things that you wanna do, you wanna delete as much information from that picture, because that picture has your computer information and the coordinates of where that picture was taken.

So you want to produce, it talks about, if you go to the properties of the picture?

That's correct. So what you wanna do is you want to delete as much information about your coordinates and the information in your picture. Because, because of coordinates, you can use the coordinates to kinda figure out where you are, whether it's your house or whether it's your business. The business doesn't matter, but more likely your house.
And so by eliminating the coordinates, it will prevent hackers from finding your router, finding where you live, and things like that. So those are some of the things that small business owners, especially, particularly those that are working from home, need to be aware of.

What about the intellectual property?

Well, that has to be protected too. When we started out, we had a guy from India that was using Cyber Security Ops in India. So you definitely want to talk to, interpret that to a lawyer and make sure that you're covering, especially a slogan. You know, the name Cybersecurity Consulting Ops, you know, that's probably not as easily stolen, because if you have, you know, that information is stored, you know, you have to store that information where no one can get into it, that website information. But your slogan is what you must protect. So for instance, if you say "we are first to serve," someone can steal that if you don't protect it.

I don't think that a lot of people understand that.

No, no. I mean, the thing is most people just put a website together. They may have a slogan. Slogan sounds good, no one else has it, but they're not thinking, okay, what about if we get really big, what is going to happen? Can someone steal the slogan, and so on and so forth. Again, they also could take over your website. That's one reason why you must always do multi-factor authentication, especially where your website information is located.

But Tony, you sure gave me and the audience, I think, a lot to think about. I'm thinking that we probably need to have a part two of this conversation at a later date. As you tell me, what's good today may not be good tomorrow.

That is correct. It's ever evolving, cybersecurity. That's why we always say, if you could just fix it today and it's good tomorrow, then you wouldn't have over 3 million job openings. Cybersecurity is very, very complicated. You could have someone who, you know, gets their certification.
It could be any type of cybersecurity certification, but they don't really understand the full scope of cybersecurity. Cybersecurity comes with a lot of experience, a lot of working with a command line interface, meaning the back door, if you found the back door to your laptop, the back door of your website. Most cybersecurity professionals that are really good at this, they don't work with GUIs. You have to know a little bit of everything. You have to understand, you know, when you get that sense that something is wrong. There's no cookie-cutter way of actually saying, "Oh, we're gonna go down this path, and this is the only path that we gotta go down." A lot of times we do assessments. And that assessment, the first assessment, maybe with a paid tool, the paid tool may not find a vulnerability. So we go with free tools because hackers use free tools. And so we use the free tools and we're able to find vulnerabilities with free tools where we weren't able to find what we wanted to find with the paid tools.

Right? That's one thing, and it's telling me the paid stuff isn't worth anything, is worth something. But the free, like, give me an example.

So VirusTotal is a website that you go to and you can scan to find out if the URL that you receive is bad or malicious. Okay? Well, hackers scan their URL to make sure that if there's any hash that's bad, they fix it. When you go and scan, it comes back clean, because all of these tools are available to all of us, right? And the tools that are available to all of us are for free, but the tools are available to all of us. Then the bad guy, the good guy and all the guys and girls are going to try to make sure that they can hide what they're doing and do it very well, right?

Like I said, we're going to have to have another conversation. We're going to have to come back again and have some more conversation about cybersecurity because this is not just a one-and-done conversation. So we're going to have to come back again.
Thank you, Tony, for talking with us today. I appreciate it.

Thank you. Thank you.

Thank you. We will be talking again. Everyone, thanks for sitting and having a chat with us today, listening to our conversation with Supplier Diversity, Cybersecurity Consulting. Ask the attorney with TOC. We will be out and we'll see you again. Thank you very much.

Thank you. Bye-bye.

Bye-bye.
