Cyber Marketing Conversation With Ms. Daniels From UDEL Supplier Diversity Officer

Hello everybody. This is Becky Daniel’s team, Supplier Diversity Officer at the University of Delaware. Welcome. Today, Mr. Tony will talk with us. He is from Cybersecurity Consulting Ops. He is the CTO; I believe that’s the company’s chief technical officer and owner. So Tony, welcome. Thank you. So Tony, why don’t we start with you telling us a little bit about yourself and how long you’ve been in the business? Well, thank you for that, and thank you for inviting us to participate in this program. My name is Tony. I’m the owner, Director, and CTO of Cybersecurity Consulting Ops. So we’ve been in the technology space since 1996. I started as a technician for Comcast. As I went to college, I got involved with C programming and fell in love. And from there, I went on to become their Director of addressability, which was, you know, some cybersecurity. Because of what we were doing, we launched the digital video. And your digital video helps customers to, um, watch video on a two-way box. However, we provided the security to prevent customers from hacking the system backward.

How Did I Get Into Cyber Security And IT Services?

And then, from there, I went to Cisco to work on Comcast Cloud products. And that also helps us in scripting, a Unix admin, and a network. And so that allows us to hone our skills. And that’s how we got involved with cybersecurity and technology on the security side. Okay. I understand that technology is your extracurricular activity. That’s correct. That’s the right way to say it. Extracurricular activity, you love technology. But technology. Can you explain this to the audience? Technology and cyber because when I think technology, your company is a cybersecurity company. That’s correct. Isn’t that isn’t that technology? What’s the difference between IT and what you’re doing? But why isn’t IT security, right? Yeah. So, IT is the infrastructure in which cybersecurity resides. So, think of it this way.

Explanation Of What Part Of The Network Is IT And Cyber Security.

So IT is responsible for the devices, passwords, the entire infrastructure or the router to computers, and so forth. What cybersecurity is responsible for is protecting the data within that infrastructure. So, think of it this way. Every IT system should have a database. So, the cybersecurity personnel’s job is to protect the data at rest. That means a backup data system and the data that travels. So we look for ways that when that data is at rest, the data is secure. And when the data is moving, the protocols that protect that data are safe. That’s basically how it works. You keep freezing up on me. I see that. Let’s say it’s me. I don’t know why it keeps freezing up. Okay. Alright. We can keep going.

All Small Companies Need An IT Department.

So, if I’m a small business with an IT department, I shouldn’t have an IT department as a small business. That is correct. So we look at this: everyone should have an IT company and at least an assessment from independent cybersecurity once a year. And the reason for that is machine-to-machine. There are machine-to-machine protocols. And you want to ensure the protocols between the machines are secure. So, give me an example. There is a protocol called TLS. And so if you’re running TLS 1.0 because you never had an assessment, that protocol would allow a hacker to drop and steal information. So one of the things we do when we do cyber audits is look for this thing called TLS and look for TLS 1.0 in particular.

What Is TLS? TLS Is Transport Layer Security.

So we look for that to ensure the product and protocol are up-to-date and working as they should. What do we mean by that? If you have TLS 1.0 and Sweet32, it simply means that your system is vulnerable. A hacker could do this thing where they call a man in the middle. Does that mean someone could be in Australia, listen to the traffic between those two servers, and steal that information without them being on your system? So we call that a man-in-the-middle attack. And often, we see these types of issues on websites where the websites are running. They look good and may be great, you know, have great information. But hackers are looking for how I can get in between the input on the website and the destination to steal information. It could be credit card information, PII information, or whatever type of information that’s important to them.

Why Are Hackers Interested In Small Companies?

Oh, I understand this. But wouldn’t hackers be more interested, enlarged in potential large transactions and essential information like large companies, large banks, hospitals, and things like that? Why would they be interested in small businesses? Small businesses are perfect. If I could ask for 1 million small companies and only take $1, that’s $1 million a month. So the thing is, you’re looking at it from most small business owners; look at it at all. What I mean is they, you know, don’t want me. But at the end of the day, if I can make $1 million a month by only taking $1, something you may not miss, that’s a big pile of cash for me. So there’s also another thing to look at them. So, most of the time, when you get hacked, small businesses get hacked, and they could get hacked for several reasons.

Hackers Can Use Customer Devices As BotNets.

Number one, they could become a botnet. And what does that mean? It simply means that I can infect 2 million cameras. And by infecting 2 million camera systems. I now want to attack the University of Delaware. I would tell those 2 million cameras to attack Delaware. Given an IP address in Delaware, what is going to happen is that the server is going to give up and then expose the database. So that’s why you hear the term botnets. Botnets mean that you get a bunch of IoT devices and Internet of Things devices, and you use them to storm, sign on, pay, or do whatever you want. It may be a specific device that you want to hack. This thing called buffer overflow. And by doing that, that system will give me up until I give up.

DDOS attack

You could have everything that you want. And so that’s why hackers create a botnet, and they can do that. That’s a fact. How would a company combat it? How would they know? So most companies use something that would prevent DoS. They call it a DDoS attack. And so I use, for instance, a firewall company that protects our website from DDoS or firewalls for the office. We use a company that protects us from DDoS. And what does that mean? It simply means that if it sees that he’s receiving too many attacks, is just stopped, is your shutdown pin, and says, I’m not talking to anybody else. So the DDoS, you have companies out there that will protect you from DDoS. And the reason is that if they continue to listen and accept all the commands, they will give up their database. But how do you ensure that the company you’re working with doesn’t have the same issue? Again, when it comes to technology, there are companies out there that understand how DDoS work. So, give you an example. One of the things that we have done is to turn off this thing called ping. What is ping? So, if you have an IP address for your router, I can ping your IP address. And your IP address will tell me that it’s alive. It can also reveal important information that hackers can use to hack you later.

A Regular Cybersecurity Audit Is Very Important For Your Business.

So it’s just like calling into the dark. Ms. Daniels, are you there? Daniel doesn’t answer. I wonder if she’s there. So what happened is I turned off the ping. When I turn off ping and a DDoS is coming in, I won’t answer. So if I don’t answer, there’s nothing you can do, and you don’t know I’m there as a small business. I’m putting my place in myself as an owner of a small business. I have a website. I may have someone hosting it for me, or I’m doing it internally. How do I combat this? Is it required to have an audit? How often should I have an audit? What type of things should I be looking for? Do I give this to a third party to use? What would I say? Alright, so number one, the first thing you need to understand is that cybersecurity and IT are different. That’s the first thing. Then, the second thing you must ask yourself is, what type of data do you store? If you’re storing medical devices or medical information? You want to ensure a regular cybersecurity audit and any audit. These are some of the things that a good cybersecurity consultant would advise you to do. The second thing is if you’re in the financial business, because the two highest hack places, for lack of a better word, will be medical and financial. Financial. It would be best if you had an audit every week. Okay. Because again, there’s someone always knocking at the door, and you probably want to do every quarter for medical providers. But if you have an audit, you want to ensure you’re asking the right question.

Add Data Exfiltration Software To Alert You If There Is A Problem.

You want to make sure that when you add Smith, particularly if you’re storing a database, you want to make sure that if there is data exfiltration, what does that mean? It means that you have a database, and if someone is stealing your data, you get an alarm or you can block them. So, you have to ensure you have the proper monitoring in place. If someone is stealing your database, you get messages or a warning to inform you that something is happening. Okay. When you say finance, I’m thinking of banking, but are you talking about someone with a desk selling products on your website? If you’re selling products on your website, you want to ensure you have inflammation. You want to make sure that the credit card information on your website is not stored on the database at a website, so you may want to use PayPal, and you want to use one of those things that collect money securely. If you are, if you’re taking money from people or customers. You also want to ensure you’re not storing it somewhere with their credit card information that can be easily accessed without security protocols. So, there are many ways to look at this. Most people use credit cards, but they use PayPal or something else that stores that information somewhere that’s secure. If you’re handling customer information, ensure you’re not saving it to an internal database that can be hacked. So, returning to a small business, I’m starting one. It’s one of the first things I need to consider as I think about opening a bank account, getting my LLC, and filling out all the paperwork I need to do to start the business. Is this something that should be in the top ten things that need to be done? Yes.

It Would Be Best If You Had A Router That Can Create VLANs. This Is Network Segmentation.

One of the other things you must look at is saying everything correctly about cable companies. But one of the things that you want to do is that most cable company routers will not protect you. That’s pretty broad, but they all say they do. I’m sorry. They all said, but they were all right. They. But you want to make sure that you have a router that you can create VLANs. And let me explain what that is. So, you can get into any router by sending a phishing email. And you have the coconut effect, where it’s hard on the outside and soft on the inside. Soft on the inside means you can go from device to device without being hampered. So let me draw a little picture for you inside your house. So you build a home, and then you want to put up security measures around your house. So, for security measures around the house, you want to have lights. Windows? Yeah. Do you have doors? Yes. Do you have cameras? Okay. Yeah. And then you have rooms? Okay. Okay. If someone walks through your house, they can see your bedroom and living room. All at the same time. Was that Talia, Florida? Yeah. That’s right. So, think of it this way. The Internet is the same way. So when someone breaks into your system in your house, you want to have at least a locked door leading to your prized possession. Right. Okay. So that’s what a VLAN is. That’s why you need a router to have different VLANs with access control. So, if you have a house and a safe, let’s look at it this way now. So you have a safe people did in your basement as a locked door, then you have a common area. Before that, come in here; you have a door, so you see that data is buried three levels deep. Okay?

The US government runs the NIST Framework.

Because it’s safe, it is locked, right? So if you have a system, a router that allows someone to get in and right away they can see your prized possession, then your system needs to be more secure. An audit will reveal that an audit when we read that, yes. Is it best to get a quarterly audit? Yearly? How do you know when you need an audit? Every day? The US government runs NIST. They release vulnerabilities. So what is good today may not be good tomorrow. It may not be good tomorrow. In other words, what mission, depending on what’s running on the machine. So you may have excellent software today but harmful software tomorrow. Say you have a Dell computer. That Dell computer could be contaminated and sound today and won’t be good next week. So what I mean by evil is the government did release a vulnerability; well, Dell releases a vulnerability you don’t know about, alright? And so, what an audit will reveal is that you need a more robust system. You, the business owner, need more time to find these vulnerabilities. The audit will show the exposures for you and give you the fix. So you have to make sure. And that’s why you need to audit. Because it’s good today, it’s going to be good tomorrow. The audit would reveal what you need to do to fix that vulnerability. In your IT department, you’re the person who is handling your website, and you can’t do that for you. So it’s not that they can’t do it. We have yet to find a team that can do all the work they do every day and do the audit correctly. The mindset for cybersecurity is, how can I get in? The philosophy for IT is how can I protect cybersecurity fall more under NIT? There’s there are two different mindsets. I’m a small business owner, and I’m afraid of off. Have you had instances like that where you have been able to speak to suppliers that are small businesses running these types of problems? Yeah, I have a story to share. 
We see that if you need help understanding there is a difference between IT and cybersecurity. Would this story be PER? It is perfect for you. Because this customer got hacked. The information was being sold on the black market. Someone from another state calls the customer of the call the customer.

People Can Find Their Stolen Information On The Dark Web.

If I’m explaining that right and telling him they call it your customer, know my customer is cut. Well, let me back up. So we receive a call from a local small business. They got hacked. They discovered the hack when a detective from another state called their customer and told them their information was for sale on the black or dark web. And the record is that the onset was for sale. They are tied to a company. Now, they didn’t want a company that got hacked. They want the customer of the company that they got hacked. So what happened? The customer picks up the phone and calls that customer. That customer called us to tell us they’d been hacked. The hackers did the broadcast for them. What am I saying? It simply means customers could face a lawsuit because their information was stolen. Their record was tied to them on the black market. So, there’s no denying that that breach happened to that company.
With this customer information. Is there a requirement that a business has to be notified if their data is on a black market in this bound like that, instead of the detective calling the customer, saying they had reached the company? No. So, there are no actual rules to this in some states. In New Jersey, if you find out that you have a breach, you should report it to the state. You have to say it, too. You also have to notify your customer. Then, you also have to help the customer understand that things are controls they need to implement to prevent further damage. So, the refusal to do so. We’ll pause you and your company, and you’ll get fined.

What Happened If You Are Breached?

You are responsible for contacting your customers to inform them that you have been breached. And you would have to notify all of your customers. All of your customers, even if they weren’t impacted by it. But you don’t know if they were affected by it. Because once the database is stolen and the information is in that database, they have been impacted. Is it possible that the business contacted you and that it wasn’t stolen from them? No. It’s a possibility, yes. And is it possible to know now that the record is on the black market? Right? Because, more than likely, there’s going to be some information with your history that will say that it came from your site. Now, you can put your email address on a Have I Been Pwned site. And the government has a way to track your email address and tie it to a company it was breached by. There. It is more than likely that once that information is on the black market, it can be identified by the FBI that it came from you. What you said, would you advise every business owner to go to that website and put their information in? Absolutely. Absolutely. Have I Been Pwned. All you have to do is put your email address in, and it will show you all the companies that lost your email address or one part of a data breach. But once they were supposed to alert you that they did, they probably did an email. You probably saw the email and thought it was fake. It also depends on the state that you’re in. So you must report it for Delaware in New Jersey, and Pennsylvania may be different. So, depending on the condition that you live in, you are doing business, and they have other laws. So, there needs to be a federal law around cybersecurity, and what are websites and companies supposed to be required to do? They are, but they’re not strictly enforced if you take, for instance, HIPAA, right? So, the HIPAA law is on the federal books but has yet to be implemented. It’s not strictly enforced. So you can get around.

Companies May Hide That They Were Breached From Their Customers.

There are a lot of companies that found out they’d been breached through an audit, but they will never tell you. Well, this is all fascinating and very scary stuff. Is this very interesting and very scary stuff? One thing I want to let me have this, too, though. So let me go back to where we talk about small businesses and, you know, while they want to, why would you like to worry about protecting the system? We saw this happen very early when it went up before I got into this business, Cybersecurity Consulting Ops. Hackers like to take over our system, particularly a consumer system, and attack federal governments or someone else. And the reason is that if I come to your business website or network and attack, the government can easily steal your identity. Because the government will see the IP address making the attack, it will show that it is Ms. Daniel’s IP address, not there’s the IP address. And that’s why hackers love to use VPNs, right? Whether it’s a phishing scheme or whatever scheme, it is because they can quickly and easily hide their IP address. They could rent an Amazon bucket and do all the mystery from the Amazon bucket. It may take a few months before Amazon realizes this particular bucket is doing nasty things. But by the time they know it, you already have what you need and are gone. Okay? That’s a lot for a social media presence. Social media presence may accompany not wanting to have a website. Here’s another thing that you should do: it talks about social media presence. So when you take a picture of yourself, you want to delete as much information from that picture because that picture had your computer information and the coordinates of where that picture was taken.

When you post pictures online, please delete as many details as the picture property allows and make a copy.

So you want to produce it. It talks about if you go to the picture’s properties; that’s correct, so when you want to delete as much information about your coordinates and the information in your image, Because of coordinates, you can do coordinates to figure out where you are, whether it’s your house or your business. The business doesn’t matter, but more likely your home. Eliminating the coordinates will prevent hackers from finding your router, finding where you live, and things like that. So those are some things that small business owners, especially those working from home, need to be aware of. What about intellectual property? Well, that has to be protected, too.
When we started, we had a guy from India using cyber security ops in India. So you want to talk to a lawyer to interpret that and ensure you’re covering a slogan, mainly. You are the name cybersecurity consultant ops. That’s probably not as easily stolen because if you have, you know, that information about the tour, you know, you have to store that information where no one can get that website information. But your slogan is what you must protect. So, for instance, if you say we are a first to serve, someone can steal that if you don’t defend it? A lot of people don’t understand that.
No, no. Most people just put a website together. They may have a slogan. The slogan sounds good; no one else has it, but they need to think, Okay, what about if we get huge? What is going to happen? Can someone still slogan, and so on? Again, they also could take over your website. That’s one reason you must always do multi-factor authentication, primarily where your website information is located. But Tony sure gave me the audience. There’s a lot to think about. We may have part two of this conversation later. As you tell me, what’s good today may not be good tomorrow. That is correct. It’s ever-evolving cybersecurity. That’s why we always say if you could fix it today and it’s good tomorrow, you would have less than 3 million job openings. Cybersecurity is very, very complicated.

Command Line Interface And Cybersecurity Professionals.

You could have someone who, you know, get your certification. It could be any cybersecurity certification, but they need to understand the full scope of cybersecurity. Cybersecurity comes with much experience and working with a command line interface, meaning the backdoor. If you find the back door towards your laptop, it is the back door of your website. Most cybersecurity professionals that are good at this don’t work with GUIs. You have to know a little bit about everything. You have to understand. You know, when you get that sense that something is wrong. There’s no cookie-cutter way of saying, Oh, we’re going to go down this path. And this is the only path that we must go down. A lot of times, we do assessments. And that assessment, the first assessment, with the paid tools, may not find a vulnerability. So, we go with free tools because hackers use complimentary tools. So, we used the free tools and were able to find vulnerabilities with free tools where we couldn’t find what we wanted to see with the paid tools. Right? That’s one thing, and it’s telling me that a pay stub isn’t worth anything; it is worth something. But the free, like, give me an example. So VirusTotal is a website you go to, and you can scan to find out if the URL you receive is harmful or malicious. Okay? How do you monitor their URL to ensure there’s any lousy hatch hash? They fix it. When you check, if he calls back, lean because all of these tools are available to all of us, right? And the tools available to all of us are for the freeze, but the tools are open to all of us.
Then the bad guy, the good guy, and all the guys and girls will try to ensure they can hide what they’re doing and do it very well, right? As I said, we don’t have to have another conversation. We must return and have more conversations about cybersecurity because this is not just a one-and-done conversation. So we’re going to have to come back again. Thank you, Tony, for talking with us today. I appreciate it. Thank you. Thank you. Thank you. We wouldn’t be talking again. Everyone. Thanks for sitting and chatting with us today, listening to our conversation with supplier diversity and cybersecurity Cybersecurity Consulting. Ask the attorney with TOC. We will be out, and we’ll see you again. Thank you very much. Thank you. Buh-bye. Buh-bye.