Industrial Automation – It Doesn’t Have To…

Industrial Automation - It Doesn't Have To... Be Risky

December 14, 2021 elliTek, Inc. Season 3 Episode 8

With cases of cyber-crime occurring at an alarming rate, industrial manufacturing is caught in the crosshairs. What steps should you take to protect your systems?

We talk to an industry insider, Keith Moore.  Keith has spent the last fourteen years in industrial IoT device development and has immense knowledge of internet protocols and their weaknesses.

Before Keith joins the show, Brandon rants about what IoT is and what it isn't.

We discuss how manufacturers can secure their data.

The differences between a cyber risk and a vulnerability.

The factors that can impact a risk assessment.

How a threat analysis should be performed.

If cybersecurity is a concern for your facility, you don't want to miss this episode!

No matter where you are in your automation journey, elliTek will meet you there!

Reach out to us with any questions or future topics.

If you don't want to click on those links, pick up the phone and call us at (865) 409-1555 ext. 804.

#CyberSecurity #elliTekAutomationNation 

Industrial Automation - It Doesn’t Have to be Risky

 

Brandon Ellis  0:00  

Hey, guys, and Merry Christmas. It's Industrial Automation - It Doesn't Have To… Christmas edition. I'm Brandon Ellis, your host. And I'm here with Beth Elliott and the Christmas tree glasses.

 

Beth Elliott 0:10

Hey, Brandon. 

 

Brandon Ellis 0:11

Yeah. So, if you're not watching our live video feed, you may want to tune in because I've got the Santa hat, and she's got the Christmas tree glasses. And we're feeling really festive today. 

 

Beth Elliott 0:22

That's right. That's right. 

 

Brandon Ellis 0:23

And festive is what we need. Because we're gonna be talking about something that's kind of dark: cybercrime, and cybersecurity. This is a hot topic today with instances of industrial cybercrime occurring at an alarming rate, and that's just with industrial manufacturing. What steps should you take to protect your systems? And how does that affect your IoT goals? Let's dig in. Join us. 

 

Alright, Beth. Christmas tree glasses in full effect.

 

Beth Elliott  1:30  

That's right.

 

Brandon Ellis  1:32  

The Santa hat is heating up under these headphones.

 

Beth Elliott  1:37  

You want to take a little break and take it off?

 

Brandon Ellis  1:40  

We'll see how long I can make it. Okay, if I start sweating, maybe I'll get electrocuted. I don't know. So welcome to the show. Today, cyber security is kind of the topic, and I don't mean to jump in on the title, we'll hold the title for your big deal there. But that's the thing we're gonna be talking about. But updates.

 

Beth Elliott  1:59  

Yes. What updates do we have? 

 

Brandon Ellis  2:01  

Well, we've been doing all kinds of stuff with robots and welding and IoT. And we're doing even more stuff with IoT and robots together. As you start bringing in more of the IoT, it's interesting. 2021 has been an interesting year. A big push for automation, especially amongst the need for labor. So, labor shortages have spurred a lot of automation. In our last podcast we talked about some interesting things there. Some new Brandology as far as the four things… If you think you've got something that's just a drop in the bucket, no brainer application to automate with, specifically with a robot be it collaborative or industrial. Check out that podcast and run the litmus test on the four extra things that you may want to think about.

 

Beth Elliott  2:50  

It's the Brandology new list.

 

Brandon Ellis  2:55  

We keep building upon it. Brandology never stops. It's some interesting things there. But we also in 2021, I felt like from our experience, in the beginning of the year, that we had, you know, IoT in general, was a really trending hot topic, and then in 2021, it kind of… 2020 pandemic year. Everything kind of pressed pause, except, we began more of this remote work and remote support and remote kind of push. That said, IoT didn't go away, IoT changed definitions. And I'm not so sure if we the people changed that or if marketing changed that. And it kind of brings me to a bit of a Brandrant. Because as we're talking about cybersecurity, I kind of have to say, what is IoT? What is it and what is it not? Now, you and I in past podcasts, we've talked quite a bit about not just cybersecurity, we've talked about that before. But IoT in general, the number one reason for any manufacturing organization to implement an IoT system is to make educated business decisions. That's a result of a successful IoT system. And that's what I want to point out in this little bit of a rant. Can I rant?

 

Beth Elliott  4:26  

Please.

 

Brandon Ellis  4:27  

What IoT is not is it is not remote support. And I recently saw, and I've heard this before, from various folks, not just one person, but various folks, integrators, machine builders, suppliers, and then just the manufacturers that sell the black box solutions, saying, you know, you can buy this, you know, $75, $80, $100 box, and securely, securely allow remote support between the machine builder, the machine manufacturer, the integrator or whatever. And, of course, that sounds fantastic. And in 2020, we had to do that. Of course. So, people are trying to go that route and 2019, 2018, 2019, building into the pandemic, and it was always pushed down, pushed away. Why?

 

Beth Elliott  5:15  

Because of IT, they wouldn't allow that vector in. 

 

Brandon Ellis  5:18  

Cybersecurity concerns. Well, 2020, we were forced, and the IT was forced to change the way, because manufacturers were still trying to produce. The interesting thing about the pandemic. There was a time of, you know, a couple of quarters that a lot of companies did shut down, but quite a few did not, they were considered essential. And they had to keep manufacturing, because the demand, the consumer demand, whether it was food, automobiles, whatever, did not subside.

 

Beth Elliott  5:54  

It didn't go away. Yeah.

 

Brandon Ellis  5:56  

So, they had to keep manufacturing. So, machines had to keep running. But no one's allowed in the plant. No one's allowed to travel, none of this stuff is done. So, IT had to essentially, honestly, they had to step aside. They had to let their guards down. They had to ease their security concerns, if they were, in the cybersecurity fold of understanding all that was at risk. They had to lower their standards…

 

Beth Elliott  6:22  

Yeah.

 

Brandon Ellis  6:24  

…to let people remote in. And somehow, we define that as IoT, and it's not. It's remote support. So why do I bring that up? Well, because today's topic is not IoT. Today's topic is cybercrime, and cybersecurity. But with industrial manufacturing, that largely lends itself to IoT. And so, my rant comes down to whether you define it as IoT or not. If someone says, “Hey, for $75, I can put this thing in, it's gonna allow me to remote in and do that”. And, again, integrators, whether they're a single, single person, you know, one person, integrator companies, you know, single employee companies, or they're huge multi-million dollar, multi-billion-dollar machine builders, machine suppliers, OEMs, or integration companies. That same device will allow them to do this. And honestly, it's probably secure, it probably encrypts everything and allows a connection directly to their machine. It's not a bad thing. But the rub is this. When you promote that, as the integrator, in my opinion, you are taking responsibility for that connection. So as long as you're using that connection, you need to make sure that it's used correctly. And IT should hold you to that, if they allow it, if they allow you to do that. What this means is, and I think about the largest data breach in history was the Target data breach. Now it's probably been five or six years ago. Target had paid an HVAC company to do a unified HVAC monitoring system and control system, basically a SCADA system in HVAC world that would control, regulate, turn on, turn off and monitor all of their systems for all the Targets in the US. And they had the ability to remote in on that network and set it up. Now IT did make a little bit of a mistake here. They allowed that same system to be integrated with their point-of-sale system, POS, point of sale, cash registers, card readers all that.

 

Beth Elliott  8:33  

Sensitive information.

 

Brandon Ellis  8:35

And so, we're going to talk a little bit about that. But that was the case. So, here's what's interesting, because this really defines what cybercrime looks like, today. 2021. They came in, what happened was: they compromised a PC, for one of the technicians for the HVAC company. They got the username and password. Now we're gonna assume that the company, the HVAC company had no knowledge of this, which is entirely possible, had they had knowledge and they did not disclose that. 

 

Beth Elliott 9:06

Oh, that’d be bad. 

 

Brandon Ellis 9:07

They are 100% liable. In my opinion, now, I'm not a lawyer. I'm just saying, as far as ethics and morals, they're a 100% liable. And so, I'm gonna assume they didn't have knowledge of this. And so, what's interesting is the cyber-criminal organization that gained that, figured out that that username and password gave them access to this network that was part of the Target, they may not even realize it was Target at the time, I'm sure they probably did, gave them access to the HVAC system. What's interesting is, through that whole data breach, the heating and cooling system worked flawlessly.

 

Beth Elliott  9:47  

So, they had no clue. 

 

Brandon Ellis  9:48  

It was not, don't confuse cybercrime for thinking that the effects are as simple as they're going to go in and disable the heat on, you know, a negative 24-degree day in Minnesota, and see if they can, you know, freeze the pipes. I mean, that's the kind of stuff, you know, hackers used to do, the teenage hacker kind of used to do to, to, you know, back in the 80s, and 90s. What this is about is they came in on the HVAC system, and then they started rooting around, they realized we have another system that's on here, Windows based, Windows XP systems that had not been updated, that were no longer supported by Microsoft, vulnerabilities were known and published by all those not by Microsoft, but all those that know those things. And they use those vulnerabilities to collect every person's credit card swipe, their debit card swipes and collect their PIN numbers. For every, what ended up being every transaction in every store for three months.

 

Beth Elliott  10:53  

That's a lot of information. 

 

Brandon Ellis  10:56  

So, an analogy. Let's pretend like we're in a strip mall, and one of the stores is a fine jewelry store. And right next to it is a bank. And we figure out, we steal one of the key fobs from the employees, and we're able to fob in and go into the jewelry store, undetected. But what we realize is there's a door that we can easily pick the lock to, that leads into the vault of the bank. We never steal a single jewel. But we take all the money from the bank, without them realizing it. That's what cybercrime looks like today. And that's if I'm stealing stuff. What if I'm threatening to give everybody this access? That is the difference. Now. So how does this all tie together? If you basically promote a vector, you are taking risk. Now if they came to you and said we would like you to do this, would you use this and that's, that's different, but I'd get that in writing for sure. But if you promote it, and you use it, and it's found that someone came in through the vector you introduced and maybe didn't touch the machine that you're responsible for but jumped out on the network and begin ransoming other assets there, and it's traced back, which is entirely possible to do, just through IT forensics, to see where they came in, and it's traced back to you. I would maintain that you are liable. 

 

Beth Elliott  12:32  

That’s a big responsibility. 

 

Brandon Ellis  12:34  

And that is something no one talks about. The whole room goes to crickets, because the company that made the device, even though it's 100% secure, it's encrypted, that kind of thing, they're not responsible for your PC and your handling of that piece of equipment. And everything they have will say that. If you're going to a 5G cellular bridge past IT, you, read the EULA, whether it's Google, whether it's Amazon, we can say that those by their standards are secure. But if you read their EULA, it's gonna say, number one, no one can sue us for the intellectual property you place here, but we're not responsible if it gets out. Why would they be? You know, they can't manage that, they’re not gonna manage that. So, if you're an integrator, machine builder, OEM and you're promoting this, my question to you is, who is responsible if it's found that your vector, you're the HVAC system, you're the people that were allowed in, you couldn't contain your system. And, and through your carelessness, other people were able to use your access as a vector and wreak havoc for this company. And we're talking about some expensive things. And we're gonna talk a little bit more about that. So, this is a little bit more of a rant. I didn't mean to rant so much. But the important thing is, remote support is not IoT. So, what do I define IoT to be… I’d define IoT to basically be the secure transference of data. That's it, everything else is a result. Your machine monitoring, your AI for preventive maintenance, your dashboards for making business decisions, those are results, you cannot do any of that if you don't have the data. But if that data is not securely transferred, now you got a problem. So, you've got to make sure that aspect is transferred, do not confuse this with remote support. Remote support is a totally different thing. And in IT your responsibility is to handle that in a responsible way.
And integrators, machine builders and OEMs, your responsibility is to make sure that you handle your systems in such a way that you're not careless about giving that away. And that is the only way we're going to get past the fastest growing business I guess, be it legal or illegal, which is cybercrime and ransomware activity. It's a big deal. So that said, give me the title.

 

Beth Elliott  15:15  

Oh, I wonder what it is. Industrial Automation - It doesn't have to be risky.

 

Brandon Ellis  15:25  

So, it kind of does. You gonna lose ‘em? So, the riskiness… So, you've done some research on this on the internet. Tell us a little bit about what you've found. What's the internet say?

 

Beth Elliott  15:49  

Okay, so with industrial espionage a growing threat, a lot of manufacturers' intellectual property is in the form of unstructured data. What's the difference between structured and unstructured data? And it says structured data is typically stored in relational databases and displayed in defined columns and rows, so data mining tools and algorithms can analyze it. Examples include inventory management systems, sales controlling and analysis, customer relation management. So unstructured data is not organized, but it's stored in easily accessible and shared formats, such as emails, spreadsheets, word docs, PDFs, images, audio video files, social posts, and texts. So, that’s pretty typical there, isn’t it?

 

Brandon Ellis  16:41  

I think, I think for the internet, which is sometimes painfully bland, in general, that's probably… I'm agreeable with that. Okay. Structured data just means it's in a structured environment. Now, I mean, unstructured means it's not organized. And, but emails, spreadsheets, word docs, PDFs, yeah. Okay. But there's the thing called data lakes. There's, I guess we call them un-relational type databases. So, they don't have database forms. They're still databases. I refer to them as data lakes, where we just kind of throw everything in and then you subscribe to what you want. There's back and forth about that all day long as far as usability. But from a cyber security standpoint, really, between structured and unstructured, it really comes down to where it's stored and how it can be accessed in my mind.

 

Beth Elliott  17:35  

So that kind of leads us to, to what the, from general internet research, to protect from insider and outsider threats, manufacturers can secure data across endpoints, networks, storage and the cloud in these ways. The first one, ensure all the patents and copyrights are secured in a protective environment, educate employees about safety and security. Label valuable intellectual property. Know what tools are being used to protect the intellectual property and where it is, and perform a risk analysis, cybersecurity risk assessment. So, Brandon, tear that apart.

 

Brandon Ellis  18:47  

Number one. Ensure all patents and copyrights, I don't know why specifically patents and copyrights, but patents and copyrights are secured in protective environment. What is a protected environment? It's easy to say, that's a nice word, that's good for a sales brochure. But what is a protected environment nowadays?

 

Beth Elliott  19:03  

I don't know. I mean…

 

Brandon Ellis  19:05  

Even if you put it on a hard drive, yank it out of the computer and send it to the landfill, is it protected? Is it still protected? The answer is no. It's now out of your control. 

 

Beth Elliott  19:14  

If you put it in a safety security deposit box, at your bank?

 

Brandon Ellis  19:19  

Maybe, but now accessing it's pretty hard. But the other thing is, from my experience with patents, you know, the patent stuff we have done and, and copyright law, and even trademarks. Which, you know, you basically have to disclose that

 

Beth Elliott  19:37  

All the information that you…

 

Brandon Ellis  19:39  

You don't have to throw out all of your stuff. But if you don't, it's called a trade secret. And that's a different thing. You can't patent a trade secret, you can, you can register something as a trade secret, which means basically, we're keeping it a secret. But you have to be very careful about how you label all that. And it talks about labeling valuable intellectual property, maybe that's what that has to do with. To me, if you're labeling it, especially online folder structures stuff, you're really telling the thieves “this is the stuff you want to encrypt and ransom me for”. With patents you open up, you kind of open it up to say this is how we're doing this, and this is the thing, the process, the method, whatever we're wanting to patent, this is it. This is how we're building this thing, or this is how we're making this thing or something, you have to open that up, it’s called schematic. You open that up, so I don't really understand what the internet is saying there. But my real rub is what's a protected environment? I mean, we used to say a hosted environment is a fairly protected environment, but it's not. Not anymore. The other thing is, yeah, educate employees about safety and security. We’ve talked about this before, it's kind of a humorous story, I've got a customer, he was telling me that their IT group sends out fabricated phishing emails that they fabricated themselves, to help with educating their employees and if you click on it, it's the wrong thing, and you get dinged, you have to do so many hours of training. And he said it was almost shutting down the engineering group because so many of them had such a backlog of training requirements now because they were falling for these. Apparently, their IT group was really good at fabricating these phishing emails. 
And they had to get them done by the end of the year, and they were like, we're gonna have to take off all of December to get our training back up, because we just keep… So, he was just like, I just don't even open emails anymore. And so, you know, it's counter… and that's not true. I mean, I'm sure he did, but he was joking, of course, but that's the thing, you know, if, if you make passwords very difficult, what's that mean? That means they're going to go on the post it note and stick on the monitor, right? So, anybody that can see the monitor can see the password. I went to a hotel once checking in and while I'm sitting there, you know, checking in waiting for, you know, they're taking my credit card and things of that nature, I looked there and there are about four sticky notes at the base of the monitor. And it was like Google email account, username, password, this email account password, this login, username, password, they were all laid out right there, I could have easily taken a cell phone, just really nonchalantly take snap a picture of it and now I’d have all those things, very easy. If you make passwords hard to remember, that's what people do. So, educating the employees is a challenge. It's always going to be, and my heart goes out to all the IT folks that have had to deal with it. But I don't understand know what tools are being used to protect the intellectual property and where it is. Unless there's encryption software or something like that, why do you need it? You know, who needs to know that? 

 

Beth Elliott  22:55  

I would think the key people would need that information.

 

Brandon Ellis  22:59  

Because if you're coming from the cybercriminal standpoint, if I know exactly what you're using, then I might know the vulnerability associated with that, it'd be easier to know how to come at you. But really, to me, you can take a, b, c, and d, they're on our list. I know y'all don't have those letters, we do our outline here. The last one being you know, what tools are being used to protect the intellectual property and where it is. e) perform a risk analysis and cybersecurity risk assessment. That's really what it comes down to, you got to look at the risk. So how do we go about doing that?

 

Beth Elliott  23:34  

Well, what's the difference between a cyber risk and an assessment, I mean vulnerability?

 

Brandon Ellis  23:41  

The risk and the vulnerability. That's a good question. You brought that up to me before, as we were putting this outline together. I had to think about that. That's a good question that you have. And basically, what it comes down to a vulnerability is a known weakness of a system. If you're using Windows on the production floor, or in the office or anything, there are vulnerabilities associated with Windows. It’s a fact, some of those vulnerabilities, though, aren't things that are going to go away, we're not going to patch them. Because they're needed. It's sometimes necessary to bridge between, for example, to be able to bridge network ports, to build a bridge to networks, it's sometimes necessary, and sometimes very, very beneficial. Some call that a vulnerability of Windows, being able to bridge networks, that’s really according to the perspective you're coming from. From a cybersecurity standpoint, yes, that's a vulnerability. From trying to grab the logistics network and all the stuff that's set up on it, and the accounting network and all the stuff that's on that within the ERP system and get those two to where they can share data between them easily without having to go out and reassess all the IP addresses and the network structures and keep them on VLANs and things of that nature, that is key. So, it's not so much a vulnerability, it's a nice feature. And so how you think about that? So, a vulnerability is a potential weakness that exists on a system. But the, the cyber risk, or the risk in general, is what's the chances that someone's going to either be able to use that and take advantage of that vulnerability, or that if they were able to, that it would lead to make it worthwhile. So that's really the way I would define those two. A vulnerability is something that exists on a system, a cyber risk is what's the chances that someone's gonna be able to take advantage of it. 
If you have your whole office network set up and it all ties to a modem that has a public IP address, and there is no firewall whatsoever, your cyber risk is pretty doggone high. But if you have firewalls, if you then pull that down and have VLANs, and all these different layers of security that IT implements, each one reduces that cyber risk, okay? Now, and there's always the folks that say, you know, well, there's no risk on our side, because we're not connected, this computer never gets connected to the web or anything like that. We're going to talk about that. So that's called a vector connecting to the web, it presents a vector. But even if you're connected to the web, you should have all these layers or some layers, some amount of layers of security, before you actually get out to the public, public side between your system and their… even on your system, virus, you know, engines and things of that nature if you're a PC based environment. And honestly, it's just as bad nowadays for the larger, you know Ubuntu and various Linux based really Windows like boxes. So, PCs and things of that nature, just because it's a Linux OS doesn't mean… especially if it's a full functioning PC based environment, desktop-based environment, there's just as many vulnerabilities there. But having those layers of protection help reduce that risk. But it doesn't completely alleviate it. This is where we've talked about 5G. The cellular-based marketed by, you know, many product builders out there and manufacturers, OEMs, do the 5G thing. Again, this is remote support, remote machine monitoring that kind of thing. As soon as you do that, that 5G signal bypasses all those layers of support. And if I plug my PC into that, that PC now has just bypassed, represents a new vector, rewind back to my rant, who's responsible, who's liable, it may be going to their cloud, it may be going to an Amazon Cloud, Google Cloud, whatever. And those folks are going to say “Yeah, we're secure.
But we're not responsible, even if we're not”. So, who's responsible? So if someone's doing machine monitoring, they're doing their cloud based dashboards and things of that nature, they're wanting this via 5G or whatever, that bypasses IT's layers of security, if that's done with or without IT's knowledge, then now you're really reliant, any system that's connected to that, is reliant upon their cloud based system, their security, because again, it's not necessarily about getting hacked, and someone stealing, you know, this machine data, it's what I've heard, well, we don't care if they get that information. Remember, the jewelry store, we go in that way. And we don't want to interrupt that. When viruses come into a host, they really don't want to destroy the host right away. They need to replicate, they need to infect others, that kind of thing. That's how they propagate in humankind and animals and whatever. So, we want to go in, we want to keep that pristine, that connection pristine and unknown, because that's our in, and we want to start looking around. And that's really what cyber-criminal activity is today. Because here's the thing: most corporations, most manufacturers that you work with, will have you sign nondisclosure agreements and things of that nature. And in those non-disclosure agreements, it basically says that you're responsible for protection of any intellectual property, any trade secrets, any of their stuff that's confidential. If you store it in any way, on your computers, on your servers, in your cloud space, whatever, that you are responsible for that. And what some cyber criminals have been doing, this is not new. This is what's been happening in 2021. As ransomware has grown, what it comes down to is it’s not going to be… They steal your company's information, open a credit card account, and they go do identity theft and buy $30,000 worth of Amazon stuff. I mean, that's personal level.
On the business level, as cybercrime goes, what amounts to is it comes down to an individual or a few individuals or small business or something like that, and says, we have gained access to your systems. We have encrypted all this data that we know belongs to this other company. And if you don't pay our ransom, we're going to make it public record, we're going to notify them that you have not been able to maintain your agreements, your confidentiality agreements, things of that nature, and we're not going to destroy you, we're going to let them destroy you. Unless you pay the ransom. And that's the kind of stuff that can end a smaller company, even a medium sized company. It can end them. And so, it's not something to be taken lightly, guys. This is real stuff. And it's really happening, and it's really happening in 2021. So how can we get past that? What are the factors that really, we can do and what it comes down to, is to really do a risk assessment? 

 

Beth Elliott 31:18

Okay, so what is part of a risk assessment? 

 

Brandon Ellis 31:21 

Well, you have to look at what's the threat or threats. What's vulnerable in the system? And if it's breached, what's my recovery plan? Is there a recovery plan? Because you've got two sides of the coin. You've got: can I build it back? And just ignore it. Sorry. Yep, you got me, whatever. I'm ignoring you. “We don't negotiate with terrorists” kind of mentality. And you've got the backups where you just go, “Oh, let me step back in time, pull everything back, we're up and going and we're, we fixed the vulnerability”. You know, we fixed it and you go. But you can't do that, because that's the one thing. The second thing is how do you control the damage. And I don't know how you do that. But you’ve got to decide. The way you have to do that is you got to be reliant upon those, those constant layers of security. You need to be careful about what you agree to store on your server. And from an integration standpoint, especially with some of the smaller integrators that we deal with. And I know, many, many that own companies that are smaller and larger, and things of that nature, they need to be careful, they need to take that seriously. No longer are the days of just… Remember walking in back in the 80s and 90s and we'd walk in, I'd walk into a customer and say you need to sign this non-disclosure agreement. Whatever, sign it, let's go. You need to read it, we read those now. Those things have to go to the law office and things of that nature, for good reason. Because, in my opinion, you are taking responsibility for your actions if you do that, and they're very serious about that as well. Because they're larger manufacturers, they're also giving their word that their contractors, their suppliers, their vendors are also being held to the same.

 

So, we're privileged today to be able to have a special guest, an individual that I have worked with in the past, and I've just always been blown away with his knowledge, but specially we have, we've just had so many conversations about risk analysis. Now, he's not going to tell us what you should and shouldn't do, and if you do this, then there's no risk. But the conversations I like to have with him is more so about what in general, what are some of the key things that makes for a healthy risk assessment? Because there are different levels of risk. And you don't want to treat everything as if you know, it's Fort Knox or, it’s all of the personal employee information or something like that. You don't have to, to hit it with all that kind of armor. So that said, Beth, tell us about Keith.

 

Beth Elliott 34:09

Our special guest today is Keith Moore. He's also known as a network protocol guru. Keith has been programming for more than 40 years. He was a senior research associate at the University of Tennessee Knoxville for more than 15 years. While at UT Knoxville from 1996 to 2000, Keith was the Applications Area Director for IESG, Internet Engineering Steering Group. It's the steering group for the Internet Engineering Task Force. As the Applications Area Director, Keith supervised the development of protocol specifications and other standards. I think that's pretty impressive. He spent the last 14 years in industrial IoT device development. Due to Keith's wealth of experience with Internet application protocols and architecture, he is a champion for IoT cybersecurity. Welcome to the show, Keith.

 

Keith Moore 35:12

Thanks.

 

Brandon Ellis 35:14  

Keith has worked with us in a consultative role with our IoT products multiple times and multiple ways and I've always had ample respect Keith, for your viewpoints and your experience, certainly a lot more experience than I've got, but we've had some fantastic conversations. And so, we're talking about, we just finished talking about the difference between cyber risk and, and a vulnerability and how vulnerability could actually be not a vulnerability but a feature, according to which perspective, you're, you're coming from. Sometimes bridging network cards on a Windows-based system is a good thing, you know, it's a purposeful thing. But sometimes it's a vulnerability. But the cyber risk really decides how, how exposed is that vulnerability. And so, what we're drilling down to, is an actual term that I actually learned from my conversations some years ago with you, which was basically you really need to start with kind of a risk analysis. You remember those conversations, I'm sure, we've had it many times.

 

Keith Moore 36:28  

Yeah. It's a favorite topic of mine.

 

Brandon Ellis 36:33  

I think it's a very wise way to look at things, to kind of put that together. From your vantage point, I want to know what a risk analysis is. But first, I want to talk about basically an analogy. For those that aren't IT experts. An analogy that I often use is the human body, versus, you know, a virus, how it affects the human body, and how that relates to a computer system, or a phone system or whatever you've got, some type of an IT based device. And so, I’m not getting off in the weeds, we’ve been talking about, this country’s been through, well, this world has been talking about viruses a lot. But I think it's relatable in that it works kind of the same way. So, for those of you who may have gone through eighth grade science class, we learned that there's viruses all around us at all times, there’s various types, common cold, whatever. And they can sit on our skin, they can sit on your hair, or they can sit on your clothes, it's no big deal. For a virus to do anything, it has to find an entryway inside the body. And that can be orally through nasal passages through your eyes, through cuts, scrapes, things of that nature, but it's got to get in. And then it may or may not do something according to immunity and stuff like that. We'll get to that in a minute. But in a PC system, isn't that the same thing? Keith, the USB ports, ethernet ports, Bluetooth interfaces, aren't those the same kind of entry points on a PC system?

 

Keith Moore 38:04  

I think it's a valid analogy. There's always some way that some sort of attack has to penetrate into your facility or your network or your computer. And the places that I would start looking are exactly those, I would look at any kind of well, you know, any kind of communications port that exists on a device is a potential way in, whether or not something's hooked to it normally. And I would also look at… there's many layers that you need to look at including physical access, if someone had the ability to open up a box, then there's all kinds of ways to attack a box from the inside. But even if they don't, then communications ports, whether by directly connecting to the device, or over a network, taking a rogue device and plugging it in, like say to a USB port. But I'd say almost anything that has a connector on it is something that you'd want to look at. You also want to think about wireless access, and the device that supports that, Bluetooth or Ethernet or anything else. Wi-Fi. And so yeah, there's a whole lot of things you want to look at, that's a good way to start analyzing a particular device, what are all the things that can connect to it, and then what kinds of threats could emanate from something that you connect to this device, either directly to the device or over a network or something, some other device?

 

Brandon Ellis 39:35  

So, let's talk about direct interfaces. And when I think of that, I think of things like, you know, thumb drives, you mentioned a USB thumb drive, you know, those types of devices. Or if you're plugging you know, a network cable or connecting wirelessly to something or some network, then that really is no different than plugging a USB port in, you've introduced that same level of communication. And so, here's some of the things that I've heard about and honestly know to be true, but I thought you might have some, some thoughts on. So, one of the tricks is that folks are running around various companies, whoever they're wanting to target, and they'll plant, I guess is the way to say it, they'll plant these USB drives, they'll put them near entrances or in parking lots or maybe drop them just off the sidewalk where employees walk a lot and things of that nature, just baiting them hoping that they'll grab them. Because the only way you can know what's on this USB stick, is to plug it into a USB port. I'm right about that, right, Keith, there's no other way to know…

 

Keith Moore 40:44  

You could plug it into something else, you don't, you know, don't necessarily think well, you've got a PC on your company network, then they have access via that network to any number of other things or whatever. And if you plug that drive in, at least some PCs could be set up to auto launch software from that drive. And so, the mere act of plugging it in, can cause your system to be attacked. So, you have to be very careful about that. And also, any USB device, you may think it's a thumb drive, even think it's only a storage device. But a single USB device can act like several different USB devices on the wire, including a network adapter, or anything that you could get via USB. And so, systems can be attacked that way, you plug in something you think is one thing. And it turns out to be, you know, in addition to whatever it looks like, it's also something that looks like a network adapter that will then start talking to your computer and attacking it. So, you have to be very careful with these things. They're very deceptive.

 

Brandon Ellis 41:50  

I heard a story of an employee who actually ended up with a mouse, now I don't know, I don't know where the mouse came from. I doubt it came from Best Buy or Amazon, or maybe it did. I would think not. But I'm guessing maybe it was a trinket kind of mouse, or maybe from a trade show, you know, trade shows are kicking back up in 2021. They're pushing forward in 2022. And there's no shortage. And Keith, I think you brought this up in a conversation with me that people hand out these thumb drives, and some of them are in business card shapes, some of them are little trinkets that you can open up and plug in. And I as a, you know, a techno weenie, gearhead kind of engineer, always liked those things, I thought was pretty cool, you know, to have, you know, pull out a credit card in my wallet, and it actually flips over and it's a USB drive, you know, that kind of stuff. And we, from a marketing standpoint, we've talked about that endless, endless amount of time. But is that really the wisest thing to do?

 

Keith Moore 42:47  

I don't think so. And again, you really don't know, even if you buy a device from a reputable manufacturer, or a reputable store, you know, you don't really know for sure, no one's exerting that kind of quality control or, you know, source control over these devices. But my rule of thumb is, I'm never going to use a device that someone gave me for free. You know, that's not perfect, but I'm like, you know, if someone gave this to me at a trade show then I probably don't need it so badly that I need to trust it. I'm going to trust as few things as I need to trust.

 

Brandon Ellis 43:27  

So here we go. So, so now the skeptic in me. I mean, really, Brandon, is that? Is that really, Beth, is that really going to happen? I mean, is somebody really going to try to plant USB sticks out there, is somebody really going to give away and plant them, you know, in their booth or whatever. And the answer is yes, it's happening. It's absolutely. Go ahead, Keith.

 

Keith Moore 43:50  

Yeah, it’s not unheard of. And it's not something that's restricted to like three letter state supported agencies. You know, you never know in the supply chain for this USB device, who has some motives to attack, you know, random computers that this thing might have been plugged into. And it's just, you know, with things being sourced from all over the world, and, you know, various agencies would like to attack computers, say in the United States for whatever purpose. You just don't know. And I don't know of a good way to make sure that such a device is not threatening. I wish I did. It'd be nice if we had some sort of magic oracle that you can plug a device into. And it's “Oh, yeah, this is good”. I don't think it exists. I'm not sure it can exist.

 

Brandon Ellis  44:44  

I agree with you on that. I don't think so either. So, my answer to that is, well, let's talk about, let's forget the thumb drives, compartmentalize that for a second. And let's look at other ways people are trying to get into your system. Phishing emails. I mean, I get phishing emails, even with spam, you know, spam filters and everything that I get, our employees get phishing emails. We all get them, and we have to keep the employees trained. We talked a little bit about that, Beth. The IT departments’ ongoing goal of training employees. In fact, Keith, we were talking about, before we got you on the line here, I had a customer who told me that their IT group at their particular facility has started creating bogus, but you know, their own phishing type emails and they covertly send it out to employees to see if they click on it. And then if they do click on it, it flags them, and they have to go do so many hours of cybersecurity training. And he was saying half the engineering department had so much backlog of training because they had fallen, fallen captive to these really good phishing emails that the IT folks have been sending out, that they were going to have to, is going to shut down their engineering department for a month because they had to go to training for so long, to make up for all the stuff. So clearly there, there is such a push for phishing, and, and then, you know, web links, HTML links, all this kind of stuff. I mean, what's really happening, if someone clicks on one of those?

 

Keith Moore 46:16  

All kinds of things can happen, I think. I mean, Windows systems are a little bit better than they used to be. But for many, many years, something that you launched from an email or from a webpage, could fire up some local application, and then that local application might not be secure. So, it might have various ways of being used differently from its intended purpose. Like you could put macros in a Word document, and then that could do almost arbitrary things on your computer simply by viewing a Word document. And again, some of those things have been improved over the years, but the potential is quite large. And web browsers and computer systems in general are very complex beasts, and they have lots of security holes. No matter how much they work at eliminating those holes, the more lines of code in a piece of software, the more vulnerable it is likely to be. So, you know, I mean, one of my rules would be like, you should, you should just never click on a link in an email. I mean, at least if it goes and loads the webpage, maybe it's okay. But it just, you know, really, especially if someone says download this piece of software in an email, just don't do it. And no matter how legitimate it looks, because the attackers are getting more clever at disguising things to look like they're legitimate. And I get these all the time. I do, there's a couple of things I do, personally, which is I just don't use my, I use a different email address, for instance, for business transactions, or for personal ones, or for anything I do business with is on a different email address than I use for any other purpose. And so, when I get an email, say, claiming to be from a certain bank, even if I have an account with that bank, I know it's not legitimate because it's going to the wrong address. So that helps me. But I think it's sort of like you have to kind of have things like that, so that you can more easily detect whether something's bogus.
And sometimes it's a little tricky, I'll have to look at a message very carefully and look at all the message headers and things like that, and say, I'm not convinced that this is legitimate, so I'm just going to ignore it or delete it. So email’s a little different than the web, there's a sort of a different set of threats. But they’re... and it's not just that your computer system might be compromised. Everyone is trying to monitor people's behavior. And this can be used for business purposes too. Is just find out, you know, sort of get intelligence on some other business to see how they can utilize that against you. And so, there's various ways of websites, you know, contacting each other and exchanging information about you. And, again, be careful what you click on, maybe just don't click on anything in an email.

 

Beth Elliott 49:23  

So, may I ask a question real quick, Keith?

 

Keith Moore 49:26  

Sure. Sure.

 

Beth Elliott 49:28  

This is from my perspective, as a marketer, so if I want to send a link to someone, how do I, you know, get a link that I'm expecting from someone, do you copy and paste it, rather than clicking on it? Or it doesn't matter.

 

Keith Moore 49:50  

I think that doesn't actually help. Yeah. I don't know of a good way, I think.

 

Brandon Ellis 49:56  

It’s like the USB stick, there's not a good way to know, is there? 

 

Keith Moore 50:03  

The internet grew up very quickly, and I was reflecting the other day that we really, a lot of this stuff was not designed for the kind of hostility that we're seeing. So, a lot of these things got settled in the mid-1990s, let's say, but the internet was still rather small at the time. And the scale of threats is much more profitable now to do various kinds of attacks, because there's so many billions of people using the internet. And when the internet was small, these things weren't such a concern, but they are now. And the other thing, any kind of mechanism that gets designed to try to protect, you know, the users or their privacy or anything like that, it gets designed at some point in time, but over time, people figure out how to exploit it. And so, the design is more or less frozen, because it's hard to change things once there's a lot of inertia around it. But the exploiters keep working so they can work at this till the end of time. Figure out, you know, how they can use this against people. Well, yeah, it's a mess.

 

Brandon Ellis  51:15  

You hit the nail on the head, it's profitable. And when there's profit, when there's money to be made. So, going back to my point of opposition to myself about, you know, how big a deal really is this? It's a huge deal, because there's all kinds of money to be made, so what's been learned, and we talked about this across the last year, is that there is a lot of potential money to be made just in ransomware. But one of the clean targets is OT, because up till probably this year, maybe last year, the OT side, the operational technology side, the machine side was not known to most of your cyber criminals. It's not a known asset, and it's different. Our IIoTA helps bridge that difference in a secure way. But it's a difference. Well, now all of a sudden, it's kind of known. And in knowing, as they’ve learned the OT side of things, they've learned inherent vulnerabilities. For example, most of those systems do not have credentials. And they should. But we don't think about that. Because nobody ever comes here to, you know, you don't, you're not going to lock the door if nobody ever comes and try to break it down, right? But now all of a sudden, people are trying to break that door down. And so that brings us to the next thing. So, we've talked about injection points, if we, you know, we're talking about the way viruses inject themselves into the human body. And if you look at your, your PC, whether it's Windows, whether it's Linux, whatever, if it's a desktop-type environment, if it's on a machine on a device, if that device has got network capability be it wireless or wired, if it's got Bluetooth capability, if it's got USB capability, those kinds of things, probably not so much serial, serial is probably not as big a threat. 

 

Keith Moore 53:15  

You might be surprised, but it does exist. Yes, it's a threat. 

 

Brandon Ellis 53:19  

Yeah. And so, anything that can let you into that box as an interface is a threat. So, what's the next thing? So, the next thing I always hear is, “Well, we're not connected or we’re isolated” or something like that. So, isolation, in my opinion, is probably, it's according to how you do it. It can be better, or it can be false security. But then we now have a lot of companies, manufacturers, and these again, are manufacturers of quick solutions and quick fixes that are pushing with the invention of 5G technology, are pushing industrial manufacturing folks to install their little device that's going to do direct connection to their cloud-based environment or their servers or whatever over 5G cellular, and my rant is doing that introduces a whole new injection point. Because even if your IT departments are doing all they can do with all these multiple layers in order to get their cyber risk reduced, a 5G connection bypasses all of that. What do you have to say about 5G?

 

Keith Moore 54:28  

Well, I don't… You know, to me in some ways, 5G it's the new buzzword. It's the new hype technology. In my view, it's kind of just another wireless networking technology. So, it's not necessarily, fundamentally different, but they're trying to sell it more than they have in the past. Yeah. I think under some circumstances this can be okay. I mean, I once worked on a product. It wasn't 5G, it was 4G, every one of these devices had a cellular connection back to our central server, it uploaded things to the cloud, and so on and so forth. But those devices did not talk to anything else, but this company's products. It’s just a very limited niche application that had a wireless connection back to that company's servers. And it didn't connect to anything else, not via the internet or anything, or Ethernet or anything else. So, in that case, I think the potential for damage is relatively limited. But when people say, “Well, you should tie all of your devices into our 5G provisioning” and you trust that. And then I think, no, now your devices are at least potentially talking to each other, and that there's potential for threats to propagate from one device to another. And so, I'm not, there's multiple issues I have with this. And again, one of them is why would you trust some big company to care a lot about your small operation, if you have a small operation, because, you know, it’s an imbalance of power, they are going to care a lot about a big customer, but a small customer, they're not going to have a lot of resources to devote to making sure that the small customers’ operations are secure. So, it's just, it's just economics. You know, they'll assign someone to talk to you. But that person will not be the person that really understands the system that well. They're not going to be in a position to fix things that are obvious or to go hunt down the vulnerabilities. They're basically just trying to talk to you and make you happy. I'm very skeptical of that approach. 

 

Brandon Ellis 56:46  

And to that point, I made this point earlier in the podcast, that if you look at the EULAs, with any of the cloud-based services, be it Microsoft's or Amazon's or Google's or any of those, if you read the EULA, which nobody does, right? But if you read the End User License Agreement, EULA, then it basically says, “You can't sue us, if you put something on our server that shouldn't be there. That's your fault, not ours. But also, if something happens to it, we're not responsible”. If they shed all responsibility. So, who's responsible?

 

Keith Moore 57:17  

Well, presumably, you, but in and of how all those things hold up is a question for, you know, legal experts, but I think it's another example of the same thing, they are dictating the terms to you, if you were a peer, if you were a big enough concern, that this big company has to talk to you and negotiate with you, well, then they're not dictating the terms anymore, you negotiate them. But as long as you're in the position of take it or leave it, you have to take our terms or don't use our product at all, you know, you're not probably going to get what you need. And, and I think it's, yeah, it's just a mess. So, I don't. I don't have a lot of faith in those kinds of arrangements.

 

Brandon Ellis 58:01  

Well, and so then the question comes back, “Brandon, really how big a deal is this to me?”, I mean, really, how many people are actually getting ransomed in industrial, you know, industrial manufacturing, industrial companies, how many are really getting ransomed? And I tell you, as we have talked about cybersecurity, Beth, with you over the last few months, and just across the last year, I've been so surprised, because I've kind of been a skeptic at times, too. I'm guilty of that, of saying, you know, yeah, this is a big deal. If you're, you know, if you're some huge company, or huge target or something like that, but, but what about smaller companies, and that kind of stuff is probably not a big deal. And, and I've been surprised with how many people I've talked to just this year, and I'm not gonna mention any names, but I will say this, they're not saying, “I read about this company on Facebook or LinkedIn or Twitter”. No, no, my company, the company that they work for, “We were ransomed”. And in a couple of months, just like, you know, you work for a pretty, pretty broad facing company. I can't believe I hadn't heard anything about this and read anything about it online or anything, “Yeah, that's because we keep it under wraps, because we don't want anybody to know”. Because especially if they're publicly traded, they don't want you know, to lose the confidence of their, of their stockholders, and all that kind of stuff. And so, so they're trying to keep that now, some of them. Some of them had the wherewithal, we haven't really gotten into this with Keith and of course, we're going a little bit long but I love talking with Keith and this is why; is, you know, what to do, how to prepare yourself as far as risk analysis, and one of the things Keith, that you had told me before was try to make the ability to, to put the system back to back it up, have a good backup means, right?

 

Keith Moore 59:46  

Absolutely, I would go a little further than that, which is you should be able to restore your entire operation to a known working state. And that's every device in your system, every network device, every firewall, every intrusion detector, everything that you have, that you rely on to keep your operation working satisfactorily, you need to be able to, in a very short amount of time, just reset everything and put it back in a state that you know works. And I would actually say that that's maybe the first step, having a recovery plan is maybe even more important than any kind of vulnerability analysis of that you need to do that too. But the first thing is like, because if you get ransomwared, you know, in a way, the first thing that you want to know is, well, you know, what does it take to get back to a state where we're not vulnerable? And so, I think that's maybe the first thing because you can plan that, you know, you have to pay attention to it, you have to be like backups can certainly be part of that. But you have to be a little careful with backups. Because you want them to be, you don't want to backup things to a local USB device, for instance, because if your computer gets infected, it will affect the backup too. So, you have to be careful about how you do those. Maybe you can store them off site and all that. But you also need to make sure when you're restoring from a backup, you need to make sure it's a good backup and that that backup has not already been compromised. So that's a whole, that's a whole kind of planning operation in itself. But yeah, and you need to keep those plans up to date, you need to be ready to be able to do that at any time.

 

Brandon Ellis 1:01:29  

So be prepared, put a plan in, a recovery plan in, and then start thinking about your systems, not just the systems, but the data that's on them and decide what the risk is, in terms of what should I do with this. And then if it's highly high risk, you gotta start thinking about a way of putting that somewhere separate, doing something kind of like your analogy of using two emails and you know, doing that type of separation, those kind of tricks. But you got to come up with a means of arresting those risks to the best of what you feel is reasonable. Is that Is that a good way to put it?

 

Keith Moore 1:02:03  

Yeah, you certainly have to do it, I would start by just trying to understand what all the potential holes are in all of your systems. And that's a tedious process, because you have to look at every device, every communications port on each of those devices, you have to look at how you manage credentials in your organization, you have to look at how you manage physical security, there are layers and layers of defense that you need to have, you need to at least know what the vulnerabilities are. And I would say you want to do that before you even think about what the risks are, you just want to start by counting these things. Because you just need to have a broad picture of what the potential ways that your operation can be attacked are. It's not a fun exercise. But once you have it, you're much less likely to overlook something. There's a very strong tendency. I call it hand-waving attacks or wishful thinking or whatever you want to think, “Oh, that won't be a problem”. And often, it's because it's too hard to look at, you want to resist that temptation to make that snap judgment. So, the first thing you do is just list all the vulnerabilities and don't pay any attention to how likely you or they think they are to be used or anything like that, just go through and make that list. And again, it could be like not only every device, but every network service on that device, and so on and so forth. Once you have that list, then you can go through and say well, what do you think the likely kinds of threats are? And that will help you sort of amplify which ones you pay more attention to. Ideally, you would address every threat that you have identified. Sometimes you're going to say I don't know how to address that threat. And that's fine, you're still better off having made that identification, even if you don't know what to do about it yet. And sometimes even a simple measure is better than nothing. 
So, you've got to be pragmatic, but you really have to start from a point of view of having a broad view of your system and kind of an honest view.

 

Brandon Ellis 1:04:08  

So, I was just thinking about the concept of putting it all back quickly. And so, a lot of times when I think about that, I think about backing up servers and mail servers, database servers, things of that nature. I want to throw it out there to those that are listening. This also means backups of all your machine programs, all your PLC programs, your HMI programs, your robot code, all that kind of stuff on the OT because, because that's where the crosshairs are facing you right now. And it's on that OT side that we're seeing a lot of this marketing push for IoT disguised as or remote support, remote access disguised as IoT, we're seeing 5G, let's bypass IT because they're the enemy, they're the troublemakers and, and as soon is, all it takes is someone to inadvertently connect, you know, make a connection between that 5G network as Keith pointed out, and bridge it over to through a hard connection or whatever, bridge it over to the rest of the OT devices, that now someone has access to that if they can overcome whoever's, you know, controlling the 5G side, just like the Target breach, and the HVAC situation there. So, Keith, always a pleasure to talk with you. Oh, you got something.

 

Beth Elliott 1:05:26  

I was going to ask if that was all of his tips.

 

Keith Moore 1:05:32  

Well, I mean, I don't know how much time you have, because I could talk about this all day. I'd be happy to talk with you more about it. I was gonna say, is there any sort of major point that I would make? And, you know, one, one point I would say is don't place all your trust in perimeter security, like a firewall or a fence around the building or the guard out front. You want to build systems that have defense in depth, so that if an attacker is going to be successful, they've got to penetrate multiple defenses. And you don't want to be like the Far Side cartoon with the polar bears in the igloo saying, hey, these things are great. They have a crunchy outside and a chewy center, you don't want to have a chewy center. You want to make it difficult for something to attack you. And I think the other thing is, once you have this sort of list of vulnerabilities in place, this is something that you want to maintain over time, so that you always have a view as to what your vulnerabilities are and what you've done about them. And then when you start planning future operational networks, you'll have that experience to know what things do we want to make sure that we're not as vulnerable next time. And you have this set of vulnerabilities that you were familiar with, and you know how to address these things when you build the next one. So yeah, and also you just want to keep that list of vulnerabilities very closely held, because it's basically a blueprint for how to attack your system. So about two to three people should know about that and that's enough. But yeah.

 

Brandon Ellis 1:07:09  

That's good advice. It's good advice. Did you have anything else?

 

Beth Elliott  1:07:11  

That was it. I just wanted to give Keith a chance to share some last thoughts. 

 

Brandon Ellis 1:07:17  

Well, and so. Of course, I agree with you 100%, Keith, and I appreciate your insights. I think about our IIoTA, and how the Data Commander, and then now IIoTA is designed and how the appliance is designed, and Keith is familiar with that appliance. But it's designed such that we aren't, we are not claiming that it's a cure-all, do-all for cybersecurity concerns. But as far as how we isolate the two networks, if it's used in that, in that regard, across the network ports, the NIC ports, they're hardware based. It's called hardened. So, it's not a firewall, it's a hardware-based hardened gateway. Yeah, it's a hardware-based solution. But what that means is, is that means they've got to break down a wall and then break down another wall and then break down another wall before they can get, they can do any damage. Well, we take pride in those three walls, that three-wall approach, which means it's better than two walls, and it's certainly better than no walls. But it doesn't mean that it's the cure-all. There has to be other walls. And then just like Keith has pointed out, it doesn't mean that it keeps people from breaking into your building, or employees coming in with contaminated thumb drives or unknowingly especially work this remote work, this new work style, right? The hybrid work model means that you've got people working from home, and then they're coming in and working. So, they're either remoting in, so remote access, but on the same computer, I promise, they're out shopping Amazon, they're out doing their own personal email, they're, you know, they're playing games, they're going to websites, they may be going to websites they had no business going to, that kind of stuff, because it's on their network at home. And then suddenly, they remote in. Well, now if they've got an infected computer and they’re VPN in, Keith, am I wrong here? Is there any difference? If you're doing a remote access, even if it's encrypted and all that kind of stuff? Is that any different from taking an infected computer, bringing it inside the workplace and plugging into the network there?

 

Keith Moore 1:09:23  

I mean, I think no, not in practice. But I would say don't even trust the machines that you know are on your floor connected to your local network. You know, again, it's that perimeter security, there's no magic about the firewall, that just because someone can tunnel into your internal network on a VPN does not mean they're trustworthy, but I wouldn't even trust, you want to trust those local computers as little as possible. So, when you have a system that's based on the idea that says, anytime you're inside the firewall, you're okay and trustworthy. That's a pretty dubious assumption. And, and I think you have to build systems that are more layered and where the defenses aren't only at the perimeter so that if someone tries to do something from any computer wherever, whether they're remote or not, that you have defenses against those things. And it's a lot more complicated. It's a lot harder to understand. But that's the reality you can't trust. Most attacks are internal, whether they're, you know, by a disgruntled employee, or whether they're by some system that got inside the network, and that was already compromised. It's the same problem that way. And, you know, being safe against external attackers is not sufficient.

 

Brandon Ellis 1:10:47  

Yeah. Well, we're rolling in long podcast. But it's been a great podcast, I think. We've covered a lot of stuff. But we do want to wrap up now. So, Keith, thank you very much for your time and for your expertise and sharing that with us today. Is there anything else you want to add? Do you want to give out a contact or?

 

Keith Moore 1:11:09   

No, no, no, that's fine. Nothing comes to mind.

 

Brandon Ellis 1:11:12  

Do you want to give out your social security number, your personal email… My favorite is, by the way, if you guys listening are on social media and you see these cool little games where it says like, answer all the following questions and paste the answers and send it to five people, you know, and it's stuff like, “Where were you born? Where did you go on your honeymoon?” You know, those are security questions, stop answering them. They're not cutesy. It might be cutesy for grandma, and for you know, your grandchildren and all this kind. It's not. Stop, stop it.

 

Keith Moore  1:11:52  

Don't tell people anything they don't need to know, that you don't think they need to know. I don't even accept connection requests on LinkedIn from strangers. I don't do it. This is not… having more people know, you know, somewhat personal information about me, even if it's just work history, that's not to my advantage. I don't want to disclose that to lots of people. So yeah, be careful about what information you give out.

 

Beth Elliott 1:12:19  

Yes. So, this is not Keith Moore.

 

Brandon Ellis 1:12:21  

This is someone playing Keith Moore. So, Keith, thank you again very much for taking some time. So, Beth, this is our final wrap up podcast for 2021 and season three. And so, we will return in 2022. There might be some changes, maybe some change the whole platform, the way we do things, that kind of stuff for 2022. We'll certainly let you know if that rolls around. 

 

Beth Elliott  1:12:48  

I would suggest that people subscribe to our RSS feed or to whatever platform they listen on. And then that way they can get updates. They'll be notified when we get one and also follow us on any social platforms because they'll get notified when a new episode drops.

 

Brandon Ellis 1:13:05  

But you won't get emails with links in them. So, all that's voluntary, but certainly, we want to be very, very astute when it comes to cybersecurity, and we want you guys to do that as well. We also want to wish you and everyone a very Merry Christmas and a Happy, Happy New Year. And Keith, I wish the same to you.

 

Keith Moore 1:13:27 

Thank you very much.

 

Brandon Ellis 1:13:28 

Thanks for being with us. Beth.

 

Beth Elliott  1:13:30  

Yes Brandon.

 

Brandon Ellis 1:13:31

If they need elliTek they can call us 865-409-1555. Check us out online on www.ellitek.com. And then of course, YouTube, LinkedIn, Facebook, Instagram, Twitter.

 

Beth Elliott 1:13:47

You got it. 

 

Brandon Ellis 1:13:48  

All right. Beth, have a fantastic and wonderful holiday.

 

Beth Elliott 1:13:53  

Merry Christmas and Happy New Year. Thank you all for listening. 

 

Brandon Ellis 1:13:56  

Bye, guys.
