Business as Usual Featuring David Kane at Ethical Intruder

So good afternoon and welcome to today's session of business as usual. I'm Audrey Russo, President and CEO, the Pittsburgh tech Council. And I'm joined by my co host of all things media, Vice President of anything that we do in terms of storytelling and marketing. And that's Jonathan kersting. So a few things about today's call wouldn't have been possible without the support of these organizations and companies.

That's Huntington bank. They stepped up back in March to help us bring this series to you and they play a critical role in helping small businesses navigate the pandemic and is the region's most active SBA lender. We're also proud to have the support of two additional sponsors both sheets and Deloitte. If you don't know sheetz, they have a mission to provide fast, friendly service and quality products and cleaning conditions. at locations, they are known across the industry as an organization that constantly reinvents themselves while bringing a steady stream of innovation to their industry. You're going to see more of them as they've opened up an innovation center, right here in Pittsburgh, and Deloitte. They're a force in business from innovation perspective, they've been at the forefront of revolutions in business for 175 years. And they probably have about 85% of the Fortune 500 companies as well. So this a couple of things program note, we have some great things coming up in business as usual, including an information session this Friday about the Keystone Innovation Zone, some of you may know them as KIZ. We will be hosting the lead official from the Pennsylvania Department of Economic Development, who administers the KIZ program as well as our friends from KIZ resources, who will talk about the $100,000 in tax credits that are available to KIZ companies. Each and every year, talk about the process of selling unused credit to generate immediate income. It's a great advantage for those companies that are just starting. I also want to tell you about a few programs that are upcoming and you can go to our website at PGH tech. Tomorrow we're hosting a fabulous CIO insights program, with Chris Caruso, CIO of PPG. Gary Dick, cio of Highmark health. Catherine Allshouse, global CIO and head of operations at Veeva systems out of Columbus and Annlea Rumfola, SVP, Information Technology Segment CIO Medical Segment, Cardinal Health  also out of Columbus. So we're excited about our regional approach, you can go to our website and then on August 12, and 13th We're kicking off tech fest 2020. It's a two day program aimed at software developers as they hone their skills through multiple workshops hosted by their peers.

And then finally Finally, we're hosting our annual technology leadership golf outing. We have honored co hosts this year with Ed McCalister. He's CIO of UPMC. And Richard Smith, CIO of labtech, which recently acquired GE transportation. So that's a lot. And we're working feverishly each and every day to make sure that the tech community is connected. So we've muted your microphones. We've done that on purpose. So hopefully to eradicate any of the noise around us and we also want the call to be interactive.

There's chat at the bottom of your desktops, ask questions, just do not use it as a way to sell. That's not what we're looking for today. So really quickly, we're gonna get started and I'm bringing David came to the forefront. He is the founder and CEO of ethical intruder. And we're going to talk about all things security today. So I'm pretty excited to do a little bit of a deep dive in lots of the things that matter to each and every One of us and lots of the things that many of us don't really think about day in and day out. So welcome, David. And we have a lot of things to talk about today. But first, what I want to do is just introduce yourself and your company. Let's start with that. And then we'll do some deep dives.

Okay, great. Thanks, Audrey. Excited to be here today. So ethical intruder is a cyber security and compliance company. We've been in Pittsburgh, for the last 10 years. We started out focusing around the country, but we primarily focus on the Pittsburgh region right now. We don't sell any products. We're not the company that will come in and tell you here are the 15 things you need to buy in order to be secure. We primarily provide services around three different areas. One technology, we're penetration testing, so we're ethical hackers, by permission, we are allowed to hack into people's systems. The second is compliance and risk helping companies to build security and compliance frameworks. And third is user awareness and just making sure that the user is now The reason why you have a security problem?
How did you get into this business?

That's a good question. So
years ago, I worked for another Pittsburgh company, and one of my jobs was to constantly look at the technology curve. They were a consulting services company. And, for instance, we had going way back in 1999, we had all these, you know, as 400 programmers, we had to figure out what to do with them when y2k ended. So we started moving them into this new internet space with Java and ASP. And so they actually the company did a great job of looking ahead, and sort of redesigning the people that they had. So that was my task for a couple of years. And at one point, probably about 12 years ago, we sort of saw this curve of ethical hacking coming up in cybersecurity as good as being big. And so we sort of moved into that space and tried to get in. So we've been doing this for 10 years, which is not super long for technology company, but it's pretty long for dedicated cybersecurity. That's how it started.

That's great. So you've been in tech most of all of your career, right?
Correct. Yep. Absolutely.

So, you know, we are approaching, I think, our 95th edition of these dailies zooms. And when we launched the series, we did so in the context of quite a few businesses actually banning zoom as a platform that seems so long ago but that was what was happening. And Brian on our team just was adamant about using zoom because he felt it was the easiest and most inclusive and that we could reach the wider you know, number of people, but it sometimes it made it difficult at the beginning for some of our guests and you know, in that process you helped provide us with some education and information that really helped us boost our security, and hence, you know, our attendance and interaction and to ease The level of comfort of some of you know, many of our guests and their related, you know, companies. The security, you know, for the platforms like this remains a top concern. I mean, it's not like it's gone away. So that's for schools. You know, as you knew what happened with zoom in schools in New York City, there was a big, you know, fall out there. And I know, zoom has made some changes. Can you talk about the current state of security a little bit across all the platforms? So that's zoom teams, WebEx Hangout, etc. Yep.

So yeah, the that the security and the focus has definitely increased, right. I think that's one of the reasons why, you know, we have companies moving to Pittsburgh that are dedicated to, you know, increasing including zoom. A security focus, it was a little bit of a wake up call, right. So zoom got caught off guard a little bit. They are the platform that super super easy to use, and a lot of a lot of people liked but no We had in our guidance early on while there were some security concerns, a lot of it really had to do with how you used it, the features, the controls that were built into it. So I think a big part of the problem was people not necessarily knowing all of the controls and what they could do, and having sort of the waiting rooms and letting people in and muting people and not allowing people to share their screens. And that's still the same with all platforms. So the guidance that we provided back then still holds today that if you don't pay attention to those options that you have, you can still have some, you know, pretty significant issues. That being said, I think everybody in those spaces, the ones that you mentioned, have really decided to put a lot of attention into security, as well as there is a race to be like zoom as far as how easy it is to use. So Microsoft Teams I know has been announcing forever that they were going to go from four people to eight people, 16 people to sort of keep up They've finally just started to release that. So they're trying to blend a combination of security with functionality. But I would say right now, we would be comfortable with people using any of those platforms. If you're going to share intellectual property, if you're going to have a client discussion, take a little bit more time to set up an individual password. Don't reuse those passwords, you know, make sure you're controlling who's in it, be careful about how you share screens, but I would say all of them are doing a really good job. I think we would be comfortable with any company really using almost any of those platforms. And I know it's not really a part of the program, not trying to make a pitch, but there is a local company called kinetics, who also has a bunch of really great products to do the same thing here in Pittsburgh, so they're, they're worth checking out. But yeah, I think everybody's doing a really good job in that, in that space.

compumedics, the founder of compumedics Dr. Giorgio Cora, loopy is one of the founders Members of the tech Council.
Yeah, another great organization. And they have a lot of different products, from video call centers to just I mean that there's just a whole array of things for small businesses, big businesses, and they, they really do a nice job.
I'm not hearing as much about zoom bombing, but boy, we heard some really interesting at the at the onset of all this, are you seeing that less and less of that, David?

We are. So I think the reason again, is people are starting to learn about again, the various controls where you could put in place not allowing anybody to should simply just share their screen add contents, join a meeting people are, you know, using passwords in the various controls. That's definitely gone down quite a bit. I think what's, what's increased is that people are taking advantage of people using zoom in these platforms with phishing and other types of activities. We're trying to steal people's passwords because Cuz once you steal somebody's passwords, even if you have it password protected, now it makes it easier to get into those sessions. So I think I think that's happened a lot more now with zoom and some of these platforms, then the zoom bombing.

and also paying for it, right? I mean, those additional controls, correct, hey, when to pay for the technology, the freemium one, tend to not have what's needed. So that's great. Thank you for that overview. And the shout out for compumedics. So, as a famous elected official once said that we should never waste a great crisis, right. So the criminal element has really worked to leverage, you know, the pandemic as an opportunity to take advantage of people. We heard that early on when we had our Western pa ag on the show, and he talked about the proliferation of the kinds of infiltration that was occurring with the pandemic. So I don't know what's happening now. So I'm doing a little check in with you. Can you think about the common code COVID? No schemes that you're seeing now, when he was on the show, we were seeing very, you know, an array of things. But what about now, so almost 10 weeks later.

so they're increasing, unfortunately, in a lot of it is, is again phishing social engineering related or just simply taking advantage of, you know, people who who are at home working at home defenses are down. Probably the three common COVID fishes that we still see. Well, I guess before I get into that, I think the important thing to realize about why this is effective is that phishing and social engineering has little to do with it, or HR wanted to do a training. It's about behaviors, and it's about humans and how they interact. And so the reason why these are working, is because they're playing on the susceptibility of people's behaviors. So a couple of things that we're seeing a lot of our, you know, I could send something out, you know, from my own company and say, you know, here's a heatmap of what's going on in Allegheny County of where the cases are, you know, click on this to see where it is, well, behaviorally, we're concerned. So you may click on it right. Or you may get an email from somebody that says, you know, that we're a part of, you know, some COVID committee and basically, you know, we can send you updates, just log in with your user credentials. Again, behaviorally, you shouldn't use your login credentials to get information on COVID. But that's what that's what people are doing. And another one that's real popular to look out for, that we're seeing is that as people are coming back to work, maybe they're getting something from a CEO, somebody that they don't usually hear from that says, we've put together some guidance on what to do when you get back to work. Please download this, you know, you know, PDF, and so now you have people that are causing issues with clicking with entering credentials with downloading malware. And so I don't the numbers, you can see them all over the place you hit 300 500% increases. But that's, that's probably been the biggest attack vector with COVID is just reaching out to the users and affecting their behaviors.
Until you see that increasing, not decreasing.
I think it's going to keep, I think it's going to keep going.

There's just there's just, again, with all the uncertainty and we're home, we're not at home or, you know, if people are people really want that information. So it's really important to share the message with your users that if, you know, you can tell them where to go. You can send them very specific information, but especially when they're working on their, you know, work assets, they should probably stay away from anything unsolicited related to COVID. And that, that should protect them quite a bit. And that's probably the biggest thing that we've seen.
And what about changing people's behavior a little bit. There's some tools that you actually use to help you know, give a little In this test of how an organization is doing.

yeah, so, you know, there's training you can send out information yourself. Probably the biggest behavioral change that you can try to get people to do is to hover over links and make sure they see what they're, you know what the link is. So unless you're on a Mac, iOS, Mac, fix this. When you hover over a link, if it just becomes a behavior that you always do this, we literally send stuff out that when you hover over it, it says this is efficient, or something similar. So if you could simply get that behavior, you probably would eliminate the largest amount. But what we do and what a lot of companies do is we will work with companies send out phishing tests, work with them behaviorally, try to find out who is susceptible what they fall for. And the more you find out from your employees what they're susceptible to based off of your industry, the easier it is to give reinforcement, you know, behavioral training, but the number one behavior is for sure. Hovering over the link and trying to know who you're, you know what you're clicking on. The second one probably is if you get anything from somebody with a link to click, and it's from a bank, it's from a credit card agency from anybody else, just go directly to that website. it'll it'll take you to the same place. Go ahead and log in from there.

It's an ad is amazing. And so you said that on a Mac, you're not you're not really able to do that.
Maybe they've changed that. I think they've changed that now used to be that was a little bit more hidden. But
I think it's there. I think it's now good.

So, you know, during last week's CIO of the year event that we had, virtually we heard that security is like the top two issues, right? The key areas that companies are still making key investments in and obviously because everything going on with COVID and the things that you just articulated about our behavior, you spend time with with chief information security officers, that's who you talk to, and what are they telling you like? are they telling you anything different? Are they talking about different ways that they're spending time? and addressing the issues? Yeah,
so So it's, it's, we're hearing a lot of stuff, right. So it really depends on the industry, the size of the organization, what they have the capabilities to do. A lot of people of course, when this first started, had to expand, you know, the amount of VPN licenses so that people can get in externally.

That that was really big, a lot of people are finally starting to use multi factor more and moving towards it because especially when you're at home, that's our number one, as ethical hackers as people who hack, that's the one thing we don't want to see is we don't want to see you have multifactor. So if it's bad for us, when we're doing our exercises, it's bad for the hackers. A lot of I think a lot of people are working on tuning the products they already have in play so people are at home and you have office 365 a lot of people are spending time Going through those products and making sure that, you know, they're sort of buttoned down because most breaches a lot of breaches have to do with just configurations and not properly having your settings in place. And then the one that I think is causing a lot of pain for the CSOs and it goes back then to the boardroom, is that more partners are starting to ask that you meet security and compliance frameworks. I mean, that has just mushroomed over this. So if I want to work with a company, and I am not sure what's happening while they're working from home, I may ask them to align with a framework or a compliance, and we're seeing a huge increase. And this really takes a toll, especially on smaller businesses or startups who aren't able to do that. So I think balancing being able to meet the requests of the partners and just to be clear, when they get those requests, that's something that allows them to either continue business or grow business and so it may not be the main thing that They want to work on but if they can't get new business or grow business, they very often have to start staring down those those frameworks.

So what's your advice for people who have significant IP? And they're small and they're starting, and they can't necessarily afford or scale that kind of infrastructure? What's, you know, sort of basic advice right now?

Yeah. So again, number one, which I've already mentioned, is regardless of how big or small you are multi factor, multi factor, multi factor. That is just absolutely, you know, huge. If you're a smaller organization, for instance, we work with customers that are three five people, employees, but maybe they're partnering with a large medical organization, they need to be high trust certified. Well, how do you do that when you're just three or five people? Well, you know, you can work with someone like us, you can work with other partners and try to find out what are the most important you know, pieces that You can put together, I will tell you that regardless of your size, there is absolutely a path and a way to stay secure as you get bigger gets more complex. So multi factor is huge, you know, make sure you have cyber liability insurance, it's really important. Oh, don't have, you don't have that that could be a big problem. And then, again, sort of our three areas that we focus on, not that people need to work with us, but you know, protect your technology. Make sure you're meeting your business obligations with your customers and try to train your users. And the more you can do that, I think the more you can stay safe.

So we have seen some recent high profile attacks, obviously, and including a breach on Twitter security last week, and then breaking news about, you know, theft, international theft of intellectual property. So why do you think these attacks continue to be successful? And do you think that the security level lapses are a real threat to the US economic growth.

I don't know how much the threat has changed to the growth I it's meaning that it's bad. And it's probably always going to get worse. I think what's changed is the vector of how people are doing attacks, maybe because of COVID. So, for instance, the Twitter attack while we never like to really say exactly what happened, because we're just reading the same reports everybody else has, you know, it appears that either it was an insider or an insider who was influenced and of course, Twitter announced, like a lot of us that are working from home, right. And so it makes it a lot easier for somebody at home to possibly have somebody else get a hold of their credentials, or in this case, you know, they said maybe to, you know, somehow they were, they were influenced. So, intellectual property.

I think one of the big things that we're seeing with companies so if after MFA MFA, MFA multi factor. segmentation is really important. So for intellectual property, I think you just have a lot of customers, that they have a lot of data sitting in a lot of places that everybody can access because it's easy, right? So whether it's COVID, or any other reason, if you're a startup, you know, protect someone from getting from the inside and make sure that your data is segmented. So you know, people who don't need to see the data don't have access. I think that's that's just huge. But as far as the recent breaches, I mean, Twitter again, we think it's, you know, it's an insider, the, you know, intellectual property probably is linked to people having too much access segmentation, people stealing credentials, and then the recent one Garmin, you know, we're not exactly sure what happened there, but that was a ransomware attack. And I think the problem there was there are so many parts of a security framework such as doing a test recovery of your battery. Cops doing a tabletop exercise that people aren't looking at some of these may be less sexy approaches in security. But you know, that Garmin attack, they've been down for a couple of days that are their flights that can't happen because they can't get GPS that are runners and bikers like Jonathan that can't, you know, necessarily use their tracking piece. And the problem is when you talk about the economy is that this is a direct hit to financial and reputational strength of a company. So if you can just segment your data, protect people from coming in, train your users, you know, the worst pieces, if you get hit like a Garmin, it's, it's hard to recover.

So there are two questions. I wasn't paying attention to the chat. I think we answered Zen's question, but maybe not a netus.
Okay, absolutely. And I said that went on the private chat as well to auto submit some great questions coming in here. So start with a nice questions he wants to know do local internet providers like Armstrong and Verizon and others have a role to play in protecting their customers?
I think that's a good question. I think that they can offer through their services, they may offer additional suites of services for you. But at the end of the day, I know I mean, I mean, they may offer some additional things that you could you could do. But I think most of the ways that people get in has to do with protections that we can put in place and has little to do with the ISP. You don't hear a lot about people. You know, because of Verizon. Somebody gets in.

Our next question from Coleen fetter wants to know, I have not heard of this. So I'm sure you have though. pen testing is one of the recommendations that she received through an IP audit. How often should accompany you complete a pen test? Is there a different recommendation for a small nonprofit company? And I want to know what is a pen test because I have no clue.

So it's not a test with a pen. Hoping Come on, like so now. So it's a penetration test. So a penetration test is basically, you know, as I discussed earlier, we do ethical hacking and penetration testing. It's when you pay somebody and you give them permission to actually hack into your system. But then you show them actually how you got it and how you can stop. So that's that's something that we've been doing since the beginning for the last 10 years. Yeah. Annually, if you're a nonprofit usually is really important. A lot of people are moving towards doing it, you know, semi annually. The problem is, is that if you do it annually, it's great for a report and an audit.

The problem is, is that a lot of changes changes over the course of a year. Many people that we work with, do it, you know, do it quarterly but if you can at least do it annually. And then I think the big key here is penetration test is a really generic word. If somebody's being asked so in this case, if A small nonprofit is being asked to have a penetration test, the best thing is for them to go back to whoever's requesting it, and see if you can actually get the wording of what they're actually looking for. What they're actually usually looking for is a vulnerability evaluation. The difference is a vulnerability evaluation tells you whether circumstances are correct that maybe somebody could break in a penetration test is when we actually hack and do the exploitation, almost every single time when somebody asks you as a third party to do a penetration test, they're really looking for a vulnerability evaluation, the cost is half to 75%. Last, so it's really good to sort of figure that out. But again, that's something there's a bunch of companies in town that do that. That's something that we specialize in, and we'd be happy to talk to anybody that has questions, but that's definitely a requirement.

That's it, David, we just got some breaking news. And this is pretty exciting stuff. You won't be the first to hear this. Yeah, UK just sent this to me, but we're announcing so our cyber event is coming up at the end of August on it's a three day event starting on the 31st. We are announcing that Anthony Lauderdale hit a cyber defense presume is going to be our keynote speaker. We think that is pretty exciting. So I had to break it and bring it up. And, and I know that you're always at SEIBERG with us, man, because, as you demonstrated today, no what's up with all things cybersecurity?

So, David, let me ask you something. What is your if you have a recommendation about executives to getting training, like there's a lot of you know, certification and, and things that are happening that are sort of stewing all around in the marketplace. Do you have any thoughts about that?
by General cyber security certification or more, like you said, for the executive, about general cybersecurity. Um, I think it's good.

I know, it depends. I mean, at one point, you know, when you talk about the executives, I mean, I think maybe that's a slightly separate piece. I I think it's really important for executives and boards become as aware as possible about what's going on with cybersecurity. I think any training that you do is wonderful. The problem is that some people are really good at doing tests, and some people are really good at practically actually applying the information. It's always better to have a certification than and not to do it. So we're definitely an advocate, there's, there's a lot of training out there, there's a lot of free stuff that you can do. So it's definitely a good idea to do any kind of training and get certifications, but it's definitely the learning how to apply it, learning how to actually you know, use it as what's really important. So, there are certifications that are practical, meaning that you have to actually practice penetration testing, practice hacking, not answering questions. You know, when we started out our business, we we brought on a lot of people that had great certifications and had worked great places, and they and they were great people, but they didn't necessarily know how to do some of the work that we were that we were looking to do. So it's that practical approach is is really huge but certifications and training is great.

And and for publicly held companies, you probably know this is that they're looking more at bringing people on their boards that actually are have experience practical experiences, Chief Information, security officers, not just BIOS but definitely cis O's. So yeah, absolutely. Hi.

Yeah. And so and there's a lot of options out there. So one of them which is something that we do is we do a Sisa service, a lot of companies have that. So again, if you're a company with three 510 2050 people and you can't afford a C so methacholine shooter as well as other companies do allow that where we can talk to the board act on behalf of the company. But larger companies, you're right, they definitely are trying to bring in more people with expertise, practical expertise. And it's, it's definitely a really good, it's a really good idea. But again, there is no barrier. If you're a small company, a medium sized company, a large company, you should be able to find the right resources that can help you out for what you're looking to do. And, you know, again, we're happy to help out I'm sure to the tech Council, you guys know a whole bunch of companies that can do that. But nobody should feel that their size or being a nonprofit. So again, we work with fortune 50 companies, we also work with small charitable nonprofits and companies with three to five people and you find out a way to make it work.

And so just as a last piece is your company's penetration test, the pen test recognized by government, by government organizations.
Well, there isn't necessarily a standard I mean, a lot of our customers, our department, department of defense contractors, right, so we do work for them. That's accepted. There is a New which you guys did a series on cmmc which government that's replacing this 801 71, which is something that we already do. We're in the process, like a lot of companies have getting certified, you know, for that. But so far that actually has not even happened yet. There is no exact certification. But we've worked again with, you know, some of the largest names in the industry. And I think as long as you have a reputation, you know that that works for you.

Well, David Kane, founder and CEO of ethical intruder, you can find that out on the lab easy. And if you can't find him, just let one of us know. And we'll make the connection. I cannot thank you for passing in so much information in 30 minutes or a little bit over. And thank you, everyone. Please join us tomorrow at the same time. Thanks, Jonathan for for being my partner on all this work, and we will join you Will you join us tomorrow at noon? Thanks again, David.

Thanks, everybody.