Host: Joining us on The Communicators is Jeff Moulton. What do you do?

Guest: We work for a variety of clients, mostly federally focused, on how to protect their networks from cyber attacks and vulnerabilities. We do a lot of risk assessment, vulnerability and penetration testing, and we work with the insurance companies to see who did it, the extent of the damage, how pervasive it was.

Host: Why does Louisiana State have a cyber research center?

Guest: You may not be familiar with the Innovation Center in Louisiana. So we have a presence there. I would argue that it's probably not as mature as I'd like to see it, but it's becoming more and more mature every day. I like to say we have notes on the stand; we're not exactly making music. But I came from Georgia Tech, and I have a big history in the cyber world and have been doing this for many years. Bobby Jindal, back in the day, and King Alexander at LSU wanted to invest strategically, and they thought that creating Silicon Bayou was a way to do that, so they asked me to come down, and I took a look and liked what I saw, and I like the people I'm working with there, and there's a lot of good research in Louisiana.

Host: Is this a growing industry?

Guest: Absolutely. In many facets. A lot of expansion in the insurance world. I think cyber insurance is the most rapidly growing segment among the people that I serve. As you can imagine, hacks like what happened to Target, and the hospitals being attacked almost daily; the federal government, the market, the industries, the banks are getting hacked almost daily now. Some of these attacks are very complex and very pervasive, attacking the infrastructure or the networking components and also doing a lot of social engineering. And one thing I like to say is that the people are more vulnerable, and they can't be patched. If you don't have an educated workforce and people on guard all the time, your probability of getting exposed or exploited is a lot greater.

Host: Mr. Moulton, here at Black Hat we're hearing the term social engineering.
What does that mean?

Guest: Taking advantage of people, and there are a lot of different ways to do that. The class I just taught in Estonia was all about social engineering. We taught people how to find the people who would click on an email with a malicious payload so they can exploit their credentials and network access; that's called targeting, spear phishing. We taught them who is who in the zoo and who can compromise your identities.

Host: What's the point of getting into a network?

Guest: It depends on your motivation. Basically it's financially driven. If you want to beat your competition to market and you want to go out and figure out their secret sauce or get their intellectual property, there are a lot of reasons, but in the Defense Department it's the weaponization of the military advantage: whoever gets to own the network rules the battlefield. So it depends on your application. I would say that for the most part, right now, it's greed, financial advantage, people trying to steal.

Host: We all know about what happened to Target. Well, explain what happened to Target. How much did it cost the corporation, and did they insure against such an attack?

Guest: Their case study is fantastic. It's a classic example, and I use that consistently when I teach a class. I talked about it yesterday. Target did not get hacked. Target was hacked through a third-party service provider that went to the roof and was fixing the HVAC system, and Target did not segregate their system, so when they plugged into the network, they plugged into the entire network, and the people working on the HVAC had malicious software on their computers, and the point-of-sale systems were targeted through that vulnerability. It wasn't Target's system that was attacked; it was the HVAC company's. That said, Target, last I heard, was at almost 500 million cleaning this up. It is a very expensive proposition.

Host: Do companies insure against this now?

Guest: Absolutely.
That's what I said at the beginning of the interview: the most rapidly growing industry. Cyber insurance is the cow that keeps getting milked. They cannot hire fast enough. Digital forensic experts are a specialty; you need to have the CSI Cyber, if you ever watched the show on television. It's pretty much that, but not as sexy. A lot of devil in the details to get things to court and have the chain of custody and preservation of evidence so you can admit the things you find in court. Then it's a little bit even more challenging to prosecute; there aren't enough cyber lawyers and not enough judges who understand the intricate details of what happened.

Host: What does a cyber detective do in a case like that?

Guest: That's a lot longer than we have time to talk about. But we go out and we take, we have three different, we take a snapshot of what happened, so we have the cyber...

Host: A cyber snapshot.

Guest: Of the entire network, what happened, and we reverse engineer it to see what happened: where it is coming from, where it originated from, how did it propagate, who touched it, where did it go, how pervasive was it. Especially in the medical community it's really important, because of the HIPAA regulations. It is a criminal offense if there are medical records or medical identities that are stolen. People can go to jail for it. So in the medical community they're getting whacked almost daily now, and that's fascinating. If you look at the Experian forecast right now, the medical community will continue to get hacked, and it's significantly higher in that particular industry than it is in others. The reason is, why did Jesse James rob banks? That's where the money is. They're 20x more lucrative than credit card information or personal information. So 20x more. That's a lot.

Host: Why are they worth so much? What kind of information do you get?

Guest: Everything. Just about everything. Look at the major one that affected me, which was Anthem.
That one was just a comedy of errors. I teach this again as a case study on what not to do. So they got everything: my mailing address, credit card information, name, Social Security number, home of record, but they claim that there was no medical identity or medical information stolen. They claim that because, A, they don't want to go to jail, and B, I have a very difficult time believing that they truly know what actually was compromised. But they put that out in the letter to cover their butts so they didn't get put in prison. This is happening more and more. You don't have the same rights to your information. In fact, you don't have very many rights at all when it comes to medical records. Your financial records, you can look at Experian, TransUnion, Equifax, and you can see who is opening accounts under your Social Security number. In the medical community you don't have that; the record belongs to the medical institution which provides the services, so it's very difficult to understand what is truly being kept on you, and more importantly, when you transfer from one doctor to the other, it's a struggle to move the record. The record does not belong to you; how the records are being used and maintained and disposed of is a mystery. And there's no standardization across the industry. So you may be compromised, and you go in for an emergency and come to find out someone has already had it out in your name. You only have one appendix. It's a very perplexing problem, and the medical community is not doing enough to protect us.

Host: You talked about how they don't want to go to jail. In this case, would that be Anthem? Are they liable for this?

Guest: Absolutely. Yeah. Anthem is just one example. There are thousands of examples out there. In fact, in Louisiana we have had a couple of hospitals that were victims of ransomware. Ransomware is not something that is going to compromise your identity.
It just makes it harder for the business or the hospital to operate, because they have frozen your records. You have to pay a ransom to get your access back. So it's a little bit more difficult, but it's also safer for the individual, because your data wasn't compromised, so to speak. But the hospital itself has a very difficult time, unless they pay the ransom, getting their information back so they can continue to do business. I tell people all the time, the number one thing in ransomware is to back up your data every single day. Make backups. That way, if somebody does take you down, freezes your hard drive, that's okay: go back one day, lose one day's information, so you can still recover.

Host: So there are some simple steps that people can take.

Guest: Absolutely. I teach a class called Low-Tech Solutions in a High-Tech World. I teach my mom how to practice cyber hygiene, and that's one of my most popular classes. You don't have to be a Ph.D. to understand how to take care of yourself. I use this analogy quite a bit. I tell people we're not going to beat this. I would argue, James Clapper, the Director of National Intelligence, read this to the House Armed Services Committee back in 2015: the cyber threat will never be eliminated. I agree with that. Everything we do at LSU starts with that premise. We're not going to eliminate this threat. We have to learn to live with it. It's a flu virus. We never eradicated the flu virus; we learn to live with it. You do certain things when you're exposed and the flu is going around: get a shot, isolate yourself from other folks that have the flu. There are hygienic measures to take in the physical world that are now being used in the digital world. We have a hard time getting our heads wrapped around it, and now with social media it's getting worse, not better. I'll talk about that in a few minutes. I use that analogy a lot because people understand that. They don't always understand the ones and the zeros.
Host: Well, you mentioned you were going to talk more about social media.

Guest: Social media, in my mind, is dangerous. I don't think that we truly understand the reach and what we're actually giving up. One of my other briefings is called This Is Personal, and there is no privacy anymore. We have become a society where we value convenience over security and privacy, and I think that is a very, very dangerous aspect. Everything that you do, everything that, especially this younger generation, they share just about everything; things that you and I in our generation would never think about disclosing are now out for the world to see. You look at Facebook, giving your friends your personal information, where you're at, out there all day. Your pictures on Snapchat. All over the world, for anybody who friends you. If you wanted to do reconnaissance on an individual, we have made it so easy. Social networks and friends and LinkedIn, where you have been and where you're going on Google Maps. PayPal. Amazon. What scares me more than anything, what is mind-boggling to me, is biometrics. The Office of Personnel Management hack occurred, affected me and other federal people. Our fingerprints were in files. My retinal scans were in those files. That's government. My data is in a database out there, whoever has it, the Chinese or Russians or whatever. These things we're doing now, we don't even blink, don't even think about it. This generation needs to start thinking a little bit more about security and privacy as opposed to just convenience.

Host: So, back to, let's tie in the insurance again, back to the OPM hack. Who is liable, who is paying for this?

Guest: Well, two different questions. Who is liable? I don't know. There's very little responsibility at that level of the government. The last I knew, it took a long time before the OPM director finally resigned, and that took quite a while. The whole OPM case study is fascinating. I use it as what to do in securing digital records. Who is paying for it?
We're all paying for it. Every individual hacked, a hundred million of us and our family and friends. When you go for a security clearance you have to put people down, close friends, relatives, people you have worked with in the past, references, all their information; all that was compromised, every bit of it. And then they sent me a four-page letter, which every one of the 100 million of us got, that says, and this cracked me up, because I use this as a case study, this letter says OPM has absolutely no responsibility and does not accept any responsibility for this breach. I'm like, who the heck's problem is it? You had the data in your servers, unencrypted, all in one file, out there for the world to steal, but yet you're not taking responsibility in this four-page letter. The next two pages counsel me on cyber hygiene. That blew my mind.

Host: If you were running the corporation, would you have the CTO or the CIO in the office next to you?

Guest: The CISO, on a very short leash, the chief information security officer. Their duties are different from the chief information officer's, but they should be working hand in glove. I do not recommend, and I frankly do not recommend, that the CISO, the security officer, report to the CIO. I want that person reporting to me if I am the CEO of the company. I want that person coming straight to me with any kind of problems, not being filtered through a bureaucrat or someone who has a different agenda than the security of the operation. It's too catastrophic when your business comes down. Lloyd's of London put out a forecast that a major digital event could reach the proportions of a major hurricane, between 50 and 120 billion to clean it up. That's big money. One of the biggest, the biggest insurer in the world. And that's kind of scary. I will tell you, as a grandfather of three, two of my three grandbabies have had their digital identities stolen. I am kind of a prophet for cyber hygiene, and I speak all over the world, almost every week.
One thing I tell people, parents, anybody that has children or even is closely associated with children, is that they need to start watching their children's identities from day one. I recommend, just like everybody else, if you have a Social Security number you're entitled to free credit checks. I recommend people start running credit checks on their children at age 2. A little announcement for you. I wanted to show you this. This is the FBI's warning, last week, about the exploitation of children and toys. Again, I spend a lot of time out there talking about this. I want people to understand the danger their children are facing. Children are 35 times more likely to have their identities stolen. The bad guys know they have a 15-year head start. If your child has a credit problem at age three, you have a problem on your hands. Mattel was sued. Why? Because they manufacture Barbie dolls. The Barbie dolls, but the new generation likes interactive toys, so the Barbie doll speaks back to you. The conversations are stored in the cloud. Why in the world would they want to know what a two-year-old child is saying? Everything in that doll records everything being said. So it's not just the children's conversations being had. It's your conversations being recorded too. This is scary, but this is the world in which we live. I make a point to brief parents on what they should do for their children, and that's what gets me. Again, this is personal; one of my bigger briefings is called This Is Personal. I tell people what happened to me. If it can happen to me, and I've been doing this for the most part of my entire adult life, it can certainly happen to you.

Host: Do you need a computer science background to do what you do?

Guest: Absolutely not. It helps, to do what I do on a technical level, absolutely, but not computer science: information systems, networking, anthropology, cryptography. One thing we do as an industry, and I take the long approach on this, is something I, as a prophet for cyber, preach a lot, and I'm in D.C.
Almost every week of my life. The people on the Hill say we have approached this problem in a very... we need to look at it from a different perspective. One thing that I think we need to do is emulate the medical community. I talked about the flu; this time I'm talking about doctors. When you go to be a doctor, what do you do? The first four years of schooling you go through the biology, radiology, physiology, all the ologies. Then you decide if you want to be a certain kind of doctor. In cyber we don't do that. It's gotten so complex that the jack-of-all-trades, master-of-none theory doesn't work anymore. We need specialties. Think about the energy sector, for example, and a nuclear power plant, versus a bank. You could create a mushroom cloud. You need to understand what you're doing and be focused and specialize. You need triage teams: stop the bleeding, contain as much as you can, and eradicate. When it comes down to the actual specifics of that nuke plant, you better know what you're doing. We don't train that way in cyber. We don't need to train specifically for the infrastructure, but the big six is important. It all comes down to money, and sometimes that always gets put in second place. But it's not working now. What we are doing right now is not effective, so what we have done at Louisiana State is taken that approach. We work hand in glove with the Louisiana National Guard, the governor's office, homeland security, emergency preparedness, and this is a local problem. We are doing a great job at the national and state level. You go to D.C. and they have their plan and their continuity of operations and incident recovery, and that's good. We need that at the government level. But this is personal; that's the title of my briefing. This is a local thing. If it's 12 o'clock at night when the flag goes up, the balloon goes up, is that the first time you ever met that person? That's not going to work. This is literally a local problem.
The government, the federal government, needs to be there to support the local community just like they do in a natural disaster. Unfortunately that's not the protocol right now. We're trying to change that.

Host: You mentioned that you have been working in this field for quite a while. Where did you start?

Guest: I started back in the military. I was 24 years in special operations, spent time in communications. We didn't have computers back then, so I grew up with it. I was cyber before cyber was cool. I grew up with command and control, and then command and control communications, and then computers, and now it's cyber. I joke, before the internet I had a job.

Host: What about the wars?

Guest: I don't like to talk about that too much. We had a lot of fun.

Host: Jeff Moulton. Estonia. What's specia