For a living.

Guest: Well, I run all of LSU's cyber research and their applied research portfolio.

Host: And what does that entail?

Guest: For the most part, we do work for a variety of clients and help them protect their networks from cyber vulnerabilities or cyber attack. We do a lot of risk assessment, we do vulnerability and penetration testing for clients, and more and more now we're actually working with the insurance companies to go out and actually see who dun it, what the extent of the damage was, how pervasive was the attack, were the mitigation strategies effective to get rid of the attack, and what details were actually compromised.

Host: Why Louisiana State? Why does Louisiana State have a cyber research department?

Guest: Well, you may or may not be familiar with the Cyber Innovation Center up in northern Louisiana, which was state of the art back in the day when it was built. So we have a presence there. I would argue it's probably not as mature as I'd like to see it, but it's becoming more and more every day. I'd like to say we're not exactly making music yet, but we have notes on a stand. I came from Georgia Tech, NSA before that, so I have a big history in the cyber world and have been doing this for many, many years. Bobby Jindal back in the day, President King Alexander of LSU, decided they wanted to invest strategically, and they thought creating Silicon Bayou was one of the ways to do that. They asked me to come down, and I took a look and liked what I saw. There's a lot of really good research going on in Louisiana.

Host: Is this a growing industry?

Guest: Oh, absolutely. It's an exploding industry. Growing is an understatement. And very many, many facets. There's a lot of expansion both in the insurance world, I think cyber insurance right now is probably the most rapidly growing segment among the people that I serve. As you can imagine, you know, hacks like what happened to Target and to, you know, the hospitals being attacked almost daily, the federal government, the market space, the industries, the banks are getting whacked almost daily now, and some of these attacks are becoming very, very complex and very pervasive, and they're attacking not only the infrastructure or the networking components of that infrastructure, but they're also doing a lot of social engineering. And one of the things I like to say is the people, the people are the one vulnerability that can't be patched. If you don't have an educated workforce and people that are on guard all the time, your probability of getting exposed or exploited is a lot greater.

Host: Mr. Moulton, here at Black Hat we're hearing the term social engineering quite a bit. What does that mean?

Guest: It means taking advantage of people, and there's a lot of different varieties of ways to do that. The class I just taught in Estonia was all about social engineering. We taught people how to do reconnaissance, figure out who they should attack in a corporation that would have the highest probability of actually clicking on an email so we could exploit their credentials and potentially their network, and that's called targeting, spear phishing. We taught them how to do that, who's who in the zoo, who's the most likely person that would give you the most beneficial access to that network.

Host: What's the point of getting into a network?

Guest: Ah, it depends on your motivation, but basically it's financially driven, right? It depends. If you want to beat your competition to market and you want to go out and figure out their secret sauce or get their intellectual property or their market strategies from an acquisition and merger perspective, there's a lot of reasons. But in the Defense Department, of course, it's weaponization of the military advantage; whoever gets to own the network, basically, rules the battlefield. And so it depends on your application, really, to answer that question effectively. But I would say for the most part right now what I'm saying is it's greed, financial advantage. People trying to steal.

Host: So we all know about what happened to Target. Well, explain what happened to Target. How much did it cost the corporation, and then did they insure against such an attack?

Guest: Yeah. The Target case study is absolutely fantastic. It's a classic example, and I use it consistently when I'm up on the podium teaching in class; in fact, I talked about it yesterday. Target itself did not get hacked. Target was hacked through a third-party service provider that went up through the roof, and they were fixing the HVAC system. They did not segregate. What they didn't realize was the people had some malicious software in their computer. Once it's in their computer, it got in the Target computer, and they had at it. The point of sale systems were compromised through that. Target itself, yes, they're to blame because they didn't do their due diligence in shutting their networks down, but it was that HVAC company that got whacked. That said, Target is now, last I heard, it was almost 500 million cleaning this up. It's a very expensive proposition.

Host: Do companies insure against this now?

Guest: Absolutely. In fact, and that's what I said at the beginning of this interview, I think that is the most rapidly growing industry that I'm seeing right now. Cyber insurance, it's the cow that keeps getting milked. I cannot hire enough. Forensics experts are difficult to find; it's a very specialized discipline within the cybersecurity realm, and you need to have the CSI Cyber, if you've ever watched that show on television, it's pretty much that but not as sexy. A lot of devil in the details in getting things to court and being able to have the chain of custody and the preservation of evidence such that you can admit the things that you find in court. And then it's even more challenging to prosecute. We don't have enough cyber lawyers in the country, and we certainly don't have enough judges that understand the intricate details of what happened.

Host: So what does a cyber detective do in a case like that? [laughter]

Guest: Well, that's a lot longer than we have time to talk about on this interview, but we basically go out, we basically take a snapshot of what happened. So we have a cyber snapshot of the entire network, you know, what happened at that point in time. And we basically go back and reverse engineer to see what happened, understanding where the attack came from, you know, how did it propagate, who touched it, where did it go, how pervasive was it. Especially in the medical community it's really important because of the HIPAA regulations, the Health Insurance Portability and Accountability Act; it is a criminal offense if there's medical records or identities actually stolen. People can go to jail for it. In the medical community, and they're getting whacked almost daily now, and it's fascinating in and of itself. More and more, you look at the Experian forecast, they're saying the medical community will continue to get hacked, and it's significantly higher in that particular industry than it is in others. And the reason that is is, you know, why did Jesse James rob banks? That's where the money's at. Medical identities on the dark web, on the places where they exchange and trade, are 20 times more lucrative than credit card information. That's a lot.

Host: Why are they worth so much? What kind of information do you get?

Guest: Oh, everything. I mean, just about everything. The last major one that affected me personally was Anthem. And that one was just a comedy of errors. And I teach this, again, as a case study on what not to do. [laughter] So, and they got everything from my mailing address, billing address, credit card information, name, Social Security number, phone on record. But they claim there was no medical identity or medical information stolen. Well, they claim that, A, because they don't want to go to jail. B, I have a very difficult time believing the fact that truly they know what actually was compromised. But they put that out in the letter because they wanted to cover their butts so they didn't get put in prison. And this is happening more and more. You don't have the same rights to your information. In fact, you don't have very many rights at all when it comes to medical records. Your financial records, you can go out and look at Experian, TransUnion, Equifax and get a credit rating; they understand where you've been, what you've done, what your credit rating is, you can see who's opening accounts under your Social Security number. In the medical community, those records belong to the medical institution which provides the service. So there's a lot less, it's very difficult to understand what's truly being kept on you and, more importantly, when you transfer from one doctor to the other, it's almost like signing your life away to get them to move a record. Knowing what's in them, how they're being maintained, how they're being disposed of is kind of a mystery, and there's no standardization across the industry. So, you know, you may be compromised, and you go in for an emergency appendectomy and come to find out someone's already had it in your name. It's a very perplexing problem, and the medical community, I don't think, is doing enough to protect us.

Host: Jeff Moulton, you talked about they don't want to go to jail. In this case, would they be Anthem? Are they liable?

Guest: Oh, absolutely. Anthem is just one example; there's thousands out there. In fact, in Louisiana we've had a couple of hospitals victims of ransomware. That's not necessarily going to compromise your identity; it just makes the business of the hospital a lot harder to do because they encrypt the records, and you can't get access to them, and you have to pay a ransom, in bitcoin usually, to get your records back. It's a little more difficult, but it's also safer for the individual because your data wasn't compromised, so to speak. But the hospital itself has a very difficult time unless they pay the ransom to actually get their information back so they can continue to do business. I tell people all the time the number one thing is to back up your data every single day. Make backups; that way if somebody does take you down, they freeze your hard drive, you lose one day's worth of information so you can still recover.

Host: So there are some simple steps that people can take?

Guest: Absolutely. I teach a class called Low Tech Solutions in a High-Tech World. How do I teach my mom how to practice cyber hygiene, and that's one of my most popular classes. You don't have to be a Ph.D. to understand how to take care of yourself. We're not going to beat it, and I would argue James Clapper, Director Clapper, briefed this to the House Armed Services Committee back in 2015, said the cyber threat will never be eliminated. And I agree with that. And actually everything that we do at LSU and all the research we do starts with that premise. We're not going to eliminate this threat. We've got to learn to live with it. We have lived for millennia with the flu virus. We've never eradicated the flu virus, right? We learned to live with it. You do certain things when you know you're exposed. The flu's going around, you get a shot, you isolate yourself from folks that actually have the flu. There's hygienic measures that you actually take in the physical world that are now in the digital world. We have a hard time getting our head wrapped around that. Now with social media the way it is, I think we're getting worse, not better. And I'll talk about that in a few minutes. I use that analogy because people understand that. They don't always understand the 1s and the 0s.

Host: Well, you mentioned you were going to talk more about social media.

Guest: Absolutely. Social media, in my mind, is dangerous. I don't think that we fully understand the reach and what we're actually giving up. One of my other briefings is called This Is Personal, and there is no privacy anymore. We value convenience over security and privacy, and I think that is a very, very dangerous aspect. You know, everything that you do, everything that, and especially this younger generation, they share just about everything. Things you and I and our generation would never even think about disclosing is now out there for the world to see. Look at Facebook. You're giving all your personal information, where you're at, out there all day. You know, your pictures out on Snapchat all over the world for anybody that befriends you can actually, I mean, if you wanted to do reconnaissance on an individual, I mean, we've made it so easy. Your social media and your friends and LinkedIn, where you've been, where you're going on Google Maps, PayPal. All your records in Amazon Web Services. And what really scares me more than anything, it's just absolutely mind-boggling to me, is biometrics. I mean, the OPM, the Office of Personnel Management hack not long ago affected myself. Our fingerprints were in those files. My retinal scans were in those files. That's really personal. If I ever wanted to go undercover, I could never do it because my biometric data is out there. These things we are doing now, and we don't even blink. This generation needs to start thinking more about security and privacy as opposed to just convenience.

Host: So back to, let's tie in the insurance again. Back to the OPM hack. Who's liable? Who's paying for this?

Guest: Well, those are two different questions. Who's liable? I don't know. There's very little responsibility at that level of the government. The last I knew it took a long time, but finally the OPM director resigned, and that took quite a while. The whole OPM case study is absolutely fascinating, and again, I use it as, again, what not to do in securing digital records. Who's paying for it? All the individuals that got hacked, 100 million of us and our family and friends, because when you go for security clearance, you have to put down friends, relatives, people you've worked with in the past, references, all their information. All that was compromised, every bit of it, you know? And they sent me a nice little four-page letter, which everyone, you know, 100 million of us got, that basically says, and it really cracked me up because I use this, again, as a case study in my teaching, OPM has absolutely no responsibility or accepts any responsibility for this breach. And I'm like, well, who the heck's problem is it? You had the data in your servers, unencrypted, in one file, out there for the world to steal, yet you're not taking any responsibility for it? The next two pages counsel me on cyber hygiene. That just blew my mind. I could not believe they had the audacity after they lost our records to do this.

Host: Would you have the CTO or the CIO in the office next to you?

Guest: I would have the CISO on a very short leash.

Host: Which stands for?

Guest: The chief information security officer. Their duties are somewhat different, but they should be working hand in glove. But I do not recommend, and I do this quite frequently, I do not recommend the security officer report to the CIO. I want that person reporting to me, and I want that person having unobstructed, and I am the CEO of a company, I want that person coming straight to me with any kind of problems that are not being filtered through a bureaucrat or someone else that has probably a different agenda than the security of the operation. This is too catastrophic right now. When your business comes down, if you just saw last week, Lloyd's of London put out a forecast that a major digital event could reach the proportion of a major hurricane, somewhere between 150 to 200 billion dollars to clean it up. That's the biggest insurer in the world. And that's kind of scary. But I will tell you as a grandfather of three, and two of my three grandbabies have had their digital identities stolen, I'm kind of a prophet for cyber hygiene, and I go out and speak all over the world almost every week. One of the things I tell people, parents, anybody that has children or even closely associated with children, is that they need to start watching their children from day one. I recommend, you know, because just like everybody else if you have a Social Security number, you're entitled to three credit checks. I recommend people start running credit checks on their children at age 2. And I actually brought an announcement for you. I didn't know if you saw this or not, but I wanted to show you this. This is the FBI's warning last week about the exploitation of children in toys. Again, I spend a lot of time out there proselytizing this. I want people to understand the danger children are facing with these new devices and toys even. Children are 35 times more likely to have their identities compromised than adults. 35 times. Why? The bad guys know that they have a 15-year head start. So if your children, if your child has a credit problem at age 3, you've got a problem on your hands. Mattel, a few years ago, was sued. Why? Because they manufacture Barbie dolls. The Barbie doll is made by Mattel; what the new generation likes is these interactive toys, right? So the Barbie doll speaks back to you. Those conversations are stored in the cloud. Why in the world would they want to know what a 2-year-old child is saying? Guess what? Everything in the purview of that toy, that doll records everything that's being said. So it's not just the children's conversations that are being had, that's your conversations that are being had. This is scary. But this is the world in which we live. So I go out and make a point to brief parents on what to do for their children. And that's really what gets me. And, again, this is personal. One of my bigger briefings is called This Is Personal, and this is why. If it can happen to me, and I've been doing this most of my entire adult life, it can certainly happen to you.

Host: Do you need a computer science background to do what you do?

Guest: Absolutely not. It helps, well, to do what I do on a technical level, absolutely. I would say not computer science, but information systems, networking, cryptography, the different aspects of cybersecurity. One of the things we do as an industry and I think we take the wrong approach on, and this is something, again, I'm a prophet for cyber. I preach a lot; in fact, I'm in D.C. almost every week of my life, and the people on the Hill say, look, we need to look at it from a different perspective. One of the things that I think we need to do is we need to emulate the medical community. I'm not talking about the flu this time, I'm talking about theirs. When you go to be a doctor, what do you do? First four years of school you're going through biology, radiology, physiology, and then you decide if you want to be a neurosurgeon or a podiatrist. Same human body, seriously different ends, and you need different skill sets for those different things. In cyber we don't do that. This cyber, it's gotten so complex. A jack of all trades, master of none theory is not going to work anymore. We need to specialize. The things that you do in the energy sector, for example, a nuclear power plant from an incident response perspective versus a bank? I mean, theoretically you could create a mushroom cloud, right? You need to understand what you're doing, you need to be focused and specialized. Yes, you need triage teams, stop the bleeding, stop the attack, make sure that you contain as much as you can. Then you eradicate. But when it comes down to the actual specifics of that particular, you know, say a nuke plant, you better know what you're doing. We don't train that way in cyber, you know? I'm not saying we need to train specially for all 16 critical infrastructure sectors, but I think the big six would be a good start. I've been working that quite a bit, and unfortunately, it all comes down to money, and sometimes that gets put in second place. It's not working now; what we're doing now is not effective. So what we've done at Louisiana State is taken that approach. We work hand in glove with the Louisiana National Guard, the governor's office, homeland security, emergency preparedness. This is a local problem. We're doing a great job at the nation-state level. You go to D.C., and everybody's got their plan and their incident recovery and all that. And that's really good. We need that at the government level. But when it comes down to it, it's personal. This is a local thing. If you're doing an incident response and it's 12:00 at night when the flag goes up, the balloon goes up, and that's the first time you've ever met that person? That's not going to work. I mean, this is literally a local problem. The government, the federal government, needs to be there to support the local community just like they do in a natural disaster. Unfortunately, that's not the protocol right now. And we're trying to change that.

Host: You mentioned that you've been working in this field for quite a while. Where did you start?

Guest: I started back in the military; I was 24 years in the Air Force, special operations. Spent time in communications. Back then we didn't have computers. [laughter] So I kind of grew up with it. I like to say I was cyber before cyber was cool. I grew up with command and control, and then command and control communications and then computers, now it's cyber. I joke once Al Gore invented the internet, I had a job. [laughter]

Host: What about the NSA? What'd you do?

Guest: I don't like to talk about that too much, but we had a lot of fun. [laughter]

Host: Jeff Moulton, Estonia. What's special about there? Why do you travel to Estonia?

Guest: Two, several reasons. One, Estonia is probably the most digital economy in the world. Granted, they're a lot smaller, about 1.3 million residents, so it's a lot easier for them because the scale is less difficult. But they were hacked by the Russians several years ago, and they learned a valuable lesson. They basically stated this will not happen again, and they have done a tremendous job. The guy that runs the university cyber program is a good friend of mine. He's a German fellow, Olaf Maennel, and he actually came from the University College of London, which is where I first met him, and he asked me if I'd be interested in coming over and teaching them in their summer programs. And it's really a fascinating curriculum because this is not the normal, conventional course. This is a hands-on exercise that takes theory and puts it into an application mode. I'll give you an example. Last year we had lawyers working with digital forensics investigators, hand in glove, to go out and actually investigate the crime, put the evidence together, bring it to the court and actually do a mock trial and present their evidence. And this is, I mean, this is the way you should be teaching. Practice coupled with theory; it's a really good program. I'd like to see more of that in the United States.

Host: As we move to be a more and more and more digital economy and country, aren't we just asking for more problems? [laughter]

Guest: Absolutely. If we don't get our act together, I think you're going to see some major, major catastrophes. So there's a couple of things that I'd like to, you know, again, I like to soapbox every now and again. As a professor, you get to do that. We are behind, I think, in a lot of things. We are very, very good technologically, but we cannot keep our laws up. One step behind all the time, and I would argue ten steps behind. The European Union has just now instituted, and, in fact, it goes into full effect in 2018, the GDPR, and it basically holds companies accountable for identity theft and breaches. And there's a lot of, basically, it gives the individual the right to control their data regardless of who keeps it. If you want to opt out, you can opt out. They must actually send you out. You know, I have a couple of things that I usually use for my predictions. I have people ask me where do you see the world going; I think you're going to see the cyber insurance company go crazy, more sophisticated attacks that are going to be targeted at specific businesses. You're already seeing that now in the banking industry, exploiting protocols. You're going to start to see companies, and I would argue even individuals, held liable if they don't secure, and let's use an example of the gun industry, right? So if you steal a gun out of my house and use it in a crime and I didn't secure that gun, I can actually be held liable for the prosecution of that crime. Because I basically did not do my due diligence in locking that weapon up. It's going to be a while, but I think it's coming. The FTC's already sued Wyndham Hotels for their last breach because they did not do due diligence in securing their components. If your home router's compromised and used in the perpetration of a crime, I think you're going to be held liable for that. The industry's moving that way. That's why the insurance companies are getting ahead of it; they see it too. Once that happens, then people will start taking this seriously.

Host: Jeff Moulton with Louisiana State University, where he runs the Stephenson National Center for Security Research and Training. Thanks for being with us on The Communicators.

Guest: Thank you for having me.