Inspiring Innovation: Leaders in Manufacturing

It’s a dangerous digital world out there, with many threats facing all businesses. In this episode, host Sean Frost is joined by Rob Ward, Polo's VP of IT, who shares his experiences in the company, on his past projects and the role IT plays in the manufacturing industry. He also provides insights into cybersecurity threats, discussing how bad actors manipulate systems and breach security walls, as well as practical tips and guidance on protecting oneself against these threats.

01:17 Guest Introduction: Rob Ward
03:20 Role of IT in Manufacturing
03:46 The Importance of IT in Problem Solving
06:22 Challenges of Cybersecurity
09:17 The Reality of Cyber Attacks
12:31 Understanding Social Engineering
16:07 The Threat of Deepfakes
24:30 Polo's Cybersecurity Measures
28:07 Personal Cybersecurity Tips

Resources:
A Triple Play for Industrial OEMs - Polo Custom Products

https://www.youtube.com/watch?v=xuYoMs6CLEw

https://www.youtube.com/watch?v=SHSmo72oVao

Learn more about Polo Custom Products

Polo Custom Product designs, engineers, and manufactures custom products for OEMs in the medical, fire & safety, and defense industries. Polo Custom Products has experts on staff to globally source and procure your specialty formulation materials. Our experts in quality assurance test and ensure all custom products meet standards and your requirements.
 
This show is part of the ICT Podcast Network.  For more information visit ictpod.net


What is Inspiring Innovation: Leaders in Manufacturing?

Host Sean Frost is joined by experts in the manufacturing industry to discuss bringing big ideas to life. Join us every episode for a deep dive into manufacturing trends, processes, innovation, and how to be successful in the ever-changing world of manufacturing.

Ep09_RonWard
===

[00:00:00]

Sean Frost: welcome back to another episode of Between Two Ferns.

That's what our guest today, couldn't stop thinking of we are actually kind of between two ferns here. So this works out well. So welcome back to another episode of Inspiring Innovation, where we talk all things manufacturing. Today, we're going to talk about all things IT related manufacturing.

So we're going to get into how we help our customers. We're going to get into what IT does in [00:01:00] manufacturing and then we're also going to talk about cybersecurity today. So, please like, subscribe, comment about, you know, anything that you took away from it or anything you want to see in future episodes, but we're really grateful that you are listening to the podcast and we're looking forward to

having Rob Ward, our vice president of IT on today. He's been with the company for 33 years. And, he doesn't know that I'm going to ask him this question, but he's the only other person at Polo that can relate to the pain that I have in working with my father. And so Rob worked with his father and Rob, can you tell us a little bit about what,

what your dad did at Polo, and when that was, and how you guys got started at Polo? Sure.

Rob Ward: So, my father, he was a CFO and Executive Vice President. And, when I started, they needed a programmer to help them convert from an [00:02:00] IBM System 36 system to an AS400 system, which is a different, just a different mini computer system as a conversion.

So I was hired on while I was still in college to do this part time to help convert this. But at the time they had, no place for me to sit. So I ended up sharing an office with my father, which was a little uncomfortable. But it was helpful because he was the one that did all of the programming on the System36.

so that was helpful to try to understand when converting these systems over. and from there, over time, you know, this is early days, we're talking 30 plus years ago. It was, there was no IT, you know, so that was, I was just the lone programmer working on stuff. And over time, of course, we built up and, you know, as technology expanded, the IT department.

And then today we're, you know, a little bit larger than one person. And of course, we have a lot more, a lot more infrastructure to handle. And of course, technology now is a key part of the business.

Sean Frost: Absolutely, and I was [00:03:00] blown away when I came to Polo just a couple years ago with how robust all of our systems are.

And so you guys are doing a phenomenal job and you have a great department and do great work. And so I'm excited to, to share your expertise with, with our prospective customers and our suppliers and all the people that tune into this. So thanks for joining us today. And where I wanted to start was just talking about what does Polo IT department do to help our customers?

Rob Ward: there's a myriad of things that we do and have done in the past. a lot of integrations with either customer systems or we have customer integrations within our system. Things, order processing, things like EDI, traditional EDI or even customer integrations.

we help them solve problems, whether within their supply chain. We provide customizations within our own ERP to accommodate unique situations a customer may have. And then, the one [00:04:00] thing that I'm proud of is that we really do help the customer solve problems within their own supply chain. It's not just IT, but the whole team is on board when we have a new customer to help them succeed.

And, so in that, we really do try to help be Just another segment of that customer's own business to help them along.

Sean Frost: Yeah, no, that's a really good point. That was one of the early things when I got to Polo was, you know, looking at what we market. And to me, it was all of those things.

Our product development team, our supply chain team, our quality team, our Manufacturing team and our IT team because it takes the whole, bit and caboodle working together and moving in the same direction. and you guys have been extremely instrumental in getting those third party systems to work with ours and, and creating reports, like you said, that help us [00:05:00] identify issues before, they become, you know.

big issues for our customers.

Rob Ward: Yeah. We try to help mitigate that, try to make things more efficient. Yeah. Full. We're always a full partner with all the departments and our customers and trying to make things move as smoothly as they can.

Sean Frost: Yeah. Yeah. And you guys do a great job and have a great team. What, what all does IT do at Polo?

there's a lot of buckets there.

Rob Ward: A lot of times people have a connotation that, you know, IT is just a bunch of nerds hacking on a computer in the background.

And there is a little bit of that. I'm not going to lie. But, you know, at a high level, basically IT is that we through the use of technology, help the company solve problems, maximize efficiencies, and innovate. And that's kind of the top high level overall. Now underneath there's a lot of stuff happening under the covers, you know.

All the servers, the networks, the [00:06:00] devices, they have to be efficiently managed and audited and logged and there's a lot of stuff happening along many different levels. We also have to govern the whole system, so through that governance it's either through policies, procedures, training, and then of course we have to protect it all as well.

And of course everyone hears about cyber security these days. So protecting it's very important to protect the company's intellectual property and data. And we do that through a myriad of things. It's a never ending battle, really.

Sean Frost: Stay ahead of the bad guys.

Rob Ward: Yeah, you try to. Try to stay ahead of the bad guys. Unfortunately, you know, you try to secure your system, train your people as well as you can, but, you're always the, you have to cover everything, and the bad guy only has to find a single point of failure.

which, unfortunately, that really is, our most important asset in the company is people. And that's also our most vulnerable asset, so training is probably the highest point of any [00:07:00] security program that you can put in place. It's to make sure your people understand how bad actors will, use you to, just basically find a way to hack you.

Right,

Sean Frost: right. Yeah, it's amazing to me the amount of effort that these bad actors go through. I'm like, just, you know join a company and do something productive in the world,

Rob Ward: rather than hold them hostage. It's a multi billion dollar business, and they run it like a business. They have quotas, they have campaigns, and so you have to think about it that way, is that if they're a business, and their business is not, you know, it's like organized crime, so you Have to protect yourself in ways maybe you don't always see, but you also have to realize that you can't be 100 percent protected, and that you could have a breach, and so you have to have a plan for if a breach happens, what do you do, and how do you deal with it.

Sean Frost: [00:08:00] so you gaVe a lot of examples of what IT does. Can you give us an example of A concrete example of those things. I mean, I think about the ERP system and, how, you know, all the inputs and outputs

you could answer almost all the questions when we've got these collaborative team meetings. So, could you talk a little bit about that? Because that was a huge undertaking to implement that system, I know it was a number of years ago now, but can you talk a little bit about that and give some other examples, too, of what

Rob Ward: IT is?

Yeah, sure. you know, one of the advantages I see that IT has with the number of years my team has with the business is the experience we have within it, not, and then IT has the unique opportunity to touch every aspect of the business. And so, when there are issues, we understand how A and B fit together, so

sales may not understand what accounting does in the background, but IT does. So if we're included in those conversations, a lot of times we can help them understand what the limitations or restrictions may [00:09:00] be on implementing some kind of solution or fixing a problem. You know, why is it we have to do it this way?

Those kinds of things. and that also helps us innovate, with that knowledge, so that if we're working through an issue or a restriction, how can we work around it? How can we make it better? Work smarter, not harder. That's right.

Sean Frost: You guys help us a lot so, let's dive into cybersecurity cause there are crazy things happening on a daily basis.

I remember a couple of weeks ago now, and not at this. Won't come out for, another couple weeks, but there was an instance where, two major casinos were cyberattacked. And I think they took different, different courses of action. but can you, can we talk about cybersecurity and some of those incidents and, and then we can get into some of how they engineer these hacks?

Rob Ward: Sure. So, if I have memory serves me right, [00:10:00] both casinos were attacked with a version of ransomware, which is basically, the bad actors get into a system, and they figure out how their network works, and put in their back doors, and then when they're ready to execute, they send out software that encrypts their data, en masse, and so, and usually it'll happen, you know, when there's the least amount of activity by the IT team, weekends, holidays.

so it's a nightmare for IT and the business, but then when you are in a ransomware attack where you've got encryption, they'll send you a message saying, Hey, if you want your data back, send us this amount of money, usually in Bitcoin, and we'll give you the encryption key. Now, our government will tell you don't ever pay them. Sometimes a company will decide that it's their best way to recover quickly. But the problem there is you don't know what else they got into. You haven't figured out yet where the back doors they put in were. you need to do a bunch of forensics.

So, best thing is don't ever pay them. But in the case of a casino, one [00:11:00] casino didn't pay. I went and said, we're just going to recover all our systems, figure out, you know, the forensics and everything. So they were down for a little while, while they did that recovery. And of course, with that, having a good recovery plan, knowing, what your critical, most critical systems are you have to bring up first.

and so that's the ones they focused on, did the forensics on first, and then just go through the system. It can take them weeks to get it fully recovered, or months, I believe, one, judicial system here in Kansas is still working on a recovery, and that's been months. The other casino had a, a large conference coming up that weekend, and they couldn't afford to be down, and so they took the risk and paid the money.

So that they could get their systems decrypted. So, each business has to weigh the risks. So, ideally, you want to have a good recovery plan and a way to recover, but there is problems with that to the business because of the amount of time it takes and resources.

[00:12:00] And, so why did these companies get hacked? Again, I mentioned earlier is that you can have, you know, of course casinos and banks and other high value companies spend a lot of resources on cybersecurity. The problem is that every company has the most valuable asset, people, and people aren't 100 percent secure, no matter how well you train them, because social engineering is the main vector in which they get into a system.

And, So you have to train on that, and social engineering is, it plays on our emotions, and it's easy to, pick up on, especially someone maybe when they're not paying attention, or they're busy, or something else on their mind, they may do something and not even realize that they did it, so you have to train, associates to always be aware, always be a little suspicious of anything that's asking for something, or playing on a fear, and [00:13:00] that's part of the training that you really have to get into.

Sean Frost: you told me previously an example of what some people try to do to prey on big companies, and that was new employees. Can you share that

Rob Ward: example? Sure.

so, if I'm a bad actor and I want to try to gain some information out of the company, I could, Go and browse LinkedIn and see if I can see some recently created profiles or profiles that have changed recently. Hey, I just got a new job at Polo, you know, and they might be posting something or they, or you might just be looking at that

they changed job positions recently. so once you've got that associate, you figure out, well, what position are they in? And then you might go dig into the company's website and see, well, who are the executives of the company? Set position with that, you know, try to, basically, we'll try to connect the dots.

They'll do some homework first, try to connect the dots, and then they'll, use a social engineering, tactic to [00:14:00] contact the associate. Maybe it's a simple, okay, this is, a large company, they just started, so I'm gonna call them and pose as IT. and say, hey, this is IT, I need you, we're going to do an update on your laptop, and I need you to go to this site and, put your login credentials in, and then it's going to have a file for you to download.

Associate being new, maybe not trained yet, is going to, probably do that. And then, that's the attack vector then that associate does. Now, bad actors are very patient. they won't immediately attack a system just because they got in. This could have happened months ago. And they've already got in, they kind of weed their way in, they try to keep their activity on the down low so that it doesn't trigger all the other tools we have to try to find those kind of anomalous behaviors.

And so once they can get into a system and figure out where the good pieces of data are, then that's when they're ready to trigger. It could be that they use ransomware, or actually it could be all three. They could use [00:15:00] ransomware, and they could have downloaded all your IP data, and they could have, Basically put in other tools so that even after you think you're cleaned out and got it fix it after they say they ransomware You're encrypted, but they've also got your data besides ransomware.

They're telling you. Hey, we got your data We're gonna put it on the dark web for anybody unless you pay up extra because maybe you recovered didn't do the ransomware so they'll do that. And then the other thing they can do is with some of those other tools is they can bring your system right back down If you didn't find them Yeah.

So they're really nasty.

Sean Frost: That's terrifying. And I don't envy your role at all. I guess, especially you said they like to target nights, holidays, weekends. that's yeah. looking around the corner at every turn almost.

Rob Ward: Thanksgiving recently, so every holiday, do a little extra work to ensure, you know, looking at the, our learning system to see if there's something weird going on.

Especially when we know people aren't at the office. So if we see activity, logins happening and stuff, those [00:16:00] kind of alerts happen over the weekends.

Sean Frost: Alright, yeah, so, now that I'm sufficiently terrified, Rob, what, let's go even deeper. What are the different types of social engineering that people can do and some examples of those?

Rob Ward: Sure. so all social engineering attacks rely on, communication that invokes some sense of urgency. Or fear, or empathy, or similar emotions. it leads the victim to react and reveal sensitive information, or maybe click a link, download a file, anything that basically gives that attacker some kind of in into the company.

there's several different types of ways that they'll use that. You know, email is the most common, you'll, phishing is what they call it. cause it's cheap and easy. So, you'll see, There are spam filters catch a lot of it, but there's a lot of what we call spray and prank, where they'll create this, email that maybe it looks like it's from Microsoft or something, but it's got some dispelling in it.

The from address doesn't say it's from Microsoft. You know, it's pretty easy to catch. And so [00:17:00] those go out, and once in a while, one will get through the filters. And so we want to make sure people are well trained on identifying those. the more difficult ones is where, say an attacker has breached another company.

It's one of our customers or partners. Now we're getting an email from someone we trust, and they'll craft the email using their signatures, they'll craft the email with their logos, it will look legitimate, but it's, again, you have to teach the users to look for those, social engineering triggers.

Since the urgency, it's an unusual request, it may be out of the blue, maybe you haven't talked to the supplier in months, and all of a sudden, they're sending you something requesting, something, and so you have to always, be suspicious. What do they call that? Trust but verify? Yeah, yeah.

So, email is the most common. text phishing is another one that, you can get. They call it smishing. you'll receive a text, and it could be So, if we're doing a targeted attack and, I want to target, say this new employee, I figure [00:18:00] out that, her mobile number is, and so I'll send a text, and I can even spoof the text, number that it's coming from to make it look like it's from the CEO's phone.

Say I know the phone number of the CEO, the mobile phone of the CEO, you can spoof it. So now the user thinks it's actually coming from our CEO, and then in the text I can say, Hey, I'm at this meeting or something, and I have a really urgent request for you. Can you go get me some gift cards for Apple, right?

And so the associate may go like, well, geez, the CEO's asked me to do that, I better go do it. You know, and so they'll go out and, you know, say, get me a dozen 500 Apple gift cards. And then they'll, once you've done that, then they'll ask you to scratch off the code on the back or something, because that basically gives the hacker.

So that's one, one that's common, but, I think it's gotten less now because people are more aware. So the other, dangerous ones is obviously if they're spoofing the [00:19:00] number and they're asking a request. Again, always be suspicious if it's something out of the ordinary, urgent, tries to play on your sense of empathy, fear, and

other emotions.

on the tech side where, this happened actually happened to my mother. My mother got a text from, especially from my son, saying that, he was traveling in Mexico and had gotten into some trouble and needed some money wired immediately. And, she was really concerned.

Luckily, she called me and I said, no, our son is not in Mexico. No, don't send any money. Just don't respond. I said, he wouldn't have sent you a text anyway. He would have called you. So that's also another way that they can get you. And then that kind of gets into what I'm gonna going into next, which is, it's called phishing, which is a is voice phishing or social engineering with a voice call. Now, with these, if your attacker's actually talking to you, they're gonna be very charismatic and very convincing. It's very easy to, to [00:20:00] let your guard down. an example, and I saw this at a video that they had a security conference.

it's basically, the attacker used a YouTube video of a baby crying in the background and then called in to a mobile phone company posing as the wife, of the account holder. And so the account holder couldn't remember the account name, so they didn't have a login name and she was desperately needing to get in the account to make some kind of change.

And so talking with the support representative and with the baby crying in the background and stressed mom and everything. The support representative ended up giving out the account name, even added the attacker to the account, and then changed the husband's password on the account. So he had full access to this account within about five minutes.

Crazy. And, now this is a little bit back. I think mobile phone companies caught on to this, and they have a lot more rules involved. So if you're seeing this and think, hey, maybe I can do that. Don't try it.

Sean Frost: [00:21:00] Yeah. This podcast is not for giving ideas for your cyber attacks. this is actually for protection.

Rob Ward: So another one, that was pretty interesting, and this uses a little bit

AI

and this was, this happened to a large bank is that the attacker, spent time taking recordings that were public of an executive at the bank. Took the voice of those recordings and fed it into an AI engine to, generate, basically have the computer generate his voice.

And so then he used that to call into, the assistant's office to talk to the assistant. But he picked a time when he knew the assistant was going to be out, so it went to voicemail. So the You know, that way the assistant couldn't talk back or ask questions. It was just a direct, Hey, I need you to do this.

I need you to do it immediately. Anyway, when the assistant got it, and hearing a voice that just sounded like her boss, she went ahead and did the request, which was transfer a lot of money into the attacker's account.[00:22:00] And so that was, I think, the first incidence that the FBI had heard of someone using artificial intelligence to Hack someone else to get that.

So, and that's what they call it, deep fakes. And so now DeepFakes aren't only voice, they can use it for images and video. And, there's been instances of that happening where they will, you know, send to someone and then blackmail 'em saying, you know, they'd say, me, it's a, an image or a video that's, compromising.

Put your head on someone else and then say, I'm gonna send this to your spouse or your boss, or hr. If you don't, you know, give us money or do whatever they want, you know, give us some information, give them login credentials, whatever. And that's pretty scary that's out there.

Sean Frost: Yeah, it's an extremely scary and we're going into scary times, I feel like, where people can manipulate, you know, with propaganda, with all sorts of different [00:23:00] messages that look fairly real.

At this time, Can you kind of tell? Are there signs that a certain video might be a

Rob Ward: deepfake? Luckily, the AI engines aren't, as sophisticated yet where we can't tell. There's a few telltale signs, you know, unnatural eye movements, lack of blinking, unnatural facial expressions or body shape. Just something that looks a little bit off and usually can tell, but they're getting better.

And, fortunately, I mean, I'm not even sure. I guess they'll probably use AI to determine whether it's deepfake or not. But yeah, it's scary because now some of the news content that you see on the internet may not be real. I mean, it may have taken one thing and then deepfaked it to make it another because they're pushing their own agenda.

Sean Frost: That is really scary because people are already having a hard time trusting information and knowing where to get it from, and now we're throwing in new factors to make it even more, untrustworthy. So,

Rob Ward: you know, I'm feeling old now, because it's like [00:24:00] the old days. you had three outlets for your information.

You had newspapers, radio, and TV, you know? And so you had to trust that because you weren't getting it from everywhere, which again, you know, luckily we live in America where it wasn't Controlled by the government, but, now when you can get it from everywhere, you don't know what's real and what's not.

Sean Frost: Yeah, so It's a little scary. It is. Scary times. so,

Now that we're all sufficiently terrified, what are some of the things that Polo does to protect our

Rob Ward: information?

Good question. So, what we implement at Polo to help protect our systems is we use a framework that is put out by the National Institute of Standards and Technology, or NIST. they have a framework, specifically a publication called 800 171 that is used by the, Department of Defense for controlling unclassified, information.

And that framework has also been vetted by a lot of companies and other federal [00:25:00] organizations besides military. And so it's becoming probably a standard now that you'll see, in other companies or other, state agencies and stuff are starting to, Bring this as the standardized, cybersecurity framework to use.

so we're following that and, what that entails, it's about 17 different areas, and I don't want to go into a lot of detail because it gets really technical. But I'll kind of give you an over, overview of a few of the major ones. So, obviously cybersecurity training and insider threat training and the, social engineering tactics are all really important.

that's a key piece of it. And then, things like access control, so, you know, making sure that you have a good onboarding and offboarding process. That you have users only have access to what they need to do their job. So, and that's not necessarily to prevent the user from knowing more about the company or anything.

it's to say, if that user got compromised, what could they get into? So, we don't want them to be able to get into the whole system. So, there's two different parts. Of course, what if that user's an insider [00:26:00] threat? So, we don't want them to get in the whole system. So, those are all important things.

Of course, authentication, you know, multi factor authentication, now you should be using on everything. and then, knowing what you, your devices that are on the network, and the users you have, keeping all that inventory. Of course, auditing everything, and logging what they do is really important.

Not, the auditing helps us, and logging helps one, for if there's an anomaly, something happening that looks out of the ordinary, that we have systems in place to help us determine that's a threat, possibly, that we need to investigate it. The other thing it also lets us do is basically report on changes to the environment, so we have, you know, some configuration management within the environment.

And then, the other part of the framework that's really important is the risk management. So it allows us to basically identify what's the important things to put more resources on, what's the things that, okay, we can't, you know, [00:27:00] what do we do to mitigate this stuff. And so you basically, you layer your network out, you know, like an onion, where you want to keep your important stuff really secured as much as you can, really, audited and logged, and then as you build your outside layers.

You still need it all, but you only have so many resources to deal with, so you try to keep it where it's really important. and then of course, the last one and most important thing is incident response, because a breach is going to happen at some point, possibly. And it could be just as quickly as, hey, we got an alert, but something was out of the ordinary, and we find, oh, they got in.

So then we've got to know, how far did they get? Did they get anything? Do we kick them out in time? You know, those kind of things. And so they want to have an incident response plan that everyone knows what to do. Once we say, hey, we had an incident and, you know, if IT contained it early, then that's great.

But if it got out beyond that, then you want to make sure that everyone in the company understands what we're supposed to do. Yeah, shut it down. Shut it down. [00:28:00] That's right. Don't turn off

Sean Frost: your computer. Just don't plug it from the network. Sorry, don't literally shut it down. So, along those lines, can you talk about some things that we as individuals should be doing to protect ourselves on the internet?

Rob Ward: Yeah, so I'll give you some basic things. the most, the easiest thing you can do is make sure that on any sites that you're getting on is you create unique pass, passwords. Actually, I'll say passphrases, because they're a lot easier to remember. But they should be unique for each site, because if a site got breached, then that password is now on the dark web that they'll use tools and bots just to hammer every other social site out there, or bank, or whatever, to try to, see if your name and password is reused.

So you always want to use unique passwords, or passphrases. longer is better. Anything, I think today now, they're suggesting over 20, 14 characters, 16 [00:29:00] characters. I'd say 20 and 25 is good. But again, having to type that password in, you know, a lot, it can be daunting. And of course, remembering all those is really difficult.

So, you're going to use a password manager, which basically the password manager is, it uses an encrypted vault. So you create one nice long passphrase that you remember. Don't write it down and stuff. And that's the encryption key for your vault. And then the software, it's basically a service that you'll Some of them are free, some of them are paid, but it allows you to install on multiple devices and then you can have them and you can share out passwords with family members or whatnot.

So, so like financial sites, you know, your bank site or whatever, you can use that. Always set up multi factor authentication. that's extremely important these days because if they do get your password, that's your secondary level of protection that they can't get in. and then with multi factor authentication, it's better to have an authentication app on your phone than to allow a site, if they offer it, to allow a [00:30:00] site to text you or send you a voice call, because those can be spoofed, and so the authenticator app is a little more secure.

one of the things that, that bad actors have figured out a little bit is that, okay, so they have this authenticator app, but it sends them, notifications every time. So sometimes people are paying attention and they can like, oh, okay. Yeah. Yeah, I authorize that. I authorize that. And they may have just authorized someone into their bank.

Unfortunately, I think we had an associate here that fell for that not too long ago and didn't realize what it was at the time or was busy and thought, oh, yeah, that's me and authorized it. It was actually so their account got compromised. That was not a company one, that was a personal account, just by the way.

So, that can cause you a lot of pain, so you want to be careful of, you know, I still get on a regular basis. Facebook, [00:31:00] or my Google account, I'll get the account, you know, the verification to allow it or not. And of course, it's not me. It's someone trying to get into my account. The other thing that you can do, on your personal devices, ensure that your personal device, keep your software up to date, your phone, make sure the operating system on the phone is up to date, the apps on it are up to date on your, home laptop or workstation.

Windows patches to be up to date. If you have other software like Office will not make sure that all those the software is up to date with the security patches Because the security patches help basically, there's a whole community of researchers who help find known vulnerabilities in software and they report those to the software companies and software companies Hopefully patch them quickly, and if they don't, those researchers will then publish their work out on the internet.

And then it's up to the company, like, now they have to [00:32:00] scramble because they didn't do what they should have done in the beginning. But those vulnerabilities, when they're known, the companies will patch them and send out the patches. a lot of, especially nation state hacking, stuff, they look for what is called zero day vulnerabilities.

And they pay sometimes a lot of money for them. I'm getting on its head and it has nothing to do with protecting, but just the thought of that is that it's kind of interesting that it's, there's a whole market out there that, people will, research a software system and try to find a vulnerability in it.

And if they can find a vulnerability, that's really high level where somebody just has to go to a website or even just download an image and they can get into someone's system. And get what's called root access, which basically means they can do anything they want in that particular system. those are worth a lot of money.

Yeah. It's a

Sean Frost: whole economy out there. Yeah, there is.

Rob Ward: People's access. I got off on a tangent. I'll get back on here on your own device. I was going to say, you're back to scaring us again. I know. [00:33:00] So protect yourself. It's supposed to be the uplifting, yeah. Well, that's why you do the patches. Do your security patches.

And make sure you have endpoint protection. It used to be called antivirus, but now it's, uh, endpoint protection, that the systems are a lot more sophisticated. They have some machine learning or AI built into them. So they're a lot more sophisticated than what old antivirus used to be. then. If you're really paranoid, and you want to do your activities, then use a sandbox or something.

Use a virtual machine or a sandbox browser where anything you do within that browsing session is deleted as soon as you, in that session. Can't access anything within the operating system. You don't really have that capability, out of the box in most operating systems. So you'll have to, but there is software out there you can do that with.

Interesting.

Sean Frost: Never heard of those before.

Rob Ward: Yeah, sandboxing probably gets a little more too technical. Sure. Well, I mean, I bet there are, you were doing some research in an area. [00:34:00] Yeah, say like researching hackers or had to get on the dark web to do something. You definitely would want to be protected, protect yourself.

Sean Frost: I was gonna say those are probably things that people that are legitimately worried about nation states and dark web stuff need to worry about more. Yeah.

Rob Ward: the nation state stuff's kind of interesting because you would think, Oh, we're, you know, a small medium business. Why would they want anything from us?

But, you know, we do a little DOD work, so, there may be something they're interested in, or again, they're just looking for hapless victims because some of these state nation states are looking for money. So you would think like North Korea would be one or even Russia. Or sometimes they just, you know, they put pieces together.

Just because we have a piece of a component that seems totally innocent, it maybe is part of the larger picture we don't even understand. And so they're using that to try to connect the dots. That's how the Chinese government ended up making, what is [00:35:00] the latest plane? F 15 or something like that? They basically made a copy of American F 15.

And they did that by connecting the dots over multiple years. From different

Sean Frost: suppliers,

Rob Ward: right? Yeah, different suppliers all over the country, all over the world that were making components for this machine. And it's kind of a, the leakage that you don't quite get until you start looking at the bigger picture.

So if I have a company, that's producing wheel bearings for the landing gear assembly, but then the contracting company that sends out that, somebody can be a subcontractor. Sends out that information, sends the, engineering specs for the entire landing gear assembly. When really they only needed the specs for that wheel bearing assembly and maybe what weights and stresses that, you know, so there was a lot less information they required to be able to build the part, but they sent more than that.

And then that company, which might've been very small, they get in, they get that little piece of information, they get a little bit more here and there, and pretty soon they've got the specs [00:36:00] for the entire plane.

Sean Frost: It's pretty crazy. Yeah. Yeah. so. What I'm taking away is that nobody's safe and that there's a lot of ways you've never considered that they can get into Information but trust

Rob Ward: but verify

Sean Frost: yes, if IT's calling you and saying you need this upgrade or links are coming I'll

Rob Ward: call you back at your published number.

Yeah, whatever number you tell me Yeah, same thing if you get someone saying it's the bank and there's a problem and you need to do something go. Okay You hang up and then go call the banks, you know, go look up the bank's 800 number. don't use any information they give you. Just have to be more, more aware of these type of scams.

Yeah,

Sean Frost: that's sufficiently terrifying. Well, Rob, thanks for joining us for the most terrifying episode of Between Two Ferns.

it was great to have you on and thanks for the practical tips on how to protect your information and what you can do. So, We appreciate, [00:37:00] yeah, thanks for coming. We appreciate everything that you do for Polo to protect us. on weekends, holidays, crazy night hours. you and your team do a phenomenal job.

So we appreciate you coming on and representing. It's hard, I know it's hard to get the nerds from the background out onto the camera. So, so I appreciate you jumping out with us today.