11_Best_Practices_for_Cybersecurity

9:50PM Mar 1, 2024

Speakers: Eduardo Meléndez, Urayoan Camacho, N'gai Oliveras, Carlos Peña

Keywords: cybersecurity, data, information, organization, talking, companies, CISA, privacy, protect, Puerto Rico, security, controls, threats, mentioned, ransomware, vulnerabilities, report, handle, critical infrastructure, attackers

And this is the panel that is joining us today and will give us this input on cybersecurity and the best practices. So we have a couple of questions. And first of all, we're going to mention the description of the topic that we're going to discuss today. So we want to discuss best practices for data privacy in cybersecurity, where you will gain valuable insights and practical skills to protect your personal and organizational information. Led by industry experts, and we have them here, this interactive session will cover fundamental principles and strategies for safeguarding data, mitigating cyber threats and complying with privacy regulations. Whether you are an individual looking to enhance or improve your online security, or a professional seeking to strengthen your organization's data protection practices, this session is tailored to meet your needs. So we're going to start with an introduction from Urayoan. And please feel free to jump in, any of the panelists, in case one is short with something and you understand that you need to add more information; please just jump in and help us out. Okay, so in the first question that we have, the introduction, we need to provide an overview of the session's subject. And in general terms, we want to address the topics that will be discussed during the colloquium, which I mentioned previously: the importance, the impact of taking measures and not taking measures, who are the actors that are constantly assessing, profiling and engaging in activities to discover and disclose our whereabouts, our personal information. This is related to the previous panel that was talking about data privacy, so it relies on the previous point. And what is our security? And of course, we want to connect this cyber topic to data privacy, as we mentioned before. So, Urayoan, if you can, sure, help us.

Well, first of all, thank you for this opportunity. I really appreciate your support. And so I think that the first thing that I would like to mention is the difference between cybersecurity and data privacy. That is one of the big issues; there is a lot of confusion there. First of all, you know, cybersecurity is mostly about protecting the systems, the networks, the programs from digital attacks, and obviously it is connected to data privacy, but it's a different thing. Okay. One thing is defending the network. And data privacy itself is about the handling, the processing, the storage, the permissions you have to use that information. I see that it is very important to classify, because there's a lot of regulatory compliance that goes around that. And they are both together. So that is something very important. Now, the impact of the measures. If we talk about impact, we need to talk about several things: what if we don't have those measures, and what if we have them? Okay? The impact of data privacy is that it protects individuals from identity fraud, identity theft, financial fraud, personal harm, especially if you're talking about electronic medical records, insurance claims; but at a national level, we're talking about our rights as individuals. We're talking about national security protection, we're talking about other transactions that can be included. Now, not taking those measures is the negative part of it, because then you get financial loss, you get a lot, I mean a lot, of liabilities, which translate into more financial loss, and that always has a deep impact on our social and economic life as citizens of a country or a state, and the erosion of customer trust if you're a private company; but when you're talking about the government, we're talking about geopolitics, national security. So the impact of not having proper cybersecurity controls and privacy controls can expand to a sea of problems.
Now, who are the actors typically involved? It is not only cyber criminals, or governments that are your geopolitical adversaries; we're talking about private industry, advertisers, marketers, data brokers. And this is something that is really scary. Because if you have a business that is not regulated, and it is taking information from other countries, what are the legal processes for you to protect your data? I loved, by the way, the previous conference that I was listening to recently, because these are important things that we must take care of, especially now in the quantum computing era, and deepfakes. So this is just the tip of the iceberg. But there are many things happening. And I think that will be my two cents for the introduction.

I will make a comment there. Now I'm relying on what you mentioned, and from the previous presentation, we have two components here: the civil rights, and at the same time, in the same way, you know, we have the privacy, we have the security, we have the social components, the different infrastructures that we as the population also rely on. So, two things to think about and to weigh, which are data privacy and civil rights. But that is just a comment to introduce, based on the previous agenda and the introduction from Urayoan. Thank you, Urayoan, for your introduction. Thank you. Great, welcome. So the second question goes to N'gai, Mr. Oliveras. And it has to do with foundational cybersecurity, and basically what we want to do is have a brief explanation of the importance of security. And of course, it must be developed relying on the core concepts of risk, impact, severity or loss, threats and vulnerabilities. So, if you can help us out?

Thank you. Yes, let me give you a brief introduction about CISA, if you ever heard about CISA, the Cybersecurity and Infrastructure Security Agency, the agency that is under the Department of Homeland Security. As it states, we are America's Cyber Defense Agency. Our main responsibility is to protect the federal civilian networks, and also our main mission is to protect all the critical infrastructure of the United States. The critical infrastructure is divided into 16 sectors, and covers energy, water, health, education, information technology, nuclear reactors, and, you know, it's 16 sectors. So our main responsibility is to go and help the private sector, because the private sector right now is the one that handles and operates 80% of the critical infrastructure in the United States. So the critical infrastructure is not in the hands of the government; it is in the hands of the private sector. So that's our big challenge: to get there and help them elevate, you know, their cybersecurity posture and help them minimize the risks of cyber threats and any other threats in the real world that can, you know, impact national security, impact the services to the American citizen. So one of the main things that we do is help, as a nation, the stakeholders raise their awareness; we give free, you know, tools in order to help them enhance their cybersecurity. One thing that I am glad about is that we can, you know, draw the line in the sand between what is cybersecurity and what is data privacy, because sometimes there is some confusion there. You know, cybersecurity is, you know, we want to protect, we want to prevent and help the entities be more resilient.
Data privacy is about managing the data: data classification, data retention, you know. Sometimes companies, you know, ask too much information about the citizens, about the clients, too much information, and they put themselves in the spot that they then have to protect all that kind of information. And one thing that we also always try to tell them is, you know, just ask for the right information, nothing more, nothing less. And, you know, every time we go to, for example, a medical appointment, are they asking for the right information? I agree with you: for a medical appointment, you don't need my social security number. So we have to, you know, create that awareness, also in the hands of the consumer. You know, we already give all our personal information to all the, you know, commercial establishments, because you go to a pharmacy, a very well-known pharmacy in the States, and for a $5 bonus you give all your information. So it's a responsibility both ways, you know: the consumer has to be conscious that they give all their information for a bonus, for a $5 credit in the store, and the organizations, the entities, have to be more aware not to ask too much information about their clients and so on. So,

in that same line, can you then mention the threats and the vulnerabilities when we expose ourselves in this open world with these companies, where we want the coupon, we want a reward or something like that? So what are the vulnerabilities, and what are the threats when we expose ourselves? And if you can, of course, talk about something that you mentioned already, the patterns, those patterns that people should prevent to protect themselves, even when maybe there is a lack of regulations and companies do not handle data properly, and we are exposed, as Urayoan mentioned. So, if you can give us some light on that?

Yeah, like I mentioned, we need to create awareness, you know, and one of the main things that we at CISA do for the private sector and public sector is awareness, you know: go there and try to tell the people. For example, we have a phrase that says cybersecurity is for everyone; the question is, what is your role in cybersecurity? It is not that this is the IT department that has to handle it. No, cybersecurity has to be in the minds of everyone. Everyone in any organization, everyone back home, you know, because all of us have phones, smartphones, we have smart TVs, we have smart bots. And we're connecting a lot of these systems, you know, back home. So, you know, in organizations, that system, for example, they're vulnerable, you know; the last thing that you need is a hacker hacking into your home through a light bulb. You don't want that, because the light bulb right now uses a username and password, and you have to update the firmware, whatever, or you don't get your software updates. So it's very complicated. So the consumer has to be more aware about all the things that they are connecting, the data they're giving. And on the other hand, I'm talking to the consumer, but now the organizations, the entities: we constantly tell them the data is important, you need to handle the data, you know, very responsibly; be responsible in how you handle that. But more important is your operations, your operations, because that is everywhere, and now, you know, we need to protect it, we need to take care of it.
Even more than that, your operations, the services that you provide, because you can get hacked, you can get hit by ransomware. Sometimes, you know, in all the incidents I handled for Puerto Rico and the States, the first thing that they ask me about is the data. We are concerned about the data; okay, the data is important, but focus more importantly on your operations, the services that you're providing to the citizens right now, to your customers. Because if power plants get hit, water plants get hit, forget the data; we need to make sure that operations get back online. What kind of threat actor is accessing that data? What is the scope of the compromise? And all kinds of things, so baby steps. We at CISA, our main campaign is about cyber hygiene. We call it cyber hygiene, you know, four cyber hygiene concepts. And these four concepts, I will tell you, they are some basic concepts, but it is the same thing that is happening again and again. Through these four things we have seen the biggest hacks in the United States. First, passwords, password handling: people are still using basic passwords. Multi-factor authentication, you know, is something that can help you a lot to minimize the risks; multi-factor authentication is a free tool that any portal, any website right now can offer you. So, multi-factor authentication. Phishing, you know: you can have a phishing attack, and you can prevent phishing by awareness, raising your awareness in your organization, in your house, you know; think before you click. If you're not participating in the Amazon, you know, whatever, you're not going to receive a free gift card and such. And also software updates, you know, these four things, software updates. Right now we're seeing different tactics; phishing is going to be more sophisticated.
One thing that we started seeing right now is deepfake phishing. We're seeing right now the combination of artificial intelligence and social engineering, using deepfake phishing. So this is very scary. So you have to raise your awareness in your organization, because right now these guys are using your voice and calling and saying, "Hey, I'm the CFO of the company," calling the finance department and asking them to do something. For example, if I get the voice of the CFO and I deepfake the voice, and I call the financial department, the guy I know that usually makes the transactions in a company, and I just call and say, "Hey, you know, I'm your boss, I'm going to send you an email right now with a draft document, please review it right now, because you need to do something," do you think that guy will verify the email, the header of the email, the email that came through? No, the boss just called him, so he's going to hit that document and get compromised. And this is happening right now. I don't know if you heard the news a couple of weeks ago that in Taiwan these guys were using deepfake video of the CFO personnel and had a videoconference with the guy that makes the transactions in the company, a videoconference with the financial guy, talked to him, whatever, and made him make a wire transfer of about $25 million, $24 million. Wow. A whole videoconference, deepfake video, you know. So there are various, okay, there are a lot of risks over there that we're talking about, you know; we can talk all day long about this, you know, but the time is short. But yes, you know, it's serious; we need to take care, raise our awareness. And we need to keep in mind, and put in the mind of everyone in your organization, and in your home: what is your role in cybersecurity? You have a role in cybersecurity; what is it? Okay,

so, right there, taking it from where N'gai left it: Carlos Peña, just give us a mention about the phishing, the malware, the breaches, the social engineering, all the things that he mentioned. If you can just give us examples and explain to us what is the threat of not being protected. Okay.

Thank you. So, before starting to talk about some of the different threats that exist, and possible cyber attacks, I'd also like to add something about the concept of risk analysis, and how we prioritize, because we don't have infinite resources in order to invest in different protections, but we do have to protect all types of data that we're handling. So, for example, we have data from customers and different kinds of sensitive data; we have to protect the systems and the data stores where they are. So we have to protect them in a way that's according to the risk level. And what we do is we identify the different vulnerabilities that we may have, because those are the opportunities that attackers may take advantage of in order to vulnerate, compromise or bypass the controls. So once we know the different vulnerabilities that exist in the networks, in the systems, that's when we have to analyze the risk. So the risk level will be based on likelihood and on the impact of what can go wrong: how bad is it, and how likely is it to happen. So, just like any kind of risk, and risk applies to different industries or applications, just like that, in cybersecurity this is based on impact and likelihood. So if the risk is high, we're going to invest more in protecting that kind of resources, data and systems. So we don't want any kind of unauthorized access, we don't want any kind of manipulation of the systems, and we don't want any kind of exfiltration of data, which is what will destroy every attempt at protecting or keeping the privacy of the data that we're working with. There are so many possible threats that we face every day, individually speaking and also for companies. There are many kinds of attacks related to phishing that arrive in mailboxes every day.
There are many ways of attempting to vulnerate a system, and we need to be able to stop every kind of attempt. So there's something very important that I always like to mention: the MITRE ATT&CK framework. I don't know if you've heard of it; it is a framework that was built, and gets updated, based on the different real-life cyber attacks and real-life tactics and techniques that attackers use in order to vulnerate systems. It's online, it's a free resource, and it is great for risk assessment and great for risk analysis, because it tells you what they're doing out there and how they're trying to expose the data and the information. For example, one of the types of tactics that attackers use, and one of the first steps of a cyber attack, is initial access. Initial access is when still nothing is happening yet, but they're trying to get in; if they're successful, they will have a foothold on our network or an asset. And that's when the incident starts; that's when, after they enter the network, they're going to try to move from device to device or from account to account until they get privileged access, because that will give them exponentially more data than any other way. So if they can have administrative access to applications or databases that store the customer data, for example, sensitive data, that's what they're looking for. So there are very different motives for performing a cyber attack. But the most common, the one that we will face daily, is monetization. So they just want to get their hands on something. And remember, these are people that operate and work on a daily basis to try to get into the data and get into the network, vulnerate the system, bypass the systems. So they will do everything they can to get there, to grab something that they can monetize.
And we're talking about people's records, medical records, credit card records, anything that can be monetized. Sometimes they get their hands on things that we don't know how they monetize, but they do. For example, having mailbox access credentials may not seem like something valuable, in the sense that it doesn't have maybe a medical record or a PII record, a personal, individual record, but they use this to get access to more accounts. And there's a complete market on the dark web; on the deep web there are markets that commercialize this kind of information. So, for example, there may be a hacker whose operation is based on sending phishing emails to multiple companies, multiple employees, even individuals, and grabbing those credentials, making the individual open a link. Mostly, when phishing is received, they're asking for an action from the user. This action is mostly clicking on a link or opening an attachment that may have malware to infect the computer, extract information, maybe try to move to other devices. But most of the time they send you to a link where they're going to ask for credentials, pretending, for example, that this is a genuine service requesting credentials. These credentials are handed over to the attacker; the attacker collects credentials, and then these credentials are sold in bulk. And that's when this attacker monetizes that. But then another attacker buys that in order to perform other types of attacks. For example, an attacker can buy an already-sold database of valid credentials to enter the infrastructure of a company, and then, after he is inside, he is going to perform other kinds of malicious activity. So we may have heard of ransomware, which is one of the worst and most impacting threats that we're facing today, that all companies are facing. And the motive is monetization. Also, this is ransom, this is exfiltration.
Every time there's a ransomware activated on the network, that means the attack just finished. So this is the last step of a cyber attack; the cyber attack can start very, very small. Imagine it like a snowball, where it's something very small, very hard to detect. If we detect it and stop it, then we can prevent the big cyber attack that's going to happen later. And this can be a timeframe of one or two weeks, but it can also be a timeframe of months working in an operation inside a company's network. Many times it is critical infrastructure, as N'gai was mentioning. So critical infrastructure is a very likely target for attackers which are working with other kinds of interests, maybe sometimes state-sponsored interests, and critical infrastructure has to be very, very protected because of that. So the subject is very complex, because the attackers are trying to find a weak spot in order to enter. If we imagine the physical world, when we are trying to guarantee that no one enters a building, we can close all doors, but the one that does not properly close, or that's weaker, that's the one that they're going to attempt to enter through. So the same thing happens in the digital world. It's just that there are many fronts, as the trend is to provide more connectivity every day. So we want more connectivity, we want more bandwidth, we want faster Internet, faster data transfers. But every time things get interconnected and the bandwidth is larger, that can also lead to risk. So we're trying to keep the data privacy, and we try to comply with the privacy requirements. But we also have to protect all the systems in order to cover all the different doors that attackers may use in order to get their hands on the data.

Phishing is one of the examples of social engineering. But social engineering is when attackers know that they can manipulate a human being, a person, to perform an action for them. And that helps them in the sense that they don't have to vulnerate a maybe very strong cybersecurity measure or protection; they can just ask a person to remove that protection or to provide the data directly. So what they do is they can use any means, and the most likely resource that they use is email, because we check many emails daily, but actually any means where you can talk with a person is a channel for social engineering; for example, phone calls. We know that there are fraud phone calls. Well, phishing is the same; it's just trying to make it on a larger scale. You know, that's the advantage that it provides: you can do it at a larger scale, because you can send phishing to thousands of emails at the same time, while a phone call is just one phone call at a time. You know, the scale is larger, but the motive is the same. They're trying to get their hands on something that they can monetize, or that they can take advantage of for liquidity purposes. And there's a complete market. They're trying to make it illegally, of course, trying to harm individuals and companies for liquidity purposes.

Thank you. Thank you, Carlos, for that magnificent dissertation. Urayoan, and any one of the panelists, if they want to jump in, two things as we are about to finish: what do we do when this threat takes place? When they happen, and the damage is done, what do we do? And the second question, of course, for all the panelists: how do we tie this to trust?

Okay, well, I will start with another definition. A good friend of mine always says, let's go back to basics. Okay. So I believe that there is a combination between tools, technologies, but also the human factor. And this is something that we must be clear about: what are the types of security controls and their functions. I mean, you don't need to be a CISO or certified. This is something very simple that we always try to transmit to every organization that we work with. Okay, you have physical controls, technical controls, and administrative controls. So that means that it involves your environment, the technology that is around, but also your organization. I mean, that's why, when Carlos mentioned risk management, risk assessment, and N'gai talked about cybersecurity, all of this goes together. And the functions of those controls are important to understand: you have preventive controls, detective controls and corrective controls. Okay, I think that's a strong baseline. Now, for technologies. We have many tools; it's not called antivirus anymore, now it is called EDR, MDR, XDR, SIEM. So these are tools that help you with detection and response. Okay. MDR stands for managed detection and response, and XDR for extended detection and response. These tools mostly use AI as a way to classify and identify more cyber threats. We can talk about MDR and XDR for hours, and also SIEM, okay, which is for correlating events, and all of those things. But I will say: implement the proper technologies. And for the privacy component, the most important thing that I will say, besides the technology that you use, like identity and access management, multi-factor, all of those things, is the data classification in your organization. You will be surprised how many companies don't know what they are collecting or where that data is. Be proactive in understanding the controls that your providers are using with your data.
Okay? Don't believe what the website says; call them, ask them for a SOC 2 report, okay, or any type of audit of the controls, or their cybersecurity posture, several things like that. Another thing that I would recommend is to implement hardened encryption technologies. We had a good conference a few months ago at the Internet Society regarding this: encryption is a cyber myth, because if you don't implement encryption correctly, there is a false sense of security, as well as in other ways. Okay. Not because something is encrypted does it mean that it is safe or secure. It depends on how it is encrypted, who manages the keys. That's another conversation. Okay. Try to implement PKI, digital signatures for digital identity components, use artificial intelligence in a positive way. I mean, we're handling a case with our friend from InfraGard, his name is Travis Jurgen; he developed a great adversarial machine learning for vulnerability management. So things like that, that you can use to enhance your cybersecurity posture, are great. Okay, now for data protection: try to use tokenization and automation, if you can do it, so you can remove the PII data and just use the required information. And what I also call hardened encryption, just to go a little bit more into that, is: be careful how you use your keys, verify the implementation of your encryption algorithms, verify the key management, their vulnerability management, and in case you use hardware security modules, like for banking, PCI, HIPAA, or other types of hardware encryption, hardware security modules, verify their vulnerabilities as well, because they do come with vulnerabilities. And also in transit, okay, be careful how you transmit that data, your certificates and many things. And for the incident response, I will say that, like we mentioned before, we have preventive controls. So, for the event, we must always be thinking about how to identify the threat. Okay?
Once you identify it, how do you contain it? You isolate, you eradicate, you do recovery procedures. But I will say this is something that happens: many times, even when organizations handle the incident correctly, many organizations don't do a post-incident analysis. Sure, by default, okay, everything was mitigated. But guess what, you didn't realize that you got something, and by not doing the post-incident analysis, in the near future that medium type of threat now becomes a high one and you can get breached, okay. And always, like I say, awareness. I have to congratulate both panelists. I know N'gai; his agency is doing a lot of work, I can tell you that for sure. And there is something that the CISA agency is working on a lot: the prevention of cyber threats for our national security. And that is great work; I have to congratulate them. And Carlos, I know that you're working at Clara, where you handle a lot of important information from our customers and people in Puerto Rico. So I congratulate you both. And thank you for this opportunity. And anyone interested in joining InfraGard in Puerto Rico is more than welcome, and N'gai will be calling you soon for a meeting.

Thank you. Yeah. And so we receive a lot of information, as you said, from CISA, and it allows us to be very preventive, go, you know, make sure that we cover everything. As soon as it's known by the community, then we can go and make sure that it doesn't become an incident. So it's awesome. Another thing that I wanted to mention is about the best practices. There are many best practices that NIST documents. This is a great baseline and best practice: the NIST Cybersecurity Framework that you were referencing at the beginning. Those are best practices that everyone can access; it is online, it is a resource that's available for everyone, and it is great for making sure that we're covering the security goals that are provided by the NIST Cybersecurity Framework. That's a great document to view. I just wanted to mention some best practices that you can go and check; I mean, the public can go and check, and they cover the security goals that they should.

Yes, also where I am nice to be in a panel with you is a revelation we got also. Yes, Caesar Caesar has, like these guys were mentioned that we have a lot of tools, a lot of resources free of charge, you know, they're all free and available for you guys. Like I mentioned before we have Punia Wait is scanning freerunner with this scanning services for the private sector for all the sectors that are covered by the critical infrastructure. And also we have assessments, we have a tool that you can download from our from our website, see SATA golf, okay. CSAT, that golf is called cybersecurity, we have got the CSET cybersecurity evaluation tool is a self assessment tool, you have embedded all the frameworks, have the NIST framework, have the EBA have the CS framework, you know, you can ever wait with it, you know, with every framework available in the market, and have also some kind of assessment, you know, proprietary of Sisa that you can use. And if you if, for example, you want Sisa to go and help you with that in your organization where you know, where we want more data to go and assists you in that kind of assessments. Also very important, very quickly, we have any, and recently recently, initiatives called security by design secure by default, this is a theme that we're talking about right now, because we're trying to change the conversation, we try to, you know, tell the manufacturers and the developers, that that right, now, we have to change the game plan, we can't put the responsibility of security on the consumer, you know, the developers and the manufacturers have to have their, their responsibility of the cybersecurity the security. And that's because we name it safe, secure by design secure by default, products have to be secure from the beginning, from the development from stage one. So we're talking to the big, big things, you know, the big manufacturers say you need to develop secure products. And also you have to deliver products are secure by default. 
Okay, don't put that responsibility on the consumer; the consumer doesn't know everything about security. You need to provide secure products. Right now, the biggest challenge that we have is in what we call operational technology, in the industrial control systems that are all over the place in the critical infrastructure sectors: all the controllers, the PLCs and the other components that are used in automation, to automate processes in the farm, in the food sector, or whatever. These little components that they're connecting to a network are vulnerable, very vulnerable. So that's something that we need to keep in mind; there's a whole other world to talk about. But since CISA has the Known Exploited Vulnerabilities catalog, if you have an application or system and you want to verify if you have any kind of vulnerability, you can go to cisa.gov and go to the catalog that we have, and you can verify if your product has a vulnerability and you can mitigate it. We classify the vulnerabilities in different categories, and one very important one is that we have a classification that will tell you if that vulnerability is being exploited in the wild for ransomware purposes. So that's very good information for you: you have an application, you verify and you say, yeah, this application has a vulnerability, and it is being exploited right now in the wild by threat actors, mainly for ransomware or whatever. So CISA, like Dota mentioned before, with for example the scanning, will help you have that kind of visibility. Also, by law, this is very important, by law:
Once CISA is monitoring your system, it will help you: if CISA detects that your organization is in the pre-stages of ransomware, things like exfiltration or the communication, we have one hour to notify you by law. Okay, so CISA will get an alert in Washington, DC; they will call me if it's an organization in Puerto Rico, and I have about an hour in the day to notify you, by any means: if I have to get in my car and go to your place, send you an email, or call you, we have to do it by law. So there are a lot of services that can help you enhance your cybersecurity posture. So go to cisa.gov; there's a lot of information there. And after this, if you want my contact information, I can give you my card. I'm located here in Puerto Rico and available to go and sit with you and help you in any manner that I can.

We have time for questions. Any questions from the audience?

Thank you. Good morning again, everyone. My name is Chanel McPherson. I'm a student studying networking and cybersecurity. My question would be: what is one valuable lesson that you could leave with a student that is pursuing or will pursue a career path in cybersecurity? And what are some new emerging technologies that can help us combat this evolution of the digital era?

So, yes, one of the things that I'd say is: one of the strategies to make sure that you do everything you can to prevent a hack or a breach is that you need the skills that a hacker has; you need to find the flaw before the hacker finds it. So one of the things that I recommend is that you look at tools, processes and best practices for hardening systems, for vulnerability scanning, for penetration testing, and for security investigations. There are also a lot of security requirements, compliance laws, standards and regulations that you have to comply with, and knowing all of this will build up your resume and your career. But I think the key elements here are more technical and more preventive: find it first, so you can remediate. If you find it and don't remediate, that isn't going to prevent an incident. But if you have the skills to find it, and you can remediate before you get hacked, then you're going to have a network that's better protected. Best practices also play a role, because you need to handle these as a strategy, not as isolated activities. So I'd say you can look for best practices that are available; you can start with the ones that are freely available, like NIST, which has got a lot of documents that explain this. The NIST Cybersecurity Framework is great because it shows what the different cybersecurity goals are that we have to achieve, with references to examples of those controls in the NIST Special Publication 800-53 document, which is a huge catalog of different examples of cybersecurity controls. So you can start with the NIST Cybersecurity Framework.
You can start developing pentesting, vulnerability scanning and incident response skills, and I think those are the best things that you can build up as a student.

I would like to add something very quickly. It is like: embrace cybersecurity and privacy in your heart and soul, as part of your organization; don't look at it as a cost. Look at it as heart and soul. A lot of people talk about zero trust architecture and many things like that. Zero trust is not a technology; NIST has a specific guideline, and even Forrester Group and others enhance trust. But embrace cybersecurity, educate yourself and your team. Awareness, awareness, awareness; make it even an entertainment type of thing. Okay, for me that's one of the two major important things. Actually, the Cybersecurity Framework version 2 from NIST just got out three days ago. I mean, I have been checking; I know you guys must be also updating a lot of things. But the Cybersecurity Framework is a great tool, and something I noticed in this version 2 is that it gives you a great self-assessment for gap analysis for every organization from the get-go. Okay, so it is made in a language that anyone can see and understand and grasp, for your small organization as well. You don't need to put all 700 controls in right now; you just put what you need, based on the data that you have and the business that you own or that you're part of. But I will say that awareness, and taking cybersecurity and privacy as part of the heart and soul of your business. All right, I agree.

Okay. Hello, one more question. All right, thank you. My name is Sabe Around. And I've been following the conversation, with the fact that you mentioned the organization setting up two-factor authentication, which is very key. Because I've seen a lot of single sign-on within applications, whereby now you don't need to, when your organization has applications connected with other finance applications and other stuff with your organization or domain mail, you can have a single sign-on which connects to validate your mail, then it sends you again, so you don't need to be creating passwords. So meaning that organizational mails need to be the most priority that you must secure, because of the new single sign-on applications and barriers that people are building. That is the first contribution part. I want to know, since these bigger organizations are the ones whose services we are using, most of them cloud services like Google, Microsoft and other stuff, they have a very big responsibility in terms of protecting the cyber space of all people who are under them. But can they also implement further restrictions that will enforce organizations to implement some of these cybersecurity frameworks that will help organizations to protect themselves better? Because at the end of the day, if you sign up to these services, you also as an organization have a role to play to ensure your security. So that is my first, because I want to understand how these organizations can also help in terms of controlling the cyber incidents and cyber crimes that organizations mostly face on their systems. The second question is: why is it difficult for large organizations, government organizations, institutions to share that they have been hacked? Because most organizations don't come out and say, I was hacked, my system was hacked, trying to actually show that people can learn from it: what was the problem and the causes? It's very difficult.
Even for some government organizations, every day in the cyber index we get a lot of reports that systems have been hacked. There are cybercrime metrics, but how can we also learn from this? What are some of the problems that we can use to understand this from the academia level and the industry level? Thank you very much.

Thank you. So basically, two questions. The first one is, how do we enforce companies to provide the most secure protocols to get into their internal accounts? And the second one is in terms of incident reporting: the importance of reporting cyber attacks, which most of the companies are not doing. So that should be by regulation. But please,

Yeah, about how to enforce: the federal government, right now there are a lot of laws and conversations to do that. And for example, CISA right now; maybe this statement will answer both questions at the same time. CISA, by creation, was not a regulatory agency, but because of all the things that have happened, they have given us some kind of regulatory authority. So, for example, in 2022 the President signed a law requiring that critical infrastructure sectors have to report to CISA if they've been hit by ransomware and if they paid the ransom. So that law was signed in 2022, and it's going to be effective, I think, this year, 2024. So that will be a requirement by law that they have to report to us. And one thing that I think Urayoan mentioned before also: organizations have to ask the providers, be more like a supervisor about the regulation, their compliance; force them to prove to you that they comply with the cybersecurity frameworks, okay? Because the federal government can do and can go to a certain point. At this point we can go so far; we're doing a lot of things with Dota. There are a lot of conversations right now, because there are things happening right now, to give us a little bit more power to enforce. At the moment we don't have that, but yes, that's something we need to work on together as a team, the federal government and the private sector, to force these companies to be in compliance, to adopt this type of cybersecurity framework, and then we need to try to force them into that reporting; that's very important. Very important. Okay.
And also, we work very closely with the FBI cyber squad in Puerto Rico; we're a member of the Cyber Task Force in Puerto Rico with the FBI. So there are two types of reporting, very important. There is reporting of an incident that is happening: an attempt, where you receive an attack but nothing happened, you didn't get compromised; you're seeing IPs, information, attackers from countries, IPs trying to get access to your network. Reporting that information is very useful for us. So you can report it to CISA: I'm seeing that some IPs from Russia are trying to hit my networks, and it's very consistent. So give us that information; that's very helpful. If there is a crime, a cybersecurity crime, then you need to report it to the FBI through the IC3.gov portal. You can report it there; we work together, so if you report something to CISA, we relay it to the FBI, and if you report something to the FBI, they relay it to us. That's pretty important. Okay: reporting, reporting, reporting.

So to add something about the reporting part: I think some companies may or may not have established the procedures for how to handle a crisis or an incident like that. And that's when you define how, when, by which means and what information you're going to provide; how you are going to contact impacted customers, for example, in case of customer data exfiltration. So we're talking here a lot about preventing the incident, but we've got to be ready for it to happen, because the subject is very complex, and if you leave one single point of entry, it may happen. So every company should have established the whole strategy for handling a cybersecurity crisis throughout the whole company: how the company is going to respond to that and report what's going on.

I would also like to add something very quickly. First of all, great question, a very important question. As you mentioned, single sign-on: there are several threats on that, there are several associated risks with that. There is a saying: single sign-on, single break-in, okay. And it's very important that all of those SSO providers evaluate their security posture and evaluate the information. Also, there is a difference between having a regulation and enforcing that regulation. Okay, because if we go here into the details, HIPAA, in Puerto Rico and even in the United States, you will be surprised if we go and do an audit in every single health care provider and measure right now, today, their HIPAA compliance in privacy and how they manage that information, and even other organizations as well. You will be surprised. So one thing is having the regulation, but another is how you enforce it, because enforcing it means having the proper controls and the legal framework to work on them. What are your rights as a patient? What are your rights as a citizen? Your privacy, your security. I mean, right now Puerto Rico made a privacy law recently. But right now there is no real way, I mean, I know many people will fight me for this, but I mean, we have to be very careful how we write our laws. Because it says you have certain rights, but how you enforce them is a big issue. And also, regarding companies, you're talking about the reputation of the company. So one of the things that I always suggest to customer organizations is that the cybersecurity component should be at the level of your board of directors and executives; don't put it as a department under another department, because that causes many governance problems, and that hits even more the company's reputational risk.
So when you're talking about a company that has millions of users, and they have a breach, if we follow the statistics, the breach typically costs about $185 per user, and if it's healthcare it can go up to $350. So a lot of organizations fear to report these breaches, because it's a cost issue. It's wrong, if you ask me; it's wrong. Okay. So that's why, for companies to have this, they must have a full framework: mitigate, prevent, and have all of the things that we have mentioned here.

So, well, thank you. Thank you very much. I think our time's up. Thank you for joining us. Thank you for your patience and participation. Thank you, Urayoan, for being with us, Carlos and N'gai, I thank you, all of you. Thank you. We appreciate it. Thank you.

Thank you. Bye, guys. Take care.