Sandia Labs talks cybersecurity at NAIOP roundtable
Alex Quintana, of Sandia National Labs, talks cyber attacks and more at a NAIOP round table Feb. 20 at Presbyterian Rust Medical Center in Rio Rancho.
RIO RANCHO — The NAIOP roundtable Feb. 20 at Presbyterian Rust Medical Center featured Sandia National Labs cybersecurity experts Chrisma Jackson and Alex Quintana, who talked about different threat levels in the business world.
“Fundamentally, I think every day about balancing risk with our budget and our mission. It allows me to be educated on the breadth of risk across our cybersecurity platforms,” said Jackson, who spent the last 26 years focused on risk assessments for nuclear weapons.
“What many people are thinking about right now is digital transformation, advanced IT tools to help you become more efficient in your business as you think about the idea of digital transformation and Sandia International Labs is looking at that from our engineering tools,” she said.
That’s something she is working on with her team at the labs.
Jackson said she and Quintana help companies protect themselves, but added that the government has many online resources that can increase awareness and knowledge about cybersecurity.
“There’s also regional DHS (Homeland Security) representatives that can help if you’re part of the critical infrastructure. They’re here for you,” Jackson said.
Jackson addressed concerns about ransomware attacks as well.
“As one thing becomes more secure, adversaries are shifting to other low-hanging fruit,” she said. “You are all familiar with software as a service. ... When you keep paying an annual subscription, that software is a service. As we think about that, most of those ‘software as a service’ [option] are on the cloud. So you’re actually interacting and dialing in or logging into a cloud-based system, which is a remote server system that is not on your premises, not in your building.”
Jackson said the labs have seen a 75% increase in cloud intrusions, a 110% increase in cloud-conscious cases and a 60% increase in cloud agnostics.
Quintana’s presentation was next, and he focused on thinking like a hacker, something he’s done for 25 years, applying his knowledge to helping others.
He went into the different types of cyber attacks besides cloud hacking.
One was server-side exploitation, which happens when people have services connected to the internet such as a mail or web server. Quintana said that since they are connected to the internet, everybody on the internet can connect to them and test their vulnerabilities, then possibly exploit those vulnerabilities.
More often than not, this happens because the person clicks on a bad link. He talked about hidden codes and how browser plug-ins can run in the background. He said phishing, which is a way cyber attackers get people to reveal personal information, has been a concern of his for 20 years and keeps increasing.
A common phishing trend is people receiving an email or message from their boss that turns out to be a facade.
Rio Rancho is not immune from such attacks. In the past couple of years, residents have reported getting calls from people pretending to be the police department, Chief Stewart Steele, the IRS and more. Others reported getting USPS notifications when they didn’t expect a package.
Quintana said when he gets those kinds of calls, he won’t even say anything because it is possible for scammers to copy voice patterns.
“If I choose to answer it, I will sometimes pick up the phone and just grunt. That’s all I’m gonna say, because I’m not going to give them any information about me. I’m not even going to give them my voice, because if they get my voice, they’re going to use AI to replicate my voice and call somebody with my voice,” he said.
When it comes to emails from familiar people that are phishing attacks, Quintana says it is just better to assume that company associates have been compromised. He said when that happens, a hacker is usually “sitting” in the email box of the associate and watching how they send emails.
His suggestion for minimizing how often this happens is to change passwords regularly and not use one that can be recognized from previous passwords. He said even two-factor authentication can be hacked. One method he said he was a proponent of is biometric authentication, such as using a fingerprint to log in.
Another thing he warned the group about was plugging in USB drives if people don’t have verification of who they came from. He said if people find a USB drive, they shouldn’t plug it in.
“If you do, have a process to analyze them first to make sure there’s no malware on them before you actually look to see what the content is,” he said.
Then, he went into the types of cyber criminals, saying it can even be a nation behind the attack.
“It might be some big country that has a lot of resources, and they have some goals somewhere, and they’re willing to put the money and they’re patient, and they’re working. They’re actually creating a capability to compromise your system,” he said. “Countries are targeting intellectual property, and so you have a company put millions of dollars into the technology, and then some other country’s small little business will just pop up and replicate that for cheaper.”
But he said companies will be better off at least having the wherewithal to hire a company to take care of their systems.
Both Quintana and Jackson recognized how expensive it can be to protect against large cyber attacks, but Jackson asked if it’s worth the cost of losing business, investments or even customers to an attack when there’s no investment in cybersecurity.
“As you’re thinking about the risk of a fire in your building, a risk of theft in your building, physical theft. We can all contemplate that and think about that because it’s something we’ve seen as something that’s been in front of us for years. How do we contemplate the idea of not having access to any computational network for one day or three days or three weeks or three months?” she said.
For more information on cybersecurity and access to protective resources, visit the Homeland Security website at dhs.gov.