Returning guest Christophe Foulon is back for another great discussion on this week’s episode of the UNSECURITY podcast. Evan and Brad pick Christophe’s brain and discuss a day in the life of a cybersecurity professional, his passion and drive as a security pro, and why security boils down to helping people. Don’t miss this one! As always, questions, comments, and feedback are welcome at firstname.lastname@example.org.
[00:00:22] Brad Nigh: Good morning everyone. Welcome to another episode of the UNSECURITY podcast. This is episode 42. I’m Brad and I’m your host today. Joining me today is my good friend, Evan Francen. Good morning Evan.
[00:00:32] Evan Francen: Good morning Brad. How you doing?
[00:00:35] Brad Nigh: Good. Been working this uh IR, it’s been a little bit crazy. I got to put everything away because you saw where I was headed down the rabbit hole.
[00:00:45] Evan Francen: So yeah, I mean, you were doing IR before the call here.
[00:00:48] Brad Nigh: It’s not all right. So we have a jam packed show this week. Um, hopefully you’ve seen the show notes on Evan’s blog. We’ve got a lot to go through. So yeah, we’ll start with the crazy weekend. We’ll talk about Evan’s week and figure out what’s going on. I don’t really know half the time at this point.
[00:01:07] Evan Francen: You know, it’s crazy man. So, uh uh Christophe is joining us. We don’t know when he’s going to dial in. We just know that it’s going to be probably sometime during the show. So we’ll just transition when he gets here. Crazy week. Yeah, you have a different sort of crazy than I did this last week.
[00:01:25] Brad Nigh: We have had, so we put in, the team has put in since the, I gotta look up the date, hold on, since like a week and 15th, we’ve put in almost 180 hours on this IR. There’s been a good amount on this one, there has been a good amount of training for uh you know, some of the younger members of the team, which has been good and that counts towards training time in that. But it’s been a mess.
[00:01:53] Evan Francen: It has. So we had a call on Saturday. It’s rare when we hold calls on Saturday. It was with the chief operating officer of this company, the CIO, you, me and Oscar, and I was just there to provide moral support. Oscar has had this more than in hand. But yeah, it got out of hand quick, this one.
[00:02:16] Brad Nigh: Yeah, I think they uh that was a, that was a little bit of the awkward set up too, because we had our daily status call on Friday. And the CEO said yeah, can we have a call tomorrow? We just, yeah, just dinner chip. Yeah, how is that going to go? But you know, I think on the plus side they are both very much wanting to do this correctly. The CEO was, I would say he was upset that he thought he had a good program. I mean this is a good example of you can’t just buy blinky lights software and expect it to,
[00:02:54] Evan Francen: yeah, they spend a ton of money on security and nothing was configured
[00:02:57] Brad Nigh: crown or, well, I would assume not. So the big update on this one, I don’t, I’m assuming you know, talking with Oscar, he found in a memory dump where the attackers were injecting malicious code into valid Windows services and executables, so
[00:03:19] Evan Francen: no
[00:03:19] Brad Nigh: excuse me. So overwriting svchost. Yes, svchost. So you know, the memory dump he looked through, a 16 gig, and he found that. That’s pretty impressive. That’s a hell of a memory.
[00:03:32] Evan Francen: Don’t…
[00:03:33] Brad Nigh: so keep in mind this is something that we were seeing the connections out. We saw the malicious connections to malicious IPs, known malicious IPs. Carbon Black was finding those connections but didn’t find what was happening. Hunters didn’t find what was happening. Bitdefender didn’t find what was happening. We ran McAfee Stinger and ClamAV, nothing had found that. It took that manual level of intervention.
[00:04:00] Evan Francen: Well sometimes you have to go there. It’s insane. I remember when this incident started it was because the CIO of this organization is a friend, an acquaintance. And so he had this kind of initial thing and he called me and I was in the car and I was like all right. You know I can only do so much triage in the car. Um but to me it seemed like it wasn’t going to be, we thought it was just a brute force right? A brute force attack on some accounts and we talked about this in the last podcast man. Oh yeah. Whoops.
[00:04:33] Brad Nigh: So
[00:04:34] Evan Francen: It turns out that essentially everything. Right. four different
[00:04:38] Brad Nigh: we look. So we found, we found a virus or trojan on their domain controller. So what it looks like is not good.
[00:04:52] Evan Francen: What I’m trying to find your text, we believe you experience could be do extra pulsar.
[00:04:59] Brad Nigh: Yeah, we’re not sure on that one, but it’s indicators of it and that would explain why we didn’t catch it on anything. Um there was, I don’t have it open but like, oh, there was three or four other ones as well. So I found uh you know, it was interesting to see IO yesterday or see how r colo was going to put something together to send out to the company and say, hey, here’s what you should put on. Yeah, your personal one. So everything that we found so far ran through VirusTotal and sent it over and you know, none of them caught everything, but there was a couple that caught the vast majority. But it sounds like they want to do things the right way and they thought they were sure.
[00:05:45] Evan Francen: Yeah, the CEO was pretty surprised when I was on the call on Saturday. Like why didn’t anything we have catch this? Yeah, well it’s not just having the tool that matters. It’s using the tool correctly and you know, we don’t want to draw too many conclusions at this point yet because the investigation is still very much active. But it really appears like things weren’t configured well. There’s a lot of, throughout the environment.
[00:06:14] Brad Nigh: Basic hygiene. From a security standpoint that wasn’t followed. Right. So I think we counted 50 something domain admins, the IT group. And how many employees? Around 350.
[00:06:25] Evan Francen: So 350. So
[00:06:27] Brad Nigh: a lot of them are service accounts because. Okay, right. I think the, I think it was like 10 or 15 actual users in the domain admins. And then the rest are service accounts, which doesn’t make it any better. And the users were, it was defended as well. These are regular users, those are IT people. Yeah. But it’s their normal account with email and internet access. So, mm hmm. And we’ve definitely seen multiple instances of machines with infection where those accounts were logged in. So it’s a mess. But yeah, key credential harvesting
[00:07:08] Evan Francen: and so you get to a point in an incident response, you know, one like this anyway, where you get to a point where it’s should we cut bait. I mean, should we just install a parallel environment, an air-gapped parallel environment, and they’re clean
[00:07:22] Brad Nigh: kind of where we’ve landed with them. And hopefully we can give them if we can lockdown what exactly the signature is we can give them a little bit more assurance to do this correctly. Instead of rushing through it. Right? Because they’re in a dirty environment and they have been for who knows how long. Right.
[00:07:42] Evan Francen: The evidence doesn’t go back far enough to support where they started.
[00:07:45] Brad Nigh: No, not even close.
[00:07:47] Evan Francen: So you speculate you know what could have happened
[00:07:50] Brad Nigh: and yeah. How long has this been? Yeah. I don’t know
[00:07:55] Evan Francen: when you installed it maybe, right. LDAP was open.
[00:08:00] Brad Nigh: Oh yeah. Yeah. Although the internet, the internet unencrypted. Yeah. That doesn’t help. Did you
[00:08:05] Evan Francen: Hear that one? Yeah. Okay. Yeah, I heard that. So what uh for listeners, uh for listeners, what sorts of, what sorts of advice do we have?
[00:08:17] Brad Nigh: I think. You know, so both some basic stuff. It’s the basics, isn’t it? If you’re gonna have domain admin, have a separate account for that. Have a jump server set up that you would log into to manage all that stuff with. Right? That privileged user account, no email, no internet access. Right? You want to contain that? Really restrict. I mean that’s the keys to the kingdom, restrict access to it, only what it needs to do. Uh service accounts, create a special group and set permissions as necessary, where necessary. Don’t just say well it’s easier this way. Right.
[00:09:01] Evan Francen: Yeah. It certainly makes it work when you give I mean giving excessive privileges makes
[00:09:06] Brad Nigh: things work. Sure. Oh yeah. I mean then you walk away, we’re good. So Mike and I, one of our IR guys, worked together in the past and you know, we were talking, it’s like it’s kind of like what we came into
[00:09:18] Evan Francen: what’s Mike’s nickname.
[00:09:19] Brad Nigh: Pinky. Pinky. Yes. All right so you and Pinky? Yes. Yeah I’ll call him that. Uh it’s weird too because I knew him as Pinky and then sometimes it’s Mike and I never know what to call him. I’d rather call him Pinky. Okay I’m gonna call him Pinky. It works for me. So we worked together and we were talking about, mm, a very similar situation where we had both come in and it was a hot mess. You know every person in IT was in domain admins. That was, you know, including the CIO. When we told him he was like why? What? It’s just how they’ve done it. Every help desk, every developer, everybody. You know they had file shares on their domain controller. They had, you know, I looked at the event log and there was three minutes of logs in it because it had rolled. It was the default setting, so 20 meg or whatever, I think it’s 20, but it was the primary loss pds or primary domain controller for the site. So everybody was authenticating against it and it had the file server on it which had, you know, 250 or 300 gig of data. So yeah you had like three minutes of logs. I’m like well that’s functionally useless. We don’t have logs, period.
[00:10:37] Evan Francen: One of the things that was surprising on Saturday when I was talking to the CEO, it was just this false sense of security that he had. Yeah, he thought that all the money they had spent on all these tools, all these blinky lights, that, well, how could this possibly happen? I thought we were secure.
[00:10:55] Brad Nigh: Well, and then I think the call yesterday with the entire team, their team and Oscar, Pinky and I, that was a little awkward. Uh you can tell maybe some of those IT staff are starting to get a little, they’re definitely getting burned. All right. They’ve been working so hard, but
[00:11:16] Evan Francen: not just work
[00:11:17] Brad Nigh: it out. But they’re getting I think they I think they’re starting to see maybe some
[00:11:22] Evan Francen: like oh crap, we should have taken care of this.
[00:11:24] Brad Nigh: Yeah. We said, hey, we’re seeing this traffic from these hosts and they didn’t get us a list of all the host. They couldn’t figure out some of them.
[00:11:32] Evan Francen: So they don’t have any inventory.
[00:11:35] Brad Nigh: They had some but not a lot. Right. And then, so are you telling me we can’t uh we can’t validate and ensure that there’s no data exfiltration. No. Why don’t we just shut it down? Like cut the internet, like yes. Yeah, like that. Yes, but that’s a business decision. Can you, can you work without having internet access and then kind of, right? So it’s like we’ll find it. So yeah, the CEO was like all right, call me right after this because we need to put together a plan and get them what they need
[00:12:13] Evan Francen: when I know, I know the CEO personally, he’s not happy. You know somebody unfortunately will probably lose their
[00:12:21] Brad Nigh: job. You know I hate, you hate to see that, you really do. However there’s just so much.
[00:12:29] Evan Francen: Yeah I mean in IT you have to, at least, I mean I know that information security and IT are different things, but in IT you need to know your, take the technology part of security, at least the basics, and like you started off with, the basics were missing here.
[00:12:46] Brad Nigh: Yeah. Oh yeah.
[00:12:47] Evan Francen: I mean this isn’t rocket science it’s basic
[00:12:50] Brad Nigh: and it’s not anything about you know from what I’ve seen from that team that I’ve worked with technically they’re very capable. Right? I mean there’s not that they’re not skilled. They just weren’t doing it right. Yeah. Yeah. I think it’s going to be a situation where somebody is gonna
[00:13:09] Evan Francen: when somebody has to answer for LDAP open to the, my God, unencrypted. I mean that’s, why would, why
[00:13:15] Brad Nigh: would you NAT your domain controller directly to the internet. I know, and not check the box for encrypting LDAP.
[00:13:23] Evan Francen: Well I think some of it is ignorance. You know they just didn’t know any better. Some of it is um laziness.
[00:13:30] Brad Nigh: Yeah. Well in my will. So the CIO is still really new there. Listen, you know, less than six months, which is never a fun position to come into and have this happen.
[00:13:43] Evan Francen: But the good thing is he when he came in he was preaching security records about
[00:13:47] Brad Nigh: absolutely
[00:13:48] Evan Francen: he knew he he knew and recognized early on so I think it just validates.
[00:13:53] Brad Nigh: Yeah I would agree. But you know we don’t know, I don’t know which of these people were there when this was set up. Did they come in and just manage status quo? Like you know I don’t know that historical piece. If they had set it up this way then yeah, but somebody did, you know, but even coming in and not, I’m putting back my IT hat on, right, even coming in and not learning the environment. Like that was one of the first things I did before I found, we have found users that had six character passwords that never expire, that had not changed them for 6, 7, 8, 10 years. Like nope, everybody has to do this. Oh yeah we got to do these things, but you’ve got to learn the environment. Got to know this stuff if you’re going to manage. That’s the
[00:14:47] Evan Francen: best thing for security. The better you know your environment, the better secure it’s going to be because you know the back doors, you know the little holes, you know the things you’ve looked at and the things you haven’t looked at, and so yeah, get intimate with your IT environment
[00:15:00] Brad Nigh: and you can’t fix everything but you got to know, okay right, this window is broken and there’s a neon light, a flashing arrow flashing at it. Yeah I should probably watch that
[00:15:13] Evan Francen: one. Back to the basics. So uh advice, there is a lot of advice, you know, in terms of clean up. But then what about testing? I mean did they ever test this environment? Were they doing external vulnerability scans? Did they know that LDAP was open? All these tools and, you know, money that they spent on all these really cool flashy blinky lights. Right. Exactly. God, don’t get me started on that. But does any of it work, you know, and the only way you’ll know for sure if any of it works is to test it. You can’t just plug it in and let it go
[00:15:48] Brad Nigh: and to be honest I’m gonna guess. No I don’t I don’t know how could they there’s no way that
[00:15:53] Evan Francen: unless they just ignored that. Unless the test sucked. Just ignore the test results altogether.
[00:15:59] Brad Nigh: Yeah. Yeah I would say not recently. Right. Yeah, we’re struggling for them to get a list of their external IPs. They got it from their ISP. They didn’t have anything internally that documented what was going on. Now they had some translations and they were able to pull that, it’s like piecemeal. Yeah. Anyway.
[00:16:23] Evan Francen: Well the good thing is, you know, and that was our recommendation, is continue down this path a little bit more and then prepare yourself for rebuilding, building a brand new environment, air-gapped from this dirty one
[00:16:38] Brad Nigh: and I will say I’m not, I don’t want to sound like I’m just trashing their team. Their team has been very responsive. They really have put in a lot of hours to try and help with this. Yeah. Yeah, but that’s a good thing for them, right? Like I don’t want to sound like I’m all super negative. It’s frustrating from an IR perspective, right? All their logging was local.
[00:17:01] Evan Francen: one, where I get frustrated is we have to hold ourselves to a higher standard. You know, our oversights, our mistakes, our lack of skill or laziness, people get affected. Hey, is that Christophe?
[00:17:17] Christophe Foulon: Good morning. Yes
[00:17:19] Evan Francen: Christophe is here, Brad and I are here. Brad, take it away.
[00:17:23] Brad Nigh: Yeah, we were just ranting about incident response and the basics of, like, not having 50 users in domain admins and not NATing your domain controller to the Internet with unencrypted LDAP.
[00:17:36] Evan Francen: Would you know
[00:17:37] Christophe Foulon: better?
[00:17:40] Evan Francen: See we got to laugh at this stuff starting your your monday morning with a with a good laugh.
[00:17:47] Christophe Foulon: Yeah. I mean did you see the 60 Minutes episode last night about Texas?
[00:17:52] Brad Nigh: No I didn’t see that. I
[00:17:53] Evan Francen: didn’t tell but tell us about it.
[00:17:57] Christophe Foulon: I mean it was, they started out with the 22 cities in Texas and then they went through all the other cities. Um unfortunately the only thing that they didn’t do, while they have that captive audience, is give any suggestions on how to improve. Um really just talked about the problem, and that’s the problem with our industry. We just, hey this is a problem, that’s a problem, but don’t suggest any recommendations on how to fix it.
[00:18:29] Brad Nigh: Although I’ve seen some of the things they do and maybe that’s not the worst. You should get the right people giving those uh suggestions.
[00:18:38] Evan Francen: Yeah. When you listen, when you listen to this episode, Christophe, you’ll hear about this incident response we’re currently working on and just a complete lack of basic hygiene here. Uh but do you think it’s time for us to revisit the call to action again?
[00:19:01] Christophe Foulon: I mean the call to action is one thing, um uh they’ll bring the awareness from the citizens’ standpoint, but I don’t think they even are aware of what to do once made aware. So we almost need an awareness campaign. Yeah.
[00:19:20] Brad Nigh: Yeah, I mean, I know with, you know, kind of my side of it, it just kind of fizzled. They said, okay, yeah, we’ll make you kind of advisors as they’re moving forward and I haven’t heard anything
[00:19:31] Evan Francen: just disappeared. So raising the awareness, raising the priority level.
[00:19:37] Brad Nigh: Yeah, they were doing some right good steps, but yeah, no, nothing. So
[00:19:43] Evan Francen: so Christophe, it’s been a while since you’ve been, you know, on our show. What have you been up to?
[00:19:50] Christophe Foulon: Uh today’s my first day as a professor uh teaching online at Bellevue University. Um and then outside of that pretty much same old, same old,
[00:20:01] Brad Nigh: just that. So what will you be
[00:20:03] Christophe Foulon: teaching? Uh this uh semester’s course is Intro to Cyber Threats, um Actors and Security.
[00:20:17] Brad Nigh: Very cool.
[00:20:18] Evan Francen: Nice. So is this is this teaching gig in addition to your other job? Or is this is this all full time now? Okay.
[00:20:28] Christophe Foulon: No, not not full time. Just teaching on the side. It’s an online format, so it’s mostly engaging the students with the material that’s already prepped out, but I plan on adding additional relevant content and um asking the hard questions.
[00:20:46] Evan Francen: Cool, cool. Are you nervous? Yeah,
[00:20:50] Christophe Foulon: no, I do this all day on Twitter and LinkedIn.
[00:20:53] Brad Nigh: So that’s
[00:20:55] Evan Francen: very
[00:20:56] Brad Nigh: true and I have people that are seeking it out to learn. So it’ll be uh it’ll be good.
[00:21:03] Evan Francen: So how’s how’s your podcast going?
[00:21:08] Christophe Foulon: Uh we’re running a year. Um it’s going good I think. Um sometimes I feel like we need more guests, but um we’re starting to hit different types of individuals now. We’re having uh like sales, cyber sales folks, uh and career transitions. So folks that are in their 60s and 70s coming over to cybersecurity. So um definitely what I love seeing is just the diversity of guests that we’re having now.
[00:21:44] Evan Francen: Cool. So for for our listeners, tell us about your podcast. Tell us, you know, tell us where to find it. Tell us what you guys are trying to do and what kind of the mission is
[00:21:57] Christophe Foulon: the whole goal of the podcast is to have an interview, a conversation with someone who’s been in the industry for less than five years and they share their personal journey. So rather than having someone uh that’s been in the industry 20, 30 years preaching about what they did back in the day, um hear from someone fresh that just came into the industry, uh share what works, what doesn’t work from their point of view. And then hopefully by having a diverse group, I guess they can have uh tips from each person that they can take into their own journey, breaking into cybersecurity.
[00:22:37] Evan Francen: Okay, so you’re you’re trying to get are you trying to get more people into the industry or help people get into the industry? Both. Okay, good, good. Yeah. And and you mentioned you’re looking for guests that are, you know, sort of new to the industry less than five years.
[00:23:00] Christophe Foulon: Yeah. I’m always looking for guests. Um sometimes we’ll find that we’re booked out for a couple months and then uh it’ll dry up. So we’re always looking for guests when they’re available.
[00:23:12] Evan Francen: Awesome. Cool. Because we have some people, I know we have some listeners of our podcast who are looking to break into the information security industry. I just got, on our email, our podcast email, uh it was a trucker who does a route from, yeah, from St. Louis to Minneapolis, right. And so he listens to our podcast on the road and he wants to get out of trucking and get into information security. I thought awesome. So it’s great that you’re putting on this podcast. Where can people find it?
[00:23:47] Christophe Foulon: Uh well, we have a YouTube channel, Breaking Into Cybersecurity. It is also on the podcast from iTunes and I think it picks up everywhere else because we host it on SoundCloud. So any of the podcast applications that go to SoundCloud to pick them up, um they get it in their feeds as well.
[00:24:09] Evan Francen: Okay, so breaking into information security,
[00:24:14] Christophe Foulon: No. Breaking into
[00:24:15] Evan Francen: cybersecurity. Breaking into cybersecurity. Okay. And then um people can find it by going to Like give give somebody one place to go find it.
[00:24:29] Christophe Foulon: If you go to YouTube, you’ll have the recorded videos there. If you search it in the podcast app, for those on the road, um Breaking Into Cybersecurity, it’s there as well and you can find it on my LinkedIn profile, it’s linked in my profile
[00:24:45] Evan Francen: as well. So this uh I’m thinking of this one person who wrote into our show about being the trucker on the road. What one piece of advice would you give, you know, somebody in a completely different industry? Would you just say start off with, you know, listening to a podcast like yours? And do you cover what resources they’re going to need to learn?
[00:25:14] Christophe Foulon: Yeah. The guests typically will mention the resources that they’ve used in their journey. So the piece of advice that I would give is figure out what makes you passionate about this industry. So for the trucker it could be um the insecurities that he sees in the trucking industry and how that is a critical infrastructure for the United States and how his experience can now help secure that industry. So he’s taking transferable skills from his current role, adding information security to that and then helping improve society as a whole.
[00:25:52] Brad Nigh: You know, I think that’s a really good point is because people a lot of time, why are you doing this? Well, I don’t know because I hear a lot of buzz words around it, but to what makes, what makes it you passionate about this, what is it, how do you relate? You know, I think that that’s a really good point and yeah, we’ll help people be better at it, right? I’m just doing it because, you know, it’s the next way versus here’s why I’m doing it.
[00:26:20] Evan Francen: Well, exactly, yeah. I mean for people like you and me, and it’s funny because you mentioned, you know, 0 to 5 years experience or whatever, uh that disqualifies Brad and I, but Brad and I are both still, you know, as passionate, I think, today as we were day one. It’s uh the passion doesn’t go away. If you find it, you’ll latch on
[00:26:42] Brad Nigh: it’s that you find your why. Yeah, you find that why and it just, everything else just falls into
[00:26:49] Evan Francen: place for sure. So uh
[00:26:53] Christophe Foulon: yeah, I think the passion never goes away, but I think what changes is how to get in. Um uh with this many years of experience, the approach that you will take um is going to be different than someone breaking in for the first time. So the challenges that they will face, whether applying for 200 jobs or um getting a long list of credentials on a job req that they think that they need to meet, or all these skills that are listed for an entry level individual, how to combat those challenges and advice from individuals that have done it, I think, is what changes um as time goes on.
[00:27:36] Evan Francen: Yeah for sure. What are some of the common, what do you hear? What are some of the common challenges for people breaking into the industry? Is it just lack of experience?
[00:27:47] Christophe Foulon: Some of the things, yeah, some of the things you’ll see for entry level roles, they’ll call for um three years of experience, which for someone trying to break in at an entry level is really hard to get because most of the time they’re coming straight out of college or they’re coming from another industry like trucking and they don’t have that experience. Um oftentimes you’ll see a long list of certifications, even CISSP for entry level roles, which is crazy because that requires at least five years’ worth of experience. Um then you’ll see a long list of technologies, must be experienced in this and must be experienced in that, and that’s one of the reasons that we’re hitting this talent shortage, is employers are putting out these job reqs that are very, very strict and new entrants, the new candidates to their market, are going well I can never meet that and then they’ll never apply. Whereas I think if they take a more strategic approach, like here are the skills and competencies that will make you successful, these are the types of technologies that you should be um fairly confident in, and take that sort of approach, then you’ll have a more diverse set of candidates that are applying for those roles.
[00:29:06] Brad Nigh: I think that yeah that’s something we’ve identified and that’s why we hire for you know the person those intangibles like you know who they are, what they’re things we can’t teach because you can get exactly what you said right if they have the good basic foundation we can get security we can teach them security right? But it’s finding the right personality to begin with is that’s more important.
[00:29:33] Evan Francen: Yeah for sure. So is there an opportunity, so it sounds like there’s a good opportunity to educate hiring managers as well. I mean they need to write these reqs better, would you agree?
[00:29:47] Christophe Foulon: Definitely. Yeah, definitely. And that’s why um I love the approach that our podcast is taking. Um there’s myself who has been a hiring manager um looking to develop talent as well as my co-host who’s in recruiting, and we’re spotting these trends all the time and we’re informing those on the hiring side and the recruiting side of what to do and what not to do. But we also have a lot of hiring managers that listen to the podcast um for up and coming talent, so they’ll hear someone and their passion and then that will end up getting them a role as well.
[00:30:26] Evan Francen: Awesome. So the audience for your podcast is kind of kind of diverse itself, like your, like your, I think shooting for, you’ve got the candidates who people who are looking to break into information security or cybersecurity and then you’re also catering towards those hiring managers to help them find these right people.
[00:30:46] Christophe Foulon: Right. Yeah. Yeah, definitely. And it’s about changing that mindset of opening up the horizons and um looking for that more diverse group, because I think with the talent that we have, we can’t keep up with the ever evolving cyber threats that are out there.
[00:31:09] Brad Nigh: Yeah. Well when you think about it, you know, it’s pretty obvious that the vast majority of people don’t understand or just don’t get cybersecurity, and then you have those people writing job reqs or interviewing, you know, kind of that initial HR interview, where they’re interviewing for something they don’t understand, right? I mean a lot of times they’re googling
[00:31:31] Evan Francen: uh you know I was just talking to a company that’s hiring a CISO and they went out and googled CISO job description and then copied and pasted that one. It’s like really, maybe when I kind of look for a certain set of skills that will help drive your business forward, I don’t know. Uh huh.
[00:31:54] Brad Nigh: Probably a little more successful. That’s another challenge
[00:31:57] Christophe Foulon: that the other challenge in recruiting, you have uh HR recruiters or HR representatives that are using traditional approaches for looking for uh cybersecurity talent, and they don’t have the same motivations. When you’re looking for a new role, especially if they’re more experienced, they’re looking for the passion, the challenge, and less about the dollars. And you have these individuals that are focused on trying to weed out those just looking for the dollars, but they don’t know how to hone in on that passion.
[00:32:34] Evan Francen: Yeah. So now what would you say? So it seems to me, I’m gonna, I could take a guess at it but I’d rather ask you, uh Christophe, what’s your passion? What gets you, what’s so passionate about security for you?
[00:32:52] Christophe Foulon: I love helping people. I find myself in between, the security engineers have a passion for the security field, but I also like helping the business, helping people do things more securely. I found in my first role as a help desk individual that individuals were doing things that left them exposed to common tactics that criminals would use, and just by sharing tips here and there, I saw the impact that it had on their lives, and seeing that impact just made me want to continue doing that. That’s
[00:33:28] Evan Francen: cool. And what do you do, what do you do for your day job? What can you share about what you do kind of in your free time?
[00:33:37] Christophe Foulon: Yeah. So for my day job right now I am a cybersecurity risk consultant. So we’re helping government agencies that are looking to conduct a digital transformation, so moving from traditional systems to cloud systems, and in that ensuring that they are taking cyber risks into consideration, they’re taking advantage of what cloud has to offer as well as ensuring that security and risk is taken into consideration all along the way. Okay.
[00:34:16] Evan Francen: And you’re out in the Washington D. C. Area?
[00:34:20] Christophe Foulon: Yeah. Ok.
[00:34:21] Brad Nigh: Yeah. May, may not. It’s still early. Could be out there in October. What are you doing? I got to ask if we could potentially speak for, uh, Nash was some school board
[00:34:37] Evan Francen: business professionals.
[00:34:39] Brad Nigh: No, no, no, it’s like a national association, so if that happens we’ll have to try and meet up.
[00:34:47] Evan Francen: Yeah. Yes. At this point,
[00:34:48] Christophe Foulon: definitely
[00:34:50] Evan Francen: at this point our relationship is all electronic. It’s funny how you find people or people find you on Twitter or LinkedIn, right? And then you just, you know, start this kind of relationship, and it’s like, I’ve never even met this person, so
[00:35:05] Brad Nigh: far. So let me ask you this, Christophe, because I still, it’s weird to me, do you have people coming up to you and they’ll introduce themselves and be like, this is so weird, I listen to you all the time, thanks?
[00:35:18] Christophe Foulon: Yeah, yeah, I had that at a couple of conferences. I love to go to the local BSides conferences, whether trying to speak there or volunteer there or just go there to enjoy the topics that are put on, and I’ll introduce myself and they go, oh, I know you, I listen to your podcast or I saw your presentation at the BSides, and that just makes me happy to see that I possibly had a positive impact on someone’s journey.
[00:35:50] Brad Nigh: Yeah, I don’t know, you’re right, it’s amazing. And it is very humbling. But it’s still so weird to me. We should get used to
[00:35:59] Evan Francen: this when we share a lot of the same passion. So when you said that you’re passionate about helping people, both Brad and I, I mean, we’re sitting in the studio looking at each other, we looked at each other like, yep, that’s our passion too, you know. So there’s enough room for all of us in this industry, right? You’ve got you helping people break into the information security field. We do some of that here from a different sort of angle, but then we try to make plain English, easy-to-understand security things, right? You don’t hear a lot of technical jargon, but at the end of the day, it’s all about helping people, right? So that’s cool.
[00:36:42] Christophe Foulon: No, definitely. And I like to help people both in their personal lives as well as their professional lives. So that’s another reason that the podcast started, as between Renee and myself, we would get asked, like, what do we do, what can we do? And because we were getting so many of the same questions over and over, we thought, how could we scale ourselves? And a podcast is a perfect way to do so.
[00:37:06] Evan Francen: That’s cool. So share a little bit about your journey. How did you get into this industry?
[00:37:15] Christophe Foulon: Well, I started one of the more traditional ways. I started in IT. My first role was a Sony Style backstage engineer, helping prep computers that you would buy from the Sony Style store and ensuring that when you walked out the door, you knew how to work it, it was all set up, it was all secure, rather than you going home and trying to figure it out yourself. We were the services in the store to help with that. Then I moved up to help desk for a regional bank, then leading their team, doing some physical security along the way, helping a regional medical or a national medical provider. And then just moving up, keep helping, keep growing, being that bridge between business and security, and that’s how I landed myself here today.
[00:38:14] Brad Nigh: It’s, yeah, it’s funny how similar that approach was. Evan came in from the networking background, I came in from IT ops and worked my way up on that. You just kind of stumble into it and then look back and you’re like, oh no, I’ve been doing this a long time, right?
[00:38:36] Evan Francen: Well, I think once you get into the industry there’s so much opportunity in where you can go, what branches you want to get into. Security is such a broad topic. It’s such a broad discipline, but, you know, there’s such a huge need for what Christophe and Renee do in their podcast, because the hardest part, I think, is just getting
[00:38:59] Brad Nigh: daunting. Yeah. Yeah, I really like the approach that you guys are taking with it and helping people get over that, kind of like, again, the big barrier, right? It’s tough. Yeah.
[00:39:15] Evan Francen: Yeah.
[00:39:16] Christophe Foulon: One of our recent guests was a military veteran, and he talked about how his career as an intelligence officer helped prepare him. But there’s a lot of things that, for example, our military does that’s very similar to what we do in information security, whether it’s IR or it’s planning, it’s building out. And there’s so many transitional skills that we can take from this workforce that’s transitioning out from active service, and we can engage them in service in the information security community. Next
[00:39:53] Evan Francen: Yeah, that makes perfect sense. We’ve hired a couple of people transitioning out of the military
[00:40:00] Brad Nigh: and
[00:40:01] Evan Francen: there are challenges. There’s unique challenges in dealing with the way things were done in the military, to the way things are done in the private sector. You know, I know one person on our technical services team, I couldn’t believe that you wrote this thing in policy. How could you not be doing this? And he just couldn’t get over the fact that people weren’t following policy, like, well, private sector, man. Yeah. What’s cool, so, breaking into information security or cybersecurity, and then now you’re teaching. Tell me about your class. Tell me, you know, how many nights a week are you teaching? Nights, I assume?
[00:40:46] Christophe Foulon: Uh, no, it’s online. So I did my bachelor’s and my master’s online, and I figured this would be a good way to help give back to the community as well. And it was ultimately one of the reasons that led me to go do my master’s, so that I would have the capability to teach. But it’s online, through discussion boards, through conversations with the students. We have prep material and a course laid out for them, but my goal is also to bring in current, relevant situations that are happening and spark that train of thought as to what’s happening and how they could take the material that we have prepared and relate it to what’s happening today. My goal is that once they do leave school, they have more of a functional knowledge of what’s happening than just a theoretical knowledge.
[00:41:42] Evan Francen: Okay, I like
[00:41:43] Brad Nigh: that. Did you have to create the material, or did you have a framework already that you were just able to, you know, refine?
[00:41:52] Christophe Foulon: Yes, there’s definitely a framework that’s there already. And being my first class, I’m going to stick with the framework, but I think as things go on, then we can go in and add my own touch to it.
[00:42:06] Brad Nigh: That’s cool. So you mentioned what it was about; I guess can you go into a little more detail on, you know, what exactly is covered? You know, is this kind of a, I don’t want to say 101, like an entry level? Where is the difficulty? Yeah, yeah,
[00:42:29] Christophe Foulon: yeah, it’s definitely an intro-level class, and it goes into the different cyber threats, the different motivations for cyber threat actors, as well as the different technologies that are involved. It gets the students thinking about the security process from start to finish, including IR along the way, and just getting them a good, solid foundation of what they should be preparing for with the rest of their studies.
[00:43:01] Brad Nigh: Okay. That’s cool. That’s interesting because it goes right in line with your podcast and everything else you’re working on, getting people going in the industry. So that’s pretty cool.
[00:43:14] Evan Francen: Yeah. Absolutely.
[00:43:15] Christophe Foulon: Should we compare the stars do a line
[00:43:17] Evan Francen: like that. Well, so where can people find you? We talked about the Breaking Into Cybersecurity podcast. You’re also on Twitter. Where can people find you there?
[00:43:34] Christophe Foulon: Um, @chris_foulon, F-O-U-L-O-N, on Twitter, as well as on LinkedIn.
[00:43:42] Evan Francen: Perfect. Yeah.
[00:43:44] Brad Nigh: I still can’t get over how much you post.
[00:43:47] Evan Francen: He uses, but he told us, they told us the trick.
[00:43:51] Brad Nigh: I need to do it. I haven’t gotten any better.
[00:43:54] Evan Francen: Yeah, I love that trick too. It’s
[00:43:57] Christophe Foulon: all about killing yourself. Right.
[00:43:58] Evan Francen: Right. Yeah. I watch, you know, I follow you and love the content you post. I think there’s never 100%, you know, where you see things the same way other people do, 100%, and you don’t ever want that, right? You want the diverse perspectives and views on things. But I would say 80, yeah, it’s the same. And then where it’s not, this is why Christophe is a good person to follow. It challenges your thinking on those parts that you’re
[00:44:32] Brad Nigh: Yeah, I would agree. And you don’t want somebody who you’re in lockstep with all the time.
[00:44:37] Evan Francen: So follow Chris on Twitter. We should get to some news. One
[00:44:44] Christophe Foulon: of my commenters, sorry, one of my commenters yesterday mentioned how they could follow it if they weren’t engaged in my class. So, in line with your 100 days of truth, I’m posting one question a week to engage the audience that are not in my class. I already went ahead and posted the question for this week, so those following me can go in and do your own research for this week’s question.
[00:45:10] Brad Nigh: 42
[00:45:13] Evan Francen: The answer is either 42 or seven. Everybody knows that. No. So, all right. So, one question a week. Do you post that question at a specific time of day so people can, you know, make sure that they grab it? Because I’m assuming you
[00:45:34] Christophe Foulon: probably try to do it. I’ll try to do it Monday mornings.
[00:45:37] Evan Francen: Okay. So one question a week. Yes. Okay. So Monday mornings, I’ll be watching for
[00:45:45] Brad Nigh: it to go
[00:45:46] Evan Francen: find it, and I will not, probably won’t post an answer because, you know, we don’t
[00:45:51] Brad Nigh: want to ruin it for everyone else.
[00:45:52] Evan Francen: Yeah, because basically, I mean, if you know Brad and I, we basically know everything. So yeah, we don’t want to. Yeah, that’s a joke. Should we get to some news? Because I know Chris has another probably five to seven minutes or something before he’s got to go and do real work.
[00:46:12] Brad Nigh: Yeah, we can talk about some of these stories. I’m sure you may have heard of them. So from Krebs, breach at Hy-Vee supermarket chain tied to the sale of five million stolen credit and debit cards. So people still sell those, apparently. Lots of things out there. So is that, they’re, so two
[00:46:33] Evan Francen: 1015
[00:46:35] Brad Nigh: is that their restaurants, and has it
[00:46:38] Christophe Foulon: has some monetary value?
[00:46:40] Evan Francen: Yeah. I know it was funny though, because of my work on the Target breach back then, I mean, this was, every credit and debit card breach was such huge news. Nowadays, you know, one, I think due to breach fatigue just in general, and two, people don’t really suffer. They don’t think they suffer because the bank just gives them their money back. And the market, it hasn’t gone away, but it’s certainly tanked from what it was four years ago.
[00:47:12] Brad Nigh: So the dumps are being sold from $17 to $35
[00:47:17] Evan Francen: per dump or per card?
[00:47:20] Brad Nigh: It says, uh, I see, the card account records apparently stolen from that are sold for prices in the 17 to 35 range. So I get a text record with all your information.
[00:47:37] Evan Francen: because it wasn’t that long ago, usually. I mean, I think kind of before chip and PIN here in the US anyway, I can remember when cards were sold for 17 to 35 bucks apiece
[00:47:51] Brad Nigh: now. Now the money is in insurance and selling that ransomware. Yeah, ransomware, yeah. Shockingly, Capital One, their stuff stolen. This one was interesting. This one’s on Krebs as well. It was an insider that did it. So Seattle woman was charged with stealing data from more than 100 million credit applications. Um
[00:48:17] Christophe Foulon: but let’s clear that up. She was an individual that worked for Capital One’s cloud service provider, and possibly still, possibly worked on the project where they rolled out those services for Capital One, but no longer works for that cloud provider
[00:48:36] Brad Nigh: anymore. And she’s been arrested.
[00:48:40] Evan Francen: In jail, one, that quickly, and that news broke last month. But, you know, they’re still digging in and they’re still finding more and more, because she did work for, what, AWS? I think at the time she worked for Amazon.
[00:48:56] Brad Nigh: Yeah, it’s Amazon.
[00:48:58] Evan Francen: So she had access to
[00:49:00] Christophe Foulon: And you’re finding 30 other companies that she possibly also breached as well.
[00:49:05] Brad Nigh: That’s crazy. And what was, so why I brought it up was just how brazen she was, posting on social media about it. You know, there’s screenshots in there that show exactly what she did. She’s, hey, you don’t have to do the investigative work. I’m going to tell you how I did it.
[00:49:26] Evan Francen: Well, and isn’t part of her defense, I think, mental? Yeah. Which isn’t surprising. I mean, truly, I mean, if you follow her story, because she used to be a man, right, and you follow the story and some of the things that she posted online, and, you know, she wasn’t all
[00:49:49] Brad Nigh: there. It will be interesting to follow.
[00:49:53] Evan Francen: So how would you prevent a breach like that?
[00:49:57] Brad Nigh: Probably better logging. Why did somebody download a 16 gig MySQL database?
[00:50:04] Evan Francen: Right, mm. Do you think we would have identified this, because this was an inside job? Do you think background checks would have identified it? I don’t think so. Probably not. No. Maybe, because there wasn’t a criminal record there. I don’t think
[00:50:22] Brad Nigh: so. No. You’re really looking for more detection and quicker detection on this. So, you know, that unusual behavior. Did this person have a reason to be accessing these things and, you know, downloading that much data? Yeah, it
[00:50:40] Evan Francen: was. Well, this makes a case for
[00:50:43] Christophe Foulon: the privilege escalation as well.
[00:51:25] Brad Nigh: Right? Yeah, it’s a good idea, yep. I did have the Texas ransomware in there. You know, there was the Texas ransomware, the coordinated effort. I will say that, oh, I forgot which county it was, there was one, was it Lubbock County? They actually caught it pretty quickly. I was impressed with that
[00:51:45] Christophe Foulon: one. But the interesting part of that Texas ransomware is they went through a managed service provider that allowed them to pivot to 22 or 23 different clients all at the same time.
[00:52:01] Evan Francen: Did they name the managed service provider? Has that been publicized?
[00:52:05] Brad Nigh: Yeah. Mhm. You would think it will be eventually. Yeah, well, we’ve worked on, you know, a lot of MSPs don’t have, we had, we could mention some names, we had one where they put in a new firewall and left it any-any enabled, and they got, hey,
[00:52:23] Evan Francen: but network traffic was flowing, wasn’t it? For a while
[00:52:27] Brad Nigh: anyway, um
[00:52:30] Christophe Foulon: but it’s like the Cloud Hopper operation that happened over the past couple of years, where you had a state actor targeting MSPs and MSSPs for that reason, is that if they breach this supply chain provider for these big companies or these countries, they could get access via that way rather than targeting them directly.
[00:52:56] Brad Nigh: Well, it’s kind of what we’ve been saying,
[00:52:59] Evan Francen: the best bang for the buck,
[00:53:00] Brad Nigh: right? They’re going to target the highest value. And if I can breach one company and have access to everyone else, why would I try and individually breach, in this case, the 22 cities and counties? Just hit one and get
[00:53:12] Evan Francen: in. And I think NIST, MITRE, and somebody else is working on information security standards for MSPs. I
[00:53:22] Brad Nigh: didn’t see that.
[00:53:23] Evan Francen: Well, it’s not really publicized, but I was talking to one of the MSPs here, it has 35,000 customers, and they struggle with, you know, how do you maintain the operations, keep margins at a point where you can still make a profit, and secure it at the same time? It’s a challenge. So anyway, one of the things you said, Christophe, was, you know, I think we need to raise awareness and, like you said, provide solutions: this is how you protect yourself against this.
[00:53:58] Brad Nigh: Yeah.
[00:54:01] Evan Francen: Yeah.
[00:54:01] Christophe Foulon: And for example, what my organization, one of the things that we’re doing with the federal client that we’re working on is we’re helping them to improve their overall maturity prior to them possibly considering going to a managed service provider, because if you’re not mature enough to do it yourselves, how can you even monitor a service provider doing it? And if you don’t know what to monitor or what sort of expectations to set, you’re just walking into a situation
[00:54:33] Evan Francen: blind. Exactly. Yeah. I think a lot of companies go to an MSP because they feel like they can just hand it off and not have to worry about it anymore. But you still have responsibilities. You still have to have the oversight.
[00:54:47] Brad Nigh: Yeah. We talked to one MSP that had an incident, and their insurance got involved, and, you know, that stops everything. But yeah, we were asking them if they had segmentation between, you know, their clients. No, everything’s flat.
[00:55:05] Evan Francen: And a lot of them are using the same admin, super admin, across all of
[00:55:10] Brad Nigh: them, all of their clients. So it’s a lot more common to see that, I think, than people want to know about.
[00:55:18] Evan Francen: What I’ve seen, we have one customer who uses one of our products for vendor risk management, for third-party risk management, and sent a questionnaire through the tool to their MSP, and their MSP refused to answer the questions, right? Sorry, what? Right. Time
[00:55:37] Brad Nigh: to get, time to look for another
[00:55:38] Evan Francen: MSP.
[00:55:41] Brad Nigh: It’s nuts. So, next one, I don’t know if you saw this, Infosecurity Magazine, the headline is very, I don’t know, I think it’s misleading. It’s clickbait. Thank you. City of London hit by one million cyber attacks per month. And when you actually dig into it, from the way they have it, it’s like April 2018 to March 2019, they suffered 7.2 million attacks. Well, 6.9 were spam. I mean, I think that’s
[00:56:14] Christophe Foulon: or a ping sweep or something like
[00:56:16] Brad Nigh: that. Yeah. And then the second highest was spoofed mail, which is phishing attempts, 244,000. I mean, they did say there were 17,000 quote unquote top malware. Now, what does that actually mean? I don’t know. I mean, there’s still a lot there, but to say that we have a million
[00:56:35] Evan Francen: well, define attack, you know, because everybody in our industry still struggles, not everybody, but we still struggle in this industry with just common vernacular, common definitions of words. So attack versus event versus incident versus
[00:56:50] Brad Nigh: you know, these are not attacks, these are
[00:56:53] Evan Francen: Yeah, it depends on how you define attack, right? If you’re defining an attack by an attempted something, fine. I would call it an event, but it’s headlines like this that do get clicks
[00:57:06] Brad Nigh: and I don’t think it helps. Right. Right. Anyway. I was just
[00:57:12] Christophe Foulon: Yeah, I mean, if it raises awareness, it helps. But you don’t want to sell the fear, uncertainty, and doubt, and kind of like that 60 Minutes commercial that was airing last night, they talked about the ransomware in Texas and they talked about all the other cities that got affected by it, but they didn’t really share at least some common tips and tricks that small and medium-sized businesses or even small municipalities can use to help protect themselves for the future.
[00:57:45] Evan Francen: Yeah. Right? Like backing up data and protecting it, right? Which we’ve been preaching since the 1980s.
[00:57:53] Brad Nigh: it hasn’t changed
[00:57:55] Evan Francen: still the same thing
[00:57:56] Christophe Foulon: backing up offline. Not on premise, not keeping it connected, because one of the cities had backups but they were still on the same network and still connected live.
[00:58:07] Evan Francen: Well, right. And that’s always been part of it too. It’s backing it up and then protecting those backup files, you know, whether it be, we used to be physical, right? We back up to tape and you have to store it, you know, 5, 10, 15 miles away so that if a disaster hit that physical location, you’d still be able to go and get your backups and recover. Now that most of the backups are done online, it just takes a different sort of protection shift, right? You have to have them air-gapped, offline. Maybe even go back to physical backups. You know, I mean, they’re still, but they
[00:58:41] Brad Nigh: work. You know, we had gone to a hybrid approach, which was, right, back up to disk locally, replicate the disk to a DR site, and then once a week our fulls went to tape and offsite, just because of the value of that data. Yeah, it sucked. But
[00:59:01] Evan Francen: but it’s a simple, effective backup strategy.
[00:59:05] Brad Nigh: But I don’t think tapes will ever fully go away. There’s always gonna be a need for them.
[00:59:09] Evan Francen: Well, being an old-school guy like I am, and just generally old, you know, in general, I like tape backups. They’ve worked. They were slow, but they worked
[00:59:23] Christophe Foulon: as long as you test
[00:59:24] Brad Nigh: them. Yeah. Yeah.
[00:59:26] Evan Francen: Yeah, very true. And that reminds me of the same MSP that I was just thinking about, who does a, they have a service, it’s backup as a service or whatever. It’s just another thing that they sell people, and when we do an assessment of their clients, that’s what we ask, you know, do you test restores? Do you do a bare metal restore? Can you recover? And the MSP doesn’t do that for them. They said, well, we can do that for an additional charge, but we don’t do that as standard practice for 35,000 clients. Are you kidding
[01:00:01] Brad Nigh: me? Yeah. Yeah. Anyway, we’ll move on from that. Gillespie.
[01:00:09] Evan Francen: Yeah, I’m not gonna mention the name. I’ll mention the name some other day.
[01:00:13] Brad Nigh: So the other one, this one was just a facepalm: the Ukrainian nuke plant workers that tried to mine cryptocurrency. So they took a supercomputer which was air-gapped and hooked it up to the internet to mine cryptocurrency. So they’ve been arrested. Um
[01:00:34] Christophe Foulon: There was an incident in Russia last year that did something similar. They were using their supercomputer to mine cryptocurrency as well.
[01:00:44] Brad Nigh: Yeah. Yeah, it’s actually, so I found this on Infosecurity Magazine as well, and it does link to that story about the Russian nuclear center being arrested for doing Bitcoin mining, but on a nuclear power plant. Yeah. Excellent. So this was interesting. I think, you know, those employees are going to probably not see the light of day anytime soon, because they’re saying they unwittingly disclosed information on physical security measures in place at the nuclear facility, which is a state secret. The state typically does not like when you do that.
[01:01:23] Evan Francen: Well, I mean, the Ukrainians’, I think, number one adversary on the geopolitical scale is Russia, right? Russia was already there anyway, so
[01:01:31] Brad Nigh: well, they definitely are now, but if it was air-gapped, there was at least, right, the theory. But yeah. The last one I had was good.
[01:01:47] Christophe Foulon: I was gonna say, did you see the story of NASA where one of their either contractors or employees put in an IoT device because they wanted to access their things remotely, and it was online for over eight months?
[01:02:03] Brad Nigh: No, I didn’t see that. I
[01:02:08] Evan Francen: did see the hacking. Yeah, there was the NASA hack, the astronaut hacked from space. Did you see that one? No?
[01:02:16] Brad Nigh: Oh yeah.
[01:02:17] Evan Francen: Uh
[01:02:18] Brad Nigh: she
[01:02:19] Christophe Foulon: She hacked her spouse’s bank account from space. So now you’re thinking, how to approach it? Which countries, love that, they need to approach to
[01:02:30] Brad Nigh: tackle the situation?
[01:02:31] Evan Francen: I mean, that’s epic. What hacker wouldn’t love to hack something from space? Crazy.
[01:02:37] Brad Nigh: No, I hadn’t seen that. I’m telling you, these IRs, you lose track of so much. Yeah, I feel like I’m so far behind. Last one I had was on ZDNet: medical device cybersecurity will be rubbish for 20 more years. And that sounds clickbaity. But having seen what we’ve seen, I don’t disagree. Do
[01:03:00] Evan Francen: you think so? I think this will be one part of information security where, you know, there’ll be a direct correlation to death, and whenever somebody dies, the government, well, it wakes
[01:03:11] Brad Nigh: up. I think the problem you’re going to have is they’re still working on standards, and, you know, we have had family that’s in the healthcare industry, and they don’t replace things unless it breaks and they have to, right? So you’re going to have a lot of legacy stuff out there.
[01:03:29] Christophe Foulon: Do you have the same thing in, like, environments as well? Because what does an X-ray machine cost? What, 20, $50,000? You’re not going to replace it just because it can connect to Windows 10. It works fine on Windows XP. So they’ll keep it running
[01:03:50] Evan Francen: well. And what we do with healthcare entities is, where you can’t patch and you can’t, you know, mitigate some of these vulnerabilities, isolate. Yeah. I mean, there are mitigating controls you can put in place to make it better. You know, it’s funny, on our board of directors, the SecurityStudio board of directors, is Pat Joyce, who’s the CEO at Medtronic. I should have him on. He probably won’t, because, you know, politics, but it would be cool to get his take. I think I have lunch with him on Friday. I’ll see if he’ll come.
[01:04:23] Brad Nigh: Yeah. Yeah. I think it was interesting in the article, there again, it comes back to the basics. So they did a trial run with three hospitals over three months to find what was out there, and they found equipment with default credentials, default config, sitting in a DMZ, right? So there’s a lot of things that can be done, but I think building security into the devices themselves is going to be a while, because there’s a lot of legacy stuff out there. People will
[01:04:54] Christophe Foulon: die. And then they also rely on their vendors to provide support. And the vendors will go, well, if you don’t leave my default credentials in there, I can’t service you, and therefore I can’t help you. So it will be considered out of warranty. And so they take that risk, or they leave that default cred there so that they get it serviced by their vendor.
[01:05:17] Evan Francen: That’s true. It’s a good point. Well, the whole healthcare industry is such a mess. I mean, we work with, you know, one of the large healthcare systems here in Minneapolis, very large; they only make 1, 2, 3% profit. So they don’t have a lot of money to tackle some of these issues. And so if you’re not going to get vendor support and, you know, to Christophe’s point, replacing machines is not an option, they can’t afford it even if they wanted to, right? That’s a big issue. We should do a whole show just on that.
[01:05:56] Brad Nigh: Yeah, yeah, it’s a mess. All right, well, Christophe, thank you very much for joining us today.
[01:06:03] Christophe Foulon: Thank you. Thanks for having me
[01:06:04] Evan Francen: again. I love this. I love his perspective. We’ll have to have him on again.
[01:06:09] Brad Nigh: Agreed. So, you know, happy anytime. We’ll definitely have you on again. So thank you, Evan, and a special thank you to all of our listeners. It’s crazy to watch the show growing every week, just more and more people every time. Love the feedback. So you can reach us on the show. You can email us at unsecurity at protonmail dot com, or you can get us on Twitter. Evan, is that @EvanFrancen? I’m @BradNigh. And apparently Evan has already got a great show planned for next week.
[01:06:44] Evan Francen: I do have a really good show planned for next week. And once again, to Christophe, I don’t normally tout following as much as I do, but Chris does have a really good perspective. So again, on Twitter, @chris_foulon, C-H-R-I-S underscore F-O-U-L-O-N. Follow him too. Absolutely, yeah. All right. Thanks. Good show. Yeah.