Podcast

BCP vs DRP for CISSP

Brad and Evan take what's happening across the country and look at it from a business and information security lens and explain BCP vs DRP.

It’s hard to talk about anything other than current events with the events that have transpired over the last few months, really. As always, Brad and Evan take what’s happening across the country and look at it from a business and information security lens and explain BCP vs DRP.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Hey there. Welcome to episode 82 of the Unsecurity podcast. Today’s date is june 1st 2020 due to a lack of personal hygiene. Uh, mostly haircut. I’m actually getting one tomorrow. Thank you. Yeah, I’m your information security chia, pet Evan Francen joining me is my good friend and co-host Brad Nigh. Good morning Brad

[00:00:43] Brad Nigh: Morning Evan. Hopefully we can even listen to nothing but the best after the craziness that’s been going on. Hopefully everybody being safe.

[00:00:55] Evan Francen: I don’t even, yeah, I don’t even know where to go get started on that. Uh, but you know, we do have some serious stuff to talk about in today’s show. One of the most serious things for me at least is talking to you Brad catching up. How you doing?

[00:01:08] Brad Nigh: Not bad. It’s like, yeah, like you said, it’s been a little overwhelming the last week or so, but got out this weekend and got in a nice like five mile bike ride with my daughter. So it was, that was good. It’s fun to see them

[00:01:21] Evan Francen: and I was good.

[00:01:23] Brad Nigh: Yeah, it’s fun. Lots of time outside.

[00:01:27] Evan Francen: Yeah.

[00:01:29] Brad Nigh: You know, mowing the yard and lots of chalk drawing on the driveway.

[00:01:35] Evan Francen: Mhm. The world’s gone crazy man.

[00:01:39] Brad Nigh: Yeah, it’s fun. They started playing pictionary on the driveways with chalk. So we’re doing that for a bid on saturday. Really? It was their idea so Yeah. Yeah. Also see him get along so well given this would have been cramped up since 12 for almost two months now, three months now.

[00:02:01] Evan Francen: Yeah. Have you guys gotten out anymore?

[00:02:04] Brad Nigh: Not really. I mean they’ve had a couple of what they’ve got to go to the orthodontia so they were excited to get out and be out of the house for a bit, not like riding a bike or being outside. So.

[00:02:18] Evan Francen: Yeah.

[00:02:20] Brad Nigh: Uh huh. How about you?

[00:02:21] Evan Francen: Uh trying to keep my sanity man. It seems like, you know, every time you turn around, you know, it’s just uh crazy stuff man. I don’t even know what well to think sometimes it’s uh you know, you just start feeling like you’re coming out of covid and then you know this

[00:02:44] Brad Nigh: that was well what’s crazy is it’s not like Kobe just magically went away but you just don’t hear about it, right? I mean it’s still there. The you know it’s a nurse, she’s standing they’re having to still take you know, a lot of precautions and yeah, it’s nuts.

[00:03:08] Evan Francen: Yeah.

[00:03:10] Brad Nigh: As zack would say cuckoo banana pants, right? I think that’s a pretty apt description.

[00:03:21] Evan Francen: Yeah. Well and it’s just like you know, you read just you know, maybe I should stay off of social media but you read the things on social media and it’s just like what in the hell are people thinking,

[00:03:36] Brad Nigh: oh no, it is, it’s almost it’s overwhelming the amount of things just constantly bombarding. Yeah, it’s uh

[00:03:49] Evan Francen: well, it’s there’s so much hatred.

[00:03:51] Brad Nigh: Yeah. Yeah.

[00:03:53] Evan Francen: I mean, it’s like pure hatred on

[00:03:56] Brad Nigh: uh on

[00:03:57] Evan Francen: both sides.

[00:03:58] Brad Nigh: And I think the part of the problem is he’s got an avenue for this small percentage people to region larger audience, right? So, I still think and believe it’s a very small percentage of the overall population that’s that’s driving that. Yeah, but it’s just there, it allows them to dominate the news cycle and the messaging and all that stuff. And it’s unfortunate.

[00:04:31] Evan Francen: Yeah, it is, it is because, you know, people, I mean, I’ve read uh Mhm. Yeah, just crazy things, man, because, you know, I’ve never felt, I don’t know, there’s a lot of processing, you know, let’s take place a lot of like, you know, you’re reading things from people and you hope it’s not representative of a larger groups of people. Because the things that you’re reading are things where you can’t coexist. Yeah. You know what I mean, with the hatred, you just can’t coexist. And so and the problem is we have to coexist,

[00:05:16] Brad Nigh: right?

[00:05:16] Evan Francen: Or you eliminate each other. Yeah. You know, and that’s just it’s so destructive and it’s the wrong place to go, you know, I think logic, a lot of places was just kind of being thrown out the window? Um you know, working together, love compassion, empathy, you know, the good things, you know, just seemed to be in some circles, right? It’s the it’s the vocal majority. Maybe not the numbers majority, but the vocal majority.

[00:05:51] Brad Nigh: Yeah. Well that’s I mean we’ve always I think it goes for what you hear business, right? 20% of your customers cause 80% of your problems. Yeah. It’s I think it you know, from I really do believe that that’s what it is, right? It’s just that now with the 24 7 news where they’ve got to do it is driven by ratings more and then, you know, the social media which allows them to kind of instead of being isolated pockets is now banding and getting that message and being able to kind of overwhelm the 80% that aren’t that way that don’t have you know, the hatred. It’s just I don’t understand. I mean, I just don’t get it. But

[00:06:43] Evan Francen: I mean I understand you know the frustration, I understand

[00:06:46] Brad Nigh: that that yeah, I mean just pure hatred and some of the rhetoric and just that I don’t I just I don’t know, I can’t comprehend hating anybody for something that much, right? So I don’t even know like I don’t get it. Yeah.

[00:07:11] Evan Francen: Yeah. And it’s almost like in some circles you don’t you know, people like us don’t you know, you must feel like you don’t have a right to even say anything, you know what I mean, Shut you up because what do you know? You know, it’s like, well, I don’t know.

[00:07:30] Brad Nigh: Yeah, I think the best thing that I saw because it is, I think, well, I think people’s backgrounds make a difference to, right? So I can’t understand what some of these people are going through because it’s not that I can say I have empathy. I have, I understand the frustration, right? I can hear the message and support that, but I truly can’t put myself in their shoes. But you know, yeah, I don’t, I don’t know.

[00:08:01] Evan Francen: Well anyway, so I mean that was, I mean it’s just dominated kind of the thoughts, you know, the last week we did try to get away this weekend, got you know, a motorcycle, uh, trip and then uh, yeah, he had another deer. So you know, most people, I think I’ve never hit a deer, a single deer on a motorcycle. So now I got two under my belt. So me and my wife, we were on the bike, we were on our way from one small town to another small town, got about 60 miles an hour, hit a deer came out of that just came out of the woods. It was the middle of the day to was like noon, uh, click the back end of the deer, uh, damaged the bike pretty good, but kept it on two wheels. So thank God pulled off to the side of the road, got it, you know, got it really nice people, there’s a whole bunch of stories here, but I won’t go too deep. Got it towed to Hurley dealership in on Alaska Wisconsin, uh, you know, filed the insurance claim and then, uh, I was like, well how do we get home? You know, I bought another

[00:09:16] Brad Nigh: bike

[00:09:19] Evan Francen: about another bike, my wife is, you know, trooper, you don’t let fear stop you from doing things that you love to do and you know, I’m a good writer. It’s, you know, you can’t do anything about, dear, I can’t imagine, I mean seriously that you’d ever hit three deer. It’s not like a, it’s like I’m writing in like high risk times

[00:09:40] Brad Nigh: or anything done or desk or whatever.

[00:09:42] Evan Francen: Yeah. So yeah, so we bought another bike and wrote it, brought it the rest of weekend and wrote it home. Oh, my own two bikes, because once the other one gets fixed. Yeah, and then I have two motorcycles, so I have to sell the first one, you know,

[00:10:00] Brad Nigh: the damaged one, assuming they don’t just total it out, but I’m fine, you know, probably your uh,

[00:10:06] Evan Francen: yeah, that only use any way they could total it out. There was no frame damage, it was front fender, um, broke a light in the back of a light in the front, um, crack the fairing on the front, you know, this is the front fairing. Um, yeah, I can’t imagine a total it if they do, then they give you the cash for it. I guess

[00:10:32] Brad Nigh: that would be your best case.

[00:10:36] Evan Francen: Eventful weekend and you know, you know and I did purposely disconnect over the weekend and then you come back and you know you start reading some of the, you know because I’d read the social media stuff because I want to try to understand uh not because I’m looking to start any kind of fight or anything like that. I want to understand what people are feeling. What can I do to make things better versus make things worse. And then you read the things on social media and if you’re going to the things you’re reading you can’t do anything to make it better. Just you existing makes it worse.

[00:11:15] Brad Nigh: Yeah. Yeah.

[00:11:18] Evan Francen: I mean there’s so much hatred. It’s like we hate you now because you know like you and me, I don’t think I have, I mean I don’t think I have a racist bone in my body, you know, I mean I have no discrimination or anything like that and and then uh but just me being white now is I mean it’s just crazy man because I still have no animosity. Yeah, I have animosity towards hatred, not towards people. Yeah. You know what I mean?

[00:11:51] Brad Nigh: Yeah. Yeah. Like I said I just I don’t get m lady I I had to just disconnect from social media like there’s just so much out there

[00:12:05] Evan Francen: one night reading I mean I think yesterday there was, you know, something posted on tva’s, I don’t know if it was a hoax or if it was for real, but about going after the suburbs in Minnesota.

[00:12:19] Brad Nigh: I saw something that it was a fake account. Like the national thing. It was been created very recently and had almost like no followers, that’s

[00:12:30] Evan Francen: enough to like, you know, I’m going to sleep to sleep with my gun next to me now.

[00:12:36] Brad Nigh: Yeah. Yeah, I get that. I think that’s, that’s the point of a lot of this is to try and so fear and uncertainty. Right? So,

[00:12:47] Evan Francen: but you know, it’s, can you put it past anybody? Oh, I mean, all the craziness going on, It would have been so crazy to think, Yeah. You know, I don’t know. It’s not. So anyway, I don’t wanna go too deep into that stuff. Because I think a lot of the things are deep, man. I mean, you could spend a lot of time talking about a lot of these things and uh, the good thing about that is those things were always there and it brings it to the surface and I can discuss really difficult things, um, because it’s not like, it’s not like, uh, you know, so it’s not like these events of the last week are the cause, right? The causes deeper.

[00:13:33] Brad Nigh: Oh yeah. Does that decades.

[00:13:37] Evan Francen: So anyway, one of one of the things I wanted to talk about because it’s easier to pick a topic for this week’s show. You know, we think about the world and you know how crazy it is. We encounter the events last week. So many thoughts, emotions running through our heads, everything from sorrow to anger, the frustration and everything between. Um, we don’t want to shy away from the tough issues, but we also need to keep things on topic meaning information security for this show because that’s what we talk about here. We talk about information security. We could go off on all sorts of tangents and talk about lots of other things. Uh, I’d like to discuss today is how current events apply to what we do. You know, ultimately. What do these things mean for information security? So you came for that.

[00:14:27] Brad Nigh: You must do it.

[00:14:28] Evan Francen: All right, Cindy. You would. All right. So the first thing oftentimes, you know in information security that our clients, the people we work with our businesses. Right. And so our number one, we have a set of 10 principles that we follow here. You know what fr secure. And number one is businesses and business to make money. So if the business doesn’t make money, then the business doesn’t exist, right? You know, And if the business doesn’t exist, payroll doesn’t get made, the payroll doesn’t get made mouse don’t get fat and families don’t get supported, You know, So making money is not a bad thing. A business making money is a good thing. A business making money means that mothers and fathers can feed their Children and put a roof over their heads? Uh, you know, transportation, entertainment, all the things that are good. Right? So what we’re seeing, I think, you know what I’ve seen, you know, in the riots and everything like that is, businesses are already struggling. They’re already getting their asses handed to them with Covid and then you couple that with the things that are happening now with the riots. So what can we do? I mean as information security, if we, if we believe that our businesses and business to make money and our job as information security experts is to do our best to preserve that ability. Yeah. No. Yeah, lots of ideas, lots of things to discuss. So physical security implications. So if you were a business or you, we’re consulting a business that was in a zone that was affected by riots and unrest and civil things like what we’re seeing, What are some of the things that we could do, you know, back up now because playing monday morning quarterback is something that we have the ability to do and you know,

[00:16:33] Brad Nigh: well, it would be good. This will be advice for maybe some businesses that haven’t, aren’t in those impacted areas yet. Right. If they haven’t been impacted the potential is there. So what can you do to prepare for it ahead of time? You know, hopefully it doesn’t spread that if it does, what should you do? And I think the, one of the most important things is, and we look at this is, do you know what your neighbors are, what they do, What’s, you know, we’re seeing kind of retail seems to be getting targeted because people are, yeah, they’re grabbing stuff. So if, you know, you’ve seen it in Minneapolis where there’s a lot of restaurants and small businesses that are just kind of collateral damage to the retail to know know what it is around you, What other businesses are there? What risks does that put you in?

[00:17:29] Evan Francen: Yeah. And certainly if you play it out, you know, I guess one of the things is, are you a business that looters would target, right, Are you right. Well, that was so, yeah, I think you may have a good point. First, kind of try to figure out what kind of business you are, what kind of business your neighbors are in. Are they a potential targets for looters? Um, or, you know, if I’m a law firm, you know, I may not be a target for looters, but I might be a target for burning my building down, right? You know, so thinking about, you know, that I am I a target and potentially for being destroyed are being looted. If I’m a target, Well then it might make sense to move inventory. It might make sense to move, you know, personnel movable assets, you know, to a less, you know, at risk location.

[00:18:37] Brad Nigh: Uh, yeah, yeah. Paper records, things like that, that you need to keep answering a high risk area. You probably should be considering relocating those things.

[00:18:51] Evan Francen: Yeah. So if you haven’t been hit already, but you think that maybe you’re in a higher risk location, you know, physical location. Yeah, it might make sense to seriously consider moving things. Yeah. You know, I mean, at least if you’re a retail organization, you’re gonna lose the revenue anyway. Right? Nobody’s gonna be shopping in your store if looters and protesters are Yeah, outside. So the next best thing is to try to protect your inventory, your investment, you know, maybe switch to, you know, sadly, you know, I hate to see brick and mortar going away, but you know, there’s viability of the business itself. Right? So if you need to go, you know, focus your attention online.

[00:19:43] Brad Nigh: Yeah. Well, and it’s when I read the, your nose, excuse me. Um, part of me my thought was, well, we’re already going to see a fundamental shift in how businesses operate anyway. Prior to any of the, you know, protests and riots and or whatever over the last week, just with Covid 19 mm hmm, is what businesses are going to continue to have physical locations. Is it going to be a smaller footprint with less resources? Like I think what we’re going to see over the next year and a half to two years is a major shift in how we have to look at physical security from an infrastructure perspective, because it’s what we had in january of 2020 and what we’re going to have in january of 2021 2022 whatever it is, you’re gonna look back and be like, that’s crazy. The danger is going to be just, it could be a fundamental change in how businesses operate is my guess.

[00:20:53] Evan Francen: Right? Yeah, I agree.

[00:20:55] Brad Nigh: So, you know, I think we’re gonna see probably hopefully businesses that are, are on top of it and being smart are going to, you know, Yeah, they’re still physical security implications with people working remotely. Right, well they have to have access to documents and we how do we block printing or do we send them secure threat? You know, there’s there’s a lot of physical security implications that you have to consider, but it’s going to change what those are and you’re going to see a change to more. How do we secure remote

[00:21:30] Evan Francen: workers? Yeah, I agree. So, physical security implications today, so that’s a great thing for us to plan for, right. If you’re a business, you know, planning for what your business will transform into. Um sadly, you know, a lot of these um I think a lot of the inner city uh town, you know, brick and mortar goes away. I mean, I think it, because why would I, if I was a business owner, why would I open up a business in those areas, you know, because it’s just and it has nothing to do with white or black or anything else, right? There are many, many of those businesses are owned by people who live in those communities.

[00:22:23] Brad Nigh: Yeah, our our downtowns, I think that’s another thing, you know, the cities are going to be very different and that’s going to be, I think it’s gonna be interesting to see what happens high rises, you know, if you can’t get tenants, what happens to all those high rises because they don’t need the space anymore?

[00:22:43] Evan Francen: Right. Yeah. So today for a business that has not been hit yet in a higher risk area, we’ve talked a little bit about that and even if it’s a very minimum, if you’re not ready to move things to move your critical assets, the most critical being your people, obviously then at least plan for it.

[00:23:06] Brad Nigh: Yes,

[00:23:07] Evan Francen: what’s going to be the trigger to do those things right? To protect? What it is that you still can protect? Is it going to be, you know, physical proximity, you know, if if this thing grows, you know, sort of sequentially and it starts getting closer and closer, is it gonna be once it’s, you know, six blocks away, three blocks away.

[00:23:31] Brad Nigh: Yeah.

[00:23:33] Evan Francen: You know, and one of the things we’ve seen some company or some organizations do is stand their ground hiring armed guards. If you’re going to go that route, man, you’ve got a lot of legal things that you need to work out, you

[00:23:47] Brad Nigh: know, first.

[00:23:49] Evan Francen: Exactly. Because that could turn really ugly. I’m not, I’m not saying, you know, don’t do it because I don’t, I don’t know, I don’t, I haven’t played all those scenarios out myself in my mind, but just that could be a really slippery slope.

[00:24:05] Brad Nigh: Oh yeah.

[00:24:06] Evan Francen: Because I think the pawn shop guy wasn’t there a pawnshop owner really? The first night of the protests in Minneapolis for the second night

[00:24:14] Brad Nigh: shot someone, right?

[00:24:16] Evan Francen: Not somebody killed him. And I think he’s in jail now. Yeah. Yeah, be very careful,

[00:24:24] Brad Nigh: not, not, not a good situation.

[00:24:27] Evan Francen: So let’s say, I’m a say I’m an organization who, you know, I’m not, maybe I’m not in a high risk area now, but I am in a, the population density in, you know, my physical location or some of my physical locations show that this same kind of thing could happen in the future. What types of preventative or, you know, detective controls will be put in place to limit the damage maybe or deter people from attacking our facility.

[00:25:02] Brad Nigh: Yeah, I think so. You have to look at like, like you’re saying, what, what is the type of assets you have on site, right? You know, is it just like we don’t have basically don’t have paper anything in the office or stuff. It would be, you know, monitors and spare, you know, parts and keyboards and that type of stuff. There’s not a lot of data on site. So our risk is more, those types of things. The biggest, biggest thing for us to be people, right? Making sure that we’re safe. Well we, we had the office closed for what, two months, whatever. So we know, hey, we’re going to go back to doing that. You have a lot of inventory that you’re concerned about. Maybe you look at, you know, some sort of like, gosh, you know, you have some cameras in place that are maybe a little bit more obvious and or signs that state that is being recorded. Um,

[00:26:09] Evan Francen: you know, well, I think, you know, depending on the type of business to, is, you know, we’ve talked about this before, making your building look more inconspicuous look attractive. Not, it wasn’t special about this building. You know, there’s no bright neon sign that says, hey, we’ve got critical stuff here. Nothing.

[00:26:30] Brad Nigh: Yeah,

[00:26:31] Evan Francen: Attackers will, I mean trying to understand what the potential motivation would be if it’s looting and I’m not retail, I’m probably going to be more okay. Uh, also considering that my neighbors may not be retailed. Yeah, I’m in a more like, I don’t know, uh,

[00:26:55] Brad Nigh: the office park or

[00:26:56] Evan Francen: politically active type of organization. You know what I mean? Um, maybe I don’t advertise it so much on the outside of my building or if I need to advertise it during times of normal business operations, maybe having removable signage, you take that signage down when stop going to start going crazy, you know, because if in fact a lot of these looters and things and I’m sure some of them are, I don’t know what percentage, but some of them are from out of town. So if you remove the sign, they’ll have no idea that that oh, that’s that one place, you know what I

[00:27:35] Brad Nigh: mean? Yeah, simple things like closing blinds or shades at the office, so people can’t just see in and see what’s there.

[00:27:46] Evan Francen: Right? Yeah. And I think, you know, if you have the ability, you know, in terms of site design, you know, offset the building, you know, further back from, you know, sidewalks and streets are less likely to get because you figure if the crowd is moving down the street typically is a big mass, uh, they’re less likely to go east and west, you know, on that track.

[00:28:17] Brad Nigh: Yeah. They’re not men divert off.

[00:28:20] Evan Francen: Yeah. I mean, your physical design, if you have the ability to, or if you’re relocating or you’re locating to a place that might be high risk in the future. You know, those are also considerations I think and how you would approach physical security design fences, you know, there are different types of fences that don’t make it look so, you know, high security, but they actually provide security, you know, those types of things.

[00:28:49] Brad Nigh: Yeah. You know, and well, and also, okay, so knowing the location, if you’re on the ground floor, you’re, you know, that’s a different set of risks. And if you’re on the 15th floor right? Like they’re not going to climb stairs for salute an office on the 15th floor

[00:29:10] Evan Francen: to get a laptop,

[00:29:12] Brad Nigh: right? But your risk is that there’s a fire, right? And that would probably be the bigger risk or you know, there’s the looting happens on the ground floor, you’re not able to access your office. So I think you have to take those types of things into consideration as well.

[00:29:26] Evan Francen: Yeah. And certainly from, and then from a personnel because I actually fit safety somewhat more into the physical security area. Excuse me. And for better or worse, but wherever you are, however you organize it. But you know, certainly personnel safety, communications, lines of communication. So you can inform all of your employees about the happenings, the goings on with the business, what our strategy is gonna be, the office is closed, the office is open. Uh, you know, if the office is open come this route versus that route, you know, just all those kinds of things.

[00:30:02] Brad Nigh: Yeah, well, and okay, you know, right now Minneapolis is shutting down some of the major thoroughfares, they close at five o’clock as a business, you need to know, oh, well we’re gonna have to close early because we can’t have our people stuck in the office. These are closed.

[00:30:24] Evan Francen: Yeah, for sure. So I think there’s a lot of physical security implications. A lot of lessons, a lot a lot of ideas. I think the important thing is that if you’re going to approach these things to do so mhm logically to plan document, right? Because there are lots of, lots of things to consider. It’s not just one thing. Yeah, even where we’re located, where we’re in a suburban location, we still have to consider things, right? Because we do know that there has been some, whether it’s um whether it’s just rumour or whatever, what’s to stop this from moving even further into the suburban locations. What would you do? Right? Time to figure that out is when you have to do it.

[00:31:17] Brad Nigh: Well, and we’ve already seen that with, with Covid where businesses were like, I don’t know what to do. We had to shut down. Well, like you said, hopefully people start trying to realizing, hey, we can’t just uh kind of wing it or hope for the best or it’s not going to happen to us. Like that’s not the case. So start playing and start looking at at some of these things and

[00:31:46] Evan Francen: right, in worst case it doesn’t, it never happens to you. You never have to face this directly, right? So you spent, you know, x number of hours planning and what you got out of it was peace of mind and a better understanding of yourself. It was the time.

[00:32:04] Brad Nigh: Right? Well, and that’s what I think makes BCP vs DRP. And I are planning so tough for businesses sometimes is it’s a lot of effort to put into it and if it works you go, well, that wasn’t so bad.

[00:32:20] Evan Francen: Right. Well, and people people always think wrong, I think myopically, you know about BCP vs DRP, well, it’s never going to happen to me, but that’s not the only reason why you do the rpm BCP. There are other reasons. One, you understand yourself better. One development of lines of communication that may be, it may have never existed in your business before. Two or three. You started collaboration between business groups. You’ve broken down some barriers between potentially silos in your business to do a good BCP and DRP plan. Uh huh. For, you know, you give up this, I mean I’m listing off all kinds of reasons, you know, for it gives off to your employees and your customers that you’re a planner, right? You can trust it. They move taking the right steps to ensure that the business continues to operate. I mean, there’s just so many more reasons to do BCP and DRP beyond. Well, I’m never going to have a disaster.

[00:33:26] Brad Nigh: Yeah, I totally agree. I’m just hoping that this, you know, trying to find some, some positives out of all of this. Maybe now we start seeing businesses take these things more seriously and actually doing them because I mean it’s amazing the sheer volume of places that we talked to that don’t have anything

[00:33:51] Evan Francen: right?

[00:33:53] Brad Nigh: Or even the big, we’ve we’ve got some pretty big organizations where you go in and they’re like, yeah, we’ve got one. When was the last time it was updated? Oh, we were on like a five year cycle

[00:34:04] Evan Francen: five years ago. Right?

[00:34:06] Brad Nigh: Oops. Oh, okay. Technology doesn’t change at all over five years or your business didn’t change at all in the last five years. We’ll look

[00:34:14] Evan Francen: good. Look at just how much the business has changed in the last six months.

[00:34:16] Brad Nigh: Right? Yeah. This is a beautiful thing.

[00:34:21] Evan Francen: All right. Well, there should be an operational thing, right? You should integrate it with, you know, change control.

[00:34:26] Brad Nigh: Well, yeah, but a formal formal review and approval every year. But yes, it should be. It’s a they’re all they’re living documents.

[00:34:35] Evan Francen: Exactly. All right. So one of the other things I have is what does this mean for cyber technical security, I think, you know, I saw an announcement yesterday by anonymous who just they’re just dumb. I’m so tired. I’m so tired of dumb that they’re going to start targeting things. It’s like, okay. Yeah. Uh, yeah, but we would expect to see just like any other high publicity crap that goes on. You expect to see additional attacks, right, targeted around these things.

[00:35:13] Brad Nigh: It’s unfortunately, absolutely correct.

[00:35:16] Evan Francen: Yeah. So expect to see relief, you know, fake relief funds and, you know, fake all kinds of crap about these protests and and everything um also expect to see, you know, if you are a politically uh aligned organization or, you know, an organization who does things that certain people may not like. Mhm. I lived you open

[00:35:45] Brad Nigh: back to see a chicken and attacks.

[00:35:49] Evan Francen: So be prepared for that. I mean, do you have DDOS protections? Do you have have you increased employee awareness? Maybe it’s another great topic for you to talk to your employees about information security. One, it shows your employees that you care, that you acknowledge that there are current events happening and you’re not tone deaf, you know, from from the management perspective, it’s another opportunity to give them a few tips and tricks to show you to show them that you care.

[00:36:21] Brad Nigh: Yeah. Yeah. It’s all I think at this point when, I mean, this is any time really, but if issue and so you’ve got, you’ve done your planning, you’ve got this in place, it’s going to make your employees feel safer. They’re gonna be happier. Which is going to lead to increase productivity and loyalty within there. So nobody likes chaos. I mean, well, most people don’t like chaos

[00:36:49] Evan Francen: leading the people that say they like chaos, they grow tired of it after a while.

[00:36:53] Brad Nigh: They want they want chaos that they’ve created. They don’t want to do with other people’s right,

[00:36:58] Evan Francen: and your employees want to know that they are safe and the employees want to know also that management is competent. Mhm. You know, I mean, if you have management that’s just tone deaf, blah, blah, blah, let’s go play all the time. I mean, that’s incompetence, right? You have to demonstrate that you actually are competent and leading the organization. So you acknowledge these things, you make sure that you have sometimes, yep personnel, information security implications. This is one of the things that I added here, because I don’t think you don’t want to lose sight of this. You don’t want to lose sight of the fact that certain people within your organization don’t think the same way, potentially that you do. They don’t have the same political beliefs, They don’t have the same backgrounds, They don’t have the same anything, or a lot of things are different. So they may be angry, they may be frustrated, they may have higher tendencies to do damage to your organization because of their frustration. They’re not thinking clearly. Maybe they’re they’ve got the hatred bug as well. Yeah, So, and insiders can cause, you know, from an information security perspective, can cause more damage than

[00:38:13] Brad Nigh: Oh, yeah,

[00:38:16] Evan Francen: So are you reaching out to your employees, are you asking them about their feelings? Maybe you’re having maybe it’s a a good time to happen and have a forum, people just to discuss openly and have people be heard. Uh maybe it’s good to increase employee monitoring, activity, monitoring. Yeah, um you know, and you don’t come cracking down on. I mean, I’m not, you can do whatever you want to, but I’m not one of those people that likes to come cracking down on people are hard and much rather if I saw unusual activity, like increased searches for, I don’t know, antifa riot, right?

[00:38:59] Brad Nigh: Exactly,

[00:38:59] Evan Francen: protests in my area, things like that. I would want to know about that. And maybe have, you know, obviously, you let employees know that you’re monitoring. You don’t want them to such as part of normal.

[00:39:12] Brad Nigh: Yeah. You shouldn’t

[00:39:13] Evan Francen: do this anyway.

[00:39:14] Brad Nigh: You should be doing some web filtering for sure.

[00:39:17] Evan Francen: And then have those discussions with people and however you decide to approach it if you need to go through HR legal or however you want to take care of it. But I certainly want to know if I have employees in my organization who are disgruntled, who are more prone two engage in, you know, illegal or violent activities because of this.

[00:39:39] Brad Nigh: That’s important to know. I mean, Yeah, you’re right. That’s a huge risk. You don’t you don’t want those things to happen. But like I said, it’s so much better to be proactive on this than reactive the Yeah, just limits the damage and the impact of anything that does happen if you can be prepared and watching for these things and know what to watch for and have a plan for if if you identify something,

[00:40:09] Evan Francen: right? And you may be signs that an employee is struggling. Yeah. You know, maybe, maybe they need somebody to talk to. Maybe they need some counseling. You know, I’m a big proponent of counseling for myself and for others, right? So 100% you know,

[00:40:25] Brad Nigh: Yeah. Alongside them. It’s amazing that there’s such a negative connotation to going and just talking to someone. I mean at the end of the day, that’s really all it is. You’re just getting I can tell not, yeah, it’s not even just that. But how many times have you had an issue? Like just show And I’m like, I’ll go to my wife and be like, I don’t need you to give me feedback. I just need to talk to somebody and have someone to listen so I can get this out. And it’s like, oh yes, that was it. Like there’s that. Talking to somebody is so powerful.

[00:41:06] Evan Francen: Yeah. Especially when sometimes when somebody is just an impartial third party, you know, who has no vested interests, who doesn’t know my propensities, my habits, my struggles and other areas. I just have this one topic that I want to talk about and get off my chest and to do so in a way where I’m not being judged. Actually, I’m gonna, I’m writing a whole blog post on my point myself and this is part of my therapy. Just normal stuff, you know, um, how quick we are to judge other people all the time, right? By looks, by the cars you drive by whatever it is. And truly the fact of the matter is you don’t know me. I mean you do because you’re a close friend of mine, but people who judge me, 99% of the people who judge me have no idea who the hell I really am. Right. Yeah. If you looked at me from the outside to go, I drive a pickup truck, a big pickup truck, I have a beard. I’m white. I carry a gun. Right? Right. A Harley. Why must be a redneck racist? Right wing nut job. Right. No, I’m not not close. So I think people for the way they good.

[00:42:24] Brad Nigh: Yeah. So that is one of the big things that, you know, as an S. And T. That we really gets hammered home all the time. It’s benefit of the doubt, right? Don’t just snap judgment that somebody is doing something for whatever reason. Hear them out because guarantee that at least internally it’s not malicious. It’s not there’s there’s another reason they’re doing it. And to them, it’s probably very valid. Listen to what it is and who knows? Maybe you’ll be surprised and uh

[00:42:59] Evan Francen: okay. Oh, so you’re not so you’re not a jerk. All right.

[00:43:04] Brad Nigh: Oh, you were doing it for a valid reason that I didn’t consider

[00:43:09] Evan Francen: then maybe you were helping me, right?

[00:43:13] Brad Nigh: Yeah. Yeah, benefit of the doubt is it’s cute. Yeah. Not just not just at work, but anywhere

[00:43:23] Evan Francen: life, right? Yeah, I agree. So if Covid 19 wasn’t enough to motivate you for better response planning. And this doesn’t either. I I don’t really know what else to tell you. I mean the thing about this one is the riots have been so widespread across the entire country and even the world I’ve been reading. So it’s not like it’s not like a hurricane, a single event that hits, you know, Louisiana. And while I live in Minnesota, hurricanes never gonna hit here. Okay, but this stuff does civil unrest. I’ve never seen it this widespread,

[00:44:02] Brad Nigh: not in our well yeah, I don’t know. I have to maybe the Rodney King stuff, but I don’t remember being this widespread.

[00:44:09] Evan Francen: No, and I don’t remember which, you know, hopefully will lead to some really good change. But you know, we gotta put all the rhetoric and the hatred and the bs aside if we really want to affect change.

[00:44:22] Brad Nigh: Yeah. So uh on the planning things you go off topic a little bit, but you’ll get a kick out of this. I’ll wait till you finish drinking. So you don’t do a spit take. I was doing, we’re doing some uh something erIC for business and about their incident response plan. And it was if something happens, we’ll contact an external uh company. So we don’t have daniel. So they’re playing literally was if something happens will contact someone,

[00:44:55] Evan Francen: God help you.

[00:44:58] Brad Nigh: It’s like, okay,

[00:45:01] Evan Francen: it’s not a plan. I mean, I guess it is a plan.

[00:45:04] Brad Nigh: A plan, A bad plan. Great

[00:45:07] Evan Francen: plan. Well, even in people, you know, and I tell people that, you know, even if you don’t have an incident response plan or you don’t have a disaster recovery plan, you still have a plan, you’re going to end up doing something. You just don’t know what the hell the plan is.

[00:45:20] Brad Nigh: You don’t know what, you don’t know what that is. And that’s not a good good feeling.

[00:45:23] Evan Francen: No. Uh So I think really good discussion. I think there are a lot of things. Hopefully this is the type of discussion that I’d like to see more people have more businesses, have more executive managers have is how does this, what does this mean for us? What does it mean for our neighbors? Does it mean for our partners? Um Just all these current events. Right? From an information security perspective. And you know, from just a business viability perspective, there’s a lot to discuss here. What you don’t want to do is just ignore it and just say, well, it’s going to go away. Yeah, maybe. And if it does, it’s not going to be the same as it was, you know, afterwards. A lot. There’s a lot here. Mhm. Do you have anything else to add about this?

[00:46:10] Brad Nigh: And I hope everyone stays safe.

[00:46:13] Evan Francen: That’s it. To write number one, protect yourself, your family, your loved ones, your neighbors. Uh and it has nothing to do with background race, religion, nothing else like that. I would protect any one of my neighbors as best I could. Uh regardless of any of that stuff. Right? I mean, there’s that’s the difference between love and hate, Right? Yeah. So yeah, protect yourself please all that. All right. It’s a great advice. Good discussion. You like the discussion.

[00:46:51] Brad Nigh: Yeah. I just wish I wish it was not something we had to be talking about in this context, but it was a really good discussion.

[00:46:59] Evan Francen: Yeah, I wish we didn’t have to either. But in a way, I mean, I’m a silver lining kind of guy, you know that and uh there’s a silver lining here. These were things these were issues that had been simmering for decades, maybe centuries. And maybe this is a really good opportunity for us to really address it. Yeah, directly instead of the political rhetoric. And B. S. Man, we got to do something different.

[00:47:29] Brad Nigh: An actual solution instead of just abandoned.

[00:47:32] Evan Francen: Yeah, kicking that can down the

[00:47:34] Brad Nigh: road. Yeah.

[00:47:36] Evan Francen: All right. Let’s do some newsy stuff. Even though information security may not be dominating the news. There are still plenty of information security stories to choose from. That’s for sure. You caught my eye. The first one is from zd net in the title is hacker leaks database of dark web hosting provider. So in all this data that was leaked email addresses, site, admin, passwords and dot onion domain private keys. That’s some real real sensitive stuff man.

[00:48:10] Brad Nigh: You’re yeah that’s not a great situation. However

[00:48:17] Evan Francen: this hacker has definitely has a has a hit out for them. Yeah.

[00:48:24] Brad Nigh: Yeah. King. No I was

[00:48:26] Evan Francen: I don’t think there’s any place where that guy or girl or whoever can hide it better. Hope he doesn’t get doxed.

[00:48:36] Brad Nigh: Yeah. Yeah that’s uh yeah. Yeah. Right. There’s a lot of people very unhappy with him.

[00:48:47] Evan Francen: Well there’s a reason why they call the dark web dark, right? Yeah. It’s the shady if there’s shady shady shady people, some of the shadiest people the world knows. And you just basically outed basically outed 7600 websites. A third of all the dark web portals.

[00:49:11] Brad Nigh: Yeah, there’s gonna be a lot of people very unhappy.

[00:49:15] Evan Francen: Mhm. I wonder, Yeah. I don’t know man. It’s crazy but I thought, you know, in a way it’s kind of like yeah there’s no the way I’m not all that sad about it but uh it just goes to show that there’s no loyalty, you know, among criminals. Right.

[00:49:36] Brad Nigh: Well I mean it’s kind of what UNIX back down there at the pain trade. Right.

[00:49:44] Evan Francen: Yeah. King. No. Is the hacker that’s the that’s his Monica or her. I assume it’s King. So I assume it to him uh that’s the monitor uh uploaded a copy of D. H. So dhs Daniels hosting stolen data base on a file hosting portal. And then and then turn around and notified. Zd net so I wonder why he or she chose ZD that. But the leaked data included 3671 email addresses. 7205 account passwords and 8580 private keys for dot onion. Which are the dark web domains.

[00:50:26] Brad Nigh: My question is so the guy that’s hosting, this was the second time it was packed. First time was in november of 2018 and 6500 sites were wiped but no data leaked. Now they’re saying it’s going to come back and he’s going to relaunch. Well why would you trust this guy’s hosting?

[00:50:51] Evan Francen: Oh Daniel Winston. Yeah. Yeah that’s excuse me, the largest free web hosting provider for dark web services. Daniel Daniels hosting D. H. Daniel Winston is the owner one of these cat, some personal safety issues to deal with now. Mm

[00:51:14] Brad Nigh: Maybe.

[00:51:16] Evan Francen: I hope not man I like people getting justice but I also don’t like people getting you know people getting hurt. Yeah that’s a bad spot to be in.

[00:51:29] Brad Nigh: Yes.

[00:51:32] Evan Francen: Well the next one is kind of I think a better news story. It’s a this is from G. B. Hackers on security which is my favorite source but you know whatever. It’s a good one it’s a good story. Yeah and the title is hacker one paid $100 million in bug bounties to ethical hackers. That’s uh that’s pretty darn cool. That’s awesome. Yeah that’s a lot of money. So this is from, you know, they founded them, they were founded in 2012, so now it’s been 89 years and the trend has been very consistent. You know, in this article, they’ve got the trend that hit, you know, a million dollars for the first time in Q 3, 2014, 10 million in Q 3, 2016 and then all the way up, $200 million in Q. Two of this year, 2020 and bug bounties are great, right? They help improve security and they make sure that the, the ethical hackers who found the bugs and reported the bugs responsibly get paid for it

[00:52:36] Brad Nigh: right now? I think it’s a good program.

[00:52:38] Evan Francen: Yeah, very cool to see. And I guess I didn’t realize that hacker one had been around for that long. I guess it’s been a while.

[00:52:48] Brad Nigh: Yeah. Well yeah,

[00:52:52] Evan Francen: so if you think your elite, you want to go make money the right way. Uh that’ll be one of the, it’s interesting. One of the conversations were going to be having this week on the security shit show. Excuse my language is I don’t think that we have to put the explicit tag on that for just that one time. Uh is what, why do some people go bad and why do some people stay good, be an interesting discussion because these are good. Well, I don’t know if they’re all good, they might do good and bad, which would make them interesting people. Uh but at least for the bug bounties the money that they collected, they were good. They help companies protect their information security better. Um Yeah, just an interesting story. What do you think about

[00:53:42] Brad Nigh: it? I like it. Like I said, I think it’s a, it’s a good way to give people scratch that itch, right? It’s maybe it keeps people from going bad because they can make money to staying on the positive and doing what they want to do and still be able to make some money, right?

[00:54:05] Evan Francen: Good stuff. So the last is from naked security. Do you giggle inside every time

[00:54:11] Brad Nigh: it’s a group. Yeah, I mean they really knocked it out of the park with the name. You can’t forget it.

[00:54:19] Evan Francen: So from naked security by so foes. The title is google sued by Arizona for tracking users locations in spite of settings, surprise, surprise. Mhm. I am so angry with google. I think it’s just this is what happens when the company just gets way too big for itself and greed just rules the day. You know because I remember when google first started out, it was such a beautiful thing and now it’s just like I just don’t like it.

[00:54:54] Brad Nigh: Yeah. I think you started to see that switch when they dropped the do no evil or whatever.

[00:55:01] Evan Francen: So Arizona the attorney general for Arizona is suing google for unfair deceptive. and also against the law. The air is on a consumer fraud act. And it’s interesting last week I was in a natgeo cyber security committee meeting and office last week, a week before the week’s blend now. But it was talking about, you know, the health tracking, um, tracking covid cases. Uh, and an executive from google was giving the talk and was assuring everybody that on the phone that google is not going to keep the data and you know, just, you know,

[00:55:50] Brad Nigh: I know, but we just talked about last week,

[00:55:52] Evan Francen: we talked about that last week.

[00:55:54] Brad Nigh: No, no, with the, was it north Dakota or Idaho or Montana wherever it was. Yeah. So I can’t say that. I mean an apple same thing.

[00:56:08] Evan Francen: Yeah. Yeah. Google takes apple to a whole another level.

[00:56:13] Brad Nigh: I oh, I agree. But it’s tough to trust some of that stuff.

[00:56:18] Evan Francen: Well it is. And, and you’re so sort of like stuck with it. I don’t know, we’re gonna have to do something more open. Just open people’s eyes to what actually happens to your data. Even though google has all this data and you can click to see what data they actually have. And is that true And just all the, and I’ll pull the covers back a little bit and see what actually happens. But it’s, it’s nice to see that, you know, somebody is standing up if in fact it’s true, which it is, uh, they google tracks users locations despite whatever settings they’ve set in the phones and mobile devices, basically see what comes of that. Yeah. All right. Right listeners, that’s episode 82 brad. Who you gotta shout out for?

[00:57:12] Brad Nigh: You know what? I’m gonna go with my oldest. You got the presidential excellence Award for an education. So very proud of that.

[00:57:20] Evan Francen: Congratulations.

[00:57:21] Brad Nigh: So yeah,

[00:57:24] Evan Francen: I’m going to give a shout out the guy named Steve Halverson. That’s the guy who helped me this weekend. He’s probably never going to listen to this. But nicest guy ever meet, took 2.5 hours out of his day, lent me his trailer, his truck told us took care of uh, nicest guy you’d ever meet. Um, so he set the example for what I love to see more people b you know, just loving, caring, helpful, no ulterior motive. You wouldn’t take my money. So finally, I shoved it and crack of his truck and you’ll find it someday.

[00:58:08] Brad Nigh: Yeah.

[00:58:09] Evan Francen: Written, just, you know. Yeah. All right, thank you to all our listeners. You guys, you know, truly are a big deal to us. You know, I know that brad and I don’t get everything right all the time. But, you know, I can certainly tell you our heart is in the right place all the time. We do care about people and care about people being safe. So please please be safe out there physically, mentally electronically. Uh, let us know if there’s anything that we can do, Let us know what you think of the show, what you need to be episode whatever. Uh, send us things, preferably not malware, but you know, if you’re into that, I guess whatever. Uh email us at unsecurity@protonmail.com. If you’re the social type socialize with us on twitter, I’m @EvanFrancen and brad is @BradNigh. You want to follow our company stuff. You can follow security studio @StudioSecurity and FR Secure @FRSecure for whatever cool things they’re up to and they’re doing, wow, that’s it. So have a great week.

No items found.
Sign up for our newsletter

Receive monthly news and insights in your inbox. Don't miss out!

education
Industry insights
NEWS & EVENTS