Podcast

Cyber Threats from Iran and what it Means

There are imminent cyber threats from Iran as a result of the tension between them and the United States. What we can expect moving forward.

UNSECURITY Episode 62: Cyber Threats from Iranian Tension, Ryan at SecurityStudio

You’d probably have to be living under a rock to not know what’s going on between the United States and Iran. What you may not know is that there are imminent cyber threats from Iran as a result of the tension. Episode 62 outlines some of the incidents we’ve already seen as a result, what we can expect to see moving forward, and how what you can do to protect yourself.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Hey Unsecurity podcast listeners. This is episode 62 the date is january 14th, not the 13th. I’m brad. And now your host for today’s show joining me in studio is Ryan Cloutier here.

[00:00:35] Ryan Cloutier: We’ll get it.

[00:00:36] Brad Nigh: close enough

[00:00:38] Ryan Cloutier: at this at this point. It’s just painful. Close here. Close here.

[00:00:42] Brad Nigh: See, well I was close. Uh, and on phone is Evan Francen. Hi Evan.

[00:00:49] Evan Francen: Yeah. Hi Ryan. Do you have a nickname?

[00:00:52] Ryan Cloutier: Yes, but in order to keep our rating.

[00:00:56] Brad Nigh: I will keep that confidential.

[00:00:58] Evan Francen: Uh huh. So because I was just thinking your initials are R. C. I was going to start calling you cola,

[00:01:03] Ryan Cloutier: you know, funny enough as a, as a child, my nickname on the playground was RC cola cola.

[00:01:10] Evan Francen: You that if I call you cola

[00:01:14] Ryan Cloutier: no, no, I’m okay with that. You call me whatever you want. Long as you pay me.

[00:01:17] Brad Nigh: There you go.

[00:01:20] Evan Francen: gonna call you nice things like cola

[00:01:22] Brad Nigh: cola.

[00:01:24] Evan Francen: Can people get that mixed up all the time? They’re proud of your Cartier clothier.

[00:01:30] Ryan Cloutier: I respond to, hey that guy mister security.

[00:01:33] Brad Nigh: Yeah. Uh, sorry, took this off track. No, that’s okay. Hi. So obviously we’re day late on this and, and that’s uh, partly on me and we’ll blame Ryan too. We were both under the weather yesterday. You could probably deal here in both of our voices. So hopefully we make it the whole show without going totally. Uh, barry white on everyone and they can hear, still understand us.

[00:01:57] Ryan Cloutier: Yeah, still little froggy, great state of Minnesota come for the weather gets sick stay because your car won’t start.

[00:02:06] Brad Nigh: Yeah, that’s coming this weekend. All right. So let’s do a quick catch up. Um, we’ll go with Ryan you first. So you’re the newest here. What was your first week at security studio? Like

[00:02:19] Ryan Cloutier: it was great. Um, you know, still finding my feet obviously. Um, just like with any job, first weekend. Um, you know, getting set up, but you know, everyone here is just been so passionate and helpful and um, had some, some great calls with some customers. Um, prospect opportunities has just really been very exciting week. Um, made a lot of progress on the newest S two iteration, which will be s to school. Um, so hopefully we’ll have that ready for release in maybe mid february, a fingers crossed

[00:02:53] Brad Nigh: and I know you and I’ve had a couple of really good conversations last week just popping in to just talk shop. So it’s, it’s been fun.

[00:03:03] Ryan Cloutier: Yeah, I love it. I love being back in a culture of, of security and um, really, it’s the passion of the people around me that I’m finding invigorating. You know, I would like to say that my passion is contagious. But I think, I think the contagion is inside these walls,

[00:03:19] Brad Nigh: the, well that’s the culture, right? I think everybody has bought in and just, it is, it is very contagious when you get in here and everybody’s on the same, they focused on the same mission, everybody wants the same goal, There’s not the infighting or the politics that you seeing a lot of places. So it’s, I was uh avenue like this, I was talking with Oscar, our director of tech services, about you and how excited you were, and I was like, it reminded me of when Oscar started, it’s like people come here from corporate jobs or these other things where they’re just banging your head against the wall and you get get here, it’s like, wait, what? I’m an adult and treated as such and people are supportive and it’s just so reenergizing. So

[00:04:07] Ryan Cloutier: yeah, it’s really, it’s really been great and I’m excited for the future to, and you know, doing the podcast here, um loving this, this is a lot of fun. Um and we’ll have more news to share over the next few weeks, but this is just the beginning of some really great stuff we’re gonna be up

[00:04:23] Brad Nigh: to. So my week wrapped up a couple incidents, we had another one come in last night, right? It right after five, so it’s always, you know, that never stops, but I think the biggest are the most fun for me is uh just that I’m, we’re actually now getting in maturing, uh and being able to kind of see things and working on, we’ve got, you know, these products and how do we take them to the next level and being able to spend some time really digging in and understanding, you know, what works, what doesn’t work and how can we make things better and better serve our customers. So it’s a very nerdy, I get that, but I’m having a lot of fun doing that. So uh and Evan is in Cancun, I’m sure tanning and enjoying the sun.

[00:05:17] Evan Francen: I wish man, I think I’ve been doing just as much work down here lately uh when I go back to the office, it’s been great. I had some great conversations with some partners last week, some security studio partners trying to get our security is kicking back, been doing some writing not enough, it’s never enough. But um yeah, the great thing is the atmosphere that I’m around being in, being in warmer weather’s I think it’s more productive, so we’re gonna have to figure out some way to open an office down here. Mhm.

[00:05:52] Ryan Cloutier: I’m in support of that.

[00:05:53] Brad Nigh: Yeah, yeah, there’s certain there’s definitely times, I love the winter, I love the snow, but they’re definitely, it would be nice to be able to get away for a week,

[00:06:03] Evan Francen: but after january 1st man, I’m done with it. Minnesota can stick it with the weather man, I like it up until christmas, but after that I’m done,

[00:06:13] Brad Nigh: I think I’m good through january. But then yeah kind of towards us, february drags on and then it’s March and they’re still, you know, feet of snow. That’s where I’ve kind of gotten like. All right.

[00:06:25] Ryan Cloutier: Yeah, well you get into the summer and then we all forget why we don’t like living here in the

[00:06:29] Brad Nigh: winter. Well that’s why you love the seasons, right? You appreciate the other ones when it’s not that season, you’ll get sick of it, right?

[00:06:38] Evan Francen: Yeah but the cool thing is information security worldwide issue. Right? That’s one of the things we’re gonna talk about today, all Iran thing but you know down here in Mexico they have security issues just like anywhere else. I was certainly at the Starbucks here. It’s a place called La Fiesta and open up my laptop and just like I was just curious how many company hot spots there were

[00:06:59] Brad Nigh: around me and

[00:07:00] Evan Francen: They were like 45 hotspots around me and some of them were still uh wet some of the most of them were open so their security issues

[00:07:10] Brad Nigh: everywhere. Yeah that’s not not great, wow so well and real quick before we dive into the big topic today. I did want to mention that um registration for the 2020 C. S sp mentor program will be opening today so you can go to our website fr secure dot com. Um and register, we’ve got uh I think 40 on site uh seats available this year and a whole bunch online. So you’ll be

[00:07:45] Evan Francen: were eliminated eliminated in 2000. And I’ve already my mail box filled up with just before the call just before your shelf. I’m going to 85 emails. Uh so it’s it’s filling up

[00:07:58] Brad Nigh: already so uh jump on that. Don’t don’t miss out.

[00:08:04] Ryan Cloutier: Yeah register now so you get a chance to have a seat. It’s gonna be really great. I know I’m looking forward this year to being part of it and you know, working with you guys and really helping to grow some folks. Um And you know, if you’re out there and you’re considering taking this and maybe you don’t think you’re ready for a C. I. S. S. P. Um You should sign up for it anyways, you know, the security plus cert um is pretty attainable for those that are just entering into the cybersecurity space and for info security space. And I feel like what you’re going to learn in the mentorship program is going to prepare you not just for the C. I. S. S. P. But it will give you um a really good foundation block for things like security plus. Um Maybe some of the G. Excerpts so really really do encourage if you have any any passion for this at all or even curiosity. You should, it’s totally worth checking out.

[00:08:54] Brad Nigh: Absolutely. All right, so with that out of the way um switching gears, we’re going to discuss a topic that is a lot of people’s minds and that’s the conflict between the US and Iran. And what effect is this going to have on our daily information, security and cyber security lives. So very significant events have taken place over the last few weeks. Um events that are going to impact the world as we know it either politically, economically and definitely from an information security or cyber security perspective. Uh so we’re going to try and stay out of politics as much as possible. Um That’s not our focus. It’s just what is the yeah information security repercussions of what is happening. So politics and economics will leave those to those experts. What we will discuss is how are these current events affecting us with respect to information security? How or why that can’t talk. We should all be concerned about how these things affect our ability to protect ourselves, our families, our workplaces, and local governments. So, uh, some background and these are, I’m not gonna go into um all the detail it is out on Evan francine dot com And if you click on the blog for episode 62 but it started december 27th 2019. Um there was an attack on an air base in Iraq 29th U. S. Attack, Hezbollah positions in Iraq, then it just escalated up through um uh january 3rd when the US dropped drone strike killed the commander of the Islamic Revolutionary Guard Corps, uh followed by january 8th where Iran fired ballistic missiles. And then um The 11th where we see video of Iranian missile um published by the New york Times, video showing the missile hitting a consumer flight and killing all the everyone on board. So not a lot of a lot of violence, not a lot of good stuff out of there. So uh, back to the discussion, I’d like to for us to share opinions, uh, hear opinions of our listeners this week. And mhm. And I mean, so eloquently put it, we all know what they say about opinions. So uh, starting with that Evan, what do you think this means for information security?

[00:11:25] Evan Francen: Well, I think, you know what, there’s a lot of there’s a lot of being written about this uh, you know, the cyber warfare, I think it’s a good opportunity for people that are fear mongers and you know, out there to make a buck a good opportunity for them. Unfortunately, um, we’ve been out, you know, if you think that this is something new hybrid warfare between the United States and Iran. I mean that’s what has been happening for years. I don’t actually, I don’t expect a significant increase because the bodies of Iran, so less than, you know, adversaries of the United States and Israel and then you kind of smuggling china and Russia and the U. K. You know, it’s a complicated thing. I think what I’m trying to figure out is what this actually means to me. You know I’m a small business owner. I know many of our listeners are small business owners or we consult small business owners. Doesn’t mean for them, chances are they’re not going to be direct targets of you know of what happens between the United States and Iran. I think what I’d be more concerned is you know collateral damage where you know I’m low hanging fruit. I happen to be you know something that’s easy to compromise. You do face my website to do something like that. Um And I’m also concerned so I’m concerned one about am I covering the basics, the fundamentals of information security did not make myself Collateral damage for one and number two. You know I’d be concerned about the supply chain and be concerned about the people that I do business with and the actions that I’m giving them in the mall network if they get compromised. It’s a simple potentially a simple pivot in the my network and doing things. So for me it doesn’t, this whole conference honestly doesn’t change anything. For me it just maybe makes it a little higher priority. But I don’t think I’m not a government installation. I don’t want a power grid of I’m not I’m probably not a direct cartage and not overly freaking out about this thing.

[00:13:38] Ryan Cloutier: But you know it’s interesting you bring those points up Evan. Um I think the impact that most small businesses are gonna feel immediately. Um you’re going to see in the news this morning. So Microsoft is putting out probably the most important patch they’ve ever released ever today. So for those of you that have any windows, anything, please get that passion apply it. Uh it comes with a stern and urgent warning from insert any intelligence agency in alphabet soup that you can think of from the U. S. Government. So that’s a long winded way of saying, I think that we as small business owners and as um local government institutions and maybe aren’t that direct target. I think they’re going to have to get quicker at responding to patches so that they’re not part of the collateral damage. I think we’re going to see um some of those supply chain considerations, um small businesses, especially K-12 schools have already been used as pivot points for larger nation state attacks. I can point to an example in North Dakota where K 12 school was compromised by some north korean bad actors in an attempt to gain access to the nuclear defense system. So I think we’re still going to see things like that happen. Uh The other thing is if a small business owners doing business with the Department of Defense, um I think those individuals are going to be at an increased risk um for either a direct attack or um just part of that collateral damage is they’re trying to cause disruption in the supply chain.

[00:15:12] Brad Nigh: Yeah, I’d agree. I think the subcontractors are sub sub contractors, you know, the manufacturers and we’ve worked with a bunch and I think for them a lot of times, security is not very high on their priority list at all. Right there. Like what do we have? We just make this

[00:15:29] Ryan Cloutier: whatever. Right. Well, you hear that all the time in multiple verticals. Right. Well, we don’t have anything that they want. We’re not a bank, were not a hospital. And you know, we all know that they’ll attack a small business to get the person at that small business, compromise their personal accounts so that their brother in law who does work for the military or does work for one of those larger institutions. Um, you know, and I think that’s what the small businesses and just general average consumer needs to become more aware of is it’s not always that you’re the target, You may be adjacent to the target. And the bad actors are simply going through you to get to the, to their final destination.

[00:16:13] Brad Nigh: Yeah. You’re just the means of them getting to what they want. Absolutely being used. Yeah. I think, and to go on with Evan said, I think for the most part for individuals, there’s probably not a huge amount that’s going to change, right? I would agree with that. We just need to be more cognizant of what’s going on and there’s not really all that we can do.

[00:16:40] Ryan Cloutier: No. And thankfully,

[00:16:41] Evan Francen: there

[00:16:43] Ryan Cloutier: go ahead Evan some point

[00:16:44] Evan Francen: To, you know, people, small business K to 12 local government people that traditionally have been reactionary to these things at some point. You need to flip the script on that and stop being reactionary. Get fundamental security caucuses in place. You know, I completely agree completely with what Ryan said on, there’s a big, big tax coming out. Did you know there, are you applying patches and doing vulnerability, standing vulnerability management? Are we doing these fundamental basic things that was when you hear something about Iran or the next concept, you have whoever, it’s just not as earth shattering this project. Oh crap. I have 33, open or I don’t even know they had 33, open or Whatever. You know, I’m taking care of vendor risk management. I mean they say 60, of all breaches directly or indirectly to the supply chain for your members, you for your third parties. So get those things squared away. Now this is going to find any. And if you’re struggling with budget use the Iran conflict is a Yeah, the few years have read this a few years. The boards, they know that these things are happening, research is an opportunity to get some money.

[00:18:06] Ryan Cloutier: Yeah, definitely. You know, um, you know, especially if you’re vertical, so to Evans point about taking this to the board, you know, if you are in that supply chain manufacturing, um this is a great time to do that. You know, if your if your that, you know, local government, critical infrastructure, right? That’s going to be your your angle a lot of times. We don’t think about um that local government being part of that critical infrastructure. We tend to think of the large power plants, we tend to think of, you know, um, you know, nuclear facilities and have that larger scale. We don’t always think about the rural water treatment facility as being part of that critical infrastructure. So I think, you know, local governments now is your time um team up with M. S. I sack team up with homeland security if you are in the government space. Um and if you’re in the private small business space, you know, find a good security partner that’s going to take you through the journey and and start doing those fundamentals to Evan’s point.

[00:19:03] Brad Nigh: Yeah. And and I think, you know, the government, you know, you’re seeing see MMC is coming out to replace the fars, which was a little bit, we’ll say onerous

[00:19:13] Ryan Cloutier: on small businesses. Um that’s a cute word,

[00:19:16] Brad Nigh: but this isn’t something new, right? This is something that’s been around, this is something that, you know, like the government has seen this coming, you’ve got nation states all over the place doing this. But this is I think probably one of the more publicized situation, so it is a good opportunity to take advantage and make some progress in getting some funding or support, you know, to put a program in place.

[00:19:46] Ryan Cloutier: Yeah. And back to back to the basics, you know, it’s, it’s shocking, but not shocking. The amount of folks that still don’t have a complete inventory of assets. And yet if you go to their, say their manufacturer and I asked them how many widgets are in the warehouse, they can tell me exactly if I say, you know, what’s your, what’s your stock out, you know, when do you refill this? Right? You know, but if I say, well, what’s your vulnerability, patching schedule, which I consider to be a corollary to stock out on inventory, right. I’m about to have a risk that potentially could interrupt my business. I need to take proactive action. They don’t wait until the bin’s empty to reorder they re order when they get to that threshold. Um, and I would say, you know, with, with patching vulnerabilities, especially the one that comes out today. Um super important to do that. And you know, proactive versus reactive and Evan, you know, referred to that and I think That is in 2020, I have a strong confidence that users as a whole, the humans of the world, if you will, business owners, consumers, etcetera. I believe this is the year that if we do this right, we will actually start to shift the awareness towards a proactive, I’ve had a lot more people start reaching out to me about, hey, you know, what can I do? Yeah, is there anything I can do to limit my risk at home? Is there um had a gentleman contact me about a firewall and you know, this guy has a little bit of money and not a lot of sense and he went on the internet and got some big old fancy firewall and says, well if I put this in my house will keep the hackers out, and it’s like, no, actually if you put that in your house, you’re gonna have more problems because you don’t know how to use that tool, but I think this is this is the year for that awareness, um and and proactive, you know, and to all the listeners out there, you know, don’t hesitate to reach out to us on social media. If you’ve got questions, we’ve got answers. If we don’t have answers, we know the people who do, and I know I can speak on behalf of all three of us, we have a zeal for helping all of you get better at this. It doesn’t have to be your specialty, it’s ours, but you know, let us help you reach out ask questions, you know, engage us in the conversation. Um we’re gonna be working really hard this year to bring simpler and easier to consume solutions to market because we really do want to help everyone get ahead.

[00:22:15] Evan Francen: Yeah, that’s a good point. I mean, one of the things I think for some of us in our industries will we’re not very approachable or at least we come off that will not very approachable. It’s been kind of cool down here in Cancun where I’ve been asked there at least a dozen people, people that don’t know nothing really about information security, what my thoughts were, you know, the whole Iran concerts and what it means to them personally. Ah and these are great conversations, you know, and it raises the level of awareness, understanding that the world’s a very dangerous place and when I connect things up to the internet, I’m inviting the world into whatever it is I’m connecting and there’s just so much opportunity and being go off. Yes, it wasn’t like you said, like you don’t have to be in Oxford, right? You see the same thing apply whether the threat is from Iran china or the Ukraine or uh you know, some criminal organization was that blood is from a regulator, right? Those fundamentals to invest the time and energy, it doesn’t cost you a lot of money if you invested time and energy on the fundamentals, we’ll be nobody’s thought for all of that.

[00:23:33] Brad Nigh: Yeah. And and that’s the other thing we’ve seen companies that spend a lot of money on, you know, technology with whatever the latest buzzword is and they’re not secure, right? They don’t understand where it should be going. What they have in place hey what’s your external I. P. Range? Oh uh we don’t know right? It doesn’t matter if you throw money at the problem if you don’t know what you can’t protect what you don’t know. You have.

[00:24:01] Ryan Cloutier: I completely agree. And I would say you know I’ve seen a trend of trying to solve a non technical problem with technical solutions at the end of the day security. The way I like to pronounce it as safety uh is it not technical activity? Right? There are technical things we do to help us with it. You know we think in the physical world you know stoplights and door locks and you know they’re you know security cameras, police cars, right? We we do these things for safety. But I think organizations that you know you could have the biggest it security budget in the world and not actually change your security posture by much.

[00:24:42] Brad Nigh: I would argue you actually get worse because it’s that false sense of I would agree I absolutely looking you trust

[00:24:48] Ryan Cloutier: Technology. Remember once somebody said to me well you know we spent 100 grand on that appliance so we’re secure now right? And it’s like no no no no no. Um and I would I would actually argue that you can get a better security posture by investing in your humans by investing in awareness training that works not just the boring nonsense um And making it an inclusive culture of safety and security. You’ll spend a lot less money and you’ll actually increase your security posture significantly more.

[00:25:21] Brad Nigh: Yeah. Yeah. We said all the time. You know, you have you have a good security training program when you get more reports of suspicious, you know, events.

[00:25:31] Ryan Cloutier: Yeah. What’s the old adage? Uh, why should we give you a budget this year to the security team? We haven’t had any events. What are you guys doing over there? Right.

[00:25:42] Brad Nigh: Do you want to keep it that way,

[00:25:43] Ryan Cloutier: or? Yeah. Seriously? Yeah. And for those of you that are listening out there, fund your teams. Um, it’s important. And if you’re not seeing stuff, it’s either because you’re not looking hard enough or you’ve got some people behind the curtain that are working really, really hard to keep you safe. Mhm.

[00:26:02] Brad Nigh: Having anything to

[00:26:03] Evan Francen: do. Would you guys say, you know, in your opinion, uh, due to recent events of Iran and the United States, would you say that there’s a more significant right? Or most significant risk too small to medium sized businesses than there was, say, a month ago.

[00:26:24] Ryan Cloutier: I’d say there’s a higher likelihood of occurrence. I think the risk is the same. Um, the tools are what they are, the attack vectors and patterns are what they are, but I think now there’s a higher likelihood, um, of a small medium business being attacked. And if for nothing more than to capitalize on the hyperbole to cause disruption. You know, it’s it’s the ethos of terror right? It isn’t necessarily about mass casualties. It’s it’s about can I cause mass disruption? And I think there is a higher likelihood

[00:26:56] Brad Nigh: and it may not even be nation states. It’s just it’s bad actors taking advantage of the situation. Yes. And then hiding under that cover

[00:27:05] Ryan Cloutier: of. Yeah. And I think we’re going to see a few instances in the next coming months where when the stories initially reported it’s going to sound a lot like it happened from Iran because they were using Iranian I. P. Space

[00:27:17] Brad Nigh: or Yeah they would put markers that maybe they were easy to find.

[00:27:21] Ryan Cloutier: Exactly. Exactly. And then you know, after the the investigation concludes, we’re going to find out that actually that was you know anonymous or that was you know, some whatever shadow shadow brokers or somebody else doing it. Um and uh I do think we’re going to see more of that where the attacks are masked as being part of this conflict when they’re not necessarily directly related.

[00:27:49] Evan Francen: Yeah. Because when you think about it, I mean when you talk about going toe to toe with your adversaries, so United States versus Iran and take the rest of the countries and things out of out of the equation just to simplify Iran going toe to toe with the United States would be would end up resulting in their destruction set. It’s used as well. There’s more prevalence for um you know, sort of recent attacks or maybe you know, compromise and then dwell and pivot those types of attacks. So it’s not a direct will be disruption. Why did you know another concern I might have as a small businesses artists in my network and no, I want you guys already help. You don’t, you don’t even know what my network is and then are those you uh and maybe using me as a proxy into another place. You know, one of the things that I sort of think about it, I don’t think Iran is going to go toe to toe what they’re gonna do is you know these these healthy, you know, come around, you know the back end rather than going to roughly at us government facilities.

[00:29:00] Ryan Cloutier: Yeah, yeah, definitely. I agree with that. I think, you know,

[00:29:03] Brad Nigh: that’s uh

[00:29:05] Ryan Cloutier: and I think that trends gonna continue right. Uh I don’t, I don’t feel like the cyber war of 2022 2021 is going to be as overt as it’s been in the past. I think it’s going to be more covert. I think it’s going to be you know, more 3rd 4th 5th hand attacker on behalf of um some larger organization and to your point of and I think it is going to be those nuisance attacks. It’s going to be um A lot of persistence. I expect in 2020 a lot of folks to set up persistence for something larger and more coordinated at a later date.

[00:29:40] Brad Nigh: Yeah, I agree. I don’t think you’ll see like the big DDOS attacks or anything like that. But you’re gonna start seeing. Yeah. How long have they been in? Uh we don’t know our logs go back 30 days. Right. Right. So I think you’re seeing exactly more stealth and more just monitor watching and

[00:29:58] Ryan Cloutier: Yeah. Yeah.

[00:30:00] Evan Francen: And it reminds me of the cold war was us in Russia. We both had much right. And so knowing that would result in mutual destruction, there’s this sort of standoff and that’s one of the things I’m more concerned about with china and Russia and Iran cannot be part of that. Uh I don’t know, maybe conspiracy variable. It’s those longer term short. So things that I don’t want to be a part of in terms of my own small business, I don’t want to be used as collateral in most types of french.

[00:30:35] Brad Nigh: Yeah, I agree. I think and you know, I think maybe the positive out of this is because it’s getting so much publicity and play is you’re gonna get those smaller businesses or midsize businesses that that didn’t think about this now. Thinking about it. Um so hopefully we’ll get people into the conversation and at least you got to do something start start with an acid inventory, start with something and at least be making positive steps forward.

[00:31:06] Ryan Cloutier: Yeah. There’s a saying, I like you can’t protect what you can’t see. And so that’s I’m with you brad. I think, you know, and Evan, right, Let’s go back to the basics. I think it’s on us as information security people um, to make it easier to do those basics. I think, you know, we still hold our end users to an expectation that may at times be unreasonable given their experience level in the, in the industry. You know, everybody’s out there on the road driving a car. I expect very few of them to be mechanics and I know some really, really smart people that if something happens with their car, they have zero clue what to do, right? They’re looking for the for the port for the blinker fluid because somebody said it takes blinker fluid, they’re like, okay, sounds good to me. So I think, you know, we as an industry can do better this year to make it cheaper, faster and easier. Right? Let’s leverage that automation. Let’s use the attack tools that we have for doing discovery. And let’s convert them into inventory tools. So that’s my challenge to anybody listening out there that likes to code, make a free inventory and asset scanner. That’s simple and easy to use, publish that thing and send us the link,

[00:32:28] Evan Francen: right? Yeah, whatever you do. I have one more kind of comment before I have to cut loose and let’s go finish the show. But uh, whatever you do, don’t let fear paralyze you into not doing anything and don’t let it, don’t let it leave you to making poor decisions. So, you know, the next time the sales that calls and have some super cool rigid thing. But he wants to sell you because of this. Iranian attacks stuff. Go back to basics life, ask yourself having inside there, have they have access control kind of figured out my usual chance, my vulnerability management do I have those fundamentals kind of figured out? Because if I don’t the stuff that you’re going to go out there and buy, you’re going to piss away money and you’re just putting lipstick on a pig. So I’ll leave you with that guy’s

[00:33:15] Brad Nigh: No great parting words. seven, thank you.

[00:33:18] Ryan Cloutier: We’ll enjoy Cancun sir, have a great rest of the day. Looking forward to seeing you next week.

[00:33:24] Brad Nigh: All right. So, uh, yeah, I think really good conversation. We’ve had, uh, what, what can we do? Focus on home, pack your stuff at home, understand what IOT you have right there. Is that around Adidas and, and some of those bought in that type of things and we don’t expect to see that. But why open yourself up to it at work asset management. What do I have identity management do I have user accounts out there that have

[00:33:55] Ryan Cloutier: never been cleaned up

[00:33:56] Brad Nigh: and are still active.

[00:33:58] Ryan Cloutier: Those are just additional exposure points. Well, it I’ll pick on local admin because I

[00:34:03] Brad Nigh: See that one a lot.

[00:34:05] Ryan Cloutier: You know, If you have local admin in your environment, your, I forget the status at 70 or 80% more likely to be at risk for an event. Um so simply by removing local admin now there’s a bigger conversation about culture and I think this Iranian thing is a is a good opportunity to open up conversations to say uh not to live in fear over, you know, so we’re going to be attacked by Iran but to go, hey look, this is happening now. Yeah, we’ve seen a pattern leading up to this, we fully expect this to continue, right, whether it’s Russia china north Korea, the next whatever hacker group that comes out of thin air, the problem is not going away. So what can we do to start to take those proactive measures to start to do those things and uh you know, and in the home space, you know, to your point, uh think long and hard before you put something smart because most smart devices are security dumb. So think long and hard before you put them in your house there some of them you can’t secure some of them the security so weak that you can’t secure them or

[00:35:19] Brad Nigh: they have no. Yeah, I love how they rush something out with no patch

[00:35:24] Ryan Cloutier: feature. Let I mean we’ve

[00:35:26] Brad Nigh: got the news coming

[00:35:27] Ryan Cloutier: up um and we’ll get into that a little bit. But there’s been some interesting things that have unfolded in the last week or two with regards to smart devices.

[00:35:34] Brad Nigh: Yeah. So, um, yeah, focus on what we can do, what, what are we able to do, master the fundamentals. We know that these attacks are out there, right. This isn’t something that, oh my gosh, this is something new. This is something that’s been going on, use this as an opportunity to make a positive out of it and and start that discussion. Hey, we need to figure out what we have, what’s on our network, where these accounts come from.

[00:36:02] Ryan Cloutier: Well, and if anybody out there is listening and you’re like, okay, I want to do this, but I don’t know where to start or I don’t know what to do, reach out, reach out to partners, you know, I’m gonna do a shameless plug, reach out to us, but reach out to somebody, you know, if you don’t know how to do it, pick up the phone, you know, make some calls, go onto linkedin, go onto twitter, see what’s going on. Um, the info set community is, is a really passionate and helpful group of folks I’ve never met a group of people more willing to help chip away at the problem, willing to share what they know um than this group. And so uh, you know, if you don’t know what to do, reach out, find somebody that can help get, you started, if you’re getting started and you’re looking to move to that next level, but you’re not sure how best to structure your spend or things like that. Again, you know, reach out, reach out and ask work with a work with a partner um that understands you, looks like we got all kinds of fuck’s going on

[00:37:04] Brad Nigh: there, so. Yeah, and you know, with that, Yeah, I think we’re good to go back to your point on the security community community wanting to help. I think when you come in and say I want to learn, help me do this, that you’re going to get a really good response if you come in, you know, uh I would say maybe not not quite so open to help as opposed to um man, I don’t want to say arrogant or whatever, but if you come into it with an open attitude of, hey, how can I want help doing this? I want to learn. There’s gonna be a ton of people that are gonna help you.

[00:37:46] Ryan Cloutier: Yeah, absolutely. And and if you do reach out and you find that this security professional you’re interacting with is uh um well I have to keep our ratings so I can’t say that word, but full of themselves. That’s a good way to describe it. Um Go find another one. There’s a serious people out there. There’s this great people out there. If you want some recommendations, reach out to us, you know, we were happy to help you, but we’re also happy to point you to others. Um We’re all very good at uh what we do. Um But each one of us has a unique skill set that’s a little sharper than the next, which is why we make a great complimentary

[00:38:24] Brad Nigh: team. You can’t know everything. No,

[00:38:25] Ryan Cloutier: no way, no. How

[00:38:26] Brad Nigh: and and by the way, if somebody tells you they know everything. Yeah. Walk that person out. Walk. Yeah. So um yeah, I think great discussion. I think this will be interesting to kind of see how this plays out and what this does. And and again, I’m hoping that people can make this into a positive and use this as a discussion and way to start the conversation uh and moving programs forward. So all right, we’ll do some news here. Um The first one is off of hot hardware dot com. Microsoft accused of sharing Skype Cortana audio with little vetting of chinese contractors and no security. So that’s not good. Uh In the article there, it’s uh it’s saying that Microsoft allowed chinese contractors uh access to Cortina Skype Audio for years with no security measures in place. Um This contractor that reported, it says he reviewed thousands of potentially sensitive recordings from on his laptop from his home in Beijing over the two years. He worked for Microsoft. Um And you know, it’s it’s

[00:39:40] Ryan Cloutier: Yeah, well, so, you know, I think this is the first, well it’s not the first, but it’s one of one of many stories you’re going to hear over the coming next year to two years. Um I’m not surprised by this. I’m not shocked by this in any way shape or form. Um What I find surprising is it took this long for the story to come out. This is happening all over the world with all types of different organizations Microsoft just being the latest to get caught with their hand in the cookie jar. Security costs money it’s always cheaper and easier. Hence the offshore resources to begin with. Um to not put those security controls in place and cross your fingers and hope you don’t get caught. We’ve heard about this with with what facebook was doing um with some of their content moderators in the Philippines. What was the security around that? Right we heard about amazon and some of the things that they’ve been up to with with the Alexa recording. So unfortunately I think this is I think this is just a continuation of a trend.

[00:40:44] Brad Nigh: Yeah I think and this will be interesting to see um how this plays out especially with G. D. P. R. In the California um protection act and. Well right

[00:40:59] Ryan Cloutier: yeah I think this is

[00:41:00] Brad Nigh: this could be big.

[00:41:02] Ryan Cloutier: Well and you know I think a little bit later on we will touch on a few other news stories but um we’re already seeing some traction. I read an article oh I think this was about last week where the little girl, the parents of the little girl, um, that had her ring camera hacked in her bedroom. Um, and that news story was kind of going viral. They’ve actually filed a class action lawsuit now. Um, yeah,

[00:41:31] Brad Nigh: that was, is that the one? Well, yeah, and I think that comes back to, because there was one where they filed the suit, but like they had never changed the default passwords and all that. Well, now it’s, that’s a tough call because,

[00:41:46] Ryan Cloutier: well, in a previous episode, I had mentioned, um, that were starting to see a trend of circuit court judges ruling that basic security hygiene and practices as common law And that employers in this instance, uh, the employer had a common law obligation to take additional steps and measures to protect the employees data and that it was not considered reasonable nor arguable in 2019 that those measures had not been taken. So I think you’re going to see that trend increase. I know I’ve seen a few lawsuits now suing for the lack of basic fundamental security controls.

[00:42:25] Brad Nigh: Yeah. Well, and I think from that manufacturer provider, you don’t, you don’t allow them to keep the default force that to change right? Simple things.

[00:42:36] Ryan Cloutier: Yeah. And that’s the intersection of the consumer experience. Uh, I know that some manufacturers are hesitant to, um, make the security process more rigorous because the, you know, there’s a perception that the end user doesn’t see the value and therefore doesn’t want to participate in the in the experience. But I’m going to argue that and say that one of the largest phone makers in the world right now um is using privacy as a spear head of marketing. So

[00:43:09] Brad Nigh: I would say that, yeah, people, people want it, you can’t make it difficult or painful, but at the same time I think people want some control.

[00:43:21] Ryan Cloutier: Oh yeah, and I think that will increase um it’ll be interesting to see, you know, how it goes. Uh and we’re going to have to start doing a few other things differently, you know? Um I had a great experience here this this weekend. Uh my father got his first smartphone and with that came a new set of rules on how to use it because, you know, the old flip phone that he picked up circa 1990 something um with no internet connection. And no, I mean I’m sure you could compromise it, but you’d have to probably take it out of his pocket first. Um And so I had to kind of walk them through and say, you know, they’re suspicious links, you need to, you know, be careful about those text messages. Um He sent his first text ever and it was clearly done with talk to text and and I can’t repeat it on the air. So

[00:44:12] Brad Nigh: that’s funny,

[00:44:13] Ryan Cloutier: but I think it’s important to to work with, you know, we we as infoseek folk need to work with our humans to equip them to work with their humans can kind of pass that that knowledge down if you will. That’s a good,

[00:44:29] Brad Nigh: good way to put it. Uh, second story is from G B hackers dot com, top seven cyber security tips for college students to protect from hackers. I think this was actually pretty good advice. Um, you know, high level start out on the right foot with fresh credentials, limit your exposure to college library, protect your identity at school, uh, create email and social media just for school backups of your data, protect your devices from your roommates and consider a VPN. I mean really simple, easy things you can do that will definitely make a difference. And I think, you know, from, from my standpoint, you know, you’re starting college, this is now an adult, right? That’s kind of the first big step into adulthood is out of there. So yeah, like start smart.

[00:45:26] Ryan Cloutier: Yeah, absolutely. Um, you know, one thing that I, that I didn’t see that I think would be a good add on, you know, not just create email and social media accounts just for school. Be mindful of your social media use in general, be thoughtful about what you’re sharing how and when a lot of folks are giving up way more information than they realize in the backgrounds of their photos. Um, you know, have the consent. You know, one thing that a lot of folks are learning now as they go to college is about consent and that’s in traditionally and now in the dating context or the romantic um context. But make sure you have consent before you share people’s information. Um you know, being out of college, you could be around european citizens and there are different rules about how their data is handled and managed. You could be around um you know, folks of different cultures um that may or may not have certain religious beliefs about how photographs and other things are are handled. So you know, I think these are all really great tips. Um one that I didn’t see is make sure that you have a trusted recovery account. So when you do set up those new fresh credentials, make sure that you have a recovery account that goes to someone you trust or your your you know your primary email. Um and for God’s sakes please stop using the account that you were issued in grade school.

[00:46:59] Brad Nigh: Yeah. And enable multi factor on everything

[00:47:03] Ryan Cloutier: on everything. So it might seem inconvenient at first but it

[00:47:07] Brad Nigh: will say yeah yeah. You get used to it. All right, last article or two story we’re gonna talk about is um amazon ring fired staff for stupid on customer security videos. It is on to links there. Graham Cluley dot com and vice dot com. Uh Yeah. Again I just it’s interesting um they only came out and admitted it once the U. S. They had that letter from senators question. You know, I don’t know if they would have ever admitted this if they hadn’t been kind of pushed by the government.

[00:47:50] Ryan Cloutier: Well and I’ll say to this what I said earlier, I think this is the start of a trend. I think in 2020 the story is going to become commonplace. You’re going to hear about how this happened at uh Snapchat. You’re going to hear about how this happens at Instagram. You’re going to hear about you know, facebook. You know uh the content moderators have access to everything and I don’t think people realize that that there are actual human beings that are doing the quality control and content moderation. When we look at what happened with amazon. Um uh you know this was oh gosh a couple months ago now there was a story that came out that said that Alexa and Siri, we’re listening to you at the doctor’s office and in your bedroom having intimate time and etcetera etcetera. And and the reality behind that story was is that quality control agents were listening to the recordings to do the voice mapping is to make sure that you know, things like accent and poor enunciation didn’t affect the overall quality of the user experience. And you know when we have to say the snapchats and the Facebooks and instagrams and etcetera of the world uh in those instances on those platforms there’s content moderators who are reviewing that very personal and intimate content to make sure it doesn’t violate terms of service. So uh we need to be very thoughtful about where we’re putting these devices and how we’re sharing this because again, I think this is just one of many, many instances and to your point brad, uh it was that letter for the senators that kind of motivated them for disclosure. But I would I’m just not going to be shocked when 23 podcasts from now we’re talking about this again, but it’s a different company name,

[00:49:36] Brad Nigh: you know? And and one of the things that always makes me, I wonder is like you see the commercials on tv with hey Siri or hey Alexa, is that triggering? I don’t know is that triggering?

[00:49:51] Ryan Cloutier: So to that point um and I’ll have to dig up an article for another podcast. But there are certain advertisements have uh inaudible audio embedded in them. And my ipad will wake up to certain commercials. Right? It’s a trend that we’ve noticed and you know, we know that that can be done. We know that there you two know videos out there that have embedded commands in them um that leverage those smart speakers and can get them to if you don’t have it set up for a two step authorization. You can actually using inaudible audio trigger Siri or google or Alexa to download malware because you basically feed them the U. R. L. And tell them to go download it. So

[00:50:39] Brad Nigh: yeah, I’m I just don’t like that trend. I don’t have any in my house.

[00:50:45] Ryan Cloutier: Well and it’s what it is for the folks out there that don’t know, this is a new school tactic for an old school marketing tactic. So marketing has been using subliminal messaging and techniques for decades and decades. Um you know the one that’s probably most commonly known as the popcorn and soda at the movie theater. Um and how they embed certain imagery and audio into the end of the movie to trigger you to want to get those snacks. Well, advertisers are now doing that for tracking purposes. Um

[00:51:18] Brad Nigh: TVs are grabbing screen captures to see what you’re watching. Absolutely

[00:51:23] Ryan Cloutier: right. And so you know, because you hear this all the time. Well, I was sitting around talking about something and then all of a sudden all the advertisements on google turned into what I was just talking about. Well, I think there’s some truth in that. I think there are some behind the scenes things happening that maybe aren’t public yet.

[00:51:40] Brad Nigh: Yeah, that’ll be that’ll be interesting to say. Well uh I think that will just about do it. Be careful out there. A lot of stuff we cover today. Um one last thing before we close the show out. Uh If you are someone you know are looking for a job in information security. Uh we’d love to hear from you and help out where we can email us at unsecurity@protonmail.com. And we’ll chat. Hopefully whenever gets back, we’ll get that whole thing rolling. And if you’re the social type socialize with us on twitter, I’m @BradNigh Ryan can be found at

[00:52:15] Ryan Cloutier: @cloutiersec

[00:52:22] Brad Nigh: Heaven is in his usual spot @EvanFrancen. That’s it. And talk to you all again next week.

No items found.
Sign up for our newsletter

Receive monthly news and insights in your inbox. Don't miss out!

education
Industry insights
NEWS & EVENTS