Evan ran across an article this week titled “15 Security Pitfalls and Fixes for SMBs.” Small- and medium-sized businesses (SMBs) tend to be an underserved market, and with many businesses starting to regain their footing post-Covid, now is a great time to discuss SMB security. Brad and Evan analyze the “15 Security Pitfalls and Fixes for SMBs,” provide their thoughts on the list, and give recommendations for those in smaller businesses to avoid these cybersecurity mistakes.
Protect Your Organization from Cybersecurity Threats
SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
Podcast Transcription:
[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the Unsecurity Podcast. This is episode 126 and the date is 9 April 2021. Joining me is my good friend, great guy and infosec expert (infosec, short for information security), to say thank you.
[00:00:40] Brad Nigh: appreciate it
[00:00:41] Evan Francen: Yeah, I just want to be clear Brad Nigh. So welcome brad.
[00:00:46] Brad Nigh: Good morning.
[00:00:48] Evan Francen: Good morning. We were just talking before the show how sleep deprived we are lately.
[00:00:53] Brad Nigh: Yeah, well we’re recording today because I woke up yesterday with like four with a migraine that finally cleared up about three in the afternoon of I was able to at least function from about starting at nine. But I woke up and I was like, you gotta be kidding me. Evan is gonna be like, what is he don’t want to do this anymore.
[00:01:15] Evan Francen: Now. You know me man, I got smart.
[00:01:18] Brad Nigh: I know it’s just been crazy the
[00:01:22] Evan Francen: because I don’t even, and I actually don’t even question that stuff, you know, because you know, number one core value is tell the truth. So I give people the benefit of the doubt man, this is how we are right? So when I come to you and say like, hey, I got this thing, you know, you, you give me the same, you know?
[00:01:41] Brad Nigh: Absolutely, yeah, yeah. It’s been uh like you’re talking about, it’s been like I’ve got 20, is supposed to be better. It’s been a crappy, like late February through early April so far.
[00:01:58] Evan Francen: I know man, it’s gotta get better. That’s, you know, me being a faith guy and you know, and I have, I don’t I’m pushing on people and I don’t, you know, we’ve got our beliefs right? Yeah, you got your own thing, but the uh I was telling a buddy of mine, you know, another Christian friend of mine that uh you know, when you talk about like spiritual stuff, right? And you’ve got God and you’ve got Satan right, you’ve got good and you have bad, you know, maybe and so it always seems like the people that are being the most effective or that are on the verge of some kind of breakthrough are the ones who are getting attacked the hardest.
[00:02:43] Brad Nigh: Yeah, yeah. I always one of my things. I like to joke and say it was like, you know, I know God wouldn’t give me more than I can handle. I just wish He didn’t trust me that much, right? It’s like, come on. But anyway, yeah, we’re yeah, getting through it.
[00:03:02] Evan Francen: Well there’s, there is, I mean there’s blessing, there’s grace, there’s good things on the other side of it man and we were talking about that too, right, when you’re, you know, you just persevere, right? A lot of these things are outside of your control. But you know, you lead by example. I love the way you lead your family and as a friend, it’s cool to see it. So
[00:03:22] Brad Nigh: yeah, I’m like, I’m so I was I shared with you yesterday. My oldest, uh, was recommended by one of her teachers to be an editor for the school newspaper. Yeah, freshman year. And it’s a pretty big thing. I was like, awesome. I’m so glad you got your mom’s school, like study ethic, rather than mine was in high school, wait till the last minute and do as little as possible to get by,
[00:03:52] Evan Francen: right? Yeah. Michael’s sports school or sports girls. Yeah,
[00:03:59] Brad Nigh: drinking. So I didn’t, I didn’t drink in high school, but it was, yeah, it’s not a wasn’t a bad like disruptive student, but I would not consider myself has been a good student in high school.
[00:04:13] Evan Francen: Yeah. I look back in high school and I think I was a lot the same. I was more of a protector than I was, you know, Like I was telling my daughter she’s 16, you know, um, about yeah, there’s just got this friend who if, if I was back in high school, his name is, uh, name is his name crap. But anyway, I would have called him something then when he gets called today. And I had a and it reminded me back in high school where I had a there was a guy who man, he was so full of himself, He was mr king of everything, right? And and his name is Bill Bader, B.
[00:04:55] Brad Nigh: A D. E. R. Okay.
[00:04:58] Evan Francen: Now he’s probably off, you know uh Ceo of a company doing great. I don’t know, I haven’t you know that was a chapter of my life that’s closed now and you know you’re onto another one. But yeah I used to call Master.
[00:05:11] Brad Nigh: Uh huh. She said his name like I knew
[00:05:16] Evan Francen: yes master. Yes Master. And he would get so pissed off that I was that kind of guy.
[00:05:21] Brad Nigh: Yeah. More of the class clown.
[00:05:24] Evan Francen: Well yeah and I don’t like you know, just like today man, the only the thing that gets under my skin the most is people taking advantage of other people. I hate it. You know what I mean? That’s why I don’t get too wrapped up into politics every once in a while I’ll say something. But because that’s all politics is to me, you know, is people positioning themselves manipulating others lying, whatever they can so that they can get elected. That’s why I don’t play uh I’m gonna go down that path and it’s gonna get masking so
[00:05:55] Brad Nigh: yeah, I’m with you. So yeah security uh a security will make the awkward transition because I’m with you on like yeah we’ll go off on a rant. Uh
[00:06:09] Evan Francen: Just hate people taking advantage of other people. I don’t hate the people, I hate the action of taking advantage of somebody else. And so you can apply that in, I think so many places in life, whether it’s, you know, protecting somebody from a bully, you know, in high school or you know, doing what you can to step up and step, you know, for somebody or like today we’re gonna talk about, you know, that small, small to medium sized businesses, they get taken advantage of in numerous ways. I think one way they get taken advantage of is obviously the attackers like the people who come in, you know, plant ransomware or business email compromise or whatever else, right? And take advantage of the small business, but then you’ve also got the people inside our own industry, I call them the wolves in sheep’s clothing who are peddling goods and services to these small businesses that are not the right fit uh, a waste of money and they don’t have money to waste. And that also pisses me off.
[00:07:11] Brad Nigh: I think that pisses me off more.
[00:07:14] Evan Francen: Yeah,
[00:07:14] Brad Nigh: right? We know attackers are not ethical, We know that, you know, to expect that from them, but when you’re in the industry or selling into the industry and then taking advantage, that’s, that’s bad,
[00:07:30] Evan Francen: right? Yeah. I mean it also not only does it, uh hurt them, but also it makes our jobs that much more difficult, right? Because you give us a bad, you give the rest of us a bad name.
[00:07:43] Brad Nigh: Yeah, they, that small business has a bad experience where they get sold a bill of goods or you know, pay a huge price tag and something happens because it wasn’t the right solution. It was configured properly. Now there, are they going to trust anyone else?
[00:07:59] Evan Francen: Exactly, Exactly. Yeah. So yeah, so we’re gonna talk about that today, we’ll talk about these 15. So that I came across an article, I don’t know, yesterday, day before, I can’t remember what day it is anymore. But there was a day when I came across an article, it’s 15 cybersecurity pitfalls and fixes for SMBs. I’m gonna talk about that. And then I also want to talk about how we’re going to transition. I think the show and start inviting some really cool guests on a pretty regular basis. So we’re gonna start actually, It only took us 126 episodes before we’re like, hey, let’s let’s formalize a schedule then be cool.
[00:08:41] Brad Nigh: I mean, I kind of a lot about, I mean it’s how we, we roll, it’s kind of like, well just, yeah, we should probably do something,
[00:08:49] Evan Francen: right? Yeah,
[00:08:51] Brad Nigh: maybe not. We get quite so much.
[00:08:54] Evan Francen: Well, totally man, because like, I didn’t even, I got up yesterday morning, I got up at four or something in the morning, like, oh, we got the podcast today, What are we talking about? Oh, crap. We didn’t do show notes and what I don’t know. So that’s why that’s what I was like, oh yeah, let’s do this. And so yeah, that’s what leads us to this. Uh, but you’re right man, this is life right last minute. It’s funny. I have a talk coming up and I don’t, I don’t even remember, cause I’m trying to do a little less talks. I don’t, I don’t necessarily like them because it takes so much time usually to prepare for them and you know, and I like to create stuff like a new solution to something or
[00:09:42] Brad Nigh: yeah, it’s, I don’t, I don’t mind doing the talk itself and getting up and doing, it’s all the prep work that, you know, people don’t realize, you know, you’re going up there for an hour, but it’s, you know, for six hours depending on what you’re talking about. If you’re creating something new, could be even longer, Right? Figure it out. I know what you’re going to talk about. Being familiar and comfortable with the information, you know, with the content. Yeah. It’s a lot of work on the back end.
[00:10:15] Evan Francen: It really is. And I think a lot of speakers will just reuse, that’s why it’s probably to just take the same talk and maybe I’m, maybe I’m going to create three or four talks for the year and I’ll just give those talks. Well I’m more ADD so I’m like, I want to talk about this. But I’ve never talked about that before. So then I got to go create all this stuff. Anyway, there’s this, I guess pretty big good size conference and InfraGard thing coming up. Mm I don’t know. Not me. I think only I should find out what it is. But they, they emailed me, hey, you know, thanks for being a speaker. And I was like, I don’t remember ever like, did I do this? Did marketing do this? I don’t know who what this is. So thank God they have a page dedicated to the speakers so I can see what, you know, I’m like, what am I even talking about? So I look and I’m like, oh, okay, I can do something about that. So then, yeah, we create, you know, but you have to create and then they want to make like my slides like, you know, it’s a month before the talk and you want my slide deck already. I don’t break my slide deck until about 15 minutes before I’m ready to talk. And then even then I’m making changes.
[00:11:40] Brad Nigh: Well yeah. And we get a lot of really custom requests, especially from customers like in May, I’ll be giving a talk to a health network I guess. Uh, they want to know a review of just how all the different health, all the different affiliates scored on as to what trends and what are, you know, what can they do with that as a whole to work together to get better, you know, where is there any trend that they can do something as a group, Right? That’s a lot of work to pull all that info together and create, you know, a slide deck when you’re looking at probably 15 ISH, different entities that I have to look at and figure out what I mean. That’s gonna be a lot of work.
[00:12:34] Evan Francen: I’ve also found it difficult to find good data in our industry. You know, we’re supposed to be such a data driven industry. But most of the data I see, you know, or find when I’m doing research for things just either old. I mean Past 12 months, you know what I mean? Things move so fast that really in certain instances, anything that’s older than that is kind of, I mean as the, as it ages, it becomes less relevant, right? If there’s if things are pretty stagnant then their data sort of lives longer. But, you know, if things are moving quickly, moving quickly, moving quickly, your expiration date, um It’s almost like an expiration date on milk versus an expiration date on cheese. Mhm. You know, I mean milk, that expiration dates like a couple of weeks, right? Usually something like that. Whereas cheese, I mean, I just scraped off some I’m not gonna tell you about that year. Me. I mean, I don’t know, it’s a long time.
[00:13:33] Brad Nigh: Yeah, fully agree. So
[00:13:38] Evan Francen: yeah. All right. So anyway, we got that. Uh So I’m excited. I think one of the uh it’s not I got a whole roster of people that I think we’re going to have that our listeners will really enjoy hearing from Because you know, after a 126 episodes it’s not like you and I don’t have cool stuff to say, but I’m like oh bring in someone else’s perspective. Might be really fun.
[00:14:02] Brad Nigh: Well, I mean that’s what we talked about. Like you want a diverse team. Well, same concept. Let’s get you know, there’s many people’s opinion and talk through things and I’m going to guarantee it at some point we’re not going to agree with, you know what they say. But it’s a good that’s always a good discussion of.
[00:14:22] Evan Francen: Yeah, it’ll be fun. I’d love yeah, it’ll be fun when somebody comes on your tries to sell something.
[00:14:28] Brad Nigh: Mhm. Oh
[00:14:30] Evan Francen: no. You know what you need, you need Darktrace and not about it. I was like okay this isn’t gonna go, well probably I
[00:14:37] Brad Nigh: didn’t tell you this. I got something I maybe I did I’ve been getting bugged quite a bit about uh somebody about how how we can better monetize the podcast and we should share pollution and it’s like, come on, right. Although it’s kind of cool that we’ve gotten to the point where people are, you know, reaching out to us for that.
[00:15:02] Evan Francen: Yeah. Well you know, it’s uh my ADD is taking me all over the place this morning. The, there’s account, there’s an organization. So SecurityStudio and FRSecure, both doing really, really great. But SecurityStudio, it’s a software as a service company, Right? So you always gotta push faster
[00:15:21] Brad Nigh: faster.
[00:15:22] Evan Francen: That company is not constrained by people, right? Like FRSecure the hottest commodity. The most important commodity we have are the people
[00:15:32] Brad Nigh: we tell the analysts and consultants time. I mean, at the end of the day, that’s what it is. It’s that expertise
[00:15:40] Evan Francen: and it’s hard to find good people and I don’t, and I’ve told people, I don’t know how many times I don’t care about your skills.
[00:15:48] Brad Nigh: You know, we can keep skills.
[00:15:50] Evan Francen: Yeah, just, you know, be a good person, be genuine. It’s something that I would like to hang out with and if I were drinking beer, I would drink beer with you. Right. Be that kind of person. Um, yeah, I don’t know how I get off on that tangent. Uh, but that was, oh, sorry, that that company is growing, SecurityStudio, but we’re going to take an investment. I think we’re gonna take an investment. Uh, so that we can accelerate certain parts right? At some point, you have to do it every, every software as a service company. If you want to grow, that’s what you have to do. Uh, but one of the, one of the people uh, that I was introduced to, that’s also in this investment pool is SquadCast.fm, Zach Moreno. Uh, so we might start using some of their stuff because I got to know him. He’s a cool dude. I think you’d enjoy his background is I realize background his motivation is a lot like ours.
[00:16:49] Brad Nigh: Yeah, I have no issue if if we find a better solution on our own. It’s just when yeah, I believe it is. Hey, I can, we can make you more money. That’s you get the point.
[00:17:05] Evan Francen: He totally missed it. Right. All right. So this article, this uh, its title is 15 cybersecurity pitfalls and fixes for SMBs, and SMB, small to mid sized business. The article features a round table discussion between, I’m sure I’ll screw up these names, Timur Kovalev, that’s the CTO of Untangle, Erich Kron from KnowBe4, who we were just talking about before the beginning of the show, Greg Murphy, the CEO of Ordr. Uh, this was on Threatpost and they gave their take on what SMBs think about information security, the common mistakes that they make and how they think they can do things better. So, um, I like kind of dissecting these things because in our opinions are opinions are cool, right? As long as they’re coming from the right place and we have no shortage of experts and I say, you know, air quotes experts too, so you have experts. Let me have experts who aren’t really experts and then whatever. So I wanted to go through the list and see if we agree, disagree, if we have something to add to the discussion,
[00:18:18] Brad Nigh: You know? And this is kind of funny coincidence I had a was supposed to be a 30 minute call. It turned in about an hour and 20 with a 22, 23 person company uh last week that they were they were very, very unhappy with their current infosec uh provider. I won’t even call it a partner because they have like kind of some of the things that I was sold. But yeah, it was they basically were sold, hey, you do this and you know, it’s a here’s boxed HIPAA compliance, right go with us and you’ll be HIPAA compliant right away. And she said they’ve been with them for like six months. She was like, what have I done? What? I don’t I’m not getting any value. And so I’ll be able to kind of talk as we go for this like real world, like what recent, what are they going through it? Mhm.
[00:19:26] Evan Francen: You know, it’s really common when we were intentional when we started FRSecure that we were going to not abandon these underserved markets. We’re not going to abandon the small to midsize businesses. Uh because what happens often in our industry as companies come into this industry to start a business and we start serving the small midsize businesses and then as quickly as you can, you move into the enterprise. Mm everybody wants to play in the damn enterprise. And it’s so damn competitive. Whereas you know, the rest of the world, the 80% or whatever is less sort of floundering, right? You look for, they try to create automated solutions, quick hit solutions, ones that they can monetize them, um, scale right quickly. So, you know, this SMB thing is really important for us because we’ve been intentional about it. We’ve had the opportunity, we’ve had many people come into FRSecure, leaders who want to push us in the enterprise. We got to go after the enterprise, go after the enterprise. Like why?
[00:20:32] Brad Nigh: Well, I mean, you’ve got a
[00:20:34] Evan Francen: pretty well served right now.
[00:20:35] Brad Nigh: Right, well you’ve got a Fortune 500, you’ve got 500 companies. Well, how many small to mid sized businesses are there? Right. I mean multitudes more. Right. You know? Yeah. And yeah, I’m with you. Like why go try and fight with other people and this like highly competitive. They’ve got all the services and offerings they could need when we can help people and and still, like you said, mission before money, right. If we help these people and do it right, the money will come. I’d rather work with 25 small to mid size rather than one enterprise.
[00:21:17] Evan Francen: Well, for sure. I mean, Equifax doesn’t go out of business when they have a breach. Target doesn’t go out of business breach, Facebook isn’t going out of business because of their latest breach. But these small to mid sized businesses, the majority of them do go out of business because of a breach, you know? So yeah these are a big deal for me. So the first one, the first one out of the 15 common SMB mistakes. So this came also from like a I guess a study that they did uh where they said you know, how confident are you in your ability to you know be resilient or how prepared are you for an attack? And this was a study of I guess a bunch of SMBs and 57% said they aren’t confident. Which I think is an interesting number right there because that seems high to me. I mean low to me, I’m sorry, It seems like if I talked to SMBs, more than 15, are not confident in their ability or confident and how prepared they are. 29% of medium confident, 14% said they are rock stars. Like to know the SMBs who think they’re rock stars.
[00:22:29] Brad Nigh: Those are the ones that get hit the hardest because they they probably think and maybe maybe they are. But yeah it’s not that would be surprised based
[00:22:40] Evan Francen: on when you put when you put yourself out there and say rock star usually the next thing I’m going to get served some humble pie.
[00:22:47] Brad Nigh: Yeah exactly
[00:22:49] Evan Francen: crap. I think uh
[00:22:52] Brad Nigh: we’re an SMB. And there’s still stuff that we’re constantly working on, right? Like regardless of how good you think you are, there’s always going to be something and as soon as you’ve kind of get cocky about it and quit looking, that’s when it hits you. So I mean, I think we’ve got a we’ve got a very solid security program but we’re still improving, still updating and upgrading and doing things to stay on top of it. So
[00:23:25] Evan Francen: Yeah, and I don’t think I never called myself a a rock star, I mean, yeah, really good fine. But rock star to me means like you got a mailman go to, you know, I guess rock stars, you gotta nail go take some drugs, but I’m not doing that right? It seems like the rock stars go there. Yeah, Alright, so number one mistake, they think they think they’re too small to be a target.
[00:23:50] Brad Nigh: I would agree with that as a pitfall. I mean we hear that and I are like, I can’t believe that I got hit where you know people and we do this very niche thing. Yeah. Yeah, the Attackers don’t care,
[00:24:10] Evan Francen: right? Yeah, I think I do think and that’s always been the mentality right? There’s two things I think that mentality one is were too small to be a target, right? Who would want anything that we got? I mean we’re just, you know an HR company or you know,
[00:24:26] Brad Nigh: even manufacturing is a big like, yeah, we need a widget or we do, I don’t want steel stamping, right? Like it’s not anything. Why would anybody care?
[00:24:39] Evan Francen: Right? Yeah. Take Fazio Mechanical, right? In the Target breach? It’s an HVAC company. What are you going to get out of that? Well, Maybe 50 million credit card numbers, right. So yeah, and I think the other piece is, just people still think it’s just generally not going to happen to them because it’s never happened to them before, so they’re like, I’m not going to happen, not going to happen to me, that happens to, you know, Johnny down the street,
[00:25:09] Brad Nigh: 100% here. That
[00:25:12] Evan Francen: which, you know, and we stand here screaming and it is going to, but you know, that’s a whole other thing, you know, Have we cried wolf too much to where they’re like, I’m not even listening to you anymore.
[00:25:25] Brad Nigh: Yeah. Oh yeah. There is so much fun out there that people I’ve had to deal with for so many years.
[00:25:36] Evan Francen: Yeah. So this number to our mistake number two, no business risk evaluation. Why the hell would I do that? I
[00:25:47] Brad Nigh: mean,
[00:25:48] Evan Francen: you know, it takes us back to the definition of information security, right? It’s risk management and it’s good to see that the industry now, I think it’s starting to look up more to that because you see it more Like 5, 10 years ago. This wouldn’t have been on your list because people weren’t talking risk like they are today. That’s good.
[00:26:10] Brad Nigh: Yeah I agree. And I think you’re seeing, you know, we’ll see CMMC and some of these other things that are requiring it and you know it’s like oh well I guess it is kind of important. Oh I but yeah I agree. I would say we’re definitely seeing more outside of what you would expect, you know like healthcare and finance and banking, that’s the majority of our customer base is in that arena and maybe some insurance things like that but they have to because they’re regulated then they were required or we’re now starting to see manufacturing, CPAs, law firms, more of these so what you wouldn’t consider it traditionally or what you wouldn’t see, right? So you are, you are starting to see a lot more and of these small companies realizing that oh yeah we should probably be doing something.
[00:27:18] Evan Francen: Well it’s gonna start with risk management too. I mean that’s the Erich Kron is the one who I think you give some good stuff here, you have to do a risk assessment.
[00:27:29] Brad Nigh: Mhm.
[00:27:31] Evan Francen: Now I agree that this is heavily regulated industries um there’s a big difference and I know in my own life between being told what to do and doing the right thing, you know, most self motivation versus somebody forcing you to do something and I mean that’s what it comes down to. Either you get this right yourself, do the things you’re supposed to be doing as a responsible business leader, as a responsible owner or you’ll be forced to
[00:28:02] Brad Nigh: uh
[00:28:03] Evan Francen: which do you
[00:28:03] Brad Nigh: prefer? Right? Yeah. And you know, he has a really good example in there, where you say he’s talking to his chiropractor and chiropractor’s like, if there’s nation states out there doing things like SolarWinds and they can get the big guys, I don’t stand a chance. So why bother trying?
[00:28:23] Evan Francen: And it’s the wrong mentality,
[00:28:25] Brad Nigh: right? Because it’s not the nation state. So you have to worry about what? Yeah, here’s the thing. The people that are doing something are going to be in better shape than that, because even if you just, you know, something simple, turn off ICMP responses from externally facing, Right? Well, if he hasn’t done that, they’re going to light up before you do. All right, It’s just you know, they’re gonna the attackers are going the path of least resistance
[00:29:00] Evan Francen: and SMBs for sure.
[00:29:02] Brad Nigh: When you Yeah, exactly. When and where you go, what are you gonna do? You are the path of least resistance,
[00:29:09] Evan Francen: Right. Well, and you see that mentality changes when you get into large business, because I I remember working for a big big bank and uh I was talking to the CISO and and he got up and gave a talk to the entire security team and it was a good sized team. And he said we don’t have to be secure, we just have to be more secure than the other guy. Now that that mentality for me works fine in small to mid sized businesses, but an enterprise that is not the truth. Enterprise, you’re targeted specifically for reasons, right? They’re not looking for the lowest hanging fruit at JPMorgan versus uh you know, Wells Fargo versus U.S. Bank. They are specifically targeted. Small to mid sized businesses, yeah, you’re the, you’re the lowest hanging fruit. You’re the one that looks the most interesting. That’s where I’m gonna go. And oftentimes the small midsized businesses, they’re either attacked directly. Like this is a quick hit ransomware, going to get some money there or in the in the worst case scenarios it’s, I’m gonna pivot here, I’m going to use this like i.e. Target, I many, many, many third party risk management type breaches. I’m going to use this SMB and pivot into the bigger companies.
[00:30:29] Brad Nigh: Yeah, or you know, we, we had an IR where they had a wire, it was wire fraud and they, they found out because their vendor was like uh are you gonna pay us? What’s going on? And I mean it was, Gosh, I don’t remember the exact amount, I want to say it was like 10 grand or something, like not insignificant. And then as we started working through it and they started looking, it had been going on for like several months, like three or four months, at least something like that. I don’t remember the details, but right. Like that’s a tangible. Uh can you imagine losing 10 grand a month as a small company. That’s that’s not an insignificant amount to to try
[00:31:17] Evan Francen: and you keep down another false mentality. Illogical. It’s not reasonable. It’s not using reason to think that. I mean, we say it’s gone on for a couple of months. Why didn’t you attend to this at the very beginning? It’s not going to go away. It doesn’t just disappear. It’s not like, oh look, we’re good now
[00:31:38] Brad Nigh: you’ve got to make fundamental changes or it’s, you know, like how did nobody notice that the ACH transfer, the bank account information changed?
[00:31:52] Evan Francen: Like, yeah, you have a wound on your forehead and it’s getting bigger. But don’t worry about it. They’ll go away. Right? All right. So mistake number two. No business risk evaluation. Every small business everywhere. I don’t care profit nonprofit government. Public private. We must do risk assessments. Do risk assessments that are simple, easy to understand. Effective measurable. Um, and then make risk decisions, right? Because just doing the assessment that’s where people stumble to. They just do the assessment and like, oh, we’re good now. No, you’re not. This is, this is a new habit that you need to learn. And just like any other new habit, right? It’s uncomfortable at first. You have to fight through that. Do your assessment. Make risk decisions, build roadmaps, execute on road maps, come back, do the whole thing all over again, becomes part of your normal business operations, right?
[00:32:52] Brad Nigh: Oh yeah. And we talk to people all the time and like do this and document if you are accepting the risk, that’s fine, that’s completely legitimate decision. But you need to document that you’ve at least looked at it and why you’re accepting it,
[00:33:10] Evan Francen: right? And I’ve heard that so many times too, the illogical argument from CEOs or CISOs elsewhere. Well, if you tell me about, if you tell me about a risk, we’re gonna have to do something about it. So that’s their justification for not doing a risk assessment. I’m like, you understand that risk ignorance isn’t going to defend you, you know? Right? So you really don’t have a choice. And to your point, just because there’s a risk doesn’t mean I have to do something about it. I can accept it, I can acknowledge it. Say it is what it is. We’re going to live with it, move forward. Maybe look for some mitigating controls, like maybe increased monitoring or some sort, you know, add that specifically to your response plan. So if this one risk does get compromised, this is what we’re going to do about it. But yeah, you don’t have to fix everything, man. You never will, forget about that.
[00:34:06] Brad Nigh: Yeah, I mean, we absolutely have accepted some risk. I’m not going to go into detail because why? But there’s certain things in the S2 that were like, yeah, we’re just not going to do that. It’s not
[00:34:19] Evan Francen: the totally legit.
[00:34:20] Brad Nigh: A good example is we don’t have a generator backup or backup generator, but we don’t have. But everything we use this cloud based, there’s no business really. Like how would I justify, you know, saying we need to spend at the thousands of dollars, tens of thousands of dollars on a generator and a fuel contract when there’s no business benefit, we’re going to accept the risk of we lose power at the office. Okay. We’ve all been working remotely for the last year and had no issues. Cool, We’ll just do that.
[00:34:59] Evan Francen: Exactly, man, 100%. So mistake. Number three. So number one, again, I’m just gonna keep your cap on these because if you’re a small business and you’re listening, we need to start paying attention. Not that you’re not, I don’t know you, but, You know, one thinking you’re too small to be a target. That’s a mistake. No two Not doing, not treating this as risk management, from not doing risk assessments and making risk decisions. That’s mistake. Number two, mistake. Number three, you haven’t made an asset inventory. You don’t even know if it is, you’re trying to protect.
[00:35:30] Brad Nigh: Well, I uh 100 whatever percent. Yeah. And that’s not even SMBs. That’s absolutely not limited to SMBs. That is all over the place. We see that all the time for companies that you would be like, well really? You’re right, okay, I’m going to create a virtual card to work with you
[00:36:00] Evan Francen: now. Right. Well this one actually ticks me off too because this is one where I get pushback. Believe it or not, from other security people or IT people, like well do you have any idea how hard that is? I’m like how much do you get paid? Are you getting paid?
[00:36:14] Brad Nigh: Right. Well
[00:36:16] Evan Francen: this is part of the job, right? You have to understand what it is you’re trying to protect. There are tools you can get, there are scanners you can use, there’s all kinds of things you can do to get creative. You don’t have to be like, well, Excel spreadsheet, that’s too much work
[00:36:31] Brad Nigh: well you know and obviously we’re product vendor agnostic, you know. But personally I’ve used Spiceworks in the past. It does an automatic scan. You can set it up to alert if it finds new things.
[00:36:44] Evan Francen: SolarWinds.
[00:36:45] Brad Nigh: And it’s well but Spiceworks is totally free too though. Right? So I mean there are quality, we get
[00:36:54] Evan Francen: started with Nmap
[00:36:55] Brad Nigh: and Memphis even. Yeah. Yeah, I like that, the other one, because it, you know, it does do software inventory as well as hardware and you can set it up to alert you on changes. So if it finds new software even, right
[00:37:11] Evan Francen: I like using dual purpose tools too, right, if I can use one tool for multiple purposes. So yeah, Spiceworks is a very broad tool set. There’s a lot of things that
[00:37:21] Brad Nigh: you
[00:37:22] Evan Francen: can configure it correctly. Right. It probably doesn’t need to speak to the internet except for on certain occasions. So you can close that off if you get, you’re worried about a SolarWinds type attack.
[00:37:34] Brad Nigh: No, absolutely. Yeah. Yeah. They have a cloud solution or on prem and, you know, you determine your risk tolerance. When we did it, it was on prem. And yeah, that was it. Didn’t, none of the servers that didn’t need to talk to the internet talked to the internet.
[00:37:53] Evan Francen: Right. One, another thing I like is, uh, well, that I’ve used very much so and advise clients a lot on this is, getting started, use your vulnerability scanning data, your vulnerability scans on a regular basis. There’s a ton of good information in there. Yes. It doesn’t rank critical, high, medium and probably not even low. A lot of it’s the info stuff there, uh, and it’s all in XML format so you can get XML parsers, you can parse it yourself. You can code something. It’s a lot easier than you think, start there. And then like, okay, I’d like to know a little bit more about these data types and things like that. Well, then look for other tools, but you probably have tools right now in your own toolbox to get started on that.
[00:38:36] Brad Nigh: Although the issue there is you’re assuming that they’re actually doing vulnerability scanning,
[00:38:41] Evan Francen: right? I don’t know how you are and I don’t know how you manage risk without understanding vulnerabilities, threats. So that’s another, man. It’s logic. All right. Number four. So number three, again, asset inventory: hardware, software, data. Data is probably your most valuable asset, but it’s also the hardest one to get your hands around. So, start the other way, hardware, software, then go after your data. That’s my advice anyway, but what do I know, I just do security shit, stuff. Sorry, wow. Number four, insecure digital assets. So, this one, you know, this one kind of like, what are you talking about, insecure digital assets, but it’s basically the same thing we’re talking about uh, you know, digital stuff, the stuff you can’t touch, right? Yeah, yeah. Web
[00:39:39] Brad Nigh: servers, clouds from, you know, things like that
[00:39:43] Evan Francen: and configure that stuff. Right. When you implement a new server, you just go with the defaults and stand it up. It works. Everything’s cool. No, no, no. You gotta lock that thing down. So, building security in early on in the process, in any process, is really, really important. We’re gonna build this server, are we going to use, you know, maybe some CIS, you know, config templates or DISA STIGs, right?
[00:40:07] Brad Nigh: There’s a ton of really good free ones, like it walks you through it step by step, what do you need to be doing, what should you be doing? You know, it’s not, it’s not rocket science
[00:40:23] Evan Francen: you know? But I think, I do think people struggle, you know, because you’re busy running your SMB, you know, there’s a lot of like, okay great, I need to secure my S3 buckets.
[00:40:37] Brad Nigh: Well here’s another thing
[00:40:38] Evan Francen: I just, having to search for that stuff is hard at times
[00:40:41] Brad Nigh: well, but how many SMBs rely on an MSP? Right? Like they outsource their IT and security. Ever ask, like, what are you doing on these 15 things? Tell me what you’re doing
[00:40:58] Evan Francen: Actually that’s not a bad idea, would be to take these 15 things, put it into a template, contracting kind of thing, and say here, give this, if you’re outsourcing your IT or security management, make them give you some kind of assurance that you’re, that they’re doing 100. Okay, I’m gonna, we’ll take that as a takeaway or add it to my list and get done with it in a year and a half.
[00:41:25] Brad Nigh: Right? Well, you know, a good example is I’m working with a company on the two readiness and they outsourced to the MSP and a lot of it is, um, asking about, you know, well, logging and things like that, let’s talk to, and the MSP was asking some really good questions about like, hey, we’re not familiar with this, what does this mean? Like, you know, they’re asking for, saying that they need to have firewall logs and all these are different. What, what is the proper time frame? Can you help me understand what, what do we need to be doing to make sure that they’re compliant? And to me that’s a great MSP because they’re working to make sure that they’re doing the right thing.
[00:42:10] Evan Francen: Yeah, exactly. So number five is no network segmentation. I’d take it a step further, I’d say network isolation, you know, the difference is segmentation is typically a layer 3 thing, right? Where we set up the VLANs. Whereas isolation is I’m actually gonna use some packet filtering between the VLANs. That’s a much better approach. Not all your systems, all your servers need to talk to all your systems and all your servers on all ports and all services. Right. Start to understand that, lock that down more.
[00:42:42] Brad Nigh: I talked to a company that was again looking to do the right thing. They wanted to do. The person that had set up their AWS infrastructure left and mm, they don’t, they’re like, what, we don’t know what we don’t know. And so we’re talking through there how it’s set up and it, you know, it turns out that their web server results, it’s a flat uh, and they’re, so their web server’s on the same segment as their database that has the, you know, sensitive information. Like, yeah. You know, great. You’ve locked it down so that only certain protocols can get to the, to that front end server that accesses the database, but you are wide open because your web server is open. Right? So it happens all the time. And yeah, I told him on the, getting a call of scoping, cause like, yeah, I’m gonna tell you right now that’s gonna be a recommendation, is that you segment and isolate that web server from anything that is internal.
[00:43:54] Evan Francen: And the cool thing too is, you know, when I first started in this industry, you know, things were simpler. And so that’s why that always resonates with me. Complexity is the greatest enemy of security, because I’ve seen that happen over my career. I’ve seen what happened in organizations where you just get so many different tools, so many different servers, so many different things overlapping. It’s just crazy, right? And that, that’s much harder to secure. But another thing that I learned early on in my career was the better I understand something, the better I can secure it. So if I intimately know my environment, I’m better. I’m a better security person, I can secure that a lot better than one where there’s a whole bunch of stuff going on, I’m just not sure what that does. Now, I understand that a lot of us are working in environments where that’s just not possible for one person to really understand intimately what goes on. But if you have a little chunk of your universe, a server that you’re responsible for, a database that you’re responsible for, if you’re responsible for the network, responsible for this set of firewalls, freaking master that, know it so well, so intimately that you’re almost dreaming that stuff. Because I could tell back in the day, you know, being, I grew up in, I was a network guy, I was a network, I took so much pride in my work. I could tell you how the network was performing. I could tell you something was off based on the lights on a switch. I wouldn’t even need to log in because I knew it so well. It’s almost like you could feel it. You can sense it.
[00:45:25] Brad Nigh: Oh yeah, yeah. You know, I was a Windows VM type of background and the same thing. Like if you’re doing it right, you want to be proactive, you want to find those issues before they get reported by the user.
[00:45:40] Evan Francen: It was embarrassing if the user had to report it.
[00:45:42] Brad Nigh: Yeah. You never want that anyway.
[00:45:47] Evan Francen: Nowadays, you know, we just don’t, I don’t know. Maybe some of us just don’t take as much pride as we used to, especially in SMBs, I guess because it is usually outsourced. So it’s a third party coming to do a lot of this stuff for you. Well, they’ve got a lot of clients, man. I mean, maybe there, it’s hard for them to understand it like we did. Yeah. All right. Number six. Not understanding basic security hygiene. I don’t like that word hygiene because I would spell it wrong.
[00:46:15] Brad Nigh: As I say. Isn’t that what we’ve been talking about this whole thing? Like, yeah, these are, I don’t think this is a separate. I don’t think this is what these 15 things
[00:46:27] Evan Francen: Are. Right. And when we get through the list too, what I think we should do is take their information, create our own 15, because I agree, hygiene. When you talk about basic security hygiene, this is all basic stuff. And we’re not talking about like any AI weird strategy type things. This is like, these are fundamentals
[00:46:51] Brad Nigh: well, and everything that they talked about in that section is covered in one of the other things on the list. So I, yeah,
[00:47:00] Evan Francen: yeah. It’s almost like we just added this one for the sense of adding this one, but they do have, you know, in here, which we’ll talk about a little later too, is, you know, backups, access control. Those are also hygiene things, patching, you know. But yeah, I don’t like, I don’t like the fact that they, this is a, yeah, it’s too much overlap here. I think, you know, we need to make it cut and dry for SMBs. Number seven, no business risk evaluation. Didn’t we just talk about that for number two?
[00:47:27] Brad Nigh: That’s the duplicate.
[00:47:28] Evan Francen: Yeah. So okay. We just made 15. All right. We could have made this into 14. Maybe we just had complexity of the sacred complexity.
[00:47:38] Brad Nigh: Yeah, we can probably get this to ten and be covering everything.
[00:47:42] Evan Francen: Exactly. And make it actionable. Right? I want to, I want, I don’t want an SMB, because they have preached the hell out of here, man, we’ve told them so many things and they’re all like, whatever. Because when I’m, when I’m told something, and just think about it like your own self. When I’m told something that I don’t understand, I have choices. I can either go learn what it is you just told me so I can understand it, or I ignore it. Mhm. I did it with my own, I mean, hopefully my wife doesn’t listen to this, but I do that with her. You know, she’ll say something. I’ll be like, I’m just gonna let it go. Yeah, ignorance. But I think the same thing happens with the SMBs. We, we need to make it super simple and actionable. Yeah, I’m sick. Number eight, know what normal looks like. Absolutely. This requires you to be really intimate.
[00:48:39] Brad Nigh: Yeah. Well, it’s because I agree that if you don’t know, if you don’t have that baseline, and we’ve preached that, you don’t know what your baseline is. How do you know if there’s a problem? Got to establish a baseline and then that’s, I mean, that’s gonna be one of your earliest warning signs. All right. You know, I know, like you were saying, I know the performance, I know that this does this at these times. If I suddenly have a spike outside of the normal time, well, maybe want to look at that and understand what’s going on.
[00:49:15] Evan Francen: Yeah, I mean, you need to be
[00:49:17] Brad Nigh: oh, go ahead. It could be network traffic. It could be CPU usage. It could be memory usage. It could be, you know, disk activity, you know, regardless of what you’re looking at. Set a baseline and monitor against that baseline.
[00:49:32] Evan Francen: Yeah, I agree with that completely. The thing to remember about computers and networks and anything digital, they only do what you tell them to
[00:49:42] Brad Nigh: do. And
[00:49:44] Evan Francen: there’s a reason behind every single thing that happens. Every single packet that’s sent on your network, every single CPU cycle, every single execution. Something made it happen. There’s a cause and effect that happens. And so when you see a deviation from the baseline, don’t just blow it off, why? There’s a reason. Yeah, it actually, it becomes kind of fun if you like, you know, detective work and forensic kind of things. It can be really fun actually hunting that stuff down. You learn a lot.
[00:50:16] Brad Nigh: Mhm. Absolutely. I’m looking at where we’re at in the time. This might become a two part.
[00:50:23] Evan Francen: Oh, we’ll go quick. Number 9, two-factor authentication. Absolutely do two-factor authentication. If you don’t on anything externally exposed, you’re naughty. Yeah, we ate misunderstanding cloud security. That’s a can of worms.
[00:50:37] Brad Nigh: Well, it doesn’t, it’s not the same as insecure digital assets.
[00:50:42] Evan Francen: Yeah, true. We’re gonna have to, we’re gonna have to clean this thing up, aren’t we? Yeah. And CSA, Cloud Security Alliance, has got some good, you know, documentation on that stuff too. Lack of security training. Absolutely, and it’s not just training.
[00:50:58] Brad Nigh: Yeah exactly. It’s all up to.
[00:51:03] Evan Francen: Yeah, well, along, training and awareness, like they’re the same thing, they’re different. Training is when you’re teaching somebody a specific skill. Mhm. Right, something that they can do that they didn’t know how to do before. Awareness is like, hey, you didn’t forget, did you? Like this stuff is still happening.
[00:51:19] Brad Nigh: You know, one of the things that is, well, maybe not in the last year, but one of the little tips that I’ve given that is super effective: put your awareness posters on the bathroom stall doors. Yeah, well, like what you’ve got, I mean, it seems kind of silly, but you’ve got a captive audience.
[00:51:42] Evan Francen: Yeah, absolutely, that’s why they put all those ads now on the stalls at the bars, right? You’re going to the bar and you’re standing there, you know, urinating, you’re like, oh, look at that, I could get a new Lexus for, right? Yeah
[00:51:55] Brad Nigh: I’ve been, people don’t, they don’t think of those things and it works, and it’s a good way, you know, your training awareness is effective. You’re getting more, uh, questions or reports from your employees
[00:52:12] Evan Francen: you want, incident response goes up, yep. Yeah, for sure, man, and quirky always stands out, right, do something funky, weird, out of the ordinary. That’s the stuff that sticks in people’s brains, not the dry, same old, same old. Yes, mistake number 12. No business continuity plan. Oh yeah, there’s a supply chain one, their number 11. Don’t understand the supply chain threat. Your supply chain threat, meaning the threat you pose to the supply chain, I think, probably more in an SMB than the threats posed by your supply chain, because um you probably don’t have as many suppliers as the people that you affect upstream. So anyway, yep. Mistake 12, no business continuity plan.
[00:53:05] Brad Nigh: Why? Well, they haven’t done a risk assessment. So you can’t really have a continuity plan. If you don’t know, you don’t know your assets and you don’t know what the risks
[00:53:14] Evan Francen: are. Why would they do a business continuity plan? I think I’m good enough to continue it as it is. Now. Anyway,
[00:53:23] Brad Nigh: there you go,
[00:53:25] Evan Francen: There’s something, mistake 13, lack of strategic asset allocation and budgeting. Good luck budgeting if you haven’t done a risk assessment, good luck budgeting if you haven’t done risk management. Because your, your budgeting is absolutely 100% should be based on our risks, and these are the risks that are unacceptable and therefore it’s going to cost this much to do these things. If it’s based on something else, I don’t know what you’re budgeting on. Mistakes 14 and 15, wow, they lumped up two more together, failing to back up and lax patching hygiene, which we already talked about too.
[00:54:01] Brad Nigh: Right? And I don’t, yeah, I think that they’re kind of covering that altogether. But those are very different things.
[00:54:10] Evan Francen: True. Very true. So, and they also have another, I just think it’s kind of a weird written article because there’s also a graphic in there that I think breaks Donald breaks it up a little differently. But we’re gonna do a follow up to this. I think we’ll create our list of our 15 and make it, you know, try to make it actionable for people. Yeah. All right. Up against time, news, uh, as of 9:15 a.m. on the fifth, which I think was Monday, we have 4 5,618 students registered in the CISSP Mentor Program
[00:54:46] Brad Nigh: blows my mind. Uh
[00:54:47] Evan Francen: huh. It’s gonna be fun.
[00:54:49] Brad Nigh: We
[00:54:52] Evan Francen: just divided up the, the teaching load yesterday. Um, did you get, you didn’t get models? Did you
[00:55:01] Brad Nigh: uh, you know what, I honestly, I saw it and I haven’t looked to see what I actually, what that actually means. I think
[00:55:10] Evan Francen: the schedule is now set on which instructor’s teaching which
[00:55:17] Brad Nigh: is that is that security engineering or security operations? I can’t remember.
[00:55:21] Evan Francen: I think we want to, I’m not going to speculate, man, I don’t remember which one, because if it ends up being you again, on my heart,
[00:55:29] Brad Nigh: I’m like, well, you mentioned, you’re like, I’m doing it totally random, and I was like, I’m totally good with it being random, but if I get models again, I’m, it’s, there was, it was
[00:55:41] Evan Francen: rigged, it. I really believe you, fully automated. So it’s like if these guys come back too, you know, you rigged that game. I’m like, because I also saw that I got network and communications and I’m like, that’s the bomb,
[00:55:59] Brad Nigh: That’s the easy one for you, that’s your real name.
[00:56:02] Evan Francen: It totally is. So I’m like, I like how that worked out. But yeah, it was totally random. Mhm. All right, interesting news articles this week that we’re not going to get a chance to talk about, but in case you’ve been sleeping under a rock or living under a rock, there was a big breach, like actually a couple of breaches that kind of hid the, how this all happened. But 500 plus million Facebook accounts, you know, I don’t know how big of a deal it really is when you’re a social media user anyway, and you’re already kind of giving out your date of birth and your name and your email address and everything else on the cell phone. Yeah, it’s like
[00:56:38] Brad Nigh: one I found yesterday afternoon that I somehow missed on Freddy Lewis, there’s a big Fortinet, uh
[00:56:46] Evan Francen: that is a big one for us.
[00:56:47] Brad Nigh: Yeah, that is actively being exploited. So if you have Fortinet get on it, start patching immediately.
[00:56:56] Evan Francen: Absolutely. And then the other one I had was, uh, ransomware gangs emailing victims’ customers for leverage, which is, you know, this is what scammers do, right? If you close, they’re going to go to the, it’s like pouring water, right? If you block one, one escape for the water, it just leaves, it goes around or finds another path to go down, this is just another path. So if you do have your backups and you’ve done the good cyber hygiene things that you should have been doing to protect yourself, you’re still not out of the woods, right? Because these gangs now know that you’ve been doing that. So now they’re emailing your customers. Yeah, I should have expected that. I mean, the thing is with these scammers too, I should, we should just do some predictions because they’re so predictable in the way they operate, right? They’re not, we give them so much, like, man, these guys must be super duper smart, right? But no, they’re not. I mean, these are
[00:57:54] Brad Nigh: crooks. Well, and there’s a reason, I mean, IR isn’t easy, but there’s a reason we know, we know what to look for every time. Like it’s the same stuff or very similar, right? You know the things to look for. There’s a reason for that. They’re doing the same thing all the time, or
[00:58:17] Evan Francen: uh, all right. So wrapping up. Good talk, Brad, seriously, dig, dig. Always dig talking to you, man. Uh, you got me kind of fired up a little bit this morning, so that’s good. It’s a good start. I
[00:58:28] Brad Nigh: mean we’re both tired, so I figure you got to get that adrenaline going.
[00:58:32] Evan Francen: Yeah, I got a new energy drink I’ve never heard of before called G Fuel. Yeah, sounds pretty good too. Alright, shout out, just make it real quick.
[00:58:42] Brad Nigh: Um, you know, I’m gonna give a shout out to my daughters, just with the past year. They finally are hopefully going to be going back. Uh, they’re, they’re quarantining this week because they did go to a water park for spring break with my wife, who is fully vaccinated, but you know, the past year has been really hard where, you know, they’ve been basically isolated from their friends, and just super proud of how they’ve handled it and that they’re both getting on a roll and getting accolades from teachers, so just shout out to them for putting up with me for a year.
[00:59:19] Evan Francen: That’s awesome, man. I’m gonna give a shout out to somebody that a lot of people are, you know, but it’s Chris Roberts, you know, I think a lot of, you know, he’s kind of a public figure, but people don’t realize a lot of stuff that goes on behind the scenes, right? Human beings have things that, you know, get hit by all kinds of different directions. So I just want to give a shout out to him because I know him personally and I know how hard it is, how hard it gets sometimes to kind of face the storm that he does. So I appreciate people that do that, right? That just, you know, persevere, man. Yeah, exactly. So I appreciate that. Thank you to our listeners, send us things by email. I think I saw a couple of emails that I got to go respond to at ProtonMail. So it’s unsecurity at protonmail dot com. If you’re a social type, we, I tweet more than Brad does because Brad is not very social. Uh, mm, he’s a, he’s an in person social kind of guy.
[01:00:24] Brad Nigh: I just don’t have time.
[01:00:28] Evan Francen: I go the same way, I do like, like as a hobby, like almost at light or something. So anyway, on Twitter I’m @EvanFrancen, Brad is @BradNigh. Not very creative. Just take our names and munch them together and that’s where you find us. Yeah, Twitter handles,
[01:00:44] Brad Nigh: if you talk to me directly or tag me, I will respond. I’m just not proactive on sending stuff out most of the time.
[01:00:53] Evan Francen: Yeah, when I tag you, you respond. Other Twitter handles where you can find stuff: Unsecurity, this podcast, and that’s not very active, but I, I assume it will get more active, is @UnsecurityP, SecurityStudio @StudioSecurity and FRSecure @FRSecure. If you haven’t had a chance and you’re interested in signing up for the CISSP Mentor Program, go do that. Starts on the 12th. That’s Monday. That’s it. We’ll talk to you next week.