Evan fills in leading for this episode of the UNSECURITY podcast with Brad wrapped up in numerous incident response engagements. Together, the two of them chat about the numerous cybersecurity standards the information security world has the ability to adhere to. What do we use standards for, why are there so many, and which ones are best? After that, the guys discuss the ASCO ransomware and what they know about it.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
Podcast Transcription:
[00:00:22] Evan Francen: happy monday. Today is what is the date,
[00:00:26] Brad Nigh: june 17th,
[00:00:27] Evan Francen: June 17 Monday June 17th 2019. and this is episode 30 two of the insecurity podcast. I’m Evan Francen and joining me today is Brad. This is two days, two weeks, two shows in a row. But you were tied up with some incident response work just a little bit. That’s good to keep you out of trouble. It
[00:00:56] Brad Nigh: definitely kept me
[00:00:57] Evan Francen: out of trouble. I saw you last week you were sort of just kind of running all over the place.
[00:01:03] Brad Nigh: It was a little five Friday afternoon is a little fried. Good.
[00:01:08] Evan Francen: I mean maybe good. You get some rest. I did. Good. That’s important. You know, you got to keep things in balance. All right, well, we’ve got a good show plan today. Uh, two things that I’d like to talk about today. One is just kind of the use of information security standards in our industry. Uh, there’s no shortage of standards really to choose from. Um, and you know, I’ve seen some things, you know, people use them well and people use them. Not so well. People ah, you know what standards the right standard. I mean, do I choose I so to choose, Covid. Do I choose And ice t. p. 853, whatever. Right? I mean there’s lots of them. Um, so that’s one thing I’d like to cover today. And then another thing I’d like to cover is we got an email from a listener of ours in Belgium, which you tell me is in europe. So I’ve been told europe. Okay, that’s pretty far away from here, isn’t it? Yeah. Okay. Have you ever been to europe? I have not, I have not been to europe either. Yeah. All right. Anyway, well any that supposedly there’s this place called Belgium and there’s a company, their aerospace parts manufacturer called Asco A S. C. O. They were hit by ransomware, uh, this month and just kind of an interesting story. And so what we’ll do in that one is well read, we’ll just go ahead and read the email that we got from the listener because I think he brings up some good points in that email and uh, and then talk about it. Yeah, Yeah, it’ll be fun. So first things first, uh, standards, let’s talk about standards. What standard is your favorite standard? And I already know what, you
[00:02:54] Brad Nigh: know, so not a true standard, but a framework of standards. I like the next CSF overall from if I were to to be running something. But I think the, you know, if we’re looking at true standards, that would be the eye. So
[00:03:12] Evan Francen: yeah, I like the I saw two. I think the ISIL has always been sort of one of the best business friendly standards. Um, and so, you know, I don’t go for ISO certification. That wouldn’t necessarily be, you know, my advice, but using like I, so 27002, which is, you know, the management techniques, uh, seems legit, right? So choosing a standard. So why would I choose and, and this is open discussion between you and I. I’m not gonna, we can debate, right? Because we respect each other. It’s good to debate.
[00:03:51] Brad Nigh: I don’t want somebody you always agree with,
[00:03:53] Evan Francen: right? You’d be like, heaven. You’re an idiot. I can’t believe you said that. So, all right. Let’s just think. So, how would, what advice would you give somebody in choosing the standard? That’s right for them. So I, so Colbert, uh, you’ve got the, uh, the CSC top 20 I mean, there’s lots of different things,
[00:04:16] Brad Nigh: but I think ultimately you have to understand what you’re trying to accomplish and then understand what that standard does, right? So if you’re manufacturing your government, you probably want to go with the nist 853 that’s a little bit more regimented and what the government’s following your private industry, you don’t have that one. That is more business friendly. But ultimately, when you pick that standard, that’s what you’re gonna, all your policies, procedures, everything you do should support. Yeah. You know, driving towards compliance with that standard.
[00:04:52] Evan Francen: Yeah. And I think you know, and I agree with that, I think to standards that you know, I would consider, I’ve never been a big fan of Colbert and if you are a big fan of Corbett then great, I’m not saying that that’s a bad thing. One of the reasons I just haven’t been traditionally, uh you know, Kobe first came out, it was just so I. T. Specific for, you know, um and I’ve always been this big proponent that this is a business issue. I’m sick of being kind of pigeonholed into I. T. So it was one of the reasons why I kind of like a so so I’ve always been fond of that one, but it’s like asking, you know, yeah what kind of, you know, what model or what brand of router should I buy brand? Firewall, you know, firewalls do fire walling and standards do standard scene, right? That’s the word. I’m totally I’m an author so I get to choose words.
[00:05:49] Brad Nigh: It is a benefit.
[00:05:51] Evan Francen: Yeah. So okay, so you would your advice would be uh you know, if you’ve got some government stuff, you know, maybe to deal with mapping closer to maybe and I. S. T. S. P. 853 you know using 1 71 using uh you know, Phipps 1 99 kind of going through that sort of
[00:06:10] Brad Nigh: formal, it’s only more regimented I think. Yeah. Right? It’s a little more strict or more prescriptive.
[00:06:17] Evan Francen: Alright. And then if you’re, if you don’t have those requirements kind of deal with, uh, maybe ISIL is a good
[00:06:26] Brad Nigh: the CSF? Well,
[00:06:28] Evan Francen: I like to CSF too, because it is a nice framework organizes things really nicely,
[00:06:33] Brad Nigh: you know, I think ultimately that is always the way they would want to kind of base that on. Yeah.
[00:06:39] Evan Francen: So one of the things, um, I’m just gonna give kind of an example because I’ve run into this before. Large company. Um, lots of regulatory requirements has an internal audit department and the internal audit department says the standard says this and you’re not doing this. Is that a legitimate in your opinion? Is that a legitimate thing? I mean, do they have a legitimate case when they say, well, the standard says you’re supposed to be doing, you know, whatever and you’re not doing whatever.
[00:07:15] Brad Nigh: Thank Yeah, it depends. Yeah, I think it depends. Right. If you have a business justification or what, what is the reasoning why you’re not? Well, we’re not doing it to the letter, but we’re doing this to, you know, compensate for it or kind of work within the structure, but maybe not exactly what it’s saying.
[00:07:40] Evan Francen: Yeah, I agree that. I think one of the, my advice on these instances is you blend the standard into your business, right? Be careful not to change your business to fit the standard, Right? Because there are some things that if you look at any one particular standard, the standard says this will do an assessment or risk assessment against that. And if there is no risk there, then just don’t do
[00:08:07] Brad Nigh: that. You could have a you could just skip something because the cost for complying with that portion of the standard is far outweighs whatever that risk, maybe. Yeah.
[00:08:21] Evan Francen: Yeah. At the end of the day, information series about managing risk. It’s not about implementing a standard. Right? And I think sometimes people get so married to a standard that, well, the standard says, I’m supposed to do this. So come hell or high water we’re doing this, that’s not the way they’re meant to be used. No,
[00:08:38] Brad Nigh: no. And again, I’m going to go back to as long as you can justify. Why. Right, show that you thought about it. There’s a reason behind not doing this thing.
[00:08:50] Evan Francen: Yeah. So I think because people who don’t understand, I think you know the way security works and the way uh standards work, just because a standard says to do, you know that this is the way to do something doesn’t necessarily mean that you need to do it that way the standard may have, you know, think about the why the standard is asking you to do something. Why does the standards say I need to have an asset inventory? That’s an obvious one. But because you need to have an asset inventory, you can’t secure what you don’t know you have, right? So, but there’s lots of different ways to do an asset inventory. There’s the way the standard says that there’s a way there’s a way that I may choose to do it. They might deviate from that standard. Right. Right. So as long as you accomplish sort of the why behind it? Yeah. How the what and the how that’s in the standard. Maybe you’ve got other ways to do the what’s in the house
[00:09:43] Brad Nigh: one. And I think you know that that’s where some of those 800 853 and and all that where it’s much more regimented. Where you know, I think if you have less wiggle room, right? It’s very very much do these things in disorder. Right. And I so and some of the others are a little more. You should have an asset inventory but it doesn’t tell you, you know, including physical hardware, I’m sorry, software data, but not how to do it. People are walking by the studio and ignoring us. No,
[00:10:19] Evan Francen: no, no they didn’t. Did they? Okay. They acknowledged. Yeah. Because like you know
[00:10:24] Brad Nigh: when I looked over
[00:10:25] Evan Francen: they were ignoring. Alright, so standards. That’s that’s the way. And tell us how you use standards. I’ve always used them as kind of guidance. I’ve never I’ve never implemented a standard verbatim never done a standard because just just because the standard says to do something, I don’t do it, I do things insecurity because there’s a risk there. Right. Right? And so if the standard says to do something yet, that’s something doesn’t address a risk that I have, then I’m not doing
[00:10:57] Brad Nigh: so Yeah, there’s no value. Yeah, I think kind of the it it’s like the framework, right? Here’s what we should be doing. And how do we actually do these things or how do we address them as? Yeah, every business is different. You can’t just take that standard and do it across the board the same way every
[00:11:20] Evan Francen: time. And I’ve also found, you know, another thing is a standard is a good place usually to start, you know, so if you if you maybe you’re newer to the information security or maybe, you know, you’re working with an organization that doesn’t have an information security program, maybe using a standard as a starting point. But you’ll find as your as your information security program continues to mature. You can you will deviate from what the standard says and because it has to fit your company, right? Not the standard.
[00:11:55] Brad Nigh: Right? And I think again, you get a lot of wiggle room around. Well, here’s how we’re doing this for that portion of the standard.
[00:12:07] Evan Francen: Yeah, exactly. But if you’re going for certification, You sort of don’t have, you don’t have a choice, right? If you’re going for ISO certification. Well, the I so is your standard, you don’t have to 7001, you’re going to have to uh, you know define your sms and you’re going to have to, you have
[00:12:26] Brad Nigh: to do. And they don’t mess around either. No, it’s a, it’s a lot of
[00:12:30] Evan Francen: work. And on the, uh, on the government side, the N I S T S P 153 if you’re going for, if you have, if you have to be fisma compliance,
[00:12:40] Brad Nigh: uh, yeah, it’s a
[00:12:41] Evan Francen: lot of work. You don’t have a choice. All right. So the second thing, thanks for talking about the standard man, exciting. It is, yeah, I don’t you, I find that I use standards a lot less than I used to. Again, it’s that help me make a case. Yeah. But if you can make the case without the standard, then make the case
[00:13:01] Brad Nigh: though. And like, yeah, we map our policies and stuff too to buy. So, and then to we do it to the CSF. Right? But it’s, here’s what we’re using as the guy there is the baseline. Right?
[00:13:19] Evan Francen: All right. So the second thing I got an email or we got an email to the un security at proton mail dot com, uh, email address. I says, hey, and I’m gonna go ahead and read it and then we can talk about it. So this is, hey, Evan, uh, and brad. I’ve been a listener from the beginning of your podcast and just came across this news item from my home country, which is Belgium, which is a country. Yes, I’ve learned yes. In europe. Yes. Okay. To this to me, this is weird. The HR manager being the PR person. Oh and then there’s a link, I’m sorry. There’s a link there uh to help net security dot com. It’s the, the Asco ransomware attack link. It says to me this is weird. The HR manager being the PR person after a big cyber incident. I did a quick look on linked in but could not find anyone in the company with security in their title. Next thing I look into the profile of the IT director since security is sometimes put under it, but on his profile, I cannot see any indicators that this guy might have any security qualifications or experience in the field. So this company has have has have to give all 1500 employees technical unemployment in quotes and keep extending the end date of this unemployment. They don’t really communicate on what actually happened. They don’t talk about ransomware either. At this moment, I am pretty confident that my that my incident response plan is way better than theirs. And we are small nonprofit media company with about 100 employees and then it’s signed by not going out the person but by our listener, interesting. Yeah. So, and there’s a couple of things, you know, it’s cool that I love when people don’t just take the news for the news, they actually go out and do a little bit of research themselves. So first off kudos to the, the listener, right? I love it. Do the same thing. I’m like, I don’t know if I believe that we’re going to
[00:15:30] Brad Nigh: dig. You need to look and the multiple sources.
[00:15:33] Evan Francen: But here we have a 1500, employee company. And if you do some more background, you’ll find out that it was, it’s a company that’s been uh acquired. It was acquired recently by Spirit. Spirit. Yeah. I printed out a bunch of stuff for brad and I to look at spirit Aerosystems, which is a, I think a much larger company stateside here in Wichita Kansas. Uh, so you have this big company Asko hit by ransomware attack and what date did that happen?
[00:16:09] Brad Nigh: It looks like the
[00:16:10] Evan Francen: seventh of this month, june 7th, the seventh and what’s the date today? 17th, 17th. And on the 15th, the company seemed to publicly acknowledge it. Uh they put something on their website saying, yeah, this is what happened a little bit. We still know source. We don’t know what type of ransom where it is. We don’t know the flavor, I guess. Um, So they had this incident and 1500 people. So it sounds like it pretty much took down their production. Yeah. And they do some serious production to, right? I mean it’s not like their customers are, you know, little bitty, X, Y. Z. Company making little X, Y. Z. Part here.
[00:16:51] Brad Nigh: 30 35 7 37 from, yeah,
[00:16:58] Evan Francen: they have plants in Belgium Germany Canada and us as well as office representation in brazil and France. Well, there’s your problem. I’m just curious. Uh so the plants are still, I don’t know if they’re still closed,
[00:17:14] Brad Nigh: we don’t know that from what I can see. I was reading an article, another one that you didn’t have on here and it seems like they’re still down from the latest news.
[00:17:24] Evan Francen: So technical unemployment. Oh my gosh, technical unemployment. So and and I’m, I’m assuming now I’ve been in a lot of plants before. Um you know, a lot of manufacturing facilities before and typically these aren’t, I mean these are bluish color workers, many of them that aren’t, you know, I mean they’re just they’re hardworking folks and it sucks that they, yeah, they said work from home. They said not work at all I guess.
[00:17:57] Brad Nigh: Well they said, yeah, they send 1000 of the 1400 employees home for the week unpaid leave.
[00:18:04] Evan Francen: Think about how much for a week now then.
[00:18:06] Brad Nigh: Right, well that was that first initial week that had happened, they sent everybody home on paid leave. Imagine what the cost is going to be. And and those are those kind of soft costs that don’t get calculated in
[00:18:22] Evan Francen: And what was the cost in Atlanta? I think the estimate was 2.6 million, something like that. And I think the estimate right now in Baltimore which still isn’t back to normal is like 18.
[00:18:34] Brad Nigh: Well, there was one I was reading on a C magazine and there was a similar ah uh, ransomware, Norwegian aluminium producer, Norsk
[00:18:48] Evan Francen: Hydro was 40 million. 40 million. Yeah. So ransomware sucks. We already knew that though. Um so here’s here’s the issue. So one of the issues that um, you know, our listener brought up was, you know, sort of implying, you know, do they, does this company At 1500 employees ISH Do they have any security jobs? Do they have a security department? Do they have an incident response plan? I mean what is in place? Because there are some tells here the fact that the HR person, so the HR person I did, you know, I found out who that is and her name is public because she’s the one that made the statement Vicky. Well, Bart, how do you do when you see that? Um she’s the C H. R. O chief HR officer, that’s the person making public statements on behalf of the company on the incident because she’s quoted in, you know, one or more of these articles. I don’t know. Is that the right person? I mean, is that p. r. 2? I don’t know.
[00:19:56] Brad Nigh: Yeah, I don’t know. It depends on I guess that’s Yeah, there their layout of structure. Right.
[00:20:05] Evan Francen: And so she’s been with Asco since January of 2011 as their CHR prior to that General Motors Belgium paint shop manager product I’ll Manager paint shop. So a different sort of background than what we typically see. And I’m not I want to be really quick not want to be hard. I don’t want to judge harshly because I don’t know this person and I don’t truly know but the optics don’t look awesome.
[00:20:34] Brad Nigh: It seems like there esko put her in a bad position. If that’s the case right It doesn’t seem like she has the pr background. It’s not again not a shot at her but if they’re putting her in that role.
[00:20:53] Evan Francen: So I followed kind of the same path to that our listener did and just looked up Asco and looked up. You know how many people have security and there’s actually one person who has security in their title. It’s uh what’s the title I. T. Quality and security administrator Been with Asco for seven years prior to that team leader at Hewlett Packard. And I’m not going to say their name because their name isn’t quoted in the news but if you wanted to look and find it you could um so it’s not like there’s not any security person there but the fact that it wasn’t that long ago when the company was purchased either. Right uh what’s the name of the company again.
[00:21:36] Brad Nigh: Spirit Aerosystems.
[00:21:38] Evan Francen: So if you do the same sort of look up of Spirit Aerosystems you’ll find that they have 52 people they definitely had. Yeah 52 people with security in their title somewhere. And they have a Chief information security officer, the Director of Global Security at Spirit Aerosystems is a guy Who spent 20 years as a supervisory special agent with the FBI one year, nine months in the private sector as a director of Information security. I thought it was interesting security incident response to. Yeah, but only a year and nine months. I mean there’s a there’s a big difference between the public sector in the private sector. Things run differently in the FBI in the U. S. Government than they do in the private sector. I mean we’ve seen it happen with some of the people that we’ve hired over the years.
[00:22:32] Brad Nigh: Right.
[00:22:33] Evan Francen: Right. Let’s talk about standards, right. If the policy says to do it, you better damn well do it right. Government, whereas in private sector that may not.
[00:22:41] Brad Nigh: Right. Yeah, it doesn’t
[00:22:42] Evan Francen: work, not like that. So you know this guy um and he had a slide deck up there and I thought that was kind of interesting. Information Security 101. Uh Then I went through that slide deck, you’d I don’t know I mean there’s some security people and I would think that and I don’t know where they’re at with the integration either when you’ve got ASco and Spirit systems where they’re at
[00:23:04] Brad Nigh: and I think they were saying that the merger was only approved in March.
[00:23:09] Evan Francen: Yeah, so they may not even be fully integrated.
[00:23:11] Brad Nigh: And I guess. Yeah, probably not.
[00:23:13] Evan Francen: And in some cases they don’t integrate, they end up running those two separate business operations. So
[00:23:21] Brad Nigh: yeah, that would be interesting to see what kind of due diligence was done on that side of
[00:23:26] Evan Francen: it. Right. That brings up all of, you know, a whole bunch of other stuff. Right? Yeah. Your due diligence of, you know, prior to emerging acquisition,
[00:23:34] Brad Nigh: you’re acquiring a
[00:23:35] Evan Francen: breach. Yeah. Thank you, Marriott, Right. I mean, yeah. So, um, there’s a lot of things here, so getting hit by ransomware and you read a lot of the new stuff and it’s the same things you hear all the time. Uh, ransom is bad. Don’t pay the ransom, prepare ahead of time. Take the, take the money that you would have spent and, and that’s all good, like monday morning quarterback type stuff. And it’s true though, the, having your organization run without an aircraft offline backup for these things as well as doing what you can to prevent it up front. Right. Really good training and awareness programs. But no matter what you do, people are still gonna click stuff.
[00:24:26] Brad Nigh: Yeah, yeah, we see it all the time. Well, we’re seeing the phishing attacks are getting, you know, the one on this. Ir I’m working. It is probably one of the better ones. They fished a small subset of people with a pretty realistic one, but had some tells then got in and copied the president’s signature email signature out of an email and fish the entire organization from inside and the one that came from inside looked Really convincing. It just takes one person and then yeah bypasses all those things. Yeah, but the question is how did it get through the spam filters and
[00:25:13] Evan Francen: but that’s what Attackers do. Right. Right, right. Attackers aren’t, especially if you’re specifically being targeted, it’s not hard to s e, you know, go to any, so this is an attack I’ve seen before um go to an I. T. Conference right? That, you know, because people brag about the conferences that they’re going to, so you have a target a company that you’re targeting and you know, you start following this their information security guy or gal, right on social media and they’re saying oh I’m going to be at birkenau on friday and whatever you like. Okay, cool, that’s right. I’m gonna go meet this person and broken and then your peers, right? You come off as peers. You start talking about what what are you guys using for antivirus? You know, I’m having real trouble. I’m not happy with uh trend. It’s just, you know, it’s not doing what I needed to do. Oh really? What we’re using? Yeah. Persky, Kaspersky and it’s working great and Oh really? Okay. You know, and you have this conversation and you’re building because I’ve seen this attack, I mean people think this is the stuff doesn’t happen,
[00:26:21] Brad Nigh: especially again if you’re targeted. Yeah,
[00:26:24] Evan Francen: it’s totally legit and um, and don’t put it past Attackers to do this kind of stuff, this kind of background. And then uh, and then the attacker creates their malware and what do you think they’re going to test it against what you’re going
[00:26:36] Brad Nigh: to be right, They’re going to go down with your spam filter, which you’re in a virus, right? Your
[00:26:42] Evan Francen: firewalls. So I don’t know, it it just just relying on that, you know, isn’t going to no, obviously isn’t going to work. You have, it’s a multi pronged sort of defense, but where your defenses fail and we’ve been preaching this forever where your defenses fail, you need to have something in place to detect and respond to it. So preparing for these types of attacks, there’s no, it’s almost it’s inexcusable to not prepare yourself for a ransomware attack knowing that their this prevalent knowing that their this impactful we’ve seen in our own practice here and we’re not a huge company. We’ve seen companies go out of business because they can’t recover from a ransomware attack.
[00:27:27] Brad Nigh: Yeah, it’s and you know, I think it’s going to happen, right? It’s it keeps saying it’s not a matter of if it’s a matter of when and how do you, how are you prepared to handle it and you can’t head in the sand. It’s not going to happen to us just doesn’t cut it.
[00:27:46] Evan Francen: Well, it’s it’s not reality, we’re living in a in an entirely different world than the rest of us. Yeah. And I don’t, you know, into the the emailers point, I don’t know what sort of incident response plan they had in place. I I assume there’ll be more details that will emerge into. But that
[00:28:07] Brad Nigh: complete radio silence is not
[00:28:10] Evan Francen: when having your plants an offline for any period of time that shows that they didn’t prepare at least for this particular type of attack, which I don’t we don’t know the details of this.
[00:28:23] Brad Nigh: Yeah, you would think at this point they would have
[00:28:27] Evan Francen: Also in the 15th. So interesting you said that. So Asco released Yeah, something and it says this is from Zevin TEM Belgium On June 15 at 1330. Ask Oh, this is this is their update, uh, their public release. So Asco has become has become victim of a large scale ransomware attack. The attack caused a serious disruption on all of our activities and impacted our ability to communicate are available. Communication means so not only disrupted production communications are
[00:29:05] Brad Nigh: affected when your communication play in his email. That
[00:29:09] Evan Francen: Yeah, probably, yeah, maybe an offline. Yeah,
[00:29:14] Brad Nigh: I can’t sort of out of band. Yeah,
[00:29:17] Evan Francen: well, that’s, you know, you bring up a good point. I was just talking with somebody in another incident response and email and they said, well, you know, we have cell phones and we were talking about instant response on the crossover between incident response and disaster recovery where that, you know, sort of takes place. And I said, and even uh cellular communications can be disrupted in a big event. Right? So what’s the third? You know, just have a meeting point. You know, you you know an event has happened and you don’t hear from me meet here. Right. Right. I mean, even that kind of stuff you have to have in place. All right. So anyway, as a precautionary precautionary, I hate that when you use precautionary as a word in a response there was Yeah. Anyway, as a precautionary measure, all systems have been quarantined and all act and the activities on at all our sites in Belgium Canada, the United States and Germany were stopped. That doesn’t sound precautionary me.
[00:30:24] Brad Nigh: No, that
[00:30:25] Evan Francen: sounds sounds reactionary.
[00:30:27] Brad Nigh: Holy
[00:30:28] Evan Francen: right. Turn stuff off. All right. Together with the relevant authorities, forensic and technical it experts. Uh more security people. Just authorities, forensic and technical experts. Oh, you know, security people are in there somewhere. Probably the forensic forensic people. Our teams have taken control. And so, you know, I said I wasn’t gonna judge look at me. Our teams have taken control over the incident. I don’t know what that means either.
[00:30:59] Brad Nigh: And they shut everything down. So
[00:31:00] Evan Francen: that’s control. Yeah. Uh So yeah, because usually we’re taking control would be what containment maybe. But you’d probably be well on your recovery
[00:31:12] Brad Nigh: you’re probably you have identified the fix and
[00:31:16] Evan Francen: you back up your coming back. Alright taking control over the incident and are committed to reduce the consequent impact on the business activities. It is because of the specific nature of the attack that we want to assess every individual I. T. System not to compromise security. Uh Newsflash security was compromised
[00:31:38] Brad Nigh: and adam on their website and they have just errors on there.
[00:31:44] Evan Francen: It’s sort of funny because it’s like it is because of the specific nature of the attack that we want to assess every individual IT system not to compromise security. What do you call this? Your security was compromised right too late. Yeah unless you’re talking about confidentiality, you’re talking about data, exfiltration something else.
[00:32:05] Brad Nigh: And that may have been what they were worried about because if they were sure you’re doing work for Boeing and yeah and Lockheed martin and it’s like oh no
[00:32:14] Evan Francen: poor choice of words. Maybe
[00:32:16] Brad Nigh: wilt, that’s why you need a but then you are a person but then you use the word whilst
[00:32:21] Evan Francen: that’s an awesome word. I’m not sorry I’m going to use the word whilst whilst quarantining the sustainability and quality of the solution and mitigation actions that are put in place. We take an approach of extreme caution as we cannot accept an impact on the security of the systems. Did it really take eight days for them to come up with this. Uh I’m sorry this
[00:32:47] Brad Nigh: is I think the problem is it’s not
[00:32:50] Evan Francen: just translation thing maybe
[00:32:52] Brad Nigh: potentially. But again that’s why
[00:32:54] Evan Francen: should they speak in Belgium is a Belgium dalglish. I don’t know. Somebody’s gonna give us. It’s always gonna send us all
[00:33:03] Brad Nigh: an idiot. Right. You don’t even know it is. Uh,
[00:33:09] Evan Francen: are you looking it up the link?
[00:33:10] Brad Nigh: Well, I clicked on a news link and I can’t read it so.
[00:33:15] Evan Francen: All right. So we’ll skin okay.
[00:33:17] Brad Nigh: Do you recognize ransomware in that?
[00:33:19] Evan Francen: Nice. I mean, not nice. With the help of external expertise, we installed several work streams to allow a safe and secure restoration of our systems in the different sites. We are now gradually rolling out our business continuity strategy. I don’t know. In order to restore operations. The forensics investigation is ongoing and to date this analysis has not identified evidence of the exfiltration of any information or the non recoverable loss of it. Well, you got non recoverable loss of revenue that’s for sure. Uh currently, our teams are putting in every effort to resolve the challenges caused by the attack. As as a company, it is our priority to provide clarity, continuity and support to our personnel, clients, suppliers and partners. As we gradually restart our operational activities. Over the course of the following days, we will keep our employees as well as our involved clients, suppliers and other stakeholders informed through the following channels, designated contact persons have established direct communication with their contact persons from our clients suppliers and partners. We commit ourselves to answering as many questions as possible. We are in the process of putting together a frequently asked questions page on www dot asco industries dot com. Overall communication and press handling around this topic is being coordinated by mrs Vicky. Well Bart that well paired. Yeah. What do you say that? And then our phone number who is also at your disposal for any questions you may have. So that’s that, that’s their news release. And I I wanted to rip on it more just for the record. But I feel like I’m being harsh. Am I being harsh bread
[00:35:12] Brad Nigh: Flemish, dutch, french and german? There you
[00:35:15] Evan Francen: go. That’s what they speak in in in
[00:35:17] Brad Nigh: Belgium that it says all right,
[00:35:19] Evan Francen: go to Belgium. I met a guy from Belgium actually once at Dutch black hat who was in my social engineering class with me. He was cool. I liked him.
[00:35:29] Brad Nigh: I think the problem that I have a this is again very clear, I’m not ripping on any of the the people that are making the statements, right? I don’t I don’t know their background crappy statement, but this is why you hire a pr specific or you have a pr person do this because like you said, words matter translation if it’s lost in translation, but it’s put on their website in english
[00:35:56] Evan Francen: and if it’s a it’s lost in translation, then do two different statements, right? Do a
[00:36:00] Brad Nigh: Belgium. Right. And that’s what the, you know, a pr company is going to know and understand. And I think, you know, like his words matter. So these little things make you go what?
[00:36:12] Evan Francen: Especially where they don’t want you when you’re talking about people’s jobs, right? You have 1500 people are 1000 people or some number of people don’t have work right now. You better you better be damn clear on your
[00:36:24] Brad Nigh: words are used. Yeah, because they’re gonna be looking ability to make a living well, but there it said they’re paying them so there are at least getting Yeah, they send them home with pay, but they don’t know how many. Thank you. But how many of those people are going to go, Well, I’m gonna go work somewhere else because right, there’s no communication. This is what they’re being put out there, is there? I would assume there’s no uh, internal communication going on. Yeah, I don’t know.
[00:36:59] Evan Francen: You would think this is their communications right? Were impacted. I don’t know. Yeah, yeah, interesting statement. Um, but then you get all the normal Uh, you know, newsy stuff, right? You got to have backups. You gotta test and you know, I mean, those things are all absolutely true. If you haven’t prepared yourself to respond to a ransomware attack in the year 2019 when you’ve seen ransomware attacks all over the damn place affecting companies of all sizes, small, large teeny, whatever government. I mean, if you don’t have adequate protections in place to protect yourself from arrangement at least from recovery. If you can’t protect the actual infection, protect your ability to recover within a timely period. Test that stuff have an incident response plan. Have communications built into your incident response plan. Internal and external communications.
[00:37:59] Brad Nigh: I mean to me what’s absolutely critical in that statement, It doesn’t say there anything about it doesn’t reference it’s in response plan were gradually rolling out our business continuity plan. That’s the only plan they
[00:38:11] Evan Francen: mentioned. Well, and the fact that you security as only appeared only affecting confidentiality, data integrity is in question. You’ve got certainly availabilities an issue and those are cornerstone important. Critical pieces of information security that you’re just discounting here. Right. And if somebody can place ransomware on your systems that easily, you don’t think they can exfiltrate. I mean is
[00:38:37] Brad Nigh: your how do you know,
[00:38:40] Evan Francen: is your your egress and your DLP you know, is it that solid? I doubt it because you couldn’t, you know, and there’s there’s a lot of issues and and I don’t want to be critical of just ask, oh either. Right. This is the latest example. This isn’t epidemic problem.
[00:38:57] Brad Nigh: Well, yeah, we see it all the
[00:38:58] Evan Francen: time. And it’s, it affects. I mean, what are the estimates now? $6 trillion dollars will be, you know, transferred from normal legal industry too. Yeah, cyber calm cyber criminals, crooks, uh, people that take advantage of other people and you don’t just like say, oh that’s just the way the world doesn’t know. It’s just crap, you know, Right? Yeah, that’s we can’t let them win. It’s time to get off your button and actually do the things you’re supposed to do as part of just running a normal business. This is part of business. This is how you do business in the year 2019 right period. Yeah. Yeah. All right off myself box. Uh anyway, that’s ask. Alli is frustrating. It really is. So if anybody’s listening and you don’t have an incident response plan, if you don’t have uh if you haven’t accounted for ransomware in your incident response plan? If you haven’t counted for communications in your incident response plan. Do it stop listening. Push pause on your right and your podcast right now and go out there and do it. And if you need help, if you need somebody to talk to your executive management, if you need somebody to drive this home to make this a priority, call us, you know, we don’t work. If there any lawyers listening, sorry, we don’t work like lawyers and call us. We’re here to help. Uh it’s just tiring people’s lives are affected by this, correct? Okay, well that was good. Did you have anything else to say about as co brand?
[00:40:36] Brad Nigh: I can’t wait to see kind of the postmortem and what details come
[00:40:42] Evan Francen: out. Yeah, me too. Alright. So big thank you for our listeners. Thank you for uh you know, uh calling this out and uh, you know, giving us something to get, I’ll get our blood pressure up on a monday morning. Yeah. All right. Let’s get to some news and then we’ll wrap this thing up. So two news articles that I that I picked and uh and we don’t have to talk about them in detail. I just think they’re interesting. One is uh, from G. B. Hackers, Zeno time hacking group expands its target to the U. S. Electoral electric utility sector. The next news is us escalates online attacks on Russian power grid. So
[00:41:23] Brad Nigh: it’s kind of both. Yeah.
[00:41:27] Evan Francen: Well this is the this is also the world we live in. We live in a the new Cold War is an online cyber war. That’s and we’re at this sort of stalemate, right? It’s maintaining this balance where in your systems, you’re in our systems, right? We could click go just as easily as you could click click click go. But that’s what we live in the part that um sort of sucks about this war and I’m not going to go into too much detail. Um, is that there’s collateral damage? And the collateral damage is people like you me, uh, right. You know, Yeah, there’s a lot of information being collected that’s not currently being used. That could easily be used uh, in the event of an attack, right? I mean an actual active like flip the switch kind of thing. Uh So that second story the us escalates online attacks on Russian power grid that’s on msn dot com. Um interesting stories that you can certainly reference from Evan francine dot com uh to read about it. But it’s, yeah. Do you have anything to say about it? Because I don’t want to,
[00:42:45] Brad Nigh: it’s almost like the new cold war. It is, I mean realistically at this point you could, I don’t think it’s an accident that those two stories came out at the same time and or with it. Right. Right. Hey Russia is targeting our stuff. Guess what? Right. We’re gonna get there still. So
[00:43:04] Evan Francen: from the chinese and the Iranians and north Koreans and the Canadians and I mean, yeah they’ve all got several warfare capabilities. Yeah. And they’re all in each other’s junk and in your junk in my junk, you know.
[00:43:21] Brad Nigh: Yeah. It was, there was an interesting story I just saw from telegram is the Hong kong protesters are using telegram and telegram. The company came out and said, yeah, we got a massive attacks from china slow things down but it didn’t take us down. But there’s, you know, it’s always interesting when when you see that stuff.
[00:43:47] Evan Francen: Sorry. That’s my Mhm. That’s the thing. Does
[00:43:51] Brad Nigh: it actually record that?
[00:43:53] Evan Francen: Oh yeah people hear it and then people complain,
[00:43:58] Brad Nigh: you know because you
[00:43:59] Evan Francen: are professional death threats and stuff. All right. So yeah good good two news stories and then the other one amazon has been sued over illegal retention of child recordings through Alexa?
[00:44:13] Brad Nigh: I’m wondering how that’s going to play out in uh G. D. P. R. Stuff too because this is in the US with a couple of states. But I would imagine that’s gonna become a big issue of her in europe as it should perhaps in Belgium as it is in
[00:44:29] Evan Francen: europe. That is in europe. That’s right. So I’m told yeah there’s so many privacy issues with iot and in Alexa and google home and again, but people just keep buying it. You nobody wants. I don’t get it man. I know I just would never put a listening device in my home. Right? I would never put it listening to ever. Alright. Not willingly and not purposefully right. You know and I saw something this morning to about Samsung their TVs. They’re talking you know you’ve got to perform regular virus scans of your tv.
[00:45:05] Brad Nigh: I don’t connect my tv to the
[00:45:07] Evan Francen: internet like nuts. But anyway this story is e hacking news. The title is amazon sued over illegal retention of child recordings through Alexa. Amazon is being sued by a massachusetts woman for unlawfully recording and storing the voices of Children with its Alexa enabled devices. The lawsuit filed in Seattle this last week, interesting. Yeah like you said it’ll be interesting to see how that plays out Alexa is not coming into my house because I tell me if you believe this and then we’ll wrap this thing up. Do you bully? So, I know what? No brother, wrap it up? I don’t believe so. You don’t believe me. Or this this Oh no, I think you will. I’m sort of of this theory that every new technology I add into my life, I strip away a little bit of humanity in my life. So like, it kind of dawned on me this weekend because I was out camping and I was walking and I was like, man, it’s just beautiful.
[00:46:16] Brad Nigh: Right?
[00:46:17] Evan Francen: I’m not in front of a damn computer. I’m not like you get
[00:46:20] Brad Nigh: so plugged in. Yeah.
[00:46:24] Evan Francen: And isn’t that hard for me to get up and and go to the store and buy something or go on versus having Alexa. I have to buy it for me or to, you know, turn down the shades on the
[00:46:39] Brad Nigh: windows. And I think there’s no there’s no question. There’s been a lot of good coming out of it, you know? Especially like the gps and mapping and that, that stuff is really nice. But yeah, there’s it almost feels lazy,
[00:46:56] Evan Francen: you know, like, I’m like, I’m losing like, we’re losing ourselves, right? We’re letting the machines do things for us that you should be doing yourself.
[00:47:06] Brad Nigh: Yeah. Yeah, like the even the voice control remote. I’m like, no, come
[00:47:12] Evan Francen: on. Right. I
[00:47:14] Brad Nigh: can I remember, I remember I had to walk
[00:47:16] Evan Francen: across unit. I remember when I was my father’s remote control. Right? Evan turned on? The twins game.
[00:47:23] Brad Nigh: All right. Which one. Where do I have to turn the dial? Which way? Yeah. What number, dad?
[00:47:28] Evan Francen: All right. Anyway, that’s uh, that’s
[00:47:30] Brad Nigh: this week. It’s our old man yelling at the clouds moment of the week.
[00:47:34] Evan Francen: Well, you know, I just think it is. I do think it’s true. I do think we’re losing our humanity. I really do it. Uh, we’re losing our ability to have face to face conversations like we used to kids are all, you know, they’re not interacting. Like, you know where I live? I live in a small town in in living Laconia Minnesota. Right? Small town. And there are tons of kids who live in that. It’s a it’s a, it’s a it’s a suburb. Right. Right. And any given time when I drive through a small town, you should see kids everywhere. Yeah. You just don’t, just don’t back in, you know, and it wasn’t all that long ago when you would, they’d be hanging out. They’d be having fun. They’ll be riding their bikes and building a bike jump. They’d be doing something fun in person right now. They’re on games or, you know, Snapchat or
[00:48:32] Brad Nigh: God, they’re not, they’re not social skills are not there.
[00:48:37] Evan Francen: Yeah. Because like any technology, there’s good and there’s bad. I’m just fearful that the bad is, I don’t know. I’ll write something about it someday. Right, So that’s a wrap. Thanks again to our listeners. Thank you brad. I always enjoy talking to you man.
[00:48:53] Brad Nigh: My favorite time every week.
[00:48:56] Evan Francen: Uh, so let’s go have a great week. Don’t forget you can follow me or brad on twitter. I’m @EvanFrancen Brad’s @BradNigh
[00:49:06] Brad Nigh: I might have to actually tweet something this week because I’ll be smoking ribs and brisket. So, some barbecue pictures. That’s all my twitter is going to be, Is
[00:49:15] Evan Francen: why not? Yeah, I agree. Uh, an email us at the show, unsecurity@protonmail.com. Uh, we’ll get you on the show. So thanks a bunch. Have a great week.