In this episode, the first UNSECURITY podcast, Evan and Brad discuss current information security events, including what they’re both working on, and information security industry news.
Podcast Transcription:
[00:00:18] Evan Francen: So here we are Brad. It’s our first ever uh podcast. Right? Yeah. And I called it the the UNSECURITY podcast. I don’t know, I guess to keep along with the branding of everything else. I like it. Yeah. Well if we don’t like it, we can always change it, you know that. Right? So we’ve got lots and lots to talk about what’s uh you know this, so we’re recording this on Sunday. That’s when we’re going to record. I think most of these uh tell me about your last week and you know what’s going, what’s going on this week, anything cool and exciting.
[00:00:54] Brad Nigh: Um you know, you as you know, you were involved in those a couple incident responses that we had at work. Um Yeah, yeah. We’ve been having a lot of uh trying to think what was going on. Mhm. You know, we you know, we you know, we actually did a couple interviews for clients they’ve gone through and identified um you know, kind of a final candidate for in-house positions and uh asked if we would do that final sanity check from a security perspective, does the person really know what they’re talking about. So it’s kind of fun. I like to do those.
[00:01:37] Evan Francen: Okay, so we had a he had a couple of clients who asked us to interview, yep, candidates that they’re entertaining maybe for hiring?
[00:01:45] Brad Nigh: Right. Right. These are vCISO clients so it would be somebody to come in and be their security analyst doing some of the work. And would you guys mind making sure they’re actually, they know what they’re talking about?
[00:01:59] Evan Francen: That makes sense. So like well we’re still the vCISO, so we’re kind of doing that that I guess strategic direction for the security program and this is more somebody to do the day to day.
[00:02:11] Brad Nigh: Right. Right. Yeah. Actually getting in and doing the log reviews and doing the configuration changes and those types of things.
[00:02:20] Evan Francen: That’s cool. We have uh you know the one client I guess that I work with they’re trying to hire somebody like that, a security manager. Mhm. You know so we interviewed a few and you know I liked them and I think they liked them but then there’s one person so it always seems like there’s one person, the CIO didn’t like them last you know last minute like You know what do they call that, 11th hour, it’s like all right well I guess you can start over again.
[00:02:56] Brad Nigh: Yeah there was one where we were uh Megan and I did we’re like man if they don’t make him an offer I think we might tell him he was I was really impressed. So
[00:03:09] Evan Francen: yeah. Well we have a shortage of information security folks so somebody will use them, yep.
[00:03:15] Brad Nigh: Yeah they ended up making him an offer so well cool, it will be good to work with them.
[00:03:21] Evan Francen: Yeah. Yeah for sure. So yeah the what what time of the week do you kind of um get prepared for the next week? Is it is it usually on a Sunday or is it like Monday
[00:03:34] Brad Nigh: morning for my uh here’s what’s coming up? I always like to look on Sundays to get a high level of what’s coming up for the week. So you know after I get the kids to bed I’ll just pull up my calendar and review what’s already on the calendar. Um And then I always have to check it every night to prepare for the next day as well because you know how quickly these things change and calendars get filled up? But yeah usually on on Sunday evenings I try to reset and figure out what what’s coming up and prepare for it.
[00:04:09] Evan Francen: Speaking of that, what you were just saying that I was looking at my calendar for next week, I realized that I have some meetings that I I forgot I have what’s new.
[00:04:22] Brad Nigh: I was doing that last week and uh last Tuesday I had no client meetings at all and I was looking at that Sunday, like that can’t be right. But no I had a had a day with no no client meetings. It was unreal.
[00:04:40] Evan Francen: Nice. Do you have any dates like that coming up this week?
[00:04:43] Brad Nigh: Um friday looks pretty good, but that’s, you know, that will change, it’s still too far out for that to be uh staying up me.
[00:04:54] Evan Francen: Yeah, that’s and so for people who don’t know us, I guess, you know, being this is our first podcast, you’re the director of consulting services at FRSecure uh and I’m the CEO and so that’s sort of how our week goes, isn’t it? I mean you might start off on a Monday and thinking, oh man, my week looks pretty light, but you know, one blink of the eye and there’s no free time.
[00:05:22] Brad Nigh: No, no, if it if it’s not blocked off, it gets eaten up. So I do try to make a concerted effort weekly and block off a couple hours to actually dedicate towards that, you know, product, product, the methodology and development stuff. So otherwise, yeah, it would just completely get eaten up and get away from me.
[00:05:46] Evan Francen: Speaking of methodology. What any any kind of cool things that you guys, because I know your team is doing a lot of cool things with methodology, you know, with road mapping from the FISASCORE to, you know, creating new mappings, all kinds of cool things that you guys were doing, anything in particular?
[00:06:05] Brad Nigh: Uh I think the two big ones are we’re getting ready for the new version of the uh ISIS for, so we have to go back and update all of our mappings and and all that stuff which honestly I enjoy doing, it’s fun. Um so we’re looking, I’m kind of looking forward to that and seeing where that comes out. And then the our virtual vendor risk manager uh, offering, so kind of like the vCISO, but for vendor risk management. So we’re working on that.
[00:06:35] Evan Francen: That’s cool. That should be exciting because I think one of the things with, even though we have the VenDefense tool, uh, you know, having somebody, it still requires somebody to do something, right? And so, you know, having an expert doing that.
[00:06:51] Brad Nigh: Yeah, yeah, and we’re looking at, you know, that there’s multiple levels, right? Depending on the company, some people just want that guidance at strategic level of, I think I’m doing it right versus others that just say, hey, 4-foot sets off. You do everything for me, you know, ultimately. Either way, my, my thought is the company is still going to have to make that risk decision. But we can, how much of the work we do prepping them for that decision is is kind of up to them. So
[00:07:24] Evan Francen: yeah, yeah, that’s good. So before we, uh, you know, before we started this talk, we put together some things, uh kind of some recent news items, things I think that might be pertinent. But then You sent just 15 minutes before we started, uh, stuff that Megan has been putting together and sharing with the team, which I thought, man, that’s some cool stuff that she’s got there so we can talk about all that kind of stuff. Um You know some of the recent news things, one of them was from a guy named Troy Hunt. Now, do you have you ever did you before they said you ever heard of Troy Hunt before?
[00:08:01] Brad Nigh: Honestly I hadn’t
[00:08:03] Evan Francen: Okay because he’s been around for a while. Uh he’s a sort of big, you know. That’s funny too because when I wrote the book uh we were in this phase right now where it’s you need to get endorsements. Right? And so uh Suzy says I need to go get some big name endorsements and big name like who? Mhm. I mean I can say some big names like Bruce Schneier or Chris Hadnagy or you know whatever, you don’t know any of those people, you know what I mean? She’s like, well do you have anybody more famous? I’m like who’s famous?
[00:08:47] Brad Nigh: What? Yeah. What circle are you looking for? The same?
[00:08:51] Evan Francen: Right. Right. So it was kind of an interesting discussion but it’s the same thing I guess, you know, Troy Hunt or anybody else in our industry. I mean he uh he’s uh he’s been around, he’s a Microsoft guy, been known as a Microsoft guy. Um MVP. Travels around, you know lots of events speaking on you know Microsoft things and security things. Um But anyway his article, what caught my attention originally, I found it on Bruce Schneier’s blog uh where the title is, “Here’s Why [Insert Thing Here] Is Not a Password Killer.” And so he’s talking about how passwords aren’t going anywhere anytime soon. Right? So even though everybody hates it, I mean I hate passwords. Yeah, it’s frustrating, you know, when when users use passwords insecurely. Um Yeah, I mean, so he talks through, you know, because on the one side you like, uh it’s cool that there are people out there trying to create solutions to get rid of passwords altogether. Right? That’s great. Where it’s not great is the frustration or um I guess the reluctance for people to adopt some of these technologies, you know, whether the QR codes or some other some other method of authentication.
[00:10:32] Brad Nigh: Yeah, the lot of resistance to that. It’s that resistance to change, right?
[00:10:37] Evan Francen: Yeah. So his point is that passwords aren’t going anywhere anytime soon. Uh And maybe even never, I mean might always have to deal with. Not never, but you might always have to deal with passwords so don’t wait and don’t stop trying to teach people good password, delicate. Mhm. They’re still going to be around, yep. What are some of the password tricks that two years?
[00:11:03] Brad Nigh: Uh so I think the biggest thing is phrases, right? It’s I’ve been doing that and preaching that approach, actually went back and looked and in 2011 I put together a proposal to change the company password policy and expo and put together, hey here’s each of these lengths and how long it will take and here’s how we can make it more secure and it was you know passphrases, because people remember that um you know quote from a movie, some sort of inside joke in your family, whatever it is. But length is going to be the easiest way to add security to it. And if it’s a It’s a phrase from your favorite movie then it’s a lot easier to remember than 15 digits randomly generated from a password manager.
[00:11:52] Evan Francen: Right? I suck at remembering lines from movies. Are you good at that?
[00:11:57] Brad Nigh: Uh Yeah depends some of them right? Some of the ones that I’ve watched you know so many times or stick out but
[00:12:09] Evan Francen: knows the best of it in that I’ve seen at the offices john harmon
[00:12:13] Brad Nigh: Yeah you got that quote whole scene. I know
[00:12:17] Evan Francen: and and he and he caught him like like I’m supposed to know what he’s saying. Mhm. Yeah I just went I was just I was talking to Renee at work and I was saying have you seen that new movie? And I couldn’t remember the name of the movie and I had just seen it like two days ago. That’s how bad I am at that. It was the movie where the country you may bring went out of seeing whether it’s a country western guy and this Lady Gaga is in it,
[00:12:44] Brad Nigh: you know? So I know what you’re talking about. Yeah, I can’t I don’t I haven’t seen it. Yeah, I’ve seen clips and trailers for it. I know exactly what you’re talking about.
[00:12:54] Evan Francen: Yeah, so that’s how bad I sucked at movie and I can’t remember movies, let alone remember lines
[00:13:00] Brad Nigh: the movies. I remember him from our you know, because I got three younger kids is all the animated movies, right? Because like that’s all I ever see anymore. Like we went and saw the parents this morning. Mhm.
[00:13:13] Evan Francen: Let you go. Lydia wants to go see that. All right, so long is strong right? In passwords? Uh Making passwords super cryptic I think just makes them more difficult for you to learn or to you for you to remember,
[00:13:30] Brad Nigh: yep, I would agree, I think you know, so I do a lot of well I haven’t done it recently but I was doing a lot of the training for clients and going around and that’s one of the things that we really do talk about. So I was doing one and in it we say Here this is a password that matches and satisfies password requirements. It was Spring2017, right. And then why is that? Well people, you have to change your password every 90 days, so it’s winter, spring, summer, fall of the year and then it changes the next year. That’s not really that secure and she came up afterwards and was like um so I saw my password up there, I was like, oh yeah, yeah, but you know, that’s exactly, we also say go through what is a strong password and you know, Well it’s you know, we have four examples and one of them is 16 digits randomly generated and almost always people pick that one. It’s like, no, it’s not because if you have to write it down to remember it, you’ve defeated the purpose of it. That’s a great strong password. Yes, but not for a human, for a computer. Fantastic. And you know, I actually use the XKCD example, oh yeah, was it correct horse battery staple?
[00:14:53] Evan Francen: Oh yeah, yeah, wow. Well, so the passwords are one thing and, and I think sometimes will remiss with users is telling them why or or we we we tell them the why. Yeah. And we sort of assume that they understand what we’re saying. Yeah. You know, because it’s not that they’re dumb, it’s just a miscommunication, it’s just I think we’re not communicating. Mhm.
[00:15:27] Brad Nigh: You’re right. And I think when, you know, we have, I think we have a good response when we’re in front of people and talking about it as well, it’s been my experience, but you don’t, that doesn’t translate well, you know, in a written word or what I’ve seen out there, you really have to be able to understand and read that the audience and kind of help them understand. You can see people questioning it and trying to come up with what would be a secure password and getting conversations started and uh I think those companies we’ve done that in have had much better improved, you know, improve passwords from. Sure.
[00:16:09] Evan Francen: So one of the reasons why, you know strong passwords is we’re trying to prevent attackers from guessing them or cracking them. Right. Right. And so if I choose, you know, common English or common, you know, obfuscation techniques, attackers can guess them and if they guess them, it’s probably in a dictionary file. And so it’s it’s trivial for them to get that password. The other one is password cracking where maybe I’ve got the hash values of passwords. And so I’m trying to do an offline, you know, cracking of those passwords. And so if you make them longer, it makes it more difficult for the attacker to get the passwords through those two methods. Right. Right. But what I think is the most common method of getting passwords is just asking people,
[00:17:11] Brad Nigh: Right. I think it’s that’s the easiest way.
[00:17:15] Evan Francen: Yeah, I mean just do a phishing attack. Right. And so you were talking to about um, you know, breaches and some of the incidents we’ve been working on recently and I’d say the last five incidents that I’ve been involved in have started through phishing. Yeah. You know where the user just gives them the password now. There’s two parts to that too. Right. It’s uh, you know, obviously we don’t want users clicking on links and giving passwords. That’s bad. But let’s assume that we can’t ever eliminate that problem. Right. There will always be some percentage of users who will always click on links, will always give out passwords. It’s just that’s just human nature. Yeah. So then we try to limit what an attacker could do if they did get that password. Yeah. Right. And so that’s why it’s so important to have two factor authentication on anything external. And so, you know, you try to explain that to companies yet. Still so many companies are slow to adopt that. I think they’re getting better at it.
[00:18:31] Brad Nigh: Well, I think so. And what’s crazy is there so many at this point, good or uh, you know, cheap or free solutions. It’s it’s almost silly not to do it.
[00:18:46] Evan Francen: Yeah, I think it is. I think it is silly. And I think, you know, and there’s this whole thing about, okay, a breach happens and litigation and liability. That’s one of those things that’s always kind of fluctuating. I think some people are losing patience with other companies, you know, they’re getting tired of it. Um, so, but just, I mean, I just can’t imagine that if if if I were drug into court or something, you know, how would I do? It’s really kind of becoming indefensible because it’s just so common.
[00:19:25] Brad Nigh: Right. So I just I wanted to look it up because I wanted to make sure I got the right numbers. But so the 2018 Data Breach Investigations Report from Verizon, they said out of the report, 93% of all the social breaches were from. Uh let’s see how hard, 93% of the breaches, it was 96% was was email, 96% of the social breaches was email. So yeah, it’s it’s incredibly easy to do. It’s so easy to to help prevent with that multi factor.
[00:20:05] Evan Francen: Well, it’s not it’s yeah, I mean, and this isn’t anything new, right? I mean, breaches or phishing attacks have been going on for 20 plus years now. Yeah, this isn’t like, oh my gosh, I’ve never seen this before. And so we’re just not nimble, you know, people. Yeah. Anyway, um and that’s that’s kind of a frustration because attackers know that it’s this easy. Mhm. It’s not it’s not going anywhere and now we’re starting to see more and more, well, I don’t know if we’re starting to see it or we’re just paying attention more, more and more home users are getting hit too. Yeah, I mean cryptojacking is everywhere right now, you know, where, you know, either users are browsing the browsing online, you know, with an admin or a privileged level account, you know, and and going to websites and, you know, bad ads and installing malware not even knowing it, it’s crypto I well, and,
[00:21:12] Brad Nigh: you know, I think this goes to our approach to is, you know, when we do our training, it’s protecting corporate and personal information, because if you have bad habits at home, they’re going to happen at work. You don’t change how you behave from home to work. Right? So it really does come back to trying to educate people to good practices, regardless if they get their home computer locked up or they have a breach at home and lose their bank information. How effective do you think they’re going to be at work? They’re they’re not focused on work. Right? So it really does all tie together on that
[00:21:49] Evan Francen: for sure. Well, and I think, I don’t know, we’ve been, we’ve been in security for a while. That’s the beauty of of security, is that it all ties in together? I mean, everything in information security has a tie in, Right, yep. Uh, so, I mean, that’s the beauty part of security, the bad part of security is you don’t see beauty much. You don’t see a lot of people doing it well, putting things together well,
[00:22:17] Brad Nigh: it’s funny, I was, you know, you you say that and it’s like, what, what sticks out more to you, those truly horrific ones? Or the like, oh my gosh, this is incredible. Like to me, those, wow, you’re doing this right, are so much more rare that they really stick in my, you know, my head like, yeah, they’re doing it right? Yeah.
[00:22:42] Evan Francen: Well yeah and you can tell to when you when you talk to a client or you talk to somebody at a conference and you um you can sense your frustration at least I can. Sometimes I can sense my frustration level going up when I’m talking to some sometimes people on security and it’s like no man. Yeah. You know it’s just
[00:23:08] Brad Nigh: yeah. Anyway it’s not you don’t have to be militaristic and just force everything and lock everything down because that’s a that’s a common approach me here. Right? Just, nope it’s my way or the highway we’re shutting this stuff down.
[00:23:21] Evan Francen: All right. Then you go then you’re not looking for a new job.
[00:23:24] Brad Nigh: Yeah. The company hates you. You don’t get by in. Yeah.
[00:23:30] Evan Francen: Well that reminds me so we had another you know sort of article this week. It was it’s a long read though.
[00:23:38] Brad Nigh: It was
[00:23:40] Evan Francen: a one hour and three minute read. I’m thankful that they actually put that on the top of the article. Yeah. I don’t know if you saw that. I was like how much time is it? It’s got to be a you know it’s a normal article, take me five minutes and like oh yeah I’m gonna have to set some time aside for this.
[00:23:56] Brad Nigh: Yeah I started to read through it and then I was like whoa how long and I saw that at the top of the car. Right. Yeah
[00:24:06] Evan Francen: it’s good. It’s good. Right?
[00:24:09] Brad Nigh: Yeah. Oh it was it was so in depth. It felt a little bit hard to follow at times just because of the amount of information they were throwing at you. I had to go back and read a couple sections again. I was like wait what? Okay. It is really comprehensive.
[00:24:27] Evan Francen: Yeah. So the article we’re talking about is the one from Third Way and Third Way is a national think tank and they wrote a paper and the title of the article is uh “To Catch a Hacker: Toward a Comprehensive Strategy to Identify, Pursue, and Punish Malicious Cyber Actors” and it’s at thirdway.org. Um It is a long read but I think it’s, it made a lot of sense to me on how we just sort of get more serious about these things. We have to rather than just kind of half-assing it, which is, it seems like what we do, let’s let’s unify, let’s make this, let’s be deliberate. Um let’s identify the sources of cyber, they call it cyber crime. Um let’s address the enforcement gap and then let’s create a strategy to hold these people accountable because right now attackers operate with impunity. Yeah. Unless you’re dumb, that’s unless it caused too much problem.
[00:25:40] Brad Nigh: Well and and that’s one of the in there. They’ve got that number of convictions for internet fraud with the actual conviction rate per year and I had to go back and I got through it and read and saw the graph, was like wait, I had to go back and reread it because it just seems so wrong when you actually see the graph that you know As of 2016 there were nine convictions for Internet fraud. In 2015 it was 19. You know the the highest was in 2011 and they had 27. There’s nothing stopping them. Like that’s so I can’t even imagine.
[00:26:18] Evan Francen: Yeah it’s it’s troubling. And so it and they even asked about that you know with uh then quotes In the KARE 11 story um last week you know the reporter asked him uh you can make 100 times more money if you went to the dark side. What keeps you on the not the dark side. I loved his answer because I think it’s what motivates all of us. It’s he he wants to help people. It sounds so cliche but it’s the truth because I think any one of us if we didn’t have scruples and you know I didn’t care about people. What what would stop us from making anything you wanted to make right?
[00:27:09] Brad Nigh: Yeah it’s you know yeah that’s I think that’s dead on. You know you think where you’ve worked, where I’ve worked if we didn’t have scruples with the access level that we had Newton. You could have had any amount of information but that’s it’s not the right thing to do. I would, yeah, can’t be wired that way.
[00:27:33] Evan Francen: So yeah, I’m looking at that graph that you, that you alluded to in the article 27 actual convictions for Internet fraud in the fiscal year 2011. And it goes all the way. 2016. That was the highest number of any year. 2016. It was nine.
[00:27:54] Brad Nigh: Hey, I mean, yeah. And how many breaches and ransomware attacks and that doesn’t even consider, you know, the personal stuff, that’s just corporate, like there’s no way I can, yeah, blows my mind.
[00:28:13] Evan Francen: I can see a region for words. I can’t, I just can’t believe it. Yeah, I’m with you.
[00:28:20] Brad Nigh: There is basically no, no deterrent there, right that the odds of getting charged and convicted or yeah, it’s just not gonna happen.
[00:28:34] Evan Francen: Well, yeah, and so I’m more uh, you know about some of that expert witness stuff. Um, and I think some there are, it’s hard to say, but it’s a the State Department or the Department of Justice is putting a lot of effort in trade secrets. I think more effort today into prosecuting, investigating and prosecuting trade secret crimes, but um, based on what I’ve seen, they’re not doing it well. Yeah, a lot of them are pleading out, but I don’t think they’re getting many convictions where, you know, it’s actually going to trial or anything like that. I’m representing one today that is going to go to trial, at least that’s what they say and I think the the government’s case is not very strong, not from a trade secret perspective because a trade secret isn’t a trade secret unless you protected it like it’s a trade secret, right? Yeah I think it is a little bit wonky.
[00:29:48] Brad Nigh: Well you gotta you know the more I think thinking about it, how many of these are overseas and outside of the U.S. anyway, so yeah that does drop a lot of that out.
[00:30:01] Evan Francen: Yeah. And one of my favorite, so you look at like Brian Krebs, love his investigations. I mean that guy, okay, can seriously investigate. Yeah, follow a trail all over the place and there they do have success every once in a while of getting somebody who’s overseas but usually it’s just because somebody, you know, the criminal uh made a mistake,
[00:30:27] Brad Nigh: right? Yeah they get, well it’s always they get overconfident and cocky and then that’s what does them in, right?
[00:30:37] Evan Francen: And one of the uh one of the ransom was one of the ransomware variants or groups I guess that they alluded to a little bit in that thirdway.org um report was the SamSam group or the SamSam ransomware, whatever. And so I started doing a little bit more digging on that because we haven’t, I can’t recall running into that in any of our investigations. The last one was rock. Um Yeah and that one got weird but the uh so I I was like man I’ve you know I’ve I’ve heard and I’ve run across SamSam before, it was like where did I hear it? Well it turns out that SamSam was Atlanta, I think That group which I think is going to end up costing Atlanta or did end up costing Atlanta $17 million. It’s a lot of dollars.
[00:31:36] Brad Nigh: Yeah that’s that’s hard
[00:31:39] Evan Francen: But SamSam didn’t get that money because they didn’t pay the ransom, that’s how much it cost in lieu of that and then I thought um so I did a little more digging, I was like where else have I seen, you know, it turns out that we actually did investigate a SamSam outbreak. It was uh tell me um in Minnesota but I was surprised to see that SamSam, they’re making $300,000 a month, wow, and supposedly according to this article in Wired magazine they’re getting more sophisticated.
[00:32:20] Brad Nigh: Yeah. Yeah when you know it’s always any of the other malware and endpoint protection, it’s always catch up and now you’re seeing it where yeah they’re encrypting it before they have a chance to know what that new signature looks like.
[00:32:40] Evan Francen: Yeah well the thing that ticks me off and you know there was another incident investigation where the client lost you know $800,000 or whatever, financial fraud whatever and it’s funny because the FBI wasn’t interested in investigating that one. Mhm. So that’s that goes back to the uh you know
[00:32:59] Brad Nigh: I mean it was it was only $800,000 and money gone.
[00:33:04] Evan Francen: But the part that really ticks me off is that the more money that the Attackers make them more money they invest to make their attacks better and make our jobs harder. Which it’s a vicious circle. Man.
[00:33:19] Brad Nigh: It’s like you know, don’t pay the ransom, A, you’re just funding them, B, you have no guarantees.
[00:33:27] Evan Francen: There’s that too right? You pay the ransom and they don’t they don’t give you the key. Yeah. What are you gonna do call customer service?
[00:33:36] Brad Nigh: Yeah sorry
[00:33:38] Evan Francen: actually some of them do have customer service but that’s that’s different. Anyway. SamSam was funny, not funny funny, in a bad way, you know what I’m saying? Yeah. Yeah. There was also mentioned in that Third Way paper about the amount of loss Uh huh to fraud and I think it was Nearly $100 billion or something like that. They also mentioned you know China and others um been accused of stealing intellectual property, estimated at $225 billion to $600 billion annually. So that’s on that trade secret thing I was telling you about. Um But and I’ve read some articles and I actually put it in the book too that we are in the middle of the greatest economic transfer of wealth in our history. And it’s expected to be according to some estimates way beyond what Third Way mentioned. Uh, it’s expected to rise to $6 trillion. You know what I mean? Because what is there to stop
[00:35:04] Brad Nigh: it? Yeah,
[00:35:07] Evan Francen: I mean Unless we unite, unless we come together like a lot of the things that they’re saying at Third Way, unless we unite and come together, we don’t stand a chance. Because what can I do? What can you do Brad?
[00:35:21] Brad Nigh: Yeah. No. You know, we work in train and help educate people, but just it’s yeah, it’s a finger in the dam approach. You need more people working together to help push that back.
[00:35:39] Evan Francen: Absolutely. Yeah. And I think that’s what our call is, Right? And that’s what we’re trying to do is get more people to work the same way and and there are other organizations. It’s not just us. I mean, I think I’m hoping that sooner rather than later this thing shakes out and we really start working together more than against each other. Right? Yeah. I got the whole money grab things in there
[00:36:04] Brad Nigh: too. It’s crazy. Is there? I mean, there’s more than enough work to go around.
[00:36:09] Evan Francen: Yeah. Right. You and I are sitting here on Sunday, right. Yeah. Bring about what are we going to look like? All right. So Girl Scouts, you heard about that breach?
[00:36:23] Brad Nigh: Uh, I hadn’t until I read the articles like Good Lord. I’ve never aimed.
[00:36:29] Evan Francen: I know, even going after the Girl Scouts for crying out loud, But this attack as I read some of this, so it affected 2800. So this is an article in Infosecurity Magazine, um 2800 Girl Scouts in Orange County. Where’s the fighter right now? Is that in Orange County got to help out? Anyway, it’s a bit, I don’t know, 2800, so the attacker, it began on September 30, an unauthorized third party gained access to an official Girl Scouts Orange County travel email account. It was then used to send emails to others, presumably phishing emails. Now that is the same exact pattern that we see over and over and on for the last, specifically the last year or two. It’s been that same pattern. The attacker compromises, so somebody fell for a phishing attack and then so the attacker then has an account in your system. So I would, I would, I don’t know if I’ve read it in here or not, but I would bet a lot, I’m not a betting man, but I would bet a lot that the attacker got into OWA or single factor authentication.
[00:37:51] Brad Nigh: Yeah, that was my first thought when I read this one, I bet they didn’t have multi factor, right? Yeah, immediately,
[00:37:59] Evan Francen: yep. And so the attacker then used that I’m guessing and I’m just speculating it’s not in the report and then the attacker used that changed some email rules because they typically don’t want to hide their tracks. They don’t want the real user of the email account to ever know that they’re there. So any of the replies that come back, they put an auto, you know, they put rules on the inbox to hide those things. Yeah. And they use that to spread their, it’s
[00:38:31] Brad Nigh: a, and this kind of drives me crazy because a lot of places don’t put like the spam and phishing filtering on outbound email or the anti-virus on, well, it causes problems with marketing or whatever. And, you know, you could add multi-factor, you could have some sort of scanning on your outbound, not just inbound, and maybe it catches this and now you’re, yeah, maybe it takes a little longer to set it up and configure it so that legit business email can go out, but, you know, it’s a reputation and financial impact for not doing it
[00:39:13] Evan Francen: frustrating. That’s frustrating.
[00:39:16] Brad Nigh: That’s crazy. It was one day and it was 2,800. Yeah,
[00:39:23] Evan Francen: yeah. One day. Well, the, well, and you know, there’s no, it’s like in most of these incidents, there’s, there’s probably not proof, uh, probably that the attacker actually access to all the information that they were in those in boxes, right? So they announced what was exposed, not necessarily what was accessed or used. It doesn’t make it any better. The fact that it was
[00:40:00] Brad Nigh: what we hear that all the time is, well, you know, why do we need to get to the level of uh you know, knowing who what each user can access and things like that. Especially healthcare or finance. And are they downloading anything to a to their email or their laptop if that were to get breached, what do they have access to do? You know, You don’t know where they have access to everything? Well then you guess what you have to assume unless you can prove otherwise. Yeah right. I want to say oh I’m impressed they caught it that it only went for a day.
[00:40:40] Evan Francen: Well yeah it was pretty noisy though. I mean you probably have an account that was sending out a bunch of external emails and people are like, hey what’s with the phishing email?
[00:40:49] Brad Nigh: Yeah, I mean that’s still better than we’ve seen it, where it’s gone on for longer than a day.
[00:40:56] Evan Francen: Oh yeah you’re right. Like 200. What’s the average 206, something like that?
[00:41:01] Brad Nigh: Yeah, I would expect it to be a little bit less from from an email but I would still expect, you know, I think we’ve seen it. Where why is nobody getting our email now? Oh you’re you’re on the blacklist because you’ve been spamming for three weeks so emails wants to get caught a little faster but you know, one day is still pretty good happened. But remember
[00:41:22] Evan Francen: a lot of people don’t notice set up their email servers well either, you know, because you have SPF records you have, but then you have DKIM and DMARC records that you also need to put in, because we, we sort of ran into that a little bit even at FRSecure as a security company. We turned out we didn’t have a DMARC record. Yeah, emails or emails were still getting through, but just
[00:41:46] Brad Nigh: well and and it goes back to that balance of security versus business functionality. The business never wants to have emails blocked. Right? And and then it’s like, well, it’s gonna take a little while to figure no, you don’t know. Just they need to work. Yeah. And that’s where you see that. All right. Well, what can we do in a minimal to at least do something.
[00:42:11] Evan Francen: So yeah. So two points. So another thing I you know, I mentioned that I not mentioned, but I read related to Children in the United States who are affected by identity fraud. And it said that Losses of $2.6 billion $540 million dollars from. That’s according to some research from Javelin strategy. And that that same report claimed that 60% of child identity fraud victims know the fraudster versus 7% of adult victims.
[00:42:48] Brad Nigh: It’s green. I can see that. Right. You see that all the time of, you know, like my parents opened an account for credit cards under my name or Yeah, somebody doesn’t get loans. I’m I’m not surprised by that because they are and they can’t defend themselves. It’s not it’s pretty bad.
[00:43:13] Evan Francen: It is all right. So we have about 10, 15 minutes left. We have other things that we can talk about. Talk about. HSBC that was a data breach. And somebody somebody, one of my friends, you know, I was talking to me about that. You heard about that one?
[00:43:31] Brad Nigh: Yeah.
[00:43:33] Evan Francen: Credential stuffing attack.
[00:43:36] Brad Nigh: Yeah. Well I don’t, I’m a little surprised by that one. I’m surprised you. Well, like it says in there, it’s basically brute forcing the password in a bank which you would expect to have two-factor. Yeah, what, what’s really going on? I think that was the part that surprised me. Every bank that I use or have accounts at has two-factor. So what that
[00:44:06] Evan Francen: right. Yeah. Not using any banking, your email accounts, your social media accounts, all of those things, you know the big ones anyway can all be protected with two factor authentication. So why that’s not being used more um or even forced to I mean banks should in my opinion should force users because banks are liable for those losses right? If somebody gets my username and password for you know my bank account and drains my bank account, the bank gives me my money back. So you know the bank should you know. But I guess at the end of the day of customers, if you have enough customers who are up in arms about it. You know the end of the day the banks in business to make money. So I’m sure they do cost benefit analysis and all that stuff. But
[00:45:02] Brad Nigh: yeah but uh yeah I guess we’re in the minority but if my bank didn’t have that and basically turning on by default I wouldn’t be banking there. Yeah.
[00:45:16] Evan Francen: Well, Shape Security did a report in 2018 and it’s in that article. This is, this is an article of the U. S. B. The U. S. Are, sorry, HSBC data breach. I’m reading the article from Threatpost, um threatpost.com. Good place to get some security news. But in there they cite a report from Shape Security. It claims that the banking, consumer banking industry loses $1.7 billion dollars annually as a result of credits, credential stuffing. It’s, I thought that was interesting.
[00:45:52] Brad Nigh: That’s great through
[00:45:53] Evan Francen: Credential stuffing, $17 billion. Um yeah, so at the end of the day, you know, banks are banks, know money really well. You and I both know that, so that usually I would assume that that probably gets absorbed somewhere in additional fees that you and I end up paying for things. But it’s frustrating. It’s the same password that, that should be our theme for this first podcast. Just freaking passwords. Yeah.
[00:46:23] Brad Nigh: Yeah, passwords and multi-factor please. Oh my.
[00:46:27] Evan Francen: Mhm. So another one from Threatpost, uh zero-day bugs. Yeah, wireless access points. That was interesting.
[00:46:36] Brad Nigh: Yeah, that one, when I read it, when I, when I first heard about it, I was like, oh my goodness, this is really, but really bad. But when you, when you actually look into it, I mean it’s bad, but from what I saw, you know, it’s the Cisco and Meraki and Aruba. But
[00:46:54] Evan Francen: the energy turned
[00:46:58] Brad Nigh: on. Yeah. And it’s all disabled by default. So you had to have gone and turned it on and changed it. Which we all know. Most people don’t mess with the default. So why
[00:47:08] Evan Francen: would anybody use Bluetooth Low Energy? Yeah, I mean those settings, I guess it’s, it’s a cool feature. But for what? Yeah, just what’s your point? I don’t think anybody’s using it.
[00:47:23] Brad Nigh: Yeah, it sounded really, really bad when I first heard about it and then like it’s probably pretty limited,
[00:47:30] Evan Francen: right? It’s not enough for us to issue. I think an advisory. Uh Yeah,
[00:47:38] Brad Nigh: no. Yeah, I’d be like, hey, just make sure hopefully, you know, if you’ve got what your competitors are. But mhm.
[00:47:47] Evan Francen: And patch, so the patches are available for all those Right. Some that was that. But yeah, when I I had the same reaction when I first read, when I first read, I was like, seriously, this isn’t good. Then I read that I read about it and did some research on like Yeah. So what? Right. I mean if it’s on my if it makes it onto my list of The top 50 things I need to do this week, I’ll get to it. If it’s not then yeah,
[00:48:16] Brad Nigh: I will say the one thing on their towards the bottom that that does make sense is uh does this affect smart locks used in the hotel chains or point of sale now? Okay. Maybe there but there’s no evidence that it’s in any of those. But that’s that could be a little bit more uncertainly
[00:48:36] Evan Francen: true. That’s true. Yeah. Excuse me. So, Microsoft released another, released some guidance. You might have heard about another sort of thing that this was sort of big, I think, this solid state drives, their ability in the hardware encryption. Um this is an article out of SecurityWeek, um Radboud University in the Netherlands found some bugs in self-encrypting SSDs from Samsung and Crucial.
[00:49:07] Brad Nigh: Yeah. Small names. Right.
[00:49:11] Evan Francen: It’s like say what? So that’s this is a This is a bigger one. You know, because the benefit of having hard where encryption is that the encryption is done in hardware. It’s higher performance. Right?
[00:49:27] Brad Nigh: Yeah. I’ll say this one, I had a kind of a similar reaction. I mean it’s way more impactful than the wireless one, but when I first read the headline, it was, you know, uh BitLocker is impacted or is affected by an encryption flaw, like oh holy cow, no wait, now it’s the hardware encryption that bypasses BitLocker. Okay. A little bit of a sensationalist headline, not on this article but when it first came out.
[00:50:01] Evan Francen: Well I wonder, I, I would, I’m not sure and maybe it needs more research. I’m not sure if Samsung or Crucial have addressed this officially. Did you find
[00:50:11] Brad Nigh: anything uh you know, I haven’t seen anything about that actually. Okay.
[00:50:18] Evan Francen: Maybe something for us to look into. Cause yeah, Microsoft did release their advisory, which is, you know, how to force software encryption, which would then, you know, essentially bypass the hardware flaw. But what if I want the hardware? I mean I want, I want that. Yeah, or how do I know? So they did give a, there’s a command that you can run, um, you know, manage-bde -status, with the status flag. You got to run that with privileges though. Uh it’ll show you what, what type of encryption you’re running.
[00:51:01] Brad Nigh: Yeah, I just did a quick search where you’re, I haven’t seen anything, mm, encryption software. Samsung recommended encryption software and Crucial owners, set of fixes on the way. But that’s about it.
[00:51:17] Evan Francen: Okay, so that’s where we’re at for that. All right, well I’ve got uh you know next week this is our podcast. Right? This is me and you next week. I’m gonna have you kind of lead it and then I’ll take the back seat we’ll just flip flop. So you know what, when we got to lead the discussion and the next week you’ll need it. And then, uh, when you want me to say something, you can just say, hey, say something,
[00:51:45] Brad Nigh: what do you think? Evan?
[00:51:47] Evan Francen: Right. What? What? I’m sorry. What were we saying?
[00:51:52] Brad Nigh: I was working?
[00:51:53] Evan Francen: What? Right. Uh, well, last thing you know, before wrapping up Megan, I did look at that. I didn’t get a chance to read all those articles, but man, did a great job putting together some really cool stuff.
[00:52:08] Brad Nigh: Yeah, I think the biggest one out of there was that the GandCrab ransomware was cracked. So that’s uh, that’s a big one. Once you, that was when you start getting some of those cracks, now that makes everyone’s life at least a little bit less stressful.
[00:52:25] Evan Francen: Yeah, I agree. In one of the, you know, one of the victims she talked about with the GandCrab ransomware was the Monroe County School District. And then later on, which I thought was kind of cool, she included a link to the K through 12 Cyber Incident Map. Did you look at that,
[00:52:42] Brad Nigh: uh, looked at it when I first got it, the email, but
[00:52:46] Evan Francen: it, uh, according to this incident. No, I don’t know this. I haven’t, I haven’t read it. Uh, manager’s peru’s did a little bit. The website is K-12, so, okay, k12cybersecure, all one word, dot com slash map. And according to their site, they have 385 incidents since January 2016, and I don’t know where they’re getting their data from, but I do know from our, some of our own incident investigation work that they’re missing some. Yeah.
[00:53:25] Brad Nigh: Hey, it looks like, I’m just looking at the local area and it’s like uh databreaches.net, EdTech Strategies as reported by, and vita sources, the media. So looks like they’re just combing media reports for that. Okay. Which, that would make sense. Some of these are not going to get out into the media,
[00:53:49] Evan Francen: you know, some of them should I know about one breach in particular very close to where I live. That certainly by law is a reportable breach, but you know, I can’t report it, they’ve got to report it. Right. And so it’s frustrating that that hasn’t been, it hasn’t been released. But
[00:54:16] Brad Nigh: yeah, it’s pretty much, and if you look at the map, it, hey, I was trying to look and I think South Dakota is the only one without a reported breach. I mean it’s every, it’s non-discriminatory
[00:54:26] Evan Francen: who’s got anything that anybody wants in South Dakota. No, is that the only state without one on
[00:54:34] Brad Nigh: that. That’s the only one I can see, I’m just kind of clicking around in here. But yeah, wow,
[00:54:42] Evan Francen: that’s, yeah, South Dakota where to go? South Dakota maybe,
[00:54:49] Brad Nigh: maybe Rhode Island. Rhode Island looks like it might be clean.
[00:54:52] Evan Francen: Mhm. Yeah
[00:54:54] Brad Nigh: Rhode Island’s clean,
[00:54:55] Evan Francen: but that was a very interesting map. So if if you’re uh You know, if you have, I guess we all have some vested interest in K through 12, right? We either have kids, you know, somebody who has kids uh a teacher, we know a teacher. I mean something like, I think There’s a lot of work to do in K through 12. And and um this is a good resource to kind of show, hey look, this stuff is happening all over the place and you know, maybe we should get our security in order. Yeah.
[00:55:28] Brad Nigh: I mean we work with a lot of school districts all over the place and and having that information that Yeah, six. There is an interesting vertical to work in very, very different than, you know, kind of the corporate world or. Mhm. Other nonprofits.
[00:55:50] Evan Francen: Yeah. It’s very distinct K through 12. And then post secondary to write colleges and universities. Because you’ve got one half, it seems like it’s one half that runs itself like a business and the other half runs itself like a research organization. It’s like anything goes over here. Nothing goes over here in a lot of
[00:56:13] Brad Nigh: Yeah. You know, I did before I came up here, I applied for a couple of jobs and at some universities and was in the interview process kind of horrified and walked away. But they’re like, oh yeah, no, we still have analog phones were hoping to get some of this and you know, everything’s on one network and sometimes it works because you know there’s this one server. So sometimes you have to go over here to this closet and unplug it and plug it back in to make it work. And it’s like their core router is just in a janitor’s closet that they have no tech support around or like oh no walk away.
[00:56:54] Evan Francen: Yeah. One of the last like, you know, I don’t do a lot of, I don’t, don’t do a lot of work anymore, Brad. You know that, right? One of the last times I did work for post-secondary, they wanted a penetration test but they didn’t know what resources they had. So they weren’t, you know, so we said, well, let’s do this, let’s do scanning, then let’s not do a penetration test. Let’s just figure out what you got. They had a whole public class B. Okay, so 16,000, or is that 64,000
[00:57:29] Brad Nigh: 64 I was going to say we had that’s funny, go ahead, finish
[00:57:33] Evan Francen: your story. Yeah. So 64,000 possible IPs. It’s like okay. And so we started enumerating and their firewall would puke out, you know, so we had to do it in chunks of like class, basically class C chunks, you know, and automated so that, you know, instead of doing one vulnerability scan, we did end up doing like 1,000 or a couple 1,000 vulnerability scans. Yeah, what should have taken, you know, a night, a day, a couple of hours, you know, if you would have been probably properly sized, took two weeks
[00:58:13] Brad Nigh: speaking. Yeah, we, we just had, it’s very similar on, you know, kind of the first stages and going through and they send over a /16 for their external, like how many are active? Like we think around 50. Yeah. Great.
[00:58:36] Evan Francen: Uh Joyce. All right. Hey, I thought it was this was our first podcast, man. Yeah. Yeah. Well, hand this over to our marketing folks and have them do their thing with it. Uh, next week we’ll do it again the game
[00:58:52] Brad Nigh: I’m in.
[00:58:54] Evan Francen: All right. And you, like I said, you’ll you’ll take the lead on the discussion and we’ll just flip it back and forth. Um, hopefully anybody who listened or listens will enjoy what we talked about. If if not give us some feedback,
[00:59:09] Brad Nigh: yep. Absolutely.
[00:59:10] Evan Francen: All right. Thanks, Brad. Have a good rest of the night.
[00:59:13] Brad Nigh: Thank you. You too.
[00:59:13] Evan Francen: All right. See you tomorrow. Bye bye.