We catch up with Evan as he focuses on building infosecurity partnerships, and learn about the launch of S2Org and Evan and John’s upcoming #S2Roadshow.
Podcast Transcription:
[00:00:20] Evan Francen: All right. Let’s do this. I’m Evan Francen. It’s Monday, September 30, and this is episode 47 of the UNSECURITY Podcast. My guy Brad. And I... it’s like that rhymes. I’m a poet, I didn’t know it. Uh, is here with me. Hey, Brad.
[00:00:37] Brad Nigh: Good morning. You are an author, so it shouldn’t be surprising. Ooh, yeah, there you go. That’s why. That’s what it is.
[00:00:45] Evan Francen: I should let that go to my head. Probably not.
[00:00:48] Brad Nigh: Yeah, that’s... I don’t think that’s you.
[00:00:50] Evan Francen: All right. No, no. You probably read in the show notes, uh, lots of things going on last week. You were out with our senior management team. We affectionately call you the SMT. And you were doing some offsite stuff. And I was, um, I remember who I was talking to, but I was giving them credit, because one of our core values here is to work hard, play hard. I know you guys do that when you’re offsite. Tell me, tell me about what you guys were doing.
[00:01:19] Brad Nigh: Just, you know, planning. No, uh, planning, playing, kind of, yeah. Q4 of this year. You know, are we set for what we expect to come in? Uh, setting, you know, longer-term 2020 goals, expectations, all that. And then, uh, we were up north at a cabin and we did some fishing and caught a bunch of pike, uh, a couple of... caught a couple bass. Nice. So pike, pike are fun to catch, but I hate them. Slimy little
[00:01:54] Evan Francen: something. Yeah.
[00:01:56] Brad Nigh: Yeah, but no, it was good, you know, just sitting around the campfire and kind of BSing and, cool, having some fun.
[00:02:04] Evan Francen: That’s cool, man. Well, you probably saw in the show notes too, and we were just talking before the show started. Uh, my life just seems like all sort of... sort of a little chaos. Yeah. You know, a couple of weeks ago I was in Bulgaria, my wife was in China for the last 10 days and she got back into town on Saturday. Uh, so her sleep is all off, just about the same time my sleep is getting right. Uh, and then in the middle of this, uh, you know, I’ve been a smoker for 30 years. I decided I was going to quit on Wednesday, and my wife quit 11 days ago. So we’re both just angry.
[00:02:39] Brad Nigh: And I bet that was fun for her, to quit and then be, like, 12 or 13 hours off.
[00:02:46] Evan Francen: Yeah, so everything is just wonky right now, and we’re heading out, you know, tomorrow, I think, yeah, for some roadshow stuff. But, you know, one of the things, um... so, good SMT meeting. Very good. Did you know that nicotine also, um, it helps you concentrate? So, my 30 years of that. And so now I don’t, and now I’m not going to concentrate.
[00:03:16] Brad Nigh: So I told the SMT, the other... okay, what are your plans for 2020? It’s like, I’ve been hanging around Evan too much. I’m just going to wing it. And he thinks that’s a plan. They didn’t like that. Renee particularly was not impressed.
[00:03:30] Evan Francen: Yeah. I know. I wonder why, you know. When we get... it has gotten me by this long, and, uh, built one successful company, building another, and, yeah, just wing it, go with the flow. But that doesn’t work for everybody. No. All right. So, uh, late last week, you know, we have the topics for today. I wanted to get back and talk about fundamentals, and I know that that’s not a sexy thing people like. Yeah, I get it. It’s basic, and everybody nods their heads, everybody gets it. But I’m tired of
[00:04:03] Brad Nigh: it not happening. As I say, we keep seeing it. Yeah, we’re doing the fundamentals. No. Right. Far too many people are not doing them.
[00:04:12] Evan Francen: Yeah, I mean, uh, yeah, so we’ll talk about that, because there was one meeting in particular that, ah, you know, happened towards the end of last week which I thought was interesting, and I’d like to get your take on it. And then, um, it’s really kind of a key thing, so it’ll be a good segue into this roadshow thing we keep talking about. Uh, and then I also had a really good meeting on Friday morning with some cool people to talk about, uh, you know, security things with parents and kids. Yeah, yeah. So anyway, so I had this discussion, and I can’t say the name of the company or the person, because I don’t like to out people. I mean, I would, I would do it more if they were, like, sitting here and I was talking to them face to face and they knew we were going to have this debate or whatever.
[00:05:03] Brad Nigh: You don’t want to throw someone under the bus.
[00:05:05] Evan Francen: Yeah, so, I mean, it’s not like a... I wouldn’t debate, well, I did debate it in the meeting, but anyway, there’s this big organization, very, very important. And, um, we had a meeting on Friday, and, uh, this person, uh, you know, knew all the acronyms, you know, NIST CSF, COBIT, blah, blah, blah, just throwing, throwing around things. Uh, mentioned, um, you know, all sorts of people that he knows in this industry. You know, if I threw out their names, you’d know exactly who I’m talking about. Um, and so we sit down, and we just, I’m just there to talk about where you’re at, man, you know, and where you should go. And, you know, it’s good to be a vCISO, because you get to steal all these ideas from people, right. And so, so we sit down and, uh, you know, he mentions, uh, he was interested in our vCISO practice, so I was telling them sort of how we do it. And I said it’s the same way, you know, almost as if you hired me off the street. I would start with some sort of an assessment to sort of understand where you’re at. What am I working with, exactly? And he said, well, we’ve already done that. Like, okay, well, then tell me about how that worked. Well, two years ago we did this assessment. Right?
[00:06:22] Brad Nigh: So you’re doing it again this year?
[00:06:25] Evan Francen: Well, yeah, so two years ago they did an assessment with this organization, and he said, and so we’ve, we’ve been spending time building our security program. Um, you know, we feel really good about it. You know, we, we basically, we know what we’re doing. We don’t need any advice. Like, okay. Uh, and then, and he says, and now we’re doing another assessment with another company. Um, yeah. And so, like, okay, that’s cool. But there was this, just like, we have the, we have the fundamentals down, is sort of what he was telling me. And I was like, okay, well, tell me, you know, what that means. Uh, and so one of the questions I had asked him was, I said, okay, well, tell me the current state of your security program, and that was where things kind of stalled, and then things got off the rails pretty quickly. Good. I know. Well, yeah, I was like, well-defined? Good. Yeah. I was like, because he was telling me that, you know, they can quantify, you know, things. And I was like, okay, well, quantify to me means measure. So I was like, well, quantify your security program for me. You know, where are you at? Uh, we just had this sort of long debate, and I think we... and then he was also, you know, talking about cybersecurity and information security like they were synonymous terms.
[00:07:44] Brad Nigh: You know? Yeah. You see that all the time, too.
[00:07:47] Evan Francen: I know, and I get it, because it sells, right? Cybersecurity is sexier. It’s, like, one less syllable, too, I think. Information... cyber... two, two less. So it’s easier to say.
[00:07:59] Brad Nigh: We are in a, like, instant-gratification society. So, you know, that’s, that’s two syllables. No, I think, I think part of it also is the, okay, the marketing push behind cyber, right, from all these different vendors, and so people have just associated the two as being synonymous. And, and they are not. Cyber is part of information
[00:08:25] Evan Francen: security. And I wouldn’t get so bent about that, other than the fact that, you know, you and I have been in this industry for a long time. We fought so hard to get this as a business issue. Information security is a business issue, not a technology
[00:08:41] Brad Nigh: issue. Someone’s backsliding.
[00:08:43] Evan Francen: What is backsliding? Because, you know, and I’m writing a, a thing now about, you know, the importance of language, and we started off, you know, well, you’re an author, you know, joking around. But, you know, words do matter. They carry weight. Um, and so when you look at the meaning of cyber, cyber is of or pertaining to computers, right? Which puts us right back into the same crappy spot we were in, thinking this is an IT issue. So anyway, so I had some things for us to discuss, just in fundamentals, and hopefully people that, you know... we constantly have to remind ourselves of the fundamentals. So the first question I had was, you know, what is information security? I’ve asked this question a trillion times, it seems like, but I keep getting... it was all over the place.
[00:09:35] Brad Nigh: I know, I know. I’m trying to think of... it’s too early. I was going to try and come up with some sort of a, the smart-ass answer for it, but I can’t come up with one. It’s too early.
[00:09:45] Evan Francen: Because we’re all information security people, right, here in this industry. Should we not have a common definition of what information security
[00:09:52] Brad Nigh: is? Yeah, I mean, we know what ours is, right? I think we’re on the same page. It’s protecting confidentiality, integrity, and availability of your data through the use of physical and/or administrative, physical, and technical controls. Right. Well
[00:10:05] Evan Francen: done. Yeah. True. And, and so, another thing in that definition is managing risk, right? It’s not eliminating risk. It’s managing risk.
[00:10:14] Brad Nigh: Right? We can’t eliminate risk. I do use your line all the time, because we get asked, how do I eliminate risk? Or, you know, how do I
[00:10:24] Evan Francen: what’s the greatest thing I can do to reduce
[00:10:26] Brad Nigh: it? If you don’t want any risk, close. Yeah. Otherwise you will have risk. Fire everyone and go home. You don’t have any risk. Right?
[00:10:36] Evan Francen: These are just basic, basic fundamentals, right? The definition of information security. So the important part, and we’ve always driven home the CIA piece, right? So when you get to that part, everybody was, like, rolling their eyes, like, yeah, I got it. You know, it’s like, okay, but you focus so much of your time and money and effort on protecting confidentiality that you would think that’s the end-all, be-all. But then you also, and then, you know, part of our definition is administrative, physical, and technical controls, and people also agree to that. Yet you look at their programs and they’re overemphasized on technology. They treat it like it’s an IT issue. It’s still reporting to the CIO. It’s still not considered as a part of any other business risk that, you know, you would consider at the board. Right? So it’s one thing to say it, it’s another thing to do it,
[00:11:29] Brad Nigh: right? Yeah. We here, I think that’s kind of, I think one of our big skills, as a group, is kind of seeing through people. Same thing, you know, they say the one thing, and then it’s not how it is, and then they argue with us, and it’s like, right, you say this, but here’s what you’re doing. So tell me how those align. Right?
[00:11:52] Evan Francen: And so that, and this was, you know, going back to that discussion on Friday, from somebody who’s been around for a while, right? I mean, it’s not like this person is new to information security. And so, you know, but he called his program the cybersecurity program. So I was just looking for clarification. Is your
[00:12:11] Brad Nigh: truly
[00:12:14] Evan Francen: program, right, is it truly an IT issue, or do you view it as, like, being across the entire, you know, spectrum? And he’s like, well, you know, it’s the entire spectrum. Like, okay, well, then, great, let’s start from the top. What does the board get in terms of information about, you know, information security, or cybersecurity, you can call it? And it’s like, well, we’re working on that. Okay, well, that’s pretty damn important for a fundamental, before you start going off chasing, you know, flashy lights. Uh, let’s talk about governance. You know, do you have some sort of a committee established? I mean, who is running this thing? He is. Yeah, basically.
[00:12:57] Brad Nigh: So there is no committee. It’s me.
[00:12:59] Evan Francen: So one fundamental is, what is information security? And then another fundamental question that I asked him was, who here is ultimately responsible for information security? And that’s, basically, what I got: well, I guess it’d be me. Well, that’s the wrong
[00:13:16] Brad Nigh: answer. I guess. But first of all, I guess it would be me, meaning that it’s not defined. See,
[00:13:21] Evan Francen: you’ve been working around lawyers too much. You pick up on those words.
[00:13:25] Brad Nigh: Well, it’s like, I mean, legitimately, words matter, right? It’s telling you, if something were to happen and he answered that, it’s gonna, he’s gonna get skewered. And I know, I, I honestly, I don’t know who you’re talking about. I don’t know the company. I don’t have any of the background information. I could look at my calendar and I could. But I’m just saying, just so the listeners know, I don’t, I don’t know. It’s not like I have any sort of background on this. You have to be able to know those things to, to run a successful program.
[00:13:57] Evan Francen: I mean, these are fundamental.
[00:13:58] Brad Nigh: Is this defined in a job description and a security committee charter? I guess I am. So if something goes wrong, what’s his argument going to be? Well, it wasn’t defined. Or not necessarily, right, but that opportunity exists.
[00:14:14] Evan Francen: Absolutely. And so, and so we did play that out a little bit. We played through sort of a, that assumed-breach sort of thing. Okay, you know, let’s talk about this, uh, because there’s a couple things. One, I said ultimately. So I meant, you know, at the end of the day, when the whole house of cards collapses, who’s left? So ultimately it’s the board, it’s executive management, of which he may be a part, but he can’t be the person who is ultimately responsible for information security. And the word, I guess, you know, certainly, because, you know, because in that discussion I had also picked up on, I guess. And so I was like, what do you have defined? I mean, what are the roles and responsibilities? Who is doing what?
[00:14:59] Brad Nigh: It’s funny. That’s the part that people hate the most, is defining that stuff, having this stuff written out. Because I think for two reasons: A, it’s not, it’s not sexy. It’s not fun. But also, now there’s accountability, and it feels like maybe they, in general, people would prefer to have that kind of, that wiggle room.
[00:15:23] Evan Francen: Well, these are fundamentals, right? These are the basics, right, of information security. So it’s great that you can go pen test the crap out of something and find an exploit in whatever and do all kinds of cool things. Those are important things. But without the foundation, without the fundamentals, without mastering those, all the rest of it becomes lipstick on a pig. Right? Right, right. So, you know, so as we were sitting there talking, where he was starting his discussion was really on lipstick-on-a-pig stuff. Right? Great. I’m super impressed that you know all these letters and know what they mean. But fundamentally, what does your security program look like? And is it functioning? And it’s
[00:16:03] Brad Nigh: not. It was kind of... it’s, I don’t want to say cherry-picking, but it is, it’s almost cherry-picking the sexy, fun stuff, right? The pen testing, the flashy lights. The, oh, we’ve got the SIEM and the IDS/IPS and, you know, all these toys, as it were. But you don’t have any governance around it. You don’t have any defined processes around it. Well, how do you know it’s the same every time? How do you know you’re getting the right things?
[00:16:31] Evan Francen: Well, and you and I have been in security long enough to know that, um, that if something is insecure at the core, no matter what you do, it will be insecure. Right? So you can put all kinds of dressing on it and make it look as pretty as you possibly can. But at the end of the day, it’s still
[00:16:48] Brad Nigh: a pig. If everybody is a domain admin, it doesn’t matter what tools you have in place.
[00:16:52] Evan Francen: And how many incidents have we responded to where this has been the case?
[00:16:57] Brad Nigh: Right? There’s a reason I use that exact
[00:16:59] Evan Francen: example. Right? I mean, they’ve got flashy lights, they’ve got all the things, they’ve spent tons of money, yet they have a breach and nobody knows what the hell is going on. And you look at it and say that this is almost indefensible, because you didn’t follow fundamental best practices on anything. So that’s why the fundamentals are so important. And that’s why, you know, I’ve focused most of my career on trying to master those, master the fundamentals, and then go off and, you know, specialize in something.
[00:17:28] Brad Nigh: Yeah. And I think, I would say we’ve gotten a couple of customers that have been working in there that are beyond kind of, on a 1-to-5 or 1-to-10 scale, kind of beyond that 5-to-7 range. 95%, 99% of who we work with is in the 0-to-5. Right? Like, there, it’s just so common.
[00:17:51] Evan Francen: It really is. And so, uh, so the definition of information security, just for people, again, drill it into your heads, right? It’s managing risk to information confidentiality, integrity, and availability using administrative, physical, and technical controls. That’s it. Always, always keep that in mind, and always be prepared to share it. Right. I mean, when executive management asks, hey, what is information security? You keep saying compliance and security are different. Tell me how they’re different. You know, have defensible answers to all those things
[00:18:25] Brad Nigh: and you’ll start to drive your
[00:18:26] Evan Francen: program
[00:18:27] Brad Nigh: forward. I use that all the time. You know, people calling for compliance purposes. I’m like, well, here’s how we’re different. We will get you to compliance by doing security the right way. Exactly. Let’s do security properly, and compliance is easy.
[00:18:42] Evan Francen: If you do... it doesn’t
[00:18:43] Brad Nigh: work the other way around. If you do compliance only, that does not equal security.
[00:18:49] Evan Francen: And you’ve always got the stories, you know, things that you can share, like on administrative controls. One of the things I say, and you say it: it’s easier to go through your secretary than your firewall. Period. That’s just, I mean, 99... you read studies varying from 90 to 99% of all breaches have a human element to it. Right. Whether it was a phishing attack, whether somebody, you know, whatever, it’s called password. Yeah. And so, and then on physical controls, it doesn’t really matter how good your firewall works if I steal your server.
[00:19:22] Brad Nigh: Yeah. Yeah. I walk in and sit down at someone’s computer, right? Or take papers off a printer, right? Like, there’s a lot of ways that people don’t realize.
[00:19:33] Evan Francen: And just because you moved all your data assets, your data center is in the cloud, that does reduce risk somewhat on the physical side, but you still have, you know, usually open connectivity from your network to
[00:19:44] Brad Nigh: I mean, there’s something, if I can sit down at someone’s machine without them realizing it. I mean, you can ask our tech services team. They only need 20, 30 seconds, and then everything that happens on that network is... there’s, it doesn’t take long.
[00:20:01] Evan Francen: No, it really doesn’t. All right, so that’s information security. So the next question, as a fundamental, is what is risk? A board game? It is. It’s kind of a fun board
[00:20:12] Brad Nigh: game. That’s something.
[00:20:14] Evan Francen: Well, what
[00:20:15] Brad Nigh: you said is technically correct.
[00:20:17] Evan Francen: That is correct, yeah. Uh, so risk is likelihood and impact, right? And yet people use... likelihood and impact are functions of vulnerabilities and threats, right? Yes. So you have a weakness, which is a vulnerability. A threat is something that could compromise or exploit that vulnerability or weakness, leading to a likelihood of this happening and the impact if it did. Right? So you have these things, and so that’s risk. And so, but everybody throws around this risk word all the time, but oftentimes you’ll find that they’re referring to a vulnerability only as a risk. So you look at CVSS scores in a vulnerability scan and you’ll say, well, that’s our risk, or this is our risk. Of course it’s different, right? I mean, there’s some element of that there, but, yeah, you’re scoring vulnerabilities, not
[00:21:12] Brad Nigh: not the... right. It’s like, if you have 5, 5 mediums at a 5 each, is your score 25? Is that more risk than a single 10 with a known exploit? Right? I mean, if you look at your scores, CVSS, if you only do that, 10 versus 25, you go, 25 is a bigger number. Right? Yeah, you have to look at the whole picture.
[00:21:36] Evan Francen: Exactly. And I think one of the easier, and I’ve said this before, one of the easiest ways to pick out either a poor or maybe a novice CISO is their inability to put risk into context. They can find a risk in their security program and be like, oh my God, that’s the biggest problem ever, when they’re not taking into account the entire security
[00:22:00] Brad Nigh: program,
[00:22:01] Evan Francen: right? You keep chasing these rabbit
[00:22:04] Brad Nigh: holes. We kind of, we just went through this internally with our, you know, what are all the risks and threats and the impacts and scoring, just kind of as part of that business impact analysis. And, I don’t know, I think it’s kind of fun, like, you get to argue a little bit around
[00:22:22] Evan Francen: this. This is our specialty right now. You and, you were different.
[00:22:27] Brad Nigh: Yeah. Well, I had help from, uh, you know, like Lori and some of the other senior... it was, she did a lot of the work. But, yeah, it’s fun to go through, I think, and people maybe don’t realize that. To say, you know, here, they think hacking, right? That’s about it. Well, okay, what about fires? What about, mhm, you know, water, you know, main breaking, or all these other things that you don’t consider because you’re thinking cyber only, only the technical piece,
[00:22:58] Evan Francen: right? Or even in a, in a penetration test, you know, you have a penetration test where, you know, maybe a pen tester works 30, 40 hours, or 20 hours, you know, to, to find a vulnerability that they then exploit. And so, you know, you think, oh my God, we got to close that right away. That’s like, well, take into account, you know, threat and vulnerability. What would the impact be if somebody did actually exploit that, and what’s the likelihood that it will actually be exploited? Yes, it’s a risk. Nobody’s going to debate that. But to what degree of risk is a whole other discussion?
[00:23:37] Brad Nigh: Yeah, yeah. What did they have to do to get in, and, you know, is that realistic? And he spent 35 hours? I mean, honestly, if, if you’re going to be attacked for that amount of time, they’re going to find something. Exactly.
[00:23:51] Evan Francen: And so the key to our definition of information security is risk. We manage risk. We don’t eliminate risk. So it’s always got to be a degree, right? And so the thing about security is it’s always relative. Where am I at on a scale? Put yourself on a scale. And so one of the most common scales that we see is CMMI, right, Capability Maturity Model, which is fine, you know, but it’s not the same as risk.
[00:24:16] Brad Nigh: Right? Again, it’s kind of like how well, uh, yeah, how well we have processes in place and documentation for. I got to see it, like, if someone is going to leave, if we have to replace a team member, what’s the impact to the organization? Do we have the things in place for someone else to step in? That doesn’t... yes, that’s part of risk. There’s obviously risk involved with that. But that’s not
[00:24:41] Evan Francen: when I always view, I view, like, maturity as being a measurement of vulnerability. You know what I mean? So, like, if a control is put in at 5, right, it’s optimized. There’s really no weakness in that control. Whereas if you go all the way to the other side, you know, an ad hoc or initial at 0 or 1, it’s a, it’s full weakness, right? So then you take into account, take into account, okay, what’s the threat to this thing, this control, and that gives you kind of a risk ranking. So if you were going to use CMMI, uh, in my opinion, it would be to use it as a measurement of vulnerability. And you can still measure your security program if you choose to. But you’re not, it’s not the same definition.
[00:25:28] Brad Nigh: You know what I mean? Yeah, I agree. I think, I think we have kind of the same, slightly different look on that. But at the end of the day, it’s really the same thing. It’s, it’s not a measure of risk. Yeah.
[00:25:42] Evan Francen: So information security and risk. Those are two things that, as an information security person, and even a pen tester, anybody who works in information security, should have those two definitions pretty well mastered. Right. Uh, and how many, how many, if you were to estimate, how many breaches do you see, or do we see, where if somebody had just followed the fundamentals, they wouldn’t be, we wouldn’t be investigating this breach?
[00:26:12] Brad Nigh: Uh, uh, yeah, most of them. But I think it’s also, I guess you have to kind of go and say, like, how long are you gonna give them, in terms of where they’re at, to follow that? Um, you know, ideally, yeah, you would be able to prevent almost all of them. There are gonna be some you can’t prevent. That’s just, I mean, that’s the unfortunate reality. But things like, you know, having a good asset inventory and having, you know, yeah, the fundamentals, you could prevent a fair number. Good network segmentation.
[00:26:47] Evan Francen: Yeah. Yeah, I agree. All right. So if, if I had... so here’s another question I had. If I hire you to do, in quotes, information security for me, what is the first thing you would do?
[00:27:00] Brad Nigh: I’ve said this, you know, even going back to my more IT days, is basically take an inventory of what am I working with, right? Whether it’s a risk assessment from a security standpoint or an inventory. What do we have in place? What tools, technologies, what’s there? So until I know what, what I’m working with, what the landscape looks like, I can’t tell you.
[00:27:25] Evan Francen: So you have to start with some sort of an assessment. Right, okay. And I agree. I mean, I can’t, it’s like taking your car into the mechanic, right? I mean, they have to do a diagnosis. I have no idea where I should focus my time, where I should focus my energy. And so I think that, and that’s prudent. And you see that in, I mean, I was, a friend of mine, uh, works at a Fortune, I don’t know, I guess it would be Fortune 500. And they just got a new CIO. And that CIO came in, and it’s the first thing we’re doing, right, this in-depth assessment of what he’s working with.
[00:28:00] Brad Nigh: Smart. You know, you’re, you’re coming in typically for a reason, whether it’s someone else left or they were fired or whatever. Uh, no offense to anyone out there. I’m not gonna trust somebody else’s work if it’s my job on the line, right? I want to know exactly what’s going on, and then you can make those decisions,
[00:28:21] Evan Francen: right? And I might trust somebody else’s work if it was, one, if it was current, two, if it was relevant, and three, if I understood it. Yeah. You know, so if I looked at another, you know... That’s fair. Yeah. If I looked at another person’s assessment. Okay. Yeah. This seems
[00:28:34] Brad Nigh: like, yeah, they did it right before they left and went to a better job. Absolutely. That’s a good point.
[00:28:40] Evan Francen: But the, because that’s, you know, the only way. I can’t imagine building a security program without
[00:28:49] Brad Nigh: that. How do you, how do you prioritize what to do if you don’t know what’s out there?
[00:28:55] Evan Francen: Right? So it just seems very fundamental, and I know that, you know, risk assessments get a bad rap, but I love them, because they tell me what the hell is wrong. Yeah. You know, where I should
[00:29:08] Brad Nigh: go. I think a lot of times you have a gut feel when you can, you know, kind of walk in and see and talk to people and get a good idea. But if nothing else, it’s validation,
[00:29:20] Evan Francen: right? I mean, there would be the obvious things like, yeah, we don’t have any firewalls. Okay, well, I don’t need an assessment to, you know what I mean? But there are... it’s an obvious one. But, uh, yeah. So, you know, so then, stating that, uh, what percentage of SMBs do you think in our industry, or in industry in general, SMBs meaning 1,000 employees or less, have done that, a security assessment, risk assessment?
[00:29:51] Brad Nigh: And, yeah, just a guess, 15 percent. I
[00:29:57] Evan Francen: Think that’s probably about right according to the math. You know, working at backwards from, you know how big that market is uh estimated about 90% of companies didn’t so pretty close to what you’re thinking.
[00:30:10] Brad Nigh: Yeah, I’m just going off of the number of companies we talked to that have never done it versus done it either with us or someone else. Right?
[00:30:22] Evan Francen: So there's a lot of confusion, I think, in SMBs, and the challenge here is 3.1 million SMBs in the United States, meaning 1,000 employees or less. There's only the Fortune 500, you know, and they have pretty good security programs, most of them, and where they don't, where they're missing the fundamentals, they put so much lipstick on that pig that, you know, they're up there. The return on investment for an attacker is fairly low because they still have to get, you know, it's difficult. Whereas you have the rest of the industry, which is most, by far, is
[00:31:03] Brad Nigh: stuck. I mean, the number of breaches that have, you have some sort of, like, any-any or equivalent, you know, RDP open to the internet, you know, these easy-to-find things that they haven't done. Yeah, that's who the attackers are going after.
[00:31:24] Evan Francen: So, uh, yeah, we have to do something about that, and it's not rocket science. You don't have to be a super awesome expert security person to understand, you know, really the fundamentals, the basics of information security. It would be the same way, I mean, take the way you were to protect your physical assets, right? And just think of them digitally. You know, that's one place you can start. I would start with an inventory. Like, if I had, you know, 10 gold bars that I needed to protect, I would make sure I counted, I have 10 gold bars, you know, that I need to protect, and I would then lock them up. I would control access. I would not share access to where my 10 gold bars are stored. You know what I mean? I
[00:32:16] Brad Nigh: was just really, it's a good
[00:32:17] Evan Francen: analogy. Yeah, I mean, so you don't have to, you just have to use logic, you just have to think it through. Ah, and I would also do an assessment. I mean, if I had 10 gold bars, I would want to know, what's the crime rate in this area? What are the potential threats? Do I live next door to a, you know, a prison? You know, I mean, right.
[00:32:38] Brad Nigh: Yeah. It's funny how many people don't even consider that. No,
[00:32:45] Evan Francen: and I think one of the reasons is life gets so damn complex. Yeah. I was talking on, and this is, I guess we can skip down to the parents and kids discussion and come back up to the roadshow discussion, but, um, because I'm kind of done ranting on fundamentals and the basics. Uh, complexity really is, you know, the enemy. It's always been the enemy. The more complex we make our lives, the more difficult it gets. And so last week I had a discussion with two awesome, awesome people from Minnetonka school district, which is my alma mater, by the way, and you have kids there. The second largest school district in the state of Minnesota, second, I believe, in terms of enrollment, I think. Uh, and I'm talking like the entire district. But anyway, these two guys, Mike Dronen, who's the senior director of technology or executive director of technology, and then Dave Iceman, Eisenman, sorry, the director of instructional technology, and then Ryan Cloutier, who we know
[00:33:58] Brad Nigh: from? Yeah, I was bummed I couldn't make that, but I was off doing
[00:34:02] Evan Francen: business stuff. We'll definitely have another one. Uh, Mike brought in 4 pounds of bacon. That's awesome. I mean, like the good thick kind, and so on Saturday I ate 3 pounds of bacon. It wasn't good.
[00:34:24] Brad Nigh: Your wife got home and it's like, I just got 1 pound, I don't
[00:34:28] Evan Francen: know. Well, the other pound, I think I ate throughout the rest of the day. And then Lydia had some, my daughter. That's funny. Yeah, but we had this discussion. So the reason why we were meeting was, we're trying to figure out, you know, how to address, and I know that there are tons of resources out there, but how to address parents and kids. Uh, just that whole family information security piece, um, not just security, but also privacy and also, uh, safety, and there's a lot of things kind of coming together at the same time here. One of the resources there is Share Together, and I know we're working on kind of some child sex trafficking sort of things. Um, and they were trying to create, you know, eventually it will create an S2 Teen to go into the SecurityStudio platform, so that, you know, teenagers, we can do assessments, they can do assessments, and somehow we can share it appropriately. Right? You have to gamify it, I think. And you have to make it almost like, social engineer them a little bit, right, coax them into giving you true answers as
[00:35:38] Brad Nigh: opposed to... Yeah. Yes. You forget about that, because they're naturally skeptical. Yeah, of that.
[00:35:45] Evan Francen: But that's the reason why I wanted to bring this group together, and I think we'll expand the group. We'll start including more people and getting more ideas.
[00:35:52] Brad Nigh: I know Rosetta has expressed some interest in being involved as well.
[00:35:56] Evan Francen: Yeah, yeah, for sure. And I think the more the better. So we had this, uh, discussion, and I think, um, it was really an amazing meeting. We did spend two hours together. We talked about a bunch of different things. Uh, Dave Eisenman, um, is sort of a leader in this area at Minnetonka. So he shared some good resources. One of those is Common Sense Media. Uh, and all these links are in our show notes,
[00:36:29] Brad Nigh: we should add. I was going to look into that. We should also have the one for (ISC)², the IAmCyberSafe.org. They've got good parent, senior citizen and children resources. So another good place for parents to go to get some awesome
[00:36:45] Evan Francen: free information. So I think what we'll do is, I think our takeaway was to take what we think is the best sort of guidance from each of these. So Common Sense Media, the American Academy of Pediatrics, we'll add the (ISC)² one. Uh, and then the Cybersecurity and Infrastructure Security Agency, CISA, has, uh, good resources, and then Share Together, and try to take kind of all this together and try to create, like, a best in breed, but then make it sort of, I don't know, some way to just bring all these together rather than having 56 different ones. You know, I'd just have one
[00:37:25] Brad Nigh: and, and I've done, I just did a parents' presentation, and that was one of the things that came out of it is, do you have anything for parents that are, these are digital immigrants? How do I secure my Wi-Fi? How do I do these things that, you know, for us in the industry is kind of like second nature? We forget people don't know how to do it. It's intimidating. Right? So, you know, putting something together for the parents, I think, will help teens, and then how do we get the teenagers to go through and do this,
[00:38:04] Evan Francen: right. And so much of this too is just starting the conversation. You know, I can only imagine how many parents, I don't know, they would never even have a discussion with their kids, right, about what they're doing. And I usually tell the story of, you know, when I was a kid, you know, a teenager, when I was a kid, my dad kept his Playboy magazines on the top shelf of his closet. You know, nowadays, uh, that's just not what dads do. Kids are the number, I think the largest consumer of online pornography is like 12-year-old boys, right?
[00:38:47] Brad Nigh: I mean, it's not surprising, but still
[00:38:50] Evan Francen: Yeah, I'm talking here, talking to my 14-year-old daughter, and I guess it's really popular now to be asking each other to send nudes, you know, that's kind of... Yeah, it's like, what? I'm sorry. I mean, when we were kids, we didn't do that. There was no way for me to send nudes and receive nudes from girls,
[00:39:11] Brad Nigh: you know. Yeah.
[00:39:13] Evan Francen: So things are much, much different. I think parents don't know. And I think parents sometimes feel intimidated to even ask.
[00:39:21] Brad Nigh: Yeah, exactly. And I think it's a little bit of that "ignorance is bliss," "what I don't know can't hurt" type of, uh, thought, and that's not the case.
[00:39:33] Evan Francen: It does hurt. Kids are suffering for this. Yeah. And I think I read another study somewhere that said the suicide rate in teenage girls has doubled since the advent of the
[00:39:45] Brad Nigh: smartphone, since social media has come out. It's been really bad.
[00:39:49] Evan Francen: Right? And so we were talking about all these things, and we're talking about how, you know, you just get bombarded from all angles, right? You get
[00:39:57] Brad Nigh: people get the anonymity and they think they can say whatever, no matter how hateful or hurtful it is
[00:40:05] Evan Francen: when parents are overwhelmed too, right? I mean, my daughter, this last weekend, I think it was Friday, she, um, we walked by, we were at Target, and we walked by Alexa. She goes, we should get Alexa. Like, hell no. She says, well, why not? It does all this cool stuff and everything like that. And I go, because I have privacy concerns, honey. She's like, what? I'm like, Alexa is listening, you know, to our conversations, to the things that happen in our home. And she's like, that's only if you say Alexa. And I'm like, how do you think it hears Alexa
[00:40:41] Brad Nigh: right now? You can get Alexa in the car. So, you know, right in the car even, you can't get away,
[00:40:46] Evan Francen: right? And so that, you know, I have this privacy concern, but then I also have this complexity concern, right? My life is already complex enough. I don't want to add more technology and more things that I have to secure, more things I have to think about or things I have to potentially worry about. You know, more things I need to patch. I mean, it's just like, I already have to patch my TV.
[00:41:10] Brad Nigh: Yeah, I'm with you. Keep it
[00:41:14] Evan Francen: simple. And so, you know, parents are getting bombarded with all this stuff, and then kids are, like, playing, what, Fortnite. Uh, there's TikTok, there's Instagram,
[00:41:27] Brad Nigh: there's even with, like, uh, one of the parents was saying, like, Roblox or Minecraft or something. They had a skin where their young kids, like first grade we're talking about, it was Fortnite, in what should be a relatively safe game. Like, oh, we just go in here and here's how we get to it. And it's basically Fortnite at that point, skinned over. They were like, well, what, what is this? Right. So,
[00:41:57] Evan Francen: and listen in. I mean, if you're a parent, listen in on some of the conversations, right, that kids have on chat in their games. A lot of times they'll do it in a room where they're off somewhere, right? Oftentimes, excuse me, kids aren't playing their video games in the living room in plain sight of parents, and so they go into some room somewhere, you know,
[00:42:21] Brad Nigh: but our rule is door
[00:42:23] Evan Francen: open, right. More parents need to sort of learn some of these skills, and we need to somehow bridge the gap of just communications, right. How do you safely communicate about security things at the dinner table, assuming you eat dinner at the dinner table? I mean, it seems like parents don't do that nearly as much as they used to either, but just having these conversations, because, you know, it's our job to love our kids. It's our job to raise our kids well. It's our job to protect them from, you know, sexual crap. I mean, but we have to be equipped. Yeah,
[00:43:04] Brad Nigh: to do that. And it's tough to be equipped if you don't understand it yourself.
[00:43:08] Evan Francen: Totally true, man, and things move so damn fast. Right. I mean, there's new things hitting the market. I mean, what's going to come out this Christmas? I don't know. I mean, what sort of things will be, like, the new things on the market? You'd be like, oh God, you have to think
[00:43:22] Brad Nigh: here we go again. Every
[00:43:24] Evan Francen: yeah. Because as a parent sometimes, too, we feel like we're stuck. We don't want to deprive our kids of all of, well, they get all the cool things that all the rest of the kids are playing
[00:43:34] Brad Nigh: with. Well, especially with some of the social media, they get excluded if they don't have it. And that's, I mean, that's a whole other,
[00:43:41] Evan Francen: yeah. We talked about a story, uh, in that meeting on Friday about a kid who got ostracized, basically, because they weren't on social
[00:43:51] Brad Nigh: and that started happening with my daughter with, uh, Instagram, and her friends had turned or had it before they were 13, which, you know, that's another issue we have to talk about. But I told her, you can't get it until you're 13, and it was tough on her. And she's really good about what she puts on there, and being almost like, she does listen. She'll never admit it, but she does listen. But yeah, it's a tough thing to do as a parent to say, no, you're not old enough yet, but you've got to do it, set some boundaries
[00:44:27] Evan Francen: right? And it would be a lot easier, not easier, it'd be a lot more effective, I think, if all parents kind of came together, right,
[00:44:36] Brad Nigh: There's just, I'm,
[00:44:38] Evan Francen: instead of the norm being, yeah, I can do whatever I want to do in my bedroom with my iPad every night, instead of that being the norm, let's make it the exception. And then when you see that or hear about that stuff, we can all come around and sort of educate. I mean, we just have to flip the script on this, which is going to take a huge, huge effort, but that's why, you know, working with Common Sense Media, working with, you know, AAP, the American Academy of Pediatrics, the, you know, (ISC)², working with, you know, Minnetonka school district, you know, probably eventually Wayzata school district, maybe some national players, you know, let's all hear voices and figure out ideas on how we can address this, because it's our future, man. I mean, this is going to get
[00:45:27] Brad Nigh: nasty, and it already is nasty. But with all the parents I've talked to, they universally want to know more. They don't know where to go, what to do, and, you know, you go and speak to them and it's like they're so thankful for what I'm considering, like, just routine basic stuff, and they're like, this is eye-opening. I had no idea. I think parents in general, as a whole, want to know more and do the right thing. They just don't know where to go, what should they do,
[00:46:02] Evan Francen: right? And, I mean, you always have some certain percentage of people who are just bad parents,
[00:46:09] Brad Nigh: right? I mean, that will
[00:46:10] Evan Francen: never change, right? But I think good parents do want to do something about this.
[00:46:14] Brad Nigh: The majority, the vast majority, do.
[00:46:16] Evan Francen: And what I don't want people to think is, there are good parents who don't know, and that doesn't make them a bad parent. No, you need to somehow reach across and give them the resources.
[00:46:27] Brad Nigh: I'd say it's almost the same as within the business, right? If you're security in the business and you're not getting your message across, that's on you, not on them. You need to figure out where that disconnect is. So, I think it's the same. We failed.
[00:46:42] Evan Francen: Right. And we were talking, you know, like, Minnetonka is one of those school districts that does reach out to parents, and they do have
[00:46:52] Brad Nigh: No, they do. I know from experience that we do get stuff, and
[00:46:56] Evan Francen: but they're the exception, yeah, to the rule, right? Most, like a vast majority of school districts, are not,
[00:47:06] Brad Nigh: well, I'm in Minnetonka and I've talked to some, you know, principals and others at other districts, and I think, again, same thing: where can I get some information, what can I be doing? It's not that there's a lack of desire, it's just a lack of, of what
[00:47:22] Evan Francen: what. Well, and I was talking to my daughter, you know, after I had my meeting on Friday. Um, when I got home, I was like, hey, you know, she goes to a different school district, and I asked her, you know, what kind of instruction do you get on sort of responsible use of, you know, electronics, of, you know, iPhones and iPads? She said none, you know. And I said, well, you know, I want to show you something. So we talked about, you know, some of these things that I had learned on Friday, you know, some of these resources, because I hadn't heard of, believe it or not, Common Sense Media. I was like, oh, that's cool. So I looked it up. All right, I'm going to share this with my daughter. Well, first I was going to find out if she got any of this, and she didn't, and I was like, okay, well, I'm glad we're having the talk then.
[00:48:12] Brad Nigh: Yeah, I'll say I've been pretty impressed with the outreach from Minnetonka. Yeah, I haven't had any reason to,
[00:48:19] Evan Francen: but I think they lied. Oh, absolutely. You know. All right. So that's that. Now let's go
[00:48:27] Brad Nigh: back and talk about your roadshow.
[00:48:28] Evan Francen: Yeah, yeah. So it was formerly called Project Bacon. Uh, and I do mention again that Mike Dronen from Minnetonka brought me bacon
[00:48:38] Brad Nigh: that lasted, apparently, a day and a half.
[00:48:41] Evan Francen: I know, and I think I'm feeling it now, between that and not smoking anymore. And I don't know, I think, whatever, it's my
[00:48:49] Brad Nigh: problem. I'm glad I'm not the one traveling with you.
[00:48:52] Evan Francen: I know, John Harmon is, but John will put you in your place. John's a big dude, he'll handle himself just fine. But yeah, this week we leave for Harrisburg, Pennsylvania. So if you're in the Harrisburg area, uh, yeah, reach out to us, get some barbecue or something, tell us where there is good barbecue, then we can meet and we can talk security stuff. But we're going on the roadshow. Uh, really, there's two points to the roadshow. One is SecurityStudio. We built this platform and now we're making it available for free, and it's a platform to really master the fundamentals. Right? So there is an information security risk assessment module there. It doesn't go deep into any one area of information security. There's tons of different types of risk assessments. This is a good fundamental risk assessment.
[00:49:50] Brad Nigh: It's intended to identify, at a high level, strengths and weaknesses for your security program. Exactly. Then once you do that, dig in and really start to understand, what does that mean?
[00:50:03] Evan Francen: Yeah, I think it's a risk assessment that can be used and kind of meet you wherever you're at. And so that's really what we want to hit, is every one of those SMBs, of the 90% who haven't done one, here's a free one. You can do it yourself. If you need help, we have a partner network that can help you, not gouge you, not sell you something you don't need, but help you through this risk assessment so you can build a good security
[00:50:32] Brad Nigh: program. If you need that independent assessment for compliance or regulatory or whatever reason, yeah, we can help you with that. But exactly. I told people, you know, when I started and went through our assessment, it was kind of like, where has this been? Like, I would have killed to have this. I didn't know about it, you know, different region and all that. But it's a good place to start. It's going to let you identify, okay, where should I be focusing effort
[00:51:04] Evan Francen: and so we want to take that on the road. You know, in this next release, which is due about the same time I'll be at BSides in Harrisburg, uh, it is completely free.
[00:51:16] Brad Nigh: This week. Like, this week.
[00:51:18] Evan Francen: This week. Yeah, I think Wednesday I'll be speaking at BSides in Harrisburg, and at BSides, you know, you can't sell things, right? And so that's why, you know, one of the reasons why I made it free too, because I don't care about selling things right now. What I want you to do is follow the basics, get the fundamentals in place, and then master, right, something. Yeah.
[00:51:46] Brad Nigh: Well, like we've talked about, right, if you do the right thing, everything else will fall into place, right? If you do things for the right reason, things tend to turn out pretty well for
[00:51:57] Evan Francen: you. And I read another statistic too. It was like 80-some-odd percent of all SMBs that suffer a data breach end up not ever recovering. No, that's sad.
[00:52:09] Brad Nigh: And so, yeah, I mean, it's expensive to have this happen. I can see why.
[00:52:16] Evan Francen: So it's kind of our calling to go and do this. So, on the roadshow, we will be speaking every week. We're speaking at a new, different event. This week it's Harrisburg, Pennsylvania, BSides. Um, and then we're meeting with partners. So the other competitors to FRSecure, basically, that do assessments of their customers, and saying, hey, give this away to your customers, and when they need help, it will end up actually making more business for you, probably, because you'll reach a wider audience and you'll be providing better value. So that's really what the roadshow is all about. I think John Harmon and I will be socializing this on our Twitter. So we'll be tweeting hashtag #S2Roadshow. I gotta do this hashtag. Uh, yeah, so we're excited. I think, um, it's part of our mission, right? Our mission is to fix the broken industry. If we were just to sit here and just bitch and complain about people not getting the fundamentals correct and then not do anything about it, well, then,
[00:53:26] Brad Nigh: Well, it's, what I mean, I think, from the way I'm looking at it, you know, the industry, there's a lot of money grab going on, right, and a lot of kind of just throwing money at things. This is very disruptive, and in a good way. I hope so. And I think it's going to get some people's attention.
[00:53:46] Evan Francen: Good. And if any listeners, uh, hear, uh, go take your free S2. It's called the S2Org, that's the assessment, S2Org. There's also an S2Vendor, just for vendor risk management. It's a small fee, because you do have to pay for developers and such. Um, and then there's the S2Team. I think with the S2Team, we're ahead of the curve a little bit. So
[00:54:10] Brad Nigh: yeah, everybody I've talked to about that is like, oh, yeah, yeah. So, you know, go into that a little bit. It's basically your employees' personal risk, aggregated and anonymized. So you, as an organization, excuse me, uh, can see, like, hey, where's our employees' risk? Bad security hygiene at home, bad at work? Good at home, good at work? Right.
[00:54:36] Evan Francen: So you said that real well. Exactly.
[00:54:38] Brad Nigh: Where should we be targeting training? You know? So it's, I think it's really cool.
[00:54:46] Evan Francen: Yeah, I think so. Cool approach. But the, so, you know, and that's the same thing that I offered for this security person, uh, on Friday. And so he agreed, like, yeah, I'll take my free, yeah, I'll take a free assessment. I'm like, all right, good. And then at least now you'll have something that you can quantify information security risk with, and you can master the fundamentals.
[00:55:10] Brad Nigh: And I think a lot of times it is eye-opening for people too, right? They think they've got the good program. And then you start going through. I mean, realistically, the full assessment is 600 and almost 700 questions, probably. It's like 684. Not today, but
[00:55:30] Evan Francen: 683. I just removed
[00:55:32] Brad Nigh: okay. I'm just kidding. That doesn't include scanning and recon. So, but anyway. Uh, yeah. I don't think people realize, they look at, like, those, maybe like there's 40 subcategories, you know, kind of, and that's about it. They don't go 10-15 deep in each of those. No, you need to go a little bit deeper. It's still not as deep as you can go by any means, but it gives you a really good idea. And again, it's eye-opening for
[00:56:05] Evan Francen: people. Yeah, yeah, I agree. And for those, you know, who use it for compliance, you know, I think before the end of October we'll have compliance reporting built
[00:56:14] Brad Nigh: in. Yeah. Yeah. That'll be in this next release. I saw that. Part of our SMT was to make sure that how they were doing it satisfied those needs. That's pretty cool. I won't lie, I was skeptical, but I was impressed with what they got done.
[00:56:30] Evan Francen: Well, in the hospital, you know, take, like, hospitals, for instance. Healthcare, hospitals, most of them are losing money
[00:56:38] Brad Nigh: or the margins.
[00:56:40] Evan Francen: Yeah. So if you can give them a free assessment that they can do, that's quality, that will hold up to OCR scrutiny,
[00:56:48] Brad Nigh: do it. We've seen the OCR accept it now. They'll never endorse it, right? Government won't endorse. But they have absolutely accepted it as a remediation for a finding on not doing an enterprise-wide risk assessment.
[00:57:01] Evan Francen: You know, I thought it was another cool thing, and it came out this week, and I won't mention who, but school districts now are using the S2Score, you know, which comes from the S2Org. They're using it for supporting the bond
[00:57:18] Brad Nigh: rating. I think that one. Right?
[00:57:20] Evan Francen: Yeah. I was like, damn, cool. Because then you're talking about, they're saving hundreds and hundreds of thousands of dollars by protecting that bond rating,
[00:57:28] Brad Nigh: and you've got, you know, I mean, it's pretty common who does those ratings, but those companies are now going, oh, this, yeah, okay. Like, I'm not guessing. It's the same with cyber insurance. There's an easy-to-understand numerical risk score, right?
[00:57:47] Evan Francen: Oh, okay. That isn't cyber, it's information
[00:57:50] Brad Nigh: it is across the board. Right? Yeah. Yeah. I thought that was really cool. So it's encouraging to hear that too.
[00:57:57] Evan Francen: Yeah. And I'd like to use it more in M&A too, right? I mean,
[00:58:02] Brad Nigh: yeah, we keep getting that, where it's like, we just purchased this company, what should we do before we merge them? Or I'm like, oh, well, you should have done an assessment before. At least you haven't merged yet. At a minimum, do these things
[00:58:18] Evan Francen: anyway. Yeah. So that's what the roadshow is all about. It's getting people on board with this thing. You know what I mean? And then there's even another piece to it, which, um, is let's build a community around this. You know, I think in terms of the content, I think SecurityStudio should also open that up and share that with the community and receive, you know
[00:58:39] Brad Nigh: I like your thought of, you know, kind of that Wikipedia or whatever. But, you know, there's got to be qualification to be involved. But yeah, I'm with you. I think the more people we can get giving feedback, the better. Right? I mean, I think we've done a pretty good job, but does that mean it's perfect? No. Right. And I always, it catches people off guard. Like, what? What do you mean
[00:59:05] Evan Francen: exactly?
[00:59:08] Brad Nigh: We can make it better.
[00:59:09] Evan Francen: Yeah absolutely.
[00:59:10] Brad Nigh: It's not like the questions are any sort of secret sauce. Right? Look at the NIST CSF, look at the ISO standard, look at 800-53. The controls are the controls, right? There's other things that we, you know, that's where the magic happens
[00:59:28] Evan Francen: Totally, totally. So, uh, on the roadshow, if you are an information security consulting company, if you're an IT company who wants to start doing information security assessments the right way, or either one of those or a combination thereof, look us up and let's have a meeting while we're there so we can talk to you about it. Or if you're going to be at, you know, Harrisburg, Pennsylvania, BSides, let's meet up there, because we want to get this community together on this thing. So, it's all about that.
[01:00:04] Brad Nigh: Yeah, we can’t do it alone.
[01:00:06] Evan Francen: No, nope. I can hardly get my pants on alone.
[01:00:11] Brad Nigh: It's a miracle your house is standing.
[01:00:13] Evan Francen: It is a miracle my house is standing. All right, so, on to some news. We've got three news stories today. I thought the first one would catch my eye, I was like, yeah. Uh, this one comes from Help Net Security, and "Rise of RDP as a target vector" is the title of the article. And I saw it, I was like, RDP has always been a damn target. I don't understand how it's been a rise, but I mean, can the problem get worse? I don't know. So it's an interesting article. There's nothing eye-opening here, because we've always known that RDP is a, uh,
[01:00:57] Brad Nigh: yeah, we get the
[01:00:59] Evan Francen: critical attack vector
[01:01:00] Brad Nigh: anytime we get the, uh, the breach or whatever. And, like, RDP was open to the internet. How did it happen? Pretty confident it's not going to be good. I mean,
[01:01:13] Evan Francen: if you absolutely, absolutely have to have RDP open, um, multi-factor at a minimum. Uh, ideally you'd make somebody have to VPN in first with multi-factor and then RDP into a system. But just hanging RDP out there, first of all, it makes you a target, right? We know that there are active bots and scans going on all the time looking for 3389, as well as, you know, HTTPS and HTTP and SSH. I mean, those are just common ports that will be hit,
[01:01:51] Brad Nigh: right? Yeah. They're going to search for these well-known, easy-to-escalate things
[01:01:57] Evan Francen: and if you have, you know, single-factor authentication, um, I mean, I hate to say it, but it's like, at this point you almost kind of deserve it. I mean, I hate to say that, but it's like, single-factor authentication on anything on the internet is bad. Yeah, especially an RDP server or OWA.
[01:02:20] Brad Nigh: Yeah. Yeah, I mean, you're just kind of asking for
[01:02:25] Evan Francen: for trouble, seriously. And so, uh, and if you don't know, because I've asked this, you know, many times we ask this, you know, asset management is one of those fundamentals, and I'll ask, have you scanned your entire IP address space looking for what ports you have open? And people say, um,
[01:02:41] Brad Nigh: No. Well, not only that, we've had... Yeah, I'm not getting into it. That's a whole other, another episode. Yeah.
[01:02:53] Evan Francen: So, yeah, because, you know, if you've never done that before, if you have an IP address
[01:02:59] Brad Nigh: space, LDAP open to the internet, please. Bad times.
[01:03:04] Evan Francen: Yeah, I mean, we've seen it happen over and over and over again. So anyway, if you didn't believe us, you can look at Help Net Security and they'll tell you the same thing. All right. So the next news article I have is from E Hacking News: "Google takes down around 46 apps by Chinese developers from its Play Store." This kind of caught my eye because, one, my wife was in China when this article was written. Uh, 46 apps by a Chinese developer, so it was a single developer called iHandy, were taken from the Google Play Store. Google didn't provide any reasons for the sudden removal. The tools included, uh, various security, horoscope, selfie, health and antivirus-related apps that were downloaded over a million times.
[01:04:03] Brad Nigh: All I know is I was very happy that I don't have any of these, and my daughters didn't
[01:04:06] Evan Francen: Right. Uh, so it turns out that some of these, I'm guessing researchers discovered that all of these infected apps were put on the Play Store via distinct developer accounts. So there were some, uh, some bad things with these apps. Yeah. Uh, they've taken down apps before. This isn't something new for Google, but I think what sort of stands out is that it was 46 apps from one
[01:04:38] Brad Nigh: developer
[01:04:40] Evan Francen: developer that’s pretty
[01:04:41] Brad Nigh: big. Yeah, there might be some sort of pattern
[01:04:45] Evan Francen: there. Right and if you are an Android user, right. If you’re a droid user, you just need to practice a little bit more caution.
[01:04:52] Brad Nigh: Yeah, there’s and there are some pretty good uh, you know, endpoint protection tools for free. Right? I know, you know, Sophos and I think Trend Micro. And so they will scan and alert you. And I know I’ve downloaded some apps where I’m like, oh yeah, okay. And then it goes, hey, did you know it was going to do this? Like no, I missed that, remove. All right. So have have have something out there to protect yourself a little bit better.
[01:05:21] Evan Francen: Yeah. And and know that too. Like if you’re a user and you, you know, lack sophistication on technology, the Android may not be the right thing for you. You have to be a little more sophisticated in managing a droid phone. If you don’t even know if you have a droid phone, well then you’ve got more issues. If you’re using a Samsung, you’re using that Android. Um,
[01:05:46] Brad Nigh: if it’s not an Apple, it’s not Samsung, it’s
[01:05:49] Evan Francen: Android at this point because I think Microsoft has
[01:05:52] Brad Nigh: dropped all that. Yeah. You might have an older one. You have a BlackBerry, but anyway, into the weeds.
[01:05:57] Evan Francen: Yeah, I hear you. So anyway, if you’re using an Android, uh just follow some best practices. There’s lots of different ones out there. You can follow. Last one I’ve got is speaking of this is here iOS. Yeah. So checkm8, uh this is um GBHackers on security, checkm8. And it’s spelled C-H-E-C-K-M-8, the number eight. Hacker published unpatchable jailbreak for millions of iOS devices from iPhone 4S to iPhone X. Or iPhone 4S to iPhone X. More. Do you call that 10? I’ve always called it the X. X. All right. I’m going with X. Because that’s the letter.
[01:06:45] Brad Nigh: I can’t wait till we’re like X II, X IV.
[01:06:48] Evan Francen: Yeah. My daughter and I were talking about like what are they gonna do for 13? He likes the number 13. There you go. X III.
[01:06:55] Brad Nigh: Yeah, probably X triple I.
[01:06:59] Evan Francen: Yeah, the 11 is out. My daughter and I went and looked at the 11 at the AT&T store last week. I’m still using an older one. I just got a new phone. I’d use a flip phone. I could
[01:07:11] Brad Nigh: you can get the new Motorola flip for the Android.
[01:07:15] Evan Francen: Yeah, I just don’t want anything else and I don’t want email.
[01:07:18] Brad Nigh: Yeah. Well, it’s cool technology. Yeah.
[01:07:22] Evan Francen: All right. So yeah. So
[01:07:24] Brad Nigh: yeah, this this is really I mean there’s no there’s no fix. It’s an issue within the chip. The fix is stop Apple is going to have to stop selling the older devices and stop using that chip. That’s about it
[01:07:44] Evan Francen: when it jailbreaks the phone. But what’s the yeah unpatchable boot ROM exploit, hundreds of millions of iOS devices. There’s a published jailbreak guide. But do you have to how do you get, how do you get the exploit code onto the phone?
[01:08:07] Brad Nigh: Uh you know, Adrian that, and I think there’s a that you have to have it from connected to either a Mac or Linux, there’s a way to to do it from there,
[01:08:17] Evan Francen: so this isn’t going to be a jailbreak from, I don’t download. Think so, yeah, I don’t think so either,
[01:08:24] Brad Nigh: I haven’t read enough about it to know, but
[01:08:27] Evan Francen: I think the people that,
[01:08:28] Brad Nigh: I’m sure we’ll hear, we’ll get lots of feedback on that,
[01:08:31] Evan Francen: right, because as an iOS, you know, I do use iOS and I’m not terribly concerned about this.
[01:08:37] Brad Nigh: Oh no, I think, I don’t think it’s going to be, I think it’s going to be more for that, the mod community more than anything, It seems to be the yeah, that’s been the, the, the background, I think as you start getting devices that are no longer supported, you know, the Apple doesn’t do a really good job supporting older devices, but yeah, you have devices that from a power standpoint are plenty strong and plenty powerful enough, they’re just not supported or whatever. So now you have the opportunity to do some more with those devices?
[01:09:11] Evan Francen: Yeah, yeah, this is the tool is compatible with Mac and Linux, so you do have to run it, you know level and be connected to jailbreak. Uh Yeah, so it’s a chip thing, I don’t know if the
[01:09:23] Brad Nigh: ice there, they have to, it cannot be exploited remotely. You have to have physical access to the device. So, you know, if I’m an iPhone user, I’m not really terribly concerned. I think again, it’s going to really be the mod community. It’s almost like a feather in the guy’s hat and they’re, and they’re happy as hell.
[01:09:37] Evan Francen: Right? Oh yeah. Who doesn’t want to, I mean if you’re in that community who doesn’t want to jailbreak? So iPhones. Yeah, it’ll be interesting to see, you know what? Yeah, I don’t know if the 11, I didn’t see if the 11 is
[01:09:51] Brad Nigh: Part, I think it starts at the 10. It’s with that, the A11 chip is the last one that used whatever that the exploit was.
[01:09:59] Evan Francen: So Apple may not even do anything about it. Just live with it. But those phones take a while to get out of the wild, you know what I mean?
[01:10:09] Brad Nigh: Oh no. It, I think this is something that’s gonna be there for a while, 5-10 years, especially with the 10 just now having it.
[01:10:20] Evan Francen: All right. So we talked about a bunch of things. Uh, and we’re gonna wrap it up. Uh, so there you have it, I’ll be checking in regularly from the road. So, uh, we have a mission and I put the word dammit in my show notes with two Ms. Not the bad way, that makes it different, but stay tuned, You know, stay tuned to it. I hopefully you’ll follow along and hopefully we’ll have great success and we’ll start getting people, you know, sort of speaking the same language, we’ll start helping people that need it. Um, and thank you to our loyal listeners, shout out to Kevin, uh thank you for your tips and feedback last week, we are working on it. We know that we have some audio things we’re going to make better for the rest of you, send us your input or send us your feedback by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @EvanFrancen and Brad is @BradNigh and that’s all I’ve got. So I have a great week.