Building a Cybersecurity Program

Unsecurity Podcast

In this episode, Evan and Brad conduct a mental health check-in and have a candid discussion about their own struggles. They also discuss the first foundational steps in building a cybersecurity program including less “what to do”, and more “how to do”. In the news this week, a cryptocurrency hacker returns $260 million in stolen funds, and the State Department is hit by a cyberattack amid Afghan evacuation.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:23] Evan Francen: All right. Welcome listeners. Welcome to episode 144 of the Unsecurity Podcast. The date is August 24, 2021. And joining me as usual is my awesome friend, Brad Nigh. Hi Brad.

[00:00:36] Brad Nigh: Yeah. What’s uh does this sound like the background behind you? Yeah, it doesn’t

[00:00:43] Evan Francen: suck. Uh, I’m down, I’m down here in Mexico again. Uh Marlys came down here to do work on the house uh, to get it ready for rental and she was going to come by herself and I didn’t feel comfortable about that at the beginning. And then I was like, I didn’t make the decision until like two days before she was leaving that I’m gonna go with because I found tickets for $250.

[00:01:08] Brad Nigh: Yeah, it’s better there than here. We’ve got we had like three bad thunderstorms since the last five or six hours now. That’s different

[00:01:17] Evan Francen: when it’s rainy season here. So it rained almost all day yesterday. But I I told Marlys, said I’m coming down for like support and I’m going to work. So I have zero. Uh, the interest me and her. I don’t have any distractions. So you know, no dogs, no cats. All right. I don’t have cats and no kids.

[00:01:38] Brad Nigh: And I mean, well, kind of a nice a way, but good for you to get away. Even if you’re still working just to change up that environment.

[00:01:47] Evan Francen: All right. And that that is a good segue because you’re going on PTO tomorrow. Yes. Much needed. Much deserved. Ah I think a lot of times my PTO is like you said it’s working in different locations. It almost doesn’t even feel like I’m working because the scenery is different,

[00:02:07] Brad Nigh: right? Yeah. You know, and and tomorrow it will be the first time I’m leaving the house since like more and more than like two nights Since April of 19 because we had our vacation are big vacation last year scheduled for the first week of April. And obviously that didn’t happen. So I tried a couple of like one night tonight, Prince, that’s it. Other than that I haven’t left the house and it definitely wears on you.

[00:02:38] Evan Francen: I’m glad you’re getting that time away. One of the things we were talking about because we all struggle with stuff and you know, we’re very pro mental health at FRSecure and SecurityStudio. Uh you’re minding, right? I mean, it’s it’s it’s not right. It can be torture for somebody who’s suffering through those things. You’re not going to get good work done anyway. So

[00:03:01] Brad Nigh: yeah, mind first.

[00:03:03] Evan Francen: Always.

[00:03:04] Brad Nigh: Well and you know, we talked about it and I personally had an experience last week where ah Oh, so that’s not just talking to talk right. It’s it’s not going to walk Tuesday morning. Uh I was trying to work and all of a sudden just like how like an anxiety attack which I’ve never had before. So it was really really weird for me uh just hold sweat, my palms were sweating and not my stomach. I felt I was good for what like jittery. It was really really

[00:03:35] Evan Francen: bizarre.

[00:03:36] Brad Nigh: Especially I’ve never uh you know with the first time you go through something like that it is off unsettling. So I just messaged Renee and said hey I just don’t have it, I can’t do it today, I’m sorry, no client meetings, there’s no client impact. I just have to take, I have to be with. So um I went out to the living room thinking you know maybe 15 in the office and work and it was just it was too much just with the kids and the dogs and I just couldn’t handle it. So I ended up going up into our bedroom and closed all the doors and turn off the lights. So it’s kind of a blackout um situation and funny enough so my son loves the cartoon Phineas and so we’ll have that on and it’s a really funny, it’s a good wholesome cartoon um and has like adult jokes and stuff that the kids don’t get. So we have that on a lot so it’s kind of like a calming background so I put that on the road very quietly so you can just barely hear it and just Basically from about 9 30 till 4 30 stayed up there and you know, just a lot of like thinking and self reflection, which you don’t do and it kind of came to the realization that, you know, hey, I recharged by being my climate itself, right? But that when she was a time in the car, that transition, I haven’t had that for a year and a half. Um You know, it’s basically been 24/7 with somebody here with you and don’t get me wrong, I love my family, but right, kind of, it just hit me, I was like, oh wow, okay. And you know, you, you gave me a call to make sure I was okay and I really appreciate that um, a couple’s kind of issues throughout the week and I kind of realized it was they were being triggered by a being having a video call. Like I could feel yeah building throughout the fall and I had to go up and like lay down and turn everything off for our or two afterwards, like it is back down to a normal level. 
So it was uh you know, I thought I had been thinking pretty good care of myself mentally and you are until you realize you’re not, so you know something, I’m going to make a very concerted effort, was talking with a couple other people and uh Megan actually gave me a uh okay, relaxation privacy retreat. So you can just go and in a couple of days and all inclusive the food and everything and have activities where you can just do nothing. So uh no, my wife is very supportive and it’s like I’m gonna do this when I need to do it good for you. You know how to do it. I can’t I don’t want to go through this. I have a whole new level of respect for people that deal with that anxiety on a daily basis because it’s Exactly,

[00:06:41] Evan Francen: well, I don’t think. And it just seems like it gets worse because I don’t our minds our bodies weren’t built for constant stimulation. Like constant, right? It seems like you’re getting bombarded all the time because I can relate to two things that you said. One is Uh huh. Not being able to find place by yourself. All right, I’m the same way I’m an introvert. I’m good with people, but they exhaust me and I need to have my recharge. Yeah. And if I don’t get that recharge, I am a mess. And so where I’ve run into that problem even here somewhat Because I came here and I’ve got no dog to distract me. I’ve got my my 16 year old daughter isn’t here. It’s just me and my wife and then she’s having contractors come in. But even then it’s like she’ll walk in the room and it’s like damn it. I had, you know, I had had some alone time and it’s not that I don’t love her and I don’t want to spend time with her. I do, I do. But I also got to just find a place to get away.

[00:07:46] Brad Nigh: Well, yeah, and even if they don’t say anything, like uh it was asking you, she’s like, hey, can I come in? I’m like, is you? And I was like, no thanks. It’s not even if you don’t say anything, it’s your there, it’s not you personally, but it’s I truly need isolation at this point, right? You know, and it really worked and and it’s good to kind of, you know, do that self reflection and take care of yourself because that I mean, especially with everything that’s been going on the last year and a half, I know I’m not alone. No, you’re not. I

[00:08:26] Evan Francen: am anxiety to it’s a it’s a it’s not an unhealthy amount. I think of anxiety, I think it’s because there’s healthy and unhealthy, right? Unhealthy is when it paralyzes you, when you have those panic attacks can’t manage it and there’s nothing there’s there’s obviously something wrong with it. There’s nothing wrong with you, right? I mean, that’s you have to get help for it because that’s why we’re all here, that’s why we’re on this planet, man. But I do have small, I have anxiety turning every time I turn on my video on a video call because I see myself, But I hide self view. That helps. But my daughter, I was telling you before we started the show, my 16 year old daughter, uh you know it was remote schooling, right? So schooling from home and she would be up in her room and her and new classes. And then we got a call from the principal saying, you know, we filed essentially and there was, I’m shortening this essentially the county is being brought in for troops. My daughter my true and see what the hell’s she talked to her all the time. She says school’s going well and she says that she’s in class every day and and all this stuff. Well it turns out that she would, she wasn’t classic day, but she wouldn’t turn on her video and in class if you didn’t turn on your video, you got mark this absence. And so I went out. So I talked to her. Why why don’t you turn on your video? It was complete, I mean it was sob. She was sobbing. She’s like, I can’t, it’s so much anxiety and so uh we have to work through that. We have to work through that with the school. You know, like don’t mark her as absent when she’s actually there or you see her name, the attendee list. She’s got anxiety about this and combine that with all the crap going on in the world. She used to go to school and see her friends in person every day, and now she doesn’t get to do that. She’s isolated in her own room, scared as hell about video. Mhm.

[00:10:29] Brad Nigh: Yeah. Well, and you know, it sounds like the school is willing to work with you guys on that, which is good. You wish you would have been a moment, may be more proactive talking to you versus like, oh, by the way, right, we’ve done this, But yeah, yeah, it’s us. Well, I uh I couldn’t I don’t know if I I don’t know how people do it. It’s I’ve been it’s been exhausting last week, like you said, it builds on itself because now, like looking at my calendar or like it starts getting in your head because then you’re like, oh well, this is going to happen again if I do you know what, what’s causing it? So it’s uh you got to talk about it, you can’t hold it in, it’s not healthy.

[00:11:15] Evan Francen: Exactly. And I think that’s the first, that’s the first step right in dealing with anything is to recognize that it’s there not don’t go with this denial thing and think, you know, don’t go with the stigma, The stigma kills man stigma such bullshit. It pisses me off because people don’t talk about, you know, suicidal thoughts. So they don’t talk about depression or they don’t talk about anxiety because they’re afraid of what other people are going to think of them, or uh you know, it’s taboo. It’s like, no, it’s not. We all got we all got minds,

[00:11:51] Brad Nigh: hey, you’re I mean it doesn’t matter what you’re feeling. There’s somebody else out there that can relate and understand what you’re going through. Like you’re not alone,

[00:12:02] Evan Francen: right? I think it’s important to remember. So we’re security people and this is a security podcast. I think it’s important for us to remember as security leaders, as CISOs, that the people that we’re talking to may be suffering, people on our teams might be suffering. And when you think about and we said it so many times that information security is not about information or security as much as it’s about people, people are the ones who suffer. People are the ones who, you know, typically cause a lot of our, you know, security incidents. Well, don’t you think you’re going to have more incidents if when people are suffering, when people aren’t thinking clearly they’re just clicking links or they’re like, what’s the use anyway? I don’t give a shit. Yes.

[00:12:46] Brad Nigh: Well, and you know, everybody, if you look at there’s advice, you know, watch for changes in employee behavior bobo. I don’t think I had any, it just hit me out of the book. I wasn’t even aware, you know, of what was going on until because you kind of the dam bro. So you know, the only thing I can say is be supportive if somebody goes through that, you know, Well you can do it. Yeah, don’t don’t eyes it even further like that’s gonna be, that’s only gonna make it worse and you’re gonna lose loyalty

[00:13:22] Evan Francen: 100% man. And you know, the fertile ground, the actual work happens well before somebody suffers or has an episode. Right? Because you’re right. A lot of times we won’t be able to tell in our interaction that you’re suffering. But if we have a culture here where we do love each other, we do care about each other. But you feel safe sharing those things, then then you will be more likely to say something when you do have an episode and not, you know what I mean? You’ll feel safe.

[00:13:53] Brad Nigh: Yeah. Yeah. And 100% support. Like there was no, no issues from sales or marketing or operations because I had to cancel meetings with internally with all those departments and didn’t really tell them why at the time. But it did go back and talk to him after the fact when I was functionally right. You know, they’re yeah, they all were like,

[00:14:21] Evan Francen: yeah, when I was grateful that Oscar X, I think you and Oscar are very close and Oscar had mentioned something to me and sometimes, you know, you’re like, well, you know, I don’t want to call him like yeah, of course I want to call because that’s part of the, as part of the Bs two is well I call that might be offended or I might make them angry with me or you know, like no call and then if they’re angry with you deal with that later because if you if you’re truly going through mental health things, you don’t wait. You

[00:14:56] Brad Nigh: know? Well, you know, you think about it from uh, and I would not say this with me. I was never like suicidal. I never had any of those sides. But my thing has always been Yeah. You might regret reaching out if they get upset with you, but that’ll in if you don’t reach out and they do kill themselves, you’ll never how do you ever forgive yourself for that? So I’d rather have than pissed and worked like you said that didn’t deal with him. Like I should have done something

[00:15:25] Evan Francen: right? So for the for the listeners, one of the things that we did as a company as a leadership team was Mental Health First Aid. But Google Mental Health First Aid. It was a fantastic course. I think we had we had a full class so we had to turn some people away in our own. But then I think we have another one later for others. Um what it talks about all these things, it was about four hours, was it?

[00:15:50] Brad Nigh: Yeah, like half a day. So it’s

[00:15:51] Evan Francen: Only four or 5 hours.

[00:15:54] Brad Nigh: Yeah, it was really working

[00:15:56] Evan Francen: every second.

[00:15:57] Brad Nigh: Yes, fully agree. And yeah, everyone else out there, like, like I said, mm really, really self aware. You know, I do focus on that stuff and I’ve opened up to you about some other, you know in the past. And man, they just caught me off guard so you know, going to happen.

[00:16:22] Evan Francen: Yeah, it’s caught me off guard too man when I last year when I went to Sturgis in the middle of the pandemic and so you had to deal with all the people who were judging on that regardless of whatever precautions you took, you know, because everybody seems to know whether you’re good or bad or not even knowing whether you’re good or bad. But the well it was when I came, my wife had been warning me that I just didn’t seem right and I got back from Sturgis and I sat there, I was like, oh my God, I didn’t realize how far I had slipped mentally. I was angry, I was depressed. Uh huh. Yeah. Yeah. Getting away. I’m excited to hear you know, after you get back from, from your long weekend, how things went and how you’re feeling.

[00:17:10] Brad Nigh: Yeah, yeah, we’re going up and up north, found a Having on 40 acres cabin itself as a mile and a half off the road. So about getting away, we’re you’re getting away.

[00:17:24] Evan Francen: I love it man. All right. So the next thing uh and yeah, so and you can reach out to me and Brad about these things if you feel comfortable, we can certainly plug in the right resources because this is, this does apply to us, superhero security people. We have mental health issues, just like everybody else does. So get, get the help you need. The next thing I want to talk about is you know, in our industry as security people, we do a lot of telling people what to do, a lot of it do this, do that, do this. I mean that’s why we have so many damn standards. So you have so many damn frameworks, we have so many damn compliance things, Do this, do this, do this. What we don’t do a very good job in is how. Great, I know I need an asset inventory. Tell me how. Uh huh. I know I need to deal with uh roles and responsibilities. I know I need to get the CEO on board or more involved. Tell me how. So I figured we’d spend a good part of today’s show talking through some of the tips and tricks that worked for us and then and some of things that worked out. Not so good maybe.

[00:18:38] Brad Nigh: Mhm. It’s funny that you mentioned that I was shadowing on a an assessment for one of the new people just kind of being there to provide support and they came up to the you know, do you have any sort of centralized asset management and I’m like no like I don’t know. We don’t know what do we have? I don’t know what like yours. And so you know uh mentioned it and it’s a product that I’ve used, Spiceworks right? And that’s actually, and then I was like, hey, you know, this is free, you know, depending on what information you have. There’s a cloud based one or they used to have an on prem that did cost a little bit, but nominal amount. Um, and it will centralize your hardware and software assets for you. It will go out and scan your subnets and tell you here’s what, here’s what I found. Here’s what’s on it. And they’re like, oh, okay, I’ll check that out. So, you know, I think not just saying, well you should have it, but you know, it’s like always come with a solution to the problem approach. Uh, you know, being able to not just tell them, hey, you should be doing this, but like you said, here’s how here here are some options. Look into these things. It’s not as simple as you think it probably are. You probably think it is

[00:20:01] Evan Francen: right. Yeah. But people don’t realize there’s oftentimes they’ll, because you can, you can do it manually to, I think, you know, it depends on how you want to go about like what other benefits can I get from doing asset inventories right? Let’s say I want to. Um, in terms and say maybe I’ll get interns, we want to entertain interns because interns are a great way to get staff later because you’ve already got that introduction to them. So even as something as simple and rudimentary as having an intern, you know, run around to every computer, you know what I mean? Write it down on a spreadsheet.

[00:20:42] Brad Nigh: That was my first job in IT. Was literally going around a college campus and writing down a room and the uh serial number of the computers in that room.

[00:20:54] Evan Francen: It seems because you know, we’re so advanced that you know, bar but the but that’s one thing and nothing is you’ll find a lot of times people will have tools in their environment already that they can leverage to do asset inventories. You know, if you’re doing vulnerability scanning, say Nessus for instance, well all those outputs right, if you export a .nessus file, it’s an XML file and you can easily parse that XML file because if you’re doing an authenticated scan, it will see every single thing you’ve got running on that computer.

[00:21:27] Brad Nigh: Yeah. Yeah. And yeah, but you know, again we had an issue with a Nessus file that it was a scan that their firewall had been set to reply on any type which is make uh I guess odds, odds okay, easy for you to say. Uh huh. So they only had like 250 300 devices and we didn’t catch it because it didn’t throw an error And it came out with like 2300 devices and so you can’t go back and re scan it and oh my gosh clearing that out, is that you just can’t do it. So there’s a really nice Perl script that parses that Nessus file into a phenomenal spreadsheet with exactly that host name, software installation. Just a ton of wealth of information.

[00:22:20] Evan Francen: Did you send me that Perl script? Yeah. Because I think we should make that available to anybody if you’re struggling with asset inventory and you’re doing Nessus scans here, run this Perl script and put it in a nice format for you. And I think another thing that people run into because I’ve heard this as excuses from other security because you do just have, I mean there are people who just don’t like to work. There’s always that right. I don’t want to asset inventory. Why and I’ll make a bunch of excuses and then we get down to the bottom of the bottom of it. You find out that you just don’t like work. You like a paycheck. You like paycheck. But my God, I didn’t know I’d have to actually do stuff.

[00:23:00] Brad Nigh: It’s hard work and they want to share the easy stuff. Yeah.

[00:23:05] Evan Francen: But you know one of the, and it’s not, sometimes it’s not an excuse it’s legitimately, I don’t know, is well as soon as I do the asset inventory, it’s changed. Yeah. And so okay, that’s fine. You’re not going to get a perfect out of the gate. You don’t go from having no asset inventory. You’re having a live updated asset inventory that’s always, you know, accurate. No, that’s a hell of a long time. Start with doing a basic asset inventory. Either manually using something like Spiceworks using something like Nessus with a Perl script that will pull it out whatever you need to get that first asset inventory, right? And if you can get it into a spreadsheet, you can get it into a database, right? I mean it’s that’s another step in the maturity and start quarterly. Yeah. And then reconcile these inventories. Right? So last quarter it said I had these things, why do I have 47 new devices on my network when we haven’t hired anybody new we haven’t made any purchases. You know, that’s an indicator. Maybe we got something bad happening Uh and vice versa, what happened to these 23? Is somebody walking out the back door with the systems? We don’t, I just don’t need because we would notice it. But that’s the beginning and you have to do that. And it’s frustrating because I don’t know how many people are trying to secure things. They don’t know they have it. Just logically that is a fallacy. You cannot protect things unless it’s by luck coincidence just, you know, I mean, you won’t be effective at protecting things. You don’t know. You have.

[00:24:45] Brad Nigh: Yeah. Yeah. And you know the me the next step or another easy win is inactive accounts, Right? So you know that that’s a big risk. Do you have accounts, you know, you’re expanding your exposure in your Active Directory that haven’t logged in and you know, same thing quarterly. I would run a PowerShell script that pulled the name, OU because the user was in their departmental OU, and the last login time, if it had to be greater than 90 days and every quarter started off and would send it because we tried to do it with management and never got really any buy in. So what I did is I sent it to the head of the business unit and said, can you confirm if these accounts are still needed? And you know, it was like The first time I ran it was like, I remember over 100 accounts because they hadn’t followed the process or HR hadn’t followed the process to alert. Mhm. You know, is to disable. And then to leave. And so kind of a happy compromise was, yeah. I would have preferred it if they hadn’t logged in in 30 days. But That’s the business’s risk. Appetite was 90. Okay. And then we disable, put it in an OU that stripped all permissions for six months and then deleted it. And they were happy with that. And I was at least happy that yeah, we got that taken care of it. But it took Yeah, Probably 3/4. And then we got it. What happening? It would be one or 2 maybe. Is they got tired of being asked why they weren’t following the process.

[00:26:31] Evan Francen: Right. And so, well, so many times you see people, you know uh you know when you do assessments or you do something they want remediation immediately. Right? So you go from, let’s say you you know, An easy quantification that we use obviously is the S2Score with SecurityStudio. Uh let’s see your 500. You know, you immediately want to go to 660. Okay? If that were possible, it would be cost prohibitive and it wouldn’t stick. Right? You’d be back here again very soon because it’s a maturing process and no two companies mature at the same speed. And I just got I just got a call um on Sunday from one of our large very good customers and I think they called me directly because we just have um you know, I guess that kind of relationship. But she called and said you know they’re under litigation. They had a breach a while back and opposing counsel is stuck on this thing about them having to disable SSL internally on all systems and it needs to be done within the next six months. This is a very large complex environment. And so you know, they wanted my opinion so they can go back to opposing counsel to talk about it. Number one is that we could pick anything. Right. Why did you pick SSL internal? Right. I mean I get it. It’s a risk but man, you got a lot more risks that are a lot more impactful than this one. You know, what are you thinking that there’s going to be a man in the middle because somebody compromised something internally? Well there’s your problem. How do they compromise? Whatever? And number two, how can you go in this environment? You have to basically drop everything. Which means it’s always give and take right. If I take my attention off of this thing and put it onto this thing we’ll no longer be paying attention to that thing. So if I if I drop everything and say all right, we’re gonna disable or eliminate SSL in the entire environment in the next six months. It’s unreasonable. Why not show progress? Why not go first? 
We have an inventory of all the places SSL is running in this environment. Do we even know what the scope of this is?

[00:28:41] Brad Nigh: Yeah. Well you know already, you know, figuring that out. I’m working on a road map and I was just looking that. So when I do these roadmaps, I do like a short term, this is your immediate things. Focus on these things first. A mid term. Like hey start planning for these. There’s probably gonna be software purchases that are gonna be needed and then long term is like okay, it’s down the road, but just be aware, you know, keep that in mind as you’re moving forward. Um and so I didn’t, I just drag and drop and then exported to Excel to give them. And I have 67 items in their short term that were 41 total of 41 points. And then there a midterm was 91 items six point you’ve seen there’s a lot more, but you know, it’s maybe not going to gain them as much. I mean the long term was 108 for like 37 points. But what you’ll see because, and I didn’t do it on purpose but short term has the shortest list and the cascades out which I like to do and not pay attention to because it’s kind of a sanity check for me say, Hey, they have, I put 200 things in their short term. Well that’s not

[00:30:06] Evan Francen: right.

[00:30:07] Brad Nigh: So what are the most important things?

[00:30:11] Evan Francen: Yeah. People lose track of that a lot and then Once you figure out what those are, then how to do them. So we we talked about one is asset management, asset inventory, the keys to that are you probably already have tools in your environment to at least get you started right to get your first asset inventory. Two. Um And when I’m talking assets, hardware, software and data, start with hardware and software, right? Data, we’re going to get there. It’s a maturity process, you know, but if I don’t know your your your data is running or controlled by the hardware and software. You don’t get that stuff figured out first. The data thing’s just a bigger mess. So get those things going. Look for tools in your own environment. We mentioned Spiceworks. We mentioned, uh, Nessus can do the same thing with Rapid7, same thing with OpenVAS, same thing with lots of different scanners.

[00:31:08] Brad Nigh: Yeah, there’s a ton of options. It’s just those are the ones personally that I’ve used. Right? So that’s, well, that’s what people do exactly. Well for you.

[00:31:18] Evan Francen: Right. And, and don’t worry about all the things that happened and the fact that your environment’s so damn dynamic and all that other stuff do it once do it again another month of the quarter if you have, you know, spare, you know, manpower, you can do more often. But eventually you build this thing where you will script it and it will be on all automatic and you will get just a report in your inbox that says, hey, these five things appeared yesterday that weren’t there before.

[00:31:49] Brad Nigh: Yeah, wow. I mean, yeah, it takes some skill to put that together and so there’s gonna be some trial and error. I mean, I know it didn’t work right the first few times that I did it or okay. It didn’t provide the information I was expecting right? You have to tweak it to get what you want. Um, yeah, it’s free. That’s the other thing. It’s not like this stuff costs you money, you can script PowerShell to run daily, any new assets, any new user accounts, any new computer accounts, any changes to group membership like it, you can do these things fairly easy. Oh there are tools out there as well that you know, are inexpensive. I’ve used several of them, you know, uh ManageEngine has some fantastic tools, especially management, you know, it’s not terribly expensive.

[00:32:48] Evan Francen: Well I think and one of the things we lose out on two because people like this instant gratification thing, so let’s go out and buy this cool new tool. It costs us, you know, $100,000 a year to do asset inventory when you could have done it all for free. And I understand it’s more work but there’s so much value, so much training value in so much of this work that you miss out on. When you go through these steps of scripting yourself. When you actually review the asset inventory yourself, when you troubleshoot, why certain things are showing up and other things are not showing up. When you go through all these processes, you make yourself so much of a better security person. If you just bought the damn commercial tool, plugged it in and push go,

[00:33:31] Brad Nigh: well it’s along the same concepts of why we don’t write policies for people, we coach them through it. If you if you do that work and you write this, you’re going to be intimately familiar with your environment, you own that environment, you just plug in a tool and let it do its thing. You don’t have that same sense of ownership. There’s not that same an activity I guess, uh, with what’s going on.

[00:33:57] Evan Francen: Well that becomes so, I mean nothing. I think people are so excited because when I have that intimate knowledge of my environment or at least a more intimate knowledge of my environment, it plays out so much better in detection. I can detect when things are off. I can detect when there’s an anomaly in the system. Computers only do what you tell them to do. Why is there more bandwidth today than yesterday? Because something is happening. Don’t just write it off, you know? So when, you know your environment more intimately you’re better at protection, you’re better at detection and you’re a lot better at response too because I can’t tell you how many times we do incident response and they’re like, oh, I didn’t even know I had that system. I didn’t, what does that do? I’m like, I don’t know. It’s your damn environment.

[00:34:42] Brad Nigh: Yeah. All the time. Like yeah, responses from this IP, what’s on it? I don’t know. Maybe you should go find out.

[00:34:55] Evan Francen: It’s your environment. It’s like, it’s like things in your own house, right? Like there’s this weird noise coming from the corner, you know, of this bedroom in my house, what is it? I don’t know. No, I guess it’s just the way the house is where, you know, open the door and find out what the hell is in

[00:35:13] Brad Nigh: there, right? You know, and your example of the bandwidth, I’ve personally gone through that. Our network guys identified a spike in bandwidth, and it turned out one of the healthiest staff had one of the retired computers and was running a, uh, like Pirate Bay torrent on it and downloading stuff, and we’re like, what, what, what, what is wrong with you? Um, right. You know, so, but if they hadn’t been paying attention, if they didn’t know that stuff, how long would that have gone? You know, and we think they caught it within like a week of him putting it on, which is really, is pretty, pretty good.

[00:35:56] Evan Francen: Right? Well, and part of your post-mortem, right? That’s why we do post-mortems on things, is it took a week. Is a week adequate, or should we narrow that down? And if you decide, again, you decide. Well, I think a lot of times you look for security people, help me, how quickly should I know, you know, should I become aware of that thing? It depends. I mean, in some cases, if you have a really high security environment where you have a very low risk tolerance and you know it’s not gonna get in the way of the business making money, well, maybe it’s instantaneous. Another case is maybe it’s a month. One of the things you never, one of the things you never want to be. And again, I can’t tell you how many incident responses I’ve been in where I get notified by somebody who’s not even part of our organization, that somebody external, whether it be the Secret Service or the FBI or law enforcement or God forbid a customer, tells me, hey, I think you’ve got a breach going on. How freaking embarrassing is that? Right?

[00:36:57] Brad Nigh: Yeah. You know, you don’t want that.

[00:36:59] Evan Francen: It’s like my mother coming into my house and you know, telling me how to no

[00:37:04] Brad Nigh: sorry. My house. Yeah. Yeah. You know, right. And that’s going back to what we were talking about with the CISO’s role. What is the organization’s risk tolerance? Do you want a daily report? You want instantaneous? You want weekly, you know what? And you know, it’s been a long time since this happened. But I think it would be, they caught it on a weekly report and that was, that was what the business was okay with. Okay. Also if anything happened in the past week, do you see in an all night,

[00:37:37] Evan Francen: One, another thing you just brought up is risk tolerance. We use that all the time. You got to figure out the business’s risk tolerance. So let’s go there, because we tell people that all the time and I think unfortunately few people actually know how to do that. So I’m gonna just go with what I do and then you can ask whatever part you want onto it. Because number one, if I’m ever going to figure out the business’s risk tolerance, I have to get the CEO on board with me. I’ve gotten to the point where, uh, if anybody were to come and ask me to be their vCISO, if I’m not reporting to the CEO, I’m not interested. I’m not willing to play a game that I can’t win. You want me to play the game? I can win. I will report to the CEO, because that’s the person who makes decisions, that’s the person who is ultimately responsible for information security in this organization. And I think one of the things we end up doing when you talk about trying to figure out risk tolerance is we don’t have these just hard, truthful discussions with other executives. I’m not asking the CEO to be in a weekly meeting with me. I’m not asking the CEO to invest hours and hours and hours and hours with me. What I’m asking the CEO is, this is how we’re going to do security. Are you okay with this? Would you like to be communicated with in a different way? So ideally what I want to, and I’m going to come, just like you said, with a suggestion already laid out. I’m not asking them to solve this problem for me. But I’m gonna say I want to give you a quantification of where you’re at, where you’re going, when you’re going to get there and how much it’s gonna cost you, all around security risk management, and then we can delegate from there. Right? What’s the next layer? You know, are you going to delegate security risk decisions to me? Not a good answer. What I want is security risk decisions delegated to our heads of business units, the owners of these systems that we’re trying to secure together. 
The good thing is, because a lot of times, oh, that’s more work they don’t want to get. Well, here’s the really, really cool, awesome advantage: you get autonomy, you get to call the shots, Mr. or Mrs. Head of Business Unit. You no longer have to hear from me telling you you can or can’t do anything. You get to choose what you do. Right.

[00:40:01] Brad Nigh: Yeah. And the one, I fully agree with that. And the one thing I think I’ve run into the most is them going okay, so what does that mean? How do we determine? What is risk times? And I think the example I’ve had the best response to is, uh, hey, it happened because it was a question of like, hey, how long should we, how often should we have to change passwords, if we have to? And my response is, how long are you willing to potentially have a breach if a user clicks something and gives access, rest? And they’re like, oh, right. Some places it’s 90 days like normal, others it’s like, you know, personally, maybe six months. Right? Yeah

[00:40:50] Evan Francen: It goes back to our job, right? As CISO I consult you on how to make good risk decisions and give you good risk information for that, and I implement those risk decisions. So your example that you just gave right there, I think it was awesome because they asked the question, you consulted on the answer. Now if you want my opinion, how many, you know, I would say 30 days, 50, whatever.

[00:41:18] Brad Nigh: Yeah, that’s my opinion. And the reality is, to me this is going back to the consulting, what’s the sensitivity of the data? What are we talking about? Right. Even if it’s an admin I still would do 30 days. Even within FAA, right. Whatever. Right? If it’s somebody that has no physical or no access to sensitive information, maybe it’s, uh, somebody who’s got email only, well, maybe then they can go longer.

[00:41:51] Evan Francen: Right. Well, and so when you say risk tolerance, so first it starts with the CEO, right? Or the board, and/or the board. You know, in some organizations you’ve got both, right, one holds the other accountable and all that other stuff. So but it starts there with a number, right? That’s why we use the S2 scores. All I want you to focus on is this number: this is where it’s at, this is where we’re planning on making it go, this is how much it’s gonna cost to make it go there, and this is when we’re going to get there. You just give them the four pieces of information, right, now they’re involved. And now when I come back the next quarter and I told you that by the end of this quarter we were going to be at 600, we’re only at 580. Now you can ask me and hold me accountable. Why didn’t you get to a 600? And now we can have a different discussion. Right? That’s the kind of interaction that happens, we want to happen, with the CEO. The business unit leader, they’ve got their own qualifications, but now we get more into the details, right? Give them more autonomy. The business unit leader might have their own IT department, they might have a business unit CISO that you work with. It takes them to the next levels, you know what I mean? It just all builds on top of itself. That’s how you figure out risk tolerance. Yeah.

[00:43:14] Brad Nigh: Uh huh. No argument from me. Right.

[00:43:18] Evan Francen: And so you can use constructs. One of the constructs we use, and you can use others, you can develop your own, I’ll tell you how to develop your own. The one that we developed is, you know, we use what’s called nested entities. Programmatically it’s a little bit newer, right? So we’re exploring this, for me personally, in the state of Iowa, state of North, uh, New Jersey and state of Minnesota, for all working on how to use nested entities to distribute this risk tolerance throughout the entire state. Right? But the way it works is really, really simple: identify what units you have in an organization, give them their own assessments that are the same as, or as close to the same as, the assessments you’re using in another place. So you can do apples to apples and do that roll-up for the CEO or the governor at the top.

[00:44:07] Brad Nigh: Yeah. I’m doing the same thing with an international customer. And you know, we didn’t start that way because we didn’t have that. That wasn’t really fleshed out. So we’re migrating to it. But I’m gonna do, you know, North America, we’re gonna do Europe, we’re gonna do Asia, we’re gonna do South America, as each of those areas has different expectations, different, you know, support. So let’s start at the top. Well, all these different ones in there and then roll it up and yeah. Yeah, exactly.

[00:44:44] Evan Francen: And then it also allows me to dig in deep so that the CEO, his CEOs are going, some CEOs are going to be much more involved than others, right? They have a ton of things on their plate. They’re running an entire organization, right? So that’s why I wanted to give you four things to focus on: where we’re at, where we’re going, when we’re getting there and how much it’s gonna cost. That’s it. Maybe if there’s a little more time, I can tell you what the most significant risk is we’re working on right now, or some significant event since last time we talked. That’s it. And then if they want to know why things are scored, if they ask and want to get more involved, and now I’ve got a dashboard, I can roll it out. Here’s your 50 entities that make up our company. This is what their security looks like. And they can say, well, why is that one red? Well, let’s go find out. So you know what I mean? Well, it’s red because they made these risk decisions. Okay. Do you agree or you don’t agree? Ultimately, I don’t, I do care, but I’m not going to get involved in that.

[00:45:42] Brad Nigh: Okay. Yeah. And you know, it’s like what you said, hey, they’re red because this is their risk tolerance. Well, maybe we have to, or segment them off, because there are other business units that can’t accept that level of risk and can’t be exposed to it

[00:45:59] Evan Francen: because there are

[00:46:00] Brad Nigh: consequences for those, but it is what it is.

[00:46:05] Evan Francen: Yeah. Yes sir. In today’s podcast, we’ve already talked about the type of communication that happens with the CEO, how to get, not necessarily how to get the CEOs, there isn’t one way to get a CEO’s attention and buy-in on security. Uh, it depends on your relationship. In some cases you’ll have a relationship with the CEO, in some cases you won’t have a relationship with the CEO. I’d be very wary of any place where I didn’t have at least a relationship with the CEO. Even if I don’t report to the CEO, which I wouldn’t, because I just told you I won’t do that work because it’s a losing game. I’m not gonna want to play it. But if I am not reporting to the CEO, that just happens to be the place I’m in, ask for 15 minutes a month. You know, ask your CEO for 15 minutes a month, meeting with the CEO. Or maybe you have a relationship with the CEO anyway, even though you report to the CIO. Whatever it takes, get a relationship, a nice working relationship. You’ll learn what motivates them, what doesn’t motivate them. You’ll learn how bought in they are in the mission of the organization. You’ll get from them, just in these conversations, and then you can start using their language that will resonate and be like, hey, remember that thing you talked about? This is how we can help that happen with security. And they’ll be like, hell yeah, I am

[00:47:37] Brad Nigh: right? And don’t stop there, do the same thing with the business heads, heads of the different business units. Whoever is making those risk decisions, have a good relationship with them. Yeah. It could be the no man, could be the “in the know” person. Yeah. We’ve talked about it, the “yes, but” approach

[00:48:00] Evan Francen: you know or I don’t know.

[00:48:02] Brad Nigh: Well, yeah. Yeah. I don’t know what we find out. Right? But get away from just saying no. This is never going to build a good relationship.

[00:48:13] Evan Francen: Well, it is funny how many times you and I, because I’ve seen it happen all the time with security people, that we get asked, what’s that? You know, what’s the top thing I should do? What’s the number one thing I should do? I don’t know. And I don’t know because we haven’t had that discussion. I don’t know your business. I don’t know what you do to make money. I don’t know what’s more important to you, your culture or making money, whether you’re a public company or a private company. I don’t know if you work in technology or you’re a bookstore. I mean, how the hell would I know? Let’s have a talk. Oh my gosh.

[00:48:47] Brad Nigh: So many times in the pre-sales process they get brought in because the customer wants to talk to an expert, not a salesperson. Which I totally understand. And I can’t tell you how many times I’ve been asked, okay, so what would be the first thing you would do, recommend, or nuts. And my, I don’t know. Universe assessment. But if not, let’s start there.

[00:49:09] Evan Francen: You know what we

[00:49:10] Brad Nigh: got. I don’t know what to tell you because I have no idea what you’re dealing with. Yeah.

[00:49:16] Evan Francen: And my, and my answer now is, that’s the first thing you would do? I’d take you out to lunch. You know, why would you take me out to lunch? I need to know you. I can’t consult you. I can’t tell you what’s good for you and what’s not good for you unless I have some time to diagnose what your problems are.

[00:49:33] Brad Nigh: Yeah. And that’s why we’ve kind of transitioned how we’re doing our vCISO engagements, right? We have been doing it where we did go into the full assessment, deliver it and then kind of really start kicking off the process. Well, yeah, but we’re, you know, it’s not, it’s not the best way. So now what we’ve done is we’re going to start with the estimate. It’s what, 60, 70 questions, something like that, high level. Just, hey, let’s get to know each other, you know, and I’m gonna get to learn the company and then I just understand that. So the first experience the customer now has is a two and a half hour, two hour meet and greet where I’m going to just ask you some questions, get to know how you work, how the company works, and then I can formulate and at least put together some sort of a plan. Yeah, it’s kind of along those same lines because we can’t really take people out to lunch at this point, but especially when they’re, you know, in different states. But it’s in concept,

[00:50:38] Evan Francen: right? And when we can take people out to lunch again, or we can have that opportunity. It’s, uh, with another thing I’ve been, I’ve been adding, which is kind of humorous, but it’s how I work. It’s like, what’s the first thing you do? Well, take you out to lunch, and you’ll know whether I like you or not by whether I pay or not. Yeah. I mean, if I bought your lunch, then I want to do more. Do you want to date? But if I didn’t buy your lunch, I’m probably not interested in dating anymore. But just another thing too, I mean, it’s everybody, you know, when you were to compare security to like dating, everybody wants to go from like I just met you to I want to have babies overnight, versus like I want to date a little bit, I want to get to know you, I want to do some things. You know what I mean? We might get to a point where we are going to break up because, you know, maybe the business changed and whatever, but it’s a long term relationship. It’s not a transactional thing. It’s frustrating. But anyway, it’s also good because hopefully some of our listeners got some good tidbits out of this, and if you want more about this, reach out to us. We don’t work like lawyers, you’re not gonna get a bill.

[00:51:51] Brad Nigh: Yeah, that’s why we’re not allowed to be in the truly in the sales process. We really like to come in and talk about the methodology.

[00:51:59] Evan Francen: Yeah. Sometimes people skirt the process because they figured me out. And so, uh, what is it next? On Sunday I start a three part training series, uh, for women’s cyber tutu. It’s three 2-hour sessions and we’re going to hack ourselves. Very cool. Yes. New, new, new people getting into the industry, helping them transition and learn some of the basics. I know networks, so we’re gonna start with networks. Uh huh. That’s good stuff. Right? So we got a couple of news things that I wanted to talk about quick and then we can wrap this sucker up. One of the things I thought was interesting, so this comes from CNET and the title is “Hacker returns all $610 million in cryptocurrency stolen in cyber attacks.” Interesting.

[00:52:57] Brad Nigh: Yeah, I saw that and I was just like, I don’t know what how,

[00:53:04] Evan Francen: Okay, right. I’m gonna go out and share the screen because I think if people actually watch, uh, watch this online, or I think, don’t we have 800,000 people a month that listen or download? But I don’t know how many people actually watch it, but if you do watch it, I’m going to put it on the screen. I always forget that we do that. We have people watching too. So I’m gonna share my whole screen. So if you want to see some security stuff, maybe steal my identity or something, feel free. But I’m on an iPad, so this is how we’re gonna roll. This is the, uh, the article: “Hacker returns all $610 million in cryptocurrency stolen in cyber attacks.” The attackers, guy, the attacker’s name is Mr. White Hat. Never heard of him. Have you? Oh

[00:53:56] Brad Nigh: but uh so weird.

[00:54:01] Evan Francen: Yeah, it is weird. So this cryptocurrency theft appeared, or happens, as you can see, the Poly Network, a decentralized finance platform, sometimes called DeFi, 610 million or $600 million cryptocurrency stolen through a code vulnerability. So the attacker finds the vulnerability, steals lots of money: 273 million in Ethereum tokens, 253 million in Binance Smart Chain and 85 million USDC, ah, from the Polygon network. Mr. White Hat then returned them all. Almost immediately after he stole the money, he started returning the funds piecemeal. Uh, eventually all the funds were returned. I thought it was kind of, his quote at the end: “My actions, which may be considered weird, are my efforts to contribute to the security of the Poly project in my personal style.”

[00:55:06] Brad Nigh: Yeah, I mean, yes, he got his message across and at the end of the day, uh, there was no, you know, loss for the people, right? The users. So it works. Yeah. It is weird

[00:55:26] Evan Francen: quitting the show. He says he’s quitting the show. I don’t know if he or she will, Mr. White Hat, I’m guessing, to hear that. Ah, yeah, I don’t know who this is. I suppose, you know, you go about trying to figure out this maybe, but I think it’s interesting. I don’t have enough time to do that anyway. Um, yeah, I don’t know, would you do the same? I guess I wouldn’t, I wouldn’t have taken the money to begin with because I can’t mess around with that. You know, there’s just too many people that rely on me making better decisions than that.

[00:56:00] Brad Nigh: Yeah I agree. I can’t say that. I would because I wouldn’t have taken the money to start with. Yeah.

[00:56:10] Evan Francen: Yes. I think we would have never gone down this path to begin with. But in a way it’s kind of like, I don’t know what to think either. I mean, I don’t, it’s definitely illegal, right? You don’t break into computer systems and do these things without permission, regardless of whether you put it back, the fact that you were there makes it illegal. Uh, but it’s not really, is it immoral? Maybe unethical? Yeah. Minutes.

[00:56:41] Brad Nigh: It’s kind of a conundrum. It’s a fine line.

[00:56:46] Evan Francen: So anyway I thought that was interesting and that just happened not that long ago in the last few days.

[00:56:53] Brad Nigh: Yeah the news broke yesterday or at least that’s the first time I’ve seen it

[00:56:58] Evan Francen: show the State Department, uh, this is the next news thing. The State Department reportedly hit by a serious cyber attack. This happened a while back and, um, wasn’t reported. I don’t think anybody really even noticed that happened. Um, and we don’t know anything about it. So it’s just, we know that the State Department allegedly was hit by a serious cyber attack. It doesn’t seem to have disrupted anything. It doesn’t seem as though they necessarily lost anything. But they’re also not, there’s zero transparency on what actually took place and who’s affected. So we do know that the State Department itself, though, in the A, B, C, D ratings that they do every so often, that the last time they were a D. Nothing. So I don’t know, I don’t think the government is very good at protecting their stuff because it’s too damn complicated. I think they got a big, big, big time ego problem. They’re still there, man?

[00:58:12] Brad Nigh: You hear me? Yeah. Well sure sure it was gone.

[00:58:25] Evan Francen: I don’t know I’m going to keep talking and if you chime in you chime in

[00:58:33] Brad Nigh: is that better?

[00:58:34] Evan Francen: Little bit? Okay We’ll continue.

[00:58:37] Brad Nigh: Okay. Yeah I’ve been having issues with the technology issues with the new computer. So yeah.

[00:58:43] Evan Francen: Yeah technology. So did you have anything to say about the State Department attack?

[00:58:49] Brad Nigh: No just I mean not surprising. Yeah.

[00:58:53] Evan Francen: Yeah. Yeah. And the thing that the government is on, the kick that the government is on today, which is, I don’t know, we will probably do another podcast about it, is the JCDC. You know, I had to swallow my vomit a little bit on that one. Um, if you go with the JCDC, although sort of what I’m talking about, 10 minutes, a partnership, a collaboration between CISA, which is the Department of Homeland Security, uh, and there, they want to actually, just even the thinking that you can possibly secure everybody is so ludicrous. But that’s essentially what they’re trying to do, and I don’t think that they’re trying to do it to actually secure anybody. I think they’re doing it to try to get control of things. Difference. You know, there’s a difference there, but I don’t trust the government to secure my stuff because the government can’t secure their own stuff. So. Yeah. Yeah, mm. Get your house in order. The last one I thought was kind of cool because these deepfake things are going to become more and more and more, uh, common. So this is from PCMag: Bruce Willis deepfake to star in Russian TV ads.

[01:00:16] Brad Nigh: That’s interesting. I saw something that Val Kilmer did it, uh, in that jockeys memory, because he has voice issues after he had cancer, I guess, and he was okay with it. But yeah, that’s, it’s gonna be interesting to see how this plays out.

[01:00:35] Evan Francen: Yeah. But yeah, I mean, the tech has come so far that it’s almost, well, to the naked eye, even a trained eye, you can’t tell. No, I mean, you have to really break it down almost pixel by pixel to notice, but they’ve got the ad actually there. I haven’t watched it yet. Um, yeah, pretty soon you’ll see your favorite celebrity, well, you know, if you’re into pornography, you’ll see them starring in porn films, you know, when they’re not, it’s not really them. We’ll see how all this plays out. It’s going to be weird. Yeah, I agree. Once, just once again, you know, society adopts technology way faster than our ability to secure it and certainly way faster than our ability to use it responsibly. And this is another example of where this is heading. It’s going to get nasty. Yeah.

[01:01:36] Brad Nigh: Oh yeah. Yeah, it can easily be weaponized.

[01:01:41] Evan Francen: Oh God and it will be for sure for human beings between a lot. All right man that’s all I got any shout outs.

[01:01:48] Brad Nigh: Yeah I’ll give a shout out to my wife for putting up with me the last week.

[01:01:52] Evan Francen: That’s gonna be a huge shout out. I mean it’s got to be like the biggest shot up shot out. Yeah

[01:01:58] Brad Nigh: and she started her new job today so that’s

[01:02:00] Evan Francen: excited about her. You do have a wonderful wife. She’s a true a true gem man. I mean she’s in the perfect job to you know being a nurse because she just yeah, she’s amazing. She’s yeah, I just do every time. Every time I see her it’s like I always feel welcome. Yeah.

[01:02:21] Brad Nigh: Yeah, just yeah, I’m not gonna argue

[01:02:25] Evan Francen: seriously, man. We had, we had dinner, you know, a few weeks ago at your place, man, you walk in and it’s like, yeah, we’re like, we’re part of the family. It’s awesome. But we try. Yeah, I’m going to give a shout out to, uh, Kevin, believe it or not, Kevin North. Uh, which is weird. It almost pains me to do so. Uh, but he’s been very supportive. Uh, he’s been a huge help in us getting through the legal contract stuff in the state of New Jersey for SecurityStudio. And I had a really good attitude lately. All right, that’s it. So, we’ll see you next week, will you? You’ll be back what, Tuesday

[01:03:05] Brad Nigh: ish.

[01:03:09] Evan Francen: Have the greatest time ever. Make memories, take your phone, crack it in half. I’ll buy your new only get back.

[01:03:16] Brad Nigh: Yeah, we’re gonna kind of lock him up and we got a bunch of board games and some movies. It does look like it’s going to be rainy. So I’m super excited to watch baseball because he loves Star Wars and it’s one of my favorite movies. So he was wrapping up with the trailer. So we’re gonna spend some time together off electronics and yeah.