Transcription of podcast episodes.

In this episode, Evan and Brad conduct a mental health check-in and have a candid discussion about their own struggles. They also discuss the first foundational steps in building a cybersecurity program, with less "what to do" and more "how to do". In the news this week, a cryptocurrency hacker returns $260 million in stolen funds, and the State Department is hit by a cyberattack amid the Afghan evacuation.


Podcast Transcription:

[00:00:23] Evan Francen: All right. Welcome listeners. Welcome to episode 144 of the UNSECURITY Podcast. The date is August 24, 2021. And joining me as usual is my awesome friend, Brad Nigh. Hi Brad.

[00:00:36] Brad Nigh: Yeah. What’s uh does this sound like the background behind you? Yeah, it doesn’t

[00:00:43] Evan Francen: suck. Uh, I'm down here in Mexico again. Marlys came down here to do work on the house, to get it ready for rental, and she was going to come by herself and I didn't feel comfortable about that at the beginning. And then I didn't make the decision until like two days before she was leaving that I'm going to go with, because I found tickets for $250.

[00:01:08] Brad Nigh: Yeah, it's better there than here. We've had like three bad thunderstorms in the last five or six hours now. That's different

[00:01:17] Evan Francen: when it's rainy season here. So it rained almost all day yesterday. But I told Marlys I'm coming down for like support and I'm going to work. So I have zero. Uh, the interest me and her. I don't have any distractions. So you know, no dogs, no cats. All right. I don't have cats and no kids.

[00:01:38] Brad Nigh: And I mean, well, kind of a nice a way, but good for you to get away. Even if you’re still working just to change up that environment.

[00:01:47] Evan Francen: All right. And that that is a good segue because you’re going on PTO tomorrow. Yes. Much needed. Much deserved. Ah I think a lot of times my PTO is like you said it’s working in different locations. It almost doesn’t even feel like I’m working because the scenery is different,

[00:02:07] Brad Nigh: right? Yeah. You know, and tomorrow it will be the first time I'm leaving the house for more than like two nights since April of '19, because we had our vacation, our big vacation, last year scheduled for the first week of April. And obviously that didn't happen. So I tried a couple of like one night tonight, Prince, that's it. Other than that I haven't left the house and it definitely wears on you.

[00:02:38] Evan Francen: I'm glad you're getting that time away. One of the things we were talking about, because we all struggle with stuff and you know, we're very pro mental health at FRSecure and at SecurityStudio. Your mind first, right? I mean, it's not right. It can be torture for somebody who's suffering through those things. You're not going to get good work done anyway. So

[00:03:01] Brad Nigh: yeah, mind first.

[00:03:03] Evan Francen: Always.

[00:03:04] Brad Nigh: Well and you know, we talked about it and I personally had an experience last week where, oh, so that's not just talking the talk, right. It's walking the walk. Tuesday morning I was trying to work and all of a sudden just like had an anxiety attack, which I've never had before. So it was really really weird for me, just cold sweat, my palms were sweating and my stomach. I felt like jittery. It was really really

[00:03:35] Evan Francen: bizarre.

[00:03:36] Brad Nigh: Especially, you know, the first time you go through something like that it is unsettling. So I just messaged Renee and said hey, I just don't have it, I can't do it today, I'm sorry, no client meetings, there's no client impact. I just have to take, I have to be with. So I went out to the living room thinking, you know, maybe 15 in the office and work, and it was just too much, just with the kids and the dogs, and I just couldn't handle it. So I ended up going up into our bedroom and closed all the doors and turned off the lights. So it's kind of a blackout situation, and funny enough, my son loves the cartoon Phineas and Ferb, so we'll have that on and it's a really funny, it's a good wholesome cartoon and has like adult jokes and stuff that the kids don't get. So we have that on a lot, so it's kind of like a calming background, so I put that on very quietly so you can just barely hear it, and basically from about 9:30 till 4:30 stayed up there and, you know, just a lot of like thinking and self reflection, which you don't do, and it kind of came to the realization that, you know, hey, I recharge by being my climate itself, right? But that when she was a time in the car, that transition, I haven't had that for a year and a half. You know, it's basically been 24/7 with somebody here with you, and don't get me wrong, I love my family, but right, kind of, it just hit me, I was like, oh wow, okay. And you know, you gave me a call to make sure I was okay and I really appreciate that. A couple of kind of issues throughout the week, and I kind of realized they were being triggered by having a video call. Like I could feel it building throughout the call and I had to go up and like lay down and turn everything off for an hour or two afterwards, until it is back down to a normal level.
So it was, you know, I thought I had been taking pretty good care of myself mentally, and you are until you realize you're not. So you know something, I'm going to make a very concerted effort. I was talking with a couple other people and Megan actually gave me a, okay, relaxation privacy retreat. So you can just go in for a couple of days, and it's all inclusive, the food and everything, and have activities where you can just do nothing. So no, my wife is very supportive and it's like, I'm going to do this when I need to do it. Good for you. You know how to do it. I can't, I don't want to go through this. I have a whole new level of respect for people that deal with that anxiety on a daily basis because it's, exactly,

[00:06:41] Evan Francen: well, I don't think. And it just seems like it gets worse because I don't, our minds, our bodies weren't built for constant stimulation. Like constant, right? It seems like you're getting bombarded all the time, because I can relate to two things that you said. One is not being able to find a place by yourself. All right, I'm the same way. I'm an introvert. I'm good with people, but they exhaust me and I need to have my recharge. Yeah. And if I don't get that recharge, I am a mess. And so where I've run into that problem even here somewhat, because I came here and I've got no dog to distract me. My 16 year old daughter isn't here. It's just me and my wife, and then she's having contractors come in. But even then it's like she'll walk in the room and it's like, damn it, I had, you know, I had had some alone time, and it's not that I don't love her and I don't want to spend time with her. I do, I do. But I also got to just find a place to get away.

[00:07:46] Brad Nigh: Well, yeah, and even if they don't say anything, like, my wife was asking, she's like, hey, can I come in? And I was like, no thanks. It's not, even if you don't say anything, it's you're there, it's not you personally, but I truly need isolation at this point, right? You know, and it really worked, and it's good to kind of, you know, do that self reflection and take care of yourself, because I mean, especially with everything that's been going on the last year and a half, I know I'm not alone. No, you're not. I

[00:08:26] Evan Francen: have anxiety too. It's not an unhealthy amount, I think, of anxiety. I think it's because there's healthy and unhealthy, right? Unhealthy is when it paralyzes you, when you have those panic attacks, can't manage it, and there's obviously something wrong with it. There's nothing wrong with you, right? I mean, you have to get help for it because that's why we're all here, that's why we're on this planet, man. But I do have small, I have anxiety every time I turn on my video on a video call because I see myself. But I hide self view. That helps. But my daughter, I was telling you before we started the show, my 16 year old daughter, you know, it was remote schooling, right? So schooling from home, and she would be up in her room in her classes. And then we got a call from the principal saying, you know, we filed, essentially, and there was, I'm shortening this, essentially the county is being brought in for truancy. My daughter, my truancy, and I'm like, what the hell, I talk to her all the time. She says school's going well and she says that she's in class every day and all this stuff. Well, it turns out that she was in class each day, but she wouldn't turn on her video, and in class if you didn't turn on your video, you got marked as absent. And so I went out, so I talked to her. Why don't you turn on your video? It was complete, I mean she was sobbing. She's like, I can't, it's so much anxiety, and so we have to work through that. We have to work through that with the school. You know, like don't mark her as absent when she's actually there, or you see her name in the attendee list. She's got anxiety about this, and combine that with all the crap going on in the world. She used to go to school and see her friends in person every day, and now she doesn't get to do that. She's isolated in her own room, scared as hell about video. Mhm.

[00:10:29] Brad Nigh: Yeah. Well, and you know, it sounds like the school is willing to work with you guys on that, which is good. You wish they would have been maybe more proactive talking to you versus like, oh, by the way, right, we've done this. But yeah, it's us. Well, I don't know how people do it. It's been exhausting the last week. Like you said, it builds on itself, because now, like looking at my calendar, it starts getting in your head, because then you're like, oh well, this is going to happen again if I do, you know, what's causing it? So you got to talk about it, you can't hold it in, it's not healthy.

[00:11:15] Evan Francen: Exactly. And I think that's the first step, right, in dealing with anything, is to recognize that it's there. Don't go with this denial thing and think, you know, don't go with the stigma. The stigma kills, man. Stigma is such bullshit. It pisses me off because people don't talk about, you know, suicidal thoughts. So they don't talk about depression or they don't talk about anxiety because they're afraid of what other people are going to think of them, or, you know, it's taboo. It's like, no, it's not. We all got minds,

[00:11:51] Brad Nigh: hey, you’re I mean it doesn’t matter what you’re feeling. There’s somebody else out there that can relate and understand what you’re going through. Like you’re not alone,

[00:12:02] Evan Francen: right? I think it's important to remember. So we're security people and this is a security podcast. I think it's important for us to remember as security leaders, as CISOs, that the people that we're talking to may be suffering, people on our teams might be suffering. And when you think about it, and we've said it so many times, information security is not about information or security as much as it's about people. People are the ones who suffer. People are the ones who, you know, typically cause a lot of our security incidents. Well, don't you think you're going to have more incidents when people are suffering, when people aren't thinking clearly, they're just clicking links or they're like, what's the use anyway? I don't give a shit. Yes.

[00:12:46] Brad Nigh: Well, and you know, everybody, if you look at it, there's advice, you know, watch for changes in employee behavior, blah blah. I don't think I had any, it just hit me out of the blue. I wasn't even aware, you know, of what was going on until, because you kind of, the dam broke. So you know, the only thing I can say is be supportive if somebody goes through that. You know, well, you can do it. Yeah, don't ostracize it even further, like that's only going to make it worse and you're going to lose loyalty

[00:13:22] Evan Francen: 100% man. And you know, the fertile ground, the actual work happens well before somebody suffers or has an episode. Right? Because you're right. A lot of times we won't be able to tell in our interaction that you're suffering. But if we have a culture here where we do love each other, we do care about each other, where you feel safe sharing those things, then you will be more likely to say something when you do have an episode, you know what I mean? You'll feel safe.

[00:13:53] Brad Nigh: Yeah. Yeah. And 100% support. Like there were no issues from sales or marketing or operations, because I had to cancel meetings internally with all those departments and didn't really tell them why at the time. But I did go back and talk to them after the fact when I was functional, right. You know, they all were like,

[00:14:21] Evan Francen: yeah, I was grateful that Oscar X, I think you and Oscar are very close, and Oscar had mentioned something to me, and sometimes, you know, you're like, well, I don't want to call him. Like, yeah, of course I want to call, because that's part of the, it's part of the Bs two is, well, if I call they might be offended or I might make them angry with me. Like, no, call, and then if they're angry with you, deal with that later, because if you're truly going through mental health things, you don't wait. You

[00:14:56] Brad Nigh: know? Well, you know, you think about it from, and I would not say this with me, I was never like suicidal, I never had any of those signs. But my thing has always been, yeah, you might regret reaching out if they get upset with you, but if you don't reach out and they do kill themselves, how do you ever forgive yourself for that? So I'd rather have them pissed and work through it, like you said, than deal with, like, I should have done something

[00:15:25] Evan Francen: right? So for the listeners, one of the things that we did as a company, as a leadership team, was Mental Health First Aid. Google Mental Health First Aid. It was a fantastic course. I think we had a full class, so we had to turn some people away in our own. But then I think we have another one later for others. What it talks about is all these things. It was about four hours, was it?

[00:15:50] Brad Nigh: Yeah, like half a day. So it’s

[00:15:51] Evan Francen: Only four or 5 hours.

[00:15:54] Brad Nigh: Yeah, it was really working

[00:15:56] Evan Francen: every second.

[00:15:57] Brad Nigh: Yes, fully agree. And yeah, everyone else out there, like I said, I'm really, really self aware. You know, I do focus on that stuff and I've opened up to you about some other stuff in the past. And man, it just caught me off guard, so you know, it's going to happen.

[00:16:22] Evan Francen: Yeah, it's caught me off guard too, man. Last year when I went to Sturgis in the middle of the pandemic, so you had to deal with all the people who were judging on that regardless of whatever precautions you took, you know, because everybody seems to know whether you're good or bad without even knowing whether you're good or bad. But the, well, it was when I came back, my wife had been warning me that I just didn't seem right, and I got back from Sturgis and I sat there, I was like, oh my God, I didn't realize how far I had slipped mentally. I was angry, I was depressed. Yeah. Yeah. Getting away. I'm excited to hear, you know, after you get back from your long weekend, how things went and how you're feeling.

[00:17:10] Brad Nigh: Yeah, yeah, we're going up north, found a cabin on 40 acres, the cabin itself is a mile and a half off the road. So talk about getting away, we're getting away.

[00:17:24] Evan Francen: I love it, man. All right. So the next thing, and yeah, so you can reach out to me and Brad about these things if you feel comfortable, we can certainly plug in the right resources, because this does apply to us superhero security people. We have mental health issues, just like everybody else does. So get the help you need. The next thing I want to talk about is, you know, in our industry as security people, we do a lot of telling people what to do. A lot of: do this, do that, do this. I mean that's why we have so many damn standards, so many damn frameworks, we have so many damn compliance things. Do this, do this, do this. What we don't do a very good job in is how. Great, I know I need an asset inventory. Tell me how. I know I need to deal with roles and responsibilities. I know I need to get the CEO on board or more involved. Tell me how. So I figured we'd spend a good part of today's show talking through some of the tips and tricks that worked for us, and some things that worked out not so good, maybe.

[00:18:38] Brad Nigh: Mhm. It's funny that you mentioned that. I was shadowing on an assessment for one of the new people, just kind of being there to provide support, and they came up to the, you know, do you have any sort of centralized asset management? And I'm like, no, like I don't know. We don't know what we have. And so I mentioned a product that I've used, Spiceworks, right? And then I was like, hey, you know, this is free, depending on what information you have. There's a cloud-based one, or they used to have an on-prem that did cost a little bit, but a nominal amount. And it will centralize your hardware and software assets for you. It will go out and scan your subnets and tell you here's what I found, here's what's on it. And they're like, oh, okay, I'll check that out. So, you know, I think not just saying, well, you should have it, but it's like the always-come-with-a-solution-to-the-problem approach. Being able to not just tell them, hey, you should be doing this, but like you said, here's how, here are some options, look into these things. It's not as simple as you probably think it is

[00:20:01] Evan Francen: right. Yeah. But people don't realize there's, oftentimes, because you can do it manually too. I think, you know, it depends on how you want to go about it, like what other benefits can I get from doing asset inventories, right? Let's say I want to take on interns. We want to entertain interns because interns are a great way to get staff later, because you've already got that introduction to them. So even something as simple and rudimentary as having an intern, you know, run around to every computer, you know what I mean, write it down on a spreadsheet.

[00:20:42] Brad Nigh: That was my first job in IT, was literally going around a college campus and writing down the room and the serial number of the computers in that room.

[00:20:54] Evan Francen: It seems, because you know, we're so advanced that, you know, but that's one thing. And another thing is you'll find a lot of times people will have tools in their environment already that they can leverage to do asset inventories. You know, if you're doing vulnerability scanning, say Nessus for instance, well, all those outputs, right, if you export a .nessus file, it's an XML file, and you can easily parse that XML file, because if you're doing an authenticated scan, it will see every single thing you've got running on that computer.

[00:21:27] Brad Nigh: Yeah. Yeah. And yeah, but you know, again we had an issue with a .nessus file where it was a scan that their firewall had been set to reply on any type, which is, I guess, odd. Okay, easy for you to say. So they only had like 250, 300 devices and we didn't catch it because it didn't throw an error, and it came out with like 2300 devices, and so you can't go back and re-scan it, and oh my gosh, clearing that out, you just can't do it. So there's a really nice Perl script that parses that .nessus file into a phenomenal spreadsheet with exactly that: hostname, software installed. Just a ton, a wealth of information.

[00:22:20] Evan Francen: Did you send me that Perl script? Yeah. Because I think we should make that available to anybody. If you're struggling with asset inventory and you're doing Nessus scans here, run this Perl script and it puts it in a nice format for you. And I think another thing that people run into, because I've heard this as excuses from other security people, because you do just have, I mean there are people who just don't like to work. There's always that, right. I don't want to do asset inventory. Why? And they'll make a bunch of excuses, and then we get down to the bottom of it and you find out that you just don't like work. You like a paycheck. But my God, I didn't know I'd have to actually do stuff.

[00:23:00] Brad Nigh: It's hard work and they want to do the easy stuff. Yeah.

[00:23:05] Evan Francen: But you know, one of the, and sometimes it's not an excuse, it's legitimately, I don't know. Well, as soon as I do the asset inventory, it's changed. Yeah. And so okay, that's fine. You're not going to get it perfect out of the gate. You don't go from having no asset inventory to having a live, updated asset inventory that's always accurate. No, that's a hell of a long time. Start with doing a basic asset inventory. Either manually, using something like Spiceworks, using something like Nessus with a Perl script that will pull it out, whatever you need to get that first asset inventory, right? And if you can get it into a spreadsheet, you can get it into a database, right? I mean, that's another step in the maturity. And start quarterly. Yeah. And then reconcile these inventories. Right? So last quarter it said I had these things, why do I have 47 new devices on my network when we haven't hired anybody new, we haven't made any purchases? You know, that's an indicator. Maybe we got something bad happening. And vice versa, what happened to these 23? Is somebody walking out the back door with the systems? We don't, I just don't need, because we would notice it. But that's the beginning and you have to do that. And it's frustrating because I don't know how many people are trying to secure things they don't know they have. Just logically that is a fallacy. You cannot protect things unless it's by luck, coincidence. I mean, you won't be effective at protecting things you don't know you have.

[00:24:45] Brad Nigh: Yeah. Yeah. And you know, the next step, or another easy win, is AD accounts. Right? So you know that that's a big risk. Do you have accounts, you know, you're expanding your exposure in your Active Directory, that haven't logged in? And same thing, quarterly, I would run a PowerShell script that pulled the name, the OU, because the user was in their departmental OU, and the last login time, and it had to be greater than 90 days, and every quarter started off and would send it, because we tried to do it with management and never got really any buy-in. So what I did is I sent it to the head of the business unit and said, can you confirm if these accounts are still needed? And you know, the first time I ran it, I remember over 100 accounts, because they hadn't followed the process, or HR hadn't followed the process to alert, you know, to disable, when people leave. And so kind of a happy compromise was, yeah, I would have preferred it if they hadn't logged in in 30 days. But the business's risk appetite was 90. Okay. And then we disabled it, put it in an OU that stripped all permissions for six months, and then deleted it. And they were happy with that. And I was at least happy that, yeah, we got that taken care of. But it took, yeah, probably three quarters. And then we got it to what, it would be one or two maybe, as they got tired of being asked why they weren't following the process.

[00:26:31] Evan Francen: Right. And so, well, so many times you see people, you know, when you do assessments or you do something, they want remediation immediately. Right? So you go from, let's say, an easy quantification that we use obviously is the S2Score with SecurityStudio. Let's say you're at 500. You immediately want to go to 660. Okay? If that were possible, it would be cost prohibitive and it wouldn't stick. Right? You'd be back here again very soon, because it's a maturing process and no two companies mature at the same speed. And I just got a call on Sunday from one of our large, very good customers, and I think they called me directly because we just have, you know, I guess that kind of relationship. But she called and said, you know, they're under litigation. They had a breach a while back and opposing counsel is stuck on this thing about them having to disable SSL internally on all systems, and it needs to be done within the next six months. This is a very large, complex environment. And so, you know, they wanted my opinion so they can go back to opposing counsel to talk about it. Number one is that we could pick anything. Right. Why did you pick SSL internally? Right. I mean, I get it. It's a risk, but man, you got a lot more risks that are a lot more impactful than this one. You know, what are you thinking, that there's going to be a man in the middle because somebody compromised something internally? Well, there's your problem. How did they compromise whatever? And number two, how can you, in this environment, basically drop everything? Which means, it's always give and take, right. If I take my attention off of this thing and put it onto this thing, we're no longer paying attention to that thing. So if I drop everything and say, all right, we're going to disable or eliminate SSL in the entire environment in the next six months, it's unreasonable. Why not show progress? Why not go first?
Do we have an inventory of all the places SSL is running in this environment? Do we even know what the scope of this is?

[00:28:41] Brad Nigh: Yeah. Well, you know, already figuring that out. I'm working on a roadmap and I was just looking at that. So when I do these roadmaps, I do like a short term: these are your immediate things, focus on these things first. A mid-term: like hey, start planning for these, there's probably going to be software purchases that are going to be needed. And then long term is like, okay, it's down the road, but just be aware, you know, keep that in mind as you're moving forward. And so I just drag and drop and then export to Excel to give them. And I have 67 items in their short term that were 41, a total of 41 points. And then their mid-term was 91 items, six point, you've seen there's a lot more, but you know, it's maybe not going to gain them as much. I mean the long term was 108 for like 37 points. But what you'll see, and I didn't do it on purpose, is the short term has the shortest list and it cascades out, which I like to do and pay attention to, because it's kind of a sanity check for me to say, hey, if I put 200 things in their short term, well, that's not

[00:30:06] Evan Francen: right.

[00:30:07] Brad Nigh: So what are the most important things?

[00:30:11] Evan Francen: Yeah. People lose track of that a lot, and then once you figure out what those are, then how to do them. So we talked about one, asset management, asset inventory. The keys to that are, one, you probably already have tools in your environment to at least get you started, right, to get your first asset inventory. Two, when I'm talking assets, hardware, software and data, start with hardware and software, right? Data, we're going to get there. It's a maturity process, you know, but your data is running on or controlled by the hardware and software. If you don't get that stuff figured out first, the data thing is just a bigger mess. So get those things going. Look for tools in your own environment. We mentioned Spiceworks. We mentioned Nessus. You can do the same thing with Rapid7, same thing with OpenVAS, same thing with lots of different scanners.

[00:31:08] Brad Nigh: Yeah, there's a ton of options. It's just those are the ones personally that I've used. Right? So that's, well, that's what people do. Whatever works for you.

[00:31:18] Evan Francen: Right. And don't worry about all the things that happen and the fact that your environment is so damn dynamic and all that other stuff. Do it once, do it again in another month or the quarter. If you have, you know, spare manpower, you can do it more often. But eventually you build this thing where you will script it and it will be all automatic, and you will get just a report in your inbox that says, hey, these five things appeared yesterday that weren't there before.

[00:31:49] Brad Nigh: Yeah, wow. I mean, yeah, it takes some skill to put that together, and so there's going to be some trial and error. I mean, I know it didn't work right the first few times that I did it, or it didn't provide the information I was expecting, right? You have to tweak it to get what you want. Yeah, it's free. That's the other thing. It's not like this stuff costs you money. You can script PowerShell to run daily: any new assets, any new user accounts, any new computer accounts, any changes to group membership. Like, you can do these things fairly easily. Oh, there are tools out there as well that, you know, are inexpensive. I've used several of them. ManageEngine has some fantastic tools, especially management, you know, it's not terribly expensive.

[00:32:48] Evan Francen: Well, I think one of the things we lose out on too, because people like this instant gratification thing, so let's go out and buy this cool new tool. It costs us, you know, $100,000 a year to do asset inventory when you could have done it all for free. And I understand it's more work, but there's so much value, so much training value in so much of this work that you miss out on when you skip the steps of scripting it yourself. When you actually review the asset inventory yourself, when you troubleshoot why certain things are showing up and other things are not showing up, when you go through all these processes, you make yourself so much more of a better security person than if you just bought the damn commercial tool, plugged it in and pushed go,

[00:33:31] Brad Nigh: well, it's along the same concept of why we don't write policies for people, we coach them through it. If you do that work and you write this, you're going to be intimately familiar with your environment, you own that environment. If you just plug in a tool and let it do its thing, you don't have that same sense of ownership. There's not that same, an activity I guess, with what's going on.

[00:33:57] Evan Francen: Well, that becomes, I mean, I think people are so excited because when I have that intimate knowledge of my environment, or at least a more intimate knowledge of my environment, it plays out so much better in detection. I can detect when things are off. I can detect when there's an anomaly in the system. Computers only do what you tell them to do. Why is there more bandwidth today than yesterday? Because something is happening. Don't just write it off, you know? So when you know your environment more intimately, you're better at protection, you're better at detection, and you're a lot better at response too, because I can't tell you how many times we do incident response and they're like, oh, I didn't even know I had that system. What does that do? I'm like, I don't know. It's your damn environment.

[00:34:42] Brad Nigh: Yeah. All the time. Like yeah, responses from this IP, what’s on it? I don’t know. Maybe you should go find out.

[00:34:55] Evan Francen: It’s your environment. It’s like, it’s like things in your own house, right? Like there’s this weird noise coming from the corner, you know, of this bedroom in my house, what is it? I don’t know. No, I guess it’s just the way the houses where, you know, open the door and find out what the hell is in

[00:35:13] Brad Nigh: there, right? You know, and your example of the bandwidth, you personally gone through that. Our network guys identified a spike in bandwidth, and it turned out one of the healthiest staff and it’s one of the retired computers and was running a uh like Pirate Bay torrent on it and downloading stuff and we’re like, what, what, what, what is wrong with you? Um, right. You know, so, but if they hadn’t been paying attention, if they didn’t know that stuff, how long would that have gone? You know, and we think they caught it within like a week of him putting it on, which is really is pretty, pretty good.

[00:35:56] Evan Francen: Right? Well, in part of your post mortem right? That’s why we do post mortems on things, is it took a week, is a week adequate or should we narrow that down? And if you decide again, you decide. Well, I think a lot of times you look for security people, help me? How quickly should I know, you know, should I become aware of that thing? It depends. I mean, in some cases, if you have a really high security environment where you have a very low risk tolerance and you know, it’s not gonna get in the way of the business making money. Well, maybe it’s instantaneous another case is maybe it’s a monk one of the things you never one of the things you never want to be. And and again, I can’t tell you how many incident responses I’ve been in where I get notified by somebody who’s not even part of our organization that somebody external, whether it be the Secret Service or the FBI or law enforcement or God forbid a customer. Tell me, hey, I think you’ve got a breach going on. How freaking embarrassing is that? Right?

[00:36:57] Brad Nigh: Yeah. You know, you don’t want that.

[00:36:59] Evan Francen: It’s like my mother coming into my house and you know, telling me how to no

[00:37:04] Brad Nigh: sorry. My house. Yeah. Yeah. You know, right. And that’s going back to what we were talking about with the CISO’s role. What is the organization’s risk tolerance? Do you want a daily report? You want instantaneous? You want weekly, you know what? And you know, it’s been a long time since this happened. But I think it would be caught it on a weekly report and that was, that was what the business was okay with. Okay. Also if anything happened in the past week, do you see in an all night,

[00:37:37] Evan Francen: one another, you just brought up is risk tolerance. We use that all the time. You got to figure out the business’s risk tolerance. So let’s go there because we tell people that all the time and I think unfortunately few people actually know how to do that. So I’m gonna just go with what I do and then you can ask whatever part you want onto it. Because number one, if I’m ever going to figure out the business’s risk tolerance, I have to get the CEO on board with me. I’ve gotten to the point where uh, if anybody were to come and ask me to be their vCISO, if I’m not reporting to the CEO, I’m not interested. I’m not willing to play a game that I can’t win. You want me to play the game? I can win. I will report to the CEO because that’s the person who makes decisions, that’s the person who is ultimately responsible for information security in this organization. And I think one of the things we end up doing when you talk about trying to figure out risk tolerance is we don’t have these just hard truthful discussions with other executives. I’m not asking the CEO to be in a weekly meeting with me. I’m not asking the CEO to invest hours and hours and hours and hours with me. What I’m asking the CEO is this is how we’re going to do security. Are you okay with this? Would you like to be communicated with in a different way? So ideally what I want to and I’m going to come just like you said with a suggestion already laid out, I’m not asking them to solve this problem for me. But I’m gonna say I want to give you a quantification of where you’re at, where you’re going, when you’re going to get there and how much it’s gonna cost you all around security risk management and then and then we can delegate from there. Right? What’s the next layer? You know, are you going to delegate security risk decisions to me? Not a good answer. Who I want security risk decisions delegated to are our heads of business units, the owners of these systems that we’re trying to secure together.
The good thing is because a lot of times, oh that’s more work they don’t want to get. Well here’s the really, really cool awesome advantage is you get autonomy, you get to call the shots Mr. or Mrs. head of business unit. You no longer have to hear from me telling you can or can’t do anything. You get to choose what you do. Right.

[00:40:01] Brad Nigh: Yeah. And the one I fully agree with that. And the the one thing I think I’ve run into the most is them going okay. So what does that mean? How do we determine? What is risk times? And I think the example I’ve had the best response to is uh hey happened because it was a question of like, hey how long should we, how often should we have to change passwords if we have to and my response is how long are you willing to potentially have a breach if a user clicks something and gives access rest and they’re like, oh right. Some places it’s 90 days like normal, others it’s like you know personally, maybe six months. Right? Yeah

[00:40:50] Evan Francen: it goes back to our job right? As CISO I consult you on how to make good risk decisions and give you good risk information for that and I implement those risk decisions. So your example that you just gave right there. I think it was awesome because they asked the question, you consulted on the answer. Now if you want my opinion, how many you know I I would say 30 days, 50, whatever.

[00:41:18] Brad Nigh: Yeah that’s my opinion. And the reality is to me this is going back to the consulting, what’s the sensitivity of the data? What are we talking about? Right. Even if if it’s an admin I still would say 30 days. Even within FAA right. Whatever. Right? If it’s somebody that has no physical or no access to sensitive information, maybe it’s uh somebody who’s got email only. Well maybe then they can go longer.

[00:41:51] Evan Francen: Right. Well and so when you say risk tolerance. So first it starts with the CEO right? Or the board, and/or the board. You know, in some organizations you’ve got both, right, one holds the other accountable and all that other stuff. So but it starts there with a number, right? That’s why we use the S2 scores. All I want you to focus on is this number: this is where it’s at, this is where we’re planning on making it go, this is how much it’s gonna cost to make it go there. And this is when we’re going to get there. You just give them the four pieces of information, right? Now they’re involved. And now when I come back the next quarter and I told you that by the end of this quarter we were going to be at 600. We’re only at 580. Now you can ask me and hold me accountable. Why didn’t you get to a 600? And now we can have a different discussion. Right? That’s the kind of interaction that happens, we want to happen with the CEO. The business unit leader, they’ve got their own qualifications but now we get more into the details right? Give them more autonomy. The business unit leader might have their own IT department, they might have a business unit CISO that you work with. It takes them to the next levels, you know what I mean? It just all builds on top of itself. That’s how you figure out risk tolerance. Yeah.

[00:43:14] Brad Nigh: Uh huh. No argument from me. Right.

[00:43:18] Evan Francen: And so you can use constructs. One of the constructs we use and you can use others. You can develop your own. I’ll tell you how to develop your own. The one that we developed is you know we use what’s called nested entities. Programmatically it’s a little bit newer. Right? So we’re exploring this with for me personally in the state of Iowa, state of North uh New Jersey and state of Minnesota for all. Working on how to use nested entities to distribute this risk tolerance throughout the entire state. Right? But the way it works is really, really simple, identify what units you have in an organization, give them their own assessments that are the same as or as close to the same as the assessments you’re using in another place. So you can do apples to apples and do that roll up for the CEO or the governor at the top.

[00:44:07] Brad Nigh: Yeah. I’m doing the same thing with an international customer. And you know, we didn’t start that way because we didn’t have that. That wasn’t really fleshed out. So we’re migrating to it. But I’m gonna do, you know North America? We’re gonna do Europe, we’re gonna do Asia, we’re gonna do South America as each of those areas has different expectations, different, you know, support. So let’s start at the top. Well all these different ones in there and then roll it up and Yeah. Yeah, exactly.

[00:44:44] Evan Francen: And then it also allows me to dig in deep so that the CEO, his CEOs are going, some CEOs are going to be much more involved than others, right? They have a ton of things on their plate. They’re running an entire organization, right? So that’s why I wanted to give you four things to focus on: where we’re at, where we’re going, when we’re getting there and how much it’s gonna cost. That’s it. Maybe if there’s a little more time, I can tell you what the most significant risk is we’re working on right now or some significant event since last time we talked. That’s it. And then if they want to know why things are scored, if they ask and want to get more involved and now I’ve got a dashboard, I can roll it out. Here’s your 50 entities that make up our company. This is what their security looks like. And they can say, well, why is that one red? Well, let’s let’s go find out. So you know what I mean? Well, it’s red because they made these risk decisions. Okay. Do you agree or you don’t agree? Ultimately. I don’t, I do care, but I’m not going to get involved in that.

[00:45:42] Brad Nigh: Okay. Yeah. And you know, it’s like what you said, hey they’re red because this is their risk tolerance. Well, maybe we have to or segment them off because there are other business units that can’t accept that level of risk and can’t be exposed to it

[00:45:59] Evan Francen: because there are

[00:46:00] Brad Nigh: consequences for those, but it is what it is.

[00:46:05] Evan Francen: Yeah. Yes Sir. In today’s podcast, we’ve already talked about the type of communication that happens with the CEO, how to get, not necessarily how to get the CEO’s, there isn’t one way to get a CEO’s attention and buy-in on security. Uh it depends on your relationship. In some cases you’ll have a relationship with the CEO, in some cases you won’t have a relationship with the CEO. I’d be very wary of any place where I didn’t have at least a relationship with the CEO. Even if I report to the CEO, which I wouldn’t because I just told you I won’t do that work because it’s a losing game. I’m gonna want to play it. But if if I am reporting to the CEO, that just happens to be the place I’m in. Ask for 15 minutes a month. You know ask your CEO for 15 minutes a month. Meeting with the CEO. Or maybe you have a relationship with the CEO anyway. Even though you report to the CIO. Whatever it takes, get a relationship, a nice working relationship. You’ll learn what motivates them, what doesn’t motivate them. You’ll learn how bought in they are in the mission of the organization. You’ll get from them just in these conversations and then you can start using their language that will resonate and be like, hey remember that thing you talked about, this is how we can help that happen with security. And they’ll be like hell yeah, I am

[00:47:37] Brad Nigh: right? And and don’t stop there, do the same thing with the heads of the different business units. Whoever is making those risk decisions, have a good relationship with them. Yeah. It could be the no man, could be the know person. Yeah. We’ve talked about is the yes but approach

[00:48:00] Evan Francen: you know or I don’t know.

[00:48:02] Brad Nigh: Well, yeah. Yeah. I don’t know what we find out. Right? But get away from just saying no. This is never going to build a good relationship.

[00:48:13] Evan Francen: Well, it is funny how many times you and I because I’ve seen it happen all the time with security people that we get asked. What’s that? You know, what’s the top thing I should do? What’s the number one thing I should do? I don’t know. And I don’t know because we haven’t had that discussion. I don’t know your business. I don’t know what you do to make money. I don’t know what’s more important to you, your culture or making money out of your public company or a private company. I don’t know if you work in technology or you’re a bookstore. I mean how the hell would I know? Let’s have a talk. Oh my gosh.

[00:48:47] Brad Nigh: So many times in the pre-sales process they get brought in because the customer wants to talk to an expert, not a salesperson. Which I totally understand. And I can’t tell you how many times I’ve been asked. Okay. So what would be the first thing you would do recommend or nuts. And my I don’t know. Universe assessment. But if not let’s start there.

[00:49:09] Evan Francen: You know what we

[00:49:10] Brad Nigh: got. I don’t know what to tell you because I have no idea what you’re dealing with. Yeah.

[00:49:16] Evan Francen: And my and my answer now is that’s the first thing you would do I take out to lunch, you know, why would you take me out to lunch? I need to know you. I can’t consult you. I can’t tell you what’s good for you and what’s not good for you unless I have some time to diagnose what your problems are.

[00:49:33] Brad Nigh: Yeah. And that’s why we’ve kind of transitioned how we’re doing our vCISO engagements right? We have been doing it where we did go into the full assessment, deliver it and then kind of really start kicking off the process. Well yeah but we’re, you know it’s it’s not, it’s not the best way. So now what we’ve done is we’re going to start with the estimate. It’s what, 60, 70 questions, something like that, high level. Just, hey, let’s get to know each other, you know it and I’m gonna get to learn the company and then I just understand that. So that’s the first experience the customer now has is it is a two hour and a half, two hour meet and greet where I’m going to just ask you some questions, get to know how you work, how the company works and then I can formulate and at least put together some sort of a plan. Yeah it’s it’s kind of along those same lines because we can’t really take people out to lunch at this point. But especially when they’re, you know in different states. But it’s in concept,

[00:50:38] Evan Francen: right? And when we can take people out to lunch again or we can have that opportunity. It’s a with another thing I’ve been, I’ve been adding, which is kind of humorous, but it’s how I work. It’s like, what’s the first thing you do? Well, take you out to lunch and you’ll know whether I like you or not by whether I pay or not. Yeah. I mean if I bought your lunch, then I want to do more. Do you want to date? But if I I didn’t buy your lunch, I’m probably not interested in dating anymore. But just another thing too, I mean, it’s everybody, you know, when you were to compare security, like dating, everybody wants to go from like I just met you to, I want to have babies overnight versus like I want to date a little bit. I want to get to know you, I want to do some things. You know what I mean? We might get to a point where we are going to break up because, you know, maybe the business changed and whatever, but it’s a long term relationship. It’s not a transactional thing. It’s frustrating. But anyway, it’s also good because hopefully some of our listeners got some good tidbits out of this and if you want more about this, reach out to us. We don’t work like lawyers, you’re not gonna get a bill.

[00:51:51] Brad Nigh: Yeah, that’s why we’re not allowed to be in the truly in the sales process. We really like to come in and talk about the methodology.

[00:51:59] Evan Francen: Yeah. Sometimes people skirt the process because they figured me out. And so uh uh what is it next? On Sunday I start a three part training series uh for Women’s CyberJutsu. It’s three 2-hour sessions and we’re going to hack ourselves. Very cool. Yes. New, new new people getting into the industry, helping them transition and learn some of the basics. I know networks. So we’re gonna start with networks. Uh huh. That’s good stuff. Right? So we got a couple of news things that I wanted to talk about quick and then we can wrap this sucker up and in about our days day one of the things I thought was interesting. So this comes from CNET and the title is hacker returns all $610 million in cryptocurrency stolen in cyber attacks, interesting.

[00:52:57] Brad Nigh: Yeah, I saw that and I was just like, I don’t know what how,

[00:53:04] Evan Francen: Okay, right. I’m gonna go out and share the screen because I think if people actually watch uh watch this online or I think don’t we have 800,000 people a month to listen or download, but I don’t know how many people actually watch it, but if you do watch it, I’m going to put it on the screen knocks. I always forget that we do that. We have people watching too. So I’m gonna share my whole screen. So if you want to see some security stuff maybe steal my identity or something. Feel free. But I’m on an iPad. So this is how we’re gonna roll. This is the uh the article: Hacker returns all $610 million in cryptocurrency stolen in cyber attacks. The attacker’s, guy, the attacker’s name is Mr. White Hat. Never heard of him. Have you? Oh

[00:53:56] Brad Nigh: but uh so weird.

[00:54:01] Evan Francen: Yeah it is weird. So this cryptocurrency theft appeared or happens is you can see the Poly Network, a decentralized finance platform sometimes called DeFi, 610 million or $600 million cryptocurrency stolen through a code vulnerability. So the attacker finds the vulnerability, steals lots of money. 273 million in Ethereum tokens, 253 million in Binance Smart Chain and 85 million USDC ah from the Polygon network. Mr. White Hat then returned them all. Almost immediately after he stole the money, he started returning the funds piecemeal. Uh Eventually all the funds were returned. I thought it was kind of his quote at the end. My actions which may be considered weird are my efforts to contribute to the security of the Poly project in my personal style.

[00:55:06] Brad Nigh: Yeah I mean yes he got his message across and at the end of the day uh there was no you know loss for the the people right? The users So it works. Yeah. It is weird

[00:55:26] Evan Francen: quitting the show. He says he’s quitting the show. I don’t know if he or she will, Mr. White Hat I’m guessing to hear that. Ah Yeah I don’t know who this is I suppose you know you go about trying to figure out this may be but I think it’s interesting. I don’t have enough time to do that anyway. Um Yeah I don’t know, would you do the same? I guess I wouldn’t, I wouldn’t have taken the money to begin with because I can’t mess around with that. You know there’s just too many people that rely on me making better decisions than that.

[00:56:00] Brad Nigh: Yeah I agree. I can’t say that. I would because I wouldn’t have taken the money to start with. Yeah.

[00:56:10] Evan Francen: Yes. I think we would have never gone down this path to begin with. But in a way it’s kind of like I don’t know what to think either. I mean I don’t it’s definitely illegal, right? You don’t break into computer systems and do these things without permission regardless of whether you put it back to the fact that you were there makes it legal. Uh But it’s not really is it immoral maybe unethical? Yeah. Minutes.

[00:56:41] Brad Nigh: It’s kind of a conundrum. It’s a fine line.

[00:56:46] Evan Francen: So anyway I thought that was interesting and that just happened not that long ago in the last few days.

[00:56:53] Brad Nigh: Yeah the news broke yesterday or at least that’s the first time I’ve seen it

[00:56:58] Evan Francen: show the State Department uh this is the next news thing. The State Department reportedly hit by a serious cyber attack. This happened a while back and um wasn’t reported. I don’t think anybody really even noticed that happened. Um And we don’t know anything about it. So it’s just we know that the State Department allegedly was hit by a serious cyber attack. It doesn’t seem to have disrupted anything. It doesn’t seem as though they necessarily lost anything. But they’re also not, there’s zero transparency on what actually took place and who’s affected. So we do know that the State Department itself though in the A, B, C, D ratings that they do every so often that the last time they were a D. Nothing. So I don’t know, I don’t think the government is very good at protecting their stuff because it’s too damn complicated. They I think they got a big big big time ego problem. They’re still there man?

[00:58:12] Brad Nigh: You hear me? Yeah. Well sure sure it was gone.

[00:58:25] Evan Francen: I don’t know I’m going to keep talking and if you chime in you chime in

[00:58:33] Brad Nigh: is that better?

[00:58:34] Evan Francen: Little bit? Okay We’ll continue.

[00:58:37] Brad Nigh: Okay. Yeah I’ve been having issues with the technology issues with the new computer. So yeah.

[00:58:43] Evan Francen: Yeah technology. So did you have anything to say about the State Department attack?

[00:58:49] Brad Nigh: No just I mean not surprising. Yeah.

[00:58:53] Evan Francen: Yeah. Yeah And the thing that the government is on the kick that the government is on today which is I don’t know we will often do another podcast about it. Is the JCDC. You know I had to swallow my vomit a little bit on that one. Um if you go with the JCDC although sort of what I’m talking about 10 minutes a partnership, a collaboration between CISA which is the Department of Homeland Security. Uh and there there want to actually just even the the thinking that you can possibly secure everybody is so ludicrous. But that’s essentially what they’re trying to do and I don’t think that they’re trying to do it to actually secure anybody. I think they’re doing it to try to get control of things, difference. You know there’s a difference there but I don’t trust the government to secure my stuff because the government can’t secure their own stuff. So. Yeah. Yeah mm. Get your house in order. The last one I thought was kind of cool because these deepfake things are going to become more and more and more uh common. So this is from PCMag: Bruce Willis deepfake to star in Russian TV ads.

[01:00:16] Brad Nigh: That’s interesting. I saw something that Val Kilmer did it uh in that jockeys memory because he has voice issues after he had cancer I guess and he was okay with it. But yeah that’s it’s gonna be interesting to see how this plays out.

[01:00:35] Evan Francen: Yeah. But yeah I mean the pick has come so far that it’s almost, well to the naked eye. Even a trained eye it’s you can’t tell. No I mean you have to really break it down almost pixel by pixel to notice but they’ve got the ad actually there. I haven’t watched yet. Um Yeah pretty soon you’ll be your favorite celebrity. Well you know if you’re into pornography you’ll see them. I’m starring in porn films. You know when they’re not, it’s not really them. We usually see all this plays out. It’s going to be weird. Yeah I agree. Once just once again you know society adopts technology way faster than our ability to secure it and certainly way faster than our ability to use it responsibly. And this is another example of where this is heading. It’s going to get nasty. Yeah.

[01:01:36] Brad Nigh: Oh yeah. Yeah easily be weaponized.

[01:01:41] Evan Francen: Oh God and it will be for sure for human beings between a lot. All right man that’s all I got any shout outs.

[01:01:48] Brad Nigh: Yeah I’ll give a shout out to my wife for putting up with me the last week.

[01:01:52] Evan Francen: That’s gonna be a huge shout out. I mean it’s got to be like the biggest shout out, shout out. Yeah

[01:01:58] Brad Nigh: and she started her new job today so that’s

[01:02:00] Evan Francen: excited about her. You do have a wonderful wife. She’s a true a true gem man. I mean she’s in the perfect job to you know being a nurse because she just yeah, she’s amazing. She’s yeah, I just do every time. Every time I see her it’s like I always feel welcome. Yeah.

[01:02:21] Brad Nigh: Yeah, just yeah, I’m not gonna argue

[01:02:25] Evan Francen: seriously man. We had, we had dinner, you know, a few weeks ago or at your place man, you walk in and it’s like, yeah, we’re like, we’re part of the family. It’s awesome. But we try. Yeah, I’m going to give a shout out to uh Kevin believe it or not, Kevin North. Uh which is weird. It almost pains me to do so. Uh but he’s been very supportive. Uh he’s been a huge help in us getting through the legal contract stuff in the state of New Jersey for SecurityStudio. And I had a really good attitude lately. All right, that’s it. So, we’ll see you next week, will you? You’ll be back what, Tuesday

[01:03:05] Brad Nigh: ish.

[01:03:09] Evan Francen: Have the greatest time ever. Make memories, take your phone, crack it in half. I’ll buy your new only get back.

[01:03:16] Brad Nigh: Yeah, we’re gonna kind of lock him up and we got a bunch of board games and that some movies. It does look like it’s been a rain. So I sent super excited to watch baseball because he loves Star Wars and it’s one of my favorite movies. So he was wrapping up with the trailer. So we’re gonna spend some time together off electronics and yeah.

In this episode, Evan and Brad focus on the concept of PDEIS (Programmatic Distributed Empowerment of Information Security) and its ability to involve and empower others within the organization; not just CISOs, to make their own risk decisions. They also debate the trend of information security leaders facing legal repercussions in the wake of the recent SolarWinds incident. As always, they close with some industry updates such as the T-Mobile breach, and more.

Podcast Transcription:

[00:00:22] Evan Francen: All right welcome listeners. This is episode 144 of the unsecurity podcast. I’m your host, Evan Francen and joining me is my good friend Brad Nigh. Hey Brad.

[00:00:34] Brad Nigh: Hello, are you?

[00:00:35] Evan Francen: not too bad man. Recording on uh Wednesday started middle the week. I don’t know what happened to monday and Tuesday, do you uh you know

[00:00:47] Brad Nigh: that’s what I did this morning.

[00:00:49] Evan Francen: I know right when I’m my wife I’m getting all describe I haven’t been groomed uh you know I had my beard or moustache room for a while so she’s making an appointment I think should have made an appointment. So I got to go get

[00:01:04] Brad Nigh: yeah mine’s long enough now that it some waxing and it’s Oh yeah

[00:01:10] Evan Francen: we got it ma’am

[00:01:12] Brad Nigh: Islam. There you go. Yeah

[00:01:15] Evan Francen: crazy. All right. So last week it was fun. We had a good talk with the team ambush and then we talked a little bit about you know the work that you did uh def con the week before that was good. Yeah yeah

[00:01:32] Brad Nigh: there’s a good change of pace for me I mean even for those guys really in CTFs, it changes your thinking but it’s so valuable from an experience perspective.

[00:01:43] Evan Francen: Yeah yeah totally man. Yeah I think next year I’ll probably jump in you know maybe help out, see uh I can read pcaps, like I said, I’ll do that.

[00:01:54] Brad Nigh: There’s some cool new tools out there.

[00:01:57] Evan Francen: Right? Yeah, I’m used to the old school pcap tools, so just give me something, know anything, I’ll be fine. All right, so good show today. Uh one come for a couple of things, you know, we talked a little bit about this thing called distributed accountability. I want to bridge off of that a little bit more. Um, I still contend that many of our CISOs certainly in state, local government. Miniver caesars, private sector are just in this position where they’re playing a game that they can’t win.

[00:02:34] Brad Nigh: Yeah, yeah. And I think one of the articles are going to talk about kind of proves that point a little bit.

[00:02:40] Evan Francen: Yeah, 100% The frustrating thing is you and I have been in this industry for 20 some odd years, 30 years, whatever and we still cycle through the same crap today that we did back then.

[00:02:56] Brad Nigh: I mean the technology has changed, but the basic premise is still the exact same.

[00:03:03] Evan Francen: Right? Well, and we continue to adopt and uh yeah, we continue to adopt new technologies faster than our ability to secure it and certainly faster than our ability to be responsible with it. And so if anything, the problem has gotten worse and you know, the goal, the objective is further out. Charter.

[00:03:28] Brad Nigh: Yeah, yeah. Well, and I mean a lot of times you’re looking at how many years of different people building on it. So then when you come in, you know, it’s like deciphering six different languages to understand why things were put together the way they were, what the band aids are. I mean we’ve talked about it the only way to to really be confident. It’s just start over and that’s not realistic.

[00:03:58] Evan Francen: Well, yeah. Well it’s either, I mean it will eventually come to the point where I think if you don’t get your stuff together now, the longer you wait, the harder it gets and eventually you’ll be forced to, you know, or you just no longer exist right? I mean it’s like, yeah like health, right? If you don’t take care of your health eventually you’re going to be forced to or you die basically. Yeah. Yeah. Uh We’ll talk about that and then uh you mentioned a news article. So one of the news articles that kind of plays off of that is uh SecureWorld. Uh, I don’t know, the 5th. So almost two weeks ago I wrote an article, Bruce uh man was the author, the title of the article is Suing the CISO: SolarWinds fires back. So in this particular case, uh, a group of shareholders have filed suit against the CISO, the chief information security officer, Tim Brown who is also the VP, so VP of security and CISO at SolarWinds uh alleging certain things and then you know there’s this SolarWinds fighting back. So I want to talk about that because you’re barking up the wrong tree. That’s not the place.

[00:05:22] Brad Nigh: Yeah there’s a lot to unpack in that order. Do.

[00:05:25] Evan Francen: Yeah I would love to play uh it would be fun to be part of that litigation in terms of you know consulting on it. Um It’s kind of bullshit. Anyway people talk about that and then uh this last week you know the news, the big news you know I think worldwide is the fall of Afghanistan again into the hands of the Taliban. What does that mean for us in terms of information security, is it going to mean anything? Uh you know we can speculate a little bit. We’ve seen big news in the past before. What does this one we’re going to do? Uh huh. Yeah. Yeah. Yeah and then a couple news articles. T-Mobile lost all your data. You know

[00:06:12] Brad Nigh: we’ll go into that. But when I right when I saw that I was like okay like all that isn’t already out there.

[00:06:21] Evan Francen: Well there’s that which is

[00:06:24] Brad Nigh: unfortunate right? That’s that reached the T. Yeah.

[00:06:29] Evan Francen: Well then, uh, the last piece, you know, we’ll cover in today’s episode, uh, is, you know, the U.S. government, uh, lost, well actually never secured, um, some information, their secret terrorist watch list with about two million records, was exposed online and insecure.

[00:06:50] Brad Nigh: Yeah there’s a lot to unpack in that one too a lot of questions.

[00:06:55] Evan Francen: Oh well, and it leads to like a whole discussion that we had last week on the shit show where Chris Roberts was playing devil’s advocate about, uh huh, well if you can’t secure your stuff then why doesn’t the government do it for you? You know, and I’m so against that because the government can’t secure their own crap, why the hell would I have them, you mind, and they have no vested interest in actually securing my crap. What they’re actually going to do is steal my crap. I’ll have no privacy at all. Be, I’m gonna, they already do it right, the NSA and stuff, but yeah, no, I don’t want to go there.

[00:07:34] Brad Nigh: Yeah I agree.

[00:07:37] Evan Francen: Yeah. So anyway, first thing I want to talk about, I gave it a name, because I think when things have a name they take on a new meaning. The name is programmatic distributed accountability for information security. So if you’re an acronym person, which I think most of us are in this industry whether you like it or not, uh, called PDAIS. So PDAIS, programmatic distributed accountability for information security. And where this came from was working with state CISOs, and take the state of Minnesota for instance, right now we’re doing a proof of concept, um, in the executive branch of government. In the state of Minnesota, by law, the centralized CIO, essentially the centralized, I guess, authority, um, is responsible for securing the executive branch agencies

[00:08:37] Brad Nigh: makes sense.

[00:08:39] Evan Francen: Yeah. So there are 95 agencies listed in that standard. So when you talk about, you know, the CISO for the state of Minnesota, who is very good, I think he’s a great person, um, capable, all that stuff. But the way they do it today, they can’t win, they can’t play that game because you can’t secure 95 government agencies unless you get the 95 government agencies to play by

[00:09:08] Brad Nigh: and they all work differently enough. Yeah, there is no blanket solution.

[00:09:17] Evan Francen: Exactly. So that’s a, yeah. So about that. So the way they do it today, you know, I think the best attempt is to take assessments, you know, distribute assessments in the form of spreadsheets to, you know, the government agencies, have them fill out their assessments and then you compile the results and try to do some reporting and try to enforce some requirements. Um, which on the surface doesn’t seem that bad. The problem is these 95 government agencies are not all the same. Some of those government agencies use policies that come from, you know, central authorities, some of those have their own policies, some of them have their own CISO, some of them have known technology department. Yeah. Mhm. Yes, I think quiet like that, the error prone,

[00:10:19] Brad Nigh: you know for sure.

[00:10:22] Evan Francen: No. So the challenge then is, you know, how do you define? So it’s actually, it’s funny because this morning I was working on a presentation and really I think it’s, there’s 1, 2, 3, 4, was it 12 steps to the process you’re talking about in the state of Minnesota, take any state for instance. So the first one is your inventory of the agencies, right? Who are the agencies? How many do we have? Here, we have 95. I’ve asked other states before, you know, how many government agencies are you responsible for securing? And I get different answers. Um, even within the state of Minnesota, I’ve heard answers from 87 to 92.

[00:11:12] Brad Nigh: Yeah. You know, if I’m just thinking, it’s funny how alike you and I think, because we’re working with like a, out of venture capital, that like a, the company that owns, investment firm, and they’re looking at 30 companies to start with, and we’re going to use S2Org and have each one of those as a sub-entity, because then they can see everything and it rolls up and they can see what their risk posture is. And I mean it’s almost exactly what you’re talking about. It’s so funny.

[00:11:47] Evan Francen: Well it is, and that’s the reason why we built it that way, to be honest, you know? But the first thing we have to start with is what are we actually trying to secure? Instead of, you know, physical assets or software assets, at this level you’re talking about, uh, an intangible asset, right? The agencies or the departments or the companies in your instance. So depending on where you’re starting in the process, if you’re starting as an investment organization or a company that owns 30 companies, well then you’re starting at that level. If you’re starting with the state, ideally you would start all the way at the governor. Uh huh. That’s right. Because they are the CEO of the state and then you would deploy through that, right? The government and all the things that they’re responsible for. We’re starting a couple of layers down here right now with the state of Minnesota, it’s not the governor, it’s not the Legislature. We’re talking about the CIO and CISO

[00:12:50] Brad Nigh: of these for a proof of concept. I mean, I don’t I don’t know if you necessarily starting at the very top it is going to, it would be a more representative. Mr

[00:13:04] Evan Francen: Yeah, well, eventually we’ll get there, right. There’s a couple, there’s two states in the country, the National Governors Association, so NGA, called out two states, or nominated two states, to do this thing called whole of state security, right? Which means you’re going to figure out a way to get the entire state secure, right? And so those are different, Washington and Indiana are those two states, um, that takes distributed accountability to a whole another level. Right. It scales that way, because the first thing is the inventory. The next thing is, once you’ve got that inventory, who’s responsible for what in that inventory?

[00:13:49] Brad Nigh: You know, gosh, it sounds like the fundamentals we talk about every week, right? I mean it is, it’s a different target, so to speak. Great. We’re not talking about your data and your hardware assets, but it’s the same exact

[00:14:07] Evan Francen: concept. It is, man, I mean that’s the thing that most people don’t realize, or maybe many people don’t stop to think about, is information security is information security. The same concepts apply at home as they do in a small business as they do to an entire state, to an entire country.

[00:14:26] Brad Nigh: Right? I think if mastering the fundamentals isn’t difficult, my understanding them knowing what do not difficult actually gain. Like you said, other people to buy in and doing them. That’s the hard part

[00:14:40] Evan Francen: well. And that’s the cool thing, man, is we’re making progress. You know, there are some states in this country that are, I think, um, ahead of the curve, they are maybe taking a more pragmatic approach and understanding. Minnesota is one of those, New Jersey is another one, I think Hawaii, Washington, Iowa, these are states that I know personally are marching down the right path, right? And you go back to either do it now or do it later. Eventually you have to do it.

[00:15:15] Brad Nigh: Right. Well, I mean how many times have we heard a C-suite member go, I wish I had known and done this, or during the, during the breach, dear. And then a ransomware event, almost every time they’re like, I wish I had known, I wish I had done something. Yeah. Proactive’s a lot cheaper in the long run.

[00:15:39] Evan Francen: and it also helps you make more sense of just the organization itself. Right? When you go through the process. So right now I said step one, inventory of the agencies. The next is the responsibilities. As part of that inventory of the agencies, it’s what are the criteria for risk in those agencies when you put them into context with everything else? Right. Maybe it’s the number of employees in that agency. It’s the importance or criticality of that agency to the overall functioning of the state government, right? Some are different than others. So if you take like the board of social work, that would be different than, say, the Veterans Affairs administration, right? If there were a breach or something, it was to just being completely obliterated. Right? I mean, like when you talk about risk, right? It’s likelihood and impact. So let’s say that the impact, let’s say you just wipe them off the board, Department of Transportation, calling, what does that do to the state? Right. So that’s one criteria that also has to go into this risk equation versus, let’s say, the zoological board.

[00:16:49] Brad Nigh: Yeah. Think about Minnesota. Yeah, the DOT isn’t here in the winter. Mhm. It is massively disruptive.

[00:16:58] Evan Francen: Exactly. So in that inventory of your agencies it’s figuring out the criteria for risk, one might be the number of employees, another might be the importance of criticality to the functioning of the body, another would be you know how much sensitive information do they actually collect, process create so on and so forth. Once you define that right now I can put things in the context. And you talk about the state of Minnesota, you talk about the executive branch of the state of Minnesota. Now I’ve got the agencies and I’ve got some equation of which one of these agencies or entities is more critical than not. Right?

[00:17:38] Brad Nigh: Almost like a business impact analysis. You know, another fundamental where I’ve seen a lot of similarities. Right, right.

[00:17:48] Evan Francen: And then you go through, okay, uh, you know, those responsibilities, who is responsible for security in each one of these entities. In some of those cases it will be, um, you know, the agency head, some of these agencies have a CISO, some of these agencies, now the cool thing here is, and one of the things we’ve gotten wrong, I think, when we talked about distributed accountability, is now I can get to distributed accountability. Right now I can go to that person and say, here, let’s have a discussion, and instead of pointing it like, I’m making you responsible, therefore you must do these things, instead the approach should be, you get to call the shots, this is your agency.

[00:18:28] Brad Nigh: I’ll present you facts and you decide. Yeah, okay. That makes, I was going to say, what if the person doesn’t understand security, but now I agree with that approach. Okay.

[00:18:38] Evan Francen: Yeah. Instead of us always telling you what to do, instead, what we are as the CISO is, we’re consultants. Yeah. Which was the simple approach from the very beginning: CISOs have two jobs. One, consult the business on how to make good risk decisions, and two, implement those risk decisions to the best of your ability. That’s it.

[00:19:00] Brad Nigh: Yeah, Yeah. And you know, I think we talked about this when you first brought it up, but it’s the approach that I it’s similar because I would say, you know, hey, can we do this? Yes, but here are the risks involved. Are you willing to accept them? If not, here’s some alternatives. You tell me which way to go?

[00:19:19] Evan Francen: Absolutely. So at that point then the CISO is accountable for those two things. Right? Ultimately, then, now I pull myself out as the CISO, implicit or explicit, I pull myself out as the person who is ultimately responsible for risk in this entity, right? This organization.

[00:19:40] Brad Nigh: Um, and yeah, something we breach the security, be defining the business’s risk tolerance. No organization should be doing it. That should be at a C level, board level, at the theme, hey, here’s the level of risk we’re willing to accept, managers or whoever, decision makers, fall in line

[00:19:59] Evan Francen: with this. What it’s all, and the reason why we suck at that, for many reasons. One is we started communicating it well, you know, I mean if I go to the CEO or the owner of a business and say, hey, tell me about your responsibility for information security, or actually just tell me what information security is to you. Yeah.

[00:20:27] Brad Nigh: Yeah.

[00:20:28] Evan Francen: What we usually get is, we have an IT guy who handles that for us. The same. No, not a good answer.

[00:20:38] Brad Nigh: Yeah. Yeah. You hear some interesting things doing the assessments and yeah right.

[00:20:48] Evan Francen: It’s cool. I think two, three states are going to get off on a really good foot on this. You know, Minnesota, Iowa and New Jersey are the three that I think, uh, these are CISOs that, well, Iowa doesn’t have a CISO, which is interesting. That’s a whole nother thing. Um, but I think it’s really cool because I look forward to the day when I can go to, when we can, the CISO can go to the state of Minnesota, go to the legislature, go to the governor and say, this is the current state of security today. What with the computers. Yes, yep. And this is the future state based on the risk decisions made by our organization.

[00:21:32] Brad Nigh: You know, again, funny, I was working on an executive presentation this morning, exactly that. We started with the estimator. Where were they at? Not good. We’ve kind of done itself on the one. Okay, a little bit better. So the presentation is, all right, we started here, what is our plan? Where are we going to be? What’s the goal and what does that look like at a high level? But it gives them something to work off of that we can track over time.

[00:22:05] Evan Francen: Yeah, yep. And keep it simple. Right. I mean, one of the things that we love to do in our industry, because I think a lot of times we do it because you want to sell more crap, or because, you know, my motivation really isn’t what’s best for you, it’s really what’s best for me, is we overcomplicate things. So keep it simple. Yeah, yeah. You start with a few criteria and then expand out into others or go deeper. But start with the basics, the fundamentals, get that stuff figured out and then build.

[00:22:37] Brad Nigh: And the way I approached it was, you know, hey, look, we started with this, it had, you know, X number of controls. Our goal is to get moved up annually to that next level. Will we hopefully have accomplished enough? No, it’s not, okay. We know security is fluid, right? It’s a living program, things happen, new threats come up. What is the reality of plans? But at least we have some sort of a goal in place that we can track our progress towards,

[00:23:12] Evan Francen: yep, 100% man. So yeah, I’m excited. I think when you think it all through, when you think about logically how information security works, this is the only way to make it work. You can’t have a CISO be accountable. So you take this, you know, again, I’ll use the state of Minnesota for instance, and all this stuff is public except for some of the details of what we’re doing together. But you can’t hold the CISO responsible for risk decisions that are made in the Department of Public Safety or the Department of Transportation.

[00:23:47] Brad Nigh: Yeah. You would hold them responsible if they don’t provide that guidance or a warning of, hey, be aware of this. Sure, it’s not the CISO making that decision. Absolutely agree.

[00:23:59] Evan Francen: Yeah. So we’ll see how that plays out. Now that leads to our next discussion. So that’s program, you’ll hear it again and again, so I’ll be repeating it because I’m going to build it out more and more. It’s called programmatic distributed accountabilities for information security. Right? So how do you programmatically do this? Because if you do it manually, it’s error prone, it’s inefficient. So you mentioned, you know, some of the things that are in S2Org on the SecurityStudio platform today. That’s really just the beginning, you know, where does it go from here? How do we build it out more? How do we make it more, um, just standard. Right, this is how you do security.

[00:24:39] Brad Nigh: Yeah, yeah, I like it because this is more prescriptive than red, yellow, green. What does that mean? That leaves things up to interpretation. Right? Let’s take that out. Yeah. With you.

[00:24:57] Evan Francen: One is, as the CISO, I am now playing a game I can win. I can’t play that, I can’t win a game when you expect me to make risk decisions or manage security across all these various pieces of the business and you want me to make the calls and you want me to do the enforcement, you want me to do all these things, because they use, you know, take for instance, you know, hypothetically the Department of Transportation, the head of that, if they don’t agree with the risk decisions that I make as CISO, what do you think is going to happen?

[00:25:30] Brad Nigh: No, I can supply.

[00:25:32] Evan Francen: Exactly. And then they have a breach and then who gets blamed

[00:25:37] Brad Nigh: that? Was it the person who made the decision? Well, not, right, not the people that didn’t comply with the decision.

[00:25:46] Evan Francen: Exactly, exactly. So it also brings about this community of security where now you can have discussions with these other agency heads on a level that you couldn’t have before, right? There’s a common understanding about what security is, how it works. Uh, and instead of pushing it out as, hey, you know, we’re going to make all these mandates, we must do this risk assessment, instead it’s, you get to make the calls, you get to be empowered, you know how your business runs better than I do. You make the decisions on how risk works. We’re empowering you, enabling. Yeah, yeah, that’ll work. Uh, so that leads to the next thing. So you talk about CISOs, um, you know, holding them accountable. Uh, like I said, SecureWorld. Um, the title is “Suing the CISO: SolarWinds Fires Back.” It’s Thursday, August, yeah, was when this was written. So almost two weeks ago, and in this article, essentially there’s a lawsuit, the lawsuit was filed from some investors and the lawsuit claims that inaction around cybersecurity at SolarWinds led to deception for the investors. So they were deceived. Wow. Specifically that SolarWinds embraced intentional or severely reckless deceit on investors. That’s the quote. So let’s, let’s, let’s sue the CISO.

[00:27:24] Brad Nigh: yeah, some of the claims that they may seem and

[00:27:30] Evan Francen: this, when I always go back to the same thing, man, who ultimately is responsible for information security at SolarWinds,

[00:27:42] Brad Nigh: uh huh. People that should be making the decision, right now if, if they say, you know, in the lawsuit, there’s no password policies. Well, I can guarantee you almost any CISO worth anything is going to say, hey, that’s a really bad idea. But if the company says, I don’t care, I mean, what am I gonna do? Document the heck out of the fact that I argued against that. But I mean if you force it, but you’re just gonna lose the company.

[00:28:20] Evan Francen: Right. Well, the one who, I mean, ultimately at SolarWinds, you know, who’s ultimately responsible for security would be the CEO. Because the CEO is responsible for the performance of the company, responsible for the protection of the assets of the company. Uh, they’re responsible for the structure of how things get managed within the company, right? So they’re the ones who make the call, either them or the board or some combination thereof.

[00:28:48] Brad Nigh: The board would probably be the, if they were, this was, the board would be the right target of this lawsuit in my opinion, not the CISO

[00:28:57] Evan Francen: or potentially the CEO, you could make a

[00:29:01] Brad Nigh: final decision, right? Yeah.

[00:29:03] Evan Francen: Because I don’t know how many times we’ve screamed it from the mountaintops and everything else, that information security is not an IT issue. It’s a business issue. So we continue to bury it under the CIO. In many cases, we don’t put it on the same level ground as, say, the CFO, uh, as the chief, or the COO, other C-level executives. They have the ear of the CEO much more than the CIO, you know, much more than the CISO does. Uh, you know, I was in a round table, uh, with a bunch of CIOs and I probably won’t be invited back because they kept saying that, speaking the language of the business, speaking the language of the business, speaking, you know, they just kept saying it like it was, the reason is a buzzword. I go, what the hell is the language of the business? What is that? Is that like a manual that I can read or is it a

[00:30:03] Brad Nigh: Well, I mean, I think, yeah, I think I understand the concept. They just speak in a language they can understand, but I don’t think there’s a standard business language

[00:30:17] Evan Francen: well, and I made this, so I made this case, like many, many of the CIOs were kind of complaining that, uh, you know, there’s so many, um, demands on their time, they’re short staffed, they can’t keep up with the demands of the business. Uh, and in some cases they’re unrealistic demands. And I said, well then you’re not speaking the language, you’re not, because if you were speaking the language and they understood the language you were speaking, they would understand the weight of some of the decisions that they’re making in terms of the CIO.

[00:30:56] Brad Nigh: Well, and yeah, and the risk that that’s putting organization in.

[00:31:00] Evan Francen: Right? So, and I’m talking specifically CIO. So let’s, let’s contrast the CIO to the CFO. At any given time when you talk to the CEO, do they not know the financial performance of the organization?

[00:31:18] Brad Nigh: I mean, yes, unless they’re not gonna be there long. Right.

[00:31:21] Evan Francen: They probably know roughly how much cash, roughly. They know whether they’re profitable or not. They know, you know, so they know the financial position or condition of the company to some extent, probably. Now take that to the CIO. So you can talk about speaking the language of the business. What does the CEO get in terms of the condition of the technology piece of the business?

[00:31:49] Brad Nigh: Hey, this is how much it’s gonna cost.

[00:31:51] Evan Francen: Yeah. I mean, they might have some weird metrics but there’s nothing standardized there.

[00:31:55] Brad Nigh: And I mean, I’ve seen that and what happens is you’ve been kind of perpetuating the cost center. Right. If really because it’s not get the cost center thought, but it’s not right,

[00:32:12] Evan Francen: we’ll take like a CFO. So the CEO has this idea, you know what, I want to investigate a merger with another company or an acquisition or do something. The CFO says, that’s great, Mr. and Mrs. CEO, but we can’t afford it.

[00:32:27] Brad Nigh: Right.

[00:32:29] Evan Francen: Mhm. Then something changes, right. It doesn’t happen. How often do you hear CIOs tell the CEO that you can’t do it?

[00:32:39] Brad Nigh: No. Yeah, I know, or, you know, they will do their due diligence from a financial standpoint. But I have no idea what they’re, you know, inheriting from IT or security issues. You know, we’ve seen it with, who, the Hilton did that. There’s pieces of it. So

[00:33:01] Evan Francen: so I think there’s this upward lack of communication with the CEO, between the CEO and the CIO, or lack of understanding. They’re not speaking the same language like the CFO does, the sound seems like. And then what’s the assets? So he took it, the assets of the CFO, the assets of the CFO are the dollars, right? They know how much they have, an accounting of every single dollar. Yeah

[00:33:24] Brad Nigh: and everybody understands it

[00:33:26] Evan Francen: right? I take that to the CIO, what are your assets? We have hardware, software, data, is your coming. Yeah, you’re not speaking the same language, you’re not doing things the same way the business is used to doing things, and then let’s bury the CISO under that. Trap. Yeah

[00:33:50] Brad Nigh: it’s going through, you know, a CISO speaking a language that nobody understands. It’s being translated by the CIO, who’s speaking in a language that his audience doesn’t understand, but it’s now gone through two translations, how, you know. Yeah, I can’t imagine why we’re in the position we’re in

[00:34:10] Evan Francen: totally. Yeah, and so that’s a huge challenge, so that you can, holding the CISO responsible for these things. Now the CEO does have the opportunity and does have probably some pull in reorganizing things, setting appropriate expectations of, this is what I expect, I expect you to have a good accounting of your assets, because I am responsible at the end of the day, I make decisions as the CEO on asset protection, right, on asset accumulation. We’re trying to accumulate cash, we’re trying to manage cash well, well then we need to do the same thing with our computer assets or other assets, our human assets or physical assets. Seems to make sense. Uh

[00:35:01] Brad Nigh: no, I agree.

[00:35:03] Evan Francen: So anyway, in this, in this, uh, article, it’s frustrating because until we figure this out, until you truly hold a CEO or a board responsible for information security, this will not change. We’ll still be in the same boat we are 10 years, 20 years from now. The only thing that could potentially happen that would shift the winds would be that the government does step in and does start mandating and does start taking control, and I honestly don’t want to live in that kind of environment, man.

[00:35:44] Brad Nigh: You think it’s rough now?

[00:35:47] Evan Francen: Mhm. Yeah, exactly. All right. So in this, in this article, uh, summary of investor lawsuit against SolarWinds, here’s some of the things they claim, some of the highlights, and this is public, so you can go and download and read it for yourself. But number one, uh, the face of the case is a former SolarWinds employee who was hired nearly two years before the Orion cyberattack and only stayed with the company a few months. He allegedly raised concerns about poor security. Well, in the role of, quote unquote, global cybersecurity strategist. So I think in that allegation, that there was somebody that was there that didn’t stay very long, that had raised concerns and nothing was done about it.

[00:36:34] Brad Nigh: Yeah, but it feels like they contradicted themselves in some of the allegations. Yeah, one of them being, hey, there was no security team, but his title was global security. All right. Doesn’t that imply that they have people in security, right?

[00:36:57] Evan Francen: Yeah. Yeah. The case also says that solarwinds123 was the password on the company’s update server and it had been warned about that and didn’t do anything. Makes direct claims, like you said, no security team, no password policy, no documentation regarding data protection controls. The company did not limit, these are access controls, exposing the company’s crown jewels, quote unquote, to potential cyberattacks.

[00:37:26] Brad Nigh: Here’s, here’s my thing. I mean, I guarantee you SolarWinds is PCI certified, right? Because they take credit cards for payment, so at some point if they don’t have any of those things there, then either their assessor is either not doing their job or this is incorrect. Right? To me that would be a lot of this

[00:37:49] Evan Francen: but the racket with PCI, and it is a racket, is you can become PCI compliant and then there’s a breach and you’re never PCI compliant.

[00:38:04] Brad Nigh: Oh I’m not saying that’s the case because there are always gonna be those controls. But I mean, these are the basic things that you have to have even get to that point regardless of how well they’re implemented if you have them. Yeah. Right.

[00:38:23] Evan Francen: one. Trustwave was the, uh, they were the assessor for Target. Obviously, I speak of that one because I know that one. So, and being the fact that, you know, 25 years, 30 years into this industry, not much has really changed. It’s the same crap. Uh, Target was PCI compliant. And when you look at the mess that, I don’t,

[00:38:45] Brad Nigh: Oh, for sure. I mean, don’t get me wrong, yeah, I’m not defending PCI. I’m just saying some of the things that they’re claiming, like, directly in the face of being able to get compliance.

[00:39:01] Evan Francen: The other thing about PCI, right, is it only applies to the cardholder data, so I might be doing all kinds of crappy-ass everywhere else. Yeah. Yeah. Anyway,

[00:39:14] Brad Nigh: and that’s not necessarily like, well, here we go, crossing out. It just, that struck me as odd.

[00:39:22] Evan Francen: Oh, yeah. This whole thing is odd, man. Uh, many accusations. So in the lawsuit, they say that the acquisitions, the accusations made by the shareholders are corroborated by a group of 10 former anonymous employees. Uh, SolarWinds also allegedly made misleading claims about the quality of its cybersecurity, especially on the website, deceiving investors. All right. So SolarWinds fired back. Uh, and in the middle of all of this, by the way, is, you know, the former, my office for many more, he smith’s, Tim Brown, the VP of security and CISO, is in the middle of all this. Uh huh. Right. Um, there was like, who is that, Equifax? Equifax preachers? Susan, I can’t remember her name, but she was also drug through the mud. Oh yeah,

[00:40:27] Brad Nigh: everybody wants somebody to blame.

[00:40:30] Evan Francen: It’s crazy. So the company’s response is 48 pages long. Uh, the lawsuit itself was, I think, 12, but here’s some of the things they say, quote unquote, the complaint does not contain a single actual allegation supporting any inference, much less a cogent and compelling inference, that the SolarWinds defendants intended to deceive investors into believing that SolarWinds was immune to cyber attacks or otherwise smoke with severe recklessness such that investors would draw that conclusion. Which to me,

[00:41:10] Brad Nigh: Oh, go ahead. Sorry.

[00:41:11] Evan Francen: Well, there’s no direct and that,

[00:41:14] Brad Nigh: yeah, I mean what we, yeah, if they had said, yeah, we’re, you’re fully protected from a cyberattack, yeah, that would be, uh, nobody that’s good, I would never say that, right.

[00:41:34] Evan Francen: But, and then the scope and sophistication, they attacked, quote unquote, investigators, government officials and the press have uniformly characterized the cyberattack as the largest and most sophisticated cyberespionage operation the world has ever seen, regarding at least 1000 very skilled, capable engineers. Um, yeah, not uniformly. I don’t think it was the largest and most sophisticated cyberespionage operation the world has ever seen. I think there was oversights.

[00:42:10] Brad Nigh: Well, I think that there are probably others that we don’t know about yet. Okay, this is probably the largest disclosed. Mhm.

[00:42:20] Evan Francen: Well, it’s certainly sophisticated. It caught a lot of people’s attention. Yes, but I also don’t think that that in and of itself is a defense against some of the other allegations that were made. You know,

[00:42:34] Brad Nigh: isn’t that the common man? Right. We did, we did what we could that this was something that nobody could have expected. Right.

[00:42:46] Evan Francen: This one was interesting, shot here. They do make a, they fired back on a specific point: “The allegations about the solarwinds123 password are simply a red herring. Plaintiff does not and cannot plead any facts suggesting that the solarwinds123 password or the update server was used in the cyber attack.” So that’s almost an admission that the solarwinds123 password was on an update server. However, that update server or this password was not used in this particular attack.

[00:43:18] Brad Nigh: Yeah, they very much like almost an admission but it’s if there’s no mhm saying yes this is the case. They’re saying if it were it doesn’t matter. Right.

[00:43:32] Evan Francen: So it’s interesting. I like following these things because at the end of the day, it does set some precedent. Uh The sad thing is you have this back and forth fought by lawyers and um at the end of the day, it just never seems like the person that should have been held accountable was held accountable. Mhm.

[00:43:54] Brad Nigh: Yeah, but that last piece with the group of employees, I thought it was interesting, but SolarWinds is claiming none of them would have had access to anything within the security infrastructure, none of them worked on the Orion software platform. So that’s an interesting, that would be interesting. Yeah, I’m with you, this will be a really interesting one to follow.

[00:44:21] Evan Francen: Well, yeah, especially on that point, these are anonymous employees. So how do they know that, you know, I don’t know, I have to read more into it.

[00:44:31] Brad Nigh: My guess is they know, you know the turnover in those departments very well.

[00:44:37] Evan Francen: Yeah, you think so, but you know, on the other hand to it, I know enough about, you know, big companies and know enough about SolarWinds to know that their security wasn’t as great as they are claiming it was either, you know what I mean? The truth is somewhere in the middle of all this.

[00:44:59] Brad Nigh: Yeah, no, I would agree.

[00:45:02] Evan Francen: And I would love to see at some point, and maybe this isn’t the breach, maybe there is no, uh, you know, nobody to hold liable on this side. Right. Certainly the attackers, if you can ever find them and get them and hold them accountable, you know, ultimately that’s where it goes, but where there is negligence? I would love at some point for us to actually hold a CEO accountable for their negligence with respect to information security so that we can set some sort of precedent, get, you know, something to get CEOs’ attention that we need to take a lot of this stuff more seriously. I need to put it on the same level playing field as everything else in my business. I understand it’s hard, right? There’s so many things competing for CEOs’ time, but we like what we do, you know, for instance, we provide a number, this is your current state of your security. This is the future state, the same thing the CFO does with money. Right? We currently have x number of dollars, next month we will have y number of dollars. It’s the same kind of thing.

[00:46:12] Brad Nigh: And I think the CEOs need to wake up and pay more attention, because if you have a security event, that’s probably going to be one of the most disruptive things that could happen to the company.

[00:46:24] Evan Francen: Right? But until, unless, I think was because I’ve read other studies, I read a study that more than half of CEOs think that information security is a waste of resources

[00:46:36] Brad Nigh: until they have a ransomware attack and are suddenly willing to invest

[00:46:41] Evan Francen: or until they’re held personally accountable.

[00:46:45] Brad Nigh: Yeah.

[00:46:46] Evan Francen: I mean take the, you know, the Colonial Pipeline breach. The CEO gets up and says, I’m extremely sorry. Okay, what does that do?

[00:46:58] Brad Nigh: Nothing

[00:47:00] Evan Francen: At some point, you have to have the first one, right? The first one, it’s not going to feel like it’s fair. Right? So if you were to hold the, you know, the Colonial Pipeline CEO accountable, right? And fine them or do whatever criminal, whatever you wanted to do, it’s not gonna seem fair. And the reason why it doesn’t seem fair is because you’ve never done it before.

[00:47:21] Brad Nigh: Yeah. You know, I’d say same thing here. Like there’s got to be due process, obviously, because it could have been a defensible thing and somebody just made a mistake. They could have had all the controls. We say it’s not a matter of if, it’s a matter of when. So if it’s found that they were underfunding security, that requests were being, you know, denied. Yeah, I’m accountable. They had all the things that you would expect in place and were supportive and gave a budget. Oh, well, and at that point, I’m sorry, the satisfactory.

[00:47:57] Evan Francen: Right. And I think maybe that would be something that would help, would be, is if you had, maybe we do have, actually, I think it’s just putting it in this context, but we have a set of things that if you’re not doing, I would call them negligent. For one, having an asset inventory. If you don’t have an asset inventory, and I understand that assets change on a regular basis, well then get your hands around it, figure out processes, figure out technology to get your hands around your assets. Yeah, I don’t have an ad and it’s great Three. How could you claim that that’s not negligence?

[00:48:36] Brad Nigh: Oh yeah. And It’s not difficult stuff. It’s like I would say what less than 10 fundamental things that you need to have in place and implemented appropriately. Not just happened, right? Yeah. Is that beautiful and exercise to Mhm.

[00:48:55] Evan Francen: Well, maybe work on that. And the, well, the next thing I want to talk about was, what if anything do we expect from the Taliban? Taliban news this week. You know, the things happening in Afghanistan.

[00:49:06] Brad Nigh: But honestly, I think it’s going to be the same thing we see after every major disaster with the increase in phishing emails looking for donations to help the uh refugees. That type of thing. I don’t I wouldn’t expect to see any other types of attacks.

[00:49:24] Evan Francen: Yeah. Yeah. I think I agree with, I agree with you there. You know, I think in a longer term sense it’s interesting to see how China is positioning themselves. That could work out into something kind of funky. But I agree, it’s going to be things that play off the humanitarian aid thing, you know, pull at the heartstrings. It should look like.

[00:49:46] Brad Nigh: Yeah. And people have to be very vigilant right now because you also have, you know, the earthquake in Haiti, now they’re getting hit by the tropical storm. So you know there that we’re going to see an innovation of those. So there’s a lot going on right now. You’ve got to be on your toes, right?

[00:50:04] Evan Francen: Yeah. If you want to donate, thing that stuff, you know, go about it yourself, right? Search for the right places, you know, don’t respond to a damn email that you didn’t ask for. Yeah, it’s news things. We’ve got three news things. Actually two news things, we’ll go through those pretty quick so we can wrap this thing up. The first is T-Mobile. Thanks.

[00:50:31] Brad Nigh: Yeah. Yeah. I think the only thing on that one that really concerned me was the IMEI number being taken, because that’s probably one of the few things that hadn’t up to this point. Everything else I know for sure, my date of birth, Social Security number, you know? Well the PIN, the plaintext PIN, which is, oh my god, but you know, and this will be interesting to see again how this was done

[00:51:03] Evan Francen: right? No, I agree with that, same thing. The fact that all of this data, it’s probably been leaked in the thousands of breaches that have happened over, you know, the 30 years, chances are really good that my name, my date of birth, my Social Security number, driver’s license number.

[00:51:25] Brad Nigh: And I think I’m at the point of just I assume that stuff is all known. Yeah accordingly.

[00:51:33] Evan Francen: But then, you know, the IMSI and the IMEI data, that you’re right, that that probably hasn’t been leaked before.

[00:51:43] Brad Nigh: Yeah, it will be interesting, and I want to see how they didn’t notice that 100 gig was downloaded. Like, uh, is that not normal? That’s normal. How did, how did this get missed?

[00:51:55] Evan Francen: Well, and again, man, it’s the basics, the freaking basics, it’s over and over and over again, you know, it ingress, and why do I have a firewall in place? Is it just to be a crunchy shell, or should I not be using it the way it was actually designed to be used, which was to limit what goes out as well, ingress, egress? I mean, the same thing happened, you know, we’ve already mentioned the Target breach, you know, it all went up to FTP. Why do you have FTP open? Yeah, I don’t know.

[00:52:29] Brad Nigh: Yeah, that would be a fun one to follow as well.

[00:52:33] Evan Francen: Right. Well, at least with the IMEI and IMSI, like, those are used, for people who don’t know, those are used essentially on your SIM card. Right. And they identify your phone on the phone network. If I had that data, I could potentially replicate a SIM card and do a SIM swap without having to call T-Mobile.

[00:52:52] Brad Nigh: Yeah. Yeah. And so I would assume anybody that’s affected will be getting a new SIM card,

[00:52:59] Evan Francen: I hope so on the But you know the thing that doesn’t bother me about those is I can change.

[00:53:08] Brad Nigh: Yeah sure

[00:53:10] Evan Francen: I can’t change my name, but I can, but probably not going to, because they’ll just lose my damn name again. Can’t get a new Social Security number. I probably can. But again, it’s not, it’s not true. It’s not trivial. Driver’s license number. I mean, those things, the thing that sucks about those things is that they are permanently out there and I can’t change them. Yeah. Uh huh. Alright. So the way the data was exposed, uh, there’s write-ups everywhere about this, um, essentially somebody broke in to T-Mobile, found the data and extracted it. Yeah, this is your run of the mill attack. It’s not what we just left something hanging out there somewhere. Now somebody infiltrated, exfiltrated.

[00:54:09] Brad Nigh: Yeah. Yeah. I’ll be interested to see the results of the investigation.

[00:54:16] Evan Francen: Yeah and in this case it’s what 100 million customers

[00:54:20] Brad Nigh: Uh, they are claiming 100, T-Mobile’s claiming 40. Yeah.

[00:54:26] Evan Francen: Yeah.

[00:54:27] Brad Nigh: The other thing was, if you read, I was reading something about it, and the attacker was saying it was like in retaliation for U.S. cyber espionage. They weren’t asking for a ransom or anything. This is a retaliation attack, which, you know what, I don’t understand why you’d go after, right, or you know, a company, not the government, but yeah, that could be a significant ramp up of. He was rad.

[00:55:00] Evan Francen: Well, I need to, you know, that some government employees probably have personal T-Mobile accounts or their family members do. So there’s a back door there as well

[00:55:10] Brad Nigh: usually. Absolutely.

[00:55:13] Evan Francen: Alright, so speaking of the government, thank you. We just, uh, the FBI has this thing called the, from the Terrorist Screening Center. So TSC for short, if you just Google FBI TSC you’ll find some information. But their job essentially is to maintain the no-fly list. You know, make sure that terrorists are being, suspected terrorists are being tracked. Um, the information on the watch list is shared with the Department of State and Defense. You know, numerous international partners, staff have access to it, customs officers. Um, part of that TSC, part of that, um, Terrorist Screening Center list is the no-fly list. Uh, so a bigger list, part of that, because most people have heard of the no-fly list. A lot of people haven’t heard of TSC before.

[00:56:09] Brad Nigh: Yeah, but the no-fly list is a subset of a bigger watch list

[00:56:14] Evan Francen: Yep. So this was exposed on an Elasticsearch server. It’s just hanging out there.

[00:56:22] Brad Nigh: You know, the most unusual part is, well, it was on a Bahrain IP. Wasn’t a U.S. IP. That way. Okay.

[00:56:35] Evan Francen: No, you’re right, so it might have been someone that we shared with, one of our international partners, and

[00:56:39] Brad Nigh: yeah, in it was left online without a password or any authentication, and it’s on a non-U.S. IP. I don’t know what our relationship with Bahrain is, but you know, could be we shared it with someone. They exposed it. It could be, hey, do we have, was this leaked? So I think there’s a lot of what you need to know about this one?

[00:57:09] Evan Francen: Yeah, I agree, man. And the fact that it was a Bahrain, it does kind of lend itself to the fact that it was shared with Bahrain or a partner, a partner country, who then exposed it inadvertently. Yeah. So it was discovered on July 19, 2021 by a guy named Bob Diachenko. Bob Diachenko, you know, has his own company and is a security researcher out there doing a lot of this good stuff. Uh, found on July 19. And I think it was taken down. When was the date, we have that?

[00:57:48] Brad Nigh: This is three weeks later.

[00:57:50] Evan Francen: Okay. So it is, it is gone now. The data that was exposed in the 1.9 million records: full name, gender, date of birth, citizenship, passport number, TSC watch list ID. Uh

[00:58:04] Brad Nigh: And the no-fly indicator, yep. Yeah. You know, in the three weeks, they keep harping like there’s no, nobody knows. Why? Are you kidding me? I’m not such all by that because it was probably reported to some very little level and it took that long to get to somebody who could make that decision, right? No.

[00:58:33] Evan Francen: Yeah, I agree. Now this doesn’t affect me personally, because I don’t think I was on this list, but 1.9 million people were. Now the actual list, do, I mean, you gotta point out there are people on that list that probably shouldn’t be on that list, people not on that list that should be

[00:58:52] Brad Nigh: and we don’t know. Is it even a legitimate list?

[00:58:59] Evan Francen: Yeah. He’s got some screen, he’s got a screenshot that shows some of it. And yeah, I don’t know.

[00:59:04] Brad Nigh: I mean, that’s another thing we, we have to take into account.

[00:59:09] Evan Francen: Yeah, totally, man. So I think the, and maybe I’m reading more, but just for listeners who think that the government is so good at security, they’re not, they’re just not. There are parts of the government that are good at information security, but most, most of them aren’t, the same chapter talked about with states. You know, think about the complexity in a, in just any state, when you talk about all the things, take that and multiply that, you know, take that to a factor of 100. That’s your federal government.

[00:59:46] Brad Nigh: Yeah. They can’t compete salary-wise with the private sector, right? I know anybody historically, right? That people would go there, get experience and then go get hired, and so there was a lot of turnover in some of those positions.

[01:00:04] Evan Francen: Yeah. Yeah. It’s a mess, man. And I guess buddies in CISA, and I was talking to one of them about some of the things that we’re trying to do. He’s like, oh, that’s a good idea. I’m like, you’re the one, you’re the damn government. You’ve got all the resources in the world. I’m like a dude in my guest bedroom. Yeah. Come on. I’ll give you the methodology. You can do it, please fix these problems. That’s the thing about CISA too, not only is CISA, you know, the Department of Homeland Security transfer government things, but now CISA, the way they’re set up, it’s let’s go out and help everybody else, let’s go out and help state Scotland, help, you know, counties and cities and everybody. It’s like, why don’t you get your own house in order first?

[01:00:54] Brad Nigh: Yeah. Yeah. And you know, honestly, it probably would be easier to start small. You’ll see more, a more tangible results faster. Would be a lot easier for a county to implement some of these changes than the Department of Transportation for the U.S. government.

[01:01:13] Evan Francen: Yeah, but what’s going to have the most impact man.

[01:01:17] Brad Nigh: Yeah. And this is a this is a business, this is where that business needs to make a decision, right? The organization to say, hey look We can pick off these 15 things introduced. There is my ex and take this long or we can do this one thing that is more, it’s gonna take twice as long and cost twice as much. Yeah what do you want to do?

[01:01:39] Evan Francen: Yeah good point man. All right, well, good episode. Uh You got any shout outs?

[01:01:47] Brad Nigh: Yes. I’ll give a shout out to our ah 15. I think you’ve been very supportive and encouraging that just on a personal level. But also like to the organization.

[01:02:02] Evan Francen: Yeah. That’s cool, man. I’m gonna give a shout out to my mom, because she’s here visiting me from wherever she comes from, and she birthed me. So that’s kind of good. I’m thankful for that. The crazier the world gets, some kind of thinking like, yeah, maybe you should have saved your time on that because it’s getting crazy out here. But no, it’s my mom. She’s, she’s a wonderful person who, you know, I think did a good job mostly. Um, alright, well, that’s it. That’s, that’s the wrap. Episode 145 next week. I’m gonna try to get some state CISOs, maybe join us on some of these.

[01:02:38] Brad Nigh: That would be fine.

[01:02:39] Evan Francen: Yeah. I’d love to hear kind of their perspectives. Obviously they live it and walk in it and I want to help as much as we can. Uh If you want to socialize with us, you can email us at unsecurity@protonmail.com. We’re not very good at actually.

[01:02:59] Brad Nigh: Mhm following that email, but I don’t find anything critical there.

[01:03:01] Evan Francen: No, nothing timely, no way. Where you can follow us online too: I’m @EvanFrancen on Twitter. You’re at brad and I, we’re also on LinkedIn, you can find us, we’re all over the place. We give talks and put a, you’ll find us. That’s it. Have a good one.

It’s finally here, the annual BlackHat and DefCon29 events are back again in Las Vegas, Nevada. What are these events? Evan & Brad unravel everything you need to know about BlackHat 2021 and DefCon 29 in this week’s UNSECURITY episode.


Podcast Transcription:

[00:00:20] Evan Francen: Okay. Welcome listeners. This is the Unsecurity Podcast, episode 142. That’s 42 more than 100, like 58 less than 200. It’s a lot of podcasts. But that’s, uh, that’s the number today. We’re in the middle of, not in the middle, sort of failure, in the middle of all this Black Hat, DEF CON goody stuff happening in Vegas. We’ll talk a little bit about that. But before we do that, you know, Brad Nigh. He’s here, how you doing, Brad?

[00:00:56] Brad Nigh: I’m doing well.

[00:00:59] Evan Francen: Yeah, telling you man. Good fun.

[00:01:06] Brad Nigh: We’ve had some, you know, some stuff going on with work is being, you know, it’s crazy. It’s good. It’s very busy. So that’s what you want.

[00:01:18] Evan Francen: Yeah, yeah. Yeah. There’s, there’s a good busy and they’re not so good busy, you know what I mean?

[00:01:25] Brad Nigh: Nothing good busy. Yeah.

[00:01:28] Evan Francen: Well, one of the things we talked about earlier this weekend and we won’t get into it here on the podcast is using resources I think too. Um, most appropriately, you know what I mean? Yeah. Well we all struggle with that uh, in management when you’ve got really high end resources and they’re using them maybe on tasks that they’re not best built for. So you’re kind of over engineering that and then you also go the other way, sometimes we’ve got, you know, people that just aren’t capable of doing some of the things that we asked them to do and that’s always a challenge trying to figure that stuff out and made to those waters. But you know, that happens all the time.

[00:02:12] Brad Nigh: Yeah. Well, you know, I will say that, you know, one of the nice things with my role is, you know, there when they said, hey, we’re gonna take away your HR responsibilities, but you get to keep all the security responsibilities and manage the programs. Oh yeah, Okay.

[00:02:29] Evan Francen: Right. Yeah. Well it’s always a double edged sword because you never know how one how people are communicating map, you know, like where they’re coming from, you know, because like we did that with Kevin Kevin’s, I wouldn’t have a listener so he’s going to hear this and probably getting a crap about it. But uh, we took that away from Kevin, not because we thought it was, I mean, after the same reason it happened with you for him because he sucks at managing people, I think, You know what I

[00:02:59] Brad Nigh: mean? Hi Kevin love you.

[00:03:06] Evan Francen: Right? Well, he knows, I mean, it’s not like it’s, he’s a fantastic ally is great to have on the team. I can’t imagine doing the stuff I do and us doing stuff we do without him because he does that stuff in the back end. People don’t really realize that he does. And then when you do hear him, when you guys popped his head up, you know, it’s like, oh shit, what is it now? You know

[00:03:33] Brad Nigh: you mean no go karts,

[00:03:34] Evan Francen: kevin? I know, right? Well, I would tell you about the, you know, there’s all these conversations that happen to have the scenes that I don’t think people, uh, you know, like there’s executive conversations that happen that people don’t know. And if you did, you’d be like, are you kidding me? Because that’s how I feel. You know, I get an email from Kevin and like, really? I mean, I got 10,000 things on my list. This isn’t even close to one of them. Uh, but you still gotta deal with it. Right?

[00:04:09] Brad Nigh: That’s funny.

[00:04:11] Evan Francen: Yeah. You gotta be careful, for people that want to be executives, and we’ve said this before, for people that want to be CISOs, be careful what you’re asking for. Yeah, you might, you might just get it, when you’d be like, oh, wish, really? But I honestly, at the end of the day, man, I’m really grateful. I’m grateful to be, you can take a step back and look at things and you can be grateful, content. You know, I mean, it’s just, I’ve been blessed. You’ve been blessed. We’ve been blessed with a lot of really good things, and I think the blessings are only the beginning. There’s a lot of good stuff, a lot of good work left to do, man,

[00:04:50] Brad Nigh: uh you know, I was having a conversation with one of our newer, so uh what’s Today Tuesday? It was and she was like, we were talking about the job and she was, you know, there was an issue with one of us can from last year this year and I took care of it and we’re just talking, you know, she was on vacation. So it was like just to catch up and I just appreciate it. It’s amazing how, you know, everybody here supports each other and it doesn’t matter who you are. It was really awesome to hear because I think make good concerted effort to keep that as part of it. You know, it is who we are as an organization and it is top to bottom. So it’s always awesome to hear that, you know, new people are they recognize that they under that that is coming across, it’s still there, you know, it makes a huge difference.

[00:05:56] Evan Francen: Oh, man, totally. Well, today is dr smith and like we mentioned, kind of at the beginning of the show, you know, it, uh, today is the last day of Black Hat, and so it’s Thursday. For people who have never been to Black Hat, you should go once. Uh, I’ve been enough, I’ve been there enough times. I just have no interest in going anymore.

[00:06:20] Brad Nigh: You know, the problem is it’s gotten so marketing.

[00:06:24] Evan Francen: Oh my gosh, man, so

[00:06:27] Brad Nigh: copyright that, that market e

[00:06:30] Evan Francen: You’re right, man. I mean, for people who have been, who are there, you know, in the earlier years, I mean, I don’t know how many numbers this is now. It’s gonna be 29, actually, 24 for Black Hat, it’s 20,

[00:06:45] Brad Nigh: 29.

[00:06:47] Evan Francen: But you know, the first Black Hat I went to is nothing like the Black Hats today and teachers. All right. I’m not, I don’t want to be overly negative, but to me, Black Hat is just too commercial, too, uh, too much FOMO, too much, like, oh my God, you know, don’t miss out on this, don’t miss out on that. And it’s like, you’re not missing out on crap because you still haven’t figured out the fundamentals, so go back and work

[00:07:18] Brad Nigh: Well for us. It does. I will say. I think it still has its place. Yes, for sure. It’s not, Yeah, I’m not the target audience,

[00:07:31] Evan Francen: right? Well, the fact that it’s in Vegas for one, you know, it’s, that’s cool. You know, Vegas is cool for some people, but the, the fact that in Vegas, the fact that it’s become so commercialized, uh, the talks, you know, are nowhere near like the, what they used to be, the talks used to be much more. Um, I think it didn’t seem like there was a motive. I wish it

[00:07:59] Brad Nigh: went from like, hey, here’s what we, here’s what we’re finding here is what we’re doing to, hey, here’s why you should buy our product

[00:08:07] Evan Francen: pretty much. Yeah. So if people don’t know Black Hat, uh, you know, this year was, you know, three days or four days of, Saturday, Sunday, Monday, four days of training. So they call that the Black Hat trainings, which, the couple that I’ve been to in the past have been amazing. Some of the best training in the world happens at Black Hat. Expensive as hell, but good training. And then it’s two days of briefings. So Wednesday, yesterday, was the first day of the briefings and then, uh, today to wrap it up.

[00:08:43] Brad Nigh: Yeah. And to be clear yesterday today that we’re talking about, like you said, the training portion is very different.

[00:08:51] Evan Francen: Yeah, totally. So nothing. I mean there wasn’t really any breaking news yesterday. That was like, oh my God, that’s insane. Usually there’s a little bit of that, you know, but I haven’t, I haven’t seen anything that was like earth shattering, more of the

[00:09:08] Brad Nigh: same. PrintNightmare was supposed to be released during Black Hat and it got, yeah, so there you

[00:09:17] Evan Francen: go. Well, that’s one of things that’s frustrated me too, is, you know, people want to wait to disclose something at Black Hat when, why, why? No reason why you’d be waiting to disclose it at Black Hat would be for the notoriety,

[00:09:35] Brad Nigh: Maybe 100%.

[00:09:37] Evan Francen: Yeah, so that’s a pretty selfish reason to be holding back, you know, something. Um, but it is what it is. The sponsors, you know, they don’t know what they pay for sponsorship nowadays, but holy ghost, I look at some of the sponsors and I’m like, uh, adam money, I’m gonna say something I shouldn’t, so let’s move on, man. Black Hat today ends and then we go to DEF CON. DEF CON starts tomorrow. Death friends, you know, if you again, if you’ve never been, it’s worth, it’s worth a go. If I were to go to either one, Black Hat and DEF CON, if I had, if I could only go to one, I would definitely go to DEF CON.

[00:10:23] Brad Nigh: Absolutely

[00:10:25] Evan Francen: it’s more, it’s more of the culture, it can kind of get yourself immersed into, you know, what all these weird geeky people do.

[00:10:32] Brad Nigh: Oh yeah you can go on the, there’s got like the itinerary and some of the things it’s like wow.

[00:10:41] Evan Francen: Yeah

[00:10:42] Brad Nigh: and there’s like the various centric ones too, they have like a tinfoil hat competition, like they’ll give you tinfoil, you have to make the hat and they are gonna judge and declare a winner. It’s so funny.

[00:10:56] Evan Francen: Yeah, I think it’s a lot of it’s funny and it’s a lot of fun. I think one of the things that sometimes people do if you’re not in that culture is you may think that oh my God you may come away either being scared shitless or think oh you can do this Well then this must be happening everywhere kind of thing. No, this is a lot of one off kind of like stuff you probably will never encounter in your own business, but pretty damn cool stuff.

[00:11:29] Brad Nigh: Well, you know, it’s, I was talking with a couple of the, uh, my vCISO clients and telling him like, hey, by the way, I’m gonna be, uh huh, dan for out of pocket for the capture the flag, and you know, it for that, for us to an incident response, for the pen testers doing the red teaming stuff. It’s valuable experience.

[00:11:53] Evan Francen: Yeah, for

[00:11:55] Brad Nigh: Mhm. The people I’m working with your like that would be cool. I’ll never use it. Right? Yeah, it’s interesting to, you know. Yeah, that’s fun to do, but it’s a fairly narrow skill set or you know, that can well use it in any sort of regular wave,

[00:12:19] Evan Francen: Yep. 1st. Sure, so DEF CON 29 kicks off today, it will run through the, safe, Sunday. Thursday, Sunday, yeah, I can’t do the numbers, right? So it kicks off today. Today’s Thursday the fifth. It will end on Sunday the eighth. That’s when they’ll do all their awards and give out the black badges and all that good stuff. We have a team. So you’re doing your own, and we’ll talk about that, you’re doing your own, like you’re going solo on the CTF to just see what the hell you can do.

[00:12:52] Brad Nigh: Uh

[00:12:53] Evan Francen: we have a team out there too. We have, we have actually a team at Black Hat and at DEF CON, but the team is, how many, how many CTFs are they doing this year? Do you know?

[00:13:04] Brad Nigh: So officially we’re not disclosing what we’re doing. Well, the problem is a lot of times you’ll start on some of these and be like, you know what, this is stupid, and so you know, because marketing was asking like, hey, can we know, because yeah, there’s a couple we’re gonna do, but what if we choker decide like, you know, a couple hours in, like this is ridiculous, we’re not doing this. And so you know, so usually I’ll say this, how about this, last year, uh, I know the red team did okay and they focused on one, saying this is a blue team, and then kind of worked together on a couple, like the Biohacking Village and, um, so one other one, I

[00:13:57] Evan Francen: can’t remember the medical

[00:13:58] Brad Nigh: one. Yeah, that was biohacking.

[00:14:00] Evan Francen: Oh yeah, yeah. What, shoot, what was it, was? I know an IoT

[00:14:07] Brad Nigh: yeah, it was something, I don’t remember what it was, you know, so usually, but usually you don’t work, you know, the, the OpenSOC one this year is like, I think it’s like noon to eight Central on Friday, and then the finals are on Saturday, so there’s gonna be time to work on other stuff or, you know, as you’re doing it. So it’s, you know, never really just one thing you’re doing, kind of doing a bunch of stuff. Yeah,

[00:14:40] Evan Francen: Yeah. The team last year, I think it was in four CTFs, right?

[00:14:43] Brad Nigh: I’m like, yeah, that sounds about right.

[00:14:46] Evan Francen: I think the team

[00:14:47] Brad Nigh: final than all of them, uh, with, I think so, the command and control was, I think, second maybe, okay, um, OpenSOC, which last year was the first time we had done as a team, and we had a bunch of relatively new people, we finished, I want to say ninth. It was like 10 minutes after the first place finisher. So are off, and then we did like, we’re top 15 for the biohacking, which was a, like, literally like when we had time. Yeah, it wasn’t even a full time. Yeah, and I don’t remember what the other one was, but it was top 20 for sure.

[00:15:29] Evan Francen: Yeah, that’s cool. I’m excited to hear the updates from you and Oscar as you know, as things go on. I I actually stay out of the way until uh Yeah, I mean Oscar will paying me, I’m sure on Sunday, Monday and you will, you know, hopefully you and I you and I are always kind of, you know discussing things. So

[00:15:52] Brad Nigh: it yeah, it’s fun. I’m interested because last year I was was part of the blue team piece because we’re still training up a bunch of people now and those guys have just come light years so we’re going to let them, I think Oscar is going to let them just how to do their thing. So you, how did you know? Yeah, so

[00:16:14] Evan Francen: goodbye. That’s so cool. When you talk about baby Bird, I mean true that blue team is, you know, I would say top 10 in the world and people don’t realize that because they’re in the back end and you never see them, you never really see what they’re doing, but they’re damn damn good man,

[00:16:38] Brad Nigh: We’ll see how they do this year. But I mean yeah, yeah, finish their last year. I mean realistically this is kind of the best way to the only real way to judge how some of these going and it’s an even playing field because you’re not using any of these customized tools or anything like that. You give you, hey, here’s, here’s the tools go. So it’s a and the

[00:17:08] Evan Francen: that’s cool man. Well I think and after maybe next week or the week after we’ll have you Oscar me, maybe pinky join us. You know, we can talk about how things went.

[00:17:21] Brad Nigh: Maybe Eric just have a big party.

[00:17:23] Evan Francen: Yeah, right, because I’m excited to hear, I love, I’m like that, I’m like the dad, you know who watches his kids go out and play on the field. Holy crap, they’re so good.

[00:17:36] Brad Nigh: Oh yeah, yeah, those guys are well, we know are are renting is amazing, you know, they just, do you grow big blue is so new. Like if you think back two years ago it was like me and Oscar and we just hired

[00:17:57] Evan Francen: that I was doing crap then.

[00:17:59] Brad Nigh: Yeah, Tom just two years. He was the first one. I think so. I mean, yeah, from where we were to where they’re at this guy’s man. Nothing but yeah, these for them.

[00:18:13] Evan Francen: Yeah, yeah, that’s cool man. So all right, so that’s kind of where we’re at there, I think next week we’ll have an update on, you know how things went down, you know, DEF CON more so than Black Hat. I mean if you want to know what’s going on in Black Hat, just check the news because Black Hat, that’s a place where all the marketers are going to be spewing all this stuff, you know, that came from Black Hat. So it won’t be hard to find really good information on Black Hat. I think it’s important, you know, at DEF CON to see some of the inside stuff that happens. Our team, our team, is there not as tourists. I mean our teams are active participants that actually worked their ass off. Some of them like hardly even sleep for the entire, you know, 3, 4 days

[00:18:59] Brad Nigh: here. It was The same thing. I started like noon on Friday. I think I went to sleep at three a.m. And was back up at eight and went so I don’t even, I don’t Yeah

[00:19:16] Evan Francen: crazy.

[00:19:16] Brad Nigh: Well into the night. Yeah. And then Sunday as well I think. Gosh, we’d have to go back and work. It was like 6 40 hours over that three day window.

[00:19:32] Evan Francen: Yeah, that’s cool. All right, well let’s uh stay tuned for some updates there. Uh Other things going on around here. I’m doing a lot of work with states and local governments trying to crack that nut. That’s easier said than done. Uh I don’t know your you’ve been working here all over the place. You’re

[00:19:52] Brad Nigh: I mean my big focus is what we call program management. So taking we’ve got so much good information, but it’s all decentralized. So, you know, people don’t maybe just working to make it standard, right? Just one voice. You know, everybody knows. Okay. I have a question about incident response. Here’s where I go to find it from sales and marketing side. Or where the expectations for uh our case managers or the, you know, project manager, what are they expected to do? And where do I go to find that information? So it’s fun. It’s a lot of work.

[00:20:34] Evan Francen: But yeah, and you’re all over the place. It’s like herding cats.

[00:20:40] Brad Nigh: Yeah, it’s basically, I mean every single Mhm. Group, you know, outside of like some of the back end stuff. Yeah. Ignoring finance are about the only ones that I’m not working.

[00:20:57] Evan Francen: That’s cool man. I appreciate I appreciate all the good work. It uh it’s a big deal, otherwise you get chaos.

[00:21:07] Brad Nigh: You know, it’s fun. It’s good to do too. It’s a good sanity check for us as an organization because you do find I did IR last quarter and we, we found some like we’re like, oh wait we’ve updated that. We need to fix that in the statement of work to make sure that it reflects the current status because I mean, let’s be honest, we’re as fast as we’re moving. It’s very easy to miss and it was, yeah. Oh yeah, no, we should change that language is, it’s not how we refer to it anymore. Yeah

[00:21:46] Evan Francen: yeah accurate, very cool. Well I have three news pieces today. Nothing, it sort of has seemed a little quieter out in the world. Yeah. Uh huh. That’s not uncommon either around this time of year. Um, All right. So first one is from BleepingComputer, it’s LockBit ransomware recruiting insiders to breach corporate networks. Not the first time we’ve heard of criminal gangs using insiders, so trying to find somebody on the inside who is maybe money motivated, maybe hard up on cash. They were going through a divorce, whatever. I mean there is, there is a, there is a profile of the ideal person to approach and how to essentially convince them to help you. There is a profile that attackers use to do that and it’s all those things that people are going through life changes because if you think about it as a human being, I may not have a criminal record. So if you do the background check, you won’t see the fact that there’s nothing right because I wasn’t motivated to, but now with Covid and I’m going through some mental issues going through a divorce, my wife is gonna want a bunch of money that the lawyers are going to cost a whole bunch. Yeah.

[00:23:10] Brad Nigh: Yeah, there’s, it’s, well, you know, it’s funny when I saw this, I was like, I had to look at the date. I was like, did he send one from like did he look at the date wrong? No, that’s okay. That’s yeah, interesting. Yeah. Like you said it is not, it’s common, sadly

[00:23:29] Evan Francen: it is. Um, and and there is the ideal person. I mean they have automated this, they’ve gotten so good at this. It used to be almost spray and pray. Right? You just make all bunch of phone calls, how much of emails, who’s gonna respond. Okay? There we go. I got somebody on the hook, they still do a little bit of that. But the really good ones, they will, they will create a profile or they have a profile of who the ideal target is when they will use search engines and you know their own OSINT to identify who those people are and then keep it quiet because if I do this spray and pray method, you might be tipping off somebody else.

[00:24:06] Brad Nigh: Yeah. Well you know, it’s funny because in that article at the very very last sentences in August 2020 the FBI arrested a Russian national for attempting to recruit a Tesla employee. So I was like, okay, I read that. It’s like, all right, okay. That’s why it felt like wait, didn’t we? Uh huh.

[00:24:26] Evan Francen: You are always people are always the best, you know, right? The best method of getting what you want so LockBit 2.0, they promised millions of dollars to insiders. So you come help us. You know, we will pay you through the nose. Uh, it’s LockBit, you know, 2.0 is a ransomware as a service for people who don’t know what that is, essentially. It’s you know, we want, you know, here’s here’s what the email says. I’ll quote it. Would you like to earn millions of dollars? You know, if I’m hard up on money man and you know, you might have piqued my interest something I you know when I sit here in my normal frame of mind, when I sit here and I’m not, I’m not going through life events that require me, you know that that doesn’t pique my interest. But if you can put your put the shoes on of somebody who is, they’re desperate, they’re down on their luck there like things that they normally wouldn’t do. They do. Yeah. And if you talk about, you know, a company with 1000 employees, couple 1000 employees, you’ll find somebody who’s going through some desperate times and they haven’t told anybody either. That’s nothing at work, you know, with the culture of some organizations the way they work, you’ll never know the person who’s going through this desperate hard time, especially at home now and now we’re working at home.

[00:25:49] Brad Nigh: Yeah. Yeah. I saw it just kind of a little bit of a non sequitur bit. I saw comic like, yeah, it was like why don’t men talk about things? And it was like inside the box, I’m going through some stuff comes out was like, hey, I need some help and gets the stomach punch and then goes back in and like, nope, never doing that again. And I mean, unfortunately that is far too common.

[00:26:14] Evan Francen: Oh yeah, my son, you know, who’s a police officer in Lenexa, Kansas, you know with all the things going on in law enforcement and he’s a good cop man, he’s out there to serve. I know him deeply, you know, I mean just I know he’s a good kid and uh so I was talking about, you know, what kind of support do they have for you guys in terms of mental health, you know, I mean it’s got to be hard, you know? And he’s like, well there’s a, you know, we do have a mental health, you know, doctor and everything. I’m like, have you gone to see them? He’s like, no, like why not? Is nobody goes to see them that goes on your record.

[00:26:52] Brad Nigh: Yeah, I mean how does that help?

[00:26:57] Evan Francen: Doesn’t but I know that I was talking to somebody last week. I think he was a former state patrol person but he has a lot of inside information on just different police departments and the procedures they are changing that. So there is a wave of like encouraging officers to get mental health and not holding it against them right almost in giving them awards for doing it right for stepping out

[00:27:25] Brad Nigh: definitely that like stigma Yeah, getting help. Does not mean you’re weak. Doesn’t either. Something wrong. Everybody needs it at some point.

[00:27:35] Evan Francen: 100% man. I mean show me the person who can get through this life without any help from somebody else that doesn’t exist. All right. So anyway, would you like to earn millions of dollars our company acquired good English. Yeah. Our company acquire access to networks of various companies as well as insider information that can help you steal the most valuable data of any company. We can provide us you can provide us accounting data for the access to any company. For example login and password to RDP, VPN, corporate email et cetera. Or open our letter at your email launch the provided virus on any computer in your company companies pay for the for us companies pay us the foreclosure for the decryption of files and prevention of data leak. You can communicate with us through the Tox messenger https://tox.chat/download.html using Tox messenger. You will never know, we will never know your real name. It means your privacy is guaranteed if you want to contact us use Tox ID and then whatever you can trust us, your privacy is safe with us attackers who are trying to convince you to steal millions of dollars from your company.

[00:28:58] Brad Nigh: Oh and by the way, open our letter at your email that we don’t know who you are.

[00:29:04] Evan Francen: Yeah. Yeah. Yeah just funny. Uh but it works obviously if it didn’t work then they wouldn’t do it.

[00:29:12] Brad Nigh: Which yeah it’s sad unfortunate.

[00:29:17] Evan Francen: Yeah so I think you know one of the things that as the CISO right, understanding that information security is more about people than it is about information or security keeping focused on that if you try to create an environment where people feel safe coming to you, you know they’re not going to feel judged letting you know about these things. Uh Yeah so it’s not just technology you’re not you’re not gonna stop you know these types of attacks with technology because the attackers just find a way around your technology.

[00:29:54] Brad Nigh: I mean how many, how long have you been saying? I’d rather go through the receptionist than your firewall. I mean

[00:30:02] Evan Francen: it’s the same man,

[00:30:04] Brad Nigh: well you look at the incidents outside of like these the last couple big like the SolarWinds and Hafnium and say where there is a major technical flaw. I would say 90 plus percent, maybe 95 plus are you know, somebody clicking something or doing something. They shouldn’t, it’s, they’re targeting people. It’s and I don’t blame

[00:30:30] Evan Francen: Yes. Right. They’re

[00:30:32] Brad Nigh: not trained and they don’t understand it. Okay.

[00:30:36] Evan Francen: And let’s either that or it’s the fundamental stuff like, oh, I didn’t even know we had that system. I didn’t know we had RDP open to the internet. I didn’t know we had single factor authentication on our email.

[00:30:48] Brad Nigh: All that is open unencrypted to the internet.

[00:30:51] Evan Francen: Right? I mean it’s like those two things, right? The people thing and the basics thing. All the other blinky light things are all just just, you know, so much distraction. Uh Yeah, but we’ll keep preaching that man. So speaking of SolarWinds, you mentioned SolarWinds uh they made a motion to dismiss yesterday. I believe. Uh this is from The Register. So the, the title of the article is SolarWinds urges US judge to toss out crap infosec sueball. We got pwned by actual Russia. Give us a break. Company says it didn’t skimp on security before everything went wrong thing. We’re gonna have two sides of this, aren’t you? Who?

[00:31:42] Brad Nigh: Yeah, I don’t man,

[00:31:46] Evan Francen: Well here’s the thing, you know, a flaw regardless of whether you should have seen it or not a flaw and there are accidents too and there’s going to be interesting to see how all this gets argued out. But if your stuff purposely or an accident causes me harm. At what point do you like hold you accountable for the harm that you’ve caused me?

[00:32:17] Brad Nigh: Yeah, it’ll be, it’ll be interesting to see how this plays out because I mean mhm I’m not, I can see both sides. I don’t know. I’m not sure where to focus. Like how do you fault them for a nation state attack? We know that, that you can’t stop. Those are going to happen. We know that. But yeah, at the same time, like how do you recover as a client if you’ve been impacted And so this is, I don’t, I honestly don’t know. I think in the suit it sucks

[00:32:57] Evan Francen: just All right, well it’s important to stay. Yes. You know, keep one of the things that, that it seems like people do is they have a short memory span. So the SolarWinds thing happened and oh yeah, I remember something about that, you know, years down the road. Mhm. What I encourage people to do is things like this things that are impactful like SolarWinds continue to watch the story unfold. It’s not the end yet there’s a lot more to this, the because there’s also a case to be made that yes, this was a nation state attack, but SolarWinds, this was like your golden gold gold bucket of gold. This is your thing and they could have had you had it been, you know, done. They could have prevented it. Not now, I mean not them, but now,

[00:33:51] Brad Nigh: you know. Yeah. Well, and I mean it’s, this is what makes it so hard and why were, you know, being a CISO it’s, it’s kind of a, you know, sometimes it’s like a losing proposition. This was a never before seen attack. Right? So yes, could you have caught it? Absolutely. But would you have been, you never would have been looking for it right. It could have been caught if you had had stuff in the right place, but it doesn’t mean, Yeah, yeah, it’s, yeah, I want to go with everything sucks about this.

[00:34:32] Evan Francen: Well, so, and so this is the shareholders aggrieved shareholders. So this is not unlike the Target breach, you know, special litigation committee stuff that I was on. I’ll read more about it. Um, but correct Yes. It will be interesting because here’s the thing that happens over and over and over again. So, you know, as a matter of damage is done or accountability, SolarWinds their share price crashed, you know, from $24.93 to $14.95 shortly after the attack. Now it’s rebounded back to over $22 a share. So materially in tolerance, you know, are, you know, the value of the company or whatever didn’t really change

[00:35:27] Brad Nigh: well And you know what’s interesting is have we seen anything or heard anything towards Microsoft because they’ve had a string of really like Hafnium, PrintNightmare. You have PetitPotam, the NTLM relay attack. I mean those are as bad or worse.

[00:35:47] Evan Francen: That’s the crappy thing about all this is, you know, this big powerful tech companies, nobody can really hold them accountable. So you’re like, yeah, whatever you don’t like it. You know, I stopped using Windows. I can’t, everybody uses freaking Windows,

[00:36:06] Brad Nigh: right? And we already know people are struggling with that. Can you imagine throwing? I mean, there are some very user friendly versions, you know, Ubuntu. It’s probably the most well known. Right?

[00:36:22] Evan Francen: I mean you personally can go to something else, but if you’re

[00:36:27] Brad Nigh: an organization, Oh my gosh, that gives me like cold sweats. Thinking about it from the IT perspective trying to deal with that.

[00:36:36] Evan Francen: Right? And so even if you went to go to Linux or some other form, yes, I’m secure operating system. You still have to interact at some point with Windows because anybody that you’re talking to. I mean there’s going to be a document, you need to open up, you know, something

[00:36:54] Brad Nigh: companies that work all on Apple devices still have to do it. We’ve seen those, right? Doesn’t matter. You still have to interface at some point.

[00:37:06] Evan Francen: Yeah. So you know, I’m torn man because uh, I’m, I’m of the belief that I’ll just take my neighbor, right. If my neighbor created something I bought it and it hurt me or hurt my family. You know, there needs to be some reckoning, right? Rather than having my neighbor continued to sell that same thing to my other neighbors and it just caused me a bunch of harm. Should I step in and say, hey, uh, produced you just told me this thing and it just like burn my house down,

[00:37:42] Brad Nigh: make changes or he’s still saying that selling the same exact thing. Yeah.

[00:37:47] Evan Francen: And maybe you should pay for my house.

[00:37:50] Brad Nigh: You know what I mean? And that’s, that’s where it gets so tricky because uh, you know, do you, is there intent? Right? Or was it? And I mean we all know people make accidents, There’s bugs. There’s a, there’s a reason it’s there,

[00:38:08] Evan Francen: right. You know, I’m excited to see what the end of this is because there is, mm, we have swung for the longest time. We have swung way too far to the enable people to do reckless things and not hold them accountable for it and we’re all suffering. So the pendulum needs to swing back to, you know what? We are going to hold you accountable if you don’t do these things, these 5 10, basically whatever you need to start, if you’re not going to do these things, you are going to be held accountable and up until including, you know, jail time or something because people shouldn’t have to suffer anymore for things that we should be able to fix as an industry.

[00:38:51] Brad Nigh: Yeah, yeah, yeah. It’s gonna be tough because nobody’s gonna do anything unless you can prove negligence and that’s what is better. And they’re gonna, are you? Well, how do you? Yeah,

[00:39:07] Evan Francen: well, even the negligence piece, right? I mean, it’s a negligee, is it? Well, negligence is such a, you know, it’s the preponderance of evidence, right? It’s, you know, which way does the scale lean and uh is it reckless to not have an asset inventory?

[00:39:27] Brad Nigh: I uh Yeah, I would say so, but that doesn’t mean right right now, it’s tough.

[00:39:40] Evan Francen: Yes, Well, I sort of sometimes I sort of wish I was, I’d love to be in some of those conversations, be like, seriously, are you kidding

[00:39:50] Brad Nigh: me? Well, that’s why you would never be a lawyer because

[00:39:54] Evan Francen: I’d say that exactly get disbarred. Well, I started I’ve got and then we can go about our day because you know, I’m guessing everybody’s got a bunch of work to do. Uh SiliconANGLE, this is an article, it’s a bipartisan Senate report finds federal agencies continue to suffer cyber security shortcomings when I read this. I was like, no,

[00:40:16] Brad Nigh: what?

[00:40:18] Evan Francen: The federal government can’t secure their shit, I can’t believe it, you gotta be nuts. That’s true. Uh But here’s the thing, the report was released. What? Not that long ago, but it’s a follow up to an investigation and report that was done two years ago And it only includes eight federal agencies. I don’t know if you know how many federal agencies are. I don’t even know. I have no idea. I know the state of Minnesota has 87 to state agencies. I can only imagine how

[00:40:49] Brad Nigh: many. Well my question how many? Well the ones that were there? Those are pretty big. So I would assume that there’s a lot of agencies that fall under the purview of those major ones.

[00:41:03] Evan Francen: So of the eight only the Department of Homeland Security had managed to employ an effective cybersecurity regime in that time was a regime. It’s like I don’t like that word at all. I’ve never built a cybersecurity regime before built a program but not a not a regime. Uh The other seven agencies were found to still be lacking those agencies. Department of State. Yeah. Uh Department of Transportation, Housing and Urban Development, Agriculture, Health and Human Services. boy finally we haven’t had a law that we wrote in 1996 for that Education and Social Security Administration. So they’re all blacking now. I don’t know. I haven’t read this entire article so I don’t know all of the details. I will be reading it because I think it’s interesting.

[00:42:04] Brad Nigh: Yeah it was not good. The one thing I don’t like is on this article from some SiliconANGLE is. Yeah. The chief research officer identity platform provider of Veridium.

[00:42:18] Evan Francen: Right.

[00:42:19] Brad Nigh: Can and should adopt passwordless authentication. Gosh, guess what his company sells.

[00:42:26] Evan Francen: I yeah that stuff hit if this is me off so much because it’s like that’s the passwordless authentication is like that’s a little bit down the road brother. I mean what about roles and responsibilities? What about asset management? What about what the hell do you know?

[00:42:44] Brad Nigh: Well if you look at one of them shoot I just closed accidentally uh pull back up. It was the wrong window. Uh huh. Or is it Department of Transportation found 14,935 IT assets belonging to the department of which there was no record. How the hell are you gonna do passwordless if you have 15,000 devices you didn’t know about?

[00:43:12] Evan Francen: I know. Well that’s right. You remember Biden’s executive order right talking you know town and zero trust. Zero trust. Zero trust. Okay. You better understand what these 14,935 IT assets are you better put a system in place or a program in place to make sure that that doesn’t happen anymore or it happens a lot less often. Okay that’s a lot of IT assets they’re like which one do I want to attack?

[00:43:39] Brad Nigh: Yeah

[00:43:40] Evan Francen: because if you don’t if there’s no record of that that probably means it’s not some of those are not in your patch cycles. Some of those are not

[00:43:51] Brad Nigh: if you don’t know about you, Do you have any sort of patch management, you would have known about them. So I’m guessing those are do they have endpoint protection? I would say no if they don’t know about them, they’re not getting patched. Yeah. Mhm.

[00:44:08] Evan Francen: Well and the reason why this continues to happen is because there’s no accountability for it. Oh yeah, it sucked two years ago. It still sucks today,

[00:44:19] Brad Nigh: let’s be honest. It’s not just the government. I mean yes, this makes a big deal but we’ve seen that in private sector where they’re like we do a scan or like what about these things and they’re like what? Okay. It’s universal now it is scary from a governmental perspective because of what they have and do and just the nature of how they operate. But

[00:44:47] Evan Francen: yeah, I love that Pimp wasn’t Pimplaskar so Rajiv Pimplaskar from Veridium um says this is his, this is what was quoted as his advice right? There may be a God, I hope there was other advice along and they just picked this one but federal agencies can and should adopt passwordless authentication, utilizing phone as a token or FIDO2 security keys. Pimplaskar added such solutions reduce the attack surface of credentials that can be exploited in a data breach making an environment impervious to such attacks further such solutions also reduce friction enabling a better user experience. Okay. Yes, that’s like step 48 yeah,

[00:45:38] Brad Nigh: yeah.

[00:45:39] Evan Francen: You know, we stopped, you know, steps 1 to 47, which are gonna take probably five years, 10 years to get to.

[00:45:46] Brad Nigh: Right? I mean, is that a bad thing to to, you know, multi factor doing this? Is that a bad thing? Absolutely not. But do when it’s approved. Yeah. How are you going to implement, you know, passwordless authentication across the board when you don’t know what you have, like? Uh

[00:46:08] Evan Francen: Okay, I hear you. I’m 100% behind. I’m not yeah, I’m just this is this is the state of the union, right? This is what our industry looks like. It’s so much pimping products, so much pimping solution so that you can make more money.

[00:46:28] Brad Nigh: Easy button.

[00:46:29] Evan Francen: Yeah. And everybody’s gonna scramble the only ones who sleep with the other ones that I think have earned the right to sleep all at night and do for those who understood did the work? Did the fundamentals enjoy your good night’s sleep? Those of you who are, you know, just buying these easy buttons and throwing this stuff in, you know, enjoy the sleep now because you’re gonna lose it later.

[00:46:56] Brad Nigh: Yeah,

[00:46:59] Evan Francen: the chicken’s do come home to roost,

[00:47:01] Brad Nigh: yep.

[00:47:04] Evan Francen: All right, so that’s that uh I got nothing else Brad, getting shout outs.

[00:47:10] Brad Nigh: You know, I’m gonna give one to my wife, uh you know, just putting up with me, but also uh she’s gone through some sort of stuff as well, you know professional, but she’s uh looking like she’ll be a school nurse which is she’s so excited about and she’s gonna be amazing. So those kids will be lucky to have to and staff will be lucky to work with her.

[00:47:32] Evan Francen: Yeah. Yeah, she’s perfect for that man. Oh she’s got that, you know, calm motherly demeanor. I mean it’s awesome,

[00:47:43] Brad Nigh: nursing perspective, Nothing fazes her.

[00:47:46] Evan Francen: No, that’s cool. Well you don’t along those same lines. I’m going to give a shout out to my wife too because I asked you first, so then you’re like oh yeah I should do that because earlier this week I forgot you know uh my work as hard as we work, you know, we have to switch sometimes from work mode to personal mode and then back to work mode and personal mode, right? So we do this all day and there was a day I think it was Tuesday where I didn’t switch, so I was still in work mode and she was telling me about something and I was like so what do you want me to do about that? I was like oh I can’t believe I just said yeah shout out to her for putting up with that and giving me grace because yeah, I mean she could have kicked me right right between them. Yeah,

[00:48:43] Brad Nigh: as soon as you said that I’m like oh

[00:48:45] Evan Francen: yep, I deserved it too, but she didn’t, she showed me grace and and understood and she sets the uh huh she said to me and your wife is the same way as I’ve seen it. It uh they set the tone for how to love in the house, you know?

[00:49:04] Brad Nigh: Well, and I mean let’s be honest, they they’re the even hell dealing with article going from side to side keeping everything in track. So

[00:49:14] Evan Francen: Yeah, very true. Mhm. All right, well that’s that. Uh well, join us next week, we’ll have uh we’ll try to arrange getting some of these DEF CON superstars yourself included Brad in the show and talk about that stuff if you want to socialize with us. Don’t Well, okay, maybe I’m @EvanFrancen and Brad’s @BradNigh the companies we work FRSecure and SecurityStudio. You can find those @StudioSecurity if you’re on Twitter folks are @FRSecure, otherwise we’re on LinkedIn and everywhere else you can find us.

Today, state and local government Chief Information Security Officers (CISOs) are playing a game they can’t win. Government CISOs face many obstacles and are losing focus of their roles and responsibilities. So, how do we change the way we play the game? Evan and Brad attempt to answer this question in this week’s UNSECURITY episode. They also touch on Apple’s recent iOS 14.7 and 14.7.1 releases and advise listeners to get the update as soon as possible for their own good and safety.


Podcast Transcription:

[00:00:22] Evan Francen: All right, welcome listeners. It’s good to have you join us. Thanks for tuning in to this episode of the unsecurity podcast. This is episode 141. Yeah, Wow. I’ve done show notes in like last three weeks too busy.

[00:00:36] Brad Nigh: Yeah, I know it’s been crazy.

[00:00:40] Evan Francen: Uh well the date is July 29. It’s nothing I can’t I can’t believe already done with July man.

[00:00:48] Brad Nigh: I know,

[00:00:50] Evan Francen: thank you. Thank you. If you look back at the year, I mean, look at all the shit that happened this year so far,

[00:00:58] Brad Nigh: I think. Yeah, it’s just a blur last eight months yet SolarWinds, Hafnium, Kaseya, like now all the Microsoft stuff is going on. It’s been from a work perspective, just bananas

[00:01:15] Evan Francen: on the Colonial Pipeline. Right?

[00:01:17] Brad Nigh: That was the other big yeah, government coming out. Did you don’t know if you saw the cybersecurity requirements that are now are being required for utilities, which is a plus.

[00:01:30] Evan Francen: It’s a plus. But the one thing that we get wrong tonight and this will lead to somewhat, we’re going to talk about today because we’ve got really two topics today. One is uh CISOs so often and too often I think are set up and again that they can’t win. They just can’t wait. Mhm. When you look at it from, you know, an objective perspective uh and that’s one of the benefits of being, you know, kind of an outsider is is a former CISO myself and you know, virtual CISO many times you as well. Ah and being a consultant, I’m not in the day to day, like, like a lot of them are. And yeah, it just dawned on me last in the last few weeks, like I was talking to the CISO in Washington, Washington state’s CISO, the nod unbelievable. I mean, there’s not enough good things I could say about him, you know, just in our conversations that we’ve had, but he set up to fail.

[00:02:37] Brad Nigh: I mean, well, realistically it’s not just security, it’s IT too. Like if you think about it, like, well, I know coming up through the ranks, it was always, why isn’t it working? What’s wrong? Or everything is working, what are you guys doing? It’s always a cost center. It’s always, well, not always, but the vast majority of the time.

[00:03:05] Evan Francen: Yeah, totally, man. And I know, you know, this isn’t news to people that CISOs have a difficult position, but what I’m saying is I think the new kind of spin on it is you’re set up to fail. I mean, it’s like it’s a game you cannot win.

[00:03:26] Brad Nigh: Well, yeah, it’s not a matter of if, it’s when, so you’re always, you know, it’s coming at some point.

[00:03:33] Evan Francen: Well, right, and that’s the game. I mean, that’s the game, right? So if we define the game, if my job is to facilitate information security here, right? Or I like to use the simple, and I wish people would take note, and that’s more because so far I haven’t had anybody disagree necessarily: simplify the CISO role, right? Simplify the job. Two jobs, that’s it. You consult the business on information security risks so that they’ll make good risk decisions, and then you implement those risk decisions to the best of your ability. That’s it.

[00:04:14] Brad Nigh: So funny enough you say that, because yesterday, as a matter of fact, one of our incident response, you know, they had an incident and the IT and security was like, I need help, what do I tell them to get MFA enabled? Right? And they finally see, okay, yeah, we should do this. So how do I present that? And basically, you know, I was like, well, what is the organizational risk tolerance? Because without knowing that, I don’t know how to approach it. And he was like, basically like, they were like, and so I was like, okay, here’s what I would do, and we talked through all the options about what they would do. So I said, here’s your bare minimum: if nothing else, you have to have MFA on VPN, every external facing application, and, you know, all the settings. Then go present it with three options, then your recommendation, saying, hey, look, this is the best practice, what we should be doing, and then give them a heavy handed one of, like, absolutely lock down, right. You know, because at a minimum you’re gonna win in terms of, hey, we’re gonna, you know, eliminate 90% of the risk by doing this external piece, right? Yeah, maybe you’re not internal, but let them make that decision, give them those options, let them decide, and implement what they are. It’s not your responsibility. And you could just, it wasn’t video, but I could see the realization, that light bulb, in his voice, right? Oh wait, I don’t have to.

[00:06:15] Evan Francen: And so that’s the game, right? So the game, and the ultimate game, is risk management. Right? Right. That is the game. So then within that realm of risk management, you know, obviously I need to assess risk. I need to make or facilitate these good risk decisions. So there’s the game itself, which is risk management, and then there’s the roles of the people who play the game with you. Right now, if you’re playing the game by yourself as a CISO, you know, forget about it. You can’t win that game because you’re playing roles that you’re not supposed to play and/or you’re playing roles that are just missing, right? There’s nobody there to play the game with you. Yeah. So if you look at, like, this, I mean, numerous conversations this week, so I’m just using the one conversation with, uh, you know, the State of Washington. But I mean, I could use the same thing with the State of New Jersey. Both of these guys, what I don’t want anybody to ever think is that these are not good, highly skilled CISOs that are in the right position. They’re the right people for the job. They’re amazing people. I would never take their job because I don’t like to lose; they take the job because they are amazing public servants. And I had actually asked Vinod, you know, he’s running at 40% capacity right now. You know, that’s a staffing level. He’s fighting battles, not really fighting battles, but trying to do, you know, all the security stuff. You know, when you look at all the things in a state that you need to secure, some states are different than other states.

[00:07:58] Brad Nigh: I mean, I’m with you that, uh, hats off to those guys, because yeah.

[00:08:06] Evan Francen: When I asked him straight out, I’m like, why are you doing this, man? You can’t win this game. He’s like, because I’m a public servant. I’m like, oh man, you’re the kind of CISO that I would work for. You are, and, uh, you know, Mike Geraghty out in New Jersey. But I think the thing that we can do to help is a couple of things. Um, so if the game is risk management and my job is to make risk recommendations, right? Give the people who are responsible for making the risk decisions good information so they can make good risk decisions. That’s job one. Then job two is to implement those risk decisions to the best of my ability. The problem is, take our backyard. I know our state probably better than any other because it’s my backyard. So there are 80, 90 different government agencies. You have 87 counties. Not be responsible for securing 87 counties, but they are within the state. There is such a close integration.

[00:09:14] Brad Nigh: Yeah, it impacts, right? It’s the same as a business unit.

[00:09:18] Evan Francen: Right? Realistically then you’ve got state, and then you’ve got cities and municipalities, and then you get departments, and all these things, right? So you sit up here as the CISO for the state and you’ve got a, you can’t say it’s a staffing issue. What I think it is, is it’s a distributed accountability issue.

[00:09:42] Brad Nigh: Well, yeah, I think, yeah, roles, responsibilities, and understanding who and where and what, and that’s not well defined, and that’s not just a state or public issue either, by any means.

[00:10:00] Evan Francen: No. And that’s the reason why I’m bringing that up, because that’s where I’ve been working so much in the last, you know, six months, is we figured out these issues with state and local government.

[00:10:09] Brad Nigh: Well, it’s also easy for everyone to understand, right? It’s a concept that I think everybody gets, versus, you know, in the private sector it can get a little bit more muddied in terms of terminology and phrasing and all that. So it’s a good example. Yeah.

[00:10:28] Evan Francen: Well, and I brought this up, so I had a discussion earlier this week, I think it was Tuesday maybe, with Tony Sager, you know, he’s Senior Vice President, Chief Evangelist, whatever, at CIS. Mhm. And so we were talking about, you know, things that we can do better together. CIS is in it for the right reasons. You know, they’re trying to help as well. They run the MS-ISAC and also the stuff, and we were talking about this very same thing. I think he’s only working two states right now. So I think, you know, we’ve been working with a little bit more states, just from different angles, but I was telling him how this distributed accountability, and that distributed accountability came from the discussion I had with Jim O’Connor at Cargill. Uh, I was like, what’s your biggest challenge? You know, you sit in kind of the pinnacle of CISO jobs, right? Almost. Uh, what’s the biggest challenge? He said accountability. And so then we got to thinking, you know, and then we whiteboarded it for a long time and then came out with this, the construct of distributed accountability, and I think this is how it works and this is how we need to deploy it, you know, because you can’t possibly secure Cargill, you know, without something like this. People have to play their roles. And so I took that, you know, security, security, I think we get ourselves wrapped around the axle so much. Like security at home is the same as security at Cargill. It’s just at a different scale with a lot more stuff to it. Right,

[00:12:14] Brad Nigh: right. Well, I mean, kind of a good segue there is, I did a webinar yesterday on old school and why it still works, like the fundamentals, and it’s the same thing. Like you said, this is nothing new. You have to have asset management, you have to have good backups and a good process for it. You have to have a good incident response plan and test it, you know. And then, you know, one of the questions was, what do you think machine learning and AI will do, uh, for the fundamentals? I was like, you know, will it make life easier in terms of parsing logs and those types of things? Yeah, most likely. I mean, it can do it much faster than humans, but at the end of the day we’re still programmed by a person. There’s going to be a bias, we’ve talked about that. There’s gonna be bugs, we see that. So if you’re thinking, hey, I’m gonna put in machine learning and AI and problem solved, you are sorely mistaken,

[00:13:17] Evan Francen: right? I wish people would listen more, because you would find yourself in a much better position right now had you been listening. I mean, the sooner you start to listen, the sooner you start to do these things, the fundamentals, the better off your life is going to be, sooner, and think about your successor, the person who comes into the position after you; the better off their job, their life is going to be, right? You know, and we get wrapped, uh, and so even beyond, you know, and that’s one of the things that really, you know, the traditional approach to information security was you had kind of an autocratic approach, right? You had a CISO who would say these are the rules for the company, right? And thou shalt, whatever, what have you. Right. And so instead, the right way to do it is distribute accountability and autonomy, right? So, uh, I had, it’s funny how all these discussions sort of come together. Like I had a discussion with Cornell University on, I think, Tuesday as well. And, uh, then I’m like, help me understand how Cornell works. You know, I’m not going to give you advice on how to make things better because I don’t even know how you do stuff.

[00:14:44] Brad Nigh: So isn’t it funny how companies, and not to derail you, but how many companies go, I need, how do I do this? And you’re like, uh, I don’t know. It depends.

[00:14:56] Evan Francen: Yeah. They

[00:14:57] Brad Nigh: just expect you to be able to give them, almost like, you know, that easy button.

[00:15:03] Evan Francen: Well, that’s been a barrier, you know, in talking to state CISOs too. I think a lot of times if they really knew what we’re trying to do, I think more of them would accept the phone call, but it’s not good that they haven’t, because my hands are really, really full right now with, you know, the five I’m actively working with. But you know, when they realize that I’m not trying to sell you anything, I’m trying to solve a problem. Like in Washington, you have 40% capacity, you’re trying to do the impossible. Maybe there’s a way we can change the way we play the game to put you in a better position to win. Same thing with Cornell, you know? So it was explained to me how the school works and I was like, wow, that’s pretty fascinating. It’s an amazing school. You know, you’ve got research faculty, right? And you’ve got PhDs there, and it’s an R1 research, I think that’s what we call it, an R1 research university, which means, right? That wins, right? Even over the undergraduate stuff, right? It’s the research

[00:16:18] Brad Nigh: top tier, right?

[00:16:20] Evan Francen: Millions and millions, maybe billions of dollars of research money, you know, going to really cool things, and you cannot get in the way of that stuff. And so, you know, as I was talking to this guy at Cornell, I was like, you know, this stuff, it translates so much to what we’re trying to do at states too, you know what I mean? Yeah. And so the parallels are, like, nuts, man. So for instance, you are complaining, you know, he was complaining, you’re complaining about the fact that you can’t get these research faculty to do the things that you think they should do. Well, how about if you gave them the autonomy to decide for themselves what they want to do and how they want to do it, and you just account for that risk in the overall picture of things, right? So, and you don’t force it, right? You say, I’m going to let, I mean, who wouldn’t like this in terms of, like, faculty? Like, I’m gonna put you in control. I’m gonna let you call the shots, and now you tell me how you do security, how you want to do security here, no judgment. We’re going to risk rate it, you know, and we’ll put things into context, we’ll put, you know, the scoreboard of, whatever, this is where everything scores, and then let the provost or the Board of Regents or whoever is ultimately responsible, let them ask those, you know, ask those questions.

[00:17:48] Brad Nigh: Yeah. Well, I mean, it was so funny to hear you. I mean, it’s the same in a community college, right? And not to, I don’t want to sound dismissive, but regular colleges and universities, not only those top tier ones, but it’s the exact same thing. It’s the same arguments, and it’s always my advice, always: just don’t be the no man, right? Yes, but, you

[00:18:18] Evan Francen: let them, I don’t even make the decision. I’m not “yes, but”, I’m like, here, do an assessment. And the reason why I want you to do this assessment is because it translates into everything else, right? It’s the same language

[00:18:33] Brad Nigh: I like that

[00:18:34] Evan Francen: rather than you speaking German and me speaking Spanish, let’s just speak the same language. You do your assessment and then you’re going to do your own roadmap. I’m not gonna tell you what to do. You make your own risk decisions. You’re an autonomous piece of this bigger thing.

[00:18:52] Brad Nigh: And so at that point the CISO is just there as an advisor, right? If they have questions they can come to them, that type of thing.

[00:19:00] Evan Francen: Job number one, right? My job number one is to give you the best information to make the best risk decisions, and then you will make, you will make so many risk decisions that I would disagree with if I were in your same shoes. But that’s why I’m a CISO and that’s why you’re the department head or whatever you do. Because, you know, take this, another example. I was talking to somebody, oh, the same guy, the Cornell guy. He was like, SNMP version 2, right, turning it off on printers and blah blah blah. And I was like, you know how that affects your part of the world, but you don’t know how it affects, because you think printing is, like, not a big deal because you don’t print much. But what about the research people? Yeah, maybe this is a really, really big deal and you can’t turn off SNMP version 2, and SNMP version 3 isn’t available on their printer. So

[00:19:57] Brad Nigh: you’re breaking. Yeah. You know, that’s really interesting. Like, I’m thinking as you’re talking, I’m thinking back to, you know, all my past experiences, and yeah, I mean, to some extent, not nearly that level, but yeah, it makes sense. I think it’s that next level up from that “yes, but”. Right now

[00:20:19] Evan Francen: it’s like hey

[00:20:21] Brad Nigh: sure you can do that, but here are the risks of it and here are some options. You make the decision, right? It’s taking that piece off of your plate as a CISO and giving it to the business unit or whoever. It’s interesting.

[00:20:42] Evan Francen: Yeah, and then that way I’m now more of an ally, a consultant to you. I facilitate your risk decisions. If you have questions, yeah, I’m here to answer those questions. If you want my opinion from a security perspective, I can give you those opinions. But at the end of the day you make the risk decision for your research department, not me. You wouldn’t let me anyway, right? I mean, even if I tried my hardest to, like, no, you must do this, I always lose that game because you have the money. I don’t. Right?

[00:21:15] Brad Nigh: So in that model, their responsibility would be to conduct that risk assessment, make those decisions, and then report that up to the CISO so that they can take that into account.

[00:21:29] Evan Francen: Well, exactly. So, yeah, so I can put this into context, because who I report to will be the provost or the Board of Regents or, you know, in a company, the CEO. So I’m going to take all this information so that the CEO can make their good risk decisions as well. And they might see that your department, your research department, is glaring red. That’s fine. And, uh, then the president or the CEO or the provost or the Board of Regents will ask me, why is that one red? I will tell you, and I will tell you because that research department makes their risk decisions as an autonomous, within the bigger picture, an autonomous entity. One of the things we cannot do from a security perspective is get in the way of their mission. Yeah. So these are the risk decisions that they made. We support them. I can’t not support risk decisions you make. It’s not my risk tolerance. So I may be like, I would never accept those risks, but I don’t live there. It’s not my risk, not my house. Right?

[00:22:37] Brad Nigh: As long as you’ve accounted for it in the overall picture, right? Like, I think, yeah, that’s where you would put in, you know, maybe some pretty significant network segmentation, some ACLs, really restrict access in and out of that department. Within that pod, it’s a free for all.

[00:22:57] Evan Francen: Or maybe it’s so risky that we just set them up as a completely different entity within this bigger entity. Yeah. You know, and so, but now I can have this decision, I can have this discussion with the provost or the board or whoever, because they can ask, why is this one red? That’s a great discussion. Yeah, that’s a discussion we would plan. That’s a discussion we would never have before, right? So now I’m giving them better information to make their good risk decisions. I’m allowing, I mean, I’m like the good guy in all this, right? I’m facilitating, I’m moving pieces around, rather than me being the person who is trying to do all these risk assessments myself, or do a big risk assessment and then force a whole bunch of controls that won’t work anyway. Yeah. Here I can put controls in place that you said you wanted to have in place. You’re probably less likely to bypass them as well.

[00:23:55] Brad Nigh: Yeah. Right. Yeah.

[00:23:58] Evan Francen: So that’s what I’m trying to figure out with these guys.

[00:24:00] Brad Nigh: Would you set any sort of minimum, like around, hey, you got to have passwords that expire and no shared accounts? Would you set that, or would you just say, mhm.

[00:24:15] Evan Francen: Because I think what I would wait to do is I would like to see what risk decisions they are going to make, to see if they make those decisions themselves. So, you know, if you have this department and they’re like, yeah, we don’t even want passwords, blah blah blah. That’s usually a place where, there, okay, I get it. Life without passwords would be amazing, trust me. However, these are the reasons why I would suggest that you don’t do that. If you’re still going to make that risk decision, feel free. What we’re probably gonna end up doing is locking you out of everything over here. Yeah. Uh

[00:24:52] Brad Nigh: Yeah,

[00:24:53] Evan Francen: but in that conversation with the board and the provost or whoever, I would probably come with a list of, hey, here are 10, yeah, 15, 20 controls that I think we should implement university wide, and this is why, but I need your backing.

[00:25:08] Brad Nigh: Well, you know, thinking about it, really, this is fun. Uh, you don’t want passwords? Great. We know there are software and solutions out there. We see it in health care where it’s a badge, it’s an ID, you swipe it. It’s like a USB connector that connects it. All right, great. You don’t want to, here’s what you can, here’s your option, hard password, just spend the money on this. Yeah, that would be kind of a, right. It’s interesting. Yeah.

[00:25:41] Evan Francen: Yeah. I think it’s your own way, do it. Well, and then you take that same thing to the State of Washington. Put a construct in place where you define what are sort of my administrative units, or you call them organizational units, or you call them entities, whatever you wanna call them. And I think there are, you know, just like we went with SecurityStudio, there are three different types of entities: administrative entities, physical entities, and technical entities. Right. And so figure out where all those things fit in the big picture of things. Like if you have a department that basically has their own policies, their own security, their own everything, well, that’s an administrative, physical, and technical entity. That’s its own entity. But I still need to know from my level the things that they’re doing and account for it in my overall risk posture. Yeah. And then you have something that just has ghost IT. They use our policies, you know what I mean? Okay, great. Have ghost IT. I’m not going to tell you not to, I’m not going to tell you how to run your business. But what I do need to know is what security risks that ghost IT brings into the bigger picture of things, right? Right. Because maybe I need to segment them too, and you’ll have to pay for it because it’s your ghost IT.

[00:27:04] Brad Nigh: Yeah, it’s almost, uh, hey, here’s the business’s minimum if you’re going to have it, so if you’re gonna stray outside of that, well, you’re gonna get cut out.

[00:27:15] Evan Francen: Yeah. Yeah. All right. So I think that’s one of the ways we can try to change the game that we’re playing, because the way you’re playing today, the way most CISOs are playing the game today, they’re not going to win. Yeah. You know, and who suffers for it? You know, a lot of people will say, oh, the poor CISO, well, actually it’s the poor people that trusted their information with the organization. That’s who ultimately suffers, right? You know, take the State of Minnesota. That ain’t the CISO’s information, right? That’s mine, it’s yours. That’s, you know, and I think that’s the next place you go when you talk about this distributed accountability: once you get your feet under you on this piece, well, then why wouldn’t you go to the next level? Why wouldn’t you go to, hey, Brad, these are your responsibilities with information security, your house, your responsibility, the technology you put in your house, your responsibility, how you secure it, the rules, all that stuff. And the reason why that’s important is because your city, your city’s security or great security has an impact on everybody else’s as long as we keep connecting people. Because I know you have a lot of people say, well, what about the privacy issues? You gave that crap up, right. If you want to get that back, then you can try to claw that back. But you have no privacy. I don’t know why you think you do. Uh huh. You know, maybe there’s some privacy, like the day to day things I’m doing on my computer. But in terms of my social security number, in terms of, you know, my identity information, that’s gone. So

[00:28:57] Brad Nigh: on that, is there, how do you ensure they’re even doing what they say they’re doing? Would that be part of that job, is then to do an annual audit, right? Almost, okay, you say you’re doing these things. I need to see that you’re doing those things.

[00:29:15] Evan Francen: Yeah. I think there’s certain baseline information things that you need to make, you need to be sure that they actually do what they say they’re doing, or they understand what you’re asking, right. A lot of times we’ll ask them, but this or that, and they’ll say yes. And it’s not an outright lie. They just didn’t understand what the hell we were saying.

[00:29:35] Brad Nigh: Yeah. You know.

[00:29:38] Evan Francen: Yeah. So I think asking for that evidence to just validate those things. There are also certain places within, you know, the bigger entity that are more impactful than others, right? Take, like, the State of Minnesota: the Department of Revenue is probably a really big important thing versus the department of, I don’t know, leave, it’s four weeks or whatever. I don’t know what dynamic. Yeah. Yeah. So, you know, I would probably put a little more scrutiny and even to the point of maybe a third party validation. But I wouldn’t make that call either. I would have the governor make that call. I would have the legislature make that call. You know, legislature, here’s your scorecard. This is what security looks like in the State of Minnesota today. Uh, you know, the first time I navigate it, it might be disappointing, but here are the places we’re working to try to shore this thing up. Uh, and then you’ll get to the, and then you’ll have those discussions, because you have to start with these discussions. They’re just not happening. None of them.

[00:30:47] Brad Nigh: Oh, no. I mean, again, it’s like, you know, we talk about security isn’t an IT issue, but they are so tightly tied together, and especially from how most organizations view them, you know. So, yeah, it’s what we gotta do.

[00:31:08] Evan Francen: I think so, and I mean, at least it’s worth a try and everybody’s invited to play, and I was talking with, you know, like I said, I was talking with CIS. He’s like, oh, distributed accountability, I like that. Like, I think, you know, let’s work together. I don’t, you know, it seems like a very logical way to play this game, or to redefine the game to put us in a position, a better position to win.

[00:31:36] Brad Nigh: Yeah. So it’s interesting. Yeah, it’s kind of like, because it’s taking that how we’ve been saying to do it and kind of, yeah, yes, breading that. Wow, interesting.

[00:31:50] Evan Francen: Yeah. And it’s ironic too, you know, because I’m a faithful man, and you look at, like, SecurityStudio and how we built the sub-entities, and I’m like, damn, it all makes sense now. There’s a lot of times, you know, as an ADD person, you know, you create things and even way back, subconsciously, you’re thinking this other thing. And then when that other thing in the subconscious comes to the conscious, like, oh yeah, we built this

[00:32:17] Brad Nigh: what was, you know, of course, just because of how I’m wired, I just seem like running through all these scenarios. It’s interesting, because I just, um, one of my vCISO, earlier this month, I don’t, like you said, I don’t know what day it is, um, they’re international and I was talking to him about sub-entities and I was like, oh, so we could have a Europe, we could have an Asia, we could have, I was like, yeah, and then how they run it. Yeah, we can put in, okay, we know that IT is gonna be the same across the board, that’s just how it works or whatever it is, but then they can put in what’s relevant for them and we can see and break it down, and then you have an overall organizational international level and, you know, the Americas, the Europe, all these different, and so it kind of aligns very closely with what you were saying. It wasn’t, I don’t think I had taken it to the level of it’s up to them, but it was very much in that thought of, okay, let’s find out where they’re at. Yeah.

[00:33:32] Evan Francen: Yeah. Well, because, uh, and I think it almost has to be up to them, because I don’t know what it’s like to sit in your chair. I don’t know, you know, all the intricacies that go into, let’s say, a marketing department or the research faculty, whatever department there. I don’t know what things you actually need, and it would take me, I don’t think I could ever understand it, you know, intimately enough to make good risk decisions for you, right? But I can take that stuff up to executive management so that now they’re like, oh, okay, this is what security looks like here. I don’t like these three reds. Okay, well, let’s go talk to these people with the three reds and figure out ways that we can either make them orange or gray or blue, or maybe we treat those reds as, like, okay, you’re over here, then we’re just gonna block you out of everything else. Yeah. So when it hits the fan in your department, it doesn’t affect everybody else.

[00:34:36] Brad Nigh: I mean, you know, exactly that. Hey, you need to do these things or we’re isolating you, and your call, whatever you want to do. I don’t care. I’m gonna protect the organization at the end of the day.

[00:34:54] Evan Francen: And even isolating you isn’t necessarily a bad thing either, right? I mean, you may enjoy being isolated because you get your own playground, you own this domain. Ah, that’s a good thing too, not, you know, we’ll get you your own mail server. You get, you know, you get to do your own.

[00:35:13] Brad Nigh: Yeah, you’re completely segmented on your own. Yeah, interesting.

[00:35:19] Evan Francen: You can have your own IT department. I mean, you can do whatever you want to do, but we just have to account for this in, you know, the grander scheme of things. And this is where we’re going. So right now I’m working with Minnesota, Iowa, New Jersey actively on this type of strategy, you know, trying to put them into a position where, you know, they can win. And then we’ll take those case studies as we continue to make good progress. Damn places. Yeah,

[00:35:53] Brad Nigh: I mean, I love the concept. It makes so much sense. It will be interesting to see how that actually plays out, because it is a fairly fundamental shift in a lot of how the majority of people think,

[00:36:13] Evan Francen: yeah, and it gets them into the game too, right? Because we all know that whether you believe it or not, you’re part of the game. You can’t not be part of this game. So what role do you play in this game? And I think we’ve played the game, we’ve gone so far down the game without ever defining what the rules for the game actually are. Oh yeah, no, we definitely, now we’re backing up, going like, oh shit, how do we play this?

[00:36:39] Brad Nigh: Right? Yeah, there’s a lot of, uh, winging it,

[00:36:43] Evan Francen: right,

[00:36:44] Brad Nigh: making it up as you go,

[00:36:46] Evan Francen: well, and the sad thing, you know, we’ve adopted technology way faster than our ability to secure it, and certainly faster than our ability to be responsible with it, and people will just continue to be victims until they sort of step up and realize, like, oh shit, okay, these are the consequences potentially of me choosing this over that. And it’s a long road to hoe, but the way we do that is, I think, by empowering them, trying to figure out what language they speak, what motivates them. You know, you take the research facility: what motivates them is the research, not security. They could give two craps about security. Right? Right. So you have to put it into context of, like, how a lack of security could potentially negatively impact your research.

[00:37:34] Brad Nigh: Yeah. Yeah. You can do those things. It’s similar, I mean, it is similar. Hey, that’s fine. That’s just your decision. Just be aware this could happen,

[00:37:47] Evan Francen: right? And there will be no “I told you so”, there will be no, you know, “don’t come crawling back to me” kind of attitude. These are the risk decisions that you made. I support them. Ask me if I agree with them, I’m not in a position to do that. I don’t know what it’s like to run a research facility, a research department.

[00:38:10] Brad Nigh: Right? Like you said. Is it something that I would choose? Probably not, but

[00:38:18] Evan Francen: I don’t run a research department either. Thank God because I’d suck at that. Yeah. Uh huh. So we’ll keep pushing on that I think you know, because I hate seeing see so I hate seeing anybody lose. Especially when you don’t even know the game they’re playing. You know. Uh

[00:38:37] Brad Nigh: Well it’s because yeah, we’re playing this game where there’s making up rules as we go, but we don’t know what winning looks like. But we sure as hell know what losing is like there’s no question when you lose, but you know your what? Trying to go upstream all the time. You don’t Yeah, interesting. Uh

[00:39:02] Evan Francen: huh. And I think it would also, you know, solve some of the talent shortage issues, right? So we say talent, you know, we have this talent shortage issue and I think a lot of times because we’re trying to do everything for everybody. I’m trying to make your risk decisions for you. I’m trying to implement this new technology, but you may or may not want, which may or may not be effective, which, you know what I mean? It’s just all this stuff and it’s like, why don’t you get in that game?

[00:39:29] Brad Nigh: You know, that’s it man. It’s still going back to the conversation yesterday. It was, you know, the organization was like until they had this email compromise. And then they’re like, yeah, we need to do a multi factor and okay, great. That. And so I mean that’s exactly what you’re just talking about. Like, okay, oh, you’re ready to do this awesome. Here are your choices,

[00:39:53] Evan Francen: right? Yeah. And, and sometimes because sometimes they’ll bring it up to there will be like, welcome. You never told us. It’s like we did, we did there was this assessment, you made these risk decisions, I was available to coach you and every step of the process. Yeah. You just made a poor decision in this instance. That’s not a bad. You know, it’s not don’t beat yourself up and don’t beat me up. Yeah. What’s our path forward?

[00:40:19] Brad Nigh: Well, yeah, everybody, I mean, everybody makes mistakes, right? It happens. Maybe. Like you said, you made this decision, not understanding what could happen from it.

[00:40:34] Evan Francen: Right. Well, how often do we how often do we grow through pain?

[00:40:38] Brad Nigh: Right. You learn from your mistakes,

[00:40:41] Evan Francen: right? In the long term, it’s actually good for you to have a little bit of pain because now, you know what it feels like, right? That’s good. It’s like almost like a parent, right? You see your child, you’re like, don’t ride your bike that way. Don’t ride your bike that way you’re gonna you’re gonna crash. It’s gonna hurt well again. And then they crash and they hurt, right. Okay. You’re not probably not gonna ride your bike that way again. Right. That’s good. I’m not I’m not mad at you unless it’s going to cost me thousands of dollars in doctor’s bills again.

[00:41:09] Brad Nigh: But Yeah. Right. Mhm.

[00:41:13] Evan Francen: All right. Well, good. I like that. I like that. You know, you and I was the first time we talked about it and I think, you know, you’re somebody that I uh I respect. And so, you know, getting that validation, I think certainly helps. Yeah, I’m gonna keep pushing this hard.

[00:41:31] Brad Nigh: It’s definitely in line with how I would approach it. Maybe it’s really interesting think of it. Yeah, I’m interested to see uh if it works right? I would hope so.

[00:41:46] Evan Francen: Well logically I don’t I don’t know any other way to make this. Well, you know, we can’t just keep buying something

[00:41:54] Brad Nigh: has to change, right? Like we’re playing a losing game where we don’t know the rules. Okay, well let’s change how we’re doing it. Why keep banging our head against the wall?

[00:42:04] Evan Francen: Exactly, yep, I’m with it. All right, so the next thing I’ve got Apple had an update. You don’t use Apple devices? I do.

[00:42:12] Brad Nigh: Uh No I I do I am uh iPad

[00:42:15] Evan Francen: and iPad. Okay

[00:42:17] Brad Nigh: And kids all have one.

[00:42:19] Evan Francen: Okay. Yeah, so it’s this is a big deal. Uh And it’s sort of so I actually I’m you know, I’m weird, I’m a security guy so I knew that the 14.7.1 was coming out for the iOS and the iPadOS uh prior to it actually coming out and so I had actually installed it before my systems prompted me to uh there’s some stress. Uh

[00:42:46] Brad Nigh: Yeah,

[00:42:47] Evan Francen: there was some serious security patches in this release. If you haven’t updated, go update. Now. If you don’t know how to update settings, go to settings. General security update, tap, download and install. Do it, trust me you’ll be happy you did it.

[00:43:04] Brad Nigh: Yeah, I have it you can set it to automatically update to without asking if I’m remembering correctly,

[00:43:12] Evan Francen: sort of it’ll download. It’ll still prompt you to like hey do you want to? Yeah. Uh

[00:43:21] Brad Nigh: Really? I don’t use it nearly as much as.

[00:43:23] Evan Francen: Yeah. Right well yeah so there’s two options you know I cannot feel see it on my phone but download iOS updates and install iOS updates so you could do both but you’re still yeah

[00:43:37] Brad Nigh: okay because I was thinking pretty sure I set the kids too automatically your Yeah yeah the installed because Oh why wouldn’t you like not again not that they wouldn’t they just don’t know or understand what the the risk is.

[00:43:57] Evan Francen: Right well it’s kidding little bit. Well it’s not getting it’s always been crazy but uh because after you Depending on how many applications you run on your iPhone or iPad you know you’re constantly updating those. Oh my gosh it’s every day I’ve got 20 or some you know but I run a lot of stuff. Yeah I got like 20 updates to apply various applications every single day.

[00:44:26] Brad Nigh: Yeah I have like yeah I use it for a different reason than you. I use it more for like entertainment kind of down time. But yeah it’s 5-10 every day.

[00:44:38] Evan Francen: It’s nuts. So in that release so there are release notes like like Apple always releases but there’s uh some of the issues are really really important. Attorney including you know kernel extension uh stuff. The ability to run code on your iPhone, iPad without any interaction by you at all. Ah Especially that IOMobileFrameBuffer. Uh which is it manages the screen buffer can execute arbitrary code with kernel privileges and it’s already being exploited.

[00:45:19] Brad Nigh: What’s interesting. What the one I mean there’s a lot of it in there and it’s all I’ll say this I don’t necessarily agree with everything that they do, why I was I think their release notes and what they include are really probably some of the best. Uh But the one thing that I think was the most interesting to me was that how fast they fixed the um zero click attack that was being or well that people believe was used for that the Pegasus power like holy cow. That’s absurd how fast they turned that around.

[00:46:05] Evan Francen: Right. Well yeah yeah what’s protecting the integrity of their ecosystem. Right. The apple ecosystem.

[00:46:12] Brad Nigh: But I mean think about how long it took Microsoft and I have to look do they even fix PrintNightmare at this point or is it still a workaround? Because they tried to push out the patch didn’t work, it puts up another one that didn’t work.

[00:46:28] Evan Francen: I’ve become more and more anti Microsoft as each day goes on.

[00:46:34] Brad Nigh: It’s funny I uh so totally off topic that sort of in line with it. I set up my personal laptop, I pulled it out of storage because I I honestly hadn’t done anything with it since we moved so three years upgraded a couple of things but did I put I have a Microsoft license, did I put that on. No my basil s on that actually I just put on Kali because that’s what I’m familiar with and then, yeah, I’ve got virtual machines and everything running, but you know, I’m like, no, I don’t really need it.

[00:47:12] Evan Francen: No, no. Yeah. And the weird thing is too, is, I think a lot of many users don’t realize that Apple had just released an iOS update 14.7 about a week ago. So this is, if you, if you’re thinking, well I already updated probably, you know, Go Check again. You probably have a 14.7.1 update.

[00:47:34] Brad Nigh: The 14.7.1 came out a few days ago. Right? 27.

[00:47:38] Evan Francen: Yeah, Yeah. And uh, it’s crazy how many like 14.7 it’s a pretty good security updates to it. 14.7.1 is more. Yeah. If you’re, if you’re using an Apple, just go, go check it again, go check it and help. Yeah, an update simple. Uh there are those security updates certainly have. Yeah, certainly worth it. That’s all I have for today, man. You got, you got any shout outs for anybody. Uh huh

[00:48:17] Brad Nigh: Gosh, so many uh, just everybody I would say just everybody that’s been supportive of me. Uh just the last few months, six months, whatever because everything, you know, just have it knowing I’ve got people that, that I can trust and lean on and you have support. It’s been phenomenal to so have that and luckily like we were talking about before the show, it seems like things finally kind of turned the corner.

[00:48:51] Evan Francen: I don’t knocking on wood right now, brother.

[00:48:54] Brad Nigh: I know it’s gonna say I don’t want to jinx it. So, but yeah, thank you to everybody that has listened to me so kind of vent. It’s been, yeah, that’s what’s kept me sane to be honest.

[00:49:06] Evan Francen: Well, you went through some tough times, man and, and, and a lot of people don’t, you know, we don’t share a lot of the personal details on, you know, for your own benefit and mine and whatever, But yeah, right, You’ve got a rough road the last nine months man.

[00:49:22] Brad Nigh: Any time your kids have significant medical problems, it’s, it’s tough and yeah, like they’re talking about and I had the medical issue in November we talked about and I was, yeah, so luckily knock on, like you said, fake wood things are turning the corner and just they get everybody that helped me through it.

[00:49:41] Evan Francen: Yeah, that’s cool man. Yeah, I’ll give a shout out to, I don’t know, Gosh, I hate to do it because he pisses me off so much, but I’m gonna give a shout out to Kevin.

[00:49:52] Brad Nigh: Oh,

[00:49:54] Evan Francen: Kevin, Kevin Norton,

[00:49:56] Brad Nigh: He is, I love Kevin, we have a few that came up and I’m not gonna go into details, we can talk about it off, but he said back a response and I just lost it. I was laughing so hard. It was like, that is so Kevin,

[00:50:10] Evan Francen: Oh yeah, I love them. Or hate a man. That’s where it is. It’s either love or hate. There’s some days I just want to, you know? Yeah, there’s some days where I want to give him a big hug and but he does a lot of stuff keeps he’s kind of the glue for a lot of things. So shout out to him. Yeah. All right, well, the hopefully next week we’ll be back on track again. Today is Thursday. So we’re a couple days later and when we normally record, we’ll see if we can get that back on track next week. Um, for those of us, for those of you who like to do social things on social media, you can reach out to us. I become less uh social media because I’m getting ticked off the drama of everything. But you can find me @EvanFrancen. You can find brat at brad brat. You invited brat brad the brats. You can find him @BradNigh.

[00:51:03] Brad Nigh: My kids will love that.

[00:51:04] Evan Francen: Yeah, I bet. Uh, and you can email the show if you want insecurity at proton mail dot com. If you know us personally, you can always find us on LinkedIn and you probably have already mail address anyway. So, uh, where’s that? In the meantime, have a great week. Stay cool. Be safe. Uh, probably want to get vaccinated. Just my advice. But your call.

Recently, Amazon made changes to their terms of service. This sparked a conversation between Evan and Brad about terms and conditions, privacy, and what we tend to blindly agree to. Together Evan and Brad discuss Amazon’s Conditions of Use and what happens when you are blindly agreeing to terms.


Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. It’s good to have you join us on this funny Tuesday something. Hey, Thanks for Tuning in to this episode of the Unsecurity Podcast. This is episode 140. The date is July 20, 2021. Running is my good friend Brad Nigh. Hey, Brad

[00:00:40] Brad Nigh: Good to see you have a picture of what’s actually happening outdoors right now.

[00:00:45] Evan Francen: Oh, all right. Yeah. Well I’m wearing a tank top. They, you know, working from home like you are and in downstairs my wife is like, why are you wearing tank tops and everywhere? Tank tops? It’s hot outside. Oh my gosh.

[00:01:02] Brad Nigh: Yeah, ridiculous. That’s me. Even hotter next week. You see next Tuesday, the forecast is like 105.

[00:01:08] Evan Francen: Yeah. That’s nuts, man. I don’t know. I don’t even know what to do outside. We are. Yeah, we came back from Mexico yesterday. That was kind of fun. Um, I’m kind of excited to get you down there and your family. It will be fr secure south headquarters. Here we are. Yeah, yeah, you’re fine. I’ll show you. I’ll hear some pictures with you. Awesome christian and we saw get lunch together dinner because I’d like to see it.

[00:01:42] Brad Nigh: Yeah, absolutely. They were like that in a while. That was asking about his ah we need to see his girlfriend again and we’re like uh like, you know, we we went and had ice cream with her and I sat with, so you remember your daughter? It was funny.

[00:02:01] Evan Francen: That’s awesome. That’s great, Libya. By the way, my daughter, she uh got her job today. So I’m excited because that should be last dollars out of my pocket. Pay for weird things that 15 year old girls buy. Yeah, tell me about it. She comes home with like uh I’m gonna go down around the whole

[00:02:23] Brad Nigh: uh

[00:02:25] Evan Francen: All right, well things are good. A couple of things, so we have a packed show today. You can easily talk all day about, you know, some of the things I’ve got, we’ve got in store, the first one is um I’ll just go through the topics. The first one I just called it, you agreed to what layman’s view about all these uh the terms of service privacy notices on and on and on. I don’t think anybody ever reads these things

[00:02:54] Brad Nigh: very, very rarely well,

[00:02:56] Evan Francen: and I did, I decided to because there’s a couple of companies that I’m just kind of shut up with in terms of what I feel like is overstepping trying to do everything for everybody. Um We’re doing a whole bunch of things. Well, but not great.

[00:03:15] Brad Nigh: Yeah, well, and and if you read through them, they’re not written in a way that’s easy to understand their, it’s pretty intentional to, you know, make this confusing. You just, you know, very complex language. Uh Oh

[00:03:32] Evan Francen: yeah, totally. So we’ll go into that and you, you identified a really cool cool website that will bring to bear here in a little bit. And then um, kind of big news I guess not surprising, but big news is Pegasus. Yeah, that cyber surveillance weapon,

[00:03:55] Brad Nigh: we knew it was out there. And yeah, we’ll talk about that when I got some good thoughts on that.

[00:04:01] Evan Francen: Yeah, not cool, not cool. And then the other uh, three topics, the layman’s view into, you know, terms of use and all that, legally legal stuff. I’m not a lawyer. You’re not a lawyer. Thank God because yeah, well yes, I’m not a lawyer. Uh, and then we’ll go into the Pegasus thing and then we’ll talk, you know, last is we’ll bring up this Chinese backed hacking group, APT40 you’ve been in that response for a while you’ve seen that come up here and there Chinese and the US indicted some of their members for whatever that’s worth.

[00:04:42] Brad Nigh: You know, at least something’s happened.

[00:04:46] Evan Francen: That’s cool. They called him up by name. I think it sends a message, the Chinese like we know exactly who this is,

[00:04:53] Brad Nigh: right. Yeah, it’s, you know, are realistically if you look at it, that’s a pretty big deal to do to another country, but we’re going to that one later.

[00:05:03] Evan Francen: Yeah. You don’t see the Chinese announcing our guys by name, right?

[00:05:10] Brad Nigh: Yeah, it’s fine to talk about you.

[00:05:12] Evan Francen: Yeah. So first we’ll talk with this uh sort of this legal stuff. So what kind of spread this for me was, you know, someday maybe I got an email from Amazon saying, hey, our terms have changed. Mhm. Yeah. For some reason they just caught me at just the right time. I’m like, well what? Yeah. So then I clicked on their link which led me to Amazon’s conditions of use. I was like, oh my God, this is a lot of stuff.

[00:05:43] Brad Nigh: So I sent you another link that will back up what I’m about to say. So here’s the thing the is it the literacy project? The average reading level of the US Is a 7th or 8th grader. And then Take that. And when you look at uh studies are showing that people skim web pages and read about 18%. So you’re writing documentation at a, you know, graduate level. How the hell you read it? Are they going to understand it?

[00:06:18] Evan Francen: Right. And even if I understand uh the sentences of the words or maybe even a paragraph, the way they write these things, it’s like one paragraph weaves into another paragraph which then weaves back into another paragraph previously stated, we’ve got another paragraph and then click link to another document. I can understand. What I’m reading. What I can’t understand is all the links here, there everywhere. A

[00:06:46] Brad Nigh: Section three, Paragraph 4. I’m what that was like I’m on subsection 20 what the heck is going on?

[00:06:54] Evan Francen: Well, exactly. So you know I, so I started reading these conditions of use and it was last updated on but they isn’t, their terms have changed and so I was thinking that was click the link brings me to the conditions of use which says it was last updated on May 3rd. And I got the email mm July 18th. Don’t know if that’s the thing that changed or not.

[00:07:21] Brad Nigh: I don’t know.

[00:07:23] Evan Francen: But it brings you to this help and customer service web page. And on the left side there’s a, you know, heading is legal policies and then you’ve got conditions of use, privacy notice, Amazon group companies, non exhaustive list of applicable Amazon patents, the applicable placements, patents. You’ve got non exhaustive list of which non exhaustive means it’s not everything. Yeah, I know what those words mean. I was like, well where’s the list of everything? Right? You know, and that leads to all this legal mumbo jumbo. Two words may may not. Yeah, this but not limited to. Right the hell. Right. Uh, and then the last one is Amazon.com gift card, an electronic message, customization service terms. That’s what you get in this page. So I started to read it and I don’t, you know, once I started doing something stupid like that I just keep going. So um, for starts off welcome to Amazon.com. Amazon.com Services LLC and or its affiliates Amazon provide Amazon in quotes, provide website features and other products and services to you when you visit or shop at Amazon.com. Use Amazon products or services. Use Amazon applications for mobile or use software provided by Amazon in conjunction or connection with any of the foregoing collectively Amazon services in quotes by using the Amazon services you agree on behalf of yourself and all members of your household. So that means if I’m using Amazon stuff, the way I read this is I’m agreeing to the same things for my wife. Mhm. My kids. Yeah, I was in my household grandma’s living with me grandma. Just bring these terms too. Right. And it doesn’t say head of household either. It just says you and all members of your household. Yeah. God,

[00:09:37] Brad Nigh: the best. Well, not the best, but the thing I like is at the end or hidden in there in addition to other limitation and exclusion conditions of use our total liability, whether in contract warranty, tort, including negligence or otherwise, will not exceed the last membership fee you paid. So there’s the same, you know what we’ll refund you your membership fee regardless of what we did to you. Right.

[00:10:05] Evan Francen: Well, and that’s that’s the opening paragraph of these conditions of use and then in a big bold. Mhm. Writing please read these conditions carefully. Mhm. Yeah,

[00:10:17] Brad Nigh: I’m looking at the other side that we’re going to talk about here in a second. It was

[00:10:21] Evan Francen: out at the bottom. Yeah, I’m excited about that one. What I think what I want to do first is just paint how using this stuff can be. And then what what’s a simple place where I can go as a consumer to break this down. And that’s the link that you’re we’re gonna talk about after we get through this. But so it says please read these conditions carefully. And then it’s a whole bunch of blah blah blah blah blah. And then you’ve got headings of privacy, electronic communications, copyright, trademarks, patents, licensing likes us, your account, reviews, comments, communications and other content, intellectual property complaints, risk of loss returns, refunds entitled product descriptions, pricing, app permissions, sanctions and export policy, other businesses. And then you have the disclaimer of warranties and limitation of liability disputes, applicable law, site policies, modification, severability. Their address, which is a P.O. Box, so not really. Right. An additional software Amazon software terms because we didn’t put it in somewhere else. Mhm. How to serve a subpoena or other legal process. Okay. And then notice, notice a procedure for making claims of intellectual property infringement. That’s all in this one document. Yeah. And it doesn’t get any easier. Right if you read the doctor any of the stuff under any of these um headings, man. It’s atomic crap. Yeah. So click on their non exhaustive list of Amazon trademarks. Look at that page,

[00:12:13] Brad Nigh: is it? Let’s see, yeah. Where, Where is that 1?

[00:12:19] Evan Francen: Okay, so if you go

[00:12:21] Brad Nigh: on this is exactly it. Right,

[00:12:23] Evan Francen: right. On the conditions of use page, if you scroll down to trademarks, there’s click here to see the non exhaustive list of Amazon trademarks.

[00:12:34] Brad Nigh: All right. I’m on the wrong flight. God, that

[00:12:39] Evan Francen: one way I can so I can shut down here. I feel it.

[00:12:43] Brad Nigh: Yeah, because I’m

[00:12:44] Evan Francen: much on people’s face, which is good. Nobody wants to see my face anyway, so let’s go into here.

[00:12:51] Brad Nigh: Yeah. Right. Uh Yeah, so I real quick I just threw their terms of service into readable.com. And is it a D. With a grade level of 12.5,

[00:13:07] Evan Francen: I think you got the big 12.5. I know Lots of high schoolers that, but not understand any of this. I don’t understand it. I’m 50

[00:13:18] Brad Nigh: that education just being able to read it. Not not understand it there. That would be the difference there.

[00:13:24] Evan Francen: Yeah, I suppose after you read it. Yeah, I get the word I c I can pronounce pronounce the words you see

[00:13:32] Brad Nigh: with them. Uh huh.

[00:13:37] Evan Francen: Mm measure

[00:13:39] Brad Nigh: correctly and I’ll see it.

[00:13:42] Evan Francen: That’s probably not using Zoom’s terms of condition correctly. Uh huh. No, I gotta click start broadcast. That’s why. Alright, here we go. You know, sharing your screen. All right. She

[00:14:00] Brad Nigh: Okay, yep,

[00:14:02] Evan Francen: there’s our conditions of use and then. Right here trademarks. Right, so you see the non existent with a list of Amazon trademarks like oh my gosh, on and on and on and on. That’s why I’m going to ace yet. There’s bees. She’s the trademark F. B. A boost Felix fox film finder’s find treated french deluxe. The trademark french locks I think coffee ab camp happy belly hawk traitor. And they don’t. No way are they trademarks? They’re used on their site somewhere. It says in addition, graphics logos, page headers, button icon scripts and service names included in made available through any Amazon service are trademarks or trade dress of Amazon in the US. So these are their trademark. Well, the trademark leather architect list of bests will a Macy mad dogs nectar the trademark Neo. Yeah, they trademarked prime red wagon.

[00:15:27] Brad Nigh: The conditions. Yeah, I pulled up their conditions of use and threw it in there and in the Flesch-Kincaid grade level, it’s college level. Yeah, at least.

[00:15:40] Evan Francen: Alright, so that’s their list of three marks. Let’s go back to ah patents. Oh my god, website will look like, let’s check, check it out. Oh it’s on a page. That’s not bad. I don’t know. It looks like maybe probably at 12345, 10, maybe 90 patents they’re listed.

[00:16:08] Brad Nigh: Uh That feels seems about right.

[00:16:11] Evan Francen: Yeah, we’re not looking at amateur uh mike uh IBM list of patents.

[00:16:17] Brad Nigh: Yeah,

[00:16:19] Evan Francen: the patent freaking everything uh that’s your account. Mhm. So that’s that if you understand any of that, right? That and that’s okay fine. It’s more like uh you know whatever you stuff, this stuff doesn’t really bother me that much. Just had a baffling how big they actually are. It’s not, I mean I know they’re a huge company but also like you must have a legal team the size of like when the population of South Dakota.

[00:16:55] Brad Nigh: Right by the way, your your ads are still

[00:16:58] Evan Francen: broadcasting. That’s all mike I don’t care about either. So you can see that I was on United Airlines. Yeah. I get it. I want to go to uh go back here or here go here. I want to go to this other one to privacy notices. This is the part that that was really interesting film. The privacy notice. And they say if I didn’t read any any of these, I guess, you know, reading the conditions of use is sort of cool I guess. Mhm. But the privacy stuff, you know like what types of information do they collect about me? Where do they use? Where do they get it? You know, they don’t go into any real detail. They just give you like general stuff. Yeah. I think they’re so big that who’s going to fight him? Right? You can the state of say the state of California says that you’re in violation of CCPA in these sections or whatever, they’ll never get through it. Right what I mean? Yeah. Oh my gosh. What personal information about customers does Amazon collect? Well they’ve got information you give us automatically and this goes back, remember when we did that uh podcast about this privacy? Do you have a right to privacy? And people debate? Yeah I have a right to privacy. It’s like okay you may have it. You actually have it because saying you have it and legally you know right right. Are you you know did somebody just take it from you and you look at this stuff you know and just in Amazon and I can’t imagine you know if you look at Amazon Microsoft Twitter Facebook, you looked at LinkedIn all these places where you’re sharing information. You realize you have no privacy. No.

[00:18:57] Brad Nigh: Yeah. Yeah. And same thing with their privacy notice college level reading You know averages seven areas grades I think 12 13 14 year olds.

[00:19:09] Evan Francen: So who who would ever do you think that’s like um let’s say the F. D. C. Do you think they could force Amazon to write this in a way that the average. Right. So you mean that the average reading level of Amazon customers which you know maybe it’s ninth grade for eighth grade? Yeah. How how did you possibly hold them accountable? There’s something that they don’t understand?

[00:19:40] Brad Nigh: Ah I agree but honestly we preach this with uh security policies as well. You read some of those and it’s the exact convenience college level document and that. How are people going to understand it? And I have to double check but we made our acceptable use template at late. I think it was 9th or 10th grade.

[00:20:04] Evan Francen: What? That’s the side you’re referring to if our listeners wanted to take their own policies, run them through, Is there a site that you’re

[00:20:14] Brad Nigh: uh Yeah, you can do you see, I’ll throw it in the chat and you can include it in the notes. Okay, readabilityformulas.com. And then you can drop grab it in there and it shows all the different reading the score and then all the different versions of our region. And

[00:20:40] Evan Francen: next I think that’s really important like because if I am writing a policy, it’s not that and the way I’ve always used policies in my own work is I don’t expect anybody to ever read them. But what I do is people to reference them. The reference documents. Right. Mm. And so if Amazon was going the same way about this policy stuff, it’s obvious that they’re not, maybe they’re writing it as a reference document because they do have headings, you know, and I can find stuff. But um yeah, I don’t I don’t understand what they’re actually seeing here.

[00:21:15] Brad Nigh: Well and there’s a huge difference in these terms of service and a security policy because with the security policy you still have a resource to go to to explain it, right? That there should be somebody who understands it. So if you look at it and don’t understand it, you you have a resource. Amazon, you’re just agreeing to it with no way of understanding it.

[00:21:38] Evan Francen: Right? And what about like, let’s say Microsoft or Amazon? You know, they’re almost so big that you can’t avoid not using them, right? Yeah. There’s no there’s no way I cannot use a Microsoft product somewhere in my like. Mhm. Apple is playing. Yeah. You’re almost forcing me when you are forcing me. I have no option. I must have this which whatever you put in here. I don’t know. Um I guess I’m glad the lawyers fight it out. I mean, if you have an opposing counsel that wants to stand up to the team of Amazon hell, I should go back and see if you know, because Amazon does have their list of group of companies. I wonder if they have a group that’s called Amazon? No, they don’t. I don’t have their subsidiaries listed. They did. I wonder if there’s like an Amazon legal incorporated? They’ve got their own, you know, law firm.

[00:22:44] Brad Nigh: Yeah. I don’t know

[00:22:48] Evan Francen: charlie. What’s that?

[00:22:50] Brad Nigh: It’s a subsidiary that doesn’t actually have any. If you lose, that doesn’t hurt company profits,

[00:22:58] Evan Francen: man. Yeah. I mean they’re so insulated from anything that you and I could ever do. I mean your power, this is a consumer, I think unless you can somehow lobby, you know, a government entity to stand up to them. But Amazon’s got lobbyists, right? Yeah. So it’s you against the lobbyists? Yeah. Forget about it. Uh And it’s not just Amazon we’re picking on Amazon right now because this is the email I got. But I think the same thing would apply to just about any large tech company today.

[00:23:33] Brad Nigh: I would say anything that you click the terms of service that you have to agree to. I would assume that this is the case. Yeah. And you’re probably gonna be safe one of the few times you can safely assume something.

[00:23:45] Evan Francen: Yeah. The information that Amazon, what personal information about customers does Amazon collect? Four types, 3 types: information you give us, willingly or unwillingly, or knowingly or unknowingly. Automatic information, which is stuff they get from their third parties and interaction with their stuff and things. And then actually automatic information like their cookies, stuff like when I track you and where you’re going and how you’re using the product everywhere, and information from other sources. So that’s where they get the information. Uh, for what purposes? Well, this is what they say: purchase and delivery of products and services, provide troubleshooting to improve Amazon services, recommendations and personalization, which is basically so you’re more crab, provide voice, always crap you don’t need, by the way, provide voice, image and camera services, comply with legal obligations, communicate with you, advertising, which seems a lot like recommendations and personalization, and fraud prevention and credit risks. So that’s why, for those purposes, you know. Okay, what about cookies and other identifiers? A whole bunch of stuff there. Does Amazon share your personal information? They do. Uh huh. Mhm. Yeah, they should. Transactions involving third parties, third party service providers, business transfers, which seems kind of funky, and protection of Amazon and others. That’s when they release information or share information with others. So Amazon, yeah. And then we’ll collect your information. But if they need to share your information to protect Amazon, they really do that. Mhm, yep. So anything to protect Amazon’s behind. How secure is information about me? This is the part that sort of talks to me, because I’m more concerned about Amazon, the name, than about an attacker with my information. Truthful.

[00:25:57] Brad Nigh: I mean we’ve seen it with some of these recent attacks. Where is the most value? Where’s the data? Right. You want to attack 500,000 individuals or one place that has that information? Well right.

[00:26:13] Evan Francen: Yeah. So we protect it. So this is what they say. We work to protect the security of your personal information during transmission by using encryption protocols and software. We follow the Payment Card Industry Data Security Standard when handling credit card data. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of customer personal information. Our security procedures mean, and we may ask you to verify your identity before we disclose personal information to you. May ask? Better damn well ask.

[00:26:47] Brad Nigh: I don’t like “encryption protocols.” What are they using? Like Triple DES? Like what protocol?

[00:26:54] Evan Francen: Well, they probably have good stuff, but yeah, but they leave it open ended. Yeah.

[00:26:58] Brad Nigh: At least, but industry accepted, at least then I have a good feeling of what they’re using.

[00:27:05] Evan Francen: You think? Well, there’s no, that stuff, come on, they copied in pieces from somebody else, you know? Yeah. Oh

[00:27:13] Brad Nigh: it does happen. Yeah

[00:27:16] Evan Francen: Our devices offer security features to protect them against unauthorized access and loss of data. You can control these features and configure them based on your needs. Click here for more information on how to manage the security settings of your device, i.e., Sidewalk, when it’s enabled by default. Mhm.

[00:27:34] Brad Nigh: And you get like seven days to disable it. Right?

[00:27:39] Evan Francen: Yeah. Now, last bullet point under “how secure is information”: it’s important for you to protect against unauthorized access to your password and to your computers, devices and applications. We recommend using a unique password for your Amazon account that is not used for other online accounts. Be sure to sign off when finished using a shared computer. Click here for more information on how to sign off. That’s all you get for “how secure is information about me” in this privacy, uh huh, notice. That’s risk. Yeah.

[00:28:13] Brad Nigh: So I can’t wait for you to go to the other site

[00:28:16] Evan Francen: and you know

[00:28:17] Brad Nigh: it’s like whoa okay

[00:28:20] Evan Francen: Well, this is some of the other. I’ll go through the rest of this pretty quickly and then we’ll jump over to that. So what about advertising? A whole bunch of stuff listed there about advertising. What information can I access? Ideally you’d be able to access every bit of information, and you sort of can. But here there’s only a limited number of things that you can access, I think probably through their front end. Mhm. What choices do I have? And they give you a list of choices. But essentially, if you want to use Amazon services, you don’t have any of this. Just take all those words, I’m just going to say you don’t have any. Yeah. Are children allowed to use Amazon services? Amazon does not sell products for purchase by children. We sell children’s products for purchase by adults. If you’re under 18, you may use Amazon services only with the involvement of a parent or guardian. We do not knowingly collect, knowingly being the key word, collect personal information from children under the age of 13 without the consent of the child’s parent or guardian. So this is the way you work that: knowingly is a keyword. And the second piece there is “without the consent of the child’s parent or guardian,” hidden in somewhere in all these agreements and various other things.

[00:29:38] Brad Nigh: Right. Well, we mentioned it, “I agreed to,” this includes your family.

[00:29:44] Evan Francen: There you go. So, hire household. Yeah. Alright, California Consumer Privacy Act, they have a section here, but all they have is a sentence and then click on the link to read about disclosures required there. EU and Swiss-US Privacy Shield remarks are listed here. No GDPR, uh, practices and information, a whole bunch of stuff there. But this is where I thought was information. So I’m gonna read through this quick and then we’ll get to the thing, because I think when you realize how much information they actually collect about you, it’s, what did they miss? Right? So here’s what we got: information you give to us. You give us when you use Amazon services, uh, you provide information to us when you search or shop for products or services in our stores. When you add or remove an item from your cart or place an order through, uh, or use Amazon services. When you download, stream, view or use content on a device or through a service or application on a device. When you provide information in your account, you might have more than one if you’ve used more than one email address or mobile number when shopping with us, or your profile. When you talk to or otherwise interact with our Alexa voice service. When you upload your contacts. Uh, configure your settings on, provide data access permissions for, or interact with an Amazon device or service. When you provide information in your seller account, Kindle Direct Publishing account, developer or any other account we make available that allows you to develop or offer software, goods or services to Amazon customers. When you offer your products and services on or through Amazon services. When you communicate with us by phone, email or otherwise. When you complete a questionnaire, you support again, contest entry form. When you upload or stream images, videos or other files to Prime Photos, Amazon Drive or other Amazon services. When you use our services such as Prime Video. When you compile playlists, watch lists, wish lists or other gift registries. When you participate in discussion boards or other community features. When you provide and rate reviews. When you specify a special occasion reminder or new employer, employee, product availability alerts, such as available to order notifications. That’s how we get information from you.

[00:32:22] Brad Nigh: Right. To be clear, this isn’t just Amazon, this is going to be anywhere, and you’ll see that, you know, like you said, we’re not taking on Amazon. It just happened to be the one that popped up. This is

[00:32:35] Evan Francen: She entered no. This is what goes back to my point when I say you have no privacy. Yeah. So then it says, as a result of those actions, you might supply us with such information as: identifying information such as your name, address and phone numbers. Amen information, your age, your location information, your IP address, people, addresses and phone numbers listed in your addresses, email addresses of your friends and other people, content or reviews and emails to us, personal description and photograph in your profile, meaning pictures of you and things such as that, voice recordings when you speak to Alexa. Now you’ve got voice patterns about me, images and videos collected or stored in connection with Amazon services, information and documents regarding identity including Social Security and driver’s license numbers, corporate and financial information, credit history information, and device log files and configurations, including credentials, if you choose to automatically synchronize them with your other Amazon devices. That is the information Amazon has. Yeah. Out of you, essentially. What did you miss? DNA? Is that in there yet?

[00:33:58] Brad Nigh: Yeah. What did they collect? Yes, exactly. Yeah.

[00:34:03] Evan Francen: So they haven’t got my DNA. Happened. Trust me, they’re working on it. Uh, and automatic information. So these are examples. So that’s just information you gave them, right? Are they, you, as you giving them information that they collect and analyze automatically, meaning using their things, where they get it: an internet protocol address used to connect your computer to the internet, login, email address and password, the location of your device or computer, content interaction information such as content downloads, streams, playback details including duration and number of simultaneous streams and downloads, and network details for streaming and download quality, including information about your internet service provider, device metrics such as when a device is in use, application usage, connectivity data, and any errors or event failures, Amazon services metrics, examples: the occurrences of technical errors, your interactions with features and content, your settings, preferences and backup information, location of your device running an application, information about uploaded images and files such as file name, dates, times and location of your images, version and time zone settings, purchasing content use history, which we sometimes aggregate with similar information from other customers to create features like top sellers, the full URL clickstream to, through and from our websites, including date and time, products and content reviewed or searched for, page response times, download errors, length of visits to certain pages and page interaction information, so just going clicks and mouse overs, phone numbers used to call our customer service number, and images or videos when you shop in our stores or stores using Amazon services.

[00:35:54] Brad Nigh: Yeah. Yes.

[00:35:56] Evan Francen: Right. And that’s only two ways, right? We’ve also got the information from other sources. Um, I mean, it’s all there right now. People probably, yeah, thought this anyway. But when you actually read through the list of all these things, it really starts to hit home, like, oh my God, you have everything. Mhm. You own you. Amazon basically owns me, owns you. No. So crazy. Crazy, man. All right. So I just want to bring that out. I don’t know what we do about it, to be honest. I think we’re so deep in this hole right now. Yeah. I don’t really know how to get out of it, but here’s what I’m going to bring up for our listeners. Right. So basically, I mean, I think we just kind of painted the picture that you’re screwed. I don’t know, did we?

[00:36:59] Brad Nigh: I think, yeah, I think so. Right. There’s a way you can make it a little easier,

[00:37:06] Evan Francen: A little easier to understand how you’re being screwed. Right? So, uh, yeah, here’s a page now. Uh, people that listen or see it on YouTube, you can see what I’m showing on the screen. But, um, there’s a cool website that Brad brought to bear. It’s https://tosdr.org. Yeah.

[00:37:32] Brad Nigh: For, for Terms of Service; Didn’t Read. Yeah,

[00:37:36] Evan Francen: This is really, really cool. This person, I saw it, you know, when you brought it up to me. Yes. You put them in the search and it breaks it down nicely for us

[00:37:48] Brad Nigh: and it shows the different services too, and so grade A, best, terms of service treat you fairly. B, the terms of service are fair towards the user but could be improved. Grade C is, they’re okay, but some issues you need to consider. Grade D, terms of service are very uneven or there are important issues that need your attention. And a grade E is, the terms of service raise very serious concerns.

[00:38:12] Evan Francen: Help. So Amazon itself gets a grade E, Amazon AWS E, and Amazon Prime Video gets a D. So nothing in Amazon is created for the consumer. It’s all like,

[00:38:26] Brad Nigh: which, if you click on Amazon, uh, there, like the logo, it will take you to the page, and then if you hover over it, I mean, it brings it down into, uh, you know, human understandable language, but if you click on it, it’ll actually show you the exact language within the terms of service

[00:38:47] Evan Francen: which, when I do it on an iPad,

[00:38:49] Brad Nigh: it took me.

[00:38:51] Evan Francen: But it, uh, yeah, I mean, this is great. I’m going to spend time here. I think it’s really interesting now. Uh, it’s kind of, this is an unbiased sort of review of the documentation without me having to read the entire documentation, yep.

[00:39:10] Brad Nigh: Yeah. And you know, it’s funny if you put in, put in, you know, the major browsers. So we’ve got Chrome and idiot dogs are

[00:39:19] Evan Francen: amazing.

[00:39:20] Brad Nigh: They’re protecting me from that. Horribly mean ups draft. Um, right. Uh, I’ve put in, like, Chrome and Firefox and Brave and, yeah. Mm, yeah, I took that first secured to, but, uh, oh, internet work though. Yeah, the big ones score poorly. Firefox and Brave both score a B. No, yeah, things to keep in mind within your browsing.

[00:39:56] Evan Francen: Yeah, Zoom scores. Yeah. What about Twitter? Yeah, it’s still red, uh, LinkedIn, LinkedIn’s on my maximum now. Right.

[00:40:12] Brad Nigh: Uh Exactly. I would stop their own terms.

[00:40:15] Evan Francen: Any of the big tech, not great. Any, what’s that? Does any of the big tech not grade an E?

[00:40:23] Brad Nigh: what? Oh I believe. Well

[00:40:27] Evan Francen: IBM doesn’t have a grade.

[00:40:31] Brad Nigh: Mozilla.org has a B.

[00:40:36] Evan Francen: Subscribe to D.

[00:40:39] Brad Nigh: So let me, why don’t I share my screen a second, show what I was talking about with the click over. All right. Yes. All right.

[00:40:54] Evan Francen: Yeah. And find my zoom.

[00:41:02] Brad Nigh: So here we go. So when you look at it, you know, your data, whether you have an account or not, so hover over it and it actually shows and explains exactly what they’re doing. Yeah, deleted content, not really deleted, it is here, and I’m not proud. You can review off-Facebook activities, but Facebook can view your browser history.

[00:41:33] Evan Francen: Yeah,

[00:41:34] Brad Nigh: but your identity is used in ads that are shown to other users.

[00:41:40] Evan Francen: Oh, this place, Terms of Service; Didn’t Read. Yeah. I love their mission, their quote at the top: quote, “I have read and agree to the terms,” end quote, is the biggest lie on the web. Yeah, we fix that

[00:41:58] Brad Nigh: This here. So it lays out differently on my screen than your iPad did. But, uh, if you look, there are a couple here. Wikipedia gets a B, that’s pretty good. Doctor to say, that’s fantastic. Um, Startpage is a B and that’s about it. Everything else is pretty much an E. Interesting. Apple, Blizzard, Khan Academy, which surprised

[00:42:25] Evan Francen: even have Pornhub on here.

[00:42:27] Brad Nigh: YouTube, talking credit. You know, if nothing else, maybe it’s a good thing, a good idea to kind of understand what services you’re using and then what services are out there. What are the options? And when does it work? Like they said, I use either, uh, DuckDuckGo or Startpage and then Firefox or Brave. Now, at the end of the day, does it matter if they’re doing all this other stuff? Maybe? Maybe not. But, you know, do what you can,

[00:43:04] Evan Francen: you know, when there’s so much. Well, I think a lot of people don’t realize how much power there is in information.

[00:43:10] Brad Nigh: Oh, that’s where they make their money.

[00:43:13] Evan Francen: How much? Yeah. But it’s a, I mean, as a consumer, it’s just like an everyday person, like they give you this drug, right? The blinky light game, the interaction, the video, whatever they give you that really resonates with you. And then they just, I mean, my God, it feels like we’re being raped.

[00:43:42] Brad Nigh: Well, and that’s why, you know, the other thing is, install something like Privacy Badger, right? It’s gonna block those tracking pixels that are all over the place and at least give you a little bit of control over your privacy again.

[00:43:58] Evan Francen: Yeah. Mom and a bookmark this page for sure. Use it often. I quickly, about us, really interesting people, I think, you know, you can follow them, maybe interact with, if it’s got time. Um, you know, we’re doing, I was talking earlier today with a friend of mine, can be starting a nonprofit, and I told you about the Great Matter Society, we’ll start that one in earnest. Right? It’s moving, it’s moving slowly. Nobody’s got enough time because everybody’s busy as hell. But whenever I retire, which is now, uh, 700, move on there, 707 days, I will probably be devoting most of my time to that. Hopefully we can bring these things together, you know, these pieces like what these guys at Terms of Service; Didn’t Read are doing, and some of the other really cool nonprofits like Cybercrime Support Network, you know, Kristin Judge, what she’s doing over there, and it’s gonna bring these things together, because I think if you get these things together, maybe we can effect some change. Yeah. The only way we’re ever gonna get your privacy back is to change it, meaning you have to change whatever characteristics about you that you can change, right? You won’t be able to change your DNA, or change your facial structure without, you know, serious money, your fingerprints, stuff like that. But we can change things like Social Security numbers, driver’s license numbers, uh, you know, and the like. So, pain in the butt, man. Yeah. Again, if you missed it, listeners, tosdr.org, someplace to go. It’s really interesting stuff. We also have some additional links that were put in the show notes. People can hopefully find some useful stuff there. Kind of an eye opener. Yes. Well, being that we spent so much time there, I was going to go through these other two, like, pretty quickly. You’ve got probably more to share on the Pegasus stuff. But you gotta, I’ll bring up one article in particular, won’t bring it up on the screen here. But I first saw it in the Guardian, and it was because what’s his face, who’s, uh, Snowden? Snowden posted on, week then are not LinkedIn, on Twitter Sunday, this is gonna be the biggest news story of the year. And it was a link to the Guardian. The title is, revealed, colon, leak uncovers global abuse of cyber surveillance weapon. It’s called Pegasus. Not surprising, but I’m definitely troubled, man. Well, I mean, yeah, privacy, right? No privacy with all this stuff. And then you get your own government. Well,

[00:46:51] Brad Nigh: I don’t know if you saw that, there were some updates that I was reading earlier today that, uh, let me see, there was like prime ministers, ah, it was 14 heads of state. So three presidents and prime ministers and a king. So you’ve got the presidents of France, Iraq and South Africa. And then the prime ministers, that are current, of Pakistan, Egypt and Morocco. And then the king of Morocco. And easier, I mean, if you read that Guardian article, it has a thing about the freelance Mexican reporter, Cecilio Pineda. Uh, so I apologize if I botched that. Right?

[00:47:39] Evan Francen: I mean it’s

[00:47:40] Brad Nigh: terrifying, right? Yeah, he’s dead. He apparently was of interest to a Mexican client in the weeks leading up to his murder. And the killers were able to locate him at a car wash. Coincidence? Maybe, not likely. You know, the amount of, the other thing that I think this closes up is the whole encryption backdoor. They clearly don’t need it. All it’s doing is weakening, again, our privacy and our security. So they clearly already have the ability, they got Android and iOS, what else do you need? Like, you’ve got the software, just, you don’t get to weaken my protections already. Ruin. That’s over.

[00:48:32] Evan Francen: Right. And so this is hacking, essentially hacking software sold by the company called the NSO Group. Right? Which is an Israeli company. They claim that they only sell to legitimate, mara, vetted government bodies. But how the hell? Who is that?

[00:48:51] Brad Nigh: Well, and none of it, but users agreed to only use it for specific purposes. Uh, great, wink wink.

[00:49:00] Evan Francen: It’s insane, man. So who they sell it to: 51% intelligence agencies, 38% law enforcement agencies and 11% the military. Ah, yeah, this is just the expanse of it. And you’re right, man, that the Mexican client. Well, who runs Mexico? The cartels run Mexico. Mhm. You know, maybe you could say, well, the president. Okay. Sure. Right. But it’s crazy, man. The attack vectors: SMS, WhatsApp, iMessage, any number of, God knows how many unknown vulnerabilities, those are the attack vectors. Once it gets there, things that it can read: emails, WhatsApp chats, if you thought that was a secure app, photos and videos, activate the microphone remotely, so while you’re not, you don’t even know it’s being turned on and they’re listening to everything you’re saying, activating the camera, recording phone calls, GPS data, calendar, contacts book, you name it, right? It’s rooted.

[00:50:08] Brad Nigh: You know what’s bananas? A factory reset doesn’t appear to get rid of it on at least some Android phones. But the recommendation is, until we know more, if you find out you’ve been affected, get a new phone.

[00:50:26] Evan Francen: Yeah. Yeah. One. And how long was that one? You know, like the true, right. Just being targeted, that gets you, right, there was just, anyway. But when it’s like right in front of you like this.

[00:50:44] Brad Nigh: Yeah. There was a, oh, I’m trying to find it now. That was really cool. I think you could actually install it to see if it was affected.

[00:50:56] Evan Francen: Mm. Uh We’ll work around it.

[00:51:01] Brad Nigh: Yeah. Yeah. I’ll put this in there. Well, it’s not the analysis. You can, if you are concerned, you can actually at least find out.

[00:51:15] Evan Francen: Yeah. Find out if you’re going to die next week. Yeah. Give credit to, does it? I think 16, it’s 16 journalists, they’re working on exposing this more. 16. Okay, uh, investigation by the Guardian and 16 other media organizations. Yeah. You gotta have some serious, uh, gumption, yeah, to be going here, because you’re talking about some pretty shady, very powerful people,

[00:51:50] Brad Nigh: yep. Yeah. You know, it’s always, I just, uh, a link on how to, uh, well, if your phone is affected, but it’s Amnesty International that’s putting out these indicators of compromise and kind of running this, which makes me feel at least a little bit better about, you know, it’s calling and testing to a lot of stuff.

[00:52:11] Evan Francen: Well, it’s good there. Yeah, I mean, I’m not like a, I’m not like tighten any, I always have healthy, uh, skepticism, I think, about everybody, you know. But this speaks very highly of Amnesty, ah

[00:52:30] Brad Nigh: which they got a B on tosdr, so there you

[00:52:36] Evan Francen: go. He’s not been true. So really interesting. It will be interesting to follow that as it continues and see what the reaction is going to be, what’s going to happen.

[00:52:48] Brad Nigh: Yeah. All out on this.

[00:52:52] Evan Francen: Why? Because, you know, the United States, multiple, you know, agencies and, or multiple agencies prefer, and the military, are customers.

[00:53:04] Brad Nigh: Mhm. Oh, 100%.

[00:53:06] Evan Francen: So the crackdown on themselves.

[00:53:10] Brad Nigh: I know it’s nuts.

[00:53:15] Evan Francen: So that’s gonna be, uh, yeah, it will be a movie for sure, and some other things, but it’s sad to that. And then the only way to really protect yourself at all, your tech, and even then, you know, whatever. But you can’t really get away from tech anywhere. Get away from my home, I can’t get away from it on the streets. There’s camera surveillance everywhere. There’s God knows how many electronic signals doing what, you know, when I set up just a simple, um, hello wireless, uh, the brain isn’t working today. It is, man. I set up a simple kit on a Raspberry Pi. I live in a small town, Main Street. I caught like 30,000 signals in like a week, just different communications going on, whether it be Wi-Fi or what have you. Crazy. Alright. So that’s that. Keep a look out for that. We could cover that for days. But that’s, uh, interesting. The other one, the last one that we’re at: US indicts members of the Chinese-backed hacking group APT40. I quoted that one from bleepingcomputer.com, but it’s all over the news, essentially. Uh, we’ve indicted some hackers from China for their, Chinese, everything is Chinese government. So you think that there’s a private company, private entity in China? Mm, no, no. And, man, you say their names, but interesting pictures. They have a picture of king green men, they have a picture of him, but they are being usually italian and wolf the wrong and zoo in men.

[00:55:11] Brad Nigh: Yeah. What, what I think is

[00:55:13] Evan Francen: looking folks

[00:55:14] Brad Nigh: big about this is the fact that they named them, right? Like, there, this is definitely an escalation in cybersecurity.

[00:55:26] Evan Francen: Yeah, for sure. And yeah, because you don’t, I don’t recall, I’m sure, nothing off the top of my head, uh, resonates when China has called out a U.S. analyst by name. That they may do things, now, they do do things quite a bit different. Ah, yeah, you should see what comes with that too. And I wonder if China, you talk about the customers of, you know, the NSO Group, I wonder if China is also a customer. No, I’m sure. Well, but NSO is an Israeli company. Mhm, mm. Yeah, I would think that enemies of Israel, anything that comes out of Israel is pretty tightly controlled.

[00:56:20] Brad Nigh: Yeah. Really interesting, because if you, the Guardian is gonna, if you read it, they’re going to start, uh, linking and naming the people, and they started naming some of them. So, and it shows who the country of interest was. So that’s going to get, that’ll be fun.

[00:56:43] Evan Francen: We’ll be your son. All right. Well, good stuff. Uh, will turn out yet, but I’ll get them, hopefully. I can’t do it tomorrow, tonight, because I have two talks to give tomorrow and I haven’t even started yet. Uh, yeah, but we’ll post the show notes here, evanfrancen.com, will be an episode 140 show notes when I get those things finally posted. We’ll talk, we’ll outline, we’ll have all the links to the things that we talked about in today’s show. Uh, and if you have things that you’d like to add, like if you found good resources that you think other people would benefit from related to any of the stuff we talked about, ah, you know, today in today’s show, you know, send it our way. 5%. Are you ready? Um

[00:57:33] Brad Nigh: You know, I’m gonna give a shout out to Zach, because he’s been going on and stuff and he’s still, man, he makes me smile. Just such a great attitude. It’s very, it’s nice to, yeah, it makes you feel better as a parent.

[00:57:48] Evan Francen: That’s cool. That’s cool. I’m gonna give, this is a person who is never going to listen to a podcast, probably. I’m gonna give a shout out to Rudy. Rudy was our house manager down in Mexico this week and we had a really good conversation. I’m one of those guys where I don’t, I’d like to know everybody, you know, there’s not like this, uh, I’m better than you thing. So getting to know Rudy was a lot of fun this week. He’s a hell of a worker, works two jobs. Mm, I got to give it to every Mexican that I met down there, has a really incredible work ethic. You know, there’s no welfare, anything down there.

[00:58:34] Brad Nigh: So it’s, if you want to eat, you work. That was cool.

[00:58:37] Evan Francen: So I like Rudy and I’m looking forward to getting to know him more. Remedios, now. Mhm. All right, well, thank you to our listeners. Thank you, Brad, again, man. Good conversation, good to see your face. It’s good to see your health, yet, didn’t catch any drama out of your, yeah, this past week. So knock on wood. Let’s keep that going

[00:58:57] Brad Nigh: brother.

[00:58:59] Evan Francen: Uh, if you have something you’d like to tell us, this is for the listeners, feel free to email the show at unsecurity@protonmail.com. Your social, social people, Twitter, I’m @EvanFrancen, it’s just my name, and that is @BradNigh, it’s just his name. The companies we work for, if you want to learn more, @FRSecure, got a brand new website, check it out. @StudioSecurity is, uh, the other place. So that’s it. Have a great week. Talk to you later.

Evan is down in Mexico and took Ryan Cloutier (Head of SecurityStudio) and John Harmon (President at FRSecure) down with him. The two replace Brad this week, and together, the three break down cyber attacks in 2021 and more happenings in the security industry. Give this episode a listen and send questions, comments, and feedback to unsecurity@protonmail.com.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome, Unsecurity podcast listeners. This is episode 139 and the date is Tuesday, July 13, 2021. Joining me here, we’re on site in miss molloy to Mexico and I’ve got my good buddy and president of FRSecure, John Harmon, here. Say hi, John.

[00:00:42] John Harmon: Hi, John.

[00:00:43] Evan Francen: Yeah, I got that. And then my other buddy who runs the other company, SecurityStudio, Ryan’s also here. Right.

[00:00:52] Ryan Cloutier: Good to be here in Mexico.

[00:00:53] Evan Francen: Yeah. So I figured, we’re not, Brad’s not with us because Mexican bandwidth is always kind of funky.

[00:01:02] John Harmon: Yeah.

[00:01:03] Evan Francen: So I figured we’d do the podcast here locally. Amongst the three of us share some thoughts about security things. You guys have both been on the show before, but it’s been a while since you’ve been here. So we talk about what’s currently going on in your world and what we’re seeing and see what the, I guess the conversation takes us sound good. All right. So desert with you, john, you’re president of fr secure busiest health great years so far. First half of the year is, you know behind us now we’re ahead of pace. Things are going well. What are you feeling

[00:01:36] John Harmon: feeling good? You know, it was all the COVID stuff, you know, this time last year we had no idea what’s going to happen or what was going on. It seems like everybody woke up after Labor Day and decided like, okay, there was no pandemic, we need security stuff. And it’s been kind of bananas since then, which is great. Unfortunately a lot of that activity has been, you know, forensics and incident response, which we’re very happy to do, but we’d rather be doing preventative work. You know, like it breaks my heart a little bit whenever you get that “Hey, I’ve been ransomwared and I don’t know what to do” call. You know, it’s just uh, right in the feels. You know, your heart goes out to them, but it’s nice to be in a position to help anyway.

[00:02:14] Evan Francen: That’s cool. But it was happy that, you know, you do say, I think year over year we’ve had more incident response work this year than in years past. However, the, I didn’t notice that the number one thing that we’ve sold in the first half of the year has been risk assessment, is that

[00:02:32] John Harmon: right? Yes, that’s still correct. Which is fantastic. Right? FRSecure is kind of known in the industry for security risk assessment, quantitative risk analysis, which you developed and now SecurityStudio is perfecting and, you know, getting it out there and everything. And then virtual CISO continues to be, you know, having the data, having the assessment is great, right? Which can just point out problems with these people, look, right. So the ability to kind of project plan out what does your security look like over the next few years, and that’s sticking around and working through that, still a very popular thing. Yeah, that’s

[00:03:06] Evan Francen: cool. That’s very cool. So speaking of, you mentioned SecurityStudio, I got Ryan here, the not officially named president, but we call you president of SecurityStudio, I think it’s just formalities. Right? So you’re pretty much leading that organization now, which is really cool. I love the way you stepped up over the last year. Build off what John just said, I mean, how are you seeing the business first half of the year? Success, not success? Yeah, I would say, you

[00:03:33] Ryan Cloutier: know, first half of the year was a little bumpier just because the markets that we serve are the underserved markets, and they were dealing with the pandemic. So you’ve got state, local government, you’ve got K-12 schools, they had so much to address during the pandemic that unfortunately a lot of the security work that they needed to do took a back burner. But as we came out of the pandemic, you know, we saw a huge surge in a need and a demand for it. One of the things that we’re hearing a lot right now is around vendor risk management and uh the need for more organizations to provide virtual thunderous match because they just, they can’t keep up. A lot of these organizations that we serve are smaller, uh, you know, they’re stretched really thin. So we’re working on some innovative solutions within the tool set to make that easier. This year we’re gonna be diving in deeper with our partners and helping them to stand up and structure programs, and probably the thing I’m most proud of and excited to talk about this year that we’re working on, as a matter of fact, we’ll have our official kickoff for it at the end of the month. SecurityStudio has partnered with an organization called the accent A B A X M T, I believe. Okay. Uh, and what they do is they help underserved communities get employment. And so we’re partnering together to create a new workforce of risk assessors in the rural areas of Wisconsin where there’s a huge demand from the companies there, manufacturers, a lot of large manufacturers, but there’s a very small talent pool. So we’ll be working very closely with them to create new entrepreneurship opportunities and to actually create a formal training program where we can partner with them to create new certified risk assessors. So that’s really exciting.

[00:05:29] Evan Francen: That’s super cool. So, you know, information security has always been known as being a cost center, right? Kind of one of those necessary evils. And we’ve always professed that if you do security right, it can actually be, you can make money, you can set yourself apart in the marketplace, a market differentiator, you can find areas of opportunity because, complexity being the enemy of security, then the opposite would be simplicity. Right? So if I take a 20 step process and make it into a three step process, not only do I make more money or profit, you know, but I also make myself more secure. But on the other, a whole twist on this too, and we do it at FRSecure, the mentor program, right? There’s opportunity for you to create a career, for you to make money yourself personally. It’s cool now that SecurityStudio is doing the same thing. Kind of a different method, right, reaching out to people in these rural communities and giving them opportunities to have careers in information security. That’s cool.

[00:06:32] John Harmon: Yeah, that’s pretty, I mean I think back, you know, when we first started doing and, you know, like formalizing the risk assessment, and back then it took somebody with 10, 15, 20 years experience like 100 hours to do an assessment like this. And it was very, very costly. And even still today, if it’s important to you to have like a rank level security expert do the assessment, still very expensive. Oh, but the tool has kind of outpaced the need for that kind of expertise. So you don’t have to be a virtual CISO, you don’t have to be some high powered security professional to get a worthwhile risk assessment. So that’s awesome. We could create this niche in the industry of risk assessor and still have all that good data that you would get from a security professional. Just the software automates it. Right? So we can start moving the money from measuring the problem to actually fixing things, right? It’s amazing that so often there

[00:07:25] Ryan Cloutier: Yeah, that really is the goal. The goal is to help people to be able to focus their budget on the solutions, on actually solving the problems and putting in the necessary security controls. Uh, and the reality is, uh, you know, we have 6.5 million businesses right now going completely unserved because there is a limited resource pool. Even if you have the money, good luck getting on anyone’s schedule right now. So being able to create more opportunities to get more folks doing this work. Um, and the cool thing is a lot of people already possess the skills that they would need, you know, just to be able to conversate. I tell people all the time, if you’re a business analyst, project manager, uh, you know, really any kind of communications type role where you’re interacting with people and having conversations, you’re 80% of the way to being a risk assessor.

[00:08:20] Evan Francen: Yeah, and I love, one of the things that I think when our minds sort of melded together, uh, it was this: information security is a life skill, right? And people need to really embrace that, right? We did the S2Me to try to get people at home, right? Nobody is responsible for information security at home more than you, meaning the head of the household, right? You make the rules, you determine what’s appropriate, what’s not appropriate. You’re the one who secures that router or doesn’t secure that router, you know? So there’s, and as we continue to go down this path, right, where things get more and more and more electronic and more digital, that becomes more and more important. Right? And so trying to not leave people just kind of dangling, uh, and saying, oh yeah, I guess it is kind of the security guy’s problem. No, it’s

[00:09:05] Ryan Cloutier: not. I hear all the time, and I don’t know about you guys, but all the time when I’m talking to, you know, your average small business owner or even just people on the street, what they say to me is, you guys need to make this simple. Okay, I don’t have time to learn all these things. I don’t want to learn all these things. I don’t want 50 steps to secure my home router. I want one. I want simplicity. Make it work easier for me. I know I need it. I know I want it. I know I’m supposed to be doing it, but there’s nowhere in my life today that I can fit in an extra five hours to be a security pro. So I think we’re going to continue at SecurityStudio to focus on how can we further simplify, how can we make this as turnkey of a solution as possible to really accelerate folks to doing the right things, being able to secure. But most importantly, getting them focused back on the businesses that they run instead of being in a state of fear about ransomware coming later this afternoon or tomorrow. We want to get them focused back on doing good work.

[00:10:14] Evan Francen: Yeah. And these are life skills, right? It doesn’t even have to be at home. I mean it works, it’s at home as well, and we’re down here in Mexico and just prior to us starting this podcast recording, John, you were giving a talk to some high school students about security things. How did that

[00:10:33] John Harmon: go? You know, it went really well. It was a favor for a friend of mine, was like, hey, there’s this thing that, you know, we talk to a bunch of high school kids about security or privacy or whatever. So they focused in on financial apps, like banking apps or PayPal or Cash App or, you know, whatever that is, and it was super cool. So you can kind of run through the content like here’s some good resources and then get questions. That’s my favorite part, the answers. Really awesome questions from the students. Just to, you know, normalize this a little bit, if I can slander my own people a bit, I think technologists and security technologists in general like to keep a little veil and make you think that only we can do what we do because we’re so smart, you know what I mean? It’s part of something that’s broken in our industry, until like, bring that down and be transparent. It used to be like the name of the game is you can’t be 100% secure, so just don’t be low hanging fruit, you know what I mean? Be transparent, like help simplify this a little bit, make it a little more attainable, because you put these like huge bars out there, they’re really high, like you must be at this level, otherwise you’re just wasting your time. People aren’t even going to attempt it. So it’s fun. And the kids, young like that, is always good too, you know, thinking, here the questions they’re asking, it’s like better than some of the security box.

[00:11:50] Evan Francen: I love that, man. One of the best socks paper gave us a bunch of sixth graders. Alright, my daughter’s going to ask questions like, wow, I love that perspective. And that goes back to, I mean we’ve preached this before too, that, you know, I’m a big proponent, all three of us here, about diversity, right? And I know that in the last few years that word’s kind of been stolen to mean something maybe a little different than what I’ve always thought it to mean. To me, I love the different perspectives, right? If somebody with a different background, skin color and that stuff doesn’t matter. To me, it’s the background, it’s a different view of the world that you bring to the table. That’s so important. When you talk about those high schoolers, I mean they’re bringing this view and like, wow, that’s a good question, because if you’re going to connect with them, you have to take the time to do this, right? That’s really, really cool. You mentioned something about us using this vernacular, these words, I think that they make me feel really good. I feel super smart when I use some big ass word. You’re looking at me like, wow, you must be smart. That’s bullshit because I’m not connecting, you have to understand the words I’m using. Just this last week, I think it was maybe the real weekend, somebody used the word hacker and they took offense. This is somebody who is a hacker, right? And he was sort of taking offense at other people, maybe who don’t have as many years of experience in this industry, calling themselves hackers. So I replied on, there I go. If you’ve ever used duct tape before, you know, hacker. Yeah, I mean it’s a, you don’t, a computer is not required, right. The ingenuity, looking at things from a different perspective, creativity, some skill to use something in a way that maybe it wasn’t originally designed, you know, for, that to me is a hacker, right? So we’re all hackers at some level.

[00:13:39] Ryan Cloutier: absolutely, I completely agree with that. You know, one of the things that I did this week virtually is uh, the GenCyber camp run by Alexandria College back in Minnesota,

[00:13:54] Evan Francen: the technical school.

[00:13:55] Ryan Cloutier: Yeah, they did the kick off and I was on a plane on the way here to Mexico, so I had pre-recorded it. But one of the things that I tell those young aspiring security professionals, two things, when they say, you know, what other skills do I need besides, you know, learning how to actually pen test or do networks and things like that, and it’s communication slash psychology. Uh, and the other one is know that you work for the business, you don’t work for anybody, you don’t work for security, you work for the business. And if you have that mindset when you enter this industry, there is no limit to where you can go because that is the rare skill set in our industry. To the point John made earlier, that you made, you know, for me security people always seem to want to be smart and right at the expense of getting the right things done, at the expense of building that relationship that will allow for culture to develop, which actually leads to behavior change. And so, you know, if I have one gripe to pick about our industry, one thing that I think is really broken in this industry, it’s that wanting to be smart, right? To your point about the guy that you were interacting with online, you know, you lost an opportunity there to build favor, to build rents, to just have the ability to sway them to a different way,

[00:15:18] Evan Francen: right, and get off your pedestal, right? Being a hacker doesn’t mean that you can, there are some people who are very, very, very creative, who are super duper smart, that can’t even use a computer, right? And I would rather be locked in a room trying to get out of prison with that person than some of these computer people, right? Because they’re creative, they think differently, they’re smart, they see things, how things fit together. I think puzzle makers are great hackers because they see how pieces fit together, one piece goes to this piece and they all fit together. So I was kind of upset because to take this elitist attitude like, how dare you call yourself a hacker when I’ve got 20 years experience and I can take down this server right now. You totally missed the point of what hackers

[00:16:06] Ryan Cloutier: well, and can you get out of the puzzle room, right? Yeah, you

[00:16:10] Evan Francen: can you wipe your ass, you

[00:16:13] John Harmon: want to be right or do you want to be correct?

[00:16:15] Ryan Cloutier: Yeah, exactly.

[00:16:16] Evan Francen: Well you’re right because we’ve it’s kind of been weaved in this whole conversation to about information security is a life skill and it’s a safety issue, right? More than it’s ever been and it continues to go more and more than that way where I might have the most elitist hacker skills ever. I can’t protect the person at home, was about ready to have their child either preyed upon or you know, their privacy is gone or house burns down. I can’t help that. Right? So we have to get these other people to join us, you know, kind of this big mission.

[00:16:51] Ryan Cloutier: Well, and I think, to tie off on that, it’s a societal problem and we have to approach it as a society. Today we’re not, it’s a societal problem that we’re approaching as this niche where only this group of security people can solve this. And I think that leads to the average person kind of throwing their hands in the air and saying, well, I can’t do anything about it, so why try. And honestly, the only way we’re going to get ahead of this is by approaching it as a life skill, as a foundational life skill. Like looking both ways before you cross the street, washing your hands, wipe your backside, right? These things that we teach our youth. Especially if we’re gonna put an iPad in the hand of a four year old, we need to understand the impact of that. We need to understand

[00:17:39] Evan Francen: that. And at what point do we, what point do we just give up on the person that’s just not going to listen, and they’re going to cross the street without looking both ways anyway and they’re gonna get killed? Yeah, I mean I started to ask, I started to ask myself that question. Like I told you, it’s not 10 times. I can’t waste any more time here. I need to move on to people that will listen, that will embrace, that will protect themselves. Sorry, this one’s gone. Because you talked about it too, John, about some of the ransomware stuff, you know, or some of the incidents that we respond to. We have had to sit across the table from presidents, CEOs of companies and tell them essentially the company is not going to survive. You just got hit by a semi truck because you didn’t look both

[00:18:20] John Harmon: ways. Yeah, that’s uh, you know, it’s never satisfying. You know, there have been times when we met with people, you know, and it’s pretty easy to get people, you know, companies to talk with you about security, right? Everybody has a question. It was a little curious, right, separating the intellectually curious from the economically serious attitude over things. Like, are you actually going to do anything about this? Are you going to take my recommendations? Or are we just BS-ing about security here? Like I’m happy either way. You know, but you should do something, right? You should be getting a theft. You should have a plan, should be working that plan, just, you know, making those simple kind of fundamental incremental changes. But, you know, you tell me to pound sand and, you know, I’ll call you if I ever need to, and then that call comes, it’s, your business is going to die because you didn’t make these fundamental incremental changes. There is no “told you so,” like you can’t, right, but it is an urge, but it’s so unfortunate and it was so easy to prevent. Most times, most of the time when we see these things, it’s not the 1% of hackers that you just can’t stop. It’s not those guys, thank God, right. It’s somebody messed up, somebody clicked on emails, it was an oversight. It was just something knucklehead. It was, you know, RDP open on the internet, right? It’s just stuff that, it’s best practice. It’s fundamental. It’s easy, but you just didn’t have her iron ball, but I think it can cost you everything.

[00:19:50] Evan Francen: Yeah, I think a lot of times people maybe get overwhelmed when you look at all the security things, and we noticed this, I think CIS noticed this, I’m happy to see that implementation groups, we went with level one, level two, level three, not all that unlike, you know, their implementation groups, because we also have to meet people where they’re at, right? You talk about critical infrastructure, one of the, and it just keeps pounding in my brain, you know, the Oldsmar attack, right? Because that one was so well publicized. There’s lots of them, by the way, if you google, you know, water treatment facilities that have fallen victim to ransomware, you’ll find more than Oldsmar. But the reason why that one sticks out is it’s critical infrastructure, and what we did with critical infrastructure is we created this cool NIST CSF, we made it voluntary, which was one problem. And the second problem is you can’t give a water treatment facility manager, somebody who makes the water pumps work, makes sure the water gets to your house, can’t give them a NIST CSF and say do this. Right,

[00:20:51] Ryan Cloutier: right. Yeah. And I do see a ray of hope, you know, one of the things that I’ve seen just in the last couple of months that really gives me hope is our counterparts in the insurance industry waking up to the fact that the model that they’ve had for the last few years of providing these large ransomware coverage, you know, offerings with very minimal expectations of doing the foundations and fundamentals with, you know, a questionnaire that has seven questions on it. What I’m now hearing from clients that we interact with is that that one pager is now 15 pages and they’re, you know, chancellor underrate. Uh

[00:21:35] Evan Francen: but the one thing, the one biggest complaint we would get about our risk assessments from cyber insurance underwriters was it’s too long, and I was like, well, seven questions, I mean, come on, that’s too short. Can we find a middle ground? And it’s good to see now that, you know, they’re kind of waking up. But it’s also frustrating because we told you when, you know, people, I don’t know. Listen, well,

[00:22:02] Ryan Cloutier: I’ll give you a personal story from my childhood. I was told not to run by the pool repeatedly. I was told this over and over, and it wasn’t until I drove a tooth through my lip that I learned. And so I do think we are going to have a little bit of that. You’re going to have to hit the wall to wake up to this. But I’m hopeful. So I heard, uh, from one of our mutual friends that Lloyd’s of London is no longer issuing very high value policies. They just won’t do it. Uh, and you know, that’s going to have a trickle down effect. And I honestly think when the business goes to renew and they see a 40-60% increase in their premium or an outrage which use will recover them, I think that’s going to be the hit-the-wall moment for these businesses. I think that’s when you’re going to see them start to wake up. Okay, wait a

[00:22:53] Evan Francen: saying from a vendor risk management perspective too, I know many organizations that won’t do business with another organization if you don’t have a cyber insurance policy, thinking that that is

[00:23:02] John Harmon: due diligence,

[00:23:03] Evan Francen: they have insurance or not. There’s so many different ways to, you know, I think, provide adequate security to the people you serve beyond just having cyber insurance. That’s a little frustrating. But back to the point, too, um, you can’t save everybody, you know what I mean? And we’re Christian, three Christian guys, you know, it reminds me of when Jesus said, you know, shake the dust off your feet and, you know, continue down the path. And I’m starting to see myself do that more, not because I’m frustrated, but because we have so many people, I think, to help that I can’t keep spinning my wheels here. I’m sorry, when it hurts, when that tooth does go through your lip, I’ll be here to help, I’ll come running with a towel to try to help you

[00:23:50] John Harmon: Out. You know, it’s that 80/20, right? It’s that 10% on either side, because you have the 10%, they’re just like, it’s right, they’re not going to come along until it hurts enough. And you’re just like, those people are frustrating. But on the other end you have some companies that are overdoing it, right, and they’re eating up our time, you know, and security experts’ time, because it shows well, because it looks good, like they have their act together, they have their own security team, they have everything that you would possibly want, they’re very, very unlikely to have any meaningful event affect the flow of their business. But they’re like over investing in security. And so we just sit around and twiddle our thumbs and do the same things over and over because it makes the board feel good or whatever it is. Like those people also drive me crazy a little bit. It’s like, hey, you guys got this, like you should be maybe spending your money somewhere else here in a different way. Now can we, you know, move on. And there’s that middle 80% that’s on the spectrum somewhere that we can get, you know, really move the needle on.

[00:24:50] Evan Francen: It’s like that guy, that guy, you know, you go over to his house. We probably all have a friend like this. And there’s like 18 locks on the door. There’s camera surveillance everywhere, alarm systems inside the house. Everything. I mean they’re like over secured everything. It’s like, hey bro, you live in Konia. You know, there’s no crime right here, right? Right? You’re trying to protect

[00:25:12] John Harmon: against, you know, he wants your help. He wants you to come over and help him help you dig like a laser trip wire around the house. It’s like

[00:25:18] Evan Francen: no dude, come help,

[00:25:19] John Harmon: come help them unlock. I think so.

[00:25:22] Ryan Cloutier: Well, that’s the same guy that usually has the 40 ft single pane bay window. All right? So for all that, and yet you still have, you know, an easy-to-break piece of glass. And then we talk about this all the time: when you’re managing risk, what’s your next most unacceptable risk? Right? What is that? You know, you can chase down every little thing. I deal with, you know, when I’m working with schools, I will run a vulnerability assessment. It will come back with 12 or 14,000 findings. Well, that’s not 14,000 unique vulnerabilities. It’s two vulnerabilities across the entire environment. And, you know, so, but helping them, because they don’t know, they see that number, a count, and it causes panic. And so you’ve got to sit them down. Hold on. Really, we’re only talking about two here. It’s just everywhere. Let’s push that patch out. And it still surprises me how few organizations today are doing adequate patch management. All right. You know, we won’t go too deep into that press.

[00:26:26] Evan Francen: That’s not something new right now. It’s not, everybody should know that now. So then on things like that I’m starting, I’m starting to sort of just shake the dust off my feet. The guy got the next thing that I need to work. You already know this, right? If you just choose not to do it, that’s your problem. Not only that, but we put it into context for you too, right. We did, we do assessments. Step one, step two, step three. Right? So, you know where it’s on the spectrum of things, because it doesn’t make any sense for me to do patch management if I have no asset management. Doesn’t make sense to do any asset management if I don’t have roles and responsibilities figured out. Right? So back it up to, where do I start this thing? Start shoring those things up and then you get to patch management, and it’s just the way you do business. Right, it’s work. And I think a lot of things, you know, in 2021 now, we grew up hard working folk too, right? I mean you grew up in Montana, you know, Texas and Montana, working hard. You grew up following your dad all over the place, handyman, everything. And I grew up, you know, the son of a 20-year Marine. We all had kind of work beaten into us, so I don’t mind work, but I wonder how much, people we talk to, like, yeah, that looks like work, we’re still looking for the easy button, can I buy something to fix it?

[00:27:45] Ryan Cloutier: I think that’s part of it. I also think there’s still that fundamental disconnect. We don’t treat this, we don’t treat information security or IT like we do the rest of our physical world. If I go into a manufacturing facility and I ask them about maintenance, they can tell me in exhaustive detail about this equipment, this bearing, when it’s going to fail, the maintenance schedule they have to prevent that, the downtime they’ve planned for their production line, all these things. And then I ask them about maintenance on their IT systems and they just blankly stare back. Well

[00:28:22] Evan Francen: and to their credit too, uh, it changes so damn fast. Right. That big machine that you’ve had in your plant now for 20-some odd years, you know, I’m like a second or third or fourth generation of mechanics maintaining that machine. And in IT you’re like, yeah, things were populated, I think 14 times, and we’ve installed eight other applications that basically do the same thing that that one does, but just in a different way, because the guy over in marketing likes his way and then the guy over there in legal likes his way, and the CEO, he wants his own applications that do the same. I mean it’s just like, what the hell, when do you stop the chaos and say no, no, no, no more applications until we figure out what the hell we have

[00:29:02] Ryan Cloutier: for this

[00:29:05] Evan Francen: insatiable demand for more. It’s nuts because it does come crashing down. How many times have we done, John, an incident response where like, I didn’t even know I had that system, or I thought we were protected because we bought something, like it wasn’t protecting the thing you thought it was all the time.

[00:29:24] John Harmon: These uh setups that like on paper are impressive. You got a tool for this, a tool for that, a tool that double checks in case this one doesn’t work, and all this other stuff. But they forgot to point all that at their assets, like you missed the first step. Like that only works if it’s looking at everything, and you’re going to have to look at everything, because if you’re not doing that, somebody sold you a bill of goods saying that this would do it for you and it just doesn’t. You know, again, it’s always the fundamentals.

[00:29:51] Evan Francen: Yeah. And then from a vendor management perspective, I just did the State of New Jersey’s, you know, one where they asked us a bunch of questions, and actually, that was a good assessment. I think I like the way they went at that. But, um, a lot of times, you know, our customers, where we’re the vendor, will ask us if we have these certain technologies, but don’t really ask enough about how we’re using them, whether we’re using them appropriately. And so it almost makes risk more than not having a tool in the first place, because now I’ve got a false sense of security. I’m not checking for, you know, cracks in the foundation anymore, because I feel like it’s hidden by like multiple layers of paint now, you know, until it comes crashing down. And I was going to write something, and I know this is nowhere near the right time, to leave from a political correctness perspective, I’ll get my ass handed to me. Yeah, well, because I was going to write about the, you know, the building that fell down in Florida, right? You talk about the difference between physical and digital, logically, they’re the same damn thing. It’s just the form that they take, right? So I have this building that we can all touch and see and whatever. And the foundation went to crap. It wasn’t maintained appropriately. Maybe not appropriately, but it was multiple layers of paint. They continued to sell new condos there. I mean, it was pretty well occupied, and the foundation failed, it came crashing down. The same thing happens from a logical perspective, right? Where you build all these things, you put all these things, more stuff, more stuff, more stuff on the outside. It looks like a beautiful piece of art, right? But underneath it, it’s all rotted. It’s coming down. It’s going to hurt. Uh, on the physical side, people died, you know, 100-ish. Hundreds of people, you know, that which really breaks my heart, because the same thing is going to happen on the digital side, because we’ve become more and more and more dependent on the digital stuff to keep us alive.

[00:31:50] Ryan Cloutier: Yeah. Uh, and we see that in all industries. You know, I’m working with some folks who are working on a project for an H and C. C. because they’re trying to get this executive order, you know, they’re trying to honor the executive order, the fighting went out, and they need to separate the OT from IT. This hasn’t been done before the way that it needs to be done. And so, you know, in those systems we’re talking about, you know, the folks that are helping to snap it, hope it right now, we’re talking about research laboratories being unable to conduct research if something happens. There is a physical impact. We’re seeing it in our critical infrastructure. Um, you know, it’s just spiraling. You know, the medical stuff fascinates me, the amount, we have surgery robots out, you know, where the doctor is remote hands. You know, you’re getting surgery done at your local hospital and the surgeon is 3000 miles away controlling that robot through an internet connection. Well, what happens on that dark day when somebody decides to hijack that signal? And unfortunately they’re not thinking about that. They’re not, when they’re building this technology, it seems to me that it’s happy path only, and they’re not thinking about the destructive use cases. We talked about this the other night on another podcast that we do about software development practices, how we need to take a really hard look at the security components and do secure by design at the onset of the idea, not trying to hot patch on some security control after you build something that’s insecure

[00:33:27] Evan Francen: You’ve got so much wisdom that we shared over the years. I mean, we said that something that’s insecure at the core will always be insecure, period. So if you started an application, if you started an application and you didn’t start following good secure coding practices almost from the get go, you’re just piling more crap on top of crap on top of crap and it may look like lipstick on a pig, but it’s still a pig. We saw this happen for those of us who were around when 24 was a thing. The reason why you had to completely redesign everything, the kernel and everything from 24 to the next version and you do this on multiple next versions, is because the core of the kernel was written insecurely. You could never secure it. That’s why it always had to be patched, it always had service packs. You remember those days well and so if we could go back to writing securely from the very beginning, good coding practices. Now the problem is it slows things down. We have a sensational lust for more and more and more new features, new features. We’ve adopted new security, we’ve adopted new technology way faster than our ability to secure it. We are so far behind the curve right now. That’s why Biden’s, when you look at Biden’s executive order, it looks like holy crap, you want me to do all this stuff. Yeah, that’s just kind of the beginning. Right? You’re so far behind right now. I mean it’s almost start

[00:34:47] Ryan Cloutier: over. Well and I think of it as getting to the start line, something I say a lot when I’m helping, especially the schools, navigate this. The goal of what we’re about to do isn’t to get you scared. It’s to get you to the start line so that we can begin to secure. There’s just, there’s so much free work uh, in those environments, you know, they don’t know the networks, they don’t know the assets, news, you know, there’s just all this stuff, it’s on the internet, it’s like, okay, you got to go back

[00:35:16] Evan Francen: to square one. A building comes crashing down, you can’t patch the building, right? You have to start, you have to wipe it clean and start over again and that’s what you need to do. And so many of these technical environments that I’ve seen, from network to network infrastructure. Just that where the network was designed right, well, you’ve got segmentation. Well, great. And that’s really good from a performance perspective, probably because you know, limiting my layer 2 traffic, but from an isolation perspective, which is the secure way everything is built, you can’t do it because you’ve got applications all over the place, servers all over the place, clients all over the place. And then you start to kind of go down this path, these are moving things into their appropriate little buckets, but you still can’t lock it down and then you start talking about zero trust stuff. Forget about it, if you want to do zero trust you should have done that from day one, now you’re just retrofitting a whole bunch of crap and if you look at the Zero trust architecture stuff, which is funny, as funny, sad, it’s sad. It’s not funny. But look at, you look at sts guidance on zero trust, you know architecture, you have to add like four or five serious components into the architecture, into the infrastructure to even get close to it. And from a guy like me, I’m looking at it. Okay, so I have more complexity to fight the thing that I don’t understand already. Seriously, if I was doing zero trust in almost any organization, I would start from scratch. Well, you have to build the brand new environment, move things over as you go.

[00:36:51] Ryan Cloutier: Yeah, absolutely on that. And you and I have talked about this Zero trust is a great buzz term but you can’t actually communicate

[00:36:59] Evan Francen: zero. There’s that guy, is that due to a Flasher who thinks he actually invented this. I’m like, you invented the name, you did not invent any of these concepts, like as some of the Unix guys that were. Yeah. Uh so anyway, uh FRSecure, the theme, what would you say, like the first six months of the year are gone, now we’re moving on to the next six months. If there was a theme that you could think of to summarize the first half of the year, is there something that comes to mind, a word or a phrase?

[00:37:38] John Harmon: If I have to sum it up simply, I guess it would just be focused, right? We have a really good team and they’re, they’re doing their jobs, everybody’s performing at a very high level, expected outcomes are coming true. You know, it’s all of that. Um, I think, you know, everything is going pretty well, the second half of the year is going to be just as bananas, we’re on this ridiculous growth curve and these commitments that we’ve made on that. But it’s all kind of born from, you know, I hope I’m wrong about this, but we’re not finding a lot of help out there. You know what I mean? Like there’s pockets in places where organizations are partnering and they’re doing things. But from our mission perspective, we learned this when we were on the road show, not a lot of FRSecures out there. There’s a lot of private companies that also consult. There’s a lot of compliance companies that also do some good things. But you know, a group of security professionals that are testing the way we test, pen test the way we test, the assessments the way that we do them, the incident response the way that we do it, that is 100% solely focused on actually fixing the problem and not appearing to, is way too rare when you find them. It’s like, brother, I’ve been looking for you and you know, but it’s, we’re just kind of like, all right, I guess we’ll just get to the point where we’re credible enough and big enough, successful enough where people want to emulate, right? And that’s, that’s kind of been our focus and it begins and ends with, in my opinion, our security team, which you started and that has really grown and not the leaders that are coming out of that, you know, Megan and Brad, Oscar is a once in a lifetime kind of guy and his team, american Tyler now, you know who we started. You know, he’s the one who, you know, who ran a vulnerability scan at the hospital, right? 
And took it down way back in the day and now he’s, you know, he’s grown and learned so much and all the stuff that he’s doing with our party now. I mean like this is, it’s a special, special experience. Very happy to be a part of it. What’s

[00:39:39] Evan Francen: really cool, man. And you lead that team. I can’t believe how well the whole company’s led, you know, but it goes back to that foundation too, right? I mean, you remember the early days, you were employed when it was 466, no one in my opinion, whatever. Yeah. No, but you look at all the struggles we went through trying to build this foundation, right? To build this. This is how we’re going to do things. We’re not going to compromise. We’re not going to compromise. Just like I wouldn’t compromise the foundation of a building, if you’re going to compromise anywhere, why the hell would you compromise on that? But you were there alongside me, alongside Kevin, alongside numerous other people, some that are still here, some that have come and gone, to lay this foundation and to see where you guys take it. It’s, it’s crazy to watch.

[00:40:33] John Harmon: Well, to come full circle, we’re talking about perspective, right? We added that to our core values this year, it was like, we value perspective, right? So I’m writing now kind of uh, you know, as we get bigger because it was a short time ago, years ago, I knew everybody, all right. Everybody knew who I was. Everybody knew who you were. We all, we all got together all the time. We knew each other’s families. Now, I mean, there’s people that have started months ago I’ve never met in the flesh and you know, like they’re just, we don’t have the credibility with those team members and, and rightly so, you know, I’m agree that I should just get credibility as leader because of my title, right? You gotta, But I said, I got to write some of the stuff down. What do our core values mean? What, what, what are our principles? You know what I mean? And the thing that I’m adding, you know, right off the bat is like, hey, here’s our principles, like product agnostic, like meet people where they’re at, like, we take care of our own. We’re always learning, like these are, are things, right? But I start off with: consider the possibility that we’re wrong about all of it, right? Have a healthy skepticism that there is a better way, right? Like, we don’t have the monopoly on the truth. We’re doing what we think is best. We feel like it’s coming from a good place. But how many times have we done that and it’s only blew up on us? We were wrong. So consider the possibility that even with all of the collection of experts we have, all the great minds, all the great horrors, that we’re just not doing it right? Yeah. You know, it’s like, just have that in your mind, there might be a better way, never stop looking for that. Never stop listening for other perspectives and looking at that, because how many times have you known something for sure? And it just wasn’t. So it was a Mark Twain quote somewhere. It’s like, it’s not what you don’t know that hurts you. 
It’s what you’re sure of that isn’t so. Those are going to be very painful lessons to learn.

[00:42:24] Evan Francen: Even in that, man, you’re an exceptional leader and I’m not just blowing smoke. I mean, it’s true and there are two things I think about, but I want to tie them together. One is, uh, we’ve always said truth. Uh, trust, credibility, and you need to like us, right? That’s how we get new customers. Trust is fairly easy. We struggle with that at SecurityStudio because people just don’t know us. Yeah. They think we’re full of crap, honestly. And I even put that out there, like when I talk to people, like I know you think I’m full of shit, but you can look at what we’ve done. I mean, truly this isn’t, this is not

[00:42:59] John Harmon: no, it’s not

[00:43:00] Evan Francen: theoretical, right? The credibility piece, I think that does come with size and you know, uh, hearing more about us, right? We’re coming out of our own little market now, not little, our own market in Minneapolis, in Minnesota, even though we have customers across the globe, we’re starting to branch out and be physically in all those locations, which I think is super cool. But the one thing I think that, and I think that’s really unique about FRSecure is most security companies are led by security people, meaning people that started in information security and grew a business. Right. The thing that makes you, I think, just so damn cool is you didn’t start in security, but you are now. I totally, I would trust you with my, I would trust you as a sea shell in a heartbeat because I understand where you come from and how you do things logically and all that stuff. But a lot of the security companies you look at out there, you know, like Mandiant, Kevin Mandia, he’s a security guy, look at another company that I really admire, TrustedSec, you know, uh it’s a security guy, you see that right all over the place. So I think it’s uh that’s pretty exceptional. One of the things I was thinking about, a lot of ransomware in the first half of the year in the industry, certainly our own IRT. Uh we talked about zero trust, I think security, FRSecure’s working on solutions on all those fronts. Uh now we’re going to be in Nashville.

[00:44:39] John Harmon: Yes, come to me about that. So Hacks & Hops, which is an event series that we have done for a few years, obviously paused for 2020, is kind of now back on the menu, right? So this is a format, we’re extending the format, it used to be kind of a half a day. We have a panel, you know, come to a cool spot. We do the U.S. Bank Stadium, you know, in Minneapolis. Well now that we’re deliberately focusing on some expansion markets, we’re going to do them in those markets, right? Because in Minneapolis it feels more like a customer appreciation kind of event. We always get new people there. But it’s like, yeah, you see a lot of familiar faces. Like what we want to do is run the people through a track, like an all day long track, like real value, and get their perspectives and panels and have you speaking and Oscar and Chris and, like we want this collection of ideas, we’re just like, hey, this is a rally, like let’s go do it. But you know, we have a couple of beers and we enjoy each other. You get access to security experts, we’ll do it in a cool place, we’re doing it at the Titans stadium, hopefully we’re doing it, I think like the happy hour kind of closing that is on the field of the stadium. Yeah, more fans like a Garth Brooks concert out there or something. But yeah, it’s super fun. So Alex is gonna kill me and I don’t know the exact date. I suppose I can find it here, on a Thursday

[00:45:59] Evan Francen: Go to FRSecure dot com and find it. Yeah,

[00:46:02] John Harmon: sign up for it, we’re expecting between 700 and 900 people to show up, which is, I know people

[00:46:10] Evan Francen: uh, from the school shit so, and other things that I do, you know my rabbit or squirrel chasing mind, we have people coming from Florida, uh, New York I think, I mean there’s people coming from all over the country to go to that, which is really cool. I’m excited to meet some of those people.

[00:46:27] John Harmon: Yeah, we’ve, you know, our sales team and our marketing team have been very open, right? It’s like we’re not just focusing on Minnesota and the five state area around it anymore. That’s always going to be our home base, but you can’t throw a rock in those markets and not hit anything FRSecure, and everybody knows who we are. You know, we’ve been around forever, but you know, we’re targeting what we called the bluegrass region, so Kentucky, Tennessee, Indiana, Ohio, you know, that kind of market, because that’s where Oscar and a lot of his team, you know, are. So it made sense. And then of all places Montana, which kind of, I call my home state, it’s where my family still lives, and Idaho and eastern Washington and Wyoming, you know, that kind of area has exploded. You know, and it’s great and we told those people, when we start to meet with them, like, hey, if you can help us, you know, like be a good reference for us, if we do good work, you know, whatever, like we’ll put an office here, we’ll start hiring people, we’ll be a part of the community and it’s fun to see that coming true. It’s going to come with an event like, you know, Hacks & Hops and all that stuff, you’re gonna start seeing that, that happening in a lot of different markets and all

[00:47:34] Evan Francen: that because not only is it cool to spread the truth, because this is really, I mean where our heart comes from is helping people. We understand that information security is not about information or security as much as it’s about helping people. You’ve talked, you know, Ryan, you were talking about the working with accent and all that really cool stuff and what SecurityStudio does, FRSecure with the CISSP Mentor Program, with, you know, the product agnostic, is, you know, sticking with the values. Uh, it just continues to show forth, plus those are all really good Harley riding areas, just saying.

[00:48:11] John Harmon: lots

[00:48:12] Evan Francen: of beer so I can do some here. I think, I think it’ll

[00:48:15] John Harmon: be fun. You’re going to think that a couple of successful times

[00:48:18] Evan Francen: using

[00:48:19] John Harmon: successful in that context. Yeah.

[00:48:21] Evan Francen: So Ryan, on the SecurityStudio side, uh first half of the year, I think, was, because that’s where I spent a lot of my time, John and his team are killing it at FRSecure. If anything, I try to stay out of it so I don’t screw it up, you know what I mean? So like, all right, you guys just keep doing that thing. But on SecurityStudio, first half of the year was really cool. I learned a lot of things about us, about our markets, about what we’re doing, where we’re going, you know, it reminds me of a lot of the things we did at SecurityStudio, I’m sorry, at FRSecure, with the foundation laying base, right? We’re not, there’s certain things we’re just not going to compromise on. It’s harder. It hurts more. Yeah, but I’m going to be a better person, I think we’ll be a better company for it. So first half of the year, same thing, your sort of theme, summary of the first half of the year, and what do you think the second half of the year is for

[00:49:16] Ryan Cloutier: SecurityStudio. So first half of the year, I would say, uh foundations, right? Making sure the foundations that we’re setting are solid, strong, that, that we have our fundamentals as a business, as a product, really solid. So that as we begin to build this more and more, you know, we’ve got that good groundwork laid. So that’s, that’s the first half of the year really, is a lot of foundations work. Second half of the year is expansion. You know, we, we are very blessed, uh anyone that gets exposed to the tool, you know, the tool itself, that’s, that’s one of the nice things, because it is so simplified, because it is so easy to use, we don’t have to be a security expert because the security expert lives inside the tool, that, that knowledge, that seven

[00:50:07] John Harmon: half of the expertise.

[00:50:08] Ryan Cloutier: Exactly, right. And we’re continuing to do so as we add more frameworks, as we look at new ways to innovate to reduce the amount of time it takes. I can’t reveal too much, but we have a couple of really awesome things we’re doing that will increase vendor accountability, that will help that single source of truth. So, you know, because we hear all the time, right? Nobody likes doing a risk assessment. I’ll just be very honest, right? I do. But I have a hard job, the job I have is convincing people to do this thing that nobody’s jumping out of bed to do, a risk assessment. Yeah, right. What we want to do, and what we’re going to focus on for the remainder of this year, is continuing to be able to accelerate them through the assessment to mitigation, remediation. We want to get them to mitigation, remediation as fast as possible with a nice, clean and easy to consume task list, right, let’s get them to doing the work and getting that going. And then the other thing that we’ll focus on in the second half of the year is enriching our partner network and enriching our partner relationships and ensuring that our partners are fully equipped to be able to serve their customers and to create new revenue opportunities for them as well. So as we start to do some innovative things in the vendor risk management space, there’s going to be a lot of opportunity to provide virtual vendor risk management, which we’re hearing a lot of demand for. It’s a growing thing. People just don’t wanna, you know, they just don’t want to do it, right. So being able to do that for them, and I think, you know, probably toward the latter end of the year, we’ll start looking at the consumer as well.

[00:51:54] Evan Francen: I think that’s

[00:51:55] Ryan Cloutier: a that’s a big part of

[00:51:56] John Harmon: what we want

[00:51:57] Ryan Cloutier: to do. It’s taking us to that next level. And like with all things that we do, we want to simplify. So we want to simplify the processes, simplify the tool and really, again, accelerate people through that, that assessment process as easily as possible. So we’ve got some really cool things we’re looking at from an automation perspective. We’ve got some interesting tooling that we’re in the process of developing right now that’s going to, you know, increase the accountability of the organizations to their information security practices, as well as accountability back to those third party vendors, which I think, my gut instinct tells me, will be the hot area of focus by the end of this year from a government perspective but also from a business to business perspective, as we see more and more managed service providers getting attacked. I think the conversation is going to shift to what’s in that contract and how are you protecting me? Can you prove that you’re doing what you’re doing? And that’s where I think SecurityStudio is going to shine, is we’re going to be able to help those organizations, even if they don’t have an I. T. T., to be able to hold those vendors accountable, to be able to show scientifically exactly what’s going on. You know, and just the objective versus subjective approach I think is going to pay off in spades.

[00:53:20] Evan Francen: Yeah, I had a good discussion with my guarantee this useful for New Jersey about that. They do an assessment, like a lot of people have done assessments, on a scale, you know, 1-5, right, on every question, which is good. I think it’s going to get those opinions. And I think you could do that. If you, let’s say if you wanted an objective result, quantitative results, you have to do that and like any 20 different perspectives, you know what I mean, in order to get that to give you the truth, right. I think the two falls. Okay. But anyway, you mentioned one thing that I think is really important and we’ll wrap this thing up. Uh huh. Nobody likes to do risk assessments, right? But here’s the deal. Everybody likes to drive the damn car. Nobody likes to do the tune ups and oil changes and, you know, that’s our job as security people, right? Right. Is to do the tune ups, to do or make sure they’re being done appropriately, right? And then you can drive the damn car. Thankfully, you don’t have to do risk assessments every single day. We will get there, because we do have risk assessments that will dynamically change over time. But yeah, that, that, you know, stick in the ground once a year, once every couple of years risk assessment, it’s just maintenance, man. I mean, everybody’s going to do it, and look at it that way. Uh, awesome discussion, you guys. It’s cool that we’re sitting here in Puerto Vallarta. That’s the way, right. Next call this place from here. You call Puerto Vallarta. Uh, that’s cool to be here. The people here are amazing. I’m looking forward to a couple of years from now when, when I move down here and between now and then we’re going to be down here a lot and we’re gonna invite people down here a lot and it’s for no other reason than to give thanks that they trusted us. They look at us as credible. That’s why I’m here. Right, I didn’t, I didn’t get here any other way than the map, so that’s cool. 
Uh So we’re gonna go check out the beach, do some stuff, we’re gonna go scuba diving on Thursday. We’re gonna try not, I already had my first ticket, for people that are listening, it costs, it cost me 100 bucks to get out of it and there’s no record of it anywhere. So you figure out, is that a fine, is that a bribe? It’s up to you. I’m just saying there’s no record, cash. Um but to wrap up, where do we find you on social media? Ryan, where do we find you on social media?

[00:55:40] Ryan Cloutier: If you want to interact and ask questions you can find me on LinkedIn or you can find me on Twitter @cloutiersec.

[00:55:50] Evan Francen: Awesome, and we’ll be doing the show Thursday night too from here, Shinsho, we will. John, where do people find you if they want to get in touch with you? What’s the best way to, like, hey, I heard you on the shit show, I’m sorry, on the Unsecurity podcast, and I have this one thing to say, where would they go to find you?

[00:56:05] John Harmon: Uh always, you can always go to the FRSecure website, my information is there, and feel free to reach out. Very responsive on email. So I always do that, and then LinkedIn is pretty good. I’m on a couple other platforms. Those are the two that I kind of keep up with.

[00:56:18] Evan Francen: All right, awesome, and I think people know how to find me, and if you don’t, I probably don’t want you to, so we’re good. And then, have a good one, guys.

Kaseya VSA, a remote management software, experienced a breach over the holiday weekend that is already impacting a number of clients. It appears that this Kaseya VSA ransomware attack is connected to the Russian hacker gang known as REvil—but it has not been determined whether or not it is the work of REvil itself or an affiliate in their Ransomware as a Service (RaaS) program (and yes, that’s a thing). Evan and Brad break down the attack on this week’s UNSECURITY episode. Additionally, and flying under the radar because of Kaseya, news broke on June 30th about an impressive and potentially very damaging vulnerability in the Microsoft Print Spooler service. This has actually impacted a larger number of customers than Kaseya (millions of servers) and likely would have been bigger news had it not been for Kaseya.


Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. It’s good to have you join us. Thanks for tuning in to this episode of the Unsecurity podcast. This is episode 138 and the date is July 6, 2021. Joining me is my good friend, Mr. Brad Nigh. Good morning Brad.

[00:00:38] Brad Nigh: Good morning Evan.

[00:00:40] Evan Francen: You have did we have yesterday off? We did, yeah. Yeah. So Independence Day, Happy Birthday America 245 years old. Yeah, lot of years old. Yeah. Mhm Good. Yeah, it’s good. I think it was nice to see people out this year. You know celebrating after last year. Yeah.

[00:01:01] Brad Nigh: Yeah. It was the only unfortunate part. It was so freaking hot here.

[00:01:06] Evan Francen: Oh God, yeah. Yeah, there was a ton of, lot of fireworks in our neighborhood and then around here and it was probably until was later. I mean more fireworks than usual and later than usual I think.

[00:01:21] Brad Nigh: Yeah. What school is? We can see, our house faces, the back of the house faces almost due south and we’re kind of on top of the hill. So we can see, we could watch the fireworks go from east to west, across the horizon over the, like the tree line. So we got to watch fireworks from about 9:45 till 10:30 just across the back of the house, it was kind of cool.

[00:01:44] Evan Francen: It is cool. That’s very cool. Also, another thing happened this weekend. It was Friday I think, the second, and news broke about Kaseya. So I, I don’t think there’s, you know, we can talk about a lot of things, but I mean it’s hard to not talk about Kaseya with, you know, kind of everything that’s been going on the last few days. Yeah. So you were mentioning before we got online, uh our IR team at FRSecure has gotten hit as well, right? With incident response calls? Yeah,

[00:02:16] Brad Nigh: looks like there’s a, there’s been a couple there that have come in there looks like donkey, they’ll be busy here for a little bit.

[00:02:25] Evan Francen: Yeah. What’s good to keep them busy. It’s bad that here we are again talking about something really impactful I think across the globe. But then, you know, as your reports start to come in more and you start to dissect what actually took place, you know, it is a big deal, but I’m not sure it’s as big a deal as maybe we’re making it out to be. Yeah, I mean, I hate to minimize stuff that affects people personally, but when you look at the numbers, it’s

[00:02:56] Brad Nigh: like it could have been way worse, right

[00:03:01] Evan Francen: one. And when you first heard about it, did you think, Oh my God, here we are, another SolarWinds?

[00:03:06] Brad Nigh: Yeah, I was like, well I was like my, my initial thought was, oh this is going to be worse.

[00:03:13] Evan Francen: Yeah. Yeah, because that’s what I thought, you know, at first when I heard about it on Friday, it was probably mid day and uh, you know, my first thought was I hope it’s not another SolarWinds attack. And thankfully it’s not, right. This isn’t your traditional supply chain type, not like that, right? Because Kaseya’s code base wasn’t affected.

[00:03:36] Brad Nigh: No, this was more that traditional attack, the zero day that was out there. And it just so happens that the software they found the flaw in is used by MSPs and is installed in, you know, hundreds of thousands of businesses. So it wasn’t like, yeah, they, they got the source code and compromised that. It was what I would consider a more traditional attack.

[00:04:09] Evan Francen: Yeah, exactly. So the attack, you know, for listeners this was, you know, the VSA servers and these were on premise VSA servers, right. Allegedly Kaseya is still holding to the story that, you know, their cloud based servers were not affected by this. And there’s really no indication to question that right now. But the VSA servers, these are things, you know, traditionally used, well, mostly used by MSPs, managed service providers. And yesterday I was on the Here 11 News and I didn’t realize that uh, even the news guy I was talking to didn’t know what MSP stood for.

[00:04:51] Brad Nigh: I think that’s crazy because we just take so much of this for granted, we’ve talked about that how many times, you know? So wow.

[00:05:01] Evan Francen: Yeah, she was like, well what’s an MSP? And I’m like, okay, if you’re, you know, usually a smaller company or, you know, maybe a larger company that needs help with managing IT, you know, you might engage with a managed service provider, so they just provide these services that maybe you can’t afford or they don’t make sense for you to buy. Okay, so in this case the servers are used to remotely manage other systems, to do patching, to do monitoring, you know, do all that kind of stuff. And these VSA servers were on premise at MSPs and they were also accessible from the internet. That’s not like, you don’t want to rush to judgment and say, well how dare you make these servers accessible from the internet? It was

[00:05:51] Brad Nigh: common really. And I’ll be honest, is I don’t know enough about the software, Is was that necessary? Right? Like I don’t know when I don’t think we shouldn’t have it, but

[00:06:07] Evan Francen: yeah, I don’t think it was. I don’t think it was. I mean, I think you could have put this probably behind a VPN, you know, with multifactor. Maybe that’s where MSPs are going to go next with this. But I have done a lot of work with MSPs and, you know, from an IT perspective, keeping systems running, maintaining systems, you know, from an IT perspective they’re pretty good at that, but honestly most MSPs, oh, are not into security at all.

[00:06:36] Brad Nigh: Uh Yeah are from experiencing some of the stuff we’ve seen. Uh No

[00:06:45] Evan Francen: but you know, I know, I think they want to and I think they want to get better. I was down at the ConnectWise conference in Orlando I think a week before last on a panel and, and, and it’s all in this piece, right, ConnectWise is all MSPs too. And we were talking about security stuff and the impression I got was there’s an admission that they don’t know a lot about security, but they want to, they’re committed to it.

[00:07:15] Brad Nigh: I’ll say this there we worked with several bits. Oh yeah the one I think that’s the big thing is is if you don’t know don’t pretend right it’s okay to say I don’t know I’m not the expert in that right? And we worked with several that have said okay let’s do this. How can we do this? Right. And and honestly I’ve been really impressed with those and we get asked all the time for you know hey do you have any recommendations? Well I’m going to recommend the ones that we know are working to do things correctly and care right like there’s plenty that are not that way we’ll just believe it at that.

[00:07:58] Evan Francen: Well, yeah, and I sort of get it too, right? You see the same thing play out when you’ve got your own internal IT department and you have security reporting up to IT. Alright, yep, this isn’t an IT issue, and sometimes IT and security are at odds with each other. So then it’s just another case for breaking that thing out. Breaking it out into another group.

[00:08:20] Brad Nigh: Yeah, and that’s a good point. Not, you know, trying to put anybody down, right? You know, it’s not their thing, but don’t pretend that it is, because we do see that. Those are the ones that bother me

[00:08:35] Evan Francen: and they’re dangerous. Right? I mean those MSPs who think they’re more capable than they are, or they’re trying to do kind of everything.

[00:08:45] Brad Nigh: Uh

[00:08:46] Evan Francen: You know, you see a lot of these issues right now, uh, that are happening, I think, in our industry with companies who want to do everything, right? I mean, Kaseya wants to do everything, right? So you put all this trust into this VSA server, or this, you know, or something else, right? And then when there’s a compromise on that thing that controls so many other things, it becomes a really, really big issue.

[00:09:13] Brad Nigh: Yeah. Yeah. Uh huh. Yeah, it’s like, I know, how often do we have to, it feels like we just keep talking about the same things.

[00:09:27] Evan Francen: Oh yeah man for 25 30 years.

[00:09:30] Brad Nigh: Nice like uh

[00:09:32] Evan Francen: Well, it’s funny, like, you know, your wise grandfather, grandmother or whatever on the farm. You know, and they said, don’t put all your eggs in one basket. I mean, there was wisdom there, and I think we’re just like, whatever, I can do that. The software and, well, maybe, I mean, you do run this risk, right? You do gain some efficiencies by only having to pay one bill and everything in one place. And it’s really nice, convenient. But it also comes with this other side of risk. And I don’t think we often think all the way through. Right. Right. Till something like this happens. Yeah. So the thing that happened. So this wasn’t a SolarWinds cyberattack. Nobody broke into Kaseya in this attack. I’m not going to say nobody’s broken into Kaseya. But um, this was a zero day, uh, CVE-2021-30116 is the vulnerability, as given by an SD three. And in this case, uh, the company that actually found it was, I think, a company

[00:10:38] Brad Nigh: from

[00:10:43] Evan Francen: Dutch, right? DIVD. I believe the researcher is Victor Gevers, if I’m not mistaken, uh

[00:10:53] Brad Nigh: for vulnerability disclosure.

[00:10:56] Evan Francen: Yeah. So DIVD researcher, uh, Wiet, I must be saying it wrong, Wietse Boonstra. So W-I-E-T-S-E Boonstra. Um, they are the ones who discovered the vulnerability. And then they reported it, as you know, as good citizens, to Kaseya. It seems like, or sounds like, Kaseya, according to, you know, DIVD, was very amenable to patching, very responsive. Yeah.

[00:11:27] Brad Nigh: Yeah. It’s just bad luck.

[00:11:31] Evan Francen: Well, you know, and it will be interesting to see what else comes out about that, because it was really, they already had the patch. They were testing it. I think they were getting really close to deployment, and then, you know, REvil or an affiliate, we don’t even know if it’s REvil directly. It might be an affiliate. They run a whole ransomware as a service operation. Right?

[00:11:53] Brad Nigh: Yeah, nuts.

[00:11:55] Evan Francen: Yeah. You know, prior to that, you know, July 2, right? That detonation. And you wonder, part of me, that’s not clear yet, is did they have inside knowledge that this patch was coming, or was it truly coincidence or luck? Because I don’t think it was. I actually think they had some inside information that this was coming.

[00:12:22] Brad Nigh: Yeah. It’ll be interesting to see. I wonder, they, yeah, that’ll be an interesting thing, you know, where were they testing it? Did they push it out to like a beta group, and they, whatever the hackers ended up being, I saw that when I’m to execute, right? Like there’s, it’s interesting. This will be interesting to see the details.

[00:12:41] Evan Francen: Right? Or was there, or is there, an actual leak or an attacker within Kaseya? Yeah. You know, sharing information, or you know, they’re monitoring communications. But anyway, that’s all speculation. So the attack vector, and it wasn’t until, I would say, maybe 24 hours later when, you know, I became aware that this wasn’t a SolarWinds attack. That this was an attack directly at the VSA servers that are accessible from the internet, and DIVD, I think, did a great job, you know, they scanned for the servers. And prior to the announcement there were about 2200 VSA servers that were accessible from the internet. Yeah. And within, I don’t know, a day or two, it was down to 140. I don’t know what the current number is. So it was good to see such a quick reaction, especially over a holiday weekend.

[00:13:42] Brad Nigh: Oh my gosh. Yeah. Yeah. Well, and you know, that makes me think that’s part of why I’m like, maybe it was just timing, because you do have a holiday here in the US. Granted, this was worldwide, you know, there’s companies all over the world that got hit by this. But was that part of it? Hey, it’s the holiday weekend. People aren’t paying attention, they’ve been cooped up for a year.

[00:14:15] Evan Francen: All right. Well, and so that makes me think of another thing too. I don’t know if in our industry we’ve blown things out of proportion. I think sometimes, you know, we use fear to sell more stuff. So, so far, you know, what we know in terms of numbers of organizations that were affected, and this is worldwide, 60 MSPs and 1500 downstream businesses. So put that into context, I mean, put that in the context of the number of Kaseya customers and, you know, obviously that’s pretty significant, but in the context of, like, the world, you know, 1500 downstream businesses, how many businesses are there just in the United States alone? Mhm. So, kind of, no, it’s a big deal. Yes, it’s something that needs to be accounted for and addressed, but I don’t think it’s, you know, because I’ve heard some people say, well, this is the biggest attack ever. Mm, I don’t know,

[00:15:21] Brad Nigh: it could have been, but I think we got lucky.

[00:15:26] Evan Francen: Well, there’s that too, we may have gotten lucky. So it was a direct attack against the VSA servers, and then once they exploited the zero day, and there’s a bunch of good IOC data out there.

[00:15:38] Brad Nigh: Oh, and I’ll say this, did you see they put out a tool that you can run? Like, all things considered, it looks like they’re handling this correctly, you know, being very open. Their communication has been fantastic. Um, yeah, putting out tools, but yes, so forth. I think Huntress has a really good technical write-up of what exactly it does, which, you know, from an incident response standpoint, makes life a lot easier.

[00:16:13] Evan Francen: No, for sure. Yeah, that was good to see too. You know how our community really got at it. And I think we had good IOCs, like, almost immediately. Seems like, yeah,

[00:16:28] Brad Nigh: you know, and so just kind of going off topic a little bit. What’s funny is this has been so dominating, the whole thing, I was thinking we were gonna talk Windows Print Spooler remote code

[00:16:39] Evan Francen: execution too.

[00:16:41] Brad Nigh: That is like not even on anybody’s radar at this point. And I saw that last week when that came out, Wednesday, sent that over to the team, and we were like, uh huh. So, you know, uh, this could be ugly. And then to see it happen, it’s just like, good lord.

[00:17:02] Evan Francen: Well maybe we’ll talk about that too briefly, you know, in today’s show because that is really important and we can kind of, you know, we always go off topic anyway, so that’s easy enough for us to address that it’s

[00:17:15] Brad Nigh: still in the same vein. Right?

[00:17:17] Evan Francen: Right, for sure. For sure. So it’s funny that, so this hits and really, you know, one of the first things that happened, it drops, you know, through a PowerShell script, you know, drops the script and defends, uh, sorry, disables Microsoft Defender for Endpoint protection, which is so common, uh, uses certutil to decode malicious, you know, it’s a malicious executable, uh, agent.exe. That’s a legitimate binary. Uh, MsMpEng.exe, which is an older version of Microsoft Defender, and a malicious library, and sort of goes, you know, from there. The attack vector is similar. We’ve seen this before. It’s not.

[00:18:13] Brad Nigh: Oh yeah,

[00:18:14] Evan Francen: that was another thing that I heard, you know, at the very beginning, I think we rush to judgment. Too many people rush to judgment because we heard from the very beginning. Oh, this was ultra super sophisticated. Mm No,

[00:18:25] Brad Nigh: No. This is almost like, when you look at the attacks we see, they’re running encoded PowerShell. Exactly. Well, I mean, not exactly this, but basically this is what you see. This is a fairly standard attack, which, you know, I don’t want to, say, downplay it or be dismissive, but it’s what you see.

[00:18:53] Evan Francen: Right? Well, that’s what makes me think too, because we haven’t, you know, we haven’t determined whether it was REvil themselves or whether there was, you know, an affiliate, because like I said, REvil runs a ransomware as a service. Yeah. You know, I can go rent it right now. Yeah. Go ransom somebody. Because it doesn’t look, but I’m not, you know, I’m not in the weeds with Kaseya’s incident response team or the incident response team, you know, FireEye or anybody else. But it doesn’t seem all that ultra sophisticated, I think, especially if you had insider information on this vulnerability, ah, you know, if you knew this vulnerability was there, or you know,

[00:19:37] Brad Nigh: Well, and the researchers that found it said it wasn’t hard to find, it was pretty easy to just attack, and yeah, okay. Not surprising that

[00:19:50] Evan Francen: Right. Well, yeah, because that was one of the questions, I think, posted on Twitter. The question is how REvil got their hands on it, or perhaps more accurately how the affiliate did. That was from July 3, and then Victor Gevers, you know, the researchers who found it, and, if I show you the PoC, you would know how and why instantly. I mean, I guess it’s like

[00:20:18] Brad Nigh: sounds pretty, it’s pretty obvious. So I’m gonna throw this in the chat. I don’t know if you’ve seen it, but this is why we preach turn on PowerShell logging. We’ve been, I’ve been saying that to everybody for a long time, and, uh, actually if you just Google PowerShell logging, there’s a FireEye blog from 2016.

[00:20:40] Evan Francen: Also that’s not new. No,

[00:20:42] Brad Nigh: It’s been out for five years, 5.5 years. Turn it on, because that’s what they’re using for attacks. And if you want to know what happened, you need to have that logging turned on. If you don’t have it turned on, you’re going to be blind, you’re just not going to see what happens.

[00:21:02] Evan Francen: Well, it’s, you know, and it’s easy to play Monday morning quarterback. It’s speculating all kinds of things, you know, because as I’m sitting here, I’m thinking, you know, if these VSA servers, I don’t know, like I said, I don’t want to say VSA either. But if these things are accessible from the internet, you know, how hardened are they? You know, would you have things like, you know, as part of the standard deployment, turn on PowerShell script logging, uh, do these things have to be accessible from the internet, or is it possible to put them behind a VPN with multifactor authentication? So I’m guessing, if the nature of the VSA server is for remote administration and all those other things, the only reason why I’d have it accessible from the internet was so my technicians could potentially log into it and conduct, you know, some of their tasks, which

[00:21:51] Brad Nigh: Okay, VPN.

[00:21:53] Evan Francen: Exactly. So, yeah, and I don’t want to, like I said, it’s easy to play, uh, you know, Monday morning quarterback, but I wonder, because I saw the guidance that came from, you know, CSA, I’m sorry, CISA, and the FBI. And as I was reading it, I was like, okay, here’s what they recommend for MSPs: enable and enforce multifactor authentication on every single account that is under the control of the organization. Okay, it seems, I mean, enabling and enforcing MFA for every single account, that’s going to be hard. That kind of exceeds, it’s a best practice and I’m for it, but it sort of exceeds what we would normally suggest as a best practice, because it is very destructive to do that.

[00:22:41] Brad Nigh: Yeah. Yeah, so I just, while you were talking, Googled to see, and it says, uh, the VSA server requires access to the internet for the following functions: patch management reaches out to Microsoft to get patch information, and then reaches out to Kaseya to get ancillary files and then hot fixes for the Kaseya server. So downloading those. So, yeah, sounds like from a day to day perspective, no, it just needs to be able to reach out to Microsoft and Kaseya for the most part.

[00:23:14] Evan Francen: And that’s egress, right? So, yeah, does it need anything ingress?

[00:23:18] Brad Nigh: No, that doesn’t sound like it, because the question was, I’m setting it up in an environment that doesn’t have internet connectivity. Well, here’s what you need. So, yeah, no, it doesn’t.

[00:23:30] Evan Francen: Huh, interesting. That was one of my big beefs about SolarWinds. They said, you know, it was so super, uh, sophisticated, and it was so sophisticated that there was no way to mitigate it. That’s like, okay, there’s always a way to mitigate things, right?

[00:23:47] Brad Nigh: So we saw it, the IRS didn’t have their SolarWinds and they didn’t get hit, you know, they didn’t have it accessible from the internet. I mean, it kind of proves the concept, like, it’s, that’s seriously, yes.

[00:24:03] Evan Francen: Yeah, it’s interesting. This kind of, somebody reminded me of a talk I’m giving in Israel at Cyber Week on, I don’t know, it’s the 6th today, uh, the 21st I think, but this is what it’s about, right? This is what the talk is, and this is a worldwide audience, really. The talk is titled “They’re winning,” right? And the reason why they’re winning, if you look at, like, sports, you and I both played sports, right? If there’s one thing I noticed about the best players, it was how hard they practiced and mastered the fundamentals

[00:24:47] Brad Nigh: 100%

[00:24:49] Evan Francen: right, whether it be footwork, whether it be, uh, you know, positioning, uh, head, whatever it was, it got drilled into every practice. After, you know, it’s like I’ve done this same drill 250 billion times and here I am doing it again, and the reason why is, it’s the fundamentals. That’s what makes you, I mean, there’s gifts and all those other things, but if you don’t have the fundamentals you’re crap. If you’re in a position, if your footwork sucks, if your body position ain’t right? Yeah, forget about it. And so when you talk about “they’re winning,” the reason why they’re winning is because we’re not doing the fundamental stuff. We’re going too damn fast. We’re, um, adopting technology much faster than we can secure it. And, uh

[00:25:38] Brad Nigh: Mm hmm. Yeah. So, yeah, I agree. I mean, and we’ve been, this is what, episode 138? I think we’ve said fundamentals probably every single episode, like it’s not going away. And you know, I would say the companies that make me feel good, like I just had a call last week with somebody who’s going from Exchange on-prem to O365, and they were migrating, and they said, but the whole thing was, can you guys help us secure that as we move so that it’s done properly? We want to make sure, because we don’t know. And a little, yes, thank you. Yeah. That’s awesome to hear.

[00:26:23] Evan Francen: Well, it is, man. I mean, I think, yeah, and you can see where we’re suffering in so many different places because we’re not doing the fundamentals. So when you look at, like, President Biden’s executive order, the reason why there’s so much stuff in there so fast, so soon, is because it’s almost like you’ve got to start over in a lot of places, right? Because you didn’t do it right from the beginning, and sometimes you do need to do a rip and replace. We do that in incident response sometimes.

[00:26:49] Brad Nigh: Yeah. Well, you mean, yeah, you see it. People, how many times have you seen or heard from the software company, like you go in, why is this service account running as administrator? Well, that’s how we could get it to work. Or the company, the software company, the vendor, says, well, it just needs to be, no explaining why, because we couldn’t get it to work the other way, or it was too much work, it was slowing things down. Well, okay, I guess that’s your risk tolerance and you’re willing to take that, as long as you know. But this is stupid

[00:27:32] Evan Francen: this shit. Well, that’s the thing with, you know, like, you know, when you boil it down, it’s IT, right? So IT folks, they are motivated to get things working. Once it works, you know, I may not put in the extra effort to secure it. I just need it to work.

[00:27:49] Brad Nigh: Well, and I mean, I’ve been in IT, like I totally get it. IT is almost usually a thankless job, right? You’re typically thought of as a cost center. If the company doesn’t see you doing anything, you know, that things are working, they’re like, well, what are those guys doing? And then if something goes wrong, it’s, we’ll get it fixed, right? It’s a, very much a no-win situation a lot of times. So, yeah

[00:28:17] Evan Francen: There, that’s for IT. It’s even worse for security people

[00:28:20] Brad Nigh: for sure. Yeah, I went from IT to security. So that says a lot about

[00:28:26] Evan Francen: you, like pain

[00:28:28] Brad Nigh: right? Uh, I like the challenge, but yeah, I mean, I totally understand it, because that’s the thing, their job is to keep things up and running for the business. And that sometimes means, you know, not doing things securely, but that’s, again, that shouldn’t be IT’s job necessarily. It’s a mess. At least we don’t have to worry about not having work.

[00:28:59] Evan Francen: Right. And so, like Kaseya, right, I mean, when you set up the VSA you allow-listed, right, or whitelisted, as the traditional, you know, so that it can talk to everything, or you know, at least certain directories, because it’s going to act like malware. Right. Yeah, and that’s what happens when you install this system, and when you look at the technical details and so forth, that’s exactly, you know, how you install it. And so that’s naturally where the attacker is going to go, right? Going after systems like the VSA. Perfect. Right? Because under the VSA process, or you know, replace binaries, whatever I’m doing, uh, I have free rein.

[00:29:42] Brad Nigh: Oh yeah, I mean, well, yeah, and again, this is what we see, right? The attackers will take a valid process and inject the PowerShell into it, and then it’s running under a valid process. Well, in this case it was even worse, because it’s not just like calc or notepad or whatever it is, which you wouldn’t traditionally, like, exclude from scans. Right. Right. Right. This is software that you would typically exclude because of its actual behavior, and yeah, it’s not, yeah, it’s a mess.

[00:30:25] Evan Francen: Yeah, and in this case, so it hit on Tuesday, I’m sorry, Friday. Ah, the expanse of the attack, 60, Kaseya, well, they are aware of fewer than 60 Kaseya customers that have been affected. They were all VSA on premise servers. So there’s probably, I’m guessing, well, today some people get back to work today, right? Some people had the fifth off, because, you know, it was a holiday because the fourth was Sunday, uh, so that number might go up a little bit. You know, some people, believe it or not, won’t know until they come into the office, like, hey, my stuff is not working. Um, but fewer than 60 Kaseya customers known so far, all of whom were using the VSA on premise product. Um, they were directly compromised by the attack. Right? So all those things had to be true. The customers downstream that were affected, fewer than 1500, and this is all according to Kaseya in one of their last updates. And they have done a good job, I think, in communicating. Uh, when you put that into perspective, we’ve had much bigger attacks before. Yeah,

[00:31:45] Brad Nigh: I think the issue is the number of companies. Right. Yeah, I think, uh, REvil put out a million individual endpoints have been affected, which is a lot overall, but we’ve seen bigger impact. But it’s the number of companies that got it.

[00:32:09] Evan Francen: Well, they’re motivated, they’re motivated to inflate that number, because they’re seeking a $70 million, you know, ransom. And I think they dropped that down to 50 million and basically stated they’re willing to, uh, negotiate. Which is like, it’s always awesome when you have people, these guys are good coders and all that other stuff, but they’re not very good at negotiation, because dropping from 70 to 50, you named a higher price probably at the beginning, and now you’ve dropped it to 50 and then said you were willing to negotiate. Well, that shows you’re desperate, because you’re probably not going to get anywhere near that, because we have our hands around it and you know that.

[00:32:49] Brad Nigh: Yeah. Yeah. It’ll be interesting. I don’t, yeah, it’ll be interesting to see what happens. I saw one article that was saying that they put out that one price for the universal unlocker because they were banking on insurance companies to say, well, it will be cheaper to just pay once, and, well, let’s all just split the cost. Right? Right. You know, we’re seeing more and more where insurance isn’t willing to pay that, and they’re getting a little bit, I think they’re finally realizing. Oh,

[00:33:24] Evan Francen: right. When I wonder if, you know, yeah, Insurance eventually may not cover these at all anymore. And if you haven’t done certain things,

[00:33:32] Brad Nigh: We’re definitely seeing that. I’m actually working on putting together a list of requirements. And you know, we’re seeing, if you don’t have MFA on everything external, a lot of times they’re just not, I’m not going to cover you

[00:33:45] Evan Francen: period. Thank God. I mean, we’ve been yelling and screaming that. Seriously. It is absolutely, it’s negligent to have something sitting on the internet without multifactor authentication.

[00:34:00] Brad Nigh: Yeah. Yeah. And you know, the other thing we’re seeing is, uh, mm hmm, critical systems internally, uh, will lower premiums. And then we had one customer that was going through the process and they said, okay. So they filled out the questionnaire, and one of them was, you know, around incident response and playbooks, and they came back and said, okay, you say you have them, show us, right now. Like, immediate. Like, you’ve got to produce this

[00:34:31] Evan Francen: Nice, yeah. People and lies, because I don’t want that. There’s nothing that irritates the crap out of me, man, when people don’t tell the truth. Uh, there’s two different kinds of lies, right? There’s so many times. This is our number one core value at FRSecure, right? Tell the truth. Two different types. There’s omission and commission. The omission ones are things I didn’t tell you that I should have told you. And then the commission ones are the ones where I straight out tell you something that’s not true. Yeah. And they’re both lies, and they torture me, man. Because, you know, we’re talking about doing business together, becoming partners, right? You say these big, you know, we’re going to be a partner, and you tell me the truth, right?

[00:35:15] Brad Nigh: I can’t. Yeah. And that’s, you know, when we do the risk assessment, it’s, hey look, don’t try to make yourself look better. Just let’s, let’s be honest, I know what’s going on. So if we can help you, like if you’re going to tell us, you know, Oh yeah, we’ve got that. You don’t, you’re not helping yourself.

[00:35:38] Evan Francen: I don’t think anybody.

[00:35:39] Brad Nigh: Right? So yeah.

[00:35:43] Evan Francen: Yeah. People have lots of reasons they do that, I suppose. Um, alright. So no other Kaseya products were compromised. Yeah. Which is good. Which also is another indicator that this was a direct attack at the affected VSA servers themselves and not the code. So that just reinforces that, uh, Kaseya has developed the patch for customers running VSA on their own servers. A patch should be available within 24 hours. I thought

[00:36:13] Brad Nigh: that this afternoon, the online version will be available today, and then they’re bringing the on-prem tomorrow.

[00:36:25] Evan Francen: Yeah, Customers should have the patches between two and 5 eastern today maybe.

[00:36:32] Brad Nigh: Yeah. Well, you know, we’ll see how that goes. But I think the fact that you’re looking at less than, what, four or 5 days, and they had the patch, they were on top of it. In terms of, like, already working through this, you can tell that they had been doing something. You don’t just turn that around that fast. Right?

[00:36:54] Evan Francen: Exactly. Yeah. They well, they like they said, you know, it reinforces what they were saying to that they already had a patch.

[00:37:02] Brad Nigh: Yeah.

[00:37:02] Evan Francen: Yeah. They were still testing it before they released it when this thing went down. Yeah, interesting, interesting story. I think we will survive. We will move forward. You know, I’m looking forward to the lessons learned. I’m guessing, uh, the lessons learned aren’t going to be all that different than the best practices we’ve been preaching from the get go. I don’t want to rush to judgment and start condemning people on this, because I don’t have enough details. But believe me, when we do have enough details, if there’s something to condemn, I’ll condemn it.

[00:37:38] Brad Nigh: Mhm. Yeah. I’d say at this point, we know, I mean, what is the number of bugs per, you know, how many lines of code you have per bug, or whatever it is. It’s going to happen, right? But it will be interesting to see what it was, and truly, could it have been something that was caught in the test, QA process. How did it get this, but how they responded, I mean, I’m like, it’s textbook, the correct way to respond, right? Controlling the communication, being open, and, you know, not trying to hide behind, you know, like you said, the omission type. You know, hey, this is what happened, here is what you need to do. Thank you, sir, robert. Hey, turn them off or get them offline, right? Get them off the internet.

[00:38:35] Evan Francen: And my bigger concern is, you know, the MSPs and the MSP deployments, you know, I’m not, right? How do you, like, if I was working at an MSP, you know, being a security guy, and you told me you were going to bring this server thing online and it was going to do these things, would I have secured it differently? I don’t know. You know, would I put it behind a VPN? Could it operate behind a VPN with multifactor authentication versus just letting it kind of dangle? Could I harden this server, or does it have to be a default sort of installation the way it is? You know, those are the questions that I’m looking at, too, because there are so many MSPs and there are so many customers who trust these MSPs, and there are some things we can do to improve their service, ultimately, you know, protecting their customers. Because that’s the part that pisses me off, I think, the most right now, is you have small to mid sized businesses, you know, dentist’s offices and, you know, small retailers who won’t recover. They will be put out of business. Out of that 1500 customers downstream that were affected, some percentage of those will be out of business. You destroyed their business. Either the MSP or Kaseya, it doesn’t really matter who you want to blame. The fact of the matter is they’re out of business. So, you know, if the MSP can do things better to make sure that that happens less often, that’s kind of the stuff I’m looking for, you know?

[00:40:05] Brad Nigh: Yeah. Yeah, it’ll be yeah,

[00:40:09] Evan Francen: That’ll be interesting, because I think Kaseya is not going to suffer from this, to say, I will hardly suffer, and neither will probably the MSP. And if I’m that small business and I’m, like, sitting there going, oh great, I’m out of business, what recourse do you have, you know what I mean?

[00:40:26] Brad Nigh: Yeah, yeah. And that’s what, and a lot of times that’s who gets hit, right? That’s who’s using these MSPs, those small mid sized companies that don’t have their own IT staff, and yeah, that’s what sucks. Right?

[00:40:44] Evan Francen: So we’ll see what comes of it, you know, once things kind of settle down a little bit and we start getting more details. Maybe I’ll do some research and find out more details about the VSA server product and how MSPs might be able to deploy that better.

[00:40:57] Brad Nigh: Yeah. Just reading more and more, it’s really interesting to see, uh, I was really looking at, Huntress has a write-up, and it looks like there was a screenshot.jpg that was part of the attack chain that’s actually an executable. It does a bunch of cleanup, but it looks like it may be a SQL injection as a final vector for code execution, not strictly, but another form. So, and they’ve got the actual code that is run, so, yeah, it could have been just getting in and that’s how they got in. Yeah, it’ll be interesting to read.

[00:41:39] Evan Francen: It will be, yeah. And I think my conclusion at this point is it’s not it’s a big deal. I’m not going to minimize it that much, but it’s not a big as big a deal as we made it out to be at the beginning. I think we jumped to a lot of conclusions just in the,

[00:41:55] Brad Nigh: Well, I mean, like I said, it could have been a really big deal if MSPs hadn’t responded and taken all those servers offline that quickly. Right. You know, this could have been exponentially worse. Yeah,

[00:42:13] Evan Francen: especially if, the DIVD, 2200 servers, and we only know about 60 that got hit. Yeah, it could have been much worse, yep.

[00:42:27] Brad Nigh: Yeah,

[00:42:27] Evan Francen: but I’m also not sure about the timing of their scans, these scans, that

[00:42:32] Brad Nigh: will be, I’m not I don’t have enough detail on that to know either. But

[00:42:37] Evan Francen: I wonder if they did these scans, you know when they were working on the patch and before any kind of detonation or anything or if this was after that. Yeah, we’ll figure that out too. Yeah, there’s a lot. There’s

[00:42:53] Brad Nigh: a lot that, I mean, this is still so new. Right? We still, I mean, you said it, it typically takes, you know, a couple weeks to fully understand, where you do all the forensics and understand exactly what happened. So

[00:43:13] Evan Francen: And according to Gevers’ quote in his tweet, he said, during the last 48 hours the number of VSA instances that are reachable from the internet has dropped from 200 to less than 140. So that would have been till July 2. That would have been the 48 hours. So, yeah, it would have been really close to the time that the ransomware hit. So it went from 2200 to less than 140. That’s quick. Yeah, that’s good.

[00:43:44] Brad Nigh: Yeah. I think the yeah. Yeah. I feel bad. The biggest one that I’ve seen is that the Swedish grocery chain that most 800 stores will be closed for a second day because the cash register software supplier was crippled.

[00:44:02] Evan Francen: So the Swedes are resilient there. Was that where the Vikings come from.

[00:44:05] Brad Nigh: I think so up in that area. But I mean the dad shows right that here’s a grocery store. It has 800 locations closed because their supplier got hit by this. So it’s not just like that, that down stream impact is going to be, you know, that’s going to take a while to understand as well. Yeah.

[00:44:29] Evan Francen: Mhm. Yeah. That’s the part that ticks me off more than anything is the the people who suffer, you know, I mean, that’s what motivates me every day is trying to help people not suffer right to say it’s big enough that they’re not going to suffer too much. Actually. They’ll probably come out well in the end because of their good response. They did do a good job responding. And that’s that shows the importance of having a good incident response plan, strategy and getting ahead of the communications so that you can control and craft the message. They did, they did a wonderful job on that.

[00:45:06] Brad Nigh: Yeah. And again, it’s not just, it doesn’t seem to be just lip service either. Right. They’ve they’ve actually given tools and and you know, similar what we were seeing with with SolarWinds in terms of the communication and being open and you know, it’s what we need. Yeah, true.

[00:45:30] Evan Francen: All right. Well, good. I think we’re going to live through that most of us, um, and we’ll provide an update next maybe next week if there’s something to update. Otherwise we probably won’t talk much about Kaseya anymore.

[00:45:43] Brad Nigh: Yeah. Just whenever we hear more like it’ll be probably a couple months from now when we finally get that report and see what happened.

[00:45:54] Evan Francen: Yeah, yeah, certainly there’s a Senate Intelligence Committee meeting. I’ll definitely tune into that. I love watching those. I’m weird like that. Yeah. All right. So the other one, yeah, that you mentioned and then this was this, you mentioned it it was Wednesday ish of last week. Uh, Microsoft had a pretty neat announcement about a zero. Really is a zero day? It was, but it’s a vulnerability in the Print Spooler remote, what’s it called? Windows Print Spooler remote code execution vulnerability. CVE-2021-34527, released July one. That would have been Thursday. We might have heard about it on Wednesday.

[00:46:41] Brad Nigh: What’s what’s interesting on this one is they actually uh, put a release out in June and it apparently didn’t fix the issue.

[00:46:54] Evan Francen: Right groups.

[00:46:55] Brad Nigh: And then this was uh, what I’ve seen, it was accidentally disclosed too because the researchers that disclosed that were planning on doing a presentation at Black Hat and it got out or I’m not sure exactly what they did, but it was not intended to be released. But yeah, the biggest thing is, you know, there’s a whole list of uh, groups that basically would allow anyone in the domain if to exploit the domain controller. Right? And I mean, it’s a big list of groups, uh, you know, admin, domain controller read only. Domain controller enterprises read only Domain controllers. Third admin schema. Admins group policy, admin power user system operator, print operator, Eco operator. Ah yeah, it’s that’s and uh yeah, I’m surprised we haven’t heard of this actually because there’s proof of concepts that were out on Wednesday,

[00:48:04] Evan Francen: right? Oh, somebody’s been hit multiple people, I’m sure have been hit because it’s exploitable from the network, right? I don’t so that’s fairly easy. The complexity is very low. Mhm. I don’t really need, I just need basic user privileges in order to run this. So how hard is it to get a user account? You just need to authenticate? You don’t need to have privileged authentication or to exploit. So

[00:48:32] Brad Nigh: I will say that the name of this was that on PrintNightmare. Yeah, I read that and I was like, oh, this is gonna be a nightmare. Oh, it’s pretty nightmare. Cool.

[00:48:42] Evan Francen: Alright. Yeah, totally.

[00:48:45] Brad Nigh: Yeah. All Windows versions.

[00:48:48] Evan Francen: Yeah. And when I had friends last week, I was talking to somebody and yeah, I was like, oh man, how you doing, what’s going on? He’s like, I got my whole team right now disabling Print Spooler, you know, throughout the entire environment. I’m like, oh because I hadn’t heard about it yet. I’m like, oh well it’s good to disable Print Spooler if you’re not printing. So that’s that’s a good thing. He’s like, no, there’s a bad vulnerability. And like, again,

[00:49:13] Brad Nigh: Exactly.

[00:49:15] Evan Francen: But then you said, yeah, this is the one from, you know before, I’m like, oh, okay.

[00:49:20] Brad Nigh: Yeah. Yeah. Again, you know it sucks. We know in software there’s gonna be bugs. It just happens. It just seems like we’ve had some pretty high profile vulnerabilities lately.

[00:49:39] Evan Francen: Yeah. Yeah, for sure. We’ll put the post, I’ll put the post in the in the show notes for the, you know, Microsoft security update guide which labels this vulnerability and kind of tells you more about, you know how it operates. But if you Google PrintNightmare, you’ll you’ll find plenty of good stuff about it. The sad thing is right now there is no patch and it’s not clear when Microsoft will have a patch. So for now it’s just disable Print Spooler or that’s your isolate isolate the systems that actually need to have printing but Well who prints anymore?

[00:50:15] Brad Nigh: The nice thing is that they did put out a work around where you can disable the inbound remote printing through group policy. Right? So yeah, the server is no longer a print server but you can see that would allow people to still print locally if needed. Yeah, there are some don’t work around but yeah, I’m glad I’m not 90 right now.

[00:50:42] Evan Francen: Right. Especially in a company that is heavy print like like law offices, legal firms uh others but thanks health care. Oh my God. Yeah.

[00:50:56] Brad Nigh: Mhm.

[00:50:56] Evan Francen: Alright. Well there you go. So as soon as the patch was released and I haven’t heard when Microsoft we’ll be issuing a patch.

[00:51:06] Brad Nigh: Uh as far as I know, see I’m looking at their actual I don’t know. I don’t think I haven’t seen a date. Yeah, no dates at this point. It says they just say apply the security updates released in June and review the workaround sections for how to protect.

[00:51:29] Evan Francen: That’s how you get.

[00:51:32] Brad Nigh: Yeah. Yeah. They don’t have an exploit yet.

[00:51:36] Evan Francen: There are exploits in the wild. Yeah. Yeah. Okay. Right. Well there’s that uh this was always going to farming go, you know, it seems well that’s that’s wrong. Probably more rewarding and probably more healthy.

[00:51:58] Brad Nigh: Yeah, that’s probably the last one. For sure.

[00:52:02] Evan Francen: Yeah.

[00:52:02] Brad Nigh: A lot more moving. I wouldn’t be sitting at my desk for and realizing that I haven’t moved for six hours.

[00:52:10] Evan Francen: Yeah. Exactly. All right, so just summarize today’s show uh you say uh that attack at not gonna die?

[00:52:23] Brad Nigh: Probably. No, it could have been much worse

[00:52:26] Evan Francen: have been much worse. Yeah. And I think lots of good things came of it and I’m excited, you know that you can do a little bit more and find out what else we can learn from it. It’s not like most most attacks, you know, you look at them and you’re like I’m really angry because you missed this. That and the other thing at this point I think I’m not angry with me. Say I think I’m probably going to have some anger about MSPs when we started digging in on that a little bit. Mhm. Uh But even then so far, I mean the way they responded quickly if they did indeed shut down that many servers that quickly. That’s pretty damn cool.

[00:53:02] Brad Nigh: Yeah, maybe this is the wake up call for MSPs who haven’t been taking it seriously because you know this again, this could have been really bad. And those ones that got hit, what do you what happens when you have that have you know, affect you. Every one of your competitors is going to be calling your customers and saying didn’t happen to us.

[00:53:23] Evan Francen: Yeah. We were running the same software. Funny.

[00:53:26] Brad Nigh: Yeah, our customers weren’t ransom.

[00:53:29] Evan Francen: Yeah, exactly. So there’s that. And then the other summary is just uh Yeah, they have the Microsoft Print Spooler. We’ll put the link in a if you Google it, PrintNightmare, you’ll find it. But we’ll put the link in the show notes. Not much you can do about it other than uh mitigate the risk. You can’t patch it yet. Both the one Microsoft issues something. Yeah. Alright, that’s that’s all I got the shout out for you.

[00:53:58] Brad Nigh: Ah you know it’s funny. I know we’re gonna do this every week and I never think about it but I don’t right now um shout out to my family for putting up with me hobbling around all weekend on a broken toe and complaining.

[00:54:15] Evan Francen: There you go. I’m gonna give a shout out to a sales guy, believe it or not. But it’s a safe. Yeah, I’m going to give a shout out to juve. Okay. Uh I got to sit in for uh John Harmon last week on some sales calls for three days and was fun to hang out with them. And I love the fact that our, our sales people do it right. They don’t compromise our mission or value. They believe it, it was amazing. So shout out to him and the whole sales, you know.

[00:54:49] Brad Nigh: I will say I’ve said that before too. But uh yeah, brought me in on calls where they’re, they’re like, hey, the customer just wants to clarify or understand this better. Can you, can you jump on a call with them? I love it there. They do that vs just tell the customer what they want to hear, right? Like, and it’s not always in the best interests of the sale necessarily, but it’s the right thing to do.

[00:55:17] Evan Francen: That’s it. I mean they take it to heart man and it’s so rare to find that with salesman because they do get held to of accountable to a number, just like anybody else in sales. You have to sell a quota and all that other stuff. But they do it right.

[00:55:34] Brad Nigh: Well, and honestly that the fact that they do it right is why they’re doing so well. I mean, you get a reputation and that’s good thing. People talk, Yeah, totally. These guys did the right thing.

[00:55:49] Evan Francen: So totally yeah, gives me a lot of trust in the management team, you know, all the way down to you and to Drew and Oscar it’s just it’s really cool. They have so many people with real integrity, you know, working beside you.

[00:56:07] Brad Nigh: It’s the no a horrible and it it is from top to bottom.

[00:56:13] Evan Francen: Yeah, that’s cool. I love it. All right, thank you to our listeners. Thank you Brad. It’s good to see you man. And we’ll catch up some more. Uh if you have something you’d like to tell us, email us at the show on unsecurity@protonmail.com. I think this might be the last time I announce that because nobody really emails us because nobody wants to talk to us.

[00:56:33] Brad Nigh: I mean they just reach out directly. Yeah. You don’t go to the

[00:56:37] Evan Francen: podcast. If you have a social type, socialize with us on Twitter, I’m working on some cool projects so you’ll see some stuff coming eventually from that. But I’m @EvanFrancen, Brad you’re @BradNigh, Twitter handles that don’t really matter. But they do matter, but you don’t have to follow them. Unsecurity is @UnsecurityP, SecurityStudio is @StudioSecurity and FRSecure is @FRSecure. There’s a lot of good stuff there. But that’s also like I just gave you five Twitter handles in like two minutes. So that’s a lot. All right. That’s it, man. We’ll talk to you next week.

We look at some surprising online fraud statistics. Between pirated games, customer support tools, SolarWinds group targeting customers, customer service systems being hacked, a malware supply chain fiasco, and a nasty Edge bug, Microsoft has a lot going on security-wise. Evan and Brad break down all the notable Microsoft security news surfacing recently on this episode of the UNSECURITY Podcast. Give episode 137 a watch/listen and send questions, comments, and feedback to unsecurity@protonmail.com.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the unsecurity podcast. This is episode 137. The date is June 29, 2021. Joining me is my good friend, my pal Brad Nigh, how are you Brad? Good. And it’s good to have you back man. You know, for the listeners, it’s uh 7:11, 7:12 in the morning and we jump on usually Tuesday mornings at 6:45 to you know, start talking. So we’ve been spending almost the last half an hour just talking about life stuff.

[00:01:00] Brad Nigh: Yeah. But well, I mean, I’ve been open, we’ve had a pretty stressful yeah, a couple of weeks and then we’re all going back even to last november when I started when I had the uh, well we actually can you think of what it was that your

[00:01:19] Evan Francen: balanced? Oh, that’s right. Yeah. Holy crap man. There’s so many things that I’ve kind of forgotten about, some of the things that’s

[00:01:27] Brad Nigh: just absurd,

[00:01:28] Evan Francen: right? Yeah. So listeners, uh, you know, if you’re the praying type, you know, some prayers for Brad and his family because it’s a tough stretch man. But like you said, like we said earlier, it’s got to end sooner or later.

[00:01:42] Brad Nigh: I hope, I

[00:01:46] Evan Francen: mean the fact that you kept it together as well as you have, it’s been I think inspiring to me, you know, and uh we also talked about before jumping on, you know, just the helplessness. You know sometimes when you see anybody, you know, I have three or four friends who are struggling with different health issues and either them or members of their family and it it sucks because there’s really nothing you can do right off your good thoughts. Try to check in once in a while to see if you see how you’re doing to encourage.

[00:02:23] Brad Nigh: Yeah, I think, well, I think, you know, we talk about mental health within Yeah. Yeah. The workplace to and this is one of those things. Is that a good example where I mean, let’s be honest, what’s going on at home affects what happens at work, right? Like Um I’ll be totally honest, I haven’t been able to be 100% have I got my work done? Yeah. But am I you know, am I distracted because of everything else? I mean, how can you not be here? Human? Yeah,

[00:02:59] Evan Francen: man, for sure. You know, like lots of security people, I think, you know, we get very passionate about our work and sometimes it blurs the lines between what’s work and what’s home. Uh and when you’re, you know, you’ve got sicknesses and things to deal with and you know, life issues. Uh huh it starts to become pretty obvious what’s work and what’s, you know, what’s home, what’s life you know what I mean?

[00:03:27] Brad Nigh: Right. Yeah yeah. You know and having the support of the team and leadership and everything has been it just so helpful and so yeah we’ll get through it and keep on. But it’s very weird. It’s very different from from work where what we were talking about we were in control right now controlling things but I know what’s going on. I have a sense of like their stability even when things are chaotic. I know what’s going on. I can handle it. I can’t do anything hole and stuff and that’s what’s so tough. So very very different from what I’m used to.

[00:04:10] Evan Francen: Yeah well maybe that’s part of you know on the other side of this you know it seems like those life things we talked a little bit too about you know when I was diagnosed with cancer and just the other life issues man, I mean in hindsight you could I can always look back and and see the lessons and appreciate going through it when you’re going through it. It’s the worst thing you know? Yeah. Yes. Yeah I mean I said I have no like who was I talking he was talking to somebody last week and they were talking about regrets you know uh because I’ve left you know d d d I’m not blaming on E. D. D. I mean Maybe blending on something else and it’s 2021 so I ain’t taking any credit for myself can’t be me but uh you know I’ve done some crazy things over my lifetime you know? And uh yeah just being here still kind of just still kind of a blessing I guess.

[00:05:19] Brad Nigh: Yeah. Yeah. Fun. That’s our Yes. Oh the uh Stuart Smalley, old Saturday Night Live with Al Franken.

[00:05:33] Evan Francen: Yeah. Big time. We’ve got some stories to cover today. I do appreciate you know Ryan filling in for the one week that uh and I appreciate that, I appreciate that you and I have that kind of relationship and you know you have actually set a good example for me on priorities because it was the morning. I don’t know, maybe it’s the night before the episode 135 when you text me like yo not doing the show. I’m just not

[00:06:04] Brad Nigh: can’t it was one of those things where I was like I just can’t do it, I’m not here, I’m not functionally able to do it but you’re right. So but I appreciate that you know we do have that relationship. Can I feel like I can be honest with you about that and I don’t have to take it.

[00:06:26] Evan Francen: No no and I I want shit man. You know people think it that because you can only take so long and then I’ll send you hit it right? You hit the wall or well they do have those mental breakdowns where it’s just like well and then bad things happen, man.

[00:06:46] Brad Nigh: Yeah. I think, uh, it was helpful. Uh, anybody listening that Washington Post had a really good article about burnout and using the whole look that up and you know, that, that came out after, uh, that I was like, oh yeah, because I always started burnout as work. Like I’m sick of this job. I’m tired of this, I’m done. And that’s not the case. I love what I do. Like even, you know, here’s what’s crazy. It’ll be five years next month and I still like love every day. And, but reading, it’s like, oh, prolonged exposure to, you know, what is, it looks extensive or excessive stress or something. And then all the kind of the symptoms. And I was like, yeah, okay. I know that that explains it so much. You know, so anybody listening look that up, it was actually really, really helpful because I guarantee you there’s a lot of people going through that, not realizing, you know, what’s going on, right?

[00:07:53] Evan Francen: Yeah. And people that want, you know, Yeah. The link I’ll do, will be posting the shout outs this week, probably this evening. So if you’re, Which would be Tuesday night, so they’ll be the 29th because my wife is out of town. So I got all kinds of time to do all kinds of stuff, but we’ll also put the links to the news articles we’re gonna talk about today. So, um, yeah. And maybe next week we’ll talk about burnout. Yeah, yeah. I think a lot of security people, I’ve talked to a number of, you know, uh, veterans in our industry who have been doing this for a long time and they’ve either thought burnout or they actually burned out.

[00:08:40] Brad Nigh: Right. Right. And, you know, it’s interesting because, like I said, I always thought of it as solely like a work thing where I it felt burned out at work. Like I just don’t, I don’t want to deal with this anymore. And it never even occurred to me that it would be just in general, Right? It was pretty eye opening.

[00:09:05] Evan Francen: Yeah, man. And I think, yeah. And then we’ll move on because I think, um, knowing you like, I do, you know, all the stuff that you’ve gone through at home Over the last, you know, 6, 9 months, including stuff not even in your home, but in your family. And you’ve got, you know, covid and I’m dealing with all that crap and oh my God, man. Yeah. Yes, Yeah. And who’s been watching you go through it? I get it.

[00:09:35] Brad Nigh: It’s been a long uh meal, 15, 16 months, but we’re getting out of it.

[00:09:41] Evan Francen: That’s right. Here we are, man, still alive, new day. So Microsoft has been in the news quite a bit the last, well, they’re always in the news because they’re Microsoft and they’re big and they’re the king and the queen and the court and they’re Microsoft. So uh but there were some newsworthy things over the last, you know, week, that sort of stuck out for me, one of those, the malware um in pirated games. Well that’s really not all that surprising because if you’re pirating, I mean if you’re using anything pirated, you sort of expect you should expect some malware. But there was one story particularly that caught my attention and the Nobelium um is still around, you know, that’s uh those are the same attackers that that house. Yeah, so we’ve got a few uh, got three news articles, you know, kind of getting different angles on, you know that. And then Microsoft uh actually four news articles on that and then Microsoft, signing, signing a rootkit.

[00:10:50] Brad Nigh: Yeah, yeah, that’s tough.

[00:10:54] Evan Francen: It’s not much you can do to protect yourself when Microsoft itself signs the driver. Uh Yeah, unless you’re sort of paying attention and you see, you know, the communications happening, you know, from your computer egress, you would never see those command and control. Uh, IP addresses come up. So I got two articles there. And then the last one I got around Microsoft is the Microsoft Edge bug. Never been a big fan of Microsoft’s browser. So the fact that we stick Edge on, you know, my PC Yeah, no less hacker steuer. Yes. Good.

[00:11:36] Brad Nigh: Did did you give one for LinkedIn 700 million LinkedIn

[00:11:40] Evan Francen: Users? I did see that one. Yeah. Yeah, I don’t know, man, you got to wonder if people are getting like breach um don’t just breach numb. Just like whatever. I don’t care, I didn’t steal it. Many have that victim sort of attitude. Uh then I’ve got three more things that we can talk about if we get there quick enough one. When we talk about this one. Actually first I want to talk about John McAfee real quick because he was such an iconic figure for so many years in our industry. Um billion dollars lost by people over the age of 60 through online fraud in 2020 says the FBI last week. And then uh this one always caught my eye, it’s critical CISO initiatives for the second half of 2021 because I always like to hear what what people think CISOs should be working on in the second half of 2021, I’m guessing most CISOs probably have the second half already planned and probably had it planned. I

[00:12:48] Brad Nigh: I like to say that my experience with our customers and working as a vCISO right yeah. Unless something were to like pop up unexpectedly they already know what the focus is.

[00:13:08] Evan Francen: Yeah when yesterday I was like yesterday I was on a round table and uh it’s a bunch of CIOs and uh you know they were talking about you know their challenges and in the digital transformation and uh what else? You know the big buzz words and and I was on this round table, there’s a private round table, so there wasn’t like an audience and I was the only security guy there and I was like, do you think maybe you know because yeah, we use the same buzzwords, not really the same buzzwords, they’re new buzzwords, but for the same crap that we were doing, 10, 15, 20 years ago. And we just kind of regurgitate the same thing over and over and over again digital transformation, you’ve got to speak the business language. It’s like, do you think we just keep coming up with these new words and angles because we’re sucking our doubts?

[00:14:02] Brad Nigh: I mean, yeah, I don’t know, I mean maybe not suck from a you know, talent standpoint, but stuff from the communication standpoint, I could definitely see that

[00:14:20] Evan Francen: well in, you know, having the, you know, the perspective of a CEO and a security guy. Yes, it is, you know, I don’t take that for granted because the what I don’t want on my management team is yes men and yes women, you know, people just tell me yes, yes, yes. And so I was thinking, you know, from other CEOs’ perspectives, you know, when the CFO says you can’t afford something, you can do something, you listen, it’s we can’t do it right, we don’t have the money, right? And so but a CEO how often does the CIO and what happens, but I don’t think it happens often enough for the CIO doesn’t assert that same sort of uh authority and maybe you know with the CEO we’re like no, we can’t adopt any more technology. We can’t even manage the stuff we have today.

[00:15:18] Brad Nigh: Right? Well because yeah, it comes across as I’m not doing, I can’t do my job at right? But CFO, because we can’t afford that. Well why not? Nobody? Nobody would question, you know, you don’t hear that? A good point.

[00:15:37] Evan Francen: Yeah. Yeah. So. Yeah. Alright, alright. New malware so pirated. We’re going through this one real quick. New malware in pirated games disables Windows updates and Defender. This is from HackRead. Yeah, Crackonosh is the malware, been around since 2018? So it’s not really all that much news but Avast it’s a I guess additional research actually. There was some additional research that was done uh And Crackonosh actually is a word that it actually means something, means mountain spirit in Czech folklore. Mhm. There’s a trivia. Thank you for you.

[00:16:18] Brad Nigh: It’s interesting. Yeah. This was there the Netfilter driver. Right? Where?

[00:16:25] Evan Francen: No this one is this one is different, a different, that’s a

[00:16:29] Brad Nigh: Different one where they signed

[00:16:31] Evan Francen: It. Yeah, this one’s a $2 million. This one mines cryptocurrency?

[00:16:39] Brad Nigh: Oh yeah, I know the one that I was thinking of because we didn’t really talk about this ahead of time. But Netfilter rootkit to Chinese C2s and spoofs. Amos geolocations to cheat system and play from anywhere.

[00:16:56] Evan Francen: Yeah, that one’s coming next. Yeah, Okay, we need to keep, you know, that’s what I’m telling you what, that’s why Microsoft caught my attention this week. I’m like, really? And then I would, I did the same thing you did. I’m like, okay, is this one the same as this one is a different one? Uh, yeah, this one mines, just mines cryptocurrency. It’s and it’s been around for a while, but it’s in pirated games, so the game has to be pirated for this. Okay. The other one, it’s legitimate, like, like software, it’s not pirated.

[00:17:33] Brad Nigh: Yeah, that’s what I was, that’s why I was thinking you were going with that one, wow.

[00:17:39] Evan Francen: Yeah. So Crackonosh, don’t use pirated software, at the end of the day, that’s the right thing to do is to pay for your software or somebody spent a lot of time and put it together.

[00:17:50] Brad Nigh: Yeah, I’m looking at it now, but I haven’t heard of that one. There’s, there’s so much going on. It’s crazy.

[00:17:59] Evan Francen: I know I’ve been talking to a lot of CISOs, you know, at states and things and uh, actually was a theme yesterday too in the, in the, in the round table boys, it is overwhelming, right? CISOs so, so often I don’t think people realize the position that they’re put in. It’s really an unwinnable position if you’ve defined win as you know what’s the most common thing, you know that most common but a very common thing is the CEO says just keep us out of the news. But I can’t, I mean that’s that’s the truth. I can’t keep you out of the news,

[00:18:33] Brad Nigh: you know? And I think it’s interesting because you know, we’re working with people. I’ve had customers go, hey, have you heard of this? I’m like, wait, how did I miss that? But you look at it and there’s just so much, you know, Firehose coming. It’s like, yeah, you can’t possibly stay on top of everything. You know, things are going to be, you’re gonna like this one. I had not heard of this. I was thinking you were talking about, you’re always like, oh

[00:19:07] Evan Francen: well that’s the thing that I think in in our industry too is, you know, being because you see it happen all the time where you know, somebody last, did you see this? And you say yes, what actually did him. Uh And you may have thought you did, but you didn’t. But I think what happens so often is we feel uncomfortable saying, we didn’t know like I was on a call last week with the CISO for New Jersey and he asked me, you know, have you ever heard of this thing? I was like no, never heard of that thing. He said no. So I went and checked it out and like okay yeah I probably should have heard of that thing but I had never heard of that thing. Yeah.

[00:19:47] Brad Nigh: Yeah. Uh one of mine asked that they had found a free open source software that will compare like Nessus scans one against the other and show like and I’ve never heard of it. I was like oh this is actually really cool.

[00:20:03] Evan Francen: Yeah, that was me.

[00:20:05] Brad Nigh: Yeah. It’s fantastic though that you know, that’s I think that’s what makes as good as is that ability to say no, I haven’t heard of that and then go and learn about it, right? But there’s not. I think a lot of that comes from like maybe some Arians or something along those lines where people are like, you know, I can’t admit I don’t know something right?

[00:20:31] Evan Francen: You can’t. Especially as a consultant right? You’re you’re the expert and that’s one of the things I think on the other side too is you know when a CEO or you know somebody not in our industry asks you have you heard of this thing or heard of that thing? They say no. Sometimes they think, well I thought you were the expert. I’m like I am but there’s 30 billion different, you know, strike them out there.

[00:21:00] Brad Nigh: Oh my gosh, I’ll send you a one of our CSM was asking for some help in that I was we were on a call and there was they were just talking about all these different technology and, and you know, I understood it. And afterwards they’re like, we have a call. I have no idea what what, what just happened. And so I found this graphic that shows the in Passaic, you know, I. D landscape. And they’re like, whoa, I’m like, yeah, that’s the problem.

[00:21:33] Evan Francen: But it’s totally the problem to us. And it’s getting worse. You know? And I keep preaching, you know, especially the last few weeks, we’re adopting technology faster than our ability to secure it. Um, at some point there’s a critical mass where this is going to come crumbling down and it is going to hurt, it’s going to hurt a lot of people. Yeah, yeah, yeah. I mean, you just see it happening, right? Yeah. Look at look at CISOs today, you know, I was talking with the CISO from Hawaii, Vince, on Friday or, I mean, all of them, man, they put in this position, my heart has gone out to them since I started working with them more. I have so much more respect for what they do. Um, because I thought oh, state employee. Yeah, Okay, tough, tough job.

[00:22:18] Brad Nigh: No, no.

[00:22:19] Evan Francen: Yeah. 9 to 5, got to check out. I mean, these guys are put in an impossible position because they’re asked to do the impossible. They’re not empowered to do it anyway.

[00:22:31] Brad Nigh: Right. Right. And you know, I’ve worked with a bunch of, uh, let’s see how to do this real quick. Uh, yeah, it’s crazy. It’s the same with K-12, with, you know, higher ed. Uh, you guys, you know, we’ve talked with them, and they’re not, yeah, it’s tough. You know, the way I look at it, when I get shown something that I hadn’t heard of, or some of these shares, especially from a consultant perspective, it’s like, oh, well, this is the benefit you’re getting, is that, you know, working with us, you think you’re the only one telling me something that I hadn’t seen? Well, now I know, and what am I gonna do? Share it with others, because it’s gonna make things better, right? So there is, you know, a benefit to that, and not being, you know, like, oh yeah, I know about that. Yeah. Being open to learning.

[00:23:34] Evan Francen: Totally, man. And also, you know, I think to help with the burnout thing, we talked about that already a little bit today too, is recognize what your job actually is, right? It’s not risk elimination. You’re not paid to know everything. You’re paid to know, you know, certainly the fundamentals, certainly the basics. Uh, but man, things are gonna happen, right? It’s risk management, which is, it can only be, it can’t be… well, I guess it could be risk ignorance. I don’t know, whatever, you know, you just don’t care and you just don’t do the basics. Or there’s risk management, or there’s risk elimination. Well, risk elimination is not possible. Risk ignorance, you should get thrown in jail for that. Yeah. And then there’s, you know, risk management. That’s our job. So don’t stress it.

[00:24:28] Brad Nigh: Yeah. Yeah. It’s always fun when working with somebody, talking to someone when they’re, you know, considering working with us, and it’s, okay, what exactly is it? So what does that mean? And we get that a lot because, well, I mean, honestly, there’s a million different companies doing it, and everyone is doing it differently. But to come in and say, look, here’s our approach: it is our job in security to alert the business to the risks, provide options, and then implement what the business decides. It’s not our job to make that decision. It’s our job to present options: okay, you can do that, but consider these things, okay? You’re good with it? Let’s implement this solution. And so many, you know, a lot of them are IT people there. It’s the same with IT, right? I mean, from that perspective we’re custodians, and you can see the light bulb go off and they’re like, oh wait, you mean I shouldn’t be… they know you shouldn’t be determining what the backup schedule is. You shouldn’t be determining, you should be saying, what do you need from us, and then implementing it from there. And yeah, once, well, once they realize that, and then even more when you find a company that buys in, oh my gosh, it’s such a huge difference.

[00:25:59] Evan Francen: Totally, man. Holy… alright, so this Crackonosh malware, pirated games, lots of different countries, everything from Italy, India, Spain, United States, U.K. That’s where the victims are all getting… well, it’s, you know, a lot of times you don’t even recognize when you’ve got, you know, a crypto miner, uh, you know, on your system. It’s just a performance issue, usually. The scary thing about this one is it actually disables Windows Updates and disables Defender. So that gets a little scarier, right? Because those are things that we had in place for protection. Well, pirated versions of these games are, you know, uh, known to be, uh, I think, infected: Far Cry 5, NBA 2K19, The Sims 4… uh, however you say that, We Happy Few, Fallout 4.

[00:26:59] Brad Nigh: What’s crazy is I’m looking at, I just pulled up Steam, like, Fallout 4 for $12 right now. I know, like, is it really worth it to be doing this when, I, you know, I get people maybe don’t have a lot of money, but it’s not worth it.

[00:27:23] Evan Francen: Well, if you don’t have a lot of money, maybe you shouldn’t be playing games either,

[00:27:28] Brad Nigh: you know.

[00:27:28] Evan Francen: Yeah, if you can’t afford $12 to play the game, maybe you shouldn’t be playing the game. You should be working, and, you know, or something else. Yeah, there’s always different circumstances. The Sims 4 Seasons, Grand Theft Auto V, Euro Truck Simulator 2, Jurassic World Evolution and Pro Evolution Soccer 2018 are all known pirated versions, anyway, not the paid-for ones. Uh, at the least, the registry entries turn off automatic updates, uh, Windows Defender malware. Some of the antivirus solutions that are disabled by the Crackonosh include Avast, Panda, Norton, Adaware, F-Secure, Kaspersky, Defender and McAfee Scanner only.

[00:28:20] Brad Nigh: Yeah. Not good. Just not worth the risk.

[00:28:24] Evan Francen: No. And really, you should sort of expect this with any piece of pirated software, because here’s the thing about pirated software: it’s compromised software, right? It’s trivial for an attacker to insert malware and get the program to do any number of things. Well,

[00:28:41] Brad Nigh: right. Exactly. Especially people that maybe aren’t savvy. Yeah, don’t worry about it. It’s not,

[00:28:54] Evan Francen: it’s not worth it. And even if I was savvy, you know, I would never ever run those types of things on anything but a sandbox. Mhm. You know, in a lab. I mean, why would I? Yeah. No. And I wouldn’t, even if I confirmed on the lab system that, you know, yeah, there’s nothing malicious here, I still wouldn’t put it on my, you know, my normal work computer. Yeah.

[00:29:23] Brad Nigh: I mean, even when it’s totally legitimate, like capture the flag or those things, do that in a virtual environment, because you don’t know what’s going to be dropped in there. I was doing, you know, one the other day, uh, and it’s like, what software or what malware was the attacker delivering, and was looking into it. Oh yeah, I know they had, um, an attack as part of the capture the flag, like, well, I’m glad, I mean, I was in a sandbox, but, you know, you just don’t know what’s going to happen.

[00:30:01] Evan Francen: No, that’s very true. You reduce your risk. Going back to the risk versus risk elimination thing, even in a sandbox, yes, it is possible to jump the sandbox, but I mean, fine, that’s, oh, it’s rare, and it’s a risk management thing. So if you wanted to really do it, then you can just do a dedicated machine, even on its own network, you know, totally isolated physically and logically, but that’s a hell of a lot of work.

[00:30:30] Brad Nigh: Uh, so yeah, I may have done that over the last two weeks as a mental health break, is built out exactly that, but, you know,

[00:30:42] Evan Francen: that’s how we roll, brother. So the next one is, uh, Nobelium. Yeah, it’s all over the news. This is big news, uh, sort of, remember this big news: Nobelium hackers access Microsoft customer support tools. So Nobelium is from the SolarWinds, the original SolarWinds attack. It’s a Russian attack group that goes by a whole bunch of other, a few other names: goes by Dark Halo, UNC2452 is the common name, Dark Halo, Nobelium, um, SilverFish, StellarParticle, uh, too. The operations most known for, obviously, the FireEye compromise and the SolarWinds supply chain attack. Toolset: malware, Sunburst, Teardrop, Supernova web shell, CosmicGale PowerShell tool and Cobalt Strike are all known tools for this group. Uh, yeah, sophisticated stuff. It’s

[00:31:44] Brad Nigh: crazy. So they said in this one, it actually got, you know, into Microsoft’s own, uh, they said they could see billing contact info, what services they paid for and some other stuff, and then they turned around and used that as a part of this attack. And honestly, I mean, I think with these shows, regardless of whether it’s Microsoft, whatever, yeah, I mean, you don’t think Microsoft has a ton of controls in place? And it still happens. I mean, you cannot prevent this from happening if, in this case, not actually a nation state, but let’s be honest, it’s a nation state attacker. When you have somebody at that level, they’re going to get in if they want, right? So what do you have in place to detect? What do you have in place to mitigate and limit what they can do, right?

[00:32:41] Evan Francen: And you’re still limited in your options. It’s one of the reasons, you know, I don’t like, you know, the fact that we are sort of forced to use Microsoft, because you have really no alternative. And you know, you start putting all your eggs in one basket, right? If I’ve got everything in that, sure. And I’m using Office 365 and obviously my Windows, you know, desktop, and yeah, there’s, you know, it’s kind of dangerous, you know. So, hey, maybe, I don’t know, but, you know, anything, give me attached.

[00:33:14] Brad Nigh: Well, the problem is that, well, Microsoft, they’re really easy to install and run on a computer. Great.

[00:33:21] Evan Francen: I

[00:33:23] Brad Nigh: like Linux, it’s great. But it was a nightmare getting drivers working and fixing this stuff, and if you’re not technically savvy, nobody’s gonna sit and try and monkey with this stuff and figure it out and do command line and all this stuff. And that’s the problem. We don’t have an easy alternative. Yes, there’s easy versions out there, but it’s still not plug and play, as it were, with Microsoft.

[00:33:54] Evan Francen: Yeah. I think your best, you know, probably easiest plug and play might be, you know, Macintosh, might be Apple. Yeah. You know, that ecosystem, because it is fairly easy to use. My friends, my friends, yeah, they have completely gone that way.

[00:34:08] Brad Nigh: Yeah. You know, when you’re looking at it, price is the issue, and it’s not cheap, right? Yeah. It’s tough. We’re in a tough spot with that.

[00:34:19] Evan Francen: Yeah, for sure, man. And it sort of takes me up, because, you know, I mean, Microsoft tries to do everything for everybody, and so, you know, even in their own ecosystem, I have integration issues with, um, you know, I’m in two different domains, right? Because, I mean, FRSecure and SecurityStudio, and dealing with the authentication issues, you know, through OneDrive, it’s just the biggest pain in the ass. So, oh, they can’t get their own stuff to talk to each other. You can’t even keep Excel from crashing on me, you know, two or three times a week, and you want me to put all my stuff… No, it’s just irritating. But truly, Microsoft, there, don’t lose track of the motivation, because it makes everything else sort of make sense. So the motivation for Microsoft is not to protect your data. The motivation for Microsoft is to make as much money as possible. Mm. That’s the reason they exist, right? You know, and they’re going to say things like, we take the security of your data seriously, and obviously, right, because if they didn’t, you’d lose customers, right?

[00:35:40] Brad Nigh: It’s almost like they’ve gotten so big and so diverse, it isn’t one company anymore. It’s all these different companies, and that’s when you start having these misses, right? So

[00:35:53] Evan Francen: and expect more of them?

[00:35:55] Brad Nigh: Yes, I’ve got to slow down

[00:35:57] Evan Francen: nope, nope. Uh, so in this particular attack, what was happening is, you know, the way the attackers essentially were pivoting into other things is password spraying and brute force attacks. Password spraying and brute force attacks are really noisy, uh, pretty easy to detect if you’re, you know, watching. Um, but that’s how they were getting into these unauthorized accounts, essentially guessing passwords, right? Another reason to have multifactor authentication as a default. Yeah. Um, all the activity was targeted towards specific customers, primarily IT companies, 57%. Now why would you think that they would go after IT companies? Well, I

[00:36:41] Brad Nigh: mean, there, no brainer, because who do you think is gonna be installed across the largest base? You know, either support-wise or software-wise.

[00:36:51] Evan Francen: Exactly. You know, people trust us. You know, we’re not an IT company, or a security company, but, you know, if you’re an MSP and MSSP, you know, you whitelist my stuff, because, you know, I’m testing for you. I’m doing pen testing, I’m doing whatever the hell I’m doing, and I

[00:37:07] Brad Nigh: gotta say, I’m not going to say who it is, but we work with an MSP, and I remember talking to them, you know, when they first were considering it. I really like their approach, and they just signed up for, uh, they’re doing two pen tests: one on themselves, you know, hey, can you get in, and then if you were to get into the corporate, could you get to a customer? And then they’re standing up a dummy customer account and managing it exactly like they would any other and saying, okay, if you got in here, what could you do? Could you get back, you know, could you get to other people? And I mean, how many do you think do that? This is the first that I’ve seen that’s done that, and it’s phenomenal. I love seeing

[00:37:55] Evan Francen: that. Yeah. No, and that’s the right way to do it, right? I mean, now there’s an extra burden, I think, too, with an IT company or consulting company. It’s even another step removed from whose data it actually belongs to. It belongs to, you know, an individual somewhere who will suffer if that data is lost or stolen, if they, you know, share that information with, you know, say a hospital or a retailer or whatever. And then there you got the MSP, you know, and then you’ve got us, you know. I mean, it’s just like these additional layers. But yeah, at the end of the day, it’s, you know, somebody suffers when this stuff goes wrong. So you do, you should take it seriously, unless you like people suffering, and then you’re a tyrant, and we should send you to Iran. Uh, right, 57% of the companies are IT, uh, 20% government. Um, and don’t think for a second that states aren’t targeted here also. It’s not just federal government, it’s also states, and, uh, counties are also part of this. I’ve seen it myself in some of my own research that I haven’t shared with anybody, but I do a lot of that stuff. I don’t share certain things. But yeah, largely focused on US interests, so 45%, followed by 10% in the UK, smaller numbers for Germany and Canada, and all 36 countries were targeted. So this is not a small effort. It shouldn’t be something that’s just brushed aside as, like, whatever, it’s Microsoft. No, it’s Microsoft, and then, and then, and then, right? It’s the way attackers have always worked from day one. You know, you identify the vulnerability to get a foothold, elevate your privileges, delete logs, plant the back door, pivot, pivot, pivot until you hit something, right? You know, that part is not anything new. So anyway, yeah, so there’s a bunch of news articles about that. If you just google Nobelium, um, it’s N-O-B-E-L-I-U-M, uh, and Microsoft together, you’ll see all kinds of interesting

[00:40:12] Brad Nigh: bad times.

[00:40:14] Evan Francen: Mhm. And I would suggest, you know, for readers, to read more than one article, right? Having those different perspectives on, you know, news things is always good. This, believe it or not, news people have bias also. The one from Bank Info Security, I like this one. The title is Group Behind SolarWinds Attack Targeted Microsoft Customers. This is good because I like some of the information. You know, the Biden administration has accused Russia’s Foreign Intelligence Service, or SVR, of conducting the SolarWinds supply chain compromise. Then there’s just other sort of, that’s a different angle that you didn’t see in any other articles about, you know, what does this mean geopolitically, and mhm, it’s interesting how this is all going to play out.

[00:41:04] Brad Nigh: Yeah.

[00:41:05] Evan Francen: Yeah, CISA’s involved, but don’t expect… that’s another thing that’s kind of irritated me lately, is you hear a lot of people saying, well, the government’s doing this, the government’s doing that. The truth is, number one, the government can’t protect you. No, this isn’t like a normal war or battle where we protect our shores, protect our skies. No, they’re already on our shores. They’re already in this country. They can’t protect you. Yes, take it upon yourself, right.

[00:41:36] Brad Nigh: Yeah. I mean, are they going to do something? Yeah, probably. But it doesn’t mean they’re going to be able to stop Russia from targeting your company. It’s just not possible.

[00:41:50] Evan Francen: It’s 100% not possible. Exactly. And in that same, you know, Bank Info Security article, they talk about CISA’s involved, CISA, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. Yeah, they’ll do what they can to help, but they are in over their heads too right now, because, you know, they have an executive order. Yeah, but they have to comply with that. That’s going to require about four or 500, at least, I would think, new employees. And where are

[00:42:23] Brad Nigh: they going to find them?

[00:42:25] Evan Francen: You gotta come from somewhere, man. You don’t just, like,

[00:42:28] Brad Nigh: yeah, it’s interesting to see how this plays out

[00:42:32] Evan Francen: big time, man, big time. And I know that across the country, at least, and I haven’t followed all of them, but I know at least two former state CISOs have joined CISA as part of that, you know, state outreach thing that they’re doing. Okay. So that’s kind of weird, because, yeah, that must be a pretty alluring position or something to be pulling, you know, well, it’s position,

[00:43:06] Brad Nigh: honestly, if you think about it, there’s long-term career rising, there’s some prestige at those upper levels to say, hey, I did this, it was at CISA and did these things, you know. Did they stay for a couple of years and then go to public sector, or are they gonna, mm. Yeah, okay. It will be interesting to see how, like I said, it’s really gonna be interesting to see how these play out

[00:43:37] Evan Francen: it is. And you mentioned, you know, prestige too, because I’ve been asked, you know, people, you know, want to aspire to be a CISO, and, you know, I always ask why. They, you know, come up with some reason, but I’m not sure they truly thought it all out, you know, why they want to be a CISO. Uh, and if it’s prestige, you know, I get that, but I don’t think it’s worth it sometimes. You know, I mean, if you can be a consultant, and, you know, now I have to be in the grind all the time. That’s, I mean, you’re still in the grind, but it’s not like one grind, you’re in a bunch of grinds.

[00:44:09] Brad Nigh: You know, it’s what I tell people when they ask, why, you know, why are you in consulting now? You don’t have your own shop anymore. And that’s one of the big challenges is when you move over, you don’t own it anymore. I was like, yeah, once you kind of process that, it’s fantastic, because I get to come in and say, hey, here’s all the things you need to be doing, go do them. I’m not, I can’t do those things for you. I can just tell you what needs to be done, and, you know, it’s

[00:44:44] Evan Francen: want anything. Honestly, sometimes you seem, and I must say seem, so smart too, because, like, how did you know that? Well, one of the things people don’t know about good consultants is we steal everybody’s ideas all the time. Oh, that, oh, you know, we see something over here, like, damn, that’s really cool, I like that. Oh, that’s really cool too. And then you, you know, there’s so many different tools in your repertoire.

[00:45:17] Brad Nigh: Yeah, I mean, if you do it correctly, that’s what makes us so valuable, you know, and that’s what a lot of people pay for, is the fact that we do have that much exposure to everything else going on. They don’t see, you know, all these other things that we do.

[00:45:40] Evan Francen: Very true. Last thing about the Microsoft, SolarWinds, Nobelium latest news thing is the attacks are highly targeted. Uh, so there is a purpose behind it. These aren’t automated attacks. They’re highly targeted, small number of affected customers. But it’s the spread, man, that I think people should be concerned about. The next thing about Microsoft, because here we are, it’s Microsoft, BleepingComputer, that’s where this article comes from: Microsoft Admits to Signing Rootkit Malware in Supply-Chain Fiasco. So that doesn’t help matters when your job is to verify and validate that the software does what it says it’s going to do and it doesn’t violate the rules. So you do that, and then you sign it, right, with your certificate, saying this is a true safe thing, and it ain’t.

[00:46:38] Brad Nigh: Yeah. You know, and I’ll be honest on this one, I do feel for them, in that, you know, if you look at the sheer volume of drivers and stuff, and I mean, we’ve seen it, how good these attackers are at hiding it. I’m not

[00:46:58] Evan Francen: absolving them. Yeah, I don’t feel for them at all, because it’s like, you keep taking on all this stuff. I mean, you keep going after this new thing, a new thing, a new thing. And it’s like, why doesn’t somebody else take care of this? You know?

[00:47:11] Brad Nigh: It’s, well, yeah, I’m not absolving by any means, but it’s like, having seen how difficult this is, I do feel for… I mean, these attackers and some of the methods are like, holy crap, right now. And the fact that this isn’t more common even, you know, not just Microsoft, but, you know, Google and Apple, is pretty amazing

[00:47:41] Evan Francen: one. And the way things work too, those, maybe it is more common, and this is the first one we’ve sort of found. Because, I mean, because it’s always that obvious stuff, it’s always like, yeah, so why didn’t I check that? You know, I don’t know. So the driver is called Netfilter. Uh, it was observed communicating with Chinese command and control IP addresses. It’s a driver distributed with gaming environments, and not to be confused with what we talked about earlier. This is legitimately signed, mm, software. So G DATA malware analyst Karsten Hahn first took notice of the event, uh, and then, you know, sort of, hey, this thing’s happening, you might want to do something about it. Uh, what does Netfilter do? Uh, because originally it was flagged, uh, it appeared to be a false positive, but it’s not.

[00:48:42] Brad Nigh: Yeah, it was, what did it say? It basically connected to an IP address in China, multiple?

[00:48:51] Evan Francen: Yeah, well, if you look at the signature in the version that he shared, it was signed May 16, 2021, so it’s not like this is old, uh, stuff either. There wasn’t a patch for it. Uh, and since Windows Vista, any code that runs in kernel mode has to be tested and signed before public release. Uh, well, yeah, it can’t load without that, the Microsoft certificate. So there is that much, like, trust built in to the signing process. Uh, and then there’s a whole bunch of technical details. You know, it’s nice that they are shared. IOCs are shared in detail in a blog post from the BleepingComputer news article, so, you know, check your own environments for these things.

[00:49:48] Brad Nigh: Yeah, what’s interesting is basically the whole point of this was geolocation, to be, that gave me, uh huh. Let’s be honest, that could be, uh, I mean, proof-of-concept-wise, that’s not ideal.

[00:50:07] Evan Francen: Right. Yeah, it is true. It’s used to circumvent region-based restrictions in games and snoop on players. Well, that’s what it’s being used for now. Right. Right. Yeah, I think, yeah, interesting. Thank you, China, but we can trust them. Don’t worry about it. Moving on to the last Microsoft thing I have, it’s a Microsoft Edge bug. Uh, yeah, could allow attackers to steal all… Uh, so this has been, Hacker News is where this comes from. Microsoft Edge Bug Could Have Let Hackers Steal Your Secrets for Any Site. This has been patched, I believe. But it’s interesting news that if you don’t keep up with patches, which is a bad thing, you shouldn’t be using computers. If you don’t patch, just, you shouldn’t be driving a car unless you change the oil, just saying. Mhm. Uh, what’s that?

[00:51:13] Brad Nigh: It’s really interesting now. Yeah, like, how it was exploited is nuts. Like, you trigger the attack by adding a comment to a YouTube video written in a language other than English, along with the cross-site scripting payload, like, right, because who thinks of

[00:51:40] Evan Francen: this? You know, you know how it happens most of the time, man? Somebody stumbles on it, right? Very sure, you’re browsing the internet and it’s like, oh, what the hell is that?

[00:51:52] Brad Nigh: I mean we’ve seen it. Right. Oh yeah, yeah, yeah,

[00:51:57] Evan Francen: I’ve definitely broken more things over the course of my career than fixed things, and it’s in breaking things where you find these things, right. Yeah, crazy. And that’s what I think, you know, hackers, uh, ADD is a great, it’s a superpower. We can do that, we can just break things and still be fine and move on to the next thing, forget about that other thing, like, oh, what is that? You know? And then you go down that damn hole. That’s what happened right now with me with states. Now it’s like, okay, where does this go? It’s your ADD then turns into, like, ultra focus,

[00:52:37] Brad Nigh: right? We have a rabbit hole.

[00:52:39] Evan Francen: Yeah, it’s nuts, man. All right, two last news articles and then we’ll wrap this thing up, a whole bunch of Microsoft stuff. Like I said, the show notes will be posted. It’s evanfrancen.com. Easy to find the show notes that we posted tonight, if you want to, uh, review any of those news articles we just talked about, uh, you know, stay abreast of these things. You know, you don’t try to learn everything, but, you know, try to pay attention. I think one of the big things, you know, that makes good security people good is situational awareness. That’s situational, like, not know everything. It’s situational awareness: understanding where you’re at, what you’re doing, what’s around you. Um

[00:53:23] Brad Nigh: Well, yeah, know your technology, know your software and pay attention to the cooler of those things. What do you have to be aware of?

[00:53:33] Evan Francen: Exactly. Yeah. Uh, one more, or two more, actually, real quick. We’ll get through a Hot for Security, powered by Bitdefender. This one: $1 Billion Lost to Over-Sixties Through Online Fraud in 2020, Says FBI. I’m actually putting together a course, a class for the Women’s Society of Cyberjutsu in Jacksonville. And it’s for a bunch of, it’s for mostly people that want to transition from IT into security, right? Ladies that want to do that. So I’m putting a hack yourself course together where you hack your own home network, you know? And what I’d like people to do is to hack your home network and then go find mom, dad, grandpa, grandma, go hack their network too, so you can find where their vulnerabilities are and help them. Trying to teach a 60-year-old to become a hacker is probably not going to happen. They’re going to find ways. It’s a different generation. It’s not an intelligence thing. You know, they didn’t grow up with technology. It came so late in the game for them.

[00:54:58] Brad Nigh: Well, you know, you mentioned that, uh, we had one. Yeah. Well, you know, I’ll tell you later, but I got put in touch with the Women in Cybersecurity at Texas A&M. Uh, they’re trying to put together a K through 12 program and understand more about it. So I’m gonna be working with them to help, which I’m super excited about. It’s kind of along those lines, like, let’s get this early and do it right and prevent this from happening for future generations

[00:55:34] Evan Francen: for sure. And the thing is about security: security is security, right? The concepts are the same at home as they are in the office, and then the same in the office as they are in protecting the nation, right? It starts with an asset inventory. I can’t possibly protect the things I don’t know I have. Start with understanding, when you’re the one responsible for your own security. It’s not my responsibility. It’s nobody else’s, it’s yours. It’s not the ISP’s responsibility. It’s not the places you visit online, it’s your responsibility. You know what I mean? It’s starting with those basic things. So, you know, running, we did it on the show once, right? Running nmap on your network. See what you got running. Take inventory of it. Try to identify it, try to figure out who it’s communicating with. Just, you know, I don’t know, lots of stuff, but there’s some good information in this article in particular. I thought, you know, what was interesting to me was the crime types. There’s really good data here. So confidence fraud/romance is the number one loss type, at $281 million for over-sixties, which I

[00:56:42] Brad Nigh: would be willing to bet, if you look at, you know, well, back in the day, as it were, uh, that would not be any different than, you know, preying on older folks that may be lonely for.

[00:56:56] Evan Francen: Absolutely. And one thing I thought was interesting too is ransomware is like number, what, 28, 5? I mean, it’s way down there. Well, is that five million? So the over-60s aren’t getting hit by ransomware. The over-60s are getting hit by, you know, romance scams, business email compromise, tech support scams, those types of things. Well, you know, it

[00:57:25] Brad Nigh: makes sense though, right?

[00:57:26] Evan Francen: Like, know your

[00:57:27] Brad Nigh: target, you know, your audience, right? You know, it sounds callous to say that, but that’s the reality right there. Why would they ransom, you know, a 70-year-old’s computer, who’s gonna just not know what to do and isn’t going to pay Bitcoin and try to figure that out, as opposed to, you know, socially engineering them and getting money? That’s gonna be a lot easier. You know, it’s what attackers do.

[00:57:56] Evan Francen: That’s, you know, it’s always the same, right? It’s easier to go through you. It’s easier to go through your admin. It’s easier to go through your secretary than it is to go through your firewall. Mhm. Right. Why would I go through all the work of creating custom malware for an attack on grandma when I can pick up the phone? Yes, 30 seconds versus, you know, I don’t know how many hours I would spend crafting another attack. But, all right, so there’s that, and the last one before we close this sucker up. I was going to talk about the critical CISO initiatives, but I thought it was more, I was gonna make fun of it more than anything else. You

[00:58:38] Brad Nigh: and me both.

[00:58:39] Evan Francen: Yeah. So I’ll just let that go. Maybe next week, let’s let’s do that. Let’s talk about burnout. I think that’s a good thing and we’ll cover you know a few news articles. Uh The last one is you know, if you didn’t hear john McVie is dead, he uh you know, he allegedly took his own life, we could do a whole episode on that. I’m gonna say, I

[00:59:01] Brad Nigh: don’t know, knowing him, he’s going to turn up in like five years somewhere.

[00:59:06] Evan Francen: Well not just that, but if you remember back in the day he was because he was a pioneer in our industry regardless of the kind of person you think he is, he was a pioneer or industry in early in the earlier days and he had access to the highest echelons of the U. S. Government. And so you see the things that have happened, you know, I don’t mean I’m always skeptical when somebody turns up dead in a prison, when you have guards and cameras and things that are supposed to be making sure you don’t take your life. It’s just it doesn’t sit right with me. Mhm. I know he knows things. I mean come on he has to.

[00:59:45] Brad Nigh: Yeah. Yeah, interesting. And, you know, that's one of those things that we'll never ever know the truth about, or know all this stuff about.

[00:59:57] Evan Francen: Right. So anyway, we can speculate about that. But yeah, you know, I wasn't a big McAfee fan because, you know, I'm just not a big fan of kind of anybody like that, but it is sad, you know, when you see, you know, what was in, you know, tech, the tech giant, you know, who was part of the revolution, really, in... yes, flexes handball. He was entertaining too.

[01:00:29] Brad Nigh: He was a very interesting

[01:00:31] Evan Francen: character. Yeah, totally. So goodbye to John McAfee. Uh, yeah, it sucks. All right. Any shout-outs to speak of, sir?

[01:00:42] Brad Nigh: Uh, I'll give you a shout-out. Thanks for the support over the last couple of weeks and just, you know, knowing that you've got my back. It's great. Uh, also a shout-out for the same thing to the whole leadership team, man. It's just been amazing to see everybody being so supportive. It's really been helpful.

[01:01:04] Evan Francen: Oh, cool, man. Well, we do genuinely love you, man. I mean, some people just use those words, but, you know, I'm hurt, you know? Yeah, it's always funny.

[01:01:15] Brad Nigh: People always are like, you know, your company can't really be... No, it is. It's crazy. Everybody here in leadership has been in that position and is dedicated to not letting that happen, and they truly care about each other. It's so awesome.

[01:01:35] Evan Francen: Yeah, it is cool, man. It's cool. Uh, I don't know who I'm going to give a shout-out to. I'll give a shout-out to my dog. It's weird, but Violet, especially when my wife is gone, you know, she's... she's been a lot of... this week, well, she's like my pal. She's just been hanging out with me. She yells at me, I yell back at her. We're just loving life.

[01:01:58] Brad Nigh: It’s funny how yeah, When Katie takes the kids out of town. Yeah, dogs are like, oh yeah, good.

[01:02:05] Evan Francen: Yeah. I told Marlys she was sleeping in the bed with me now, and she said, what, she's replacing me? I'm like, well, you're not here. She's

[01:02:16] Brad Nigh: a... talks back as much. Wait. No, right.

[01:02:19] Evan Francen: She’s, she’s easier to tie

[01:02:22] Brad Nigh: up. If I get annoyed, I can just throw her in the backyard.

[01:02:28] Evan Francen: That’s true.

[01:02:30] Brad Nigh: Yeah, that would probably get you in trouble. We'll have to have Brandon edit that part out so our wives don't hear

[01:02:34] Evan Francen: it. That's fine. Uh, yeah, thanks for the conversation, man. It's good to see you. It's good to see that we can share some laughs together. Laughter is good medicine, and we'll continue to pull for each other, you know. Uh, good things are ahead. There's sunlight on the other side of this thing. Uh, listeners, if you want to tell us something, give us feedback, or you have an opinion to share, which we... it won't be those, but if you want to share them, feel free: unsecurity@protonmail.com. If you're the social type, socialize with us on Twitter. I'm @EvanFrancen, Brad is @BradNigh. I know that he's not much of a social media user in general, and I've been swamped, so if you social us there, we might get to it. Uh, yeah, there's other social media stuff. It's very easy to find, whether it be the UNSECURITY Podcast or FRSecure or SecurityStudio, any of that kind of stuff. Uh, that's it. We'll talk to you again next week. Enjoy, be safe.

Ryan Cloutier joins this episode of the UNSECURITY Podcast. Ryan has taken a special interest and focus on cybersecurity in K-12 schools, so he and Evan talk all things K-12 security—including Ryan’s “Awesome Top 5.” Give episode 136 a listen/watch and send questions, comments, and feedback to unsecurity@protonmail.com.


Podcast Transcription:

[00:00:23] Evan Francen: All right. Welcome, listeners. Thanks for tuning in to this episode of the UNSECURITY Podcast. This is episode number 136. The date is June 16, 2021. Joining me is my good friend, Ryan Cloutier.

[00:00:39] Ryan Cloutier: How you doing? Doing good, man. I'm excited for today's topic.

[00:00:43] Evan Francen: Yeah, well, it's right up your alley for sure. Uh, so, listeners, Brad's taking a few weeks off. You know, we've all got tons of things to do, and he is no exception. And that's not like you and I don't have tons of things to do too, but everybody needs a break once in a while. So Brad's taking his. Um, yeah, our topic today, I figured we'd talk about K-12. So, K-12 security, you know a thing or two about that, don't you? Just a little bit. Yeah. So, you know, I've been working on state and local government and, you know, it's kind of... trying to figure out where the lines are. You have that struggle with K-12.

[00:01:25] Ryan Cloutier: I do. It's a very complex environment, and it can be different state to state, and it can be different culture to culture within the community. So urban districts tend to do things a certain way. Rural districts tend to do them slightly differently. Um, you know, and what's really interesting is you try to navigate the who's who, right? So as we try to implement information and cybersecurity risk in these institutions, you've got to get the right buy-in from the right folks. And one of the big challenges that I think we share between K-12 and state government is finding out who the right players in the game are. And it's not always the ones that you would think it would be. It's not automatically just the CIO or the CISO, right? It could be that the CISO needs the buy-in of the House chair or, you know, other players in the legislative space on the state side, and in the school space it can be different types of leadership or, in some cases, even buy-in from the teachers' union.

[00:02:26] Evan Francen: Yeah, it's weird because, like, it seems like in states, no two states work the same way. I think it's even worse in K-12 because, you know, you've got... who governs K-12 in the United States?

[00:02:42] Ryan Cloutier: So, interestingly enough, no one. There is no... you would think the department that would be your automatic default, right, the federal Department of Ed. Well, no, they set guidelines and standards for curriculum and for, you know, what the students need to learn to be accredited, but they don't set guidelines for how you manage your district. And, you know, in Minnesota here, we have independent school districts, so they could actually span county lines, city lines. But if we look at our friends down in Florida, they do it based on county, so each county has a school district. We go to our friends, say, in Texas. Texas is also an independent school district setup, but they tend to do it more based around city.

[00:03:30] Evan Francen: Mm. Who decides whether it's independent or not? Is it the state that kind of sets that piece up?

[00:03:38] Ryan Cloutier: Yeah. So what that comes down to is the way that the funding works within a given state. So an independent school district gets its funding based on property tax value from the cities or counties within their defined district boundaries. Uh, and all the schools in all the states do get a small portion of money from the federal government, and they get a small portion of money from the state government. The rest of the money has to be made through either bond initiatives, property tax hikes, bake sales. A lot of schools use events as a way of generating revenue for the school to be able to pay for things like laptops and books, and books are a little dated now, not that they actually use those anymore. But, you know, what does

[00:04:23] Evan Francen: anybody read anymore?

[00:04:25] Ryan Cloutier: Well, I mean, based on the way I see people behaving, no, right? But it's a hodgepodge, and ultimately it comes down to the local community that that school district is serving. Ultimately, they have the most authority and say over how that school district is funded and what they're going to spend that funding on. A lot of times, the school board is the one that ultimately carries the authority.

[00:04:52] Evan Francen: Yeah, that's okay. And I'm gonna take us on a little side track, as I remember, um, especially this last year, right? There's been a lot of this race thing, you know, not race thing, it's racism, and discussions about that. And one of the things, somebody, uh, said something about systemic racism, right? And I was like, I don't really know what that is, so give me an example of that. Because I think all of us want to be part, not all of us, but all of us should want to be part of the solution, not part of the problem. So they brought up the issue of schools being funded by, like you said, local property taxes. So you take our backyard here, Minneapolis, you know, the Minneapolis school district is funded by property taxes, and where I live in Waconia, uh, you know, I think the income per capita is higher, property values are higher. So students in Waconia seem to get better equipment, probably better instruction, more opportunities than people in the inner city. Is that right?

[00:06:10] Ryan Cloutier: It is absolutely right. Uh, you know, we here in Minnesota, we have a couple of districts, and I won't name them, but they are what we call the Gold Coast. They have the money. That's where the majority of wealth in the state is concentrated, into a handful of cities on the western edge of the metro, and they have the best-funded programs. They have the best talent, they have the best equipment, and that's because they're able to offset that state dollar value. So the state gives every school a flat fee per student, and then the difference has to be made up by the local community. So a community that is poor or impoverished is going to struggle to overcome that offset, where a community that's wealthy is able to do so more easily. The other thing that I found interesting: I was actually talking with one of those districts, who I won't name, and I said, how come you guys seem to always have so much more money left over? And the answer I was given was, Ryan, one family can write a check for our entire athletics program, and now we don't have to spend that money. So, uh, affluent parents being able to write very large checks to cover things like re-turfing of the football field. That money that was allocated for that can then be reallocated to something else. And when you get into an urban setting or an inner-city setting, those opportunities are so much more reduced. You don't have wealthy families that can come in and just say, I'm going to buy new uniforms for the mascot, new lighting for the football field, there's a couple hundred thousand dollars. You know, when they have to pay for those things, they have to pay that out of what we call the general fund, and the general fund is really used for everything. So when you take away $30,000 to pave the parking lot, well, that's a whole bunch of laptop upgrades. That's a whole bunch of being able to pay to protect the internet or things like that.

[00:08:14] Evan Francen: Yeah, that's, mm, I mean, that's probably for another discussion, because, I mean, that certainly seems like it needs to be fixed, right? I mean, when it comes to information security, what we do, uh, I think the richer become richer. School districts that have more leeway, they can make mistakes and recover more easily, meaning they can misspend, they go buy that blinky light even though it's maybe not the best thing for them to buy from a security perspective. They can afford to make those mistakes. Whereas rural districts and, you know, districts in the inner city, urban districts, they can't afford that.

[00:09:01] Ryan Cloutier: Exactly. And, you know, even fundraising. You know, let's say they do make that mistake and now they've got to recoup $1 million. Well, I know for a fact that one of our richer districts was able to make $1 million selling candy bars. Wow. You're never going to be able to do that in an inner-city setting because the families don't have enough disposable income. So while they want to buy that candy bar, they want to buy them all, they don't have that financial capability. And so their students ultimately end up suffering. And I think that's where the systemic, just to tie this off, that's where I think the systemic piece comes into play, is that you have a disadvantaged group of people who, in order to get the advantage, have to be able to take advantage of the advantage, and they can't, so the loop perpetuates itself. So I can't make $1 million in candy bar sales, therefore we can't offset that mistake that we made. Or, in a lot of cases, you know, school districts have to pay lawsuits. School districts have to cover staff that are inappropriate in some cases, or other types of things where they get sued, and then that money comes out of that general fund and they're left with even less. And the bigger the school districts are, generally speaking, the largest school districts in the state of Minnesota are also the most impoverished.

[00:10:29] Evan Francen: Yeah, absolutely. And I know that you and I have talked a lot because we strategize a lot on different things. And you were telling me about some of the mega districts. Now, mega districts, they sort of run themselves like a business. And so that's one side of the spectrum, and then the other side of the spectrum is maybe a rural district where the person who's the technology director is also the gym teacher, is also the baseball coach. You know, that's hard

[00:10:58] Ryan Cloutier: and it's very common. Um, you know, I've worked with districts of all sizes and all demographics across the country. I've worked with inner-city urban districts. I've worked with rural districts and predominantly Caucasian communities. I've worked with southern districts and northern districts, and they all approach things a little differently. But the common theme is the rural districts tend to wear more hats. They tend to have to be the security person, the network person, the desktop support person. Plus they've got to pop out to teach history, and they've got to go help out on the football field because they're the coach. You don't really see that problem in the metropolitan districts, or especially the mega districts. Mega districts really do run like enterprises. They're funded like enterprises. You know, one that comes to mind that's one of the largest in the nation, you know, they have an IT staff of 1,500 people. That's more IT staff than most big businesses of a similar size and budget.

[00:12:02] Evan Francen: Right? Well, it seems like, so every one of these, you know, when we talk about protecting data, protecting information, uh, I think one of the really important, you know, types of data to protect is the students', right? And their families', right? Protected personally identifiable information. But then there's also the whole skill-level thing, the skill set. Um, we need more security people. You know, we've said before, information security is a life skill. Uh, it's probably more likely in some of these more affluent school districts that they're getting those things than, you know, the rest of the students. I mean, we have to fix this. I think there's a lot, a little, many issues, because let's say that I am in an inner city, and it's not just black and white. It just happens to be that most of the, I think, blacks in our country are concentrated in cities, right? There's also white students there. And if I'm already starting off disadvantaged, right, I've got kind of the deck stacked against me, meaning I don't have the same opportunities you do. I don't have the same equipment you do, I don't have the same quality instruction you do, lots of things. Couple that with the fact that it is probably more likely that my data would be exposed because it's not being properly protected, because you just don't have the resources to do it, maybe. And now, you know, stack that on top. Right now it's more likely that my identity will be stolen, and I'm off to deal with that, you know. I mean, it's kind of beating them down a little bit, isn't it?

[00:13:46] Ryan Cloutier: Well, it is. And the other thing that, you know, I think a lot of folks outside of K-12 don't realize is that a K-12 school district has all the data, all the data: medical data, financial data, behavioral data. They have data on your child and on the children, and staff are responsible for that. That bumps up against HIPAA, but they're not a medical facility, they're not an insurance collector, provider or doctor's office, so they're not regulated by them. The laws that regulate school districts traditionally are laws that were written in the 1970s specifically so that families could know what records the schools were keeping about their student, not so much so that that data needed to be protected. Um, and then what you now have is a hodgepodge across the country of different attempts to create student privacy laws. The best one I've seen yet to date is out of Illinois. It's called SOPPA. And what it says is that all school districts in Illinois must maintain reasonable security. What they failed to define was what is reasonable security. So now you have a law that says you have to do a thing, and there is no definition for what that thing is. And we've seen this over and over for 20-plus years in this industry: the word reasonable gets thrown around, but nobody wants to define what it means. And so now everybody scrambles to try to meet that, and you still wind up with 150 different ways that people attempted to hit it, and maybe out of that group, 10 actually achieved what a security professional would then call reasonable.

[00:15:34] Evan Francen: Yeah. Well, one of the things I know that we're trying to do, you know, with SecurityStudio and S2School and the things you preach, is trying to level that playing field a little bit, right? So we can bring... as we know, most of the protection, most of the breaches happen because of lack of fundamentals, right? It's not because I don't have AI, it's not because I don't have, ah, you know, some super sophisticated machine learning device. It's the basics, the fundamentals, right? Uh, somebody left RDP open or somebody clicked the phishing link, or, you know, it's stuff like that. So I think, without transferring a whole bunch of money, I mean, that one thing does need fixing, right? But we don't do that. We're security people. I don't determine how schools get run. They don't determine, you know, funding stuff. Well, what I can do is do my best, and what we can do is do our best, to make sure that school districts aren't pissing away money, that every dollar you're spending on information security is being spent wisely, it's being spent towards those fundamentals, the things that are really, really important that you do.

[00:16:48] Ryan Cloutier: Yeah. And, you know, I just published an article. You can find it on SecurityStudio's blog. It's the top five things that schools need to do to prepare for ransomware. Um, I've started preaching not prevention, but recovery. Prevention has seemed not to work. We've tried prevention, it didn't work. So now I'm pivoting to say, you know, prevention, we still need to do it. It's still important. But what's more important right now, what's more helpful to where you invest that next dollar, is making sure you're recoverable, making sure that you're ready for the event when it happens and you're able to get back on your feet. There's, you know, and part of this is, uh, two things that are going on in schools today that don't go on at the same volume outside of school. And the first is insider threat. So insider threat exists within a company, uh, private business, and when you discover that person, you fire them, you call the police and you prosecute. But in a K-12 setting, that's not what happens, because really you're talking about a curious child, a child who is now demonstrating some skills and talents and curiosities that should be shepherded towards the right things, towards, hey, well, I'm not happy that you hacked us. I'm not happy that you took down the firewall. That's actually a job skill; let us redirect you. And schools are the only place where the inside attacker is invited back three days later and handed back their computing equipment. And so you have that factor in play, and that's actually a bigger factor that rarely makes the news for a handful of different reasons, a lot of which is because it involves a juvenile and potential crime, and so that's why it's not hitting the, um... And the other challenge there is that in a lot of cases those students are actually helping the IT staff to secure the network, and so we're using

[00:18:47] Evan Francen: children

[00:18:48] Ryan Cloutier: to secure the network of the school, and you don't see that on the business side. So I think, you know, that's where a lot of schools struggle when it comes to where to spend the next dollar, because let's be honest, they're getting their cybersecurity advice from a 14-year-old.

[00:19:07] Evan Francen: Yeah, good point. Good point. And I love that you brought up a couple of other good points. So, and I do want to talk about, you know, your article. I think it's awesome. I love the fact that you kept it at five. It's simple, it's straightforward, and that's one of the things that is our mantra, right? Simplicity is your best friend, complexity is your worst enemy. So keeping things simple. So the more stuff you add into the environment, the more networks, the more devices, the more technologies, the harder it gets to secure those things. So if you are in a rural community or, you know, an inner city where you do struggle with funding, the wrong place to spend it is probably on technology. You probably need to spend more time figuring out where you're at, right, and making sure you are recoverable. You know, this has never been about risk elimination. It's always been about risk management. And if you understand what risk management means, it means you can't eliminate the likelihood and/or impact of something bad happening. It will happen. It happens to everybody. It's just a matter of time.

[00:20:15] Ryan Cloutier: Well, in schools, you know, it's interesting, because schools know this for everything outside of information. So they have very robust plans for dealing with severe weather, fire, active shooter, you know, whatever. Name a scenario that could potentially jeopardize life or limb, and they've got a plan for it. They've got a plan that they've documented, that they've tested, that's got 18 copies around the building. Everybody knows where it is and they know what to do. Where we have fallen down is by treating information security as somehow separate from those other activities, somehow not related to or associated with those activities. And so when I'm consulting and coaching these schools, I tell them, don't do this separately. Make it part of, involve the same humans, by the way, who helped you figure out your severe weather plan. Let's talk to them too. They've got a role to play. This isn't all just about computers. Now, you brought up a point earlier I just want to circle back on, which is complexity. So I just got the latest stats for wireless access point planning for K-12. So as they just figure out how much coverage do I need and how many devices, the new number per student is nine devices per student.

[00:21:30] Evan Francen: Whoa. So what,

[00:21:32] Ryan Cloutier: nine devices per student. So when they're planning their wireless access, uh, volume, when they're trying to decide how many access points they need and what kind of coverage volume they're going to need to support from a device perspective, the current guidance is advising them to account for nine devices per human being in the building.

[00:21:58] Evan Francen: How can I have nine devices?

[00:22:00] Ryan Cloutier: Wearables, I suppose. So we ignore the wearables, right? So we've got wearables, you've got a smartphone, you've got district-issued equipment. So they could have a laptop. They could also have, there's some ed tech technology, they might have a laptop and also have kind of a smart device. Um, you know, part of that is, when they're doing the per-student number, they're also factoring what happens when mom and dad come to school. So now I've got an auditorium, I've got mom, dad, brother, sister, nephew, grandma. Yeah, they've all got 2-4 devices on them, all connected up to the Wi-Fi. So it's just fascinating, because the K-12 building has more technology inside of it than some of the most sophisticated businesses in the world. It's amazing when I started doing these device counts. Even in a rural community, let's say they have what we call a 1-to-1 initiative. So what this means is there's one piece of technology per student. In a lot of cases it's a Chromebook or an iPad or something like that. But each student has their own dedicated device. So if I've got 1,200 students, that's 1,200 devices. That's not including the management network, that's not including the backbone infrastructure. That's not including any of my switches and ports and routers or any of that stuff. It's not including my staff. It's not including my transportation services, uh, technology, my food service technology, my athletics technologies that maybe my athletics field is using or my athletics department. You know, and so when you start looking at that, you're like, wait, one human being, one singular human being is responsible for 5,000 devices. And when you have that many devices, and the listeners who have worked in support know this, um, you don't have any time left to do the right thing, because you're constantly in a break/fix cycle. You're constantly replacing a laptop, fixing a screen, rebooting something, jiggering the RJ45 port that's too worn out. But you don't have time to replace it, so you slap the Scotch tape on it and hope that it holds, right? That's the reality. That's what our poor rural schools are dealing with today: thousands of devices even at the smallest size, and no time or ability. Even if they know the right things to do, they can't do it, because they're too busy doing the day-to-day support work of making sure that Johnny's iPad that he just drop-kicked for the 14th time today is going to work. Right.

[00:24:32] Evan Francen: Well, that does go back to, you know, better funding for schools. It doesn't mean more funding. I said better funding, right? I mean, if you've got some schools... and I'm not a Socialist, but anything that the government provides for you, you're already a Socialist. That's a Socialist enterprise, right? The government is providing something for me. That is what socialism essentially is. And schools are already there anyway, so sort of... but I don't... we have to figure out a better way to distribute income.

[00:25:11] Ryan Cloutier: Well, you know what's interesting is there's a lot of funding now available. Um, so there was some CARES money, and they could spend the CARES money on cyber, but the IT team never knew that, and so we got eaten up by the other departments. Then there's another grant from Homeland that came along, but if you don't know it exists, you don't know to apply for it, and they're not promoting it. Well, then we have the whole E-Rate thing. So one gripe that I've had over the years in working with K-12 is that the majority of K-12 schools in the United States today get their internet, and the associated hardware to take that fiber and turn it into an available internet source for the students, through a grant program from the FCC that's called E-Rate. E-Rate, up until recently, wasn't even considering protecting the network that they paid to have installed. So they provided the danger, they paid for the danger to be present, but they did not allow you to spend that money on things like antivirus, anti-malware or IPS/IDS or any of the, you know, effective blinky lights. There are some blinky lights that do help you. Uh, most of them don't, but a couple of them do, but they couldn't use the money for that. They couldn't use it for managed service. Now there's been a petition through an organization that I work closely with, called CoSN, the Consortium for School Networking, to sway the FCC to say E-Rate needs to be made available to spend on cyber, and we're making some progress in that regard. Well, while that's happening, a new funding initiative has come up, because there are still schools today that don't have broadband access. There are schools today... so we talked about this equity and inclusivity, right? One of the big challenges between urban and rural, not just from a demographic challenge but from an actual availability, is my outer rural communities don't even have broadband available to them. The best they could hope for is a couple of, you know, hotspots, or maybe some rip-roaring 25 megabits per second, you know, DSL connection. Well, how do those students in those communities compete with somebody in my neighborhood who's got a gig fiber connection right to the home? Right. And so they created this new funding stream to be able to bring broadband to the homes and to the schools. Uh, one of the things I just read about is, uh, they're actually taking the school buses that have, like, 5G hotspots on them and they're parking them in, like, the shopping mall parking lot so the students can go work off the school bus. Now, think about the safety element here. You're leaving an empty school bus in a shopping center parking lot and just saying, hey kids, here's where you can go get internet because you don't have it at home. No one is monitoring that, no one's supervising that, there's no staff member present to ensure the students' safety or, crazy idea, the safety of the wireless hotspot itself. Right?

[00:28:27] Evan Francen: And so, but so all those things are good, but they're all more funding,

[00:28:34] Ryan Cloutier: you know, I mean, more funding, but none of the funding actually focusing on fixing the core fundamentals.

[00:28:41] Evan Francen: Right? And sort of leveling the playing field, right? I mean, it's just the problem continues to get worse and worse when, you know, this goes up and this stays the same, right? I mean, simple geometry would tell you that. So that's a challenge, because even if I told you all, like you said, even if I told you all the things, or you knew all the things to do to secure your environment, you don't have the staff, the time. You probably, I mean, most of the stuff you don't need equipment for, right? I wish more people would learn to use the equipment they have better, as opposed to going out and getting more equipment. So to me, that's not the big problem. The problem is you need to use it, right? Mhm. And so, and then it goes hand in hand with what you said before about information security being a life skill. It's not all this... it's the basics, the fundamentals. You don't need an expert. You don't need me or you to go do this stuff for you. You can do it yourself, assuming you have the time and the staff.

[00:29:50] Ryan Cloutier: Well, and therein lies the thing. I actually was just talking with one of the districts that I mentor today, and it took us two years. Two years, and this is with dedicated people, dedicated focus and dedicated dollars, leadership support, all the things that you need to make a successful security program. And it still took us two years to get to the point where we are today, where I said, we're now ready for our first tabletop. We've done enough blocking and tackling. We know what we've got, for the most part. We will never be perfect, but we're at about 97% accuracy. We've got plans for responding. We've got the right phone numbers of the right people, and we printed it off and took it off-site, right. We've done these basic blocks and tackles, but it took us two years. Um, and the biggest reason for that was they were so far away from the start line at the beginning of our journey. And there were tools that had been purchased that they weren't using effectively or correctly, tools that, you know, they were sold at a conference as "this is the answer to your problem," and the vendor maybe forgot to mention you need two FTEs to configure this thing and five FTEs to run this thing. I

[00:31:05] Evan Francen: forgot to mention.

[00:31:06] Ryan Cloutier: I forgot to mention. Right. Um, and now we’re there, and what’s nice though is, keep your eye on SecurityStudio because we’re going to continue to publish some stuff out in the coming weeks. We’re gonna be doing a case study on this district. We’re going to give you the recipe. I’m going to tell you what we did and how we did it, why we did it, why we picked the order of things that we did and how we built support within the leadership, within the non-technical community, how we got the community at large to be on board with that. Because I think that is where everybody could be doing something today. That doesn’t require a knowledge of how infosec works. It doesn’t require a bunch of money, or any money in a lot of cases. But just some basic stuff: how do you start to build support for security culture? Because without that you’re really going to struggle to implement. That was the other thing is, you know, getting something simple like multi-factor implemented was part art, part science. And it was very much a political dance of making sure we had the right buy-in from the right folks before we even mentioned it. We had to build support in the back channel and then we went to the staff with all the support behind us to say we’re doing this for your Mac. And it was basically telling the staff, hey, if you want to get paid on Friday, we have to do this. If you don’t do this, we can’t guarantee you get paid. And all of a sudden all that resistance went away. Yeah, but it was a creative process. And I think that’s what a lot of schools today, and those of you that are listening, if you’ve got kids in your school and you know even a little bit about information security, go down and see if you can lend an hour. You can probably do more to help your school in one hour of donated time than they will be able to get accomplished on their own in three years.

[00:32:54] Evan Francen: Yeah. Well, and you bring up, I mean again, a lot of good wisdom, man. I think we have this instant gratification sort of society nowadays where we’re moving so fast, you know, when you do an assessment of an organization or school, there’s this, uh, I don’t know, desire to go from, let’s say 400 to 700. We got to do it by next school year. Mm. Right. But you can’t, that’s not how security works. Right? It takes time. You have to lay the structure. It’s not that those blinky lights that you buy aren’t effective; a lot of times you’re not ready for it. Right? That’s not your blinky light today. You know, you need to do things like asset management, and actually that’s a great segue. Let’s go into your article. So like you said, it’s on the SecurityStudio website. If you go to the website and under resources, go to blog. You see the article that you wrote, um, top five things to prepare for ransomware in K-12. The number one thing you have listed here is know what you have in your environment.

[00:34:05] Ryan Cloutier: Hello. Basic, basic inventory. Right. What do I have? If I don’t know what I have, I can’t protect it. And if I don’t know what I have, I don’t know how critical it is, because I’m not necessarily going to apply the same level of protection to everything. Not only does that not make sense from a practicality standpoint, but if I’m pinching pennies I might ignore a lower risk thing. I might make that decision. I might decide that the best risk decision for my district is not to worry about the thing that has no PII on it and instead double down on the thing that has all the PII. If I don’t know, we don’t know. And actually a quick story of what prompted that. Working with a district a few years ago and we did an AD map. We did a network analysis, scanned the network, see what we had, and we found a network segment that no one could tell me what it was. I said, what is this? Well, we don’t know. Well, I see a lot of traffic going to it. What’s going on? So we started digging into it and nobody knew. Nobody that had built the network was still there. Well then we started doing some trap and trace, and what’s actually going across this? Lo and behold, we find it’s the public library. So then we go to the public library and we found out that they have a VLAN to the fire station. And so here we now have emergency services traffic routing through a public library, routing through a school district, and no one knew. The fire department didn’t know. They figured they just get the internet from the city and the city says, yeah, you get your internet from us. They forgot to mention that we built a bridge off of the library to give you that internet because you guys were physically close in proximity, and the library didn’t know that they were getting theirs because they said, well, we get ours from the city. Well, it turns out that the school had gotten the grant money to get the big 10 gig trunk dropped in.
And somebody in their infinite wisdom said, yeah, I can pare off a few gigs for you, forgot to write it down, forgot to tell anybody. So I’ve run into that a few times. That’s the most extreme example I’ve seen. But I’ve run into it a few times, and so knowing what the heck you got, especially if you have a high-churn environment. And a lot of times K-12 tech will have low churn at the senior level, those folks that got in early on an Apple IIe and are now the CTO, but you tend to have higher churn at the younger, uh, one-, two-, three-years-experience level, because once they get that three years’ experience they’re off chasing paychecks, right? And so you lose that, you lose that knowledge. So yeah, they may. I knew what was going on, but then they left to go get that next job

[00:36:48] Evan Francen: and you can’t blame them for that. I mean, and

[00:36:50] Ryan Cloutier: the only thing

[00:36:51] Evan Francen: and the thing is too, about your top five: security is security. These same top five apply to the private sector, you know what I mean? It’s like, and it’s just logic. I was talking to a friend of mine, um, today. I don’t mean, you know, some people get, people will get offended, but they always get offended, I guess. Um, like people got dumber after COVID hit, you know, it seems like it, because when you talk about just these straightforward logical things, and I mean I said the same thing to one of the states. You know, I was giving a talk to their blue ribbon commission and, you know, they’re talking about zero trust, they’re talking about this and that. It’s like, can anybody here tell me what the current state of security is here in the state? Right? No. Well then how the hell would I know where I’m supposed to go and what I’m supposed to do and all that other good stuff? I don’t even know myself. You know, so I did a, another one of the organizations that you and I are doing a trial with, uh, you know, for an integration in SecurityStudio. Uh, he did just an assessment using his tool on this state. Mm. My God, man.

[00:38:10] Ryan Cloutier: 1,007 findings. Yeah. Findings.

[00:38:14] Evan Francen: Oh my gosh, right. And I’m not even going to go and talk to this state CISO about that right now because, no, you couldn’t do anything with it. Yeah, it would be just alarmist. I think that’s what sometimes they do. Right,

[00:38:30] Ryan Cloutier: right. Well, what I saw in that, by the way, was an overarching theme. It’s actually not even a security thing. It’s what I observed in the data: the lack of a process. I won’t go into any more details; I don’t want to give away, you know, what it is I saw. But what I saw was the end result of a lack of a process, and had a particular process been in play, 98% of what I saw would not have been.

[00:39:03] Evan Francen: Well, you mean the same thing applies at states, K-12 and at home. Yes. How often do you know people just go and buy something, plug it into the network, and look, now I got this thing that does this thing. Oh, that’s really cool. And then your friend comes over. I want a thing that does that thing too. And so they go buy the thing that does that thing. Meanwhile nobody’s, I forgot about the other 11 things or 12 to 20 things they already have on the network that are doing a bunch of things. And that’s what I was saying back to the complexity being your worst enemy. At some point you have to stop the insanity and just take inventory. What do I have? What am I responsible for? What networks? What equipment? What software? What data? The problem just continues to get worse and worse and worse. Sometimes you have to do it

[00:39:57] Ryan Cloutier: and then if you want to take it to an advanced level, the next question is what does it do for me?

[00:40:02] Evan Francen: Exactly.

[00:40:04] Ryan Cloutier: Yeah, I like that. But then what does it do for me? What is it doing?

[00:40:08] Evan Francen: I love that question. My favorite question to ask is why. Yes, we want to go buy this thing. Why? Well, because. Well, because, you know, it does that. Why? You know, and you get that too from, you know, you and I do a lot of mentoring and, you know, everybody wants to be

[00:40:26] Ryan Cloutier: a CISO. Not everybody, but a lot of people do. But yeah, why?

[00:40:30] Evan Francen: Yeah, I love asking that. So why? And then they’re just like, mm. Yeah. You said you don’t know why; you might want to think about that

[00:40:40] Ryan Cloutier: what I find most surprising with that question, when I challenge back with why, more often than not the first answer I get is “because I want to be able to control the direction of the technology.” And then I have to break their little hearts and say, you do realize that’s not the job, that you don’t get to play with the tech. That’s your, your, so you are a politician, you are a cheerleader, you’re all these things, but you’re none of those technological things that you love, that you think you’re going to have all this sway and influence over, and it’s just not how it works. And when they hear that they’re like, wait, I don’t, wait, I’m just standing around waiting to get fired? Yeah. That’s kind of your job, in a way.

[00:41:26] Evan Francen: You don’t play it right?

[00:41:28] Ryan Cloutier: Yeah. I don’t know. I don’t want that. I wanted to do the tech

[00:41:31] Evan Francen: so for any new person who’s listening, when somebody asks you why you want to be a CISO, you can say, because I love serving people and I want to do everything I can to protect them, something like that.

[00:41:43] Ryan Cloutier: That’s a great answer.

[00:41:44] Evan Francen: You know what I mean? Because that’s why I do it and I think that’s why you do it. 200%. Yeah. Alright. So number one in your list is know what you have in your environment. I agree 100%, and IT asset inventory, it doesn’t sound sexy, it’s not sexy, but you have to do it. And if you’re doing this, you’re going through your asset inventory, keep in mind as you’re conducting that inventory that you’re going to need to build process to make sure that it continues, that you don’t find yourself in the same crappy position that you’re in right now. So things like acquisition: how do we add new things into our inventory? How do we get rid of things in our inventory? It’s not just, what do I have right now? How am I going to maintain this thing I have right now? Right? That’s very important. I love number one, man. Number two, know your risk level. Risk. It’s like the game, the board game kind of risk, or what

[00:42:40] Ryan Cloutier: exactly, you know, you gotta know your level of exposure, you know. And just because there is a risk doesn’t mean that it’s a problem. You know, you and I have talked about this many times, right? It’s impact, likelihood. I have, uh, as a human, uh, with my genes, I have like a 70% chance, a risk, of getting cancer at some point in my life. It seems to run in the blood. It’s a family thing, right? Um, now the likelihood is pretty high, but because I’m proactive, because I have good health care, because I go and get my scans and do these things, the impact is greatly reduced. So I don’t need to run around here like I’m going to get the cancer tomorrow and die from it, because I’ve got a strategy for identifying, yep, responding, right, or containing, yeah, we’re cleaning it up, right, so ultimately eradicating it, and the monitoring, right? And actually cancer is a great example because it lays directly on top of the incident response process. It’s a one-to-one relationship. You first must identify, right? So, I think, you know, all too often the vendors, and I don’t want to just pick on vendors, but all too often our industry as a whole has overblown certain risks while completely ignoring things that, to me, are just flat out alarming. Just like, whoa, you’re worried about that? But that’s okay? No way. No how.

[00:44:09] Evan Francen: Right. Well, the thing is, and I try to tell people this too, you do risk assessments all the time. We all do

[00:44:15] Ryan Cloutier: continuous. It’s hard to be

[00:44:16] Evan Francen: constant. Right? When I put on that seat belt, when I start up that car, when I decide I’m gonna eat this thing or I decide I’m gonna smoke that thing or drink that thing, you’re doing risk assessments all the time. When you drive down the road and you see the light turn yellow, you do this really quick risk assessment. Look around, right? What’s the likelihood of getting T-boned here, or a police officer? You do these things. Those things come natural to you because it’s usually in your physical realm, right, that you’re using. You can touch that stuff. You can see that stuff. You also grew up with that stuff. You and I, me more so, I’m not part of that generation where I grew up with technology, right? I didn’t have a cell phone. Uh, so I, I gap this thing, so I had to learn it as I went. So that’s one of the reasons I know that this is a learnable thing. This isn’t like, oh, you were just born into it. No, you learned it. We all learned it. Uh, and so the challenge is taking this new world, this electronic digital world: how do I make that natural to me? It is natural to me because I’ve been doing it for so long, and it’s natural to you. So how do we take this thing and start it with others? What first? I’ll tell you for sure, it’s mundane. It’s confusing. It’s uncomfortable. It doesn’t feel good when you do your first risk assessment. I think that’s why a lot of people don’t do it. But believe me, on the other side of it is safety. You know, I mean

[00:45:56] Ryan Cloutier: well, and part of that too is how we look at risk assessments. Um, a lot of times, especially if you’ve ever had one, I run into this all the time in schools. I’ve actually had people hide the findings from their leadership because they were afraid that it would be interpreted as them failing to do their job. And what I try to tell people is, just like when you go to the doctor, okay, and you go to the doctor to get your physical, or in my case, you know, I gotta get colonoscopies every couple of years. It’s totally not a pleasant experience, by the way. The procedure, who cares, I don’t remember the procedure, but the day before it is awful, right? But I do this as a preventative, as an inspection, and when they have found things, and they have found polyps and other such things over time, then they deal with them, right? Because that’s part of the management. Um, I don’t get that report and go, oh God, oh, I’ve lived such a horrible lifestyle that I’m now dealing with this. I get the report, and now the doctor did say maybe I should cut back on sugar a little bit and maybe I need to be thinking about the fact that I’m 40, not 20, so some of my invincibility has worn off and I need to maybe eat a few more vegetables and do, you know, these things. But that’s because that’s what I need to do to continue to ride this ride. When we do these risk assessments, that first finding is always going to be awful because you’ve never done it before. Nobody gets their first one and it looks great. It’s just not reality. But instead of looking at it as a negative, as a failure on you and the efforts that you put in your career or your time with this company, look at it as you’ve just never been at this maturity level before. You’ve just never been 40 before. And now you do have to start worrying about eating those vegetables and you do have to start worrying about doing exercise and not just sitting in a chair in front of the keyboard all day.
And so I try to shape the message that way, to say this isn’t a naughty report. This is our roadmap for improvement because we’ve never been here before. So let’s not use it to look at things retrospectively, because I think that’s dangerous. I think if you do that you create more fear and more hesitancy. I think if we use it as, however we got to where we are was good and we’re here, but now we need to do things different to go forward, I think. Yeah,

[00:48:12] Evan Francen: absolutely, man. And it’s like I can’t hold somebody accountable for something that they didn’t know they were accountable for, right? You know what I mean? You do an assessment, so I can hold you accountable for doing an assessment. I can hold you accountable to those things. But that first assessment, the first few assessments, yeah, how could I possibly, you know, come down hard on you when you didn’t even know that these things were there?

[00:48:35] Ryan Cloutier: But our industry sucks at that, because we have come down on them like a stack of bricks. Oh, you better fix all this tomorrow or the apocalypse is upon you. That’s not helping anybody to say, I want to invite you in to help me do this. I want it. Right? So we get that resistance. And that’s why we see a lot of times that only compliance-driven organizations openly invite people into the risk assessment. And if you go to the smaller businesses, you go to the non-regulated industries, they’re like, oh, we don’t need all that. We’re doing just fine. Everything’s fine,

[00:49:09] Evan Francen: right? Right. Well, I am until, and that’s another reason why, if you’re going to do well, eventually you’re going to do a risk assessment, because there’s no other way to do security. It’s part of the equation. When you do it, uh, do it yourself. Right? There’s so much good education in there. And we talked, you know, I’ve mentioned it numerous times about this being a life skill. It’s a new world, right? This is how we operate. Uh, you know, it’s not just about risk and making things better. It’s also about learning. There’s such a good learning experience. Yeah.

[00:49:49] Ryan Cloutier: Well, it’s about making sure I got bacon, let’s be honest. If we don’t start fixing things here, there’s gonna be less bacon available. So for no other reason, do it for that.

[00:49:59] Evan Francen: You do not want to see me without bacon. That’s not good. Number three. Okay, so number one, just to recap real quick and then we’ll get through these last three, I think pretty quick. Number one was know what you have in your environment, for sure. You can’t protect things you don’t know you have. It’s just how it works. Number two, know your risk level, do a risk assessment. Obviously SecurityStudio, that’s what we do. But if you want to do it on a sheet of paper with, you know, a group of staff members over lunch, fine. That’s a start, right. You have to start. You have to do it, and I beg people, please. Number three is air-gap your system and data backups. Why would you ask people to do that?

[00:50:47] Ryan Cloutier: So the only way to guarantee that a backup is safe from cyber criminals is to have it completely physically offline, truly air-gapped. Not just in a box that’s connected to Wake-on-LAN and turned off, but actually removing the data media physically out of the technology and placing it in a cardboard box in a locked filing cabinet, taking it to your neighbor’s house, whatever that looks like. But it’s the only way to guarantee that that backup is safe from cyber criminals. If you put it in the cloud, then if you can get to it, they can get to it. If you have it on a NAS, I don’t care how many VLANs and multi-factors are in between, if you can get to it, they can get to it. The only way they can’t get to it is if it has been physically removed and stored separately. And, you know, when I say that, I also encourage you to store that securely, because if you don’t encrypt that backup and maybe you have an employee who decides to go rogue, they can get to it. But doing that will reduce the amount of time that you’re down with ransomware and it will speed up your ability to recover and get back to an operational status.

[00:52:03] Evan Francen: 100%. Yeah. And ransomware, schools are getting tagged all over the place all the time. So you need to protect, just, they know that they’re going to get paid, right, and now insurance is more and more likely to not cover you if you’re not doing these things, you know. And what I’ve been telling people, you know, go check that back storage, that storage room that everybody has, you know, and see if you’ve got the tape library in there still. If you do, dust it off, reactivate it. Yes, because I don’t know why we decided, I mean I do know why, it’s because of convenience

[00:52:41] Ryan Cloutier: and

[00:52:41] Evan Francen: right, and we’re such, we’re still addicted to convenience. It’s nuts. You know. So, but tape backup, it worked. From a security perspective there was no need to ever change it other than, you know, deterioration of the media over time, blah blah blah. But you could account for that, right?

[00:53:04] Ryan Cloutier: Plus it’s back in fashion. So if you don’t have something, you can go buy some brand new ones. They’re pretty sweet.

[00:53:11] Evan Francen: I’m tired. I have fond memories, man, of Iron Mountain coming, you know, every so often, you know, the same time every time, is it with them? Hey, it’s going, you know, whatever. You remember those? And we were even taking tapes home with me, although that’s not the best place to store it. It certainly protects it from ransomware. Right? You know. Excuse me. Uh, number four is implement multifactor authentication. So, for listeners who don’t know what multifactor authentication is, just real quick, there are three factors to authentication. It’s something you know, something you have and something you are, right? Those are the three factors. Something you know, an example would be a PIN number or password, something in the head. Something you have would be something physical, whether it be a phone that you get a text message on, or a dongle that you put into the USB port, whatever. It’s something you physically have. And then there’s something you are, which would be, yeah, you know, biometric, maybe a fingerprint scan. When we say multifactor, we’re usually referring to something that you have and something that you know, right? That’s the most common implementation of multifactor. The reason why this is really, really important is because phishing is still the number one way to get into your environment. All I have to do is talk you out of your password, right? It’s really hard to talk you out of your phone. I can do that, but it’s a lot more work and it’s probably not going to happen.

[00:54:40] Ryan Cloutier: Exactly. And you know, it’s a good stopgap measure. And the reason I put that on the list is because multi-factor, if you have implemented it, can be the first indicator that something funny is going on. And so not only does it act as a, uh, why can I not say this, a preventative control, but it’s also a detective control,

[00:55:10] Evan Francen: yep. Yeah, good point. Which then leads into your number five. So where to use multifactor authentication: in my opinion, there’s absolutely zero excuse anywhere, at any time, for any externally exposed resource not to be secured with multifactor authentication. So the remote access, be it your email, you know, if you have remote access to your email, uh, all your logins, you know, for, what are those, one of those school management technologies,

[00:55:40] Ryan Cloutier: the information system.

[00:55:41] Evan Francen: There you go. All should be multi-factor. And it’s gonna, like you said, you have a ton of experience, you’re going to write this case study. I’m super excited to see that because you went through the process of getting a school district that didn’t do it to doing it and embracing it, so huge success. It can be done

[00:56:03] Ryan Cloutier: and we actually just announced today we’re going to be mandating, uh, VPN with multi-factor for all access to district resources going forward. Hard stop. Don’t expose district resources that are not public resources. There are some that have to be public for mom and dad and the community at large. But when it comes to anything that has sensitive data, no longer will those be allowed to be publicly exposed in any way, shape or form to the internet. You will have to VPN in, then you will have to MFA every single time. You won’t be able to do “remember me.” So I’m very, very excited about that, because let me tell you, that was a hard sell.

[00:56:45] Evan Francen: Those are huge wins, man. A lot of times the work that we do, we never get thanked for, because the people that we’re protecting never know that we’re protecting them, right, doing the best job we possibly can. So all that hard work will pay off. I know that there are some listeners, you know, some, you know, leet hackers, “well, but I can still hack it.” That’s not the point. When people say that stuff, it makes me laugh, as you don’t understand what the goal is. The goal is risk management, not stopping all you little hackers. Uh, so I always think that’s funny, but you mentioned multifactor authentication can be used as a detective control, which then, you know, what I can’t prevent, I’d better be able to detect, and once I’ve detected, I better have your number five, a response plan. No excuse for not having a response plan.

[00:57:36] Ryan Cloutier: Well, and you don’t have to start out with some crazy overblown plan. The other thing that I did with this district that will be in this case study is we walked our way into it. As a matter of fact, there are still about three sections in our IRP that need to be filled in. Hey, we’re not done, but we’re ready. We’re functional. We’ll be able to manage an incident. We’ll be able to get the right folks engaged in a timely fashion and get our hands around it way better than we would have, say, two years ago. There’s always room to improve, and it’s continuous improvement. Where I have seen folks fail time and time again is trying to achieve perfection out of the gate, trying to create this incident response plan that is 977 pages long and completely ineffective because of it. A three-pager is a great starting position. A three-pager can do more to get response happening and start activating the other legs of the stool, if you will, than going with this big one. We did the same thing with our DR plan. We started out with critical assets first. We started out with about 35 assets. Let’s just make sure we know how to turn them back on. And then because we got that down good, got the process good with a small subset, we were able to then scale that.

[00:58:57] Evan Francen: Yeah, absolutely, man. I mean you can start with your incident response plan on a map, yellow, you know, and start with a phone number. Who would you call? Yeah. And that’s a plan. That’s the start. Then start expanding out from that. Right. Start talking about, well, what inputs might I have into this plan, meaning what are the detective mechanisms? Is it a person who called the help desk? Is it, you know, because you have to work through the workflow. Right. But yeah, trying to get that. And there’s no such thing as a perfect plan. There’s no such thing as a perfect policy. There’s no such thing as a perfect risk assessment. Perfection would imply risk elimination. Again, that’s not the goal. So having a plan that is functional and having a plan that lives, it continues to mature. Where you eventually want to get with a good incident response plan is to make it an operational plan, meaning you’re always using your incident response plan because you’re always having incidents, right? Because an incident doesn’t mean it’s like a breach. There are low severity incidents, medium severity incidents and high severity incidents. Usually it’s only the high ones where you bring the incident response team in, but you’re having incidents all the time. People are losing their passwords. You know, those things need to be noted, but that’s the other end of the maturity spectrum. Right. Right. Start here. But having that in mind is helpful as you march down the path. Right.

[01:00:26] Ryan Cloutier: Exactly. And, you know, it’s defendable. I can assure you, by the middle of 2022, if you do not have some type of cobbled-together incident response plan, if you don’t have multi-factor authentication in place, if you are not air-gapping your backups and you can’t say what’s on your network, you probably are not insurable. You may very well, if some of this legislation passes that I’ve seen, you will be found to be grossly and willfully negligent. Especially, uh, for those of you listening, if you work in critical infrastructure or you work in anything that looks like it might turn into critical infrastructure, you guys are gonna get it first, and they’re not going to be nice about it. I’ve seen some of the initial stuff that they’re talking about doing. It is very much a boot-on-the-neck approach,

[01:01:17] Evan Francen: which it should be, because one of the things we’ve been missing for so long is accountability. Who’s responsible for what? And then just saying it and not actually holding them accountable is like, you know, threatening to punish a child and never actually punishing them. There’s no consequences to their bad behavior, so they’re never going to stop it. I love the fact that they’re doing a lot of those things, but I also think, when I think of education, and I had this discussion today with the state of New Jersey, their folks, um, we don’t do this for the money.

[01:01:49] Ryan Cloutier: No,

[01:01:49] Evan Francen: I mean when you work in education, when you work in state and local government, you can get paid more in other places. You do this because there’s something special about you, something special about the people you’re serving. So even beyond, like, the negligence, when you don’t do these things, at least these top five, start here. You’re actually hurting the people you’re trying to serve versus serving them. You’re kind of going against your whole purpose. So look at it that way. Maybe that’s not really, yeah, will help you. I mean, crap, man. My wife yells at me all the time because I failed you. I wanted to say no, I’m like, I can’t, I’m addicted to yes,

[01:02:36] Ryan Cloutier: that’s probably, you know, I’m catching grief, you know, it’s not the weekend with me. I caught grief for working on a workday. I

[01:02:44] Evan Francen: know, man. My wife doesn’t listen to podcasts, so that’s good, and don’t you tell her about this in there, but I was so engrossed in my work on Monday evening, I didn’t go to bed, looks, yeah. So I was up from 6:30 AM and it wasn’t because I was, you know, it wasn’t like an incident. I was just getting into my jam, man. It was a good, good night. And before I knew it, it’s three o’clock in the morning, and I have my meeting with Antennas for 30 Tuesday. I’m like, well, I can just cancel, or I’m here. Well, I guess I’ll just take the meeting. Yeah. One thing led to another

[01:03:24] Ryan Cloutier: Careful with that about, yeah, I got some catching up to you.

[01:03:29] Evan Francen: Oh, it does, it does. My body tells me. Like this morning when I got up at seven a.m., my first thing I thought was, what did I do yesterday afternoon? And did I make any sense? Mhm. So I replied by my meetings. I’m like, I think I’m good. I don’t think I said anything stupid, because you do. One of the things people don’t realize, maybe some people do, is you really make a lot worse decisions when you’re super tired. You just don’t make the decision. All right, awesome, man. I love this episode. I’m excited about next week. Uh, you and I got a chemistry, just like me and Brad got a chemistry. Just cool. So thanks for, thanks for that. Any shout outs for you this week, real quick?

[01:04:13] Ryan Cloutier: Uh, if you’re in the Miami area, come find me next week. I’ll be down at the MSP Expo and the IT Expo at the Miami Beach Convention Center. Come find us. SecurityStudio will be there, we’re in booth number six something. We’ll get it into the show notes. Look at the booth number. But come find us, stop by, say hi, I’d love to chat with you. We’ll have some of Evan’s books that we’ll be giving away. So for no other reason, come get your free copy of Unsecurity.

[01:04:49] Evan Francen: And if you don’t know how to read, it’s good kindling.

[01:04:51] Ryan Cloutier: Well, I mean, you could, I guess, but, oh yeah. So come, come find us. We’re gonna be there, having a good time.

[01:04:59] Evan Francen: Love to chat

[01:05:00] Ryan Cloutier: with you. Good to meet some of you guys.

[01:05:02] Evan Francen: So you’ll be in Miami, and next week I’ll be in Orlando on a panel with some really good guys. ConnectWise there. Uh, IT Nation

[01:05:14] Ryan Cloutier: or whatever. Yeah, I know those guys. Yeah.

[01:05:16] Evan Francen: Yeah. But everything they got going on down there. So somehow I got into that. I didn’t say yes. I think someone just volunteered me, and next thing I know, I was there. So

[01:05:25] Ryan Cloutier: That’s how that happens.

[01:05:26] Evan Francen: Yeah, it is what it is. Uh, thank you to our listeners again. Thank you, Ryan, for a great conversation, as always. And I love, I love talking to you. Uh, if you have something to tell us, or you know, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter. I’m @EvanFrancen. That’s it. We’ll talk to you next week.