Transcription of podcast episodes.

Evan ran across an article this week titled “15 Security Pitfalls and Fixes for SMBs.” Small- and medium-sized businesses (SMBs) tend to be an underserved market, and with many businesses starting to regain their footing post-Covid, now is a great time to discuss SMB security. Brad and Evan analyze the “15 Security Pitfalls and Fixes for SMBs,” provide their thoughts on the list, and give recommendations for those in smaller businesses to avoid these cybersecurity mistakes.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats and stay insurable and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the Unsecurity Podcast. This is episode 126, and the date is 9 April 2021. Joining me is my good friend, great guy and infosec expert, infosec being short for information security, to say thank you.

[00:00:40] Brad Nigh: appreciate it

[00:00:41] Evan Francen: Yeah, I just want to be clear, Brad Nigh. So welcome, Brad.

[00:00:46] Brad Nigh: Good morning.

[00:00:48] Evan Francen: Good morning. We were just talking before the show how sleep deprived we are lately.

[00:00:53] Brad Nigh: Yeah, well we’re recording today because I woke up yesterday with like four with a migraine that finally cleared up about three in the afternoon of I was able to at least function from about starting at nine. But I woke up and I was like, you gotta be kidding me. Evan is gonna be like, what is he don’t want to do this anymore.

[00:01:15] Evan Francen: Now. You know me man, I got smart.

[00:01:18] Brad Nigh: I know it’s just been crazy the

[00:01:22] Evan Francen: because I don’t even, and I actually don’t even question that stuff, you know, because you know, number one core value is tell the truth. So I give people the benefit of the doubt man, this is how we are right? So when I come to you and say like, hey, I got this thing, you know, you, you give me the same, you know?

[00:01:41] Brad Nigh: Absolutely, yeah, yeah. It’s been uh like you’re talking about, it’s been like I’ve got 20, is supposed to be better. It’s been a crappy, like late February through early April so far.

[00:01:58] Evan Francen: I know man, it’s gotta get better. That’s, you know, me being a faith guy and you know, and I have, I don’t I’m pushing on people and I don’t, you know, we’ve got our beliefs right? Yeah, you got your own thing, but the uh I was telling a buddy of mine, you know, another Christian friend of mine that uh you know, when you talk about like spiritual stuff, right? And you’ve got God and you’ve got Satan right, you’ve got good and you have bad, you know, maybe and so it always seems like the people that are being the most effective or that are on the verge of some kind of breakthrough are the ones who are getting attacked the hardest.

[00:02:43] Brad Nigh: Yeah, yeah. I always one of my things. I like to joke and say it was like, you know, I know guy wouldn’t give me more than I can handle. I just wish you didn’t trust me that much, right? It’s like, come on. But anyway, yeah, we’re yeah, getting through it.

[00:03:02] Evan Francen: Well there’s, there is, I mean there’s blessing there’s grace, there’s good things on the other side of it man and we were talking about that too, right, when you’re, you know, you just be persevere, right? A lot of these things are outside of your control. But you know, you lead by example. I love the way you leave your family and as a friend, it’s cool to see it. So

[00:03:22] Brad Nigh: yeah, I’m like, I’m so I was I shared with you yesterday. My oldest guy uh, asked to be a recommended by one of her teachers to be an editor for the school newspaper. Yeah, freshman year. And it’s a pretty big thing. I was like, awesome. I’m so glad you got your mom’s school like study ethic than rather than my mind was in high school, wait till the last minute and do as little as possible to get by,

[00:03:52] Evan Francen: right? Yeah. Michael’s sports school or sports girls. Yeah,

[00:03:59] Brad Nigh: drinking. So I didn’t, I didn’t drink in high school, but it was, yeah, it’s not a wasn’t a bad like disruptive student, but I would not consider myself has been a good student in high school.

[00:04:13] Evan Francen: Yeah. I look back in high school and I think I was a lot the same. I was more of a protector than I was, you know, Like I was telling my daughter she’s 16, you know, um, about yeah, there’s just got this friend who if, if I was back in high school, his name is, uh, name is his name crap. But anyway, I would have called him something then when he gets called today. And I had a and it reminded me back in high school where I had a there was a guy who man, he was so full of himself, He was mr king of everything, right? And and his name is Bill Bader, B.

[00:04:55] Brad Nigh: A D. E. R. Okay.

[00:04:58] Evan Francen: Now he’s probably off, you know uh CEO of a company doing great. I don’t know, I haven’t you know that was a chapter of my life that’s closed now and you know you’re onto another one. But yeah I used to call him Master.

[00:05:11] Brad Nigh: Uh huh. She said his name like I knew

[00:05:16] Evan Francen: yes master. Yes Master. And he would get so pissed off that I was that kind of guy.

[00:05:21] Brad Nigh: Yeah. More of the class clown.

[00:05:24] Evan Francen: Well yeah and I don’t like you know, just like today man, the only the thing that gets under my skin the most is people taking advantage of other people. I hate it. You know what I mean? That’s why I don’t get too wrapped up into politics every once in a while I’ll say something. But because that’s all politics is to me, you know, is people positioning themselves manipulating others lying, whatever they can so that they can get elected. That’s why I don’t play uh I’m gonna go down that path and it’s gonna get masking so

[00:05:55] Brad Nigh: yeah, I’m with you. So yeah security uh a security will make the awkward transition because I’m with you on like yeah we’ll go off on a rant. Uh

[00:06:09] Evan Francen: Just hate people taking advantage of other people. I don’t hate the people, I hate the action of taking advantage of somebody else. And so you can apply that in, I think so many places in life, whether it’s, you know, protecting somebody from a bully, you know, in high school or you know, doing what you can to step up and step, you know, for somebody or like today we’re gonna talk about, you know, that small, small to medium sized businesses, they get taken advantage of in numerous ways. I think one way they get taken advantage of is obviously the attackers like the people who come in, you know, plant ransomware or business email compromise or whatever else, right? And take advantage of the small business, but then you’ve also got the people inside our own industry, I call them the wolves in sheep’s clothing who are peddling goods and services to these small businesses that are not the right fit uh, a waste of money and they don’t have money to waste. And that also pisses me off.

[00:07:11] Brad Nigh: I think that pisses me off more.

[00:07:14] Evan Francen: Yeah,

[00:07:14] Brad Nigh: right? We know attackers are not ethical, we know that, you know, to expect that from them, but when you’re in the industry or selling into the industry and then taking advantage, that’s, that’s bad,

[00:07:30] Evan Francen: right? Yeah. I mean it also not only does it, uh hurt them, but also it makes our jobs that much more difficult, right? Because you give us a bad, you give the rest of us a bad name.

[00:07:43] Brad Nigh: Yeah, they, that small business has a bad experience where they get sold a bill of goods or you know, pay a huge price tag and something happens because it wasn’t the right solution. It was configured properly. Now there, are they going to trust anyone else?

[00:07:59] Evan Francen: Exactly, exactly. Yeah. So yeah, so we’re gonna talk about that today, we’ll talk about these 15. So I came across an article, I don’t know, yesterday, day before, I can’t remember what day it is anymore. But there was a day when I came across an article, it’s “15 Cybersecurity Pitfalls and Fixes for SMBs.” I’m gonna talk about that. And then I also want to talk about how we’re going to transition, I think, the show and start inviting some really cool guests on a pretty regular basis. So we’re gonna start actually, it only took us 126 episodes before we’re like, hey, let’s let’s formalize a schedule, then be cool.

[00:08:41] Brad Nigh: I mean, I kind of a lot about, I mean it’s how we, we roll, it’s kind of like, well just, yeah, we should probably do something,

[00:08:49] Evan Francen: right? Yeah,

[00:08:51] Brad Nigh: maybe not. We get quite so much.

[00:08:54] Evan Francen: Well, totally man, because like, I didn’t even, I got up yesterday morning, I got up at four or something in the morning, like, oh, we got the podcast today, What are we talking about? Oh, crap. We didn’t do show notes and what I don’t know. So that’s why that’s what I was like, oh yeah, let’s do this. And so yeah, that’s what leads us to this. Uh, but you’re right man, this is life right last minute. It’s funny. I have a talk coming up and I don’t, I don’t even remember, cause I’m trying to do a little less talks. I don’t, I don’t necessarily like them because it takes so much time usually to prepare for them and you know, and I like to create stuff like a new solution to something or

[00:09:42] Brad Nigh: yeah, it’s, I don’t, I don’t mind doing the talk itself and getting up and doing, it’s all the prep work that, you know, people don’t realize, you know, you’re going up there for an hour, but it’s, you know, for six hours depending on what you’re talking about. If you’re creating something new, could be even longer, Right? Figure it out. I know what you’re going to talk about. Being familiar and comfortable with the information, you know, with the content. Yeah. It’s a lot of work on the back end.

[00:10:15] Evan Francen: It really is. And I think a lot of speakers will just reuse, that’s why it’s probably to just take the same talk and maybe I’m, maybe I’m going to create three or four talks for the year and I’ll just give those talks. Well I’m more a d d so I’m like, I want to talk about this. But I’ve never talked about that before. So then I got to go create all this stuff. Anyway, there’s this, I guess pretty big good size conference and infra garde thing coming up. Mm I don’t know. Not me. I think only I should find out what it is. But they, they emailed me, hey, you know, thanks for being a speaker. And I was like, I don’t remember ever like, did I do this? Did marketing do this? I don’t know who what this is. So thank God they have a page dedicated to the speakers so I can see what, you know, I’m like, what am I even talking about? So I look and I’m like, oh, okay, I can do something about that. So then, yeah, we create, you know, but you have to create and then they want to make like my slides like, you know, it’s a month before the talk and you want my slide deck already. I don’t break my slide deck until about 15 minutes before I’m ready to talk. And then even then I’m making changes.

[00:11:40] Brad Nigh: Well yeah. And we get a lot of really custom requests, especially from customers like in May, I’ll be giving a talk to a health network I guess. Uh, they want to know a review of just how all the different health, all the different affiliates scored on as to what trends and what are, you know, what can they do with that as a whole to work together to get better, you know, where is there any trend that they can do something as a group, Right? That’s a lot of work to pull all that info together and create, you know, a slide deck when you’re looking at probably 15 ISH, different entities that I have to look at and figure out what I mean. That’s gonna be a lot of work.

[00:12:34] Evan Francen: I’ve also found it difficult to find good data in our industry. You know, we’re supposed to be such a data driven industry. But most of the data I see, you know, or find when I’m doing research for things just either old. I mean Past 12 months, you know what I mean? Things move so fast that really in certain instances, anything that’s older than that is kind of, I mean as the, as it ages, it becomes less relevant, right? If there’s if things are pretty stagnant then their data sort of lives longer. But, you know, if things are moving quickly, moving quickly, moving quickly, your expiration date, um It’s almost like an expiration date on milk versus an expiration date on cheese. Mhm. You know, I mean milk, that expiration dates like a couple of weeks, right? Usually something like that. Whereas cheese, I mean, I just scraped off some I’m not gonna tell you about that year. Me. I mean, I don’t know, it’s a long time.

[00:13:33] Brad Nigh: Yeah, fully agree. So

[00:13:38] Evan Francen: yeah. All right. So anyway, we got that. Uh So I’m excited. I think one of the uh it’s not I got a whole roster of people that I think we’re going to have that our listeners will really enjoy hearing from Because you know, after a 126 episodes it’s not like you and I don’t have cool stuff to say, but I’m like oh bring in someone else’s perspective. Might be really fun.

[00:14:02] Brad Nigh: Well, I mean that’s what we talked about. Like you want a diverse team. Well, same concept. Let’s get you know, there’s many people’s opinion and talk through things and I’m going to guarantee it at some point we’re not going to agree with, you know what they say. But it’s a good that’s always a good discussion of.

[00:14:22] Evan Francen: Yeah, it’ll be fun. I’d love yeah, it’ll be fun when somebody comes on your tries to sell something.

[00:14:28] Brad Nigh: Mhm. Oh

[00:14:30] Evan Francen: no. You know what you need, you need Darktrace and not about it. I was like okay this isn’t gonna go well probably, I

[00:14:37] Brad Nigh: didn’t tell you this. I got something I maybe I did I’ve been getting bugged quite a bit about uh somebody about how how we can better monetize the podcast and we should share pollution and it’s like, come on, right. Although it’s kind of cool that we’ve gotten to the point where people are, you know, reaching out to us for that.

[00:15:02] Evan Francen: Yeah. Well you know, it’s uh Madam C. A. T. V. S taking me all over the place this morning. The, there’s account, there’s an organization. So SecurityStudio and FRSecure, both doing really, really great. But SecurityStudio, it’s a software as a service company, right? So you always gotta push faster

[00:15:21] Brad Nigh: faster.

[00:15:22] Evan Francen: That company is not constrained by people, right? Like FRSecure, the hottest commodity, the most important commodity we have are the people

[00:15:32] Brad Nigh: we tell the analysts and consultants time. I mean, at the end of the day, that’s what it is. It’s that expertise

[00:15:40] Evan Francen: and it’s hard to find good people and I don’t, and I’ve told people, I don’t know how many times I don’t care about your skills.

[00:15:48] Brad Nigh: You know, we can keep skills.

[00:15:50] Evan Francen: Yeah, just, you know, be a good person, be genuine. Be somebody that I would like to hang out with and if I were drinking beer, I would drink beer with you. Right. Be that kind of person. Um, yeah, I don’t know how I got off on that tangent. Uh, but that was, oh, sorry, that that company is growing, SecurityStudio, but we’re going to take an investment. I think we’re gonna take an investment. Uh, so that we can accelerate certain parts right? At some point, you have to do it, every, every software as a service company. If you want to grow, that’s what you have to do. Uh, but one of the, one of the people uh, that I was introduced to, that’s also in this investment pool is SquadCast.fm, Zach Moreno. Uh, so we might start using some of their stuff because I got to know him. He’s a cool dude. I think you’d enjoy his background, I realize his background, his motivation is a lot like ours.

[00:16:49] Brad Nigh: Yeah, I have no issue if if we find a better solution on our own. It’s just when yeah, I believe it is. Hey, I can, we can make you more money. That’s you get the point.

[00:17:05] Evan Francen: He totally missed it. Right. All right. So this article, this uh, its title is “15 Cybersecurity Pitfalls and Fixes for SMBs,” and SMB, small to mid sized business. The article features a round table discussion between, and I’ll mess up some names I’m sure, Timur Kovalev, that’s the CTO of Untangle; Erich Kron from KnowBe4, who we were just talking about before the beginning of the show; Greg Murphy, the CEO of Ordr. Uh, this was on Threatpost and they gave their take on what SMBs think about information security, the common mistakes that they make and how they think they can do things better. So, um, I like kind of dissecting these things because in our opinions, opinions are cool, right? As long as they’re coming from the right place and we have no shortage of experts and I say, you know, air quotes experts too, so you have experts, then you have experts who aren’t really experts and then whatever. So I wanted to go through the list and see if we agree, disagree, if we have something to add to the discussion,

[00:18:18] Brad Nigh: You know? And this is kind of a funny coincidence, I had a was supposed to be a 30 minute call. It turned into about an hour and 20 with a 22, 23 person company uh last week that they were they were very, very unhappy with their current infosec uh provider. I won’t even call it a partner because they have like kind of some of the things that I was sold. But yeah, it was they basically were sold old. Hey, you do this and you know, it’s a here’s boxed HIPAA compliance, right, go with us and you’ll be HIPAA compliant right away. And she said they’ve been with him for like within six months. She was like, what have I done? What? I don’t I’m not getting any value. And so I’ll be able to kind of talk as we go for this like real world, like what recent, what are they going through it? Mhm.

[00:19:26] Evan Francen: You know, it’s really common when we were intentional when we started FRSecure that we were going to not abandon these underserved markets. We’re not going to abandon the small to midsize businesses. Uh because what happens often in our industry as companies come into this industry to start a business and we start serving the small midsize businesses and then as quickly as you can, you move into the enterprise. Mm everybody wants to play in the damn enterprise. And it’s so damn competitive. Whereas you know, the rest of the world, the 80% or whatever is less, sort of floundering, right? You look for, they try to create automated solutions, quick hit solutions, ones that they can monetize them, um, scale right quickly. So, you know, this SMB thing is really important for us because we’ve been intentional about it. We’ve had the opportunity, we’ve had many people come into FRSecure, leaders who want to push us into the enterprise. We got to go after the enterprise, go after the enterprise. Like why?

[00:20:32] Brad Nigh: Well, I mean, you’ve got a

[00:20:34] Evan Francen: pretty well served right now.

[00:20:35] Brad Nigh: Right, well you’ve got a Fortune 500, you’ve got 500 companies. Well, how many small to mid sized businesses are there? Right. I mean multitudes more. Right. You know? Yeah. And yeah, I’m with you. Like why go try and fight with other people and this like highly competitive. They’ve got all the services and offerings they could need when we can help people and and still, like you said, MS mission before money, right. If we help these people and do it right, the money will come. I’d rather work with 25 small to mid size rather than one enterprise.

[00:21:17] Evan Francen: Well, for sure. I mean, Equifax doesn’t go out of business when they have a breach. Target doesn’t go out of business with a breach. Facebook isn’t going out of business because of their latest breach. But these small to mid sized businesses, the majority of them do go out of business because of a breach, you know? So yeah these are a big deal for me. So the first one, the first one out of the 15 common SMB mistakes. So this came also from like a I guess a study that they did uh where they said you know, how confident are you in your ability to you know be resilient or how prepared are you for an attack? And this was a study of I guess a bunch of SMBs and 57% said they aren’t confident. Which I think is an interesting number right there because that seems high to me. I mean low to me, I’m sorry, it seems like if I talked to SMBs, more than 15 are not confident in their ability or confident in how prepared they are. 29% are medium confident, 14% said they are rock stars. Like to know the SMBs who think they’re rock stars.

[00:22:29] Brad Nigh: Those are the ones that get hit the artists because they they probably think and maybe maybe they are. But yeah it’s not that would be surprised based

[00:22:40] Evan Francen: on when you put when you put yourself out there and say rock star usually the next thing I’m going to get served some humble pie.

[00:22:47] Brad Nigh: Yeah exactly

[00:22:49] Evan Francen: crap. I think uh

[00:22:52] Brad Nigh: we’re an SMB. And there’s still stuff that we’re constantly working on, right? Like regardless of how good you think you are, there’s always going to be something and as soon as you’ve kind of get cocky about it and quit looking, that’s when it hits you. So I mean, I think we’ve got a we’ve got a very solid security program but we’re still improving, still updating and upgrading and doing things to stay on top of it. So

[00:23:25] Evan Francen: Yeah, and I don’t think I never called myself a a rock star, I mean, yeah, really good fine. But rock star to me means like you got a mailman go to, you know, I guess rock stars, you gotta nail go take some drugs, but I’m not doing that right? It seems like the rock stars go there. Yeah, Alright, so number one mistake, they think they think they’re too small to be a target.

[00:23:50] Brad Nigh: I would agree with that as a pitfall. I mean we hear that and I are like, I can’t believe that I got hit where you know people and we do this very niche thing. Yeah. Yeah, the attackers don’t care,

[00:24:10] Evan Francen: right? Yeah, I think I do think and that’s always been the mentality right? There’s two things I think that mentality one is were too small to be a target, right? Who would want anything that we got? I mean we’re just, you know an HR company or you know,

[00:24:26] Brad Nigh: even manufacturing is a big like, yeah, we need a widget or we do, I don’t want steel stamping, right? Like it’s not anything. Why would anybody care?

[00:24:39] Evan Francen: Right? Yeah. Take Fazio Mechanical, right? In the Target breach? It’s an HVAC company. What are you going to get out of that? Well, maybe 50 million credit card numbers, right. So yeah, and I think the other piece is, just people still think it’s just generally not going to happen to them because it’s never happened to them before, so they’re like, it’s not going to happen, not going to happen to me, that happens to, you know, Johnny down the street,

[00:25:09] Brad Nigh: 100% here. That

[00:25:12] Evan Francen: which, you know, and we stand here screaming and it is going to, but you know, that’s a whole other thing, you know, Have we cried wolf too much to where they’re like, I’m not even listening to you anymore.

[00:25:25] Brad Nigh: Yeah. Oh yeah. There is so much fun out there that people I’ve had to deal with for so many years.

[00:25:36] Evan Francen: Yeah. So this number to our mistake number two, no business risk evaluation. Why the hell would I do that? I

[00:25:47] Brad Nigh: mean,

[00:25:48] Evan Francen: you know, it takes us back to the definition of information security, right? It’s risk management and it’s good to see that the industry now, I think it’s starting to look up more to that because you see it more Like 5, 10 years ago. This wouldn’t have been on your list because people weren’t talking risk like they are today. That’s good.

[00:26:10] Brad Nigh: Yeah I agree. And I think you’re seeing, you know, we’ll see CMMC and some of these other things that are requiring it and you know it’s like oh well I guess it is kind of important. Oh I but yeah I agree. I would say we’re definitely seeing more outside of what you would expect, you know like healthcare and finance and banking, that’s the majority of our customer base is in that arena and maybe some insurance things like that but they have to because they’re regulated, then they were required, or we’re now starting to see manufacturing, CPAs, law firms, more of these so what you wouldn’t consider it traditionally or what you wouldn’t see, right? So you are starting to see a lot more of these small companies realizing that oh yeah we should probably be doing something.

[00:27:18] Evan Francen: Well it’s gonna start with risk management too. I mean that’s the, Erich Kron is the one who I think gives some good stuff here, you have to do a risk assessment.

[00:27:29] Brad Nigh: Mhm.

[00:27:31] Evan Francen: Now I agree that this is heavily regulated industries um there’s a big difference and I know in my own life between being told what to do and doing the right thing, you know, most self motivation versus somebody forcing you to do something and I mean that’s what it comes down to. Either you get this right yourself, do the things you’re supposed to be doing as a responsible business leader, as a responsible owner or you’ll be forced to

[00:28:02] Brad Nigh: uh

[00:28:03] Evan Francen: which do you

[00:28:03] Brad Nigh: prefer? Right? Yeah. And you know, he has a really good example in there, where you say he’s talking to his chiropractor and chiropractor’s like if there’s nation states out there doing things like SolarWinds and they can get the big guys, I don’t stand a chance. So why bother trying?

[00:28:23] Evan Francen: And it’s the wrong mentality,

[00:28:25] Brad Nigh: right? Because it’s not the nation state. So you have to worry about what? Yeah, here’s the thing. The people that are doing something are going to be in better shape than that, because even if you just, you know, something simple, turn off ICMP responses from externally faced, right? Well, if he hasn’t done that, they’re going to light up before you do. All right, it’s just you know, they’re gonna the attackers are going the path of least resistance

[00:29:00] Evan Francen: and SMBs for sure.

[00:29:02] Brad Nigh: When you Yeah, exactly. When and where you go, what are you gonna do? You are the path of least resistance,

[00:29:09] Evan Francen: Right. Well, and you see that mentality changes when you get into large business, because I I remember working for a big big bank and uh I was talking to the CISO and and he got up and gave a talk to the entire security team and it was a good sized team. And he said we don’t have to be secure, we just have to be more secure than the other guy. Now that that mentality for me works fine in small to mid sized businesses, but an enterprise, that is not the truth. Enterprise, you’re targeted specifically for reasons, right? They’re not looking for the lowest hanging fruit at JPMorgan versus uh you know, Wells Fargo versus U.S. Bank. They are specifically targeted. Small to mid sized businesses, yeah, you’re the, you’re the lowest hanging fruit. You’re the one that looks the most interesting. That’s where I’m gonna go. And oftentimes the small midsized businesses, they’re either attacked directly, like this is a quick hit ransomware, gonna get some money there, or in the in the worst case scenarios it’s, I’m gonna pivot here, I’m going to use this like i.e., Target, I many, many, many third party risk management type breaches. I’m going to use this SMB and pivot into the bigger companies.

[00:30:29] Brad Nigh: Yeah, or you know, we, we had an IR where they had a wire, it was wire fraud and they, they found out because their vendor was like uh are you gonna pay us? What’s going on? And I mean it was, gosh, I don’t remember the exact amount, I want to say it was like 10 grand or something, like not insignificant. And then as we started working through it and they started looking, it had been going on for like several months, like three or four months, at least something like that. I don’t remember the details, but right. Like that’s a tangible. Uh can you imagine losing 10 grand a month as a small company. That’s that’s not an insignificant amount to to try

[00:31:17] Evan Francen: and you keep down another false mentality. Illogical. It’s not reasonable. It’s not using reason to think that. I mean, we say it’s gone on for a couple of months. Why didn’t you attend to this at the very beginning? It’s not going to go away. It doesn’t just disappear. It’s not like, oh look, we’re good now

[00:31:38] Brad Nigh: you’ve got to make fundamental changes or it’s, you know, like how did nobody notice that the nah transfer the bank account information change?

[00:31:52] Evan Francen: Like, yeah, you have a wound on your forehead and it’s getting bigger. But don’t worry about it. They’ll go away. Right? All right. So mistake number two. No business risk evaluation. Every small business everywhere. I don’t care profit nonprofit government. Public private. We must do risk assessments. Do risk assessments that are simple, easy to understand. Effective measurable. Um, and then make risk decisions, right? Because just doing the assessment that’s where people stumble to. They just do the assessment and like, oh, we’re good now. No, you’re not. This is, this is a new habit that you need to learn. And just like any other new habit, right? It’s uncomfortable at first. You have to fight through that. Do your assessment. Make risk decisions, build roadmaps, execute on road maps, come back, do the whole thing all over again, becomes part of your normal business operations, right?

[00:32:52] Brad Nigh: Oh yeah. And we talk to people all the time and like do this and document if you are accepting the risk, that’s fine, that’s completely legitimate decision. But you need to document that you’ve at least looked at it and why you’re accepting it,

[00:33:10] Evan Francen: right? And I’ve heard that so many times too, the illogical argument from CEOs or CISOs elsewhere. Well, if you tell me about, if you tell me about a risk, we’re gonna have to do something about it. So that’s their justification for not doing a risk assessment. I’m like, you understand that risk ignorance isn’t going to defend you, you know? Right? So you really don’t have a choice. And to your point, just because there’s a risk doesn’t mean I have to do something about it. I can accept it, I can acknowledge it. Say it is what it is. We’re going to live with it, move forward. Maybe look for some mitigating controls, like maybe increased monitoring or some sort, you know, add that specifically to your response plan. So if this one risk does get compromised, this is what we’re going to do about it. But yeah, you don’t have to fix everything, man. You never will, forget about that.

[00:34:06] Brad Nigh: Yeah, I mean, we absolutely have accepted some risk. I’m not going to go into detail because why? But there’s certain things in the S2 that we’re like, yeah, we’re just not going to do that. It’s not

[00:34:19] Evan Francen: the totally legit.

[00:34:20] Brad Nigh: A good example is we don’t have a generator backup or backup generator, but we don’t have. But everything we use is cloud based, there’s no business really. Like how would I justify, you know, saying we need to spend the thousands of dollars, tens of thousands of dollars on a generator and a fuel contract when there’s no business benefit, we’re going to accept the risk of we lose power at the office. Okay. We’ve all been working remotely for the last year and had no issues. Cool, we’ll just do that.

[00:34:59] Evan Francen: Exactly, man, 100%. So mistake number three. So number one, again, I’m just gonna keep your cap on these because if you’re a small business and you’re listening, we need to start paying attention. Not that you’re not, I don’t know you, but, you know, one, thinking you’re too small to be a target. That’s a mistake. Number two, not doing, not treating this as risk management, from not doing risk assessments and making risk decisions. That’s mistake number two. Mistake number three, you haven’t made an asset inventory. You don’t even know what it is you’re trying to protect.

[00:35:30] Brad Nigh: Well, I uh 100 whatever percent. Yeah. And that’s not even SMBs. That’s absolutely not limited to SMBs. That is all over the place. We see that all the time for companies that you would be like, well really? You’re right, okay, I’m going to create a virtual card to work with you

[00:36:00] Evan Francen: now. Right. Well this one actually ticks me off too because this is one where I get pushback. Believe it or not, from other security people or IT people like, well do you have any idea how hard that is? I’m like, how much do you get paid? Are you getting paid?

[00:36:14] Brad Nigh: Right. Well

[00:36:16] Evan Francen: this is part of the job right? You have to understand what it is you’re trying to protect. There are tools you can get, there are scanners you can use, there’s all kinds of things you can do to get creative. You don’t have to be like, well, Excel spreadsheet, that there’s too much work

[00:36:31] Brad Nigh: well you know and obviously we’re product vendor agnostic you know. But personally I’ve used Spiceworks in the past. It does an automatic scan. You can set it up to alert if it finds new things.

[00:36:44] Evan Francen: SolarWinds.

[00:36:45] Brad Nigh: And it’s well but the Spiceworks is totally free too though. Right? So I mean there are quality we get

[00:36:54] Evan Francen: started with Nmap

[00:36:55] Brad Nigh: and Memphis even. Yeah. Yeah I like the that the other one because it you know it does do software inventory as well as hardware and you can set it up to you on changes. So if it finds new software even right

[00:37:11] Evan Francen: I like using dual purpose tools too, right? If I can use one tool for multiple purposes. So yeah, Spiceworks is a very broad tool set. There’s a lot of things that

[00:37:21] Brad Nigh: you

[00:37:22] Evan Francen: can configure it correctly. Right. It probably doesn’t need to speak to the internet except for certain occasions. So you can close that off if you’re worried about a SolarWinds-type attack.

[00:37:34] Brad Nigh: No, absolutely. Yeah. Yeah. They have a cloud solution or on-prem and you know, you determine your risk tolerance. When we did it, it was on-prem. And yeah, that was it. None of the servers that didn’t need to talk to the internet talked to the internet.

[00:37:53] Evan Francen: Right. Another thing I like is, uh, well that I’ve used very much so and advise clients a lot on this is, getting started, use your vulnerability scanning data, your vulnerability scans on a regular basis. There’s a ton of good information in there. Yes. It doesn’t rank critical, high, medium and probably not even low. A lot of it’s the info stuff there, uh, and it’s all in XML format, so you can get XML parsers, you can parse it yourself. You can code something. It’s a lot easier than you think, start there. And then like, okay, I’d like to know a little bit more about these data types and things like that. Well, then look for other tools, but you probably have tools right now in your own toolbox to get started on that.

[00:38:36] Brad Nigh: Although the issue there is you’re assuming that they’re actually doing vulnerability scanning,

[00:38:41] Evan Francen: right? I don’t know how you are and I don’t know how you manage risk without understanding vulnerabilities, threats. So that’s another man. It’s logic. All right. Number four. So number three, again, asset inventory, hardware, software, data data is probably your most valuable asset, but it’s also the hardest one to get your hands around. So, start the other way hardware software then go after your data. That’s my advice anyway, but what do I know, I just do security shit stuff. Sorry, wow. Number four insecure digital assets. So, this one, you know, this one kind of like, what are you talking about, insecure digital assets, but it’s basically the same thing we’re talking about uh, you know, a digital stuff, the stuff you can’t touch, Right? Yeah, yeah. Web

[00:39:39] Brad Nigh: servers, clouds from, you know, things like that

[00:39:43] Evan Francen: and configure that stuff. Right. When you implement a new server, you would just go with the defaults and stand it up. It works. Everything’s cool. No, no, no. You gotta lock that thing. So, building security in early on in the process, and any process, is really, really important. We’re gonna build this server, are we going to use, you know, maybe some CIS, you know, config templates or DISA STIGs, right?

[00:40:07] Brad Nigh: There’s a ton of really good free, like it walks you through it step by step, what do you need to be doing, what should you be doing? You know it’s not it’s not rocket science

[00:40:23] Evan Francen: you know? But I think I do think people struggle you know because you’re busy running your SMB, you know there’s a lot of like ok great I need to secure my S3 buckets.

[00:40:37] Brad Nigh: Well here’s another thing

[00:40:38] Evan Francen: I just, having to search for that stuff is hard at times

[00:40:41] Brad Nigh: well but how many SMBs rely on an MSP. Right? Like they outsource their IT and security. Ever ask like, what are you doing on these 15 things? Tell me what you’re doing

[00:40:58] Evan Francen: Actually that’s not a bad idea, would be to take these 15 things, put it into a template contracting kind of thing and say here, give this, if you’re outsourcing your IT or security management, make them give you some kind of assurance that they’re doing 100. Okay, I’m gonna, we’ll take that as a takeaway or add it to my list and get done with it in a year and a half.

[00:41:25] Brad Nigh: Right? Well you know a good example is I’m working with the company and the two readiness and they outsourced to the MSP and a lot of it is um asking about, you know, well, logging and things like that. Let’s talk to, and the MSP was asking some really good questions about like, hey we’re not familiar with this, what does this mean? Like, you know, they’re asking for, saying that they need to have firewall logs and all these are different. What, what is the proper time frame? Can you help me understand what, what do we need to be doing to make sure that they’re compliant? And to me that’s a great MSP because they’re working to make sure that they’re doing the right thing.

[00:42:10] Evan Francen: Yeah, exactly. So number five is no network segmentation. I’d take it a step further, I’d say network isolation, you know, the difference is segmentation is typically a Layer 3 thing, right? Where we set up the VLANs. Whereas isolation is I’m actually gonna use some packet filtering between the VLANs. That’s a much better approach. Not all your systems, all your servers need to talk to all your systems and all your servers on all ports and all services. Right. Start to understand that, lock that down more.

[00:42:42] Brad Nigh: I talked to a company that was again looking to do the right thing. They wanted to do. The person that had set up their AWS infrastructure left and mm they don’t, they’re like, what, we don’t know what we don’t know. And so we’re talking through there how it’s set up and it, you know, it turns out that their web server, it’s flat, uh, and so their web server’s on the same segment as their database that has the, you know, sensitive information. Like Yeah. You know, great. You’ve locked it down so that only certain protocols can get to that front end server that accesses the database, but you are wide open because your web server is open. Right? So it happens all the time. And yeah, I told him on the, getting a call of scoping, like, yeah, I’m gonna tell you right now that’s gonna be a recommendation is that you segment and isolate that web server from anything that is internal.

[00:43:54] Evan Francen: And the cool thing too is, you know, when I first started in this industry, you know, things were simpler. And so that’s why that always resonates with me. The complexity is the greatest enemy of security because I’ve seen that happen over my career. I’ve seen what happened in organizations where you just get so many different tools, so many different servers, so many different things overlapping. It’s just crazy, right? And that’s much harder to secure. But another thing that I learned early on in my career was the better I understand something, the better I can secure it. So if I intimately know my environment, I’m better. I’m a better security person, I can secure that a lot better than one where there’s a whole bunch of stuff going on, I’m just not sure what that does. Now, I understand that a lot of us are working in environments where that’s just not possible for one person to really understand intimately what goes on. But if you have a little chunk of your universe, a server that you’re responsible for, a database that you’re responsible for, if you’re responsible for the network, responsible for this set of firewalls, freaking master that, know it so well, so intimately that you’re almost dreaming that stuff. Because I could tell back in the day, you know, I grew up a network guy, I was a network guy. I took so much pride in my work. I could tell you how the network was performing. I could tell you something was off based on the lights on a switch. I wouldn’t even need to log in because I knew it so well. It’s almost like you could feel it. You can sense it.

[00:45:25] Brad Nigh: Oh yeah, yeah. You know, I was Windows VM type of background and the same thing. Like if you’re doing it right, you want to be proactive, you want to find those issues before they get reported by the user.

[00:45:40] Evan Francen: It was embarrassing if the user had to report it.

[00:45:42] Brad Nigh: Yeah. You never want that anyway.

[00:45:47] Evan Francen: Nowadays, you know, we just don’t, I don’t know. Maybe some of us just don’t take as much pride as we used to, especially in SMBs I guess because it is usually outsourced. So it’s a third party coming to do a lot of this stuff for you. Well, they’ve got a lot of clients, man. I mean, maybe it’s hard for them to understand it like we did. Yeah. All right. Number six. Not understanding basic security hygiene. I don’t like that word hygiene because I would spell it wrong.

[00:46:15] Brad Nigh: As I say. Isn’t that what we’ve been talking about? This whole thing? Like Yeah, these are I don’t think this is a separate. I don’t think this is what these 15 things

[00:46:27] Evan Francen: Are. Right. And when we get through the list, what I think we should do is take their information, create our own 15, because I agree, hygiene. When you talk about basic security hygiene, this is all basic stuff. And we’re not talking about like any AI weird strategy type things. This is like, these are fundamentals

[00:46:51] Brad Nigh: well and everything that they talked about in that section is covered in one of the other things on the list. So I Yeah,

[00:47:00] Evan Francen: yeah. It’s almost like we just added this one for the sake of adding this one, but they do have, you know, in here, which we’ll talk about a little later too is, you know, backups, access control. Those are also hygiene things, patching, you know. But yeah, I don’t like the fact that they, this is a, yeah, it’s too much overlap here. I think, you know, we need to make it cut and dry for SMBs. Number seven, no business risk evaluation. Didn’t we just talk about that for number two?

[00:47:27] Brad Nigh: That’s a duplicate.

[00:47:28] Evan Francen: Yeah. So Okay. We just made 15. All right. We could have made this into 14. Maybe we just had complexity of the sacred complexity.

[00:47:38] Brad Nigh: Yeah, We can probably get this pin and be cover everything.

[00:47:42] Evan Francen: Exactly. And make it actionable. Right? I want to, I want, I don’t want an SMB, because they have preached the hell out of here, man, we’ve told them so many things and they’re all like whatever. Because when I’m, when I’m told something, and just think about it like your own self. When I’m told something that I don’t understand, I have choices. I can either go learn what it is you just told me so I can understand it, or I ignore it. Mhm. I did it with my own. I mean, hopefully my wife doesn’t listen to this, but I do that with her. You know, she’ll say something. I’ll be like, I’m just gonna let it go. Yeah, ignorance. But I think the same thing happens with the SMBs. We need to make it super simple and actionable. Yeah. Mistake number eight, know what normal looks like. Absolutely. This requires you to be really intimate.

[00:48:39] Brad Nigh: Yeah. Well, it’s because I agree that if you don’t know, if you don’t have that baseline, and we’ve preached that, you don’t know what your baseline is. How do you know if there’s a problem? Got to establish a baseline and then that’s, I mean, that’s gonna be one of your earliest warning signs. All right. You know, I know like you were saying, I know the performance, I know that this does this at these times. If I suddenly have a spike outside of the normal time, well, maybe I want to look at that and understand what’s going on.

[00:49:15] Evan Francen: Yeah, I mean, you need to be

[00:49:17] Brad Nigh: oh, go ahead. It could be network traffic. It could be CPU usage. It could be memory usage. It could be, you know, disk activity, you know, regardless of what you’re looking at. Set a baseline and monitor against that baseline.

[00:49:32] Evan Francen: Yeah, I agree with that completely. The thing to remember about computers and networks and anything digital, they only do what you tell them to

[00:49:42] Brad Nigh: do. And

[00:49:44] Evan Francen: there’s a reason behind every single thing that happens. Every single packet that’s sent on your network, every single CPU cycle, every single execution. Something made it happen. There’s a cause and effect that happens. And so when you see a deviation from the baseline, don’t just blow it off, there’s a reason. Yeah, it actually, it becomes kind of fun if you like, you know, detective work and forensic kind of things. It can be really fun actually hunting that stuff down. You learn a lot.

[00:50:16] Brad Nigh: Mhm. Absolutely. I’m looking at where we’re at in the time. This might become a two part.

[00:50:23] Evan Francen: Oh, we’ll go quick. Number 9, two-factor authentication. Absolutely do two-factor authentication. If you don’t on anything externally exposed, you’re naughty. Yeah, we ate misunderstanding cloud security. That’s a can of worms.

[00:50:37] Brad Nigh: Well, doesn’t it, isn’t it the same as insecure digital assets?

[00:50:42] Evan Francen: Yeah true. We’re gonna have to, we’re gonna have to clean this thing up, aren’t we? Yeah. And see A I. Q., CSA, Cloud Security Alliance has got some good, you know, documentation on that stuff too. Lack of security training. Absolutely, and it’s not just training.

[00:50:58] Brad Nigh: Yeah exactly. It’s all up to.

[00:51:03] Evan Francen: Yeah well, along training and awareness, like they’re the same thing, they’re different. Training is when you’re teaching somebody a specific skill. Mhm. Right, something that they can do that they didn’t know how to do before. Awareness is like, hey, you didn’t forget, did you? Like, this stuff is still happening.

[00:51:19] Brad Nigh: You know one of the things that is, well maybe not in the last year but one of the little tips that I’ve given that is super effective. Put your awareness posters on the bathroom stall doors. Yeah well like what you’ve got, I mean it seems kind of silly but you’ve got a captive audience.

[00:51:42] Evan Francen: Yeah absolutely that’s why they put all those ads now on the stalls at the bars, right? You’re going to the bar and you’re standing there, you know urinating, you’re like oh look at that, I could get a new Lexus for, right? Yeah

[00:51:55] Brad Nigh: I’ve been, people don’t, they don’t think of those things and it works, and it’s a good way, you know, your training awareness is effective. You’re getting more uh questions or reports from your employees

[00:52:12] Evan Francen: you want, incident response goes up, yep. Yeah, for sure, man, and quirky always stands out, right, do something funky, weird, out of the ordinary. That’s the stuff that sticks in people’s brains, not the dry, same old, same old. Yes, mistake number 12. No business continuity plan. Oh yeah, there’s a supply chain one, their number 11. Don’t understand the supply chain threat. Your supply chain threat, meaning the threat you pose to the supply chain, I think probably more in an SMB than the threats posed by your supply chain, because um you probably don’t have as many suppliers as the people that you affect upstream. So anyway, yep. Mistake 12, no business continuity plan.

[00:53:05] Brad Nigh: Why? Well, they haven’t done a risk assessment. So you can’t really have a continuity plan if you don’t know, you don’t know your assets and you don’t know what the risks

[00:53:14] Evan Francen: are. Why would they do a business continuity plan? I think I’m good enough to continue it as it is now. Anyway,

[00:53:23] Brad Nigh: there you go,

[00:53:25] Evan Francen: Mistake 13, lack of strategic asset allocation and budgeting. Good luck budgeting if you haven’t done a risk assessment, good luck budgeting if you haven’t done risk management, because your budgeting absolutely 100% should be based on our risks, and these are the risks that are unacceptable and therefore it’s going to cost this much to do these things. If it’s based on something else, I don’t know what you’re budgeting on. Thanks. 14 and 15, wow, we lumped two more together, failing to back up and lax patching hygiene, which we already talked about too.

[00:54:01] Brad Nigh: Right? And I don’t, yeah, I think that they’re kind of covering that altogether. But those are very different things.

[00:54:10] Evan Francen: True. Very true. So and they also have another, I just think it’s kind of a weirdly written article because there’s also a graphic in there that I think breaks it down, breaks it up a little differently. But we’re gonna do a follow up to this. I think we’ll create our list of our 15 and make it, you know, try to make it actionable for people. Yeah. All right. Up against time. News, uh, as of 9:15 a.m. on the fifth, which I think was Monday, we have 4 5,618 students registered in the CISSP Mentor Program

[00:54:46] Brad Nigh: blows my mind. Uh

[00:54:47] Evan Francen: huh. It’s gonna be fun.

[00:54:49] Brad Nigh: We

[00:54:52] Evan Francen: just divide up the the teaching load yesterday. Um Did you get you didn’t get models? Did you

[00:55:01] Brad Nigh: uh You know what I honestly I saw it and I haven’t looked to see what I actually what that actually means. I think

[00:55:10] Evan Francen: the schedule is now set on which instructors teaching which

[00:55:17] Brad Nigh: is that is that security engineering or security operations? I can’t remember.

[00:55:21] Evan Francen: I think we want to I’m not going to speculate, man, I don’t remember which one because if it ends up being you again on my heart,

[00:55:29] Brad Nigh: I’m like, well you mentioned you’re like, I’m doing it totally random and I was like, I’m totally good with it being random, but if I get models again, I’m it’s there was it was

[00:55:41] Evan Francen: rigged it. I really believe you fully automated. So it’s like if these guys come back to, you know, you rigged that game. I’m like because I also saw that I got network in communications and I’m like that’s the bomb,

[00:55:59] Brad Nigh: That’s the easy one for you, that’s your real name.

[00:56:02] Evan Francen: It totally is. So I’m like, I like how that worked out. But yeah, it was totally random. Mhm. All right, interesting news articles this week that we’re not going to get a chance to talk about, but in case you’ve been sleeping under a rock or living under a rock, there was a big breach, like actually a couple of breaches that kind of hid the, how this all happened. But 500 plus million Facebook accounts, you know, I don’t know how big of a deal it really is when you’re a social media user anyway, and you’re already kind of giving out your date of birth and your name and your email address and everything else on the cell phone. Yeah, it’s like

[00:56:38] Brad Nigh: one I found yesterday afternoon that I somehow missed on Freddy Lewis there’s a big Fortinet, uh

[00:56:46] Evan Francen: that is a big for us.

[00:56:47] Brad Nigh: Yeah, that is actively being exploited. So if you have Fortinet get on it, start patching immediately.

[00:56:56] Evan Francen: Absolutely. And then the other one I had was uh, ransomware gangs emailing victim customers for leverage, which is, you know, this is what scammers do, right? If you close, they’re going to go to the, it’s like pouring water, right? If you block one, one escape for the water, it just, it goes around or finds another path to go down, this is just another path. So if you do have your backups and you’ve done the good cyber hygiene things that you should have been doing to protect yourself, you’re still not out of the woods, right? Because these gangs now know that you’ve been doing that. So now they’re emailing your customers. Yeah, I should have expected that. I mean, the thing is with these scammers too, I should, we should just do some predictions because they’re so predictable in the way they operate, right? We give them so much like, man, these guys must be super duper smart, right? But no, they’re not. I mean, these are

[00:57:54] Brad Nigh: crooks. Well, and there’s a reason, I mean, IR isn’t easy, but there’s a reason we know, we know what to look for every time. Like it’s the same stuff or very similar, right? You know the things to look for. There’s a reason for that. They’re doing the same thing all the time or

[00:58:17] Evan Francen: uh All right. So wrapping up. Good talk brad seriously dig, dig. Always dig talking to you man. Uh you got me kind of fired up a little bit this morning, so that’s good. It’s good to start. I

[00:58:28] Brad Nigh: mean we’re both tired, so I figure you got to get that adrenaline going.

[00:58:32] Evan Francen: Yeah, I got a new energy drink I’ve never heard of before called G Fuel. Yeah, sounds pretty good to do. Alright, shout out, just make real quick.

[00:58:42] Brad Nigh: Um, you know, I’m gonna give a shout out to my daughters, just with the past year. They finally are hopefully going to be going back. Uh, they’re quarantining this week because they did go to a water park for spring break with my wife, who is fully vaccinated, but you know, the past year has been really hard where, you know, they’ve been basically isolated from their friends, and just super proud of how they’ve handled it and that they’re both getting on a roll and getting accolades from teachers, so just shout out to them for putting up with me for a year.

[00:59:19] Evan Francen: That’s awesome man, I’m gonna give a shout out to somebody that a lot of people know, but it’s Chris Roberts, you know, I think a lot of, you know, he’s kind of a public figure, but people don’t realize a lot of stuff that goes on behind the scenes, right? Human beings have things that, you know, get hit from all kinds of different directions. So I just want to give a shout out to him because I know him personally and I know how hard it is, how hard it gets sometimes to kind of face the storm that he does. So I appreciate people that do that, right? That just, you know, persevere, man. Yeah, exactly. So I appreciate that. Thank you to our listeners, send us things by email. I think I saw a couple of emails that I got to go respond to at Proton Mail. So it’s unsecurity at protonmail dot com. If you’re a social type we, I tweet more than Brad does because Brad is not very social. Uh mm he’s a, he’s an in-person social kind of guy.

[01:00:24] Brad Nigh: I just don’t have time.

[01:00:28] Evan Francen: I go the same way, I do it like, like as a hobby, like almost at night or something. So anyway on Twitter I’m @EvanFrancen, Brad is @BradNigh. Not very creative. Just take our names and munch them together and that’s where you find us. Yeah, Twitter handles,

[01:00:44] Brad Nigh: if you talk to me directly or tag me, I will respond. I’m just not proactive on sending stuff out most of the time.

[01:00:53] Evan Francen: Yeah, when I tag you, you respond. Other Twitter handles where you can find stuff: Unsecurity, this podcast, and that’s not very active, but I assume it will get more active, is @UnsecurityP, SecurityStudio @StudioSecurity and FRSecure @FRSecure. If you haven’t had a chance and you’re interested in signing up for the CISSP Mentor Program, go do that. Starts on the 12th. That’s Monday. That’s it. We’ll talk to you next week.

We’re just under two weeks away from FRSecure’s annual CISSP Mentor Program—a free event that Evan and Brad host every year in the spring to help train industry professionals and get more people involved in the industry. In episode 125 of the UNSECURITY Podcast, Evan and Brad take a look back at why the program was started, how it’s grown, and what to expect during this year’s sessions.


Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the Unsecurity podcast. This is episode 125 and the date is March 30, the last day of March in 2021. And here with me again, two weeks in a row, is Mr Brad Nigh. How are you Brad?

[00:00:41] Brad Nigh: Good. Yeah, it’s ah, had a bit of a scare on Friday. I was like, not sure what was gonna happen, but everything turned out good. It was, it was a rough weekend,

[00:00:53] Evan Francen: but I’m glad you’re back and I’m glad you got some good news. You know, I’m hoping that you’re getting a streak of good news now and

[00:01:03] Brad Nigh: you know, you can read it. Yeah, it was crazy like, you know, I won’t go into details, but there was probably what, six or seven separate like, are you kidding me? Type of things that we’re all, it’s independent over like a, you know, or five week period is just like, good Lord.

[00:01:23] Evan Francen: Right, well, back to the back we’ve never heard. Yeah, now we’re heads down working are our tails off again.

[00:01:36] Brad Nigh: Yeah, yeah. Yeah, that’s the downside. I have to catch up.

[00:01:39] Evan Francen: But I finally got caught up on email, man, I think, maybe someday, from having my week off two weeks ago.

[00:01:50] Brad Nigh: Yeah, yeah, I know I took the week off well, and by taking the week off, I mean I did all the meetings that I had scheduled that week, luckily they were all on monday and Tuesday, so it wasn’t horrible. But yeah, I’d like I would say like 1600 emails that week.

[00:02:12] Evan Francen: Yeah, I do you ever get do you ever get anxiety when like you saw an email? Because you know, a lot of times I’ll see the emails, I just don’t have a chance to respond to them so that they kind of go down and then I’ll remember like a few days later, like, oh my god ahead, make kind of respond to that email, Do you run into that

[00:02:30] Brad Nigh: all the time? It’s like for me it’s always like, right as I’m laying in bed ready to go to sleep, I’m like, oh crap, I forgot to do this apply to so and so well I’m not getting up and doing it now and then I forget in the morning and then I feel bad because I’ve forgotten like three days later, I finally remember to do it when I’m in front of the computer.

[00:02:52] Evan Francen: Right, well today I wanted to, uh, so I figured our show would be, we’ll talk about the 2021 FRSecure CISSP Mentor Program, we’re only a couple of weeks away now. Uh, this one’s pretty exciting and I think a lot of people may have heard of it, they may not know some of the details about it. They may not know some of the background of the history, they may not know how to get involved, you know. So we’ll cover all that stuff today. Um, and then I also wanted to talk about just kind of any current kind of security things that we’re working on. I know I got, I personally got a, uh, an incident response email yesterday. Now when I’m getting them, it makes me wonder like, what the hell is going on.

[00:03:38] Brad Nigh: I was in, I was in meetings because I got copied on that and they were like, I was in a leadership meeting. I’m not checking my emails, we’re discussing important things and I had to miss two voice mails from him and the email. I got out of it, you already responded. But like, oh my gosh, what is going on?

[00:04:00] Evan Francen: Well, it’s not like I appreciate the fact that on this particular incident that you know, you attend to it right away and you he treated like you don’t, I mean you let the facts take you where you they take you right. So you don’t know on the surface, you may think, oh, It’s just, you know, compromised email account or two or 60,

[00:04:23] Brad Nigh: right?

[00:04:24] Evan Francen: You know?

[00:04:25] Brad Nigh: But yeah,

[00:04:27] Evan Francen: you know, we’ll just change passwords and go on with our day. But that’s that’s really dangerous because you don’t know.

[00:04:35] Brad Nigh: Oh yeah, no. Yeah, I mean we could go down a rabbit hole of, right? We have the team has put together just a ton of scripts for what you have to run to check like the basics after a business email compromise. And you know, most people don’t think about that. Like you said, they just change password and good to go, well, did you reset all the sessions? Did you do this? Did you do that? Did you check for these things? And

[00:05:03] Evan Francen: well, and where else is, where else could that password potentially lead somebody in their environment, you know? I know in this particular one, you know, yesterday, you had email that was only secured by, you know, username and password, but you also have the PMO the same way, right? And attackers aren’t stupid.

[00:05:21] Brad Nigh: No, it’s all publicly accessible, right? They have username, password, they’re going to now check what else can they get to for that company. Yeah, definitely. Good. And so

[00:05:36] Evan Francen: yeah, and you don’t want to freak out either, you know, so people that are listening haven’t been through an incident before. Maybe you have and you know, maybe I burned, it’s uh let the evidence take you where it takes you, right? There’s logic think things through engage an incident response team that has been there before that. And one of the things that’s really cool that I was talking with Oscar about, I think maybe last week, did you talk about these scripts? You know, he’s automated. That team is automated. The entire, you know, you know, initial evidence gathering.

[00:06:09] Brad Nigh: It’s, I mean you think back to kind of, gosh, mm, well, well, Tom just had his second anniversary. So it’s, you know, two years, and where we’ve gone in those two years is, it’s amazing to think about like how far that team has come. I mean they went from, you know, January, February of 2019 where I was, you know, basically the only one doing anything, to I’ve got what, eight people on the team and just, no, nine, I don’t even know, I can’t keep track.

[00:06:51] Evan Francen: Well they’re hiring and there continued to add to it and and the thing that I’m most impressed with is just the, I would stack this team up against anybody.

[00:07:02] Brad Nigh: Oh absolutely. Well we’ve had, we had one for sure like that the insurance said no, you got to go with this other company. The other company only did the one thing on like the exchange server that was it for, you know, the big book and they came back and said no we don’t, we don’t think they did a good job. They just basically said we fixed it. You’re good and they came back to her like yeah we want you to, we want to engage you guys to make sure.

[00:07:32] Evan Francen: Well that’s interesting for people to hear too because just because your insurance company recommends that you go with an incident response, this incident response team and also included, right? No matter who, um, don’t just don’t just take it at face value, Right? I mean, you forgot us telling you they didn’t do a thorough enough job. Ask somebody, you ask somebody you trust, don’t ask somebody is trying to take your money. And uh, another thing about that is just because an incident response company is on an insurance panel doesn’t mean they’re good.

[00:08:08] Brad Nigh: Oh, good board bill.

[00:08:10] Evan Francen: Right? Because people, people need to realize what it takes to get on that panel. It’s often who, you know what strings you pulled and

[00:08:18] Brad Nigh: well, an insurance company, Yeah, they’re looking to the lowest, uh, you know, yeah, lowest price. What are they gonna,

[00:08:29] Evan Francen: that’s yeah, that’s definitely one of the things that maybe we’ll get into that may well have Oscar on and we’ll talk about what’s broken, broken in the cyber insurance industry from an incident responders perspective, right? None of us are insurance experts. You know, I can’t tell you what your policy should say and shouldn’t say, but I do know you should read your damn policy and I do know that if stuff hits the fan that you’re going to be in good hands, right? You need to have that assurance.

[00:08:59] Brad Nigh: Yeah, yeah. You know, I think one of the best ways that we can tell that that team, you know, is just in general is doing well well as lawyers seem to like us, which you never really, it’s not it’s kind of like a double edged sword, but but at the same time, you know, that they’re super picky and have they usually have really good questions of you’re making the lawyers happy. That’s a uh it’s probably a decent sign of you know what you’re doing and can speak to, you know, the quote unquote normal people.

[00:09:37] Evan Francen: All right. And as a business owner, I the lawyer better understand it, better be comfortable with my case because they’re the ones who are going to have to defend it should it come to that? You know what I mean? So, the fact that lawyers are pleased with the work we do uh It just makes everybody happier. Yeah. Right, so the CISSP Mentor Program for people who don’t know this uh This is free uh Like free isn’t free, free, like there’s no strings attached kind of free that nobody, it’s just it’s free. Um We started this in 2010. It’s free CISSP training. And really what it’s meant to do is train you teach you everything you need to know to pass that exam. Mhm. And then teach you some security life skills along the way and teach you what you can forget about after you pass the exam. Like things that just aren’t practical.

[00:10:40] Brad Nigh: Yeah, I think well that’s exactly the word I was going to use. Its practical training, right? It doesn’t mean you go through this and you have to pass, like you don’t have to do any other work, you still have to do with studying and all that. But I think my goal and it is like you just said is what do you need to focus on? What is the, what are the areas, what are the tips and tricks, you know, what should you be memorizing versus, you know, just sort of threw a book and reading off of it.

[00:11:13] Evan Francen: Yeah, absolutely, man, because, you know, there’s street smarts and there’s book smarts, right? I mean, you can get through the CISSP exam with book smarts and not know the first thing about how to actually run a security program or do a vulnerability scan or uh figure out network or a firewall, but it’s the street smarts, right? It’s a combination, I can’t be street, I can’t be book dumb and street smart and I can’t be the other way either. It’s kind of this mixture.

[00:11:39] Brad Nigh: Well, I mean, there’s definitely things that the only time I ever think about are when it comes up in the class, you know, it’s like, oh yeah, that’s right, I don’t use that ever, but you know, it’s important to know and have that history.

[00:11:57] Evan Francen: Yeah, for sure, man. So we started in 2010 with six students last year, I think we had 2400, some odd students.

[00:12:06] Brad Nigh: Yeah, 2400 somewhere where it

[00:12:12] Evan Francen: Was really cool. It’s really been really cool that over the last 10 years of strong to that. And then this year We’ve got what? Yesterday? You send me a message. We have over 5300 students.

[00:12:24] Brad Nigh: I mean, I’m excited. That’s fantastic. But holy crap. Yeah.

[00:12:31] Evan Francen: What is It is a lot of people and it’s, but it’s it’s so cool to because the reason why we started this thing way back when I guess it was just me was our mission, right? Our mission is to fix the broken industry. Our mission is not to rake people over the coals. These are skills nowadays that are, they should be considered life skills.

[00:12:54] Brad Nigh: Yeah. Yeah.

[00:12:55] Evan Francen: I mean in the 21st century now

[00:12:58] Brad Nigh: we’ve absolutely had, I mean, you know, some of the people, but we’ve had CIOs and CISOs that have gone through and have no no intention will never take the exam. I mean even Renee right, she might take at some point, but it just makes them so much better at their job to just to understand it. I think the biggest thing people miss is even if you’re not gonna take it, it changes how you think changes how you look at things and that’s a good thing.

[00:13:30] Evan Francen: Oh, absolutely man in it. Yeah, because I mean, okay, so you bring up a really good point. So our, I’m gonna, I’m gonna get to that like who takes, who takes this thing, who goes through the mentor program. Uh but we still, you know, going back real quick that we started in 2010 with six students, it’s grown every year, last year, you know, the pandemic hit kind of the same time, you know, because we teach this in april every year and uh so it was weird having this quick transition to going all online

[00:14:03] Brad Nigh: like this before we were supposed to start.

[00:14:06] Evan Francen: Yeah. Right, right. And this year it’s all online. Uh and uh so you know, the part that’s really kind of just amazing to me is how many people we’ve touched and helps, you know what I mean?

[00:14:26] Brad Nigh: And I don’t know about you, I’m sure you get it to, but it still blows my mind the linkedin invites from all over the world that are like, hey, I really appreciate you doing this. You know, it really helped me if we connect and it’s like, I mean it literally all over the world, like every top. It’s crazy.

[00:14:48] Evan Francen: It is crazy. And it it feels good because I mean this is why we exist, right? We’re mission before money we make money, right? SecurityStudio, FRSecure will make money, but focus on the mission make money, focus on the money. You won’t make the mission. So it’s kind of just giving these priorities straight.

[00:15:06] Brad Nigh: Yeah. And I think I’ve said it before, it’s a for me it’s giving back and being that resource that I didn’t have when I was kind of coming up and you know, it would have been incredibly helpful. So if I helped someone else, why why wouldn’t I?

[00:15:27] Evan Francen: Absolutely 100%. So now the people that typically, because we’ve seen hundreds, thousands of people come through the program, ah some of them are coming with the intention of taking the exam. This is there. I just saw a message yesterday in the in the community group about this year’s class that they’ve already got their exam schedule. That’s for july. So this is there kind of like, you know, I’m studying for the exam in, I want to pass the exam. That’s one approach and those people and that’s the thing about everybody, truly everybody kids or even, I don’t know how much kids will want to sit through all this, but high school students, college students, I’ve had

[00:16:12] Brad Nigh: multiple that I’ve gone and done presentations at the schools around here. High schools ask and say, hey, would this feel a good thing to recommend in my kids to the suits. Yeah. And some of it’s gonna be way over their head. That’s okay. Get them thinking if they can get into it and it interests them. That’s fantastic. Even if they only understand 25% of it. Get them interested in it.

[00:16:39] Evan Francen: Well, that’s the thing too about learning right? Very rarely. Do you hear something the first time and you, you know, just immediately a master it. Right. Right. Usually the first time you hear something like what the hell is that? I’ve never heard of this before. I don’t doesn’t make any sense but then you hear it again you know maybe a year later, maybe a week later and you’re like oh I’ve heard that before, where the hell did I hear that? And then you make that connection? Well that’s how learning works. By the way you start making connections biological and ecological connections in your brain. They’re like oh okay yeah I remember hearing about that. Where did I hear about that? Oh, that CISSP Mentor Program. Ok now you made a connection Right and then you’ll hear about it again because this stuff isn’t going away by the way security is here to stay just like the internet is here to stay

[00:17:29] Brad Nigh: it’s only going to become more prevalent.

[00:17:32] Evan Francen: Exactly. And the more you hear those things the more you start putting these connections together. Now the cool thing about which means you start to learn it and master it. The really cool thing about the CISSP that I’ve always liked it won’t make you a master or anything but it makes you kind of the jack of everything right? You you can put things into context and so now when you hear something again a year from now you’re like oh yeah I remember that that was part of this thing on that leaves these other things. Right?

[00:18:02] Brad Nigh: Yeah, absolutely. And I mean you can put it into just so many different examples, but you know, I think just encryption, right. A lot of people are like what we start looking at what the algorithms are and then how did those get implemented in what SSL certificates and you know, it just all comes together. You don’t need necessarily need to know how AES-256 works. You just need to know. Okay, that’s a good like what? Right, from a high level perspective, what’s good? What’s not, what should I be looking for?

[00:18:40] Evan Francen: Right. Well, the thing about security is security is risk management, which means assess decide, you know, implemented. It’s that kind of construct. Right? So the people who can make the best risk decisions are the people who can put risk in the context. So when you look at an information security program, when you look at all the things that go into play right, roles and responsibilities, asset management, training and awareness, uh, you know, policies, procedures, network architecture, application development on and on and on and on and on. When you can take Oh yeah, that thing fits here. If I make a change here that will affect this thing over here. Now you cannot really understand and appreciate how risk management works.

[00:19:28] Brad Nigh: Right, Well, I don’t know about you but like personal life with like friends and neighbors and family. When when I explain to them what I do exactly what you just said, risk and this is what we do every day is assess this and make a decision and suddenly not even information security, just general things. They’re like, what do you think about this? Because right, when you think about this stuff all day all the time, you do tend to look at things from maybe a little bit different perspective because you are, you do have that bigger context a lot of times. So I get that all the time. Like, hey, we’re thinking of this where we got this. What do you, you know, it’s like,

[00:20:09] Evan Francen: well that’s the thing, man. I mean, people, people will recognize the fact that you are better at putting things into context, right? You take like even, and I’m going to get off on a little bit of a tangent even think about like covid all the stuff going on, right. If you look at any one piece of it, you can either be paralyzed with fear or ignorant, right? I mean those are kind of the two sides of the spectrum and everything else is sort of in between. But when you do have this ability to put risk in the context, you can put it into context like, okay, yes, Covid is a serious thing. No, I will not be paralyzed by fear, but I also won’t act like it doesn’t exist, right? You figure that stuff out. Well, it really works the same way, right?

[00:20:59] Brad Nigh: Yeah. It’s at risk tolerance is really what it comes down to and weigh pros, cons you know innocent and. Yeah absolutely. That’s one of the bigger ones that people are get asked about is like what do you think about?

[00:21:12] Evan Francen: Yeah they did the same thing with me. Right. I think they just pick up on the fact that wait a second, you know how to put risk in the context. I mean they don’t think that they don’t say it but they’re consciously but then they ask you these questions all the time like hey you seem pretty reasonable. What do you think about this? You know? Yeah. Well I’ll tell you what I think about it. But you know hopefully you’ll make your own decision. So uh those things and that’s one of the things that that’s cool too about the CISSP Mentor Program is you do talk the CISSP itself is like the perfect thing to do a mentor program with because it’s so broad. I don’t have to dig deep and specialized in any one piece of it. Which then opens the door for information-security professionals. People have been in this business for 10-15 years who want to get the the certification. It also opens the door for students. It opens the doors for business leaders that opens the door for everybody.

[00:22:07] Brad Nigh: Yeah people I mean we’ve got we’ve talked to her last year during the Women in Security, Victoria. You know, people changing career. Right. Right. It’s, there is no wrong person For what? What’s the audience? Yes.

[00:22:24] Evan Francen: Right. Yeah. Not only do we need you as a practitioner in this, uh, industry because we are allegedly short on talent, but we need you. The thing is that people don’t realize is that people are, people are creatures of habit. You’re the same person at work as you are at home may act different. You may do certain things different because you’ve kind of been conditioned that way. But information security skills, uh, they apply at home at home. You’re the CEO, you know, I mean, you’re the one making executive decisions, making risk management decisions for you and your family. The thing at work is if I make the wrong decisions or let’s say I just dropped the ball altogether. We lose some information. We get hacked. Whatever The thing is, the sad thing about at home is your kids potentially suffer your wife and your husband significant other,

[00:23:24] Brad Nigh: which directly impacts your ability to work.

[00:23:27] Evan Francen: Oh my God. Right. So, yeah, so CISSP Mentor Program, uh, it’s how many weeks is it? It’s about

[00:23:38] Brad Nigh: what I think.

[00:23:41] Evan Francen: All right. It starts April 12 its evenings, uh, usually two evenings a week. So we’re not, we’re trying not to, you know, I think it so you can’t do your other duties.

[00:23:56] Brad Nigh: Right? And I think it’s like every three classes or so there’s a break after. So three classes day off, three classes a day off. So it’s right, gives people a chance. I mean, yeah, I mean we know it like there’s real life, you’ve got family, you’ve got work responsibilities, maybe you’re gonna fall behind so give people a chance to stay uh or to catch up I guess.

[00:24:23] Evan Francen: And what year did you start? What year did you start helping?

[00:24:27] Brad Nigh: This will be in 2017? So I did ’17, ’18, ’19, ’20. Yeah, it would be like, oh my God, you’re,

[00:24:34] Evan Francen: it’s crazy is the ones before that man, I used to uh you know, it was like one of those things where you feel like you’ve been called to do it, but I’m not really enjoying it because because of that it was too much work, man. It was, yeah you have a normal day job, you have family responsibilities and then you would teach. And so it would be like 7-8 weeks every spring where Yeah, you know, I just started to dread it. So the fact that you came along uh and then last year Ryan came along last year was like this is easy.

[00:25:16] Brad Nigh: Well it like I mentioned last week like having the online moderators that just like I don’t have to worry about that stuff and I know it will get taken care of the questions will be answered and if something comes up, they’ll let me know via a back channel that I can actually see. Yeah. And I have to try and keep up with. I mean, you, you moderated some and saw the chat. It’s just like, I’m not gonna be able to talk and watch that. Yeah.

[00:25:48] Evan Francen: Yeah. It’s cool to see how it’s evolved because I think last year it was really well done. It was professionally done. We had, we had our technical glitches because I think we had to switch things so fast and find their technology.

[00:26:02] Brad Nigh: We have, we have two weeks from the start of it. They shut down to, oh crap. We’re gonna have to do this. All virtual.

[00:26:11] Evan Francen: Right. Yeah. And so for people, so we start on April 12. On April 12 we ease into it, right? It will be the introduction class. It will be our introduction to the program and introduction to security and everything. And that’s taught by me and we’ll dig in and get into domain one that security and risk management. Both of those things will happen in the same week. That’s a pretty easy week, right? It’s not like we’re gonna slam me with a whole bunch of stuff.

[00:26:41] Brad Nigh: We’ll get him hooked and then dropping,

[00:26:43] Evan Francen: it’s about it too, man. Because the next week it does kinda dig in with, you know, yeah, we get, we get going pretty fast after that. And some people uh, feel overwhelmed. Um, if you like, they’re drinking from a firehose, that’s normal and that’s okay. You’re not supposed to master this the first time you go through it right you’re not like oh I got it I’m ready for the exam. No you’re going to have to do some study afterwards.

[00:27:11] Brad Nigh: So I mean personal experience if it helps people you know and where I was living at the time down in Lexington there’s there just wasn’t very many CISSPs. I didn’t have a lot of support so I didn’t know what to expect right? So I read the Shon Harris book cover to cover and filled two legal note pads with notes. Then I read Eric Conrad’s uh book did I did an (ISC)² uh you know webinar and then did the cyber very uh free word version and you know it’s not like I mean that’s a lot of and then I can’t even tell you how many practice tests I did at on a see see here right I was at the end leading up to it. I was doing basically a full 250 three times a week for the last like month. Just because I was like I don’t know what to expect a lot of stuff. You can’t don’t take it lightly.

[00:28:18] Evan Francen: No no you know that but also don’t get overwhelmed The

[00:28:23] Brad Nigh: oh I absolutely over

[00:28:25] Evan Francen: prepared. Everybody goes everybody goes at their own pace you know what I mean? And uh so for the people that are taking this to get the exam that’s you know, we’ll give you plenty of advice along the way and you’ll have the support of other students, right? We set up the study group online, you know, where people can share ideas and thoughts and whatever they do. Then, um, you got the other side of the spectrum where I’m just here to learn. Um, because there’s always some attrition, right? You start with with the first class and you know, just about everybody’s there and then it starts to wane a little bit. We didn’t lose a lot last year, I think by percentage. But because as you get through it, people are like, man, this is just more than I can handle. Uh, and it’s may because at that point it’s probably may and you’re like, the weather is nice.

[00:29:18] Brad Nigh: I don’t want to sit inside for two hours after being

[00:29:21] Evan Francen: right, right.

[00:29:24] Brad Nigh: A big part of why I wanted to do with this and volunteered is because I didn’t want other people to go through what I did because like I said, I didn’t have those resources to know what should I be doing? What, how do I know if I’m ready or not? And so, you know, that’s, I think that’s the biggest takeaway and probably the biggest feedback I’ve gotten from people is yeah, the content, I mean the content is what it is, right? It’s not like we’re creating something new, It’s those practical tips of here’s what to focus on here is what you need to be understanding versus just memorize a book,

[00:30:05] Evan Francen: right? And for people on a, Sorry, we got so far in before I even mentioned the link where you can go to register because it is April 12 is the date. You can register up until that date and maybe even after, but it’s frsecure.com/cissp-mentor-program. And on the bottom of that page you’ll see a little description in the schedule and, you know, in the middle of the page, you’ll see a register now button, you can register there um as for minimal information, really, it’s just, you know, how do we stay in contact with you basically, so that we can tell you,

[00:30:44] Brad Nigh: right? I get the links for the class is really like,

[00:30:50] Evan Francen: well, that’s another question we get all the time too, is when will I get the links where you’ll get the links for the day’s class, the day of the class, because we’re finalizing everything kind of getting everything, you know, all the bugs worked out and everything. Uh we’ll also post those in the study group. Uh so we have multiple places where you can find where to get into, because people panic on that, like, you know, like two days before the class. So like, where’s the link to get into the class, I don’t have the link to get into classes, like it’s okay, you’re gonna get it

[00:31:23] Brad Nigh: and well, and now all of them will be on our Youtube channel as well. So if you miss a class it’s not the end of the world. Yeah. It’s a little different and that you don’t get the opportunity to maybe ask questions in the chat as you go. But everything is there Right.

[00:31:40] Evan Francen: Yeah. Yeah for sure. And the books, you know the books that you’ll need. So you will that’s where you’ll have some expense right? You’ll have expense in two places. You have to whatever supplemental training stuff you want, meaning books. We found some practice exams or things that you’d like to purchase that’s that’s going to be on you. Um And then the other is the exam itself right? We don’t cover that cost. That’s expensive as hell. We probably go to business.

[00:32:09] Brad Nigh: Yeah it’s like $650, $700 or something like that. Now

[00:32:14] Evan Francen: I don’t know what it is but

[00:32:16] Brad Nigh: At least at least now it’s adaptive. And the most you have to do is 150 questions because you and I

[00:32:23] Evan Francen: I don’t mind on paper man. I had to fill out the holes.

[00:32:26] Brad Nigh: Yeah I did I had a computer exam for CISSP but it was the 250 but then my CISM was yeah was scantron filling out the Yeah that’s you know, so one of the other things that I think we want to probably want to talk about and I’ve had asked I can’t do the two digits is well the Why are we using the Eric Conrad book from 2015 and then is what are you going to update anything because um like they’re gonna be coming out with another version here in June or July yeah what what what is this going to mean? So you know from my perspective we’ve talked through this, I think the Eric Conrad book was for the Old when they had 10 domains vs eight. Like the content in those domains changed like less than 1%. It was just rearranging where they fit and with the new version coming out it even says on the (ISC)² website. Hey, this is, it’s a oh gosh well have this out like a life style exam right? You can’t just study it, you have to have practical experience and again I keep coming back to that word, but you have to have done this stuff and worked in it. Um So if you are studying on current material, it shouldn’t have an impact if you take the exam on the next version And I can tell you I studied on the previous version, the 10 domains and took it on the eight domains and I didn’t have any problems. Right, nothing in there.

[00:34:17] Evan Francen: Well that’s the thing. I mean security is security right? It just doesn’t, it’s the same. What’s changed is maybe some technologies, maybe some, you know a few techniques, maybe the names of a few things. But really security is security,

[00:34:31] Brad Nigh: uh

[00:34:33] Evan Francen: 2015 book is absolutely still 100% applicable to today’s test, the future test, you know, what’s coming in july uh there’s hints about what that is, but there is no book for that right now. There’s no training for that.

[00:34:48] Brad Nigh: The thing is, what’s crazy is they’re going to start doing the newer tests before there’s even a study guide or a book officially from (ISC)². You can’t even buy a book yet. Right. So to me that indicates it’s not going to be a fundamental shift there. You know, if if they were going to make major changes, I don’t know how they could possibly justify making people take a test on the new content without having anything to study, Right?

[00:35:19] Evan Francen: Yeah, I agree. Mhm. So that, that’s a good question. We do get that question a lot. The just, you know, why are you using a book from 2015 when the year is 2021? And the reason why is it’s a very well written book. It’s tried and true and it covers everything. We need to cover

[00:35:37] Brad Nigh: that. The content hasn’t changed has just been moved around. Yeah,

[00:35:42] Evan Francen: the instructors for the exam, I mentioned that I’m one brad is also one and then Ryan Cloutier, we’ve heard on this podcast before. Uh he works at security studio. So that’s kind of cool too, because I think if I was a student, I would get sort of tired of the same instructor, you know, every exam, because you’re talking about What, 26, 28 hours of instruction? Mhm. So switching it up, getting a different, fresh perspective, we all have different experiences, right? We’ve got similar stuff, but they were different. Yeah,

[00:36:21] Brad Nigh: and and now, well, you know, you and I have kind of switched which classes we had taught in the past, So, you know, if you go back, you can get all of our, you know, different views on these different topics. So, you know, I think this year even we’ll switch it up, so it’s not going to be, well, I’m definitely not doing security models, I’m drawing the line there. Uh that was painful as you give it to Ryan, yep, I think it won’t, it probably won’t be as bad this time because we’re used to it, but I mean, at the time it was like, what am I doing? Um but yeah, you’re gonna get different perspectives on the different topics, because we do rotate those year to year.

[00:37:09] Evan Francen: Yeah, yeah, for sure. So that’s cool. I can’t think of anything else. One of the things that I’ve been asked before, and we actually put it on our website, you know, the value of the training, Because some people like that, I mean, we had 2,825 students, so the average cost per CISSP training for self paced online courses, which isn’t the same. This is actually a little better than that because it’s, it’s instructor led training. But the average cost for online self paced Courses is $2,795.

[00:37:45] Brad Nigh: I was gonna say about 2500. So yeah, that’s higher than, Yeah, I know that. I mean back in 2000 and Pen 11, I paid 3500 for instructor-led training. Well, my company did luckily at the time, but

[00:38:04] Evan Francen: uh huh. Well, that’s another thing that, you know, I uh I really like is the number of people we’ve been able to help um that couldn’t afford it. Mhm. You know, if you do the 5300 students at which, you know, we’ve surpassed that. That was yesterday At $2,795, You’re talking 14 million

[00:38:30] Brad Nigh: And you wonder why the financial people are like, well, couldn’t we charge like 50 bucks,

[00:38:36] Evan Francen: nope, we’re not charging a dime for this. We never will as far as, you know, as long as I’m around

[00:38:41] Brad Nigh: and I will be honest when you, you say that I have to talk to people and told them that and you do get some looks like what is wrong with you,

[00:38:50] Evan Francen: our mission men. I mean we make money in other places, right, doing other things

[00:38:55] Brad Nigh: and the reality is we’ve gotten some phenomenal hires from students who are like, I really like what you’re doing. I’d love to work with you.

[00:39:05] Evan Francen: Yeah, I guess there is kind of now that I think about it, you know, there is sort of a weird kind of way strings attached because it does give us a really good reputation, you know, in the industry has come as a company that generally cares about people that generally want to help people gonna

[00:39:21] Brad Nigh: ask anything of any of the students. I think that’s the big thing, right? We’re not gonna sell their information. We’re not gonna do anything. It’s, it’s getting back like you said and helping others.

[00:39:36] Evan Francen: Yeah. Another thing I’ve gotten to is the future of the CISSP Mentor Program. So real quick, what I’m thinking the future is going to be is Uh, two things I’d like to figure out is how to get more. Uh, we have a company, an organization, not a company, a nonprofit called Virtual testing out in California. They do some really amazing things there too. It’s a nonprofit. Well, they’ve been sending a bunch of students our way too, you know, it, which got me thinking, you know, we’re working on, I’m working on another, I told you I have ADD. Right. But another thing, it’s a, it’s a nonprofit called uh The Gray Matter Society. You and I talked about, you know, before we started the show, just the, I think the inability or unwillingness for people to think through things critically. So, you know, we’ve got some really big issues and problems in our industry that we need that we need to think through things critically. So we can come up with solutions. The no strings attached, no partisan crap. It’s just how do you solve problems? But that’s going to be a nonprofit. I think kevin right now is in the middle of setting up that 501(c)(3) or whatever you call it. Very cool. Yeah. We might move the CISSP Mentor Program into that nonprofit and the reason being is so, you know, FRSecure is a for profit company. Some other companies may not want to partner with us because of, you know, whatever intimidation competition, whatever if we put it in a non profit, then we can do, you can grab that FRSecures all across the country and get them to participate

[00:41:19] Brad Nigh: joke,

[00:41:20] Evan Francen: that’s one thing. And I think that will also lead to this perpetual training I think rather than having, you know, only doing this once a year, why don’t we get, you know, experts from all over the industry and teach this thing you’re wrong you and I know the benefit in terms of the blessings we get,

[00:41:39] Brad Nigh: I mean, even if we did it three times a year, right? Or once a quarter, which would really be year round because it is that long. But yeah, even if, hell, jeez, just a second one in the fall, because that’s the other big one. When is it going to start? What, you have to wait till spring? Well, because it’s a lot of work, it’s just really three of us with three or four, five moderators behind the scenes. Right?

[00:42:09] Evan Francen: Yeah. So I think we can make it, you know, year round and, uh, invite other people, you know, to play with us. Yeah. I think because this is for the benefit of society, it’s not for the benefit of FRSecure or any individual. It’s about like, how do we help people? Right. Yeah. I’m not, it’s not monopolize that

[00:42:34] Brad Nigh: People just don’t. It does, I guess, you know, society or businesses typically, or seem to be, you know, there’s always a gotcha, what’s attached. You know, just like we do this because, I mean, I will, I’m gonna speak for you, because we care. Right? You’ve said it a million times, information security is about people. Yeah. I said I didn’t have this kind of resource coming up. Well, I know how tough that was, that you were the same way, I’m sure, because you were focused on security a little bit earlier than I was even, and yeah, like if I can help someone with my experience and make their life easier, and then not only that, make them better at their job, or even if they don’t take the program or take the exam or not, security. Yeah, it prevents a breach. That means it’s less work, right, for everyone. There is, there’s no downside other than giving up our time.

[00:43:42] Evan Francen: I agree with that, man. And it’s, uh, the way the world works, right? These are the basics of security, right? We’re not going to teach you how to hack things. I mean, there may be other courses, when we move into the nonprofit, we may decide to do other things, teach other specialist courses, but these are the basics here. And the thing that frustrates me about the basics is technology is going way faster than our ability to secure it. So the gap continues to widen, and we have to do something in order to close this gap. Otherwise society will fail.

[00:44:18] Brad Nigh: Right? People going back to the book and they’re like, what, 2015, and now you’ve got next-gen firewalls, and you know what, I don’t care. Do you have port security enabled? Do you know what your rules are? Are you doing ingress and egress traffic filtering? I don’t care how you do it. Are you doing those things? It doesn’t matter what you’re using for those right now, fundamentally it’s gonna always be the same,

[00:44:44] Evan Francen: Yep, totally agree completely. Alright, let’s get some news, and so that’s good stuff. Everybody go sign up for the CISSP Mentor Program. Don’t just do it just to do it, I guess, though. You really do want to sort of commit. It’s going to be April 12th through June 2nd. Some weeks it’ll be one class, some weeks it’ll be two classes, never more than two, and classes are two hours long. If you miss a class you

[00:45:12] Brad Nigh: what’s that roughly? Some go a little longer.

[00:45:15] Evan Francen: They do, especially some of those. Yeah. Really? God, a little shudder there. Um, they, you know, if you miss one you can always catch it on YouTube. Um, and if you are going to sign up, commit to go and do it all, you know, almost force yourself to, because you’ll be better off for it. You know, even if you’re not planning on taking the exam, sit through all of it. Right? Because you won’t know some of, you know, you’ll find that when we get to domain seven and eight we’ll be making connections back into domain one and two. It really, it really makes things, oh okay, now I got it.

[00:45:56] Brad Nigh: Yeah. Yeah, stick with it. And I love Drew, our sales director, but if he could make it through it, and he did last year, anyone can do it, because that’s not his interest. He’s a sales guy through and through and he stuck it out. So I love you. Well

[00:46:16] Evan Francen: Maybe you will know. All right. So I’ve got three news things that we’ll hit real quick and then we’ll close up for the day. The first one comes from Fox News and, uh, it was really interesting. Um, the title is “US Strategic Command Twitter account accessed by child.” Mhm. So this is kind of weird because these are the same people that, this is US STRATCOM. So this is Strategic Command that maintains our nuclear, I guess, arsenal. Um, they are the ones who keep the codes and, you know, all that stuff. Well, last week, actually it’s only just two days ago, uh, there was a tweet that came out and it was “;l;;gmlxzssaw”, semicolon, L, semicolon, semicolon, G, M, L, X, Z, S, S, A, W. And that was it. You can imagine that caused quite a stir, people like, what the hell? You know, this is a place where you’re normally getting, you know, legit tweets. So let’s have a bunch of jokes and things. Well, it turns out that the guy, I think it’s a guy, who maintains the Twitter account for, you know, US Strategic Command, was working at home and walked away from his computer, and his kid came behind him and sent a tweet.

[00:47:50] Brad Nigh: You know what? Yeah, I’m just reading the actual response to the Freedom of Information Act request. But I can only hope that the computer used for Twitter is not connected in any way to the, uh, the confidential, top secret, like beyond top secret stuff that goes on at STRATCOM.

[00:48:23] Evan Francen: Right? Well I’m yeah I mean it’s uh you know I agree with that completely. And I’m also like I expect better.

[00:48:32] Brad Nigh: I would hope that well the other thing would be kind of you know you would think that that I got some sort of a written warning or something.

[00:48:41] Evan Francen: Right. Well it just shows how important it is. Like take this to a halt to my work life. Right? Do I walk away from my computer in my home office without locking it?

[00:48:53] Brad Nigh: I lock it even when there’s nobody else here. Right. Right. It’s just Windows key + L, it just is an ingrained habit. If I stand up and walk away from my desk for anything further than where I can see the computer, that’s my rule. If I’m going to the fridge, I can actually see it in the office. I know nobody came in, but if I can’t see it, it’s locked.

[00:49:17] Evan Francen: Right, one, you’d think with government especially, you know, something, even if it’s just Twitter. So some people will be like, oh this is cute, ha ha, it’s Twitter. This is information dissemination. So this can mean, thank God it was a kid, because in the hands of somebody more nefarious you can do some real damage with false information, you know, using this Twitter account, because people come to trust, like, oh, it’s US Central Command. I can trust tweets that come from here. Mhm. Can you? Yeah, if they’re not following good security best practices, i.e. in this case, you know, locking your workstation when it’s unattended. So hopefully they take this as like, okay, we can do much better here. I understand that, thank God this was, you know, a child doing just this, but yeah. Uh huh. So kids, kids be kids, man. I mean, what do you expect?

[00:50:22] Brad Nigh: That’s that that is the reason that if I can’t see my computer

[00:50:26] Evan Francen: right. Yeah, you never know what those kids are going to be.

[00:50:30] Brad Nigh: I mean I think my kids are probably more aware than most because we do talk through this stuff but yeah it doesn’t matter.

[00:50:42] Evan Francen: All right, two other news articles, and we’ll get through these quick and then we’ll, uh, we’ll head out. So, um, this one is from securityaffairs.co. Yeah, the title is “Hackers breached the PHP’s Git server and inserted a backdoor in the source code.” Yeah, they got, they found it. It’s

[00:51:02] Brad Nigh: bad. I mean, I think, right, this is exactly, basically what we just saw with, um, SolarWinds, is it? I mean, not the exact same thing, but the concept, right? They get in and push it to this trusted source, people. I mean, how many people use PHP? I mean

[00:51:28] Evan Francen: PHP is all over the damn place, and this was recent too, right? This was on March 28. Yeah, so two days ago, that’s when the attackers pushed two commits to php-src, which is the repository. Um, yeah. Does it say how they were

[00:51:48] Brad Nigh: alerted? No, but what’s crazy is the accounts they used: Rasmus Lerdorf, PHP’s author, and then JetBrains developer Nikita Popov. But I mean, these are not exactly low-profile accounts that were used.

[00:52:11] Evan Francen: So it looks like the attackers compromised the accounts and then used that.

[00:52:16] Brad Nigh: Uh, so they said, we don’t know how it happened. Everything points to a compromise of the git.php.net server rather than a compromise of an individual account. Okay.

[00:52:28] Evan Francen: And that’s here. It says in the future, in order to access the repositories, users will now need to be part of the PHP organization on GitHub and their account will have 2FA, or two-factor authentication, enabled. Does that imply that you didn’t have to have multifactor authentication enabled on the repository before? It’s like, oh my God, people.

[00:52:55] Brad Nigh: Mhm.

[00:52:57] Evan Francen: All right. Well, anyway, think how they found it, uh, hopefully will restore our confidence in PHP source control and source code security. Please, people, come on. Especially

[00:53:15] Brad Nigh: now I think the last with Ryan and the exchange you’re starting to see some changes so hopefully

[00:53:24] Evan Francen: It’s gonna get worse. It’s gonna get worse before it gets better, sadly. Yeah. All right. The last one I got is from The Register, and the title is “Intel accused of wiretapping because it uses analytics to track keystrokes, mouse movements on its website.” It’s like, okay, I mean, Intel is not even close to being the only

[00:53:50] Brad Nigh: I was just isn’t that like um what every big website does?

[00:53:57] Evan Francen: Right. Well, yeah, it’s, uh, it’s marketing, right? And they track where you go on the website, because if there’s certain parts of the web, you know, you want to put your content in the places where people are going and, you know, steer people in the right direction. It’s pretty important intelligence, and I really don’t. So this is based on a lawsuit. So a lawsuit was filed against the chipmaker, against Intel. Uh huh. At a Florida state court. The plaintiff is a person named Holly Londers, L-O-N-D-E-R-S. And she’s, you know, complaining about this thing. And the, uh, the only problem I really sort of see, because if you come to my house, I have, you know, my virtual house, my website, I should be able to track where you’re going on my website. I should be able to know where you’re clicking. I don’t see it really a problem with that. I think maybe the problem is you need to tell people that you’re doing it.

[00:55:00] Brad Nigh: Yeah. And you know, reading through it, if you look at the seven most, it says in here the seven most popular session replay services are used on 482 of the Alexa Top 50,000 websites. So you know that this is happening. I think where the concern comes in for me is if you’re putting in social security information, credit card information, what are those, why are they capturing that information? Because that, that’s not an issue if they’re not capturing that. I mean, kind of, it is what it is. It’s not surprising.

[00:55:38] Evan Francen: It’ll be interesting to see what comes from the lawsuit. You know, if I don’t think, I don’t think she’ll win, but if she does, it’s going to set a precedent.

[00:55:49] Brad Nigh: Yeah. Here’s the list of companies that have been sued over this: Banana Republic, Blizzard, CVS, Fandango, Foot Locker, Frontier Airlines, General Motors, Home Depot, Old Navy, Nike, Morton, Ray-Ban, T-Mobile and WebMD, among others. Like it, as long as they’re not, like I said, as long as they’re not capturing that sensitive information, I don’t really, I kind of feel like it’s expected,

[00:56:15] Evan Francen: Right? Yeah, I agree. And the claim is, this is a wiretapping privacy claim, and I don’t think that she’ll win. But because, like you said, it’s common practice, and I have the same, you know, concerns you do. As long as there’s no sensitive, or I guess highly sensitive, information that’s being captured or exposed in the tracking, if you come to a website, expect to be tracked. That’s just how it works. What I don’t like is when you track where I came from. I don’t like when you track where I’m going. So things outside of your domain, outside of your website, I don’t feel as comfortable with you tracking. So that’s why cookies, blocking scripts and all those things are good practices, but at least you have control over that. You can’t really do that when you go to, well you can, but most people won’t, you know, when you go to these other sites.

[00:57:09] Brad Nigh: Yeah. You know, there’s some good plug-ins too for blocking that stuff, if you’re really interested.

[00:57:15] Evan Francen: Yeah, exactly. Yeah. Mhm. All right, well, that’s it for the show, man. What else do I have to shout out to get me shout outs?

[00:57:25] Brad Nigh: Yeah, I’ll give a shout out to my wife for taking care of the medical emergency with our son friday. Uh It was, yeah, she did a phenomenal job. You can tell she’s a nurse, she had her medical nursing approach kicked in and it was fantastic to have that because I didn’t do so well.

[00:57:51] Evan Francen: Yeah, we’re good man. Well, that’s what, that’s what makes a really good partner. Well, since you gave a shout out to your wife, I’ll give one to my wife for let me buy all my Harley parts. So they keep buying. She hasn’t lost patience with me and she’s like, what did you get now, Like this thing, don’t worry about it. It’s good, but she’s uh yeah, I mean it’s it’s amazing how I mean, I don’t think I’d get through life without my partner. You know my wife. Oh

[00:58:21] Brad Nigh: yeah. No, I think you and I both would have worked ourselves silly and would be in a padded cell at this point.

[00:58:32] Evan Francen: Yeah. I tell people all the time I’d be dead or in jail. They’re like, oh no, you wouldn’t. Like, you just don’t know me, man, seriously. Mhm. All right, well, thank you to all our listeners. Send things to us by email at unsecurity@protonmail.com. If you like doing the social thing, the social media thing, I have a social media account. It’s @EvanFrancen. That’s my Twitter account. Brad’s is @BradNigh. Uh, other Twitter accounts that they might be interested in: UNSECURITY, this podcast, is @UnsecurityP, SecurityStudio’s is @StudioSecurity, and FRSecure’s is @FRSecure. That’s all we got for this week. Talk to you next week. Have a good

After a two-episode hiatus, Brad is back this week to join Evan for episode 124 of the UNSECURITY Podcast. In this episode, the duo attempts to answer as many questions about passwords as they possibly can and offer some password hygiene tips. Finally they touch on some company happenings like the CISSP Mentor Program and S2 updates.

Podcast Transcription:

[00:00:22] Evan Francen: Welcome listeners. Thanks for tuning in to this episode of the unsecurity podcast. Today is episode I’m sorry. This is episode 124. The date is March 23rd, 2021. Back from taking a couple of weeks out from the show is my good friend and co host Brad Nigh. Welcome back Brad.

[00:00:40] Brad Nigh: It’s good to be back. It was nice to have decompressed and get a little bit of a break. It’s been way too long, or it had been, so

[00:00:48] Evan Francen: I missed you. It’s not like, you know Ryan’s chopped liver or anything, but he’s no Brad. So I like having my Brad back.

[00:00:57] Brad Nigh: Yeah. Like I said, I’m glad to be back. It’s fun doing things.

[00:01:03] Evan Francen: All right. We’ve got a good show planned for today, for the listeners. Today I want to talk about passwords. Everybody just loves passwords, passwords. But I want to take this, I want to take as many common questions as we can about passwords, uh, and, uh, you know, nail it in one show. So the first question, you know, that I have is, you know what? I think a lot of times when we talk to people, you know, non-security people, we just assume that they know why passwords are important. Yeah. Why we have them in the first place. So that’s the first question. Why do we need passwords in the first place?

[00:01:45] Brad Nigh: Yeah. Well, you have it there. It’s part of authentication. It’s not all, well, shouldn’t be the only part of authentication, you want multi-factor, but it’s proving you are who you say you are.

[00:02:02] Evan Francen: Well, exactly. I think, you know, we profess, you know, that for listeners and for people who, you know, maybe just take this stuff for granted. You know, there’s identity and there’s authentication, right? After that comes authorization and accounting. Right? So we talk about these things like triple-A, right: identity, you know, authentication, authorization and accounting. Yeah. We assume, you know, we kind of treat these things, mix them together. They’re very closely related. But identity is just professing who you are, right? Professing an identity to a system or to somebody else. Right? The second piece is to prove that identity. So, you know, without the authentication you just have to take my word for it. Right.

[00:02:49] Brad Nigh: Right. Yeah. So your identity, you know, think of your user name, right, then password is your authentication. That’s how you get into the system. Exactly. It would be similar to, I’m trying to simplify it a little bit, but you know, not exactly the same. But like if you know the code to your keypad for your garage door. Right? That would be enough authentication, right? Not necessarily identification, because it’s there, but yeah.

[00:03:21] Evan Francen: Well, and you know, a lot of times, you know, when I meet people, when you attend a meeting, it’s rare for people to, you know, ask for my ID. Uh, they don’t ask for my driver’s license or my passport. So certain systems, certain things, certain people, I don’t need to authenticate with them. They take my word for it. So I say, hey, I’m Evan Francen, and they’re like, all right,

[00:03:44] Brad Nigh: right. Right.

[00:03:45] Evan Francen: So that’s just identity without authentication. It’s when, you know, let’s say I’m crossing the border from Mexico into the United States or vice versa. You know, I profess that I am Evan Francen, but they’re not going to take my word for it. Right. They need some proof that I actually am who I say I am, that I came from where I said I was coming from. Uh, so you know, you have to produce your passport or something like that. So that’s that proof of, that’s authenticating me to, you know, maybe customs. Right, yep. And the same thing sort of happens with computers, because I tell a computer that my user name is e francen. Okay, great, anybody can come to my computer at any time and profess the same thing, right? If there’s no proof. Yeah. Right. Yes,

[00:04:35] Brad Nigh: exactly.

[00:04:37] Evan Francen: And that’s fine in some sense. And I think it’s fine. In some situations to not have to authenticate, you know, we browse the internet all the time without authenticating, it’s when I need to do something, you know maybe a transaction or maybe something that’s a little more critical sensitive. That’s when I need to authenticate.

[00:04:54] Brad Nigh: It’s when you’re doing something that you want to protect. Right? Right. You know you’re logging into your bank, you’re logging into work, there’s something sensitive going on. Right? That’s when you want to make sure there’s an authentication ahead of it.

[00:05:10] Evan Francen: And so, so users, you know, when they ask, well, why do we need passwords to begin with? Well, it’s to prove your identity to our system, prove your identity. It’s the same thing when you go to the bank. The same thing when you go to the ATM. The same thing when you get carded for alcohol or, you know, at the bar, right? You need to authenticate. It proves something about your identity that they’ll accept as, okay, it’s valid. You’re going to continue. Mhm. So if that’s that, then what happens when a password is compromised? Why is that a big deal? Why would I care if a password is compromised or not?

[00:05:49] Brad Nigh: Well, that goes to that last A of accountability, right. As soon as your password gets compromised, that person is acting as if it’s you, or whatever they do looks like it came from you, which is angry. You know, I think about that from a bank standpoint. You know, they transfer all the money out? Well, they’ve logged in as you, how is the bank to know the difference.

[00:06:15] Evan Francen: Right? Exactly. So it’s it’s impersonation, right? Somebody else acts like they’re me. That means they can do things that are reserved for me. Things that I only I want to be able to do. Right? Imagine an imposter like coming into your house, you know what I mean? Deepfakes style like they look exactly like you, they act like you right? They’ve authenticated with your wife. They’ve authenticated with your kids, but it’s not you.

[00:06:43] Brad Nigh: Right? Yeah.

[00:06:45] Evan Francen: And then think of the damage they can do.

[00:06:47] Brad Nigh: Right? And that’s basically what’s happening digitally.

[00:06:50] Evan Francen: Exactly. Yeah. I think a lot of times when people can make that, that analogy, that cross between, this is what I see it physically. Because I’m used to physical, right? I can relate to it more. You can use vision, I can use other senses that I can’t use digitally. But it’s essentially the same thing, right? If you impersonate me physically and impersonating me digitally. Different mechanisms, but essentially the same potential outcome,

[00:07:19] Brad Nigh: right? Yes.

[00:07:20] Evan Francen: You destroy somebody’s life if you do it right?

[00:07:23] Brad Nigh: Oh, and we’ve seen it happen. Yeah sucks.

[00:07:28] Evan Francen: It totally sucks. So, okay, so that’s what happens when somebody compromises, potentially, my password, right? You need to have the identity piece too, right, you need to have my user name. But that’s pretty trivial because usually you share your user name openly.

[00:07:45] Brad Nigh: Right? Because I mean realistically that’s not sensitive. A confidential type of information. I mean it’s you have to declare who you are.

[00:07:56] Evan Francen: Right? Exactly, yep. Right? So that’s that’s how, you know that that’s the reason why I think, you know, for users that you know, we stress password security. Um so then if that’s the importance of protecting my password, then how could my password potentially be compromised so that I can identify ways that I need to be active in protection.

[00:08:27] Brad Nigh: Right. Well, I mean, you know, you have a listener, I think the most common is probably gonna be the disclosure where, you know, you’ve logged into a service that wasn’t protecting those passwords correctly. They weren’t, without getting too technical, salting or hashing; passwords were stored in clear text so that anybody could read them, right? They weren’t obfuscated in any way. Um, yeah, you know, I think, and you hear about those all the time, and the, when I actually have a really good story about that. So in, I want to say 2017, maybe 2018, but let’s say 2017, I did a security training for a city government, and part of our awareness training is how to create a good, we don’t use password, we use pass phrase, we’re trying to get people away from thinking password, because at this point length is really the best way to protect it, but you know, like, okay, well, what are some bad passwords, and it was like spring 2017, you know, like common things for that area, you know, Vikings one or whatever. It was after I had like four or five examples, and after the training, I had someone come up to me and go, so if I saw my password on your presentation, I should change it. Yeah, probably, right. I mean

[00:10:11] Evan Francen: yeah. Well he well I think you know to simplify like simple you know me man if I can take something complex and break it down into components and and make it simple because simple it’s easier to manage simple. It’s easier for me to understand. So I think there are two major ways that passwords are compromised. It’s either caused by you or it’s caused by somebody you shared your password with right? Caused by someone. What else. And I think the two primary ways that happens when it’s caused by you is either I disclosed it meaning I told it to somebody I shouldn’t have told it to or I was just weak to begin with. Right? It was something that was easily guessed. It was something that was easily derived from any number of different variables but it was just a weak password.

[00:10:59] Brad Nigh: Right. Well, and to give you an idea, and I don’t know the exact number, but kind of anecdotally, from our pen test team, I think when they get to do an internal pen test and get hashes, obviously we have a cracking rig and these, you know, the rainbow tables and different tools. But typically they get 25-30 of passwords when they do those, right. Just because people aren’t doing the right thing, because I think more often than not it’s a lack of awareness. Not like intentional.

[00:11:35] Evan Francen: Sure

[00:11:36] Brad Nigh: as I say that I think is it’s a recurring theme that we keep coming back to is a lot of these there it comes down to a lack of awareness regardless when you have but a normal person having issues.

[00:11:51] Evan Francen: All right. And I think, you know, it’s rare to find somebody who is not aware, right? When you talk to somebody about passwords, you know, anybody on the street, they get it. They get like, oh yeah, you know, I’ve been told that it needs to be strong, whether I know what that means or not, a different thing. But I think another thing that we do often is we overcomplicate stuff. That’s why simple for me always wins. It’s like, all right, your password is going to be compromised either because you did it or, uh, somebody you shared it with. Right. And so what can I do to protect myself from disclosure or weak passwords? Well, if I want to protect myself from disclosure, I have to be very, very careful with who I share my password with. Right? Um, like my password, I’ll just tell you, you know, at home. Uh, nobody, actually nobody in the world anywhere knows my password safe password. Nobody, I haven’t shared it with anybody. Right. It’s a unique password to open up my password safe so I can get access to all my other passwords. I don’t reuse that anywhere else. It’s, that is such an important

[00:13:03] Brad Nigh: password.

[00:13:05] Evan Francen: And where I do have that password stored is in a safety deposit box. So should I die, mm, my wife can, my wife knows it’s there, right? But I’ll also know if she goes and gets it, right. Which is, it’s not that I don’t trust my wife. It’s just that as soon as I tell somebody else, anybody else, my password, that is now disclosed. Right? Yeah. So that one’s, it’s in an envelope in the safety deposit box, because, you know, I will die, and chances are I’ll probably die before my wife because she’s healthier than me. You know, she knows to go get it. This is the procedure that you need to go through if something happens to me, because then you have access to all of my accounts, which somebody has to, somebody has to take care of that. Yes. So that’s the disclosure piece. Now, in terms of other passwords, I always ask, like, anybody who’s ever asking me anywhere for me to prove my identity to them. Why? Why do you need my identity? Why do you need my password? Mhm. So every email I get, I’m always skeptical, like, oh yeah, who are you?

[00:14:19] Brad Nigh: Yeah, it comes from the, you know, the bank or credit card or whatever. I never click the link in the email. I always go directly to the site or open the app, and you know, you go in that way. You know, the other thing is, you know, using a password manager, password safe. A lot of them, if you do click the link, they’re not going to auto-fill. It’s the wrong URL. Right. So it does add an additional level of protection. If you click a link in your, you know, whatever you’re using, and there’s a bunch of really good ones, and it doesn’t auto-fill, it would actually be a red flag right away.

[00:14:57] Evan Francen: Yeah. That should definitely make you question things. So password disclosures either come from me, meaning I disclosed it to somebody that I shouldn’t have. I would say that if I did disclose it to somebody that I shouldn’t have, immediately go and change the password. Right? Change that authenticator. The other way that a password compromise can be caused by me, because there’s only two ways, that I disclosed it or I made it weak to begin with, is to learn what makes a password strong. Uh, it is a learned habit. Trust me, it’s not something that came, I didn’t fall out of my mother’s womb knowing how to create strong passwords. I had to learn

[00:15:36] Brad Nigh: it. Yeah. And you know, I think the thing that I always like to do when I’m doing the training or the, um, the, I see the volunteering for the parents, is giving examples, and it’s always, you can see the people, the light bulbs going off and going, I didn’t know you could do that, right. Like use a phrase, use proper grammar, like use spaces and commas and numbers and upper and lower case. The more complex in terms of that combination, not necessarily, again keeping it simple, a phrase that you’re going to remember, but using that variety is going to be stronger. And I don’t think so. We are, you know, you’re talking about that. I have my personal password manager, my work password manager, my, uh, domain login, my recovery email for personal, and my bank account. Everything else is all in a password manager. Those are the five passwords. Yeah, that’s it. I have five that I need to know. And they’re all different. Right. I mean, you look at, I think I have like 60 passwords that are in the work password manager.

[00:16:55] Evan Francen: Like I was gonna go through that in a little bit too, about how many passwords are actually in my vault. The, uh, so choosing a, so here’s a couple of places that people can go, places that I go regularly just because I like to play around with stuff. So if you go to howsecureismypassword.net, right? And there’s other password checkers out there, just throw a password in there. Now, don’t use a password that you’re actively using. Use example passwords just to see what makes a password strong. You know, if I choose the password, you know, Evan space is space a space cool space guy exclamation point, that’s actually a very strong password, right? Because long is strong, yep.

[00:17:44] Brad Nigh: Yeah, minimum 16 Yeah, I mean realistically at this point,

[00:17:50] Evan Francen: so that’s one place I go. The other place I go to mess around with passwords is Have I Been Pwned. Mhm. Because there’s a link there where you can type in passwords to see if they’ve been pwned before, to see if they’ve been cracked before. Now, it’s not going to be 100% effective obviously, but the really well known passwords that have been compromised through various breaches, you know, they’ll show up there, you know? So if you take, you know, spring 2000, I don’t know, take spring 2020 or 2021 and put it in there. Yeah, do that.

[00:18:26] Brad Nigh: So another one I just put it in the chat that I like is, it’s by Gibson Research Corp, Haystack, How well is your needle hidden, and you get the same thing. You can put in a test password. Again, I would not use your real one, but use a similar one. Right? If you have three words that are, you know, each four letters and a space between, use the same construct but don’t use your real password.

[00:19:00] Evan Francen: Right? And then it goes to, so disclosure is one way, using a weak password is another way. So there’s a couple of tools that people can use to choose or test what’s a strong password and what’s not. The third way is someone you shared your password with gets compromised, or they didn’t, you know, they didn’t secure your password as well as you are securing your password. That’s another area of compromise. And that’s the reason why I wouldn’t choose, we were saying don’t use your real password in these sites for testing, because you don’t know if they’re protecting it. You don’t know if it’s going to be stored somewhere. Um and that’s another reason why, you know, I hate the guidance that we’ve received recently that changing passwords is a bad practice and we’re no longer going to force users to change passwords. Well, that would be fine if all three of those things were true, meaning I didn’t disclose it to anybody, I chose a strong password, and everybody that I shared it with didn’t disclose it.

[00:20:04] Brad Nigh: Well, and I get asked that all the time. And my answer is, what’s your risk tolerance if that password gets compromised? Yeah. And you don’t know about it. How long are you willing to have your account potentially accessed, or domain accounts accessed, before you’re going to lock the person out? And people are like, yeah. Okay. Exactly. You know, I would say multi factor definitely helps. Right? You have to train your users. We’ve had incidents where, uh, you know, the user OK’d the multi factor even though they weren’t logging in and let an attacker in. So you still have to train your users, it’s not a like, can I see that here all? But you know, personally, I wouldn’t have an issue if you’re using multi factor, six months, maybe 12 depending

[00:20:58] Evan Francen: on the service. And let’s get to multi factor after we get through the password stuff. Because I think a lot of times too we assume that the everyday, you know, user, the consumer at home, even knows what multifactor is. We use it all the time, to us it’s second nature, it’s part of our language. But I’ve used multifactor many times, you know, as a word, and they looked at me like, mm, I’ve heard it before, but I don’t know what that is. Yeah. You know. So. All right. So passwords: caused by you, disclosed or weak, caused by them. That’s, you know, one of the reasons why we make you or want you to change your password on a regular basis, because even if you are the best password manager person ever, right? You are a master of choosing the strongest best passwords ever. And you’re a master of not falling for phishing attacks or giving your passwords out to anybody. You still need to change your password because you do have to give it out to somebody in order to authenticate.

[00:21:55] Brad Nigh: Um Right. Yeah at some point it’s shared with

[00:21:59] Evan Francen: someone. Yeah, you just can’t get away from that. All right. So one of the things that we’ve been working on, you know, because we have S2Me at SecurityStudio, and one of the things that uh Panesar, lead developer, started putting together is a new password strength slash score algorithm. So it’s not going to be the same as what you see in um

[00:22:27] Brad Nigh: I think it’s going to be swelling. It’s similar to the Haystack link that I sent you. If you look at that, I think it’s gonna be in that same vein, which I like more

[00:22:38] Evan Francen: Right. One, it’ll be, we’re going to insert it in between your account creation and storage in the database. Yes. So we’re gonna run it through the algorithm, so we’re never gonna know it other than there’s that brief, you know, split half second when it does get transferred from here to there. You know, and that happens all in memory on the server and stuff. So you’re always gonna have that

[00:23:02] Brad Nigh: you can never get away from that, otherwise you can’t authenticate.

[00:23:06] Evan Francen: Exactly. So the but yeah so when you create your account We’re going to tell you hey your password score was 420 You know that’s on a scale of 350. So that’s not good. And then we’ll tell you why.

[00:23:23] Brad Nigh: Yeah. Right. Yeah. I don’t like I don’t like some of those password strength I think it gives a false sense of security. I agree. Right? Like let’s let’s give let’s look at it slightly differently in terms of you know how many combinations what are what’s good? What’s bad? Why is this not good or bad?

[00:23:46] Evan Francen: Yeah, because a lot of those password, you know, testers and things online will tell you, well, it takes x number of days to crack your password, and you’re not really sure where that math comes from anyway. Because like if you tell me it’s going to take three million years to compromise my password, yet quantum computing is like on our doorstep, your three million years is B.S. Right? Because, you know, computing processing speed, calculations happen much quicker when you get quicker processing. So, you know, the way our math works, we have 18 rules with weights applied kind of according to risk, and we can manipulate it based on things that change in the real world. But rule number one, and you hit it dead on, is password length, right? The good length. You know, basically what would be, you know, essentially a six, I’m not going to give away the math, but what would be in the good to excellent range would be a password longer than 16 characters. If it’s shorter than 16 characters it’s not a good password; as it gets shorter and shorter it becomes a worse and worse password. So that’s rule number one, strong, strong is long. Number two is only numbers, and the reason why only numbers is important is because, I’m sorry, yeah, only numbers is because then that’s the only name space.

[00:25:17] Brad Nigh: Yeah,

[00:25:18] Evan Francen: yeah characters that we go

[00:25:20] Brad Nigh: Back to search probably grant in their training. If you think about it, you’ve got 26 upper case, 26 lower case, 10 numbers zero through 9, and then special characters kind of vary but usually around 50 ish. So use all of those, you’re upwards of 100. You know, there’s some good tools out there that will show you exactly that and say hey, you know, and I do like that. I really think that’s a much better approach.

[00:25:56] Evan Francen: Absolutely. Yeah, that’s financial. Rule number two is only numbers. Rule number three is only lower case numbers, or only lower case letters. So it has taken numbers out of the equation. Only if it’s only lower case letters, this is going to be, you know, this calculation. Only uppercase letters, more calculation. Only letters. Um, well, what’s the next rule I have, only letters, character weight for passwords, another one. Mixed letters and numbers. So no upper lower case. So we’re still reducing that, we call it a key space, you know, the space needed to crack the password. And then rule seven, so the number of times passwords, you know, that we know about, have been compromised in a breach. And I gave you one example of a place where you can go find that if you’re interested, is Have I Been Pwned. You can type in a password and see if it’s been, that’s one place, there’s multiple places where you can go to see if a password is already in the wild, you know, as part of a breach disclosure. Now the reason why that’s important is because if I was an attacker and I was gonna load up my tables, I would make sure that I account for all those passwords that have been breached in the past. Yeah, and it’s just good seeds. Yeah. Uh, does a password exist in the dictionary? So there’s two types of attacks, three really nowadays, but you know two primary types of attacks is a dictionary attack and a password crack where you go through the key space, you know, you’ve got, you know, combinations using rainbow tables and such. But if it’s in the dictionary, that’s the fastest way to crack a password.

[00:27:32] Brad Nigh: Yeah. Yeah. You know, to go to your point, you can have a long password over that 16 character length and have it still be weak. Right? Like, you know, I just put in there, the University of Illinois Chicago has something kind of, it’s a little bit wonky to look at, but 19 characters all lower case and it’s really poor. It wouldn’t take very long to crack it because it’s dictionary words and it’s only 26 letters in each one. That doesn’t take long to get rid of.

[00:28:09] Evan Francen: No exactly. So you have to take into all these rules, there’s actually 18 rules but from a user perspective uh choose a long password. Right? And we use

[00:28:22] Brad Nigh: variety.

[00:28:23] Evan Francen: Yeah exactly. And even if you have a long password with variety at the end because we used to tell you to mix them up right? We tell you to put special characters inside of words as opposed to on the ends of words. That’s that holds more true in smaller shorter passwords but in longer passwords you still you know pushed that key space. So you’re usually okay.

[00:28:47] Brad Nigh: A thing that I like to, um, a good example that really gets people’s attention, that makes it like, hey, this doesn’t have to be complicated. Now obviously you’re not gonna want to use this, but a phrase, very famous one, to be or not to be, that is the question, right, comma, spaces and a period. You know, that gives you a, you know, 41 or, let’s see, I don’t even know what that is. The search space is 1.29 times 10 to the 79th. Okay. Uh, that’s gonna take, you know, even looking at 100 trillion guesses a second, it’s going to take trillions of centuries to go through brute force. Right, now that’s brute force. If that password is being used and they know it, it’s gonna be a lot shorter than that, which is why it’s so important to, um, you know, use different passwords in different places.

[00:29:51] Evan Francen: Right okay. How many passwords does the average person have?

[00:29:58] Brad Nigh: You know? That’s a really good question.

[00:30:01] Evan Francen: There was a study that was done I think last year that said the average person has 100 passwords.

[00:30:11] Brad Nigh: Yeah, so I looked, uh, closed it, hang on. Mhm. I have, so I will say I do share a LastPass with my wife just because we do have a lot of joint accounts, but there are, like you said, there are passwords she doesn’t know, she has access to it in an emergency, but I have between the two of us, 100, probably close to 200, if not a little higher.

[00:30:50] Evan Francen: Hi there I’m looking at my my password database right now and I have uh 317 passwords.

[00:30:59] Brad Nigh: Yeah

[00:31:01] Evan Francen: I don’t know how you could possibly do this without a password manager without you know and certainly given the other benefits with a password manager. A Good one. A reputable one. Uh It’s a an absolute necessity.

[00:31:17] Brad Nigh: Well and so I have uh 93 work in my work one. Oh wait, no more than that. That’s just over 100 on that one too. So you know between the two, how how what’s up?

[00:31:34] Evan Francen: No, no, it’s not, man. And you know, benefits that I like about password managers as well are reminders to change passwords for certain accounts. I can organize my accounts according to sensitivity. So the ones that are more sensitive, I can put, you know, reminders to change them more often. Maybe every 30 days, maybe every 45, whatever my risk tolerance says. And then the other passwords that are just like, yeah, this is a test account somewhere, I don’t care if it gets compromised, I may not ever. But password managers allow me to do all that stuff, or there are times when I’m like in a rush and I don’t have time to think of a strong password that I’m actually going to remember. I’ll have the password manager just create a damn password for me according to these rules and populate it and store it. And I’ll come back to it later.

[00:32:26] Brad Nigh: I’ll be honest. I almost don’t always use a generated password with and I will always do, you know the complexity, all four of those different um, character sets. And as long as you know the length that the longest length that whatever service will support. Right? Because I don’t have to remember it. So if it’s 50 characters. Great. I don’t care. I don’t I’m not going to be very worried about that getting broken anytime soon because I know it’s strong length and complexity to it but I don’t have to try and remember it.

[00:33:06] Evan Francen: Yeah that’s true. I mean you could put a gun to my head on most of my passwords and say disclose your password. I’m like I I honestly don’t know what it is

[00:33:13] Brad Nigh: right? Like I said I know like five passwords.

[00:33:17] Evan Francen: Yeah, and I actually, I probably don’t know how many actually. No, no. But the one I really know, it’s just the one to open my password safe, and I have forgotten that password before. Thank God, you know, there’s recovery mechanisms, because if I were to lose that and not have the ability to recover that password, my life would come to an end basically. I mean my digital life.

[00:33:44] Brad Nigh: Right. Well, and that’s why, you know, LastPass had that issue years ago where, uh, they basically reset passwords because, you know, the passwords were compromised, and because they were salted and hashed it would be very difficult to actually get the passwords, but you know, they changed passwords. Well, people couldn’t log in because they didn’t know their recovery email password because it was in LastPass. So that’s one of the things that I always like to recommend is, whatever you use for your recovery mechanism, that is a separate password. Don’t have that stored. You’re going to need to know that one.

[00:34:23] Evan Francen: Right. Right. And if you have to I mean truly if you have to uh write it down and store it somewhere safe in your home or the in a safety deposit box because the risk of being disclosed there is less lessened because you know, it’s not digitally, it’s not connected to the rest of the world, right? You know, I do know people good, really solid solid solid info sec people that actually store their master password or recovery password in their wallet,

[00:35:01] Brad Nigh: you know? Well

[00:35:02] Evan Francen: at least their risk tolerance, I’m not gonna, you know,

[00:35:05] Brad Nigh: I think as long as you don’t have you know the service of the what you’re using or the user name, the identifier. I mean yes, you could guess those things, but at least it’s somewhat safer. Yeah, I’m with you know, I wouldn’t do that. No.

[00:35:23] Evan Francen: So the average person has 100 passwords, I have a lot, you have a lot more than that. And so um when you think about it, you know a lot of these passwords have access to really sensitive parts of your life. Uh I think it’s a good idea for people because we we we advise the same thing at work, you know for you know, business clients you have to take inventory of these things, You have to take inventory where what identities do you have? Where are your digital identities? Uh And there’s no single tool that’s just going to go out there and scour the web and tell you what they all are at some point. You just need to and I wouldn’t even if you if you’ve never done that before, I wouldn’t even attempt to do them. All right. Now what I would do is say get a password manager or something like that where you can start tracking your digital identities and just start using it eventually it will start to become populated and you’ll have identities that you haven’t used in years that you probably you didn’t need any way. Maybe some of those might still be sensitive. But uh you know out of sight out of mind until something happens I guess on some of those we just won’t know. Yeah but you have to take an inventory of this stuff. Um I have an inventory of all my accounts and they’re all of my password, save the computers. Um All the computers that I use including my work computer, my home computer by multiple work computers. My ipad, my iphone I’ll have password managers on them.

[00:37:03] Brad Nigh: Yeah I’m looking through my personal one and I’ve seen some and I’m like yeah I probably haven’t used that one in 10 years,

[00:37:13] Evan Francen: Right? And some of those accounts, you know uh you know might be a good idea just to you know, I want to win and close it up.

[00:37:22] Brad Nigh: I’m sure that some of these have been kicked out because of an activity.

[00:37:28] Evan Francen: Right? And if you look up, if you go to, uh, you know, Have I Been Pwned and type in my email address, you’ll see that my email address has been pwned in 17 data breaches.

[00:37:47] Brad Nigh: Mhm. I’m lucky. I’ve only had five.

[00:37:52] Evan Francen: Right? If I use my other email address, it’s zero. So there are, I mean, if you get a little more sophisticated with your identities and things like that, I’ll use one email address for accounts and account sign ups where I expect 17, 20, 30 data breaches over the lifetime of that ID. Then I have other ones where it’s like, I only use this one in very sensitive accounts. And so if I ever did get an alert on that one, that would be a really big deal

[00:38:19] Brad Nigh: Oh, 100%. I have like four emails that, exactly that, it’s whatever. If it gets pwned, it gets pwned, it’s nothing sensitive. You know, log into, I don’t know, some website to read news. Right. Right. Right. And then going up in sensitivity levels, and they’re all different. Right? It’s not like there’s a pattern to them per se. So I know, and I will say I do use Gmail, which, you know, it is what it is, but it’s

[00:38:56] Evan Francen: easy to you’ll never get away from google, you

[00:38:58] Brad Nigh: know, but the one that I use that for is the least sensitive things. But one of the things that I really like about that is you can do a plus and then something afterwards. So let’s just say my email is, and this is not it, but if it was BNI at gmail dot com, I could do BNI plus, uh, yeah, CNN dot com or CNN at gmail dot com, or, you know, BNI plus Washington Post or WP, whatever you’re logging into, and Gmail sees it all the same, and then you can set alerts, and if you do get it, you know who leaked it.

[00:39:39] Evan Francen: Yeah. Yeah. It’s like it’s it’s own little digital watermark. Alright. So in, you know, saying for, you know, everyday users, you know, we’re talking about things, you know, I think strategies that we use and I think for a couple of reasons, one we’ve been speaking this language longer, right? It’s not a question of intelligence or anything like that. It’s just a question of the language we speak, you know, the longer you speak at the more you master it. So, you know, we do stuff like this,

[00:40:11] Brad Nigh: you know, I think because

[00:40:12] Evan Francen: of that

[00:40:13] Brad Nigh: medical professionals talking medical, and it’s just, it’s what, when you do it and it’s what you do, it just comes naturally when you’ve been doing it this long,

[00:40:23] Evan Francen: right? And the thing with everyday users is that information security, some of this stuff that we’ve talked about in this podcast, are life skills.

[00:40:33] Brad Nigh: I mean at this point, yes, absolutely.

[00:40:36] Evan Francen: Yes. To managing your own identity, meaning taking inventory as much as you can about where your identity is being used. And I would start to start with a password manager and as you’re using the password manager, you will start populating with your identities.

[00:40:51] Brad Nigh: And so if you’re curious to now it’s not it was more aimed at at businesses, but a lot of them do you have uh free home um versions? See I’m trying to find it, we actually put together kind of a comparison of password managers because we get asked that so many times. So let me see if I can find that and I’ll give that, I’ll send that over to you here in a second. Yeah, you can send that out and the or

[00:41:26] Evan Francen: you can add, and I never mind sharing what I use. I mean I get asked, I think more than I get asked about which one is a good one, I get asked about which one do you use? I mean, I use LastPass. I like LastPass because it does span across different systems, so I can use it on my iOS devices, I can use it on my Windows devices. I don’t know if it works on Linux or not. I never really uh much account stuff from Roxbury. Yeah, so I like it. Simulators.

[00:41:55] Brad Nigh: Yeah, there’s, you know, the other one. Uh, well, we hear a lot, right? There’s a lot of options. I’ve heard, you know, a lot of good things about Dashlane. Um, 1Password is another very common one

[00:42:12] Evan Francen: when I think a lot of times too, for people, like don’t get wrapped around the axle about which password manager is the best password manager. Just use the damn password manager. You know what I mean? It’s like, because you may ask me, it’s like which antivirus is best. Mhm, depends on who you ask. Right? If you ask me, it might even depend on the day you’re asking me. You may have just had a crappy experience with LastPass and I’m like, don’t use that one, right? You know. But so just use one. And then, um, the question I get a lot too is, because then we’re gonna go into multifactor, we’re going to multi factor really quick. But I want to talk about, are we going to be stuck with passwords forever? Okay.

[00:42:58] Brad Nigh: Yeah. I mean, until we have some other form of authentication, you know, and biometrics to me is not good because you can never change it. So if it’s not implemented correctly and your algorithm, you get compromised, like you need your fingerprint or whatever, so I’m for biometrics as an identifier, not as an authenticator. Uh, so, you know, you’re gonna have some form of this for the foreseeable future. I mean, unless you go to like a physical device. Right? Yeah, I

[00:43:44] Evan Francen: agree with you. You are going to be stuck with passwords forever. Uh, because when you think about ways to prove your identity to somebody else, and that leads to our factors, right? So there’s three factors in authentication today. Some people will argue a fourth. But really there’s only three. It’s something I know, something I have and something I am. And so the something I know piece, those are passwords. Now I could use something I am, like you said, like, uh, you know, biometrics, you know, retina scan, a hand geometry scanner, you know, fingerprint, whatever. But like you said, changing those things is very difficult. So what happens if there’s a compromise of the image of my thumbprint? How will I change that?

[00:44:37] Brad Nigh: Right. Well, and the other thing is, we talk about this and it will be a nice transition, but in the mentor program there’s my ability and security concerns with that, because if you have diabetes that will change your eye, or if you’re pregnant that can change things. And we’ve heard the stories of, you know, somebody that, you know, kept having to get their eye scan updated. It turns out they had diabetes and didn’t realize it.

[00:45:07] Evan Francen: Right? Yeah. I know there’s the geeky ones out there saying, well, they don’t actually store the image. They store the minutiae, right? So you’re not actually storing my fingerprint image; what you’re storing is mathematical calculations from the whorls and things on my fingerprint. That’s true if you’re playing by the rules, but you know that there are people out there who take shortcuts all the damn time. So everybody who’s using, you know, that as authentication, are they following the rules? Are they storing my whole image? Because if they’re storing my whole image, boom, gone

[00:45:42] Brad Nigh: well and not only that but we know people aren’t doing it right. How many password breaches have passwords stored in clear text? You hear about that all the time. That’s that is development. And one of the one like if you can’t do that you shouldn’t be a developer, you shouldn’t be putting out anything. And we still hear about it. So how how can I trust that these companies are are storing that data correctly.

[00:46:09] Evan Francen: Exactly. Exactly. So so and then that that third form something I know something I have. Well that changes right? I can lose things. I can I can pick something up and put something down. Now. I know there’s been discussions about you know implants putting implants into people and things like that. Sorry that’s not going to happen here. You’re not putting an implant into my body that you can use for authentication. I don’t trust you

[00:46:37] Brad Nigh: right? And then it leads to a whole another host of of concerns and issues you have to deal with. Right. The organization not just as an individual.

[00:46:46] Evan Francen: Exactly. And so if those them, so getting away from those things like uh passwords are just they’re not going away. I don’t see it happening. What I do. You know, you see things like um, you know large global single sign on, you know, efforts, things like that where I just need to authenticate with a centralized service and it we’ll authenticate me to everything else that still doesn’t get you away from passwords. Maybe it’s it’s less passwords but you still have to have passwords.

[00:47:18] Brad Nigh: I mean it’s similar to using a password manager. You don’t have to know those passwords. You still have to have the password though.

[00:47:26] Evan Francen: Right? Exactly. So when we talk about multi factor authentication, we’re talking about two of those three factors. Right? Something I know, something I have, something I am, and you can put them in whatever order you want. You don’t need to get technical about which order they go in. And I love using the example because people can relate to it. Most of us have gone to the ATM machine before. That’s multifactor authentication. Right? It’s something you have, the ATM card, and it’s something you know, with your PIN

[00:47:57] Brad Nigh: number.

[00:47:58] Evan Francen: If I only have one of those two, I’m not getting any money out of the ATM. I need to know both. Exactly. And so the same thing applies when I go and browse the internet. You know, the multifactor authentication, it’s going to be something I know, which is typically a password or passcode, and then it’s either going to send, uh, maybe a text to my phone, maybe I’ve got a key fob, maybe I’ve got a YubiKey, I’ve got something else that’s going to be required for me to complete that authentication sequence. Yeah. And I don’t want to get wrapped around the axle either about, well, but you know, SMS, you know, second factor is weak, weak, weak, and it’s like, okay, I get it, you can crack it, but it’s stronger than just using your damn password. So I’d actually start there.

[00:48:45] Brad Nigh: Right? Yeah. Again, it’s not ideal, but it’s better than nothing, right? You know, and luckily there are some really good, um, authentication apps. You know, Microsoft has one, Google obviously has one, LastPass I believe has one, you know, most password managers have something like that that are free, right? They’re really easy to set up. If you go to these sites, they put a QR code, a little funky square, like

[00:49:14] Evan Francen: google authenticator right? There

[00:49:16] Brad Nigh: you go. Um But they’ll have that QR code, you open your password, uh your authenticator app, hold it up to the screen. That’s it. It’s super simple to do. I mean you know uh The way I like try to do training is because it is easy to talk over people uh do it like I’m talking to my mom, right? I try to imagine that love her to death. Not technical. She was able to do it. So you know, I know you can do it right?

[00:49:50] Evan Francen: Oh, well, that’s it, man. You know, and if you need to start with SMS and that’s what you feel comfortable with, feel free, you know, start there. You know, most of the attacks against SMS, you know, that have been successful, well, I mean, it was SIM swapping attacks, right? So you would know when a SIM swap happened because your phone would stop working. Right? That’s a telltale, like why did my phone stop working? And you call the phone company and they’re like, well, because, you know, whatever. It’s pretty easy to figure that out pretty quickly. Um, so yeah, anyway, I think this was a good discussion because I think that we take for granted passwords a lot. We just assume that people know, you know, a lot of these things. I don’t like passwords. I don’t think anybody likes passwords because they’re a pain in the ass. Right. I mean, 300 passwords, are you kidding me? All right. What’s up the password manager? It makes life simpler. I don’t like when my password manager times out, which means, you know, I’m browsing the internet and I have to re authenticate with my damn password manager again, and that password is hard as hell to type every time.

[00:51:01] Brad Nigh: Mine is like 28 characters, but it’s a phrase, you know, and then it’s not just a phrase, it changes. I have some, uh, basically salting, you know, adding some different characters to the beginning and the end to change what the hash looks like. But kind of the core stays the same, because it’s, you know, 24 characters, it’s gonna be really hard to figure out.

[00:51:28] Evan Francen: Yeah, absolutely. So there you go, there’s the guidance on passwords. Yeah. Other things I wanted to talk about just briefly, and then we’ll get to some news because we’re coming up against time. The CISSP mentor program, FRSecure’s free, for anybody who hasn’t listened to us before. It’s 100% free. There’s never strings attached. You can sign up with a bogus, you know, name. We don’t care, right? It’s the ability to help people get prepared for their CISSP or just learn more about security. We have tons of people who take this program that never ever take the exam. Well, that’s fine.

[00:52:09] Brad Nigh: We’ve had sales people, and, you know, well, Renee took it last year. Uh, CEO, odds are very high she will never take the exam, but it makes her better at her job. So you get a lot of people that do, exactly for that reason, and I’m all for it.

[00:52:27] Evan Francen: Yeah me too man. So this year as of yesterday morning we were told that there are 4,701 registrations in that program today. That’s very awesome.

[00:52:38] Brad Nigh: Mind boggling. We, at this point we have more this year then all the other years combined.

[00:52:45] Evan Francen: Yeah. Last year was the record at what? 2400 something?

[00:52:48] Brad Nigh: 23, right in that range.

[00:52:51] Evan Francen: Yeah. So it’s really cool. Uh, the instructors are, you know, me, you and brian,

[00:52:57] Brad Nigh: so a lot of moderators, a lot of people helping out behind the scenes. You’ve got, you know, Charles has volunteered to help out this year. You got Chad, Ryan and Lori that have all done it in the past. Megan’s helped out. Yeah. Patsy I think has helped out as well. So yeah, it’s a team effort.

[00:53:16] Evan Francen: Super cool man. The program kicks off 20 days from today. So that will be the first class. It’ll be April 12th at six I think, PM Central daylight time.

[00:53:29] Brad Nigh: I’m not doing security models this year, that’s Ryan’s.

[00:53:33] Evan Francen: Yeah, we’ll see man. I don’t know. We’ll just see how it shakes out. But yeah, we’ll give it to Ryan. I know I’m not doing it. I did it the first, you know, 7, 8 years. I don’t, I don’t want to do it again. Uh, so we’re pretty sure we’re gonna top 5000, which is, which was our goal, and we’ve got people who have been recruiting, you know, also, you know, I got a couple of nonprofits that have, you know, brought it up to their membership because it took a long time to get this level of trust with people that, like, no, really, it’s free and there are no strings attached.

[00:54:07] Brad Nigh: Yeah. I mean, people asked why, and you know, I actually had somebody harassing me almost about trying to monetize the podcast and I was like, no, that’s not the point. Like for me, it’s giving back and helping mentor, because I didn’t have that and it would have made my life so much easier. So if I can help somebody else, why wouldn’t I give back? It’s only going to make my job

[00:54:32] Evan Francen: easier in the long run. Exactly, and it always goes back to me too about priorities, right. If you focus on the mission, you will make money. If you focus on the money, you will not make the mission. And I just, I always have to keep, because I’m a human being, just like everybody else, man, I got things that, Ooh, that’s cool, bright blinky light thing, I’d like to have that, whatever. And if I focus so much on that, then I’ll compromise other things. Whereas if I focus on the mission, I find that, oh, I’ve got money for that now, or you know what I mean? It’s just like given that, just

[00:55:03] Brad Nigh: great, I mean, yeah, do it right and reward will come.

[00:55:08] Evan Francen: It’s absolutely true. Uh, that’s good stuff. And I just want to mention some new things that we’re doing at SecurityStudio which is kind of cool. We did, uh, we developed, actually developed this a while back. I was sitting, um, with the CISO of a really, really, really large multinational company and I asked him what his biggest challenge was and he said it’s accountability and I said let’s talk about that. So we ended up whiteboarding it and we came up with the way to assess risk in these types of organizations and then force accountability back through the pipe, which is to do nested entities, which means instead of a single risk assessment we have many, many, many risk assessments and they’re all related to each other, and how they’re related to each other and all that stuff. So that was finally pushed into production. Uh

[00:56:00] Brad Nigh: All right.

[00:56:01] Evan Francen: Yeah. Yeah, that’s kind of cool because I think it’ll really help with the states.

[00:56:06] Brad Nigh: Well I have one multinational company, that’s a vCISO, that has 40 or 50 offices. Nice, where I’m going to be bringing that up to him and saying, hey, let’s, let’s work on getting these figured out because it’s going to give visibility, right? Like you said,

[00:56:26] Evan Francen: yeah, and I’m very, very, very interested to hear your input too as you work through that, you know what I mean? Because now we’ve got to take it to the next level, which is enabling dynamic movement because companies merge, you know, companies divest pieces of their organization. So being able to, almost like you move tiles around on a board, you know, being able to move those kinds of relationships around. Yeah. Uh, that would be pretty fun. Uh, S2Me instant score, actually made that this weekend. That’s pretty cool. So what that is, is essentially rather than having to go through the entire assessment, you know, which, it’s not that bad, it’s like 10, 15 minutes. But people don’t like 10, 15 minutes. They don’t even like 10, 15 waiting for something. So when you create your account it’s gonna be a user name, and I’m sorry, first name, last name, email address and password to create your account, and through all of that we’ll create an S2Me instant score based on probably 20 or so criteria

[00:57:31] Brad Nigh: Have I Been Pwned, if the email shows up, and Have I Been Pwned if the password shows up in these. Very cool

[00:57:36] Evan Francen: and stuff and stuff we can scrape from your browser.

[00:57:40] Brad Nigh: Yeah good point.

[00:57:42] Evan Francen: We can find your source IP, we can tell you based on your source IP whether you’re using a VPN or not. Probably, uh, we can also tell, um, geolocation to some extent. Um, and then give you some crime rate information, international threat data. Very cool. Yeah, but I can tell what operating system you’re running, uh, not individuals. So if you’re running Windows ME that’s gonna knock your score down quite a bit

[00:58:10] Brad Nigh: or an out of date browser.

[00:58:12] Evan Francen: Exactly, yep. So it would be pretty fun. I’ll share that with you. You know, the math for that one and the next two pieces coming

[00:58:19] Brad Nigh: to the game. That’s gonna be awesome.

[00:58:23] Evan Francen: Yeah. And I was talking to the development team this morning about that and they’re like, yeah, you know, because I’ve been pushing them, I’m like, where’s that? You know, these guys need it, they’re ready to go with it. Like, well, you know, we’re, we had to cancel, I think, a demo because they weren’t ready and I’m like, well, like that’s gotta stop. Yeah. So, all right, news, I’m gonna hit it really quick. The first one is, uh, the title is Computer Giant Acer Hit by $50 Million Ransomware Attack. This comes from BleepingComputer. Yeah, nobody’s immune. This is REvil. Thank you, REvil, you bunch of jerks. Yeah, but I also, uh, so I mean that’s, that’s why it’s newsworthy because I’ve never seen Acer hit by a ransomware attack before.

[00:59:17] Brad Nigh: That’s big, big company.

[00:59:20] Evan Francen: Yeah. And yesterday I shared one of the things that I’ve been using for a while and I didn’t realize that, I said, I sent it to Oscar and he’s like, oh yeah, this is gold, man. I’ve never seen this before. So there’s a link in the show notes too. A list of APT groups and their operations, it’s a list that’s maintained by a group of, a group of people and, uh, there’s some really good quality information there. So, in terms of like, ones originating from China, Russia, you know?

[00:59:53] Brad Nigh: Yeah, this is amazing,

[00:59:56] Evan Francen: right? So I figured that, Clark. Exactly, and you can download it too, you know, and I’m guessing if you wanted to, you know, in your own IR work, if you wanted to contribute, you can reach out to one of those, uh, well, those folks there and contribute too. Yeah, it’s a good, really, really good resource. I’m trying to figure out, you know, sometimes we’re trying to figure out, like, who is this group, and I wonder if they’re listed somewhere and what attacks might they be associated with according to, you know, which vendor

[01:00:29] Brad Nigh: Like this Exchange, where, you know, you can identify APT groups that are exploiting that. Known? Well, are IOCs going to be good across all time? What should we be looking for? What type of behavior? So that’s going to be really nice.

[01:00:49] Evan Francen: Yeah, I didn’t realize I hadn’t shared it. Really. I got that, alright, I think Chris Roberts had given that to me a while back.

[01:00:55] Brad Nigh: Fantastic.

[01:00:57] Evan Francen: Yeah. So, anybody who wants that list, go out there, it’s, it’s a public list, so you can grab a copy if you want. Uh, the next article I’ve got is, and this one ticks me off because I hate anybody who attacks, I mean, the big thing, the big motivator for everything about security for me is I cannot stand people taking advantage of other people. The worst damn thing ever. When, when you take advantage of the weakest of us, it just gives me that much more anger. And so this one from Threatpost is Critical Security Bugs Fixed in Virtual Learning Software. This is the Netop application and it affects our kids. Right? So that’s why I get ticked off about it. They were disclosed to Netop on December 11 and they weren’t patched until late February. So about, you know, so it’s a couple of months that they sat there sort of open, and did anybody know about it, you know, were, are there any breaches associated with it? I don’t know. But the fact that it sat there ticks me off. Yeah, to kids. And then that Netop software, I think it’s used for controlling your students’, uh, computer, you know, for the teacher. Right? And this one, the last one is from BetaNews, Three Billion Spoofed Emails Sent Each Day. It’s lower than I expected. Yeah, me too. I think I get probably half of those. What, uh, the part that ticks, this is another thing that just irritates me, you know, we have DMARC. DMARC has been around for a while now. And DMARC is just a way to validate the identity of mail systems and mail servers, you know, using DNS and other things that would significantly reduce the number of these emails. And I just got a, just got a message right now, we just hit 5000 sign ups for the CISSP, Alex just sent the message now. Uh, so if you’re not using DMARC, use DMARC, for crying out loud, right, and now I’m gonna go, now watch, I’m gonna go do, and then let’s look up FRSecure and find out if we’re not, you better be, we’ll find out.

[01:03:24] Brad Nigh: I’m trying to remember. I know we hadn’t been, we were using what’s the other one? Um

[01:03:31] Evan Francen: Oh yes. Policy

[01:03:34] Brad Nigh: Framework. Yeah, so we have that in place. Um, and Jeff is, that’s one of the things on the road map. I just don’t know if he’s gotten to it yet.

[01:03:43] Evan Francen: I’m gonna look right now and look at what we’ve done, uh, because there is a DMARC analyzer, if you’re not sure there’s plenty of sites out there that will test your DMARC to make sure that it is implemented correctly, so feel free to go do that. Oh my gosh, that’s it. Good talk. Thank you Brad. Seriously brother. So good to see your face again. I’m happy that you’re back. Happy that you’re healthy. Uh, and thank you to our listeners. You got any shout outs for anybody this week?

[01:04:11] Brad Nigh: Yeah, I actually got a couple. So first, um, thanks, shout out to Ryan for, you know, covering last week. Um, shout out to my family for putting up with me last week, and then shout out to all the people helping with the mentor program behind the scenes. I mentioned some of them but Brandon and Alex and Jess and just everybody that, if I didn’t mention, you know, I appreciate all the help, makes our lives much easier.

[01:04:41] Evan Francen: Absolutely, yeah, I’m just going to give a shout out, kind of a generic one, to, you know, all the people sort of behind the scenes that, you know, sit behind the keyboard all day long every day trying to fight the good fight, fighting the battles, and, but you know, a lot of times people don’t realize the work that’s going on behind the scenes. You know, certainly, you know, somebody, take a hospital patient for instance who walks in the front door. Um, they just assume that somebody is protecting their identity, protecting their health care information and everything, and you know, people are doing their best to try to do that. You know, they won’t get any accolades, they won’t get any like, hey, thanks for protecting my identity. You know, it’s just those people, you know, that’s my shout out. Alright, so thank you to our listeners, send us things by email at unsecurity@protonmail.com. I’m gonna go check that mailbox soon. Uh, if you have, if you’re the social type, you want to socialize with us on Twitter. I’m @EvanFrancen, Brad’s @BradNigh, we also have other Twitter handles for places where we work on security. Twitter is @UnsecurityP, SecurityStudio is @StudioSecurity and FRSecure is @FRSecure

It’s nearly Thanksgiving, which means holiday shopping is already in full force. With more online shopping coupled with the fact that most of us are more distracted than ever, attackers could have a field day. It’s important to know how to protect yourself and your family while holiday shopping, so Evan provides some tips for online shopping and security in episode 107 of the UNSECURITY Podcast. Check it out and submit your comments, questions, and feedback to unsecurity@protonmail.com.

Podcast Transcription:

[00:00:22] Evan Francen: Hey there, thank you for tuning in to this episode of the Unsecurity podcast. This is episode 107. The date is November 24th, 2020 and I’m your host, Evan Francen. Not joining me this morning is Mr. Brad Nigh. Brad has a few issues going on. Uh, one of the things, it’s called, um, labyrinthitis, I’ve never heard of it before, but anyway, he’s, uh, he’s doing fine, healing up but won’t be joining for the podcast. So you get me all day, all night, all day. It’s only like an hour, but whatever, we’ll fight through it together. So, uh, lots of drama going on with Brad. On top of that, uh, this is fourth quarter and so if you’re in information security or have been in information security for a while, certainly on the consulting side, uh, this is always a crazy, crazy time of year. Uh, we’re just busy. A lot of, lot of folks put information security off until the last minute or realize they have budget left over. Um, so I’m crazy busy, you know, Brad is crazy busy. Uh, and so is really all of the FRSecure team and all of the SecurityStudio team, really running at 100%. So anyway, it’s a terrible time to, to have a health issue to deal with. But again, he’s gonna be fine. Uh, well, that with all the craziness going on with Covid and the elections and then, you know, just your normal fourth quarter, it’s, uh, it’s a nuts year. Uh, Thanksgiving is this week. So we’re gonna talk a little bit about that, uh, last week on the Security Shit Show, if you missed it. It was, uh, it’s really the only time I swear on the show. So on this show, my apologies if you’re offended by that. Um, what we did last week was we did the Paqui One Chip Challenge, allegedly these chips, you get one chip in a box. It’s, uh, 78 bucks. And, you know, after shipping 15, 16 bucks for one chip, the chip tastes like crap. Uh, and it’s allegedly at 1.6 million Scoville units. If you know what a Scoville unit is, it’s essentially a measurement of heat, of spiciness. 
So both myself and Chris Roberts, uh, engaged in that challenge online as well as a couple of our listeners or fans of the show. Anyway, we lived, I think, you know, going to brag a little bit, I think I lived a little better than Chris did. But either way life moves on, it was sort of entertaining. Had a good time. And then we talked about compliance. Uh, that’s, you know, a double edged sword with, you know, the good things about compliance is it does raise awareness about some of the things we’re trying to do. Uh, the other side of that sword, um, is it leads to checkbox security and a whole bunch of, you know, unintended consequences. It was a great discussion last week. If you missed it, go check it out on YouTube. And we also got a whole bunch of new warning stickers. These are sort of cool and, and, uh, it’s essentially a sticker that you put on a device and it says this device, and then lists off a number of things. The warning sticker, like I said, and it says this device is addictive, will lose your information, will steal your data, listens to you all the time, is going to be used against you, is likely to burn your house down, is not your friend. Kind of a funny sticker. Chris, uh, had a suggestion, which we didn’t do, which was to go to like Best Buy and just put stickers on all the electronics. Uh, no, good thought. But no, I’m not gonna do it. So anyway, that was the Security Shit Show last week. That was last Thursday. Those are, those are live every Thursday night at 10 p.m. Central time. So it’s sort of an entertaining thing. I think people belly up with her to just going to listen in to the entertainment. We do enable the live chat so you can chat, you know, while we’re talking and we’re watching the chat and sometimes we’ll address some of the things that go on there, sort of fun. Uh, other things going on, uh, information security hobbies. 
So if you’ve never had been, I broke out the Raspberry Pi again, uh, if you don’t know what a Raspberry Pi is, just Google it. Uh, but it’s a fun, you know, it’s a great hobby I guess, but you can learn, you know, a bunch of different things. What I’m trying to build is really a home information security device. Uh, and I know there are some, you know, on the market, but I’m trying to build one that’s really, really cheap. Uh, so I’ve installed Raspberry Pi, installed Raspbian, which is the operating system for Raspberry Pi, and then, uh, set it up as an access point, bought a new or a second antenna for wireless and installed Kismet on that, uh, for listeners who don’t know, Kismet, K-I-S-M-E-T, if you look it up. Um, it’s a really neat utility. It’s been around for a long time, uh, used to monitor, you know, wireless connections and stuff like that, and then probably be throwing essence on there. And, um, what else do I get on the Pi-hole, I suppose. Um, so I’ve been working on that kind of as a side hobby thing. And here in Minnesota winter comes early and so I’m not a winter guy. So during the winter is usually when I break out, you know, more hobbies and start playing around. I also broke out my Arduino, gonna build a, uh, LED light system for my, uh, 16 year old daughter. Uh, so that it’ll go to the music, which is a pretty fun project too, I think we’ll work on that together. So that’s what’s been going on. Um, those were things that I probably would have talked about with Brad, had he been here for the quick catch up. Um, I’m just gonna, I’ve been in contact with Brad all last week and like I said, he’s doing, he’s going to be fine. It’s just, uh, yeah, this time of year with everything else, I feel bad for him. All right, so this week is Thanksgiving, um, happy Thanksgiving to all the listeners. This is, um, this is a weird sort of Thanksgiving, right? 
There’s, uh, with lockdowns in many of our 50 states and worldwide, um, Thanksgiving, a lot of the traditions, you know, getting together as a family, you know, having family gatherings and, uh, you know, that’s going to be different for a lot of people this year. I know some people won’t follow the rules and I’m not gonna get into that, but it’s sad when, you know, with, coupled with everything else that’s going on this year with just, you know, although it seems like the world has been flipped upside down and then, you know, you’re looking forward to Thanksgiving and then we have kind of the second wave of Covid. Um, and where I live here in Minnesota, uh, you know, our governor, Tim Walz, issued a, uh, a four week pause, which essentially puts most of everything back in lockdown. And then the guidance to not have, um, family get togethers. So weird. Um, for sure. I don’t know. Um, yeah, just weird. But regardless, you know, Thanksgiving is a time of year when you can look back, hopefully take some time to reflect on the year. We’ve all got things. I mean, if you still got breath in your lungs, we’ve all got things to be thankful for. We’ve all got things to be grateful for. For some of us, it’s been a really trying year with, not only with Covid, but with the political season that was just, you know, so divided. And then, uh, personally, I lost two family pets this year. Two dogs that, you know, I loved dearly. Uh, those difficult, being sort of isolated was difficult. But then, you know, you look back at some of the other things, um, for our company, for FRSecure. It was another record breaking year. Um, believe it or not, sales exceeded, you know, any, anything we’ve had in the past, uh, it was the first time that SecurityStudio was cash flow positive. Thank God, my family, I have five children. They’re all healthy. Uh, and they’re all out of the house except for the 16 year old. 
Um, so when you look back, there are many, many things to be thankful for and I’ll choose that route. Um, and then look forward to, you know, some of the hope that’s, uh, that’s on the horizon. There’s, that’s another thing that if you look for it, you know, I believe you can find it, you can find hope. If you’re having trouble finding hope, reach out to a friend that maybe can instill some hope, you know, you know, in you. Hope is one of those things that keeps you going sometimes. And I know we’ve got vaccines that are pretty close to, um, you know, being released that show, you know, great promise. I know that, uh, the doctor who, I don’t know if he’s a doctor or not, but he’s the person who leads Operation Warp Speed, and I don’t want to get political because I know Operation Warp Speed is a Trump thing. But, um, you know, I think it was a couple years ago on CNN that, uh, we should reach herd immunity when you couple with the infection, couple the infection, or list the release of vaccines at their efficacy. We might reach, well, his prediction is that we would reach, uh, some level of herd immunity, 70%, by the end of May. So that’s hopeful. You know, if that’s true, well then we should be coming out of lockdowns. We should be getting back to some semblance of normal, you know, and I know there are those among us who will say, well, but this, but that, but you know, we’ll hold on to that, especially, you know, this time of year. So those are things that I am grateful for, um, this Thanksgiving. Uh, lots of things, like I said, are way different than they’ve ever been, and one of those things that will be different, and now I’d like to sort of transition into, you know, some holiday shopping because holiday shopping is usually, you know, the day after Thanksgiving marks the official start of the holiday shopping season. Even though when you look at the statistics, 30, I’m going to find it too real quick. 
38% of people actually start their holiday shopping before the end of October, 28% start, or 20, an additional 23% start before Thanksgiving. So 61% of us, according to the data from Statista, 61% of us start our holiday shopping before Thanksgiving, 22% start on or after Thanksgiving, 15% in December, and 2%, believe it or not, in January. Talk about, uh huh. Well, what do they call it when you’re pro, but why wouldn’t you put things off for so long? I forgot the word. Um, yeah, whatever, 2% in January. Now if I did my holiday shopping in January I think I’d catch enough grief. I’m a December guy. So that’s when I’ll start my holiday shopping. Uh, but the point here is, 61% of us have already started our holiday shopping. Um, so when we give holiday shopping tips, hopefully the 61% of them have been finished, or maybe they have finished, but hopefully they followed some of the good tips. So I’m gonna give in the show today other things that are changing in terms of holiday shopping. Even without Covid, the trend was very strong for shopping going from brick and mortar to online shopping. That’s increased year after year for the last, well, since they started tracking it. Last year, the number, or last year, the retail sales for holiday shopping was $730 billion, so let that sink in a little bit. 730 billion. Now, uh, and I would have thought this next number would have been a little higher, of that $730 billion, 135.35 billion, again, 135 billion dollars came through online sales or e-commerce. So 135 billion of the 730 billion last year, 2019, was online sales, so that’s considerable. Uh, we also saw a significant increase last year in mobile retail sales. Last year that number was $71.3 billion. So again, just to recap, $71.3 billion from mobile retail sales, $135 billion e-commerce, and $730 billion. What’s going to be different this year? The scams. Most of the scams haven’t changed. The scams are, we give attackers a lot of credit for being creative. 
Yeah, I mean if they need to be that, if there’s a good return on investment with old attacks, i.e. phishing, they keep doing it as long as we keep making it easy for them, meaning we don’t go to multifactor authentication or we don’t take additional steps, create strong passwords, follow some of the basics. As long as we keep not doing that, they don’t need to get creative. We don’t need to make them get creative. They’re getting a good return on their investment as is. So with Thanksgiving this year, lots of the things have changed and I’m going to go through some of that. Lots of things haven’t, they’re the same, the same tips, the same advice you got last year applies this year. Things haven’t changed much there. So things that have changed. We expect a significant increase in online sales. There’s more factors for this. One is just the trend as it was, had the trend just continued without Covid, without shutting down retail, you know, brick and mortar, or at least making it, making that riskier. Uh, we expect the projected sales to increase. And again, this isn’t my data, this is from Statista and in other places that they cite. But we expect sales this year, online sales this holiday season, to increase by 35.8 over last year. Just to put that into perspective, last year the increase was about 19%. So we’re expecting a significant increase in online sales. And that just makes sense. Right. That’s probably not a huge news flash or surprise to anybody. Um, so that’s one thing. The second thing about this year that’s different than years past is the human, the person making the sales. They’re different this year. We’re all different. Um, one, I guess, easier way to be successful in your attacks is to distract people. And I can’t think of a time in my life, uh, where we’ve been more distracted during the holiday season than we are this holiday season. So we’re paying less attention than we ever have. 
People are distracted by 1000 different things that are going on. You’ve got the normal busyness of the holiday season, couple that with the anxiety of not being able to be with family and friends, worrying potentially about their health. So Covid 19 has wreaked havoc here with our attention, what we’re watching, what we’re not watching. Uh, we have the election controversies, you know, I know that the election itself, we’ve already voted here in the United States, but there’s still this ongoing lingering whatever, and I’m not going to get political and I’m not going to take sides. But it’s distracting. That’s the point. We’ve also got the social justice issues that are still running rampant throughout the country and even throughout the world. And I’m not gonna, this is another thing I’m not going to take sides on, the point I’m making is it’s distracting. It’s another thing to distract you from other things. You’ve only got so much attention, you know, that you can pay to things. Couple that with online schooling, working from home, uh, and the list goes on and on. So here’s the math. The simple math, right? Uh, if there’s more opportunity plus, um, essentially your attention span, uh, of protection, I must say opportunity plus distraction equals success for the attacker. So more opportunity, and if the distraction is the same, that should equal more success. It’s the same amount of opportunity and more distraction, again, you’d expect more success. If both of those go up, if you’ve got more opportunity and more distraction, well then you just compound the issue. So we would expect more success. So sadly, among the things that have changed this year, we would expect more scams. We would expect more success in the scams. And so it’s up to us what we’re gonna do, right? What we don’t want, any joy that remains, 
uh, hopefully, like I said, go look for it, it’s there, the way that you have in your life today, don’t let the scammers steal any of it. That’s the, that’s the ultimate goal. Um, I can’t swear here, otherwise I’d say some swear words because scammers really tick me off. Anybody who takes advantage of somebody else ticks me off, that activity. Uh, that’s a big reason why I do security to begin with. So anyway, that’s the point. Hopefully that’s making sense. Uh, and the fact that we’re a little bit late to the game, if we know that 61% of holiday shoppers have either already begun their holiday shopping and some probably have already completed their holiday shopping, um, we’re a little late to the game in terms of the advice we’re giving. Um, some of them may have already been scammed, you know, I don’t, I don’t really know that, I don’t know anybody personally who’s been hit, but I hang out with a bunch of security people all the time, so, and they’re being a little more disappointed, I think, in that, so we would expect that this will be the most scam filled holiday season ever. So here’s some tips for you. Uh, number one, and I think the thing that, if you were to boil everything down to one thing, it would be maintain situational awareness. So let me say that again, maintain situational awareness, and what that means is be in the situation you’re in. Slow down a little bit before you start clicking and clicking and thinking of all the things that you need to go out and buy and all the things you need to install and all that and everything else. Slow down. Think about where you’re at right now, you’re about ready to buy something, okay, take your time, be aware of the situation, be aware of clicking the links, be aware of, that took a little longer than I thought it would, or something popped up that I didn’t expect to see. Maintain that situational awareness. If something seems out of place, it’s probably out of place, right? 
We can really reduce the distraction factor just by maintaining situational awareness, right? And I’ll take this to, like, the physical world, you see it happen all the time. People have their heads down on their phone while they’re walking down the street, that’s not situational awareness. You’re not aware of your surroundings, you’re not aware of the situation you’re in. That’s why you see people, I mean, you’ve seen the videos of people walking into, um, traffic, people walking into, uh, you know, big fountains, things like that. Um, so maintain your situational awareness. If I had one thing to give you, it would be that, and that same thing you can take everywhere with you, you always maintain situational awareness. It’s something that you can learn. So if you think that this is, while some people, you know, they’re just helpless in this area, that’s not true, you can teach and you can learn situational awareness. Alright, so that’s number one. Number two, when you buy things online, ship the things to a secure location. Uh, we expect, and you’ve seen it happen, that people are stealing packages off of doorsteps. They’re stealing packages, um, you know, all over the place, so ship to a secure location. Uh, number one, and these aren’t in any particular order, these are just things, and you can make a checklist. Actually, maybe I’ll do that. I’ll create a checklist of these things, that when you buy something, follow this list. Uh, so if you follow up later, we’ll probably publish that on my blog, evanfrancen.com. We’ll probably publish it to FRSecure and SecurityStudio as well. I’ll try to get that done today. So ship to a secure location. Two, use official retailer apps to shop. So, uh, there are so many apps on the App Store, especially, you know, and Google Play. I think Google Play is up to, or Google’s app store is up to 2.5 million apps. I think Apple’s App Store is 1 point, probably about half of that. Uh, the ecosystems are different. 
It’s a little easier to get apps into Google. But the point here is, if you’re going to purchase something, use the official retailer app. For instance, there’s a Black Friday application that I have on my phone. Rather than buying something through that Black Friday application, or another application like it, say for instance Target, right? If I go to this Black Friday application and it shows me all the Black Friday ads and all the Black Friday sales, and I can click on Target and see, oh right, Target’s got this ad and that ad, and I see something I’m interested in, I’m going through the app, the Black Friday app. I would close that app and go to the Target app. That’s what I’m saying. Use those official retailer apps. Don’t save your credit card information on your accounts. So a lot of times when you’re going through the shopping cart online, you have the option to save your credit card information, and it’s a nice convenience, but fight that. Don’t do it. When you save your credit card information online, you’re hoping that the retailer has good security and is following proper security best practices. Amazon actually is pretty good if you save your card information there. But beyond Amazon, I personally wouldn’t save my credit card information on any accounts. It’s convenient, but how hard is it to pull my wallet out and put my credit card information in again? Which leads to the next one. Consider using Apple Pay or Google Pay instead of credit cards, which is more secure, because what’s actually being transferred between you and the retailer isn’t credit card information, it’s tokenized credit card information. So if the retailer gets breached and you paid with Apple Pay, your account is probably not also compromised. So using Apple Pay or Google Pay is a good thing.
And I know that iOS version 14.2, which I think is the latest version on my phone, will keep bugging you if you haven’t set up Apple Pay, which is sort of a nuisance, but for online shopping, use Apple Pay or Google Pay. So, so far: ship to a secure location, use only official retailer apps, don’t save your credit card information on your accounts, use Apple Pay or Google Pay if you know how to use them and your retailer supports that, and most of them probably do. The next one is don’t buy from unfamiliar retailers without confirming that the retailer is legitimate. You know, going to Amazon, some of the big box stores, Amazon, Walmart, Best Buy, Target, we know those retailers, right? We’re familiar with them. But there’s a ton of different places online. I mean, there are millions and millions of shopping carts and online retailers. Some of those are scammers, some of those don’t have good security best practices implemented. So if you’re not familiar with the retailer, before going and purchasing anything, before typing anything like your credit card information or even your name, do some investigation about it. Use your search engine, use Google to look up things about the retailer. Try to find out where they’re physically located. Do they have contact information? Most legitimate retailers will have contact information, including a phone number, somebody that you can maybe even talk to. Those things would all make me more comfortable with a retailer I’ve never done business with. So do that. Don’t buy from unfamiliar retailers without confirming it’s legit. I don’t want to say don’t buy from unfamiliar retailers altogether, because you’re kind of hurting small business and there are some good deals out there, but just confirm it’s legit.
If you don’t know how to do that, reach out to somebody. Ask. You can certainly ask me; I don’t know if I’ll be able to respond or not, but ask a friend, maybe, who’s in information security or knows how to look these things up. Which leads to the next one. Don’t automatically just go after the lowest price, right? The lowest price, yeah, that seems awesome, but at what cost? There’s always a cost. So you find something with the lowest price and you find out it’s a scam site, or you find out that it is one of those retailers that doesn’t have good security practices in place. So lowest price isn’t always the best thing. And the key word here is jump. Don’t jump. Slow down. Think about it. Plan it out. If it feels uncomfortable, it feels uncomfortable. There’s a reason for that. Listen to it. Think about it. The next piece of advice is never make purchases on public Wi-Fi. Now, you probably are on lockdown, so you may not have access to public Wi-Fi like you did before, but you see a lot of people buying things, at least in previous years, sitting at a Starbucks or sitting at a coffee shop or in the airport on public Wi-Fi. That’s dangerous. Public Wi-Fi is fairly easy in lots of cases to compromise. I mean, a simple ARP poisoning attack would replicate the traffic you’re sending to the router to me as an attacker as well. Or, from an attacker’s point of view, you can always set up an access point that looks like the real one. Other times we don’t even realize what Wi-Fi we’re actually attached to. Many of our computers have an automatic association with Wi-Fi they’ve seen before. Turn that off. That’s always a good idea. But the key here is don’t make purchases on public Wi-Fi. Now, if you have to make purchases on public Wi-Fi, meaning you forgot to buy stuff and you’re at the airport or something...
If you have to make purchases on public Wi-Fi, use a VPN. There’s lots and lots of good VPNs out there. The one that I use myself, if you want to check it out, I don’t endorse it or not endorse it, but I use ProtonVPN. But there’s lots of good VPN apps out there that you can install on your iPad and on your laptop. So use a VPN. Now, if you’re more on the security side, a lot of us security people are sort of paranoid. If you’re that kind of person, use a VPN for all your purchasing, even at home, even when you’re not on public Wi-Fi. It’s just an additional layer of security. So, so far, and I’ll recap this whole list real quick afterwards. Another tip: use strong passwords. Have you ever heard that before? But seriously, use strong passwords. Use a password manager. If you don’t have a password manager, I can tell you the one that I use. I use LastPass. All pretty good, you know, 1Password, Dashlane, there’s a number of them out there. Use a password manager, for crying out loud. If you’re not using a password manager, I don’t know how you’re doing it. I’m guessing, well, I’m almost guaranteeing, you’re not doing it securely. Password managers make using strong passwords easier. Not easy, but easier. So use strong passwords and a password manager. Sure. If you’ve got the time, the other thing you could do is check the policies on your retailers. A lot of them should have, well, they’re supposed to have, privacy policies published on their website. Now, I don’t like reading policies necessarily. I like reading my policies, but I don’t like reading other people’s policies, because they’re long and wordy. But get into that. Check it out. If they don’t have a privacy policy on their site... Usually if you scroll down to the bottom of the page, you’ll see a privacy policy or a link to it, something like that.
If it’s not there, that should be a sign. So maybe even just checking that they have one would be a good idea. If they do have one and you like reading such things, feel free to do that. Another important thing: never will a retailer ask for your Social Security number. No retailer asks for Social Security numbers, so don’t ever give out Social Security numbers. Retailers also don’t take payments through gift... well, they do take payments through gift cards, but... I’m trying to think where I was going with that one. Anyway, don’t give out your Social Security number anywhere. Another tip: buy with credit cards versus buying with debit cards. Credit cards have additional protections in place. They have additional fraud reimbursement sort of protections in place, misuse protections in place. Plus you get your money back. It doesn’t come right out of... a debit card comes right out of your checking account or your savings account, which is probably money you use to pay bills and live on and all that other good stuff. That’s money money. Whereas with credit cards, it’s not money money. It will become money money, but there’s that time in between. Banks are really variable on how long it takes to get debit funds back. So the key here is buy with credit cards. You can also purchase things with prepaid debit cards. What that does is limit your loss. So if I have a $100 prepaid debit card and that debit card number gets scammed, I’m limited in that loss to whatever that card held. So if it held 100 bucks, that’s my loss. The last one is, after purchasing things, and get into the habit of doing this, check your accounts regularly. Detection is really important. No matter what you do, no matter what you do, you will not be able to prevent all bad things.
Sometimes you can follow all the good practices and do all the right things and still find yourself a victim. It’s scary. So the next thing: the things you can’t prevent, you need to be able to detect, right? And the best way to detect the bad things is by watching your accounts, reviewing your bank statement regularly. In our household, we do this daily. It’s a daily habit for my wife, which is awesome, because I know almost immediately when there’s something on that account that shouldn’t be, right, and then we can attend to it right away. Limit the loss, right? And also get our money back a little bit quicker. So those are my tips for safe Thanksgiving shopping, and I’ll go through them just real quick one more time. Number one is kind of an overarching umbrella for everything else: maintain situational awareness. That means slow down. Number two, ship to a secure location. Number three, use only official retailer apps. Number four, don’t save your credit card information on your accounts. Number five, use Apple Pay or Google Pay, it’s just more secure. Number six, don’t buy from unfamiliar retailers without confirmation. I can’t remember the number I’m on now, but the next one: don’t jump at the lowest price. If you see the lowest price, that should be an indicator to do a little more research. Never make purchases on public Wi-Fi. Try shopping with a VPN. Use a VPN. If you don’t have a VPN, find one. VPNs are always good to have, especially when you’re using public resources. The next is use strong passwords and a password manager. If you’re so inclined, check the policies on your retailers, especially those that are unfamiliar retailers. A good tip would be to check their policies. Do they have a privacy policy? Does it look legit? Does it look like a scam?
No retailer, again, will ask for your Social Security number, so don’t ever, ever give it out. Buy with credit cards versus buying with debit cards, and if you want to limit loss, use a prepaid debit card. And then the last is, keep an eye on your accounts after purchasing anything. Actually, regularly, just check your accounts. So again, I’ll put that into a list and make it available for people. It’s just a good checklist. Maybe before you shop, you know, if you have a friend, you want to print this out for them, put it next to your computer, and before you shop just review the list. Okay, ship to a secure location. Use only official retailer apps. Don’t save my credit card. Just go through the list real quick before you shop, and maybe that will help you, especially some of the people that are newer to online shopping that could probably use a little bit more help in that area. All right. So I’m hoping that helped some people out. I have no Brad to bounce things off of, so I just kept talking. Now we’ll get into the news. And again, from me, and I think I speak for Brad too, and I speak for both of the companies that I represent, we really do want to wish you a safe, happy, healthy Thanksgiving. It’s very important. Right, on to the news. The first one I thought was kind of interesting was, you know, Tesla got hacked. So a Tesla Model X was stolen. I’ll just tell you the article title. This is from ZDNet, and the title of the article is “Tesla Model X hacked and stolen in minutes using new key fob hack.” So Tesla has already responded to it and they are rolling out software updates to prevent the attack. So if you are driving a Tesla Model X, you may already be patched for this.
But I think what’s important to note is everything is hackable. Everything. Especially if you have physical access to it, it’s just a matter of time. Anything with code has errors, has mistakes. It was written by humans. So your Tesla Model X: this came from a Belgian security researcher who actually overwrote the firmware on the Model X key fobs, and that allowed him, or maybe it was a her, I don’t even know, it allowed the researcher to steal any car that isn’t running the latest software update. Now, I know some people try to disable automatic software updates. If you did that on the Model X, which I don’t even know how to do, but if it is possible and you did do that, turn that sucker back on again. And the attack is really not that... So I was talking earlier about Raspberry Pi. The hardware for doing this hack is a Raspberry Pi, a CAN shield, a modified key fob, an ECU, that’s the control unit, from a salvaged vehicle, which you can find on eBay for 100 bucks, and a battery. So one of the cool things about Raspberry Pi is you can actually make it do just about anything. That’s one of the things that was used here. So anyway, Model X hacked. Poor Model X drivers. You’ll be okay. The next thing, which I thought was sort of interesting, and we knew this already, so it’s not really a newsflash, but it’s neat to see somebody actually publish something a little more substantial here. ZDNet again. The title is “Botnets have been silently mass-scanning the internet for unsecured ENV files.” .env files are environment files, and they’re used by frameworks like Docker, Node.js, Symfony, Django, whatever, and they store environment variables. So it’s kind of a big deal if you leave a .env file in the wrong place and haven’t secured it.
Well, the thing here is attackers have assembled their botnets and have been sort of silently, that’s the keyword, silently, scanning the entire internet looking for unsecured .env files. And when it’s silent, it means that they’re not aggressively scanning, so it’s not a huge influx of traffic to tip people off. And it also means that they haven’t used a lot of them yet, probably, because that would also be another tip-off. So this is more of an information-gathering exercise, I think, for attackers who are using these botnets. So I would expect results from the attackers at some point, results meaning they actually used them. I thought that was interesting this week. And I won’t spend too much time on it, but last week, November 19, yeah, that was last week, the Senate passed the IoT Cybersecurity Improvement Act, so that’s sort of cool. I haven’t actually read the act yet, but it’s neat to see that our government is starting to be a little more active in helping us secure stuff. So here’s the IoT Cybersecurity Improvement Act. It really just is about IoT, so Internet of Things. It was approved by the House of Representatives in mid-September, passed the Senate now, and needs a signature before it becomes law. So if you are part of IoT, or you’re an IoT manufacturer, whatever, you’re probably already aware. If you’re not already aware, go become aware of it. One of the, I think, key players, or at least somebody who’s influential in this area, is Brad Ree. Brad works at the ioXt Alliance, which SecurityStudio is a partner of, and he was quoted in the article. It’s pretty cool to see. His quote was, “It was great to see American leadership in IoT security. As the largest economy in the world, we cannot be passive in securing our networks.” So it’s cool that he was involved, because it’s probably a better law for it. So good stuff.
The last one, which, you know, kind of took everybody... a lot of people were ticked off, maybe, in our industry. It comes from Wired magazine and the title is “Firing Christopher Krebs crosses the line, even for Trump.” So Christopher Krebs, no relation to Brian Krebs, but Christopher Krebs led CISA, the cybersecurity agency that’s part of the Department of Homeland Security, and to Krebs’ credit, I think he did a really good job. Anything you’re doing in the federal government is a pain in the butt. So the fact that he was able to get done as much as he got done, I think, is a testament to his abilities and skills. And nobody’s without faults. And anybody who claims to know the whole story doesn’t. But he was fired. Now, don’t feel bad for Chris, because he will definitely find another job. And I don’t know what it means necessarily for our government either. We have a new administration coming in eventually. We’ll see what happens. But I’m guessing Krebs can probably find a better-paying job with more influence and less headache in the private sector. So I don’t feel so bad for him. I don’t know what to feel for the country yet. We’ll have to see what happens. But anyway, that was big news last week, and that’s all the news I’ve got. I think now we’ll transition into just kind of closing out the show. We’ll wrap up with some shout-outs. I’m gonna give a shout-out to Brad. You know, I know he’s struggling, and probably not as much today, but that’s tough. You know, when you go through some health issues, especially with everything else, and he’s still keeping things together. So shout-out to him. Shout-out also to the FRSecure leadership team. They’re pretty damn amazing, led by John Harmon, the president of FRSecure, just so bought into the mission, serving what’s in the best interests of customers over us, which is great.
And then his two leaders, Renee Rudder and Dana Pearson, just awesome. So shout-outs to those guys too. All right, thank you to our listeners. Send things to us by email. We sort of triage that, email, whatever, we’ll get to it eventually. Our email address is unsecurity@protonmail.com. If you’re the social type and you like to socialize, I’m a little more active than Brad is, but I’m @EvanFrancen on Twitter, Brad’s @BradNigh. The companies we represent, which are pretty cool companies because we’re cool people: SecurityStudio is @StudioSecurity and FRSecure is @FRSecure. Let us know what we can do for you. Yeah, all the good stuff. That’s it. Happy Thanksgiving, and we’ll talk to you all next week.

Have we lost our ability to reason? Evan is joined for the second week in a row for episode 123 of the UNSECURITY Podcast to discuss reason and how it applies to information security and life. The duo also dives into password hygiene—what the importance of passwords is and how they each tackle passwords. Give this episode a watch or listen and let us know what you think or what questions you have at unsecurity@protonmail.com.


Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the UNSECURITY podcast. This is episode 123. The date is March 17th, 2021. Joining me again this week, two consecutive weeks, is my good friend, Ryan Cloutier. Welcome.

[00:00:43] Ryan Cloutier: Thanks Evan. Glad to be here again.

[00:00:47] Evan Francen: Yeah, man, we’re like friends and stuff. So this is like, this is easy. You know, I can just talk and people listen, and if they don’t like it, you can just click the stop button on the recording, right? It’s cool. I dig it. So anyway, today is Wednesday and it is St. Patrick’s Day. So for all the St. Patrick’s Day people that do that St. Patrick’s Day thing, happy St. Patrick’s Day. For those of you who take offense to it, just happy every day. Be happy today. That’s good. That’s

[00:01:25] Ryan Cloutier: good advice all around. I think that’s just sound advice. Try to be happy.

[00:01:29] Evan Francen: Yeah. Right. Trying to make somebody’s life a little bit better. I know that that’s what, regardless of how much we complain or hold people accountable or other stuff, don’t confuse that with us being unhappy or confuse that with us not caring about people, because honestly that’s the whole reason we do this, right? The security work we do is because we care about people.

[00:01:51] Ryan Cloutier: It is. Well, we say it all the time, right? It’s not about information, it’s not about security, it’s not about technology, it’s about people, it’s about life skills.

[00:02:01] Evan Francen: Yeah. Yeah, totally, man. So this past week I’ve had some really good conversations, just like every week, man. Good experiences, awesome conversations, wonderful people. All these things, I think, inspire us to do the best information security work we can. But they also give us topics for us to talk about, because there’s themes in all this stuff. So we have a really good show, I think, scheduled today. We’re gonna start with talking about reason. You know, the value in reasoning, the value in logic, where maybe, I don’t know, you could almost make the case that in some places in our society we’ve lost that ability to reason. But why is it so important to security? Why is it so important to life? We’re gonna draw the parallels between the two. And then we’re gonna talk about passwords. That’s a great topic. Everybody likes talking passwords, right? Everybody loves passwords.

[00:03:07] Ryan Cloutier: I like the game show password. Do you remember that?

[00:03:10] Evan Francen: No, I don’t man.

[00:03:11] Ryan Cloutier: That’s fantastic. Yeah. If you ever find free time which we know you won’t but if you do go find it on the Youtube or on the game show network and the whole point of the game was you had to guess the

[00:03:24] Evan Francen: password. Nice. A bunch of, a bunch of little hackers like

[00:03:30] Ryan Cloutier: It. I’m pretty sure I dated myself. No, this is pre computers. This is like back in the 60s.

[00:03:35] Evan Francen: Right. Right. Nice. We’ll talk about passwords too, because I think a lot of times, you know, us in security, we harp on these things. We don’t like them either. I don’t like passwords any more than the people I talk to about passwords, but I think we might miss occasionally why we even have passwords, why they’re important. We miss what makes a good password versus a bad password, again, back to reason and logic. There’s a reason for it. Our job is not to make your life more difficult. Our job is to protect you as much as we can from some risks. And then I thought we would talk about what you and I do in protecting our passwords. What habits do we follow? And I’ll be transparent, man, I’m a transparent kind of guy. I’m not perfect at this. Even with 30 years in security, I’m not perfect.

[00:04:33] Ryan Cloutier: No, you’re human. And one of the things we’ll talk about when we get to that part is what are some of the human traits that are inherent that uh make passwords so difficult for us.

[00:04:45] Evan Francen: Exactly. Yeah. So we’ll get to reason, we’ll get through passwords, and I mean seriously, we can talk about any one of these topics for an entire hour or maybe an entire day, but we’ll move through that stuff pretty quickly, and then we’ll talk about some mentions. I just want to mention, when we get there, again the FRSecure CISSP Mentor Program coming up about a month from now. So we’ll talk a little bit more about that. I want to talk about some developments with the S2Me. Really exciting things happening with the S2Me. Some of our listeners may not even know what the hell I’m talking about when I say S2Me. You will, if you wait to the end. It’s really cool, and you want to know. And then we’ll close out with two news things. I’ve just got two articles to talk about in the news. But that’s our show today. What do you think?

[00:05:35] Ryan Cloutier: Hey, it’s gonna be a good show.

[00:05:37] Evan Francen: Yeah, I think so too. Man, Look at, let’s talk about, let’s talk about reason. Um, this came up in a conversation, You know, like I said earlier, you know, the conversations I have with people get me thinking about,

[00:05:54] Ryan Cloutier: uh, you know,

[00:05:55] Evan Francen: what’s wrong? You know, what’s right? What do we need to do to make things better? And so, you know, in my own backyard, Carver County, Minnesota, right? The news this week in this neck of the woods is there’s a new variant of coronavirus. And there’s still this sense of panic, right? And so it got me thinking about, let’s reason through this. Let’s think through this, right? I’m not pro this or anti that. If I’m pro anything, I’m pro reason. Put the emotions aside for a minute and let’s think through this together. That conversation led to this whole other thing, like I’m talking to another security guy about this and then I’m like, holy crap, this applies perfectly to what we do every day for a job.

[00:06:57] Ryan Cloutier: But you know what I find interesting about the word reason is it’s the root of another word reasonable. And so when you’re, when you’re asking yourself what’s my be, whether it’s information security, whether it’s dealing with this covid reason comes down to two major pieces. What’s my motivation and is my reason reasonable? Because if, if I don’t check my motivation, my reason may be out of line with reality. It may be out of line with what’s good or practical. Um, so for me personally, it’s, it’s checking the motivation for the reason and then it’s checking that reason against what I consider to be reasonable and, and just like in our, in our world of information security reasonable is one of those sticky terms that we throw around a lot, but doesn’t have a clean cut definition. Um, but I think generally speaking, we as a people have agreed that reasonable tends to fall within the middle of the scale, right? So whatever the issue is, there’s there’s going to be the extreme ends on either side. And we see this play out with Covid, we see this plan all right. You have extreme camps on either side. Uh, and then most of us fall in that reasonable place in the middle. So yeah, I think, I think one of the questions we posed is have we lost our ability to reason? And I think because we don’t do the two things that I practice, I think it’s because we’re not checking our motivations first. Mhm. And I don’t think we’re checking to see if our reasons are reasonable. And so I feel a little bit like we have as a, as a, as a, as a whole, you know, being a little bit of a blanket statement here obviously. But I think, I think we have started to lose our ability. And part of that is is, you know, the other piece of reason is debate. We’ve lost our ability to debate. We lose our ability to reason,

[00:09:08] Evan Francen: Right? Well, and I think, you know, in I like you, I’d like to defend people to, you know, I’m going to get why we are where we are. Things move so fast, right? You look at your calendar today, you look at all the stuff you need to take care of, right? And then you’ve got bills to pay, you’ve got, you know, if you have kids, your kids to raise, you have, you know, concerns about their health. I mean there’s just there’s a ton of things going on 10 and so we just jump, you know, we go fast, we jump to things assuming so many things and I think we even assume the route. You mentioned the definition of reason, even the definition of reason. So I’ll give you, you know, I have the I have the advantage of having a computer sitting here right in front of me. So if you’re in your car listening to this, you know, you don’t have this advantage. But the definition of reason is the power of the mind to think, understand informed judgments by a process of logic. So the keywords in that logic, logic is beautiful. I love logic and I think that’s what one of the things that makes security people really good is their ability to use logic because that’s how computers operate. That’s how programs operate. They only do what you tell them to do. They arrived at a conclusion only because something or somebody told it to arrive at that conclusion. So logic is beautiful. It follows a series of steps to get to a conclusion. Even we do that right with our A. D. D. You and I have this common diagnosis of A. D. D. I get to places where I get it may seem random to the person on the other side who’s listening. But I got there through logic, believe it or not, there are a series of steps that got me there, yep.

[00:11:07] Ryan Cloutier: Well, and part of that is, I think for us, as those who have ADD, ADHD, logic helps build structure, right? And structure is so important to navigating this in a healthy way, and then structure is so important to what we do in our work, right? So we have to have that logic. And you’re right, those of us that are true practitioners of the craft, not just those that maybe are in the business or sit in seats of authority in the business, but true practitioners of the craft, we have to be logical, because that’s the only way we make sense of all of this. I’ve got 10,000, you know, pieces of telemetry coming in. Which one is an indicator of compromise? So I figure that out. What’s the process behind that? So I think it’s very important, and I wonder how many people take the time, especially when we’re talking about, you know, I’m gonna pick on CISOs for a second, how many of them truly take the time to go through that logic structure, go through the rationale behind the decision. How many

[00:12:19] Evan Francen: people, how many of them have the time. Sometimes

[00:12:22] Ryan Cloutier: this is true as well, that’s that’s

[00:12:25] Evan Francen: that’s what’s also, that’s why, one of the things, you know, I say it takes, in our industry, to become a really, really good security person, three things, because I like simple, right? When you can boil down the complex logical things into simple components. Three things it takes to be a good security person. The intangibles, right? Either you have the gift or you don’t have the gift. Either you’re ethical and dependable or you’re not. So one is the intangibles. The second is experience, and the third is education. So when you talk about having the time, people that have more experience can process through the logic much quicker than those who haven’t, right? I’ve been here before, I’ve seen this before, I know where this goes, I know how this works now. And that’s one of the challenges with CISOs that don’t have the necessary experience. They haven’t been through this before. They can’t think that quickly because they haven’t seen it. It’s not because they’re dumb, it’s because of efficiency in the way they process information. You’ve just never processed this information before. This is new. That’s understandable again. And so, you mentioned also, on the topic of logic, there’s a pendulum, I think. So I’ve always thought of this as being two-sided, right? You’ve got logic on one side: I’m making decisions based on pure logic. If you make a decision based solely on logic, I think you miss out, potentially, on the emotion piece. But logic and emotions seem to be somewhat opposed to each other, right? So you’re on this pendulum. If you kind of imagine it visually, logic on one side, emotion on the other. Swing too far to one side or the other, like I make a completely emotional decision, we got no logic. Knee jerk, right?

[00:14:25] Ryan Cloutier: Done.

[00:14:27] Evan Francen: There might have been a little bit of logic sprinkled in there somewhere because your brain is still you know, you can’t just use one or the other solely. You’re always influenced by one or the other because you can also go solely on the logic side because I have been accused I’m very I like logic but my wife has accused me sometimes of being where’s your emotion? Right? You’re too damn logical. Bring it back a little bit.

[00:14:53] Ryan Cloutier: Well that’s nuance for me. That’s nuanced. The emotional piece is the nuanced piece right? Because because you’re right, human beings aren’t just cut and dry. We don’t just fit into this tight neat little box. Um But I think even to your emotions there’s a certain degree of logic that can be applied. I know for myself as one who you know deals with the mental health aspects of of A. D. H. D. You know I have to ask myself sometimes why do I feel, right? So I have to take that emotion that thought I’m having this emotionally driven and in order to properly process in a healthy way, I do have to put that logic filter on top of it say, is this a reasonable way to feel right now? You know,

[00:15:39] Evan Francen: I don’t

[00:15:40] Ryan Cloutier: feel that way in a couple of days. Is that is that still reasonable?

[00:15:43] Evan Francen: Yeah, this is beautiful because if logic is on one side and emotion is on the other and it’s really not possible without I think a disorder of some sort mental disorder of some quotes, some sort I can’t make purely purely emotional decisions. There is some logic sprinkled in. I also can’t make purely purely logical decisions. There is some emotion sprinkled in. So let’s take that too. This thing we call information security, right? We were having a discussion. I’ve had this discussion many times. Are we secure? Well, what the hell do you mean by that? What do you

[00:16:27] Ryan Cloutier: what’s your definition?

[00:16:29] Evan Francen: Right. And so you know, we’ve we’ve had this conversation with you know, business executives. Well, it’s keep me out of the news. Why translate that in my logical brain to be keep me out of the news meaning eliminate risk. That’s the only way I could keep you out of the news. If there if there was zero risk we’re gonna have a breach. Right? So going back to that pendulum, zero risk not possible.

[00:16:57] Ryan Cloutier: Right. Well it’s it’s not right? There is no, I mean what’s the old adage, the only secure computer is one that’s powered off and put in a chipper shredder buried in concrete dumped in the Mariana Trench. And even that

[00:17:12] Evan Francen: anyway, you can have zero risk is to not exist,

[00:17:18] Ryan Cloutier: right? And even that, that, that then presents the risk of not existing, right? I mean it’s

[00:17:23] Evan Francen: right.

[00:17:24] Ryan Cloutier: And then the others that also often

[00:17:27] Evan Francen: spectrum to the other side of the spectrum would be infinite risk, also not possible. Right? So define, so we define reason, let’s define risk, risk is the likelihood of something bad happening and the impact if it did right? And so you do this balancing act. And the reason why this is so important is because in our craft in information security, the job is not risk elimination, nope, stop chasing that. It will never happen. And also isn’t just putting your hands up and like assuming that everything is going to go to shit because that also isn’t going to happen. It’s somewhere on that pendulum. So when I’ve had, you know, and I was telling you the story about the CFO who, you know, he was a peer of mine before, you know, when I had a real job. No, I don’t, I have a real job, I just do stuff, but the he would ask me every time, not every time, many times he would ask me Evan, are we secure? I don’t know what that means in my logical mind secure is somewhere on the spectrum, right? Somewhere on the spectrum between infinite risk and um no risk. You’re, you’re asking me for something definitive on where we had on that spectrum

[00:18:52] Ryan Cloutier: well. And I think to there’s a there’s a desire to want to eliminate that risk and by doing that, especially with a lot of the blinky light solutions out there, you end up introducing more risk and the risk you were trying to eliminate because to your point you can’t eliminate it, it’s it’s going to always be there. That’s why we have a term for it, residual risk, right? The risk that’s left over after we’ve done literally everything we can possibly do and we still have that residual risk. But I do think because of a lack of reasoning when we’re doing things like selecting solutions, when we’re deciding how to attack these risks, what are we going to do about it? Um I think because we’re not we’re not applying as much reason and logic to those decisions. I think a lot of times those decisions are more emotionally driven, A great sales call. I really feel good about this call about this product. It made me feel like I’m doing my job well, it makes me feel right. I think a lot of times those purchase decisions are rooted in that, not pragmatic, what does this really do for me organizationally, what does this do for me from a risk management mitigation limitation perspective. I see it all the time.

[00:20:19] Evan Francen: Right? And so you keep them on to my biggest beefs that if we could solve these problems, I think we’ll go a long way to solving lots more problems in our industry. One is our misunderstanding or not understanding what the goal is. The goal is risk management. In order for me to understand risk management, I have to first assess risk, make risk decisions. It feels very mechanical the first time you do it. But going back to the reason for that experience thing, once you become experienced in this and you get over the uncomfortableness of it, it’s second nature, right? When you see things around information security, it’s like that’s probably a risk that I’m not willing to take. Right? You make these risk decisions very quickly. You do assessments very quickly in your mind. Now you have to go through the mechanical peppery Yes, no question. Pain in the butt part. First, before you get there, one is my that’s the goal. Risk management. And people don’t do risk management. The second pet peeve I have or frustration in this industry is the inability to put risk in the context. Right? We see CISOs do this all the time. We see other security practitioners do this all the time. You can eliminate a specific risk. Maybe in the whole grand scheme of risks that you need to manage, Right? I eliminate that one. Risk at the expense of what? Right now, let’s take this. So that’s security stuff. Now, let’s take this to life, eliminate the risk of coronavirus potentially, but I locked myself in my house. I put a mask on by totally isolated. That comes with a cost. You write that. You didn’t put all the other risks in the context or maybe you did mental health issues, substance abuse issues, relationship issues, quality of life issues, on and on and on. The same thing happens in security. By the way, you focus on this one vulnerability. This one thing you’re now, you’re no longer focusing on training and awareness. You’re no longer focusing on governance. You’re no longer focusing on, uh, you know, logs, whatever.

[00:22:33] Ryan Cloutier: So, so what you’re telling me is if I focus on patching Exchange while becoming blind to everything else, you mean the bad guys might still be doing something bad while my attention is elsewhere. Hey man, shocker

[00:22:47] Evan Francen: right? For us and for us it now with the experience that we have to wait. We can we can clearly say that. But obviously to other people in our industry, it’s not obvious because they make this mistake continually. Because I think when we’re confronted with the risk that we don’t understand, we have usually one of two things that we coat men do. One is we go ignorant, not my problem. I just I don’t care. I’m going to ignore it. I got security people who handle that. All right, well, that’s wrong because this is yours to handle. This is your risk. These are your risk decisions. That’s one thing. And I think another thing that we potentially do when we are confronted with a risk, we make ourselves victims because now I’m manipulated, right? I can be manipulated by fear. I can manipulated by somebody who comes and tells me that they can fix something. Uh, that maybe they can’t, but I don’t know any different because I didn’t take the time to understand what it is that I’m trying to protect myself against. You know what I mean?

[00:23:58] Ryan Cloutier: But you know, and this goes back to my analog human digital world and the incompatibility. I have a theory that we don’t process the intangible risk of the digital world, uh, in the same part of the brain that we process physical risks to your point about experience can help with that, right? Because we’ve seen it. We kind of become those creatures of habit. Oh yeah, Okay. The hot thing is hot, hot is not good. We learned these habits when we get into the digital world. We don’t have this, we don’t seem to have the same ability to look at the risk with our natural inherent risk center, right? As a human being. The reason you’re alive today is because there’s a part inside your brain that says risk. For example, if you’re in a car right now in the semi truck gets too close to you. You’re going to feel that there will be a physiological response to that risk, We don’t have that in the digital world. And I wonder,

[00:25:03] Evan Francen: but I do

[00:25:04] Ryan Cloutier: have a wolf,

[00:25:06] Evan Francen: I do have that in the digital world.

[00:25:08] Ryan Cloutier: Well you do, I do Chris does like folks that are kind of fired our way. I think we do feel that. But the average person that I’ve interacted with it or yeah, out of dozens doesn’t see it the same way. And it takes it takes that time to explain it. It takes reasoning with that reason to walk them through this to say, hey, here’s a physical life risk. Yeah, I get that, that makes sense. Now let me do an analogy of a corollary to this digital and then they go, oh okay, ah ha I get it now. But I don’t think naturally it’s there. I think it is something that you have to train. So I wonder if part of being a CISO is you know taking some kind of exam to show that you can contextualize risk. Some, you know, there’s got to be some kind of requirement if you will um to demonstrate that ability. I know if I’m a CEO and I’m hiring a CISO if I knew that that CISO couldn’t contextualize risk and I understood that the lack of that ability to put my business in danger, I would want a CISO who could contextualize risk. So I wonder how much of this is. We haven’t set the expectation. We haven’t shown the value around that capability. Uh, you know, because if the system started to know, hey, I have to be able to do that in order to be qualified for my job. I think I think that one kind of self solves that on its own right. But it’s setting that, but we can’t, we haven’t done, we haven’t done the necessary groundwork to have those conversations yet. Most CEOs go to your point earlier. Well, I’ve got, I’ve got a CISO for that I’ve got a security guard for that. I’ve got, this is not my problem because I don’t understand that. It’s my problem.

[00:27:04] Evan Francen: Right? Yeah. Yeah. Well, and so you know when you mentioned, you know how the brain functions, it assures me the fact that I do know people that can reason through this. The fact that I do know people who have learned this behavior I wasn’t born with, You know, there’s not something magical. There are certain things for sure that are unique and beautiful and magical in people. But that’s not the things that are making me able to do things that other people can’t with security. What makes it, it’s a learned behavior. I didn’t, you know, fall out of my mother’s womb go, oh, that firewall is configured wrong. Right, right. You had to learn this stuff. And just like I had to learn physical risks, right. I had to learn. I had a parent who told me, don’t put your hand on top of the stove,

[00:27:58] Ryan Cloutier: right? And

[00:27:59] Evan Francen: even then, well, I don’t know if I believe you. So I’m gonna try it anyway and damn that hurt,

[00:28:04] Ryan Cloutier: yep. You know, but, and that’s to come.

[00:28:07] Evan Francen: I grew up in a car in the back seat of my parents car watching them drive. I knew yellow, light, green, light, red light, I knew that. Well then that light turns yellow. I could see my father looking both ways that can, you know, should I go stop with my speed? I mean, you can think through those things. It was a learned behavior and I think we can do that here. I just, we need more people to do it.

[00:28:31] Ryan Cloutier: We do. And it’s, and it is, you know, and I go back to, is your reason reasonable. Um, for myself, you know, we’ll talk on this covid thing for a second, right? So for myself, as you well know, uh, this has been a very challenging year for me, uh, to the point of, of, you know, even maybe spider personality change because of the constant at home and just the shutdown nature of, of the way things are bad around here. And so I took a quick little trip somewhere to get a taste of a life. I used to have and it was so good for me. It was so good for my mental health. It was so good now did I make some risk decisions? Yes, I had to reason through this. I’m going to get on an airplane. Oh my God, this is like the scariest thing ever. Right? And what about other people? I care about other people. It is my decision putting them at risk. And so as I thought through this as well, everybody on the plane made the same risk decision I did. So I don’t feel bad

[00:29:35] Evan Francen: or they’re just really ignorant

[00:29:36] Ryan Cloutier: or there is well let me say it differently. Everyone on that plane decided to get on that plane and with that came inherent risks. One of which could be covid, one of which could be the engines starting on fire in the plane going down. Right? So they inherently we all chose either consciously or subconsciously to accept that risk. Uh huh. But by doing so I traded wall one of of true bad places mentally of going to two levels of depression and other things that are, that are unhealthy or I could put a little bit of my physical health at risk potentially to save by mental health from further deterioration and as you also know, because that was so good for me when I got back, I quickly realized I need some more of that. So I will again be going and getting some of that that I need and again, I’m going to be making trade offs here making these risk decisions. But the reality is, is the risk of my physical health right now is less concerning to me then the risk to my mental health to continue to operate in isolation. You continue to

[00:30:49] Evan Francen: see and you have the ability to put risk in the context, right? Because you understand that physical health, mental health and spiritual are not inseparable, nope, just like information security, privacy and safety are not inseparable.

[00:31:02] Ryan Cloutier: They’re the same thing, Different names, slightly different. They’re very close. They’re all, they’re all say, well, I say it this way, they’re all parts of the same whole,

[00:31:12] Evan Francen: Right? And so because I also went through the same thing and um, and that’s why, you know, when Covid first started broke last year, I spent hours and hours and hours and hours hours. I mean, I’m not a medical professional. I’m not a, you know, I’m not a scientist like that. I’m a data guy. So I’m trying to make sense of this. Where is the reason and why we’re doing what we’re doing, what’s the reason behind because some people will just jump and just think it’s well you wear a mask because you don’t get other people sick, you do this thing because you just a lot of people just kind of take what’s fed to them as opposed to let’s use some reason to figure out what’s reasonable like to your plan. And so I did all the, all the math I could think of. You know, I’m not, I’m also not a math genius, but so many of the things that we were doing didn’t make logical sense to me not to say that it wasn’t logical sense behind it. I don’t know. It just didn’t make logical sense to me. I couldn’t make those connections in my brain. Yeah, call me you know, because another thing that I learned that it just drove home so consistently and it still happens today and it’s maybe always happened is people who can’t defend their position do one of two things. They either change the subject or you attack my character. So when I tell you, I don’t understand the logic behind whatever, right? And something that’s as touchy and and fear filled and misunderstood as a coronavirus pandemic that none of us have ever been to before. Instead of engaging me in discussions about, let’s go down the path of talking logically reasonably about this. Normally, what happens is I get attacked, Oh, you’re an anti-vaxxer. I never said I’m an anti-vaxxer. I plan on getting the vaccine. I’m signed up to get the vaccine. I understand the logic behind getting a vaccine to protect myself from a virus. I get that one right. And so you go forward to where we’re at today after a year and I’m still trying to make sense of things. Certain things I play by the rules, right? Because I do live in a society of rules, right? Society says in the state I live in there’s a mask mandate. Well this is where I live. I will wear my mask, right? We can talk about the logic and all that other stuff trying to figure that stuff out. But another thing that frustrates me that I can’t, I’m trying to figure out right now is, um, you look at the state of California who did diametrically opposed things to the state of Florida, right? Take the politics out of it. Take the emotion out of it as much as you can. Use logic. Use data. Why are the, you know, the rates similar in one state versus the other states, Right. And there’s all kinds of hypotheses and I like those too, right? Because you can, you might say, well, you know, you’ve got greater population density in California than you do in Florida. Fine. Let’s go down that path. Let’s understand that. Because I want to make sense of all of this as much as I can so that I’m not driven by fear. So I’m not a sheep who just does what somebody told me because believe it or not, there’s lots and lots and lots and lots of people giving you information that don’t have your best interests at heart. I know that.

[00:35:01] Ryan Cloutier: Yeah. And we see that, you know, to bring the fear aspect for a second back to information security and how that plays a role. You know, a lot of folks today are very afraid of ransomware, they are very afraid of being in the news, there’s there’s very much an element of fear and just like with the coronavirus, you know, part of that is the way the media is handling certain things. You know, whenever we hear about cyber attacks and events and a lot of times it’s very inflammatory language, it’s it’s very pumped up and puffed up. Um, and so if these leaders, you know, that’s where they’re getting their take on things, you know, now they’re now they’re in the sphere position. So when a vendor comes in and says I got you right, my thing, he does all the magic. It’s got invisible processes and quantum entangled wizards that will magically fight the hacker story. Okay, I say to myself man, I’m afraid, and this person is the first person that says something that allowed me to start to anchor back to call

[00:36:10] Evan Francen: and they sound incredible,

[00:36:11] Ryan Cloutier: didn’t and they sound incredible. I need me some of that. And that decision again, because of the fear element back to what we said previously? That’s an emotionally driven decision. That is not a logic based decision logic based decision would be how many threats do I see against my network daily? What are the types of threats? Where are they coming from? Are there commonalities now taking that telemetry, that that fact based logic based data and applying that to this solution, I’m being offered that has, you know, to quote Chris numpty. It’s in it. Um you know when I do that I go well that doesn’t actually solve my problem well and there’s the there’s already of this stuff that just gives me more stuff to look at in a busier screen that also alerts. So there’s

[00:37:07] Evan Francen: your keyword problem, what’s the problem

[00:37:10] Ryan Cloutier: correct?

[00:37:11] Evan Francen: Right. So logic would leave me one. Is there a problem if there is a problem? What is the problem? Right. And then the next question for me is is it worth solving? I have other problems, believe it or not. I have lots and lots of problems. Is this the one to solve right now or is this one I can defer for later and then? And this is all part of risk management too. Right. You can make those corollary, those correlations between risk management and the same process. Do I have a problem? Uh What problem if so what problem do I have? Where does it fit with all the other problems and then how would I solve it? Yeah. Right. That’s a logical approach to life, a logical approach to kind of everything? Right. Versus oh, should I have a problem? I better okay I better without going, do I really have a problem because when you’re driven by fear, you expose yourself to that right? When you don’t And where does fear come from? Fear comes from failure to understand something I’m not afraid of things I understand,

[00:38:21] Ryan Cloutier: right? Because

[00:38:25] Evan Francen: I don’t want to take that risk. So don’t confuse my avoidance with fear. There’s logic behind the reason I avoided it.

[00:38:32] Ryan Cloutier: Well, there’s logic behind your fear. Fear has kept our species alive until now. I mean, it is, it’s also killed us. It has. But traditionally the fear of unknown. If we go back to our biological roots, the fear of unknown is rooted in something in the bushes made some noise and that something might eat me. So I don’t know what that something was. So I’m going to create distance between me and it until I have a chance to properly assess the situation. Even cavemen reason

[00:39:03] Evan Francen: understanding, right?

[00:39:04] Ryan Cloutier: Yes. Even cavemen reason. They said, whoa, whoa. Bushes move. Well, is that dinner or are we dinner? I don’t know. Let’s let’s back up a little bit. Let’s let’s assess the landscape. Oh, that’s a buffalo. Buffalo is good. That’s dinner. Let’s get it. We understand it. Ooh, what is that striped thing that I’ve never seen before. So it just ate my friend. Now we know now we know that’s a tiger. We stay away from those, right? But I think in information security, we’re still at a caveman status. We haven’t yet understood the world. We’re standing inside of enough to know that when the, but when the bushes are rustling? Whether it’s dinner or whether we’re going to be dinner. And I think that’s a core part of why we’re not able to effectively reason Is that we don’t truly understand what we’re standing in the middle of right now. We moved so fast and you and I talked about this all the time. We moved so fast and we built up something, take stock for a second and realized 25 years ago, life was very, very, very different. Mhm. The way we conducted ourselves, we went to the bank on a regular basis because oh yeah, you had to, you know, it was I just watched a documentary about Blockbuster, The Last Blockbuster, right? That whole part of life is gone now that that experience that we all shared of going and picking out a movie and going and just that whole process vaporised. Well that didn’t just go away with that so many other things went away and now we’re standing in this new world we’ve created and we don’t fully understand what we’ve done. And those CISOs that are responsible for those companies. Well, they’re just humans too who are also standing in this new world, not fully understanding what we’ve done?

[00:40:58] Evan Francen: Right, Well, and so there’s um you know, well as you’re talking, I’m thinking about how do you fight or how do you build better reason? How do you learn better reason? And I, and I think the way you do it is you question everything, why, why why I have, you know, I was just talking to a really experienced CISO with lots and lots of years of experience, I showed you your resume. This was Monday. I show you his resume? He’d be like, damn. He knows what the hell he’s doing. Well. He he wants to leave the organization he’s working at and wants to go somewhere else, right? And and so you know, he’s telling me about this and I’m like, so where do you want to go? What are you looking for? Why? You know? And then I had another conversation that same day. So going back to the these conversations with people lead to these types of discussions. I had another person who I said, you know, he was saying what his goal was in this industry. He’s relatively new. He says I want to be a CISO. So I said why? Uh huh. Why do you want to be a CISO?

[00:42:12] Ryan Cloutier: Yeah. Seriously? I mean really? Why why would you want to be

[00:42:17] Evan Francen: Right? And so I shared that discussion and that discussion went on for a long time and I shared that same discussion with another CISO friend of mine at a Fortune 100 company awesome guy. And I, you know I said, you know, did you ever think did you ever question yourself? Like why do you want to be a CISO? He’s like, oh my God. Yeah, but it wasn’t until I got here right. You know,

[00:42:41] Ryan Cloutier: and he said I was out when I was really standing in, right?

[00:42:46] Evan Francen: So I think the way you reason through things is it’s okay to question. It’s okay to wonder it’s okay to ask why, why, why why are you telling me I need to do this? Why are you telling, you know, why do I, what do I behave this way? Why am I making this recommendation? Why all those wise it’s healthy do that because that provides a logical, reasonable foundation for why you’re doing the things that you’re doing

[00:43:18] Ryan Cloutier: well. You know, what’s interesting is it’s a skill that you have in your youth that we somehow seem to lose the value of as we keep if you’ve ever met a child Of what a five year old take a five year old. That is a basket of why every other word out of the child’s mouth is why why why? Why? What? Right? Because they’re trying to build understanding of their world and we in information security, I think could learn a lot from having that five year old mentality of curiosity and question because I don’t think we truly understand the world we’re in right now. I think we’ve built it up and it’s so complex and it happened so fast that nobody has really taken the time to step back and take stock and go, whoa! We fundamentally changed everything. That means we move the risk from the physical world into the digital, We’ve created a bridge where physical risk can have digital impacts and digital risks can have physical impacts. Great example is the data center that burned down in France and that was a physical event that has long reaching portal impacts to the companies that didn’t have a good DR plan.

[00:44:33] Evan Francen: Well, when I grew up, I grew up through this transition like you did. And so I’ve never been able to logically separate physical security from logical security. I’ve never been able to separate them because when we talk about information security, what we’re trying to protect originally and still today is information. Well, information comes in various forms. It’s always come into physical form. It’s always coming up, you know, not always, but become what I actually has always become in a logical form to through storytelling and things that people would exchange in person to person networking. So I was never able to separate them. I’ve never treated them as separate,

[00:45:12] Ryan Cloutier: you know, but many people do because they didn’t, they, you know, they, so many folks don’t understand how it works. I thought I had a conversation the other day with, uh, with a fairly well educated security person who you didn’t really know near as much as the resume would have led you to believe, right? They were asking some questions that were like, wait a second. I thought you had these accreditations. So how could that still be an open question. Um, and again, it’s that whole rush to do it and everything’s become very niche. I mean, how many times have in our career So we run into a network security guy but I wouldn’t let within 1000 miles of an application. I’ve met an application security guy that I wouldn’t let within a million miles in my infrastructure. Mhm. How many times? And and if you were to ask an outside person, you know? Well they’re both the same security person, right? They they work in information security, they work in IT. That’s that’s the thing. But those two humans have a vastly different understanding of risk, risk profiles, how risk occurs and you know I I know I’ve run into the network guy that’s so laser focused on the network that it’s well the network you know it’s that where the whole perimeter idea of perimeter security came from and then you know the the app team just needs to do their job better. It’s not me, it’s them. And then you know then we had to create a whole separate industry DevOps to deal with that

[00:46:41] Evan Francen: when how often do we feel intimidated to? I mean this is another bridge between information security just everyday life. How often do you feel intimidated by asking why? Right you’re in a meeting. I mean you’re in a meeting and you know someone says they want to do something to the infrastructure or whatever whatever the thing is. Right and it’s going to affect you and affect others and so but you’re in this meeting with your peers and everything and you’re like I gotta save face, right? I don’t want to look like, I don’t know what I’m talking about. I

[00:47:13] Ryan Cloutier: don’t know. We shame curiosity. I don’t know why we shame curiosity, but you’re absolutely right. It’s nobody wants. You wanted to go, hey, I don’t know. Even though the smartest person or by the way is the one that asked the most questions or

[00:47:25] Evan Francen: you are you, there’s this lack of respect to write because I may ask you the question why and you’re you and you take it as me challenging your authority, be challenging your um your decision making when really give me the benefit of the doubt. The reason I’m asking why is because I don’t understand and it’s okay to not understand. It’s not okay to continually not understand, right? But the only way I’m gonna get out of this not understanding bucket that I’m stuck in is to ask why is to question right? Take the same thing to life right? I don’t know if you’ve ever had a discussion with, I was talking this morning to Peter. Yeah. And I was talking about Twitter right? How comfortable do you feel about stating an opinion or questioning why? Um on Twitter, you know, if somebody says, you know, say something about politics for instance. So you got an anti-Trumper or you’ve got an anti-Bidener, it doesn’t matter which way you go And they’re touting whatever, whatever, whatever. And you ask, why do you feel that way? Why are you saying that? Oh my gosh, you will be ostracized. You might even get banned from Twitter for why I don’t understand. I’m not, I’m not trying to spread this information or anything else. I don’t get it. Help me right, that’s Twitter. The same thing happens when I talked to friends, potentially if there’s not that mutual respect, right? I’m text and ostracized me if you want. I’m traditionally a pretty conservative guy right now.

[00:49:14] Ryan Cloutier: I would say yeah, but not, not wacky concerned. You know, I’ve known you for for some time and I can I can confidently say that yes, you’re conservative, but you’re not you’re not that wacky type. No.

[00:49:28] Evan Francen: Well and so and I say that because I want to be challenged is my world do incorrect? Am I wrong in the way I’m thinking? Because when I engage with people like, like I don’t use Peter, Peter’s more liberal than me. I love Peter right? We’re not going to let this get in the way of our relationship, I will ask him questions about why you feel the way you feel about certain things. He doesn’t attack me for it. He explains it to me. I’m like, okay, good and I’m not trying to change your mind either. I think if anything I want to make sure that you can defend your position. You are using logic to come to the conclusion that you’ve come to. Right? And so um this stuff has to happen, right? We have to have these conversations whether it be in life or over in information security, why? Why are you asking me to do change my password all the time? Why are you telling me I have to VPN all the time? Why are you you know all these things that we’re doing? Why? To what end? For what reason?

[00:50:36] Ryan Cloutier: Well, and to that before we move on to the password piece, Actually, we’re gonna

[00:50:40] Evan Francen: be passwords next week. I decided when we do passwords next week, is this longer than I expected? Okay. All right. I love by the way.

[00:50:48] Ryan Cloutier: So so you know, we asked the why one thing that I have found is when answering someone’s question about why it needs to be meaningful to them if you want them to understand it. If you give them a why that only has meaning to you. Right? So let’s pick on vendors for a second. So why should I buy your product? Well, let me give you all the reasons I think you should buy my product because my product does this cool thing that I care about. This cool thing that I care about, right? And so the why is coming from that perspective of the things I care. But if I want the person to really understand, I have to give an answer that is meaningful to that human. I use this when I talk to parents. Okay. So, so hey mom, Hey dad, you know, you need to do threat monitoring on your kid. Why? Well, let me explain a couple things first. Your kids more likely to use their school email address to sign up for accounts that you don’t know about. This is a great way to check that. Trust you the event. That’s a great way to stay on top of these things. Uh, if your child’s account gets compromised, their future is potentially jeopardized their ability to get credit, their ability to have an identity that is not flagged on the no fly list because it was used by the drug cartel as a false identity to move drugs around, right? You have to take the time to explain it in a way that matters to them. If you don’t, then I just say, Hey mom and dad, you know, you want to monitor your kids know I want to respect their privacy, right? So if I don’t take the time, you know, and if I just give them my why, hey the boogeyman, right? If I give my why, Yeah, Well you know what? There’s a lot of boogeymen and I don’t have time for boogeymen right now. But if I take time to explain potentially their future is jeopardized, whoa, I’m their parent. The last thing I want is their future jeopardized. 
I’m now going to do everything in my power to gain understanding on this topic so that I can reason because I want to keep my kids

[00:53:12] Evan Francen: safe.

[00:53:14] Ryan Cloutier: And, and the same is true in information security, you know, and if you are a vendor and you’re selling a product and you can’t help your customer understand why it matters to them. You’re, you’re doing it wrong. You’re part of the problem.

[00:53:31] Evan Francen: Well, I think so jay the advice I would give is, you know, is to ask ask yourself why often get comfortable with that. Get comfortable with. Why am I doing this? Why am I giving this advice? Why am I making this decision? Why am I leading in this way? Because that really opens yourself up for improvement. It does, it makes you a better person. It makes you a better leader. It makes you better security person. Um, it also makes me a better educator, right? I can explain to people why we do the things we do the way we do it. Um, so as as somebody who’s out there doing things question yourself. They also don’t beat yourself up. Right? That’s that’s a slippery slope question yourself. Why why? Why all the time? And also as a, as a questioner? Yeah. Get comfortable asking why now the challenge. There’s two things that I want to give for advice on that. Um, if you’re the person receiving the why. So I’m taking a stand, whether it be in politics, whether it be in security, whether it be in the coronavirus, Whatever I’m taking a stand on something. Somebody asked me why I become an answerer. Here’s my advice to you. It’s a door opener. It’s not an attack. It’s a door opener. It’s an opportunity for me to share with you. The reason I believe the things I believe the reason why. Reason. There’s reason. Again, the reason why I do what I do. It’s an opportunity to make somebody else’s life better, right? It’s not an attack on me asked me why I asked me why all the damn time. Please. Maybe I don’t even know why the hell I’m doing what I’m doing and then I’m just wanting to like endlessly don’t let me do that. Ask me why. Right? So that’s that’s the answer now on the question or side of things. I know how uncomfortable it can feel to ask somebody a question, especially a touchy subject that you might get your ass beat for it, right? But as a question, I want you to feel like this inside that you are on the right path. 
It’s okay because people who can’t defend their position with reason, that means that they’re wandering right. They can’t defend themselves in terms of why they believe what they believe, why they’re doing what they’re doing. They respond in one of two ways. Either change the subject, right? So I’m gonna ask I want to talk to you about, why I’ll take something touchy that’s in the news right now, why are the death rates and things in California the same are similar to those in Florida right now, that’s a touchy thing. People either change the subject or they’ll attack my character. So when you’re asking that question and somebody does that to, you know, that that’s that’s where it’s at. It’s okay.

[00:56:33] Ryan Cloutier: Well, and I’m going to add to that because I think there’s a way to limit that happening. So if you just asked why without some color around your motivations for asking why, I think you do create a more accusatory type of question. I think if you if you say, uh I would love to gain a deeper understanding of why you believe what you believe and how you got there. Like I’m interested in really understanding this and that’s the motivation behind my why. I’m not questioning your authority. I’m not questioning the decisions you make, that’s not what I’m doing here, I’m not I’m not calling into question you or your decision or saying that it’s right or wrong. I may do that later. But right now I’m simply trying to gain understanding so that we can communicate better. And I think you do need those extra words. I do think you need to, especially if you’re dealing with a personality that you know, is going to be more resistant or maybe they’re just a caustic personality and you know, but you should still, you shouldn’t shy away from asking why. But there’s a the answer of solid ground a little bit.

[00:57:45] Evan Francen: Yeah. And on the answer side of things too, if you do get that question that does seem like it’s challenging ask that right? Instead of just firing back some kind of like, you know, escalating the things you get, Hey, why do you feel that way? And you take that as like, are you questioning my authority? Ask that? Are you asking why? Because you really want to understand why? Or or are you asking why? Because you don’t think I you know, you think there’s some deficiency in me or this is some attack on my character. You can have these discussions when you have this basis of respect, right? I respect people enough to be to engage in this way. Right? And I think especially now in the world we live in, we’re going so damn fast. We don’t how you doing. I’m good thanks. And then off they go, right, let’s let’s get a little more going because we have believe it. I mean where we’re heading if you use logic and our experience that we’ve gained over the years in this industry where we’re heading is a very dark bad bad place.

[00:58:55] Ryan Cloutier: Yeah, it is, it’s quite scary actually.

[00:58:58] Evan Francen: It’s going to make the pandemic look like walk in the candy store

[00:59:03] Ryan Cloutier: just if you can stop using Orwell and Black Mirror as your guide posts for the society that we’re building. That’d be great. Just saying

[00:59:12] Evan Francen: please,

[00:59:13] Ryan Cloutier: if you could just five minutes just back away,

[00:59:16] Evan Francen: you know?

[00:59:18] Ryan Cloutier: Um No, I agree.

[00:59:21] Evan Francen: I’m sorry man, I I need to move forward because I need to get this, you gotta closing thing on that.

[00:59:25] Ryan Cloutier: Uh No, just just to say, I think you know again, you know the reason, what’s your motivation behind it is your reason reasonable. Have you asked enough of the questions why in a respectful manner of yourself and of others?

[00:59:40] Evan Francen: Yeah. And and here’s the thing for me, I mean and this is a closing, its okay to ask me why? Please ask me why? Ask me why about my political position? I don’t care, asked me why, I mean be nice if we knew each other a little bit first, you know, ask me why on, you know, why do security the way I do. Security asked me why I need that to if I’m going to become better so um and maybe we can learn learn that together. Alright, so mentions real quick, I want to mention just the FRSecure CISSP Mentor Program that is coming. If you don’t know where to find them, that’s on the FRSecure site, it’s 100% free, will always be free. Ah It’s awesome this year. You know, we’ve got, I don’t know what the latest number is but I think it’s over 4000 people that are signed up for that free training. Uh I’m an instructor there. You are an instructor there and Brad and I is an instructor there. That will be a lot of fun.

[01:00:37] Ryan Cloutier: Yeah, I’m looking forward to it. It’s a, it’s a great program and uh, if you, you know, are looking to get your CISSP take it, if you are just even curious to learn more about, you know, security in general, it’s worth your time, you’ll learn something. Um, yeah, I’m excited to be part of it. I think it’s great and I love seeing all the folks whose lives we’ve, we’ve touched. I think that’s that’s the best part about being an instructor.

[01:01:05] Evan Francen: Amen brother. Well, yeah, and that’s why we’re in this industry, we’re here to serve. I’m here to make life better than what the less the less you fight me, you know, the more you align with me probably the better we’re all gonna be because my heart is in the right place. I don’t have all the answers. But man, I want to help. Yeah, for sure.

[01:01:26] Ryan Cloutier: Well, and to that point as to S2Me, right, so we mentioned for, for us, S2Me, so for those of you that don’t know one of the many things that we do at SecurityStudio and FRSecure to help the world be a better place is we provide real resources for people at no charge. And one of those is S2Me this is a free personal risk assessment. Won’t take you very much time at all to complete it. A couple of things you’re going to get by taking this assessment, you will gain a better understanding of your own personal risk habits, You will learn how to improve upon those and reduce the risk that you and your family are exposed to at home as well as at work. The other thing that you’re going to get is an amazing benefit is a free threat monitoring. So the email that you used to register for S2Me, we will then monitor for you going out onto the dark net and public looking for any data breach where your email’s showing up And if we find one we push notification to you, this is a $20 a month value that we give away absolutely free. So I do encourage you to check it out. If you’ve never done it before, do it. And if you’re a leader of an organization or a security leader, it’s a great way to start to assess your talent and see just how at risk your employees are. The companies that have a security culture, are the companies that are least likely to be breached?

[01:02:57] Evan Francen: Yeah, exactly, man. And we we built this, you know, well before the pandemic, uh not really knowing the pandemic was coming obviously, but knowing that people are creatures of habit, you

[01:03:08] Ryan Cloutier: know what, I don’t understand them. I was coming up, I would I would have bought stock in Johnson & Johnson, Right?

[01:03:14] Evan Francen: Yeah, but it’s uh we built this because we knew that people are creatures of habit, The same security habits you have at all the same ones are bringing to work and vice versa. So, and we know that we have this problem of teaching people, reaching people um about information security, risk management, nobody is responsible for your security at home. Yeah. Oh yeah, ultimately it’s yours, right. You can point fingers and blame everybody else that you want. But you’re the one that installed that IoT device, you’re the one who couldn’t live without Google Home or Alexa or whatever else you plugged into your network. And even if they were responsible and he wanted to hold them responsible, meaning the people that sold you those things, how do you recover the innocence of a child? You’ve got a safety component here at home that you don’t have anywhere else. Uh you know, if your child’s been preyed upon online or whatever else happens, if you can’t get it back, it’s gone. And so that’s the this is just very, very important. Their life skills. It’s free. It will always be free. Always, always, always be free to you. It’s a risk management tool. It is an assessment, but there are recommendations on how to make things better. If we just told you all the things that are wrong, it didn’t give you any tips to make it better than were useless. Uh, so it’s https://s2me.io. That’s the site. Uh, the exciting thing about S2Me is it’s really, really, really exploding in terms of popularity. We talked to a really big telco provider, consumer telco provider yesterday. They want to get, you know, provide this as a standard bundle to all people, All their customers, which is like in the 10s and hundreds of thousands. That’s awesome. We have the state of North Dakota made it available to all their citizens. Uh, that’s awesome. We have, you know, uh, other big, big associations, one that’s, uh, association for people my age and older. 
Um, you know that we’re, you know, working with to get it out to that population. I just got an email this morning about a fairly large bank that wants to make it available to their customers and then also wants to, you know, take it to their banking association and make it available to all those awesome free do it no strings attached. I don’t want anything. Well, co branded your stuff right? At the cost of it is to just co branded, right? We don’t want to do this to be a moneymaker. We want this to be a problem solver. Right? So I’m preaching. I can preach all day about that because damn it. That’s the whole reason I’m here,

[01:06:12] Ryan Cloutier: I’m not you and we are making a difference. And I can say that with all the confidence in the world that we are making a difference and I hope those of you that are listening that, you know, you’re you’re seeing this and taking it as an inspiration to make your own differences as well.

[01:06:29] Evan Francen: Yeah, I mean you and me and and others of us like us, we’re not, I’m not here for any other reason, then I want to fix this. I hate seeing people taking advantage of, I don’t want you to be taken advantage of anymore, whether it’s a business, whether you’re a customer of a business, whether you’re a consumer, whether you’re a parent, I don’t give two craps and I don’t care how much money I make, I don’t care if I make any money, I would do this for free if I could figure out some way to feed this big body of mine,

[01:06:59] Ryan Cloutier: right?

[01:07:00] Evan Francen: You know, But so that’s our motivation. Get on it. It’s yours, not mine, my responsibility. My responsibility is to give you the tools to try to help you solve some of these issues. It’s your responsibility to use them.

[01:07:16] Ryan Cloutier: Absolutely.

[01:07:18] Evan Francen: Alright, so news, I got two quick news things. One is the Microsoft released, this is from GBHackers.com. I’m not going to go deep into either one of these. I just want you to be aware, Microsoft released a one click Exchange mitigation tool to mitigate recently disclosed ProxyLogon vulnerabilities. So if you’ve patched uh your Exchange server, you probably don’t need the mitigation tool, but go in review uh use the mitigation tool. You know, it’s it’s really really really significant uh very much exposed vulnerability because the thing is you have to expose your mail server, Right? It communicates with other mail servers on the Internet. You can’t close port 25 and expect that thing to work. So you need the mitigation get on it if you haven’t already.

[01:08:10] Ryan Cloutier: uh and uh if you’re 365, give it

[01:08:15] Evan Francen: time. Thank God. Because again, no such thing as risk elimination, it doesn’t matter if you’re in the cloud, it doesn’t matter if you’re in your backyard. Uh do you have risk? So you better understand it? The second one is uh this one ticks me off because again, I hate people taking advantage of other people. And you know, there is, there may not be a more vulnerable market in our industry today than the education market. Uh And this one comes from Malwarebytes the FBI warns of increased, I’m sorry of increase in PYSA ransomware attacks targeting education. No, so education occurs uh reach out to somebody, reach out to us. Well, if you don’t have the resources, uh we’ll find some. I mean if I have to stay up late and help, you know, whatever I don’t want you to be at risk. I want to make sure that, you know, that you’re well protected against ransomware attacks, we’ve got tons of resources, we’ve got a free ransomware readiness assessment, you might find a little uh over the top. Mhm. But that’s okay, you reach out to us and we’ll give you that but and it’s out there and it’s getting worse.

[01:09:43] Ryan Cloutier: Yeah. And all I’d add to that is, you know, if you are uh there are small business or K-12 limited resources, air-gap backup, a good old fashioned, believe it or not cheap. Removable hard drive uh back up your data, back up your system images, store it completely off the network, it’s cheap and it’s a dirty solution, but it is highly effective.

[01:10:11] Evan Francen: Right? It’s always funny how the simple solutions often are the most effective.

[01:10:17] Ryan Cloutier: I mean it’s you know, if you can do proper redundancies, that’s great. But if you’ve got nothing today, go to Best Buy, go to Micro Center wherever your local retail or order it online. Get a removable hard drive or a series of them however your data footprint is and move that stuff off the network. You’ll thank yourself later when that ransomware event happens,

[01:10:40] Evan Francen: Right? And I’m a silver lining kind of guy too. So look for opportunities to educate educate your students, right, engage your students and things like this. So uh and I’m just as a hypothetical thrown out an example, let’s see. You do do tape backups, but you don’t have the time to switch out, teach, you don’t have time to do this or do that. Maybe this is an education opportunity. Maybe you can uh you know, talk to the school administration figure out a way that maybe you can do kind of a training program with your students and this is how you use tapes. This is why tapes are important. And then let them do the tapes, let them take the tapes out of the tape device and bring it to the vault and put in your tapes. You know what I mean,

[01:11:23] Ryan Cloutier: engage. And there are, there are districts today that do that with their high school students as part of their education program and some of them actually work part time for the district getting paid. So if anybody has any questions about that, feel free to reach out to me more than happy to put you in touch with schools. I know that are doing this, that can help you figure out what you can do to implement a program like that in your own district.

[01:11:47] Evan Francen: Love it. That’s awesome. Alright, let’s wrap this thing up. We did run a little bit late, but nanny, it’s always such a freaking good conversation. You and I could sit here and talk, I swear for a week straight, right? You have to bring my bacon in. You know, I’d have to get my wife to bring the bacon in. I need to eat. I like you bacon. Uh But let’s wrap up. So any shout outs this week and if you want to give a shout out to

[01:12:14] Ryan Cloutier: uh so the whole SecurityStudio team, they’ve they’ve done an amazing job this last week. I mean they always do a great job this last week, they really pulled it together, we just there’s so much stuff going on and everybody is doing a great job of keeping all the spinning plates spinning. So uh definitely want to want to recognize just the team and just the whole team,

[01:12:34] Evan Francen: awesome. I’m gonna give two shout outs actually, man, I’m going to give up three uh shout out to you for, you know, taking care of business last week, you know, while I was out, you know, getting some much needed R and R. You know, you kept the business running uh and improved in many, many places. So big shout out to you man and a shout out for stepping in last couple weeks for Brad. I’m

[01:12:58] Ryan Cloutier: happy to, happy to it’s it’s all part of being part of the family.

[01:13:02] Evan Francen: Yeah, and I want to give a shout out to Brad. I know that he’s reason he’s not here is not because he chose not to be he uh um he’s just got a lot of things going on right now and I want to give a shout out to him in support. Uh you know, I love the guy and uh I always love the guy, so you know, you’ll you’ll be hearing from him again real soon, and the third shout out I want to give is to, to John Harmon. I love the way he’s running the FRSecure team and the FRSecure group. And I know what it’s like to be a leader, sometimes the top of the, you know, organization. Um, it feels lonely to be that person because nobody else can relate. All right, you got all this stuff going on and you’re like, who do I talk to shout out to him? Because not only is he leading that team amazingly well, but he’s also engaged in a can appear president group that I think is just providing amazing support for him, but you have to be aware enough to know that you need that support to go and get that support. So shout out to him. I got three shout outs. That was cool. I could keep going on shout outs too by the way. But is it

[01:14:19] Ryan Cloutier: enough?

[01:14:21] Evan Francen: Alright, so thank you to our listeners, uh, encourage you to send us stuff that you’d like us to read like us to know about. There were things that we talked about in today’s show that maybe you want more information on, you know, we offered help in a number of different ways. Maybe if you missed. Um, you know, some of that reach out to us by email, we will respond. I’ve gotten better at that. So, um, email us at unsecurity@protonmail.com. If you like to socialize uh give shoutouts, man, spread the word, do whatever you need to do or can do or ask those questions with maybe set a good example on how to interact on social media, but reach out to us on twitter. I’m @EvanFrancen, uh, Ryan is @cloutiersec Brad’s @BradNigh, you can find our companies there as well. That’s all I got man. Good show. Thank you. Yeah,

[01:15:18] Ryan Cloutier: absolutely man, do it again soon. All right brother.

Evan has always been a strong proponent of weaving mental health transparency and help into the information security industry—one that tends to have long hours, stressful moments, and many other challenges that contribute to mental health struggles. With Brad out this week, Evan is joined by Ryan Cloutier for an honest and transparent discussion of mental health in infosec, their own personal mental health challenges, and the Mental Health First Aid certification.


Podcast Transcription:

[00:00:22] Evan Francen: Welcome listeners. Thanks for tuning into this episode of the Unsecurity podcast. This is episode 122. The date is large 10th 2021 and joining me is somebody new uh Ryan Cloutier.

[00:00:36] Ryan Cloutier: Hey you’re right. Doing good Evan. How about you?

[00:00:38] Evan Francen: Doing well too man, it’s, it’s good to have you on the show again video a couple of times uh, Brad couldn’t join us this week. It’s just got a ton of stuff going on. So I’m happy that you’re here. How you doing

[00:00:50] Ryan Cloutier: doing really great man. Glad to be here. Thanks for having me back. I always, I always enjoy when I get to spend time talking with you and you know hanging out. It’s always always fun and enjoy doing different things with your podcasts and stuff. So glad to be able to be here tonight with you excited. We’re going to talk about,

[00:01:11] Evan Francen: right? And so you mentioned tonight. So this is different. Normally we’re recording these things on Tuesday mornings, Brad and I get up at seven, you’re not a morning guy night, don’t fall that at all. I like to think of it as kind of shift change, right? You work late. I get up early, you kind of got the whole day covered two of us but it is night and it is a Wednesday night as opposed to Tuesday morning uh took us a little while to get ourselves coordinated, but here we are. And I also like talking with you by the way, we do our Shit Shows every Thursday night. So everybody who’s listening Thursday night do those lives meet Ryan and Chris Roberts and we talked about authentic all things tomorrow, we’re talking about uh tool for right, This is where people seem to continue to buy tools that don’t necessarily not to use them. Will be a great conversation tomorrow. You and I are always on that stuff, but this is the first time I think you and I have tag teamed on the Unsecurity podcast.

[00:02:16] Ryan Cloutier: Yeah, I think it is, I think what I’ve been on before, I’ve been a guest actually, it kind of takes me back the first time I was on was over a year ago and I think uh yeah, we weren’t even working together at that time. So it’s it’s been fun to watch this developed to, you know, as uh as one who actually, you know, does listen from time to time to the Unsecurity podcast. It’s it’s kind of cool to be able to do that and you know have it on the Spotify but also get a chance to be on it. Although I will admit, I generally don’t listen to my own

[00:02:49] Evan Francen: episodes. But yeah, I don’t, I’ve never, I can honestly say, I’ve never listened to an episode of the Unsecurity podcast. I hate hearing my voice. I don’t know what it is. So there you go. If it, if I sound funny, we’re going to have to tell me. So I’m not going to figure it out myself. Well,

[00:03:10] Ryan Cloutier: usually, you know, usually there’s, there’s some kind of background noise. You, uh, you like to do an adventurous life. So,

[00:03:18] Evan Francen: wow. Well that’s a good segue because right now we do this the first part of the podcast, usually just catching up right now. Today I’m down in uh Daytona For Daytona, five weeks. People don’t know. I love Freddie probably gave it some more wholesome, you know, kind of that culture. And so I’m sitting on the deck. So, and I see the ocean site just over there, you might hear in the background. Uh, probably guys like to love their motorcycles. I don’t have to do that. You might hear that from time to time. But yeah, I’m down here. Just kind of catching up on some rest. You started kicked me out I think for a week I’m not supposed to be working. So that’s what I’m doing down here.

[00:04:07] Ryan Cloutier: Well, you know, the vacations are good, very important.

[00:04:12] Evan Francen: Yeah. So what you’ve been doing since I’ve been done and what’s, what’s been going on in the home front.

[00:04:17] Ryan Cloutier: Uh, you don’t doing, doing a lot of awesome stuff to help the mission and really, um, serve, you know, you know, my passion area. It’s K-12. And so then strategizing and working with other organizations and companies that are complementary to what we do. Um Looking for opportunities to really help. And actually I had a great conversation today with the partner of ours about scholarship opportunity for K-12 to try to help them be able to leverage some security help and resources, consulting, advising, you know, different services. Uh And that seems to, that seems to be a concept that’s got a lot of, a lot of traction behind it. So I’m just, you know, I mean man, I like to, I like to help inspire others that we work with to to step up and do more to help out. Um and I’ve done a lot, a lot of that this week. And so it’s been really fulfilling for me.

[00:05:17] Evan Francen: That’s cool with you mentioned the mission, right? And we see all the time around you shouldn’t be four months. Uh and the mission really is to fix the broken industry. What that needs is making security attainable for everyone. Well we all have a role to play in information security. What’s your role? What are you doing? Well there’s as our parents uh you know, eating your children getting their household whether it’s a school administrator, leaving a school protecting students protecting the community, whether it’s you know a business a little bit. You all have a role even as a child as a kid. What are the rules, What are the things I’m supposed to be doing on my iPad or my iPhone, Right? So this mission of ours is, is huge and I love working on it with you because I know in your heart this is what we do, right? It’s all about this.

[00:06:12] Ryan Cloutier: Well it is. And you know, to that point, one of the fun things that we’ve been able to work on recently has been building a coalition of folks that are also wanting to help out and putting some structure around that, you know, and we landed on the name and I love it. The Gray Matter Society. Um, I’m just, I’m really, really excited about that. I’ve actually spent a lot of time this week thinking about that and starting to make some initial calls to some folks that I wanna wanna invite. Um, it’s just really cool. And so for the listeners, the concept is that, uh, security professionals and non security professionals coming together to focus on and solve some of the most challenging problems and doing it in a way that’s going to promote the highest chance of success. So not trying to focus on too many things at once, but being very narrow in the focus, really working the property completion. And I think that part of it really solidified it from, from just kind of a neat idea. Like, wouldn’t it be nice gift, uh, to something more concrete that really does feel achievable. So I’m pretty stoked about it.

[00:07:27] Evan Francen: Yeah, man, I love it. This is one of the things that came from the shit show, you came from, probably four or five weeks ago. I think I was on another, you know, air quotes vacation when I was actually working a lot down there. But it was, we talked about a problem in our industry where I think I posed a question: what’s the most significant? What’s the root cause of all security problems? And it led us down this path. Well, it’s people. Well, okay, that’s sort of a cop-out answer, what is it about people? You know, there’s a lot of times in our industry we look at people as those people, right? Not me. I’m not part of the problem. They are, right? No, that’s not true. You are also part of the problem. So as we got talking through it, I think we realized that the problem’s really not as difficult, well, not as complicated to solve as we might think it is, but we don’t do it because I think we have so many competing motives, right? You’ve got money, right? Everybody wants to make a dime. Everybody wants to make money. We’ve got political motives, whether left or right. You know, I come from this angle and I want you to solve it this way so that it satisfies my constituents as opposed to yours, which I don’t really care about. We want to create this Gray Matter Society where it’s not about politics. It’s not about money. It’s not about saying, it’s about let’s solve the damn problems. Make life better for everyone, right? And that’s, that’s important, that jazzes me, man, because we can do this. We just have to come together. We have to solve these things together. And I think we can.

[00:09:23] Ryan Cloutier: I really do. It’s going to be good. And it really is that coming together piece that’s so important, you know? And, and some of this will develop as we get into the meat of our topic tonight. But I think it’s just empathy, right? It’s all rooted in that, that empathy, empathy for your fellow human, for society. And I think as long as that’s the driver behind folks participating in this, I think it’s going to be wildly successful.

[00:09:53] Evan Francen: Yeah. So for people, um, stay tuned for this, right? You’ll start hearing about it more and more. This might be the first time you’ve ever heard about it, the Gray Matter Society. Or maybe you heard us mention it somewhere else. Um, but this is going to become a thing where we’re going to recruit anybody to participate. Some of the biggest names in our industry will be part of this, as long as they have the right motives. We do have people in our industry who don’t have the right motives. They won’t be invited. We won’t tolerate that. This is about serving society, not about serving an individual person. Uh, oh yeah, that will be seen. That will be awesome. But you mentioned our topic for tonight. It’s our topic for tonight. We talked about it before. We’ve talked about it on the shit show. We talked about it here on the Unsecurity podcast. It’s mental health, and specifically the reason why this comes up again is yesterday both you and I and a number of leaders from the companies that we work for, we went through this training. It’s called the Mental Health First Aid, MHFA, certification training. It was four hours. I learned a ton and I wanted to share it with our listeners. I think it’s relevant to the jobs that we do. Um, if you’re a human being, you struggle with this one way or another, right? Whether it’s today, whether it’s tomorrow, sometime in your lifetime, more than half of us will struggle with a mental health disorder. So what are we gonna do about it?

[00:11:38] Ryan Cloutier: And I’d add to that too. For the half that aren’t struggling, you’ll still deal with it, because you are going to be interacting with a colleague, a coworker or family member, a loved one, spouse, etcetera, who is going to be struggling with it. And I think that for me, it was awesome. Part of this learning was having some new tools about how to talk about it. And, and I guess, uh, talking about it directly was the thing that was most eye-opening. I think we have a tendency as people to talk around the subject, to soften the language, to maybe be hesitant to, to ask, you know, very blunt and direct, respectfully, obviously, but very blunt and direct: How are you doing? And are you having thoughts of suicide? I thought that was a very important callout.

[00:12:31] Evan Francen: Good one, man. The quote of the day that I put in the chat was: the more you talk about suicide, the fewer people die.

[00:12:41] Ryan Cloutier: Yeah, and it’s true, it’s just, it’s absolutely true, right? And I think a lot of that is rooted in the stigma aspect. And so, you know, I’m just glad we’re able to talk about this tonight, because this is what we do to help fix this, or to help create the necessary bridges for people to get the help they need, right, is by having an open, honest dialogue and not, not shrinking away from it, not being afraid to talk and use the word suicide, to say, you know, to ask somebody point blank, are you thinking about killing yourself? Not hurting yourself. And as we learned in our class, those are very different things. They don’t necessarily see the action of killing themselves as being, uh, an action of hurting themselves. So you have to use the right language. And I think that is just so important, and just being honest about how you feel, you know, with yourself. I thought the self-care piece is so important for those in our industry. Yeah, I think we all do a better

[00:13:46] Evan Francen: job. The thing that, if you were there with me, and there were, what, 14, 13 other people. We had 15 people, which was the maximum class size. We had a bunch of people that we had to turn away. So we’ll probably do more training where we work, and at FRSecure and SecurityStudio we take this very, very seriously. We don’t want anybody to suffer unnecessarily with any mental health disorder, any struggle in life. We also learned the average time period between somebody struggling with depression or, you know, suicide contemplation is 10 years, right? There was that 10-year span where people suffer before they either get help or, sadly, they do take their own lives, or they do end up getting worse, whether it’s a medical issue. I mean, it’s worse than it. I mean, just that 10 years of suffering really hit home with me.

[00:14:56] Ryan Cloutier: Yeah. Well, the comorbidity, right? That, that jumped out to me, is during this, this 10 years that there’s that whole comorbidity aspect of mental health that can affect your, you know, heart condition, right? You know, we talked about anxiety and panic attacks and how, symptom-wise, if you don’t know what’s going on, it can look and feel a lot like a heart attack. Externally, to people observing it, it can look and appear to be like a heart attack. And the fact is, as you go through it, you do experience that accelerated heart rate, that increased blood pressure, those things that, if you are susceptible to heart attack or, or a condition, could then potentially exacerbate it. So it isn’t just strictly mental health. That was a big takeaway for me as well, that this is a key component of overall physical health.

[00:15:50] Evan Francen: Yeah, yeah. Good point, man. Uh, talked about, you know, suicide, obviously, depression, anxiety was another thing that was talked about, panic attacks, how to deal with those things, how to be the person that can be connected to somebody and offer that support that they need at the time they might need it. Right? Not shying away. Not feeling embarrassed about talking about these things openly, fighting the stigma. And the reason why I think this is really important to us in our industry is it’s easy for us to become isolated. I don’t know if you’ve ever struggled with this, right? Anybody who is not in my shoes doesn’t understand what it’s like being in my shoes. And so I feel like nobody gets me, nobody understands what I’m struggling with. And so I can easily, uh, retreat, isolate myself. And if I don’t have good friends, if I don’t have somebody there who’s going to say something to me, okay, man, are you okay? Can I help you? I care about you. I love you. Uh, we don’t hear that enough in our industry. Um, it’s easy to fall down that slope and I don’t want people to do that.

[00:17:11] Ryan Cloutier: Yeah. The, the empathy aspect, the connecting with your fellow human is so important, especially in this industry, because you’re absolutely spot on. This is an industry where isolation is, to a certain degree, encouraged. We hoard our secrets. We are the keeper of the secrets. And so we have to hide away in our little cubbyholes and, you know, put protectors on our screens, and everything we do is hush-hush. And then, you know, most likely we’re under one or multiple NDAs at any given moment. And so, you know, we have a culture of silence. We have a culture of, we don’t talk to each other. And then I know myself personally, and I’m sure you’ve experienced this as well, and probably the majority of listeners, I get stressed out about stuff like, why can’t people change their password? Why is this so hard? Trying to convey the emotional stress that that particular issue can cause me to a non-security person, they look at me like I’m on something, like, really, you’re excited about this? I’m like, you understand, like, if we don’t change behavior, things get worse, things get worse. But this will be something that you will eventually care a lot about. But then it’s too late. The horse has left the barn. So I’m over here waving the flag trying to sound the alarm. And they’re looking at me saying, why, why, why are you feeling that way? So it’s, it’s hard to connect, to get empathy outside of the industry, if the thing, you know, if one of the major stressors is, you know, the work and the nature of the work we do.

[00:18:49] Evan Francen: Yeah, man. And I get, like, yeah, and that’s why I think it’s so important for coworkers, you know, other security people who march down this path with me, because my wife doesn’t understand it. My wife doesn’t understand what it’s like to be a security person, what it’s like to care so deeply about somebody protecting themselves, protecting their family. These are things that, you know, I don’t know, I think many of us may be obsessed about. I mean, I have no idea, I obsess about it. It pains me to see somebody suffer anywhere. I hate people suffering. I hate seeing people being taken advantage of. People don’t get that, uh, outside of our industry. They don’t get what I’m feeling. So I think having coworkers, people like you, people like, you know, the 13 others who took this training with me, having them march on this path with me and be able to hold me accountable, or say, hey man, something’s off, what’s going on? You know, that can mean the difference between life and death for people, honestly.

[00:20:02] Ryan Cloutier: It can, and, and that was another takeaway from the class, was, you know, that little interaction, that small investment of effort can be and is life-changing. Yeah. And you never know when somebody needs it. And the nice thing about this, and I would advocate for anyone that’s in a leadership position that has the ability to bring this into your workplace, please do so. You will, you will learn a lot of things, and you will also learn the impact that not managing mental health in your organization ultimately has on your bottom line. It does affect your overall productivity, it affects your throughput, the quality of work that you’re getting from your employees, the longevity of that employee. Unmanaged mental health generally leads to something not great. Uh, and I know my personal story here in the last few weeks, and part of why I’m getting, having so much guff about being on vacation, is I started to hit a wall. I started to get to a point, mental health wise, where I was starting to go down the slope. I hadn’t started the journey yet, but I sure as heck was right at the edge, and I knew that if I didn’t do some self-care, if I didn’t prioritize not worrying about work for a day, not, you know, really just stepping, or truly stepping away, not checking that email. I have that bad habit. I’m sure most of us do. The email comes to the phone and it’s 9:00 at night and, well, I ain’t really doing much else at the moment. Ding. It made a noise. I think I can just check it, and before I know it, I’ve answered five emails and I’m three quarters of the way through a slide deck that I shouldn’t have been doing, while ignoring something else that needed attention at that time.

[00:21:53] Evan Francen: Dude, that’s such a good point, and I think this is what makes this episode, it’s deeply personal for me, because I know the struggles. You and I have a great relationship. I, I deeply admire you. You know, I love you, and I’ve said that many times, you say the same thing to me, and we’ve sort of stolen that word in our, in our society, like it means something that it’s not. What it means is I care about you as much or more than I care about myself. Mhm. I will do whatever I can to help you when you’re struggling with things. To see you take that time off meant the world to me, and I look forward to the time when you can do that again. You also afforded me that same opportunity. Yeah. You made it known many times, team meetings, like, Evan is not allowed email. You see an email, you let me know. Sometimes you have to have that sort of intervention to keep people from burning out, to keep people from going off the edge. Because when you burn out, that’s just the beginning of a bunch of really shitty things. Excuse my language. Burning out isn’t the bad thing, it’s the beginning of many, right?

[00:23:16] Ryan Cloutier: And it is, and you know, it’s, and you saw some signs, you know, this is even before we had the training, and I chalk this up to your empathetic nature as a human. You’re just kind of more dialed in that way than, than the average bear. And so you could see there was some slippage in the gears, there was a little bit of, you know, not getting the throughput that I could do. You know, there’s a little micro things, and, and you know, you would make sure to check in, and because I’m very in touch with my own mental health, I was very vocal back to you, you know, I’m not in a great place, no, things are not going well. Now, another interesting point from yesterday is that at no point did I shirk my accountability while dealing with managing mental health. Those are not separate things. I’m sorry, they are separate things. They’re not, they’re not the same thing here. You, you, I still must be accountable to the commitments that you’ve made, to the things that you said, especially in the workplace. You’ve got to deliver what you say you’re going to deliver. Now, because I was able to communicate with Evan and have an open dialogue, we were able to work together to find an appropriate time where enough things had been transitioned away that I could step away for that week, and it not be disruptive to my colleagues. Now, had I had a mental health emergency, well, sorry, got to prioritize myself first, but that’s, that’s crisis mode. Uh, I was just dealing with a generalized mental health concern, and just, you know, I’m an ADHD person, um, have had that diagnosis for years, and with ADHD comes, uh, you know, a bit of anxiety, a bit of depression. These are comorbidities, if you will, of the ADHD, and unfortunately they kind of feed each other, so you do have to make that time. But if I didn’t have the support, and this is the important point I’m trying to make.
If I didn’t have the support, I would not have felt as comfortable stepping away, and I would have had a lot of the concerns that most people do. Well, is this going to be viewed as weakness? Is it going to be viewed as, as something against me, less than? And when we’re in these competitive environments, that, that matters, you know, people worry about these things. So when you have a culture that says it’s okay to not be okay, that doesn’t mean it’s okay to not come to work on time. That doesn’t mean it’s okay to not get your work done. Mm. But if you can have that dialogue, if you can promote that kind of environment, not only are you going to get better quality output out of your staff, but there’s a loyalty component there. There’s absolutely a loyalty component. If you truly care in my moment that I need that care, I’m less likely to feel alone and therefore continue down a negative slope. I’m more likely to be receptive to help because I’m already taking some from you. So now when you suggest that maybe I might need additional help to manage those issues, I’m more amenable to that. Um, and at the end of the day, I mean, who doesn’t, who doesn’t like when they feel validated and important?

[00:26:36] Evan Francen: Right? No, you didn’t. It’s tough, man. This is, this is a great conversation, because, you know, something that I struggle with, and I don’t know if other people do too, but on the workload thing, burnout thing, um, it’s a trust thing too, for me sometimes. You know, I feel like, what if I just, if I just let go for a week, for a day, for a couple of days, will stuff fall apart? You know, I mean, can I actually disconnect from my phone, from my computer, for a period of time and believe that the world will end? I mean, that’s a tough, it’s a tough thing for me. I went through that with FRSecure, uh, that company got to a point where it was for sure enough to where I had a management team, but I still remember, like it was yesterday, the first time I stepped away for a week, and I was, I actually had anxiety, had more anxiety not being there than I had when I was there. Because I thought it was gonna fall apart, and then when I came back, it didn’t fall apart. I was like, all right, I can actually trust this thing. It isn’t going to fall apart. So then the next time I took this time off, I didn’t have the anxiety no more. Mhm. You know what I mean? It was like, you have to take this, sometimes you have to take this leap, and it’s going to be okay, you know, whatever okay is. I mean, what’s the definition of okay? I don’t know, what’s the, what’s the definition of normal?

[00:28:33] Ryan Cloutier: Depends on who you’re talking to. Uh, yeah, well, it’s interesting that you say that, because I’ve always had the philosophy that if it falls apart when I’ve gone away, that’s not good. Nothing should ever be single-threaded. You should be able, as a, as a, as a healthy company, even if you’re not mature, you should always be able to weather a 3-5 day window of any given employee not being around, and if you can’t weather

[00:29:04] Evan Francen: that, but then, you know, what your mind tells

[00:29:06] Ryan Cloutier: you,

[00:29:07] Evan Francen: this is what my mind tells me: did I build a good company?

[00:29:12] Ryan Cloutier: You know what my mind tells me? How much mess do I have to clean up when I get back? Because as I came up in the corporate realm, any time I took a vacation I always came back to a steaming pile. There was never, it was like, for that week or two weeks of vacation, everybody just went, whatever it is that we don’t want to do, we’re assigning it to him because he’s not here to say no, and we’re not going to do anything that he expected us to do while he was gone, so he still has to deal with that when he gets back. I don’t, I don’t think that was maybe intentional, but that seemed to be the right, and anyone I’ve ever talked to, talk to them that Monday, Tuesday after they come back from vacation and they’re like, oh dear God, why did I ever, why did I do this to myself? Right. I think that’s part of our competitive, aggressive, workaholic type American work culture, um, which I also think is a contributor to the opportunity for mental health incidences to get worse. And if you’re not, if you’re not addressing it early on, if you’re not doing that self-care, if you’re not taking a few minutes to stretch or get that run in or whatever that thing is you need to do, pet the dog, you know, spend a little time with your dog, pets tend to be an amazing stress reliever, and, and if that’s not working for you, then having a colleague around you who can observe and clearly see a change in behavior and reach out and say, hey, are you okay? Can I help? I’m here to listen. Do you want to grab a bite after work? Not here to solve, but, I’m not here to fix. That was one of the really important things we learned. We are not, as, as certified Mental Health First Aid folk, we are not diagnosing, fixing or solving. That’s not our role or purpose. That’s what professionals are for. We’re there to be a bridge, to, to help that person know that they’re not alone.
Which is so important, so important. So many of us feel so alone, even in groups. So, so touching on that, letting them know, and in listening with purpose, you know, not listening to respond, not listening, you know, and just kind of nodding along like a bobblehead, but truly listening. Just that act alone could be the deciding factor, that could, that could be all that they needed to get through that moment and say, you know what, I’m grounded again, I’m back to, back to a healthy place. Um, so the more able you are to identify that, I think the quicker you can help people.

[00:31:55] Evan Francen: I love that, man. It’s, uh, I’m talking with you tonight after having that training yesterday, reminds me of things that were mentioned, right? As you just mentioned, a really, really, really important point. There are times it’s not time to fix things. There’s times where it’s just time to listen without judgment. You know, let people lay it on you. And I mean, how much, I mean, I know from my own personal, you know, and this is where I want to go next, it’s just personal stuff. Um, how, how therapeutic it’s been for me to just lay it out. This is what I’m feeling, I’m pissed off, I’m depressed, I’m whatever I’m feeling. And just to have somebody listen in love, don’t fix it, because you can’t fix it. That’s, that’s the thing. You can’t fix it. So you trying to fix it just frustrates me more. Mhm. I just want you to hear, I just want you to know, I want you to care. Show me you care. That’s it now, right? And it improves the overall quality

[00:33:13] Ryan Cloutier: of your workplace, and you know, I, I bring this up, and Evan and I were talking about this before we started the episode. You know, isolation, right? Uh, most of us have never ever been at home this much. Um, the, the amount of time, you know, that we’re spending working alone. You know, I, I’ve, I’ve started to do this accountability buddy thing where, um, you know, I’ll have a, a person in chat and we’re just working, we’re both working silently in different parts of wherever we are in the universe, but I know they’re there and they know I’m there, and that, that helps me to feel more like I’m working in an office setting. Yeah, I was always in my cubicle doing my thing and they were in their cubicle doing their thing, but there was just something about being together. And so with Covid and all the work-at-home stuff, mental health has never been more important to focus on. More people today are experiencing their, you know, once, once in a lifetime, or, or you know, at some point in their lifetime, one in five of us, or, I’m sorry, one in two of us over the total span of a lifetime will experience a mental health issue. Enter Covid. Yeah, I would say that maybe is even a little higher, so many people are struggling because of the condition of the environment exacerbating those, those mental health concerns.

[00:34:44] Evan Francen: A good point, man, it’s definitely made that worse. And I don’t think we realize, or willfully realize, the impact for quite some time. Uh, you know, we’re starting to see some studies about teens and, you know, because those are such formative years, you’re forming so many social structures that help to form their identity. Yeah, right. At the age of, I mean, I’m 50 years old, I pretty much have my identity. It’s not going to change much, it’s been formed since, you know, early 20s at the latest, but that generation, sadly, uh, is lacking a lot of that identity thing because they don’t have that physical interaction with people. You rely on other people, believe it or not, no matter how individualistic you think you are, you rely on other people to form your identity to a large extent. They tell you things like, oh, you’re good at that, you’re not so good at that, or, wow, I’m really, really impressed with that. It’s those things that you get, feedback from people, helps form, oh, you said I’m good at this, I’m going to do more of that. Right? Right. Uh, yeah, it’s gonna be interesting to see how that’s going to, I think it just stresses more, uh, the importance of fighting the, the, uh, the stigma, talking more openly about it. There’s nothing that I, what I learned yesterday was there’s this misconception that if I talk about it more, I enable it. So, if I talk about suicide often, or regularly, you might think that this is enabling or justifying or maybe pushing towards such a behavior, when the opposite is true. Yeah.

[00:36:47] Ryan Cloutier: Now that was an eye-opening thing, right? Is, yeah, you cannot put the idea in somebody’s head, right? That’s the simplest way to say this. There is no amount of words that you can put together that is going to put the idea of someone committing suicide, someone, or someone, uh, you know, taking their own life, you, you can’t put that in their head. It’s either there or it’s not there. So just talking about it, you’re not causing it, but you absolutely can prevent it. Yeah, there is no harm, right? It’s a no-harm thing. You’re not going to cause anyone to kill themselves by asking them, are you thinking about killing yourself? But you can stop them by helping them to identify that, by helping them to, because, you know, until it gets said out loud, sometimes it’s not even real. So by them saying yes, I am thinking about that, that, that could be that moment that goes, wow, I’m thinking about that, I need to get help. And so, having that conversation, being brave enough, you know, and that’s the other thing too that we learned. You know, you have to demonstrate some bravery. You have to be brave enough to have the uncomfortable conversation, and, and you know, maybe we’ll do another Thursday night show one of these days about this. But it seems like our lack of uncomfortable conversations has led us to a really weird place.

[00:38:16] Evan Francen: No, I agree. Well, and so let’s bring this down, let’s bring this to relevance. So, you know, because we can talk about it all the time, but unless it’s relevant to me, I can discount it, right? Whatever, mental health. Yeah, I know it’s a big deal for you, right? But here’s the deal, man. Combined, you and I have about 45, 50 years combined information security experience, yep. And I’m going to tell you, you know, they got on this truth. I have three people, four, excuse me, people very close to me who are also in this industry who did take their own life, and it hurts. The world’s not a better place. The world was a better place when they were in it. Uh, they struggled with different things. I struggled personally myself. I’m not, I’m not afraid to admit it, because I know that if I admit it that people will walk alongside me and help me to be better, to be more effective, to have this mission, right? This mission means everything to me professionally. I need to, I can’t do this by myself. Uh, so I’ve struggled myself, even recently, and, uh, you know, ADD’s always been a thing for me, squirrels everywhere all the time. I’ve got 50 things right now, 60 things right now on my task list, they’re all somewhere between 10 and 25% complete. Most people would be driven crazy by that. That’s my happy place, right? It’s weird. Here’s another thing that most people don’t know, is I have depression issues from time to time. The last, and I don’t, I don’t know if it’s a, it was just a moment in time or if it’s something deeper or longer. But you know, when I was in Cancun, or, I was in Puerto Vallarta four weeks ago, my wife, my wife asked me, you know, one morning, did you sleep last night? I said, no. She said, what happened? So I woke up in the middle of the night. I don’t know why, but I was crying. I was sad. I was depressed. I sat on the deck for three hours, cried my eyes out, and yes, I contemplated suicide. Uh huh. It is what it is. Uh, simple.
What are you gonna do about it? I said, well, I’m gonna get there. I don’t want to be here again. Even if I’m fooled into thinking that I will never be here again, I could potentially be here again. And I want to have the tools to be able to combat that. I want to have the phone numbers to call, the people to talk to. Because what, what would be the next step beyond that, that night? I’ve never had it before. I’ve never had it since. And so, you know, crap. What’s the next step? The next step would have been to do what it is I was thinking about doing, right? And I haven’t shared that. I’ve never shared that with you. This is the first time for you.

[00:41:52] Ryan Cloutier: It is the first time I’m hearing it. And I, first and foremost, thank you. Yeah, thank you, thank you for being brave enough to talk about it, thank you for, for, you know, not just sharing it with me, but, you know, sharing this publicly. It’s, yeah, and you, you are doing the right things, right? It is talking to those that can help you, and you know, I’m here for you and I will support you up to my ability, and then, you know, and you know, I’m going to advocate for, and now that I know, I’m gonna help hold you accountable to making sure that you are getting that and doing that. And I can, you know, and I’ve been there. It’s been a very long time, when I was a young man. I made an attempt on my own life as a young man, had a lot of, lot of trauma, lot of demons. Trauma, by the way, it tends to be a big cause of a lot of this stuff, um, and we all got some kind of trauma, I promise. If you’re brave enough to open the closet, you’ll find it, it’s there hiding. Uh, and so I, I, I know what that feels like to be in that moment, and I want to share with you that there, that moment can come and happen and go, and as long as you’re aware and are doing the necessary things to stay aware of that, another day will come, the sun will rise, things do improve. Um, and you know this on a spiritual level, right? The day will come, the day will always come. The next day will always come. And so, um, I love you and I want you to continue to do the right things of, of talking about it, of seeking help, making sure, you know, that you have it. You know, I, I’m just, I’m glad that you said that, followed up with, and I said, I want to go get the help I need, and that’s the important part. That’s the important part. It’s making that effort to do that. The other thing we learned, and this is very relevant right now, yes, most mental health challenges and issues are resolvable. It’s that they are resolvable, very, very,

[00:44:16] Evan Francen: very, very true.

[00:44:17] Ryan Cloutier: Strategies, medications, therapies. There’s 101 ways to work through this stuff. And the majority of the time, 80 plus percent of the time, there are long-term, meaningful recoveries. You know, you can, it’s just like any other illness. That’s the other thing we learned. So talking about stigma for a second, right? It’s not that Evan is broken. That’s not it. Evan has an illness that then, you know, has symptoms, and we wouldn’t judge anyone for having cancer. We don’t run around wagging our finger at cancer patients, telling them shame on you and your tumor. You can, you can think your way out of that tumor. You can, you know, you can tough it out, you can push through it, and, and magically the cancer goes away. We know that’s not how it works. So we don’t even go there. As a matter of fact, if you heard me, if you heard me say to a cancer patient, hey, shame on you for having cancer, you would probably all look at me like I was the worst person ever. But we, we do that with mental health. We make people feel that, or weak.

[00:45:23] Evan Francen: You say, well, here’s how I feel right now. Number one, I’m grateful for my life. She asked, she asked, seemingly simple push, how did you sleep last night? What it showed me was that she cared. She asked me because she cared. So I felt comfortable telling that I didn’t sleep up, and then she asked me why, right? I felt comfortable because there was a level of trust. Now I have somebody in my life, and you, you’re another one, John Herman is another one, Brad. I will you Young security podcast is another one. I, I, I’m very, very, very, very blessed to have people in my life that I can share these things with, that won’t judge me, that will help me. Right? And the reason why I’m sharing is not because I want anybody, simply I don’t care. I don’t want anybody said, I have the support. I, I truly do. The reason why I share because this resonates with you: call me, call Ryan, call anybody. You, the lie is that nobody gives a shit. That’s a lie. There are many, many, many people who do give a shit. Another lie is that the world will be better off without you. Another lie, will, will not be better off without shoes. I was going to talk about these four men that I lost in my life in this industry. These are security, but I lost, the world is not a better place for them, without them. Sorry. You know, one was, you know, Robbie. Every talk I give, I mention Robbie, I miss Robbie. It was the one part in the conversation yesterday in the training where I did start to cry, because this is a man who had so much potential, use a beautiful, beautiful human being. I have no idea what God was going to do in his life. Had no idea what God was going to, how God was with museum to help other people. What I know is that Robbie had a beautiful heart, probably was just an amazing person, and he bought into the lie somewhere, bought in that nobody cared, you bought in that nobody would listen.
Oh, you know, and then you live with that guilt, and I’ll just, I’m gonna get, I’m gonna get faith the with you. But you know, you know me man, that’s cool.

[00:48:05] Ryan Cloutier: Oh yes. All

[00:48:06] Evan Francen: right. So there’s guilt and there’s shame. I’m sorry, guilt and conviction. Guilt comes from Satan, conviction comes from God. The reason why that’s so important for me to remember is guilt tears you down, guilt makes you beat yourself up. So when somebody close to you does take their own life, guilt is the thing that says, well, I couldn’t have done something, you know? Did you miss a sign? Uh, no, you might be to blame for this because you didn’t step in when you should have stepped in. Those are guilty. Thanks, say that bus the conviction pieces, what can I do to be better? How can I help somebody else? Not knowing what I know now, learning what I’ve learned, is there somebody else that I can walk alongside to improve their life? Is there somebody that I can love that isn’t being loved right now? Can I invest in a relationship with somebody? Because all of this comes down to relationships. When I look at somebody, and what I’ve learned in all of this is, I want to know your baseline. The only way I’m ever going to know your baseline is if I actually invest in you and learn you. Yeah, right. The only I’m gonna learn you because I love, why would I give any time to you? So I want to know what your baseline, and when I see a deviation from that baseline, why? Right? Why are you acting different than I remember you? Why are you acting different than what you’ve always acted? Something happened? The feeling sad about something, did you? You know? And when you just asked that question, hey man, what’s different, how are you doing? You know, because, and then give them an example. Give them an example like, normally you kind of behave like this, this is how I see you today. I’m seeing you like this, explain to me why the difference. Because one, that shows that I care; two, it shows that you’re gonna have to help explain this to me. You have to give me a logical reason why this is different. You can’t just blow it off and say, well, I’m just having a bad day.
No man, I’ve seen this for the last week, this isn’t a bad day, Tony warren, you know? And so I don’t know man, I could preach about this because it really does hit home, you know. I lost property, uh, which, you know, the world sucks a little bit more without Robbie here. Uh, you know, my buddy Justin, who was a partner at one time with FRSecure, took his own life, hung himself in the garage. Uh, yeah man, I mean these are people that we need to do whatever we can. I’m not going to live with the guilt. There are going to be more people who are going to commit suicide. It’s just a fact of life. I won’t feel guilty about it, I’ll feel convicted about it. What can I do to help or to love people more, you know? Even like everybody, Chris Roberts, right? I’m not, I’m not diagnosing you by any means, but I know his baseline now, right? When I see a deviation from his baseline, I’m going to step in. Yeah, there’s a problem.

[00:51:38] Ryan Cloutier: It’s text. I mean, you know, and we, and the nice thing is, and if anybody listening, if you don’t have this in your life today, reach out, okay? Reach out. Seriously. The three of us have an accountability system in place. We are all very aware of each other’s mental health, we are all very aware of deviations in that baseline. And this is because we spend time checking in with each other, and when we don’t hear from each other for a while, we check in with each other: hey, how is it going? And we don’t ask that of each other as a platitude. We ask that of each other because we genuinely want an answer, and if we get the blow off answer, I promise you there’s always the follow up text: that’s cool, be more specific. So, you know, and I know having that serves as a bit of an anchor for the three of us. I know it does.

[00:52:38] Evan Francen: Uh, yeah, so two things, right, to see what happens. Two simple things that you brought up: who are you checking in with, who’s checking in with you? Yeah, I mean, how, how far would that go? It’s making life better for you and for other people, you know what I mean? Are you checking in with, checking with them regularly, learn their baseline, what is their baseline, invest in them enough to learn their baseline, that’s love, right? And then when you check in, if it’s a deviation from that baseline, why? Right? There’s a reason. Things don’t happen without a reason. A computer doesn’t do something without somebody telling it to do something; same with people. People don’t do something without something motivating them, something changed to make them do something different than they were doing before. I have habits, right? I have some bad habits. I stay sort of on that plane, but there are times when you call me and I’ll be like, mhm, absent minded man, I’m just not paying attention to what you’re saying. Yeah, or you ask me how I’m doing and I say fine, but it’s not like you don’t do fine, it’s more like fine.

[00:54:04] Ryan Cloutier: Yeah. And there’s, and there’s times when I know, just because I also live with the ADHD, I know because of knowing your baseline, there are times when I know it’s just ADHD rearing its ugly head and it’s not, it’s not anything bigger than that. There are other times when, you know, and, and in our relationship I’ve tried very hard not to be afraid of holding you accountable to better behaviors, to checking in on that and keeping a check valve on, right? And I’m going to continue to do that because I care, right? Um, because that part is so important. And when we’re talking about mental health in the workplace, it’s, you know, I know you’re probably not going to get to spend the amount of quality time with, with most of your co-workers and employees as the three of us get to spend with each other, um, as friends, but you can still spend some time. You know, I think of, I was in that training and I thought of a coworker of ours who shall remain nameless, who I know her and I have had multiple conversations over the time I’ve been with the organization about that very thing. How are you doing? Really? And, and we’ve gone out and had some lunches where, if you were to eavesdrop on the conversation, you’d just, wow, heavy stuff they’re talking about over there. But it was good for both of us, and it was, it was a chance to just to connect on that, that level. And you know, do I spend a lot of time with this person? No, but the time I do spend, I make it a point to make that time meaningful and, and not just surface bs, not just, you know, yeah,

[00:56:01] Evan Francen: everything’s good. Uh,

[00:56:03] Ryan Cloutier: you know, so one thing I want to make sure we, we call out, get your pens and papers ready because you want this phone number. This is the National Suicide Prevention Lifeline, and it’s 1-800-273-8255, 1-800-273-8255. You’re not alone. If you can’t get a hold of anybody, call that number, someone will answer. They want to hear from you. They are interested in what you’re dealing with and they will help you to get the resources you need to make it through that mental health challenge and get up and, and fight another day.

[00:56:51] Evan Francen: Awesome man. I love that. And they’re trained, they’re specifically trained to help.

[00:56:57] Ryan Cloutier: Mhm. Yeah, absolutely.

[00:56:59] Evan Francen: So, and I want to encourage people to, oh, uh huh. One, put that phone number in your contact list right on your mobile phone. So get out your mobile phone, and positive you have to a particular over the time to do that. But put this, you know, call it whatever, suicide hotline, call it hotline, call it whatever you want to call it, put that as a speed dial so it’s handy when you need it. So do that, and then writes a that number one more time, speaking.

[00:57:37] Ryan Cloutier: It’s up 1-800-273-8255.

[00:57:47] Evan Francen: So yeah, and truly do you help, if we save one life through all of this, you’re talking, through being open, honest, transparent with all of this. My God. Is that not worth the world?

[00:58:03] Ryan Cloutier: Absolutely. Is

[00:58:05] Evan Francen: how much, how much revenue do you need to make to make up for that? Yeah,

[00:58:10] Ryan Cloutier: I don’t know you can put a number on

[00:58:12] Evan Francen: it. Exactly, bingo. And I remember when Kevin, you know, get a lot of faith, right, Kevin who was a partner at FRSecure, uh, we’ve had a lot of conversations, but I remember the day he said to me, Evan, I’ve given my life to Christ. I was like, one. So then I remember praying this, uh huh. That was the point of all of this. Great, who’s the business? How much, how many dollars would FRSecure have to make? How many dollars would SecurityStudio have to make to pay for Kevin’s soul? Mhm.

[00:58:54] Ryan Cloutier: It’s not, there’s not enough dollars.

[00:58:57] Evan Francen: Great. So that was the point. It helps you to put things into perspective. The same thing happens with mental health, right? It’s dollars and cents, grades. We use those things to do certain things. But at the end of the day, what’s really important is the person behind, a human being. It’s a human being that has dreams, that has desires, that has hobbies, that has motivations, whatever they have, the best time in those people. You know, it makes a difference, society. I could preach all day about that subject. This has been awesome, this conversation with you, because you and I have this level of, I think, relationship, um, we’re, it’s more meaningful than just to talk about mental health, right? Yeah. Well, I mean, you know, podcast inside, you’re a good friend of mine and I,

[00:59:55] Ryan Cloutier: you know, I value, I value real talk, right? As one who has dealt with mental health challenges before they were as acceptable as they are now, and we still have lots of room to go. Um, I, I just, it’s the genuineness and authenticity. And if there’s anything that is enviable or replicable about anything you heard tonight, I hope it is the authenticity. It is the, is the empathy for your fellow human. You know, if you’re not there today, you will be at some point. So golden, golden rule, pay it forward, however you want to say it. But taking that small moment to check in with somebody when you can clearly see their face says, I’m struggling here, I’m dealing with something, you know, strain, pain, whatever. That is a simple check in, 30 seconds of your time could literally change their entire life, and who knows what they go on to do, who knows what? You know, maybe they want to have a great kid that immense to cure for Covid. So let’s, let’s do everything we can to keep our fellow humans here with us.

[01:01:09] Evan Francen: I love it, man. And so two other things that I want to leave people. So we have, you mentioned the phone number, get that into, if you have to rewind and go back, add that in. Even if you never use it, having it there when you need it is super important. So adding the suicide hotline to your phone, it’s a really important thing. Also check with your work: what is our employee assistance program? What is the mental health component in that? Is there something? Should there be something? Go check. So check, call HR, right, we’ll talk to HR. What do we have? You know, if I wanted to go get, uh, therapy, if I want to talk to a therapist, how much is that going to be out of pocket for me? Can I afford it? Get that stuff out of the way now, so that when you need it, you know it. Right. Right. So that’s another thing I would encourage you to do. The third thing that I would encourage you to do is to go check out the Mental Health, oh, First Aid program. Bring it up to your HR, bring it up to leadership in your organization. We spend so much time at work all the time. You know, uh, more time at work probably than we do at home. In many cases, I, that means that I interact with people there. Right? I need their help. I need them. If, if anybody is going to know the baseline of me outside of my wife, depending on my relationship, my wife, with my wife, it is going to be my co-workers. So encourage them, encourage management to go check out the Mental Health First Aid certification. It was four hours very, very, very well spent for me personally. So there’s three things that I’m asking you to do. Yeah. So that’s that, uh, anything else said about myself before I get to just kind of, we’ll brush the news super quick. I don’t want to spend any time really on them. I just want them to know that we know. And uh, you don’t find out one.

[01:03:28] Ryan Cloutier: Yeah. The last thing I’ll say about mental health is the majority of time. It is a recoverable thing. So don’t think you’re beyond help.

[01:03:37] Evan Francen: Never, as long as you got breath in your lungs, you know, a pulse in your heart. You’re not being home. There’s time, right? Somebody can help in somewhere. All right. So, let’s get to some news real quick. Uh, find the real here, I’m on, I’m on my iPad. So here, what you get. The first thing I’ve got is from The Register. So the title is, activists reached burqa to, in view of 150,000 CCTV cams in hospitals, prisons, a Tesla factory, even Cloudflare HQ. Uh, so, did you see this,

[01:04:20] Ryan Cloutier: Brian? I did, you know, and uh, I, what I found interesting in this is that, you know, once again, a super admin credential, what appears to be belonging to a disgruntled employee, was not properly disabled, which then led to this. I didn’t see anything in this that, that was a sophisticated attack or any kind of novel technique or anything like that. It really was credential based. So once again, the fundamentals get us, uh,

[01:04:53] Evan Francen: Right. The basics, and it’s always the basics, and I, and I agree that it’s not, this is not sophisticated at all. This is default stuff,

[01:05:02] Ryan Cloutier: truly. I mean they hijacked, you know, I mean if you’re going to have a super admin account, please use privileged access management for it.

[01:05:14] Evan Francen: Right? Or how about we do security by design, and we force you, before you, that as soon as you turn this thing on, you have to change this.

[01:05:25] Ryan Cloutier: Well, yeah, the issue that I saw was that it was, you know, it was the admin console that they used to manage these devices on behalf of these clients. Uh, and it didn’t seem like they had really good privileged access controls around those accounts and making sure that, you know, when that, what may have been a shared account? I don’t know, that part hasn’t come out yet, but clearly was an account that had not been deactivated after an employee termination. I mean, that kind of stuff, that’s really important to do that.

[01:06:02] Evan Francen: And the reason why this is a big deal is, this is great. So one, we’ve got numerous privacy violations. So imagine you being in the hospital and having a camera, and having other people view these camera images of what you’re doing in the hospital, or why are there, the time that you’re there, what wing of the hospital you’re in. You can produce all sorts of things. It’s a great intelligence gathering piece for future attacks. So this isn’t like, oh well, so yes, it’s not a big deal. It is a big deal. Uh, we need to do better than this.

[01:06:37] Ryan Cloutier: Yeah, absolutely. We do. And you know, we’ll see what the HIPAA lawsuit spring, but

[01:06:44] Evan Francen: you know, like OCR, OCR is so damn slow man. Uh, five years, six years maybe,

[01:06:54] Ryan Cloutier: they’ll get to it eventually. We

[01:06:56] Evan Francen: help at the second one I’ve got is from Firstpost. This is, the title is, at least 10 hacking groups using Microsoft software flaw. Yeah, so 10 different groups are using, uh, the flaw in Exchange. So these are 10 different hats. These are 10 different hacking groups. Many, many, many, many, many, uh, excellent tax here.

[01:07:28] Ryan Cloutier: Oh yeah, this is, I’m chalking this up to the ever growing, what I’m coining, the Microsoft mess. Uh, I think, you know, we see this happening, and I’ve heard some pretty large and scary numbers about potentially the number of impacted, you know, Exchange servers worldwide. Uh, I think we’re going to keep seeing this. I mean, Microsoft had acknowledged a few weeks ago their source code had been viewed, um, potentially in its entirety. And so

[01:08:04] Evan Francen: waiting to see this. Fran Smith said that wasn’t a big deal.

[01:08:10] Ryan Cloutier: Oh well, you know, funny thing about cyber criminals and finding exploits in the source code that you can then

[01:08:18] Evan Francen: leverage. Right.

[01:08:20] Ryan Cloutier: Yeah, I think this one, I think, stays with us for a while. I don’t think they’re going to be able to get rid of this as quick as they want. I think they’re, mainly because a lot of the organizations affected don’t even have fundamental patch management structure in place, so to be able to react and respond, I think, is limited. You know, what’s interesting is this article mentions, you know, that Norway’s parliament announced that they were, you know, had data extracted in a breach. They haven’t exactly said what that data is yet, but you know what, what I’m waiting to see, what happens here is big governments have now been impacted by this. What’s, what’s going to be the repercussion from this, if any,

[01:09:07] Evan Francen: wrong I guess, you know, kind of my thoughts, you know, along those same lines is, uh, don’t think for a minute that this isn’t, and there isn’t a line to be drawn between this and SolarWinds and others, very much interacted, right. There is a correlation here, and we don’t know the exact details because there’s not that level of transparency, breach notifications and things in our, in our country. That’s one thing. The second thing is, you know, I mentioned before, in the Senate testimony that was given in front of the Intelligence Committee a few weeks ago, um, mm, I hope we don’t go down this path of how on more crap on top of this. Let’s actually try to address the problem. The problem is over-complexity in so many different areas, but yeah, come with them. This is not good. Uh huh. Last one I’ve got is kind of along the same lines. It’s from Schneier on Security. And you know, I’m not really too much, kind of, maybe I am a fan boy. Yes, like the number one quote that I use, which is, complexity is the worst enemy of security, so tons of respect for Bruce Schneier, but on his blog he says, you know, the title is, more on the Chinese zero day Exchange might start to change tack. A great read. I’m not going to go into it right now. It’s kind of along the same lines of what we’ve been talking about.

[01:10:52] Ryan Cloutier: Yeah. You know, my main takeaway from this one is zero days, right? The z, I think zero days are going to keep rolling out at a more aggressive pitch now than they have, I think, coming up to this time. And organizations, what I hope organizations take away from all this news coverage, if you will, is that things are speeding up, the attacks are becoming deeper in the environment, easier to execute, broader in scale, nation state, yada yada yada. And the number one defense is still the number one defense: the better you know your environment, the better you know what’s going on, the faster you can cut off the bleed, the less likely you are to experience catastrophes. Businesses need to refocus back in on those basics. Are we controlling privileged access? Do we even know what’s on the network, last time something was patched? If you spent all the money that you’re spending everywhere else on just those activities, you’d reduce your risk footprint by over 50%.

[01:11:58] Evan Francen: Hey man, preacher, blah blah,

[01:12:01] Ryan Cloutier: whoa.

[01:12:03] Evan Francen: Book. All right, well that’s good. We’re gonna wrap it up. Seriously, great talk man. This was the, almost like it was all day. This was the right time for us to have this talk. Uh, and I’m hoping that there are, there’s a listener out there, gets the, I needed to hear this, or I know somebody might be struggling, I can help, I can step up. I don’t have to feel intimidated about talking about difficult subjects. So awesome. Couldn’t have been better in my opinion. Thank you.

[01:12:39] Ryan Cloutier: Well, thanks for having me on

[01:12:41] Evan Francen: Danny shout outs to the sleep. Normally we do shout outs at the end of the show. Anybody who comes to mind right away. I want to give a shout out to,

[01:12:49] Ryan Cloutier: I want to give a shout out to Brad. I know, I know busy, I know he’s busy doing his thing, but I want to give him a shout out. Give a shout out to my buddy Bob.

[01:13:03] Evan Francen: Nice. I have a funny, I’m going to send you pictures tomorrow. I bought two t-shirts, actually Bob butter t-shirts, and I bought a t-shirt and I’m gonna send you a picture of it. I think you’ll find, find it funny.

[01:13:18] Ryan Cloutier: Nice t-shirts when you get back. I still have your Christmas, I have.

[01:13:27] Evan Francen: That’s funny you

[01:13:28] Ryan Cloutier: into your Christmas in July at this point, jeez.

[01:13:31] Evan Francen: Right, when I have a shout out, or I’m going to give a shout out to the SecurityStudio team. I’m never, shout out to you for stepping up, taking care of things, being accountable. You know, holding me accountable, that’s very, very important. I need that. You know, every leader, I don’t give a shit, change my way, which I don’t care how tough, how powerful, how strong or smart you are, is I’ve conquered many mouths, huh? You still need somebody to hold you accountable. The only way they’re going to be able to do that is if you’re transparent, if you’re vulnerable, so go ahead and the marble. So I want to give a shout out to you, and I also want to give a shout out to, you know, just, you know, I give it, just shout out to Justin Gilbert. Uh, he’s somebody at SecurityStudio who how’s the phones all the time. You know, such a great advocate for our partners, bought in 100% mission. Just had a really good, I think, victory today. Uh, so shout out to him. I really did.

[01:14:43] Ryan Cloutier: Absolutely. He’s, he’s doing really good.

[01:14:47] Evan Francen: Yeah, so much love to that dude. Closing. So thank you to all listeners, send us thanks by email if you feel so inclined: unsecurity@protonmail.com. Honestly, you can check it once every couple weeks. But that’s Branson, not mine, did you say? Uh, otherwise socialize with us on Twitter. I’m @EvanFrancen, Brad is @BradNigh, uh, Ryan is @cloutiersec.

[01:15:27] Ryan Cloutier: You did. You spelled it right.

[01:15:29] Evan Francen: Hell yeah. And it’s almost one o’clock in the morning here. So thank you, Evan. Other Twitter, Twitter handle, handles. We always struggle with the post. Honestly, every single time. Other Twitter handles where you can find some of the stuff we do: Unsecurity obviously is @UnsecurityP, SecurityStudio is @StudioSecurity, and @FRSecure. That’s it. We’ll talk to you next week. Thanks.

In light of the SolarWinds cyber attack (which you’ve more than likely heard of by now), the US Senate met about the events surrounding the attack and what can be done to prevent (or at least reduce the likelihood of) similar events in the future. There were some very interesting witness testimonials, but not all good. If policymakers draft policy based solely on what these witnesses said, we might be in some serious trouble! Evan and Brad recount the hearing and discuss their thoughts on the attacks, the witnesses, the hearing itself, and more.


Podcast Transcription:

[00:00:22] Evan Francen: Welcome listeners. Thanks for tuning in to this episode of the Unsecurity podcast. This is episode 121, to date is March 2nd 2021 20 once. Uh, joining me as usual is my good friend Brad. My good morning, Brad.

[00:00:37] Brad Nigh: Morning, Evan.

[00:00:38] Evan Francen: How you doing man?

[00:00:40] Brad Nigh: Not bad. I’m excited. It’s going to warm up. I saw that we might not have snow, uh, cover by this time next week.

[00:00:52] Evan Francen: that’s cool man.

[00:00:53] Brad Nigh: I did. Yeah,

[00:00:57] Evan Francen: I, uh, you know, I’m heading for Daytona Bike Week on third Thursday, Friday,

[00:01:04] Brad Nigh: whatever.

[00:01:06] Evan Francen: Yeah. Uh, so down in Daytona Beach, and I booked my Airbnb back in December and got a notice from the owner yesterday morning that she canceled my reservation. Well, I know. So I’m like, what the hell? How could, and there’s no recourse, you can’t do anything. They give, you know, you get your money back. But yeah, but there’s a reason why I booked in December, because now it’s all going to be booked up.

[00:01:43] Brad Nigh: Right, and anything else is gonna be more expensive. Right? Report that, that it seems shady.

[00:01:51] Evan Francen: Well, I am going to report that. I’m actually gonna send her a bill too for, I got the basically the same resort. Um, but I, it took me, I spent $5 trying to find a new place to stay, because, you know, there’s like 500,000 to a million people that go to this thing. And so I’m trying to figure out, you know, I’m checking everything, and I finally found a place. It’s going to cost me like $3,300. And the one that I had had before, it was like 2,500.

[00:02:25] Brad Nigh: wow.

[00:02:27] Evan Francen: Right? And so it’s like, crap man. I mean that’s 800 bucks. And uh, and it takes like five days for them to reverse, you know, for them to replace you. So I’m not like, you know, it’s like, because I don’t take, like, I don’t take like big time money out of the company. You know what I mean? I try to live on a, on a salary like everybody else. Right? Yeah. Yeah, that makes things tight.

[00:03:00] Brad Nigh: That’s real money.

[00:03:02] Evan Francen: Yeah. So I was yesterday but you know it’s going to be like 70 something down there so and I guess I’m not gonna complain.

[00:03:09] Brad Nigh: No, wow, that’s, that’s all. We had a better experience last year. We were going to go down to the Fort Myers area for spring break, and Covid hit, everything got shut down, and so we received out and the owner refunded the money and turned it around like within 24 hours.

[00:03:32] Evan Francen: Nice.

[00:03:32] Brad Nigh: So definitely we had that bookmarked. Next time we get to go, we’re gonna use them again. I mean, that’s good customer service.

[00:03:41] Evan Francen: Yeah, for sure man. The cost, this cost 800 bucks. And you know, we got like seven people going, and I’m not going to, I’m not going to church that more. I’m gonna tell him. Yeah. They only distress it. So my thoughts. Yeah. I pissed away five hours this day, and you know, I don’t really have five hours to piss away.

[00:04:06] Brad Nigh: No. No, I’ve seen your calendar.

[00:04:10] Evan Francen: Yeah, I was. Yeah. You should see the messages I was sending back and forth. Because anyway, I’m not going to get you too much about it. So we’re working on a bunch of stuff here. You know, I know you are. I am. One of the things I’ve been working on is, I still have been working on the book, and I finally put it on my calendar. So now we’re gonna get, we’re gonna see some acceleration, good, um, on the vCISO handbook. Blocks three hours every morning. The flower. Well, you have to get this up on amount of, if any of the listeners have written a book before. But um, if you just kind of like do it when you have free time, you never have free time,

[00:04:54] Brad Nigh: right? Yeah, you do. Well, I think that’s with a lot of this stuff we work on, it’s, I know if I don’t block it on my calendar, things happen, things come up, I forget about it because other stuff is happening. So.

[00:05:10] Evan Francen: Yeah, so we’ll see some acceleration on that. I’ve been working on S2Org R3 using the new CIS Controls Version 8. I’m hoping they don’t, like, totally change, because they’re not like released, released yet, they’re in the workbench. So if you go to CIS, any listeners want to participate, anybody can go to CIS, you know, go to their website and sign up for the workbench, and there you can see kind of the discussions that are ongoing about the latest version. Way back when, it used to be the SANS Top 20, and then it became the CIS Top 20, then it became the CIS Controls. So it’s going to be, looks like 18 controls this year, but I’m breaking it down, you know, for consumption, right, in the S2Org tool. So this will be revision three of our content, and I think I’m like 140 controls in, and I think I just finished, uh, number eight.

[00:06:22] Brad Nigh: Yeah, I’ve got whatever, 300 something for the CMMC.

[00:06:31] Evan Francen: Uh, so I thought the hardest part was going to be doing this first part, where we take the core, you know, control frameworks and sort of, uh, it’s gonna be harder to push them together, isn’t it?

[00:06:43] Brad Nigh: Yeah, I totally, I was looking at the notes that I. R. S husband is 300 something. The cumin seeds like 175, 176, something like that. But yeah, it’s gonna be interesting because, well, I mean CIS is not holistic. Look, it’s good, don’t get me wrong, but it’s focused on very much of the technology, for really outward facing, right? Um,

[00:07:14] Evan Francen: Well, the new, the new controls in eight, it, uh, it gets, it gets tougher for him.

[00:07:21] Brad Nigh: That’s good. And again, I like the CIS. Don’t, I don’t want to sound like I’m being negative, but it’s not, the current version is not holistic, but I don’t think it ever claimed to be. Uh, but then you’ve got, you know, CMMC that has a completely different set of requirements to pass. It’s not really true false. It’s, do you have two of these three things, the different levels have different requirements around it. So it’s gonna be really interesting to see how this turns up, it turns out, okay, and see the different people’s take on it. I’ll say I was really happy. I’ve been working with the consulting team, the vCISO team, and they sent over their kind of their wish list and contribution to it. So I stayed out of the process with them, so I didn’t have anything like, I didn’t have any influence, this is all of them, but I was helping like kind of guide Megan and until them in terms of, you know, what to do and things. So I was really happy to see that come over.

[00:08:32] Evan Francen: I was happy to see that come over to until I realized it’s more work for me to do.

[00:08:37] Brad Nigh: Well there is a

[00:08:38] Evan Francen: mhm I did like it too though. It was really cool. It’s uh what I got I got it open here maybe six pages of just you know, suggestions and ordering of controls and such like that.

[00:08:53] Brad Nigh: Well and what’s nice is it kind of but it’s like suggestions by the people that by far have done the most of these. Right? It’s right

[00:09:04] Evan Francen: yeah it’s good. It’s definitely good advice. These are things you know, you you only wish you had, you know until you have them. Doesn’t kind of like wish you didn’t because it does make more work but it makes it makes it makes it so much better man. I mean and certainly the end result, people receiving the assessments are it’s night and day. So I’m excited to work through that. That’s good. You’ve been working on an IR assessment, an incident response assessment,

[00:09:35] Brad Nigh: maturity assessment. So it’s pretty much done except for that final scoring piece too. Make it into the to score uh And then some like figuring out math around retention times and how that factors into the score and but the most part it’s true false with like, hey how long do you keep your backups? There are three months 3 to 6 60 12, 12 plus and so yeah well plus gets a full credit and then you get progressively less as it goes down. But it’s for the moment, I mean it’s completely functional. Just you don’t have that final score at this point, but Mhm.

[00:10:20] Evan Francen: Very cool man. I’m excited to see that. And uh now you if you guys is the team already taken that and applied it or used it a couple of times, at least the content, Right?

[00:10:29] Brad Nigh: Yeah. Yeah. So the first time we did it on ourselves, so the I. R. K. And interviewed me uh for as a FRSecure representative, which was interesting considering helped create it. But it was in that that we realized that how we had things worded and kind of the ordering was it needed some tweaking. So it’s that’s always good. You never know those things until you’ve done it. Yeah. And then we’ve done it on with those changes done and to customers hustle.

[00:11:06] Evan Francen: Yeah, awesome, awesome. Did I tell you anything about the great Matter society?

[00:11:10] Brad Nigh: You know, I was like what is that?

[00:11:12] Evan Francen: What is that? It’s another one of Evan’s harebrained ideas. It. Uh so you know, on the on the shoot show that we do every Thursday night we talked about kind of some deep stuff sometimes and one of the questions I have posed, we might even talked about here briefly was you know what’s at the root of all information security industry problems. Right? So that’s a good question. You know, to drive a whole bunch of conversation and through all that conversation, we had a bunch of really good ideas. Like, first of all, we just assume that there is a problem. Well, depending on how good perspective you look at it, it may not be a problem at all. Right. If you’re, if you’re a vendor who was selling security stuff, I mean acrimonious was just I think valued at $1.2 billion dollars yesterday, it’s like, well day, nothing broken here, brother. You know, we’re to one fine.

[00:12:06] Brad Nigh: Yeah.

[00:12:08] Evan Francen: You know, so, but anyway, that that whole discussion and then we realized that we had some really good ideas on how to fix things, certain things. Yeah. But what we don’t have is a good place, a good forum where we can talk about solutions to difficult problems and then vote on those things and really have a voice together. Um, you know, because I’m one voice man. You’re one voice. You know, you get 1000 of our voices then maybe we can affect some change instead of maybe the Senate hearing, which we’re going to talk about today. Uh, you can go to this place and say, well this is how we should do policy. You know, what have you? So really a think tank, I think.

[00:13:00] Brad Nigh: Okay. Yeah, I know you’ve, we’ve talked about that before. I didn’t, I didn’t know what when I thought at the buddhist. Yeah, really, there’s definitely room for something like that.

[00:13:17] Evan Francen: Yeah. And we, and we’re gonna stick to, you know, just like we do at, you know, the companies you and I work for where you stick to the mission and we’re gonna have strong core values and we’re not going to deviate from those core values. So if you can’t if you’re coming to participate in this think tank, because you know, you want to make a big name for yourself and make a bunch of money or influence decisions on behalf of some certain technology that your company sells. No, that’s not gonna work.

[00:13:46] Brad Nigh: Yeah. Oh and uh people based on our experience, uh it was kind of self police itself itself, moderate uh a good extent because that so many people are just tired of constantly being sold to. Right? Just that’s not that’s not the point.

[00:14:09] Evan Francen: No. Exactly. And and oftentimes you’re either being sold a bill of goods, you know, uh we joke about it, you know, ai everybody’s got a I but nobody’s got a I you know, so either being sold a bill of goods being sold products, they can’t do what they promise that they will do, or the products that you can’t use anyway because you don’t know how to or you don’t have the manpower for it.

[00:14:38] Brad Nigh: I think that’s probably the bigger, more common issue. Buy something that, in theory would be great, but it’s not configured properly. I mean, how many times in an IR have we heard, wow, I thought we we spent all this money and we have all this technology. How did this happen? How did we not know? Right because it wasn’t properly not catching everything

[00:15:03] Evan Francen: well. Right. And what people don’t realize is when you do those things you actually make things more vulnerable because now you’ve got another product in your product stack or you’ve got another set of applications that you need to patch and you don’t even know how, you know, you don’t want to configure. Well, vulnerabilities typically come in two flavors, right? It’s missing updates and patches or meaning that there’s a software flaw or you didn’t configure it well.

[00:15:29] Brad Nigh: Well and I think the yes there is that security peace but also the bigger issue to me is it gives people a false sense of security and they stop paying attention. They’re like well we’ve got this in place, I don’t have to be as vigilant, it will alert me and that’s not the case.

[00:15:48] Evan Francen: Yeah. Very true. Good point man. Yeah. All right. To anything. Oh it’s your week next week if you can think of a guest, I don’t know, we got to guests are kind of fun because it makes things up a little bit just a little bit different.

[00:16:03] Brad Nigh: I’ll think about that. Yeah I like having the best because exactly, it does give a different voice and perspective.

[00:16:11] Evan Francen: Yeah. So do that? Anything? Anything else do that fr security security studio I think exciting.

[00:16:20] Brad Nigh: Just I mean it’s crazy busy good. Um So yeah I’m working on the S. Two R. CMMC stuff. The IR assessment is pretty much wrapped up and then uh doing a NIST maturity update uh kind of re redoing that based on them some new guidance that we’ve seen come out on how it should be done. So um kind of combining the uh uh I saw a five step people process and technology with the NIST four levels of maturity. Okay. Writing controls and scoring and all that fun stuff.

[00:17:07] Evan Francen: Nice. The one that’s the one for bluegrass. Yeah

[00:17:11] Brad Nigh: that’s what’s driving it but I’m doing it in a way. It it’ll be that useful for anyone. We’ve had you know multiple larger clients say I want a maturity assessment not the risk assessment which is like whatever. I don’t necessarily always agree with it but you know if if that’s what they want it is a valid thing. It’s just you know we always the fun part is we always map that back to the S2 given the score and and whatever that happens are always like I love this. Yeah you’re not just doing this. Yeah

[00:17:47] Evan Francen: exactly. Yeah that’s correct.

[00:17:51] Brad Nigh: You know if they’re being required to do it in a certain way. All right

[00:17:57] Evan Francen: but that’s kind of the point right? I mean in our industry anyway we’re so just shoveled in the way we talk about security. The way we talk the way we quantify risk. The way we do assessments the way we mean. We talked about CMMC we talked about CIS you think talking about NIST you know whether it’s one of the special publications Sp 853 or the C. R. Assistant CSF you talk about COBIT you talk about so I mean it’s like my God, you know, let’s just figure out a way perfect because it will never be perfect. Right?

[00:18:33] Brad Nigh: But at the end of the day, I mean if you look at all of those There what they’ve got to be 90 at the end of the day. The same.

[00:18:43] Evan Francen: I know right.

[00:18:44] Brad Nigh: But it’s just different approaches to how they’re looking at the exact same controls and what the you know, recommendations are are different. Right.

[00:18:56] Evan Francen: Right. And I think we get a rapture on the accident a lot. Just certain. I mean I’m finding myself do it every time I work with controls. You know, I’m finding myself do it with the CIS you know controls. You take the CIS wording and then you make essentially refined controls. Because their wording sometimes is somewhat The lump like a whole bunch of like three or four controls into one statement. It’s like that should be 34 statements right there.

[00:19:24] Brad Nigh: Yeah. I will say the nice thing with CMMC is is it is pretty clear um and they have good guidance on those. So it’s just a lot of work kind of pulling all this stuff together and clarifying and you know, hey, here’s they have this recommendation that doesn’t necessarily Yeah, you’re just rewarding stuff. So yeah.

[00:19:50] Evan Francen: Uh reminds me one more thing I’m reaching out to uh I’m gonna reach out to some colleges here, it’s not like number one priority, but reach out to some colleges to put together that, you know, I talked about, you know, how we secure critical infrastructure. You know, I take like water, you know, treatment facilities for instance, Just give them two things, identify your externally exposed systems, IP addresses, either close them down or secure them with multifactor authentication. If we just did those two things Say in the next 12 months across the entire country, how much better off would we be? And so I’m reaching up to the University of Minnesota, their Technology Institute, their Master’s Program for Security, and a few others try to get some what a great project it could be, you know, to work with other students from other universities and colleges in get to work on this, go solve this thing.

[00:20:56] Brad Nigh: Yeah, that would be cool.

[00:21:00] Evan Francen: Yeah, so that’s coming too. But it was just too much stuff. I gotta stop being that. I wish I sometimes, you know, uh ADD is like a superpower. Sure, sometimes ADD will put you into an early grave man, I’m kind of like, I’m on the edge right now, so I gotta get back to be like, hey I’m just gonna focus on something now.

[00:21:20] Brad Nigh: Yeah.

[00:21:22] Evan Francen: Funny. Mhm. All right. So let’s talk about the last week. Yes. You know, I’m not sure how many people realized, you know, even in our industry that there was an open hearing on Capitol Hill, the Senate held an open hearing and the hearing it was titled hearing on the hack of US networks by a foreign adversary. And really this was about or came about from, you know, the SolarWinds attacks of you know, late last year and you know, still on still ongoing uh today. And part of this was so you have this committee, the intelligence committee and then you had in the link, if you want to find it is, you know, on the show notes the website, they had four witnesses. They had invited five but one declined. So Kevin Mandia, the CEO of FireEye, was one mhm. Sudhakar, I think, Ramakrishna the CEO of SolarWinds, Brad Smith, the president of Microsoft and George Kurtz the president and CEO of CrowdStrike. So you got some pretty heavy hitters, you know, in this committee. Uh the one who declined, which I thought was really interesting. I don’t know why you would make this decision because they were called out at least what? 567 times. Making 10 times.

[00:23:03] Brad Nigh: Yeah, it was like one person started it and then everyone else was like, I’d like to add my support wondering why this didn’t happen. So pretty much every, I think almost every senator on that committee called him out.

[00:23:16] Evan Francen: Yeah, so Amazon Web Services didn’t show up. They were invited, they didn’t show up. Uh It didn’t seem like any of the committee members knew why it was just declined, which is really kind of crappy because AWS was used in carrying out the attack. AWS. Um Amazon has not been forthcoming. So there’s some articles that are linked to also that that sort of cover what Amazon role is in any of this, but it’s a really, really important role, Their infrastructure played a huge role in this.

[00:23:55] Brad Nigh: Yeah, I get it. It’s a tough spot for them because how would they have known this? Right, nobody else. So I get them going, what do you want us to do? Nobody else knew about it, but at the same time you typically don’t want to piss off senators.

[00:24:14] Evan Francen: Well, in this was this was a committee hearing wasn’t, you know, hearing to put blame, so Amazon not showing up almost makes them exposed for blame.

[00:24:26] Brad Nigh: Oh, it’s like like I said, they definitely did not put themselves in a good light. Well

[00:24:34] Evan Francen: no, so if our listeners, if you wanted to go uh watch or listen to um the committee hearing, it was about 2.5 hours long.

[00:24:46] Brad Nigh: It was it was long. There was really a lot of the interesting stuff said and a lot of things that I did agree with, especially from the the witnesses, which probably isn’t surprising but since I was kind of validated our thought process and how we do things to hear, hey, this is what you should be doing were like yes, we’ve been preaching that for years,

[00:25:10] Evan Francen: right? Well one of the things that’s good about being on, you know, us working together, not just you know, here on the podcast, but you know, in other work, it’s just the different perspectives because I think I was disappointed in a lot of what they said. I was also also you know, there was there were valid points for sure. But the one part that in the middle of the the hearing or about Now or 22 minutes in is that exchange with Senator Wyden? Yeah, he’s a Democrat out of Oregon I think. Thanks. So where essentially he’s like, okay, first of all Orion doesn’t need internet connectivity to operate. He picked up on that or somebody advised him on that, which was like there you go. So we valid invalidated the least privileged principle for sure because you know, people weren’t the IRS of all places believe it or not was blocking uh internet access, you know from the Orion system and they didn’t have any issues.

[00:26:24] Brad Nigh: Right, Well, you know, so one of the interesting things I think just kind of ties into that is I didn’t realize that there was that information sharing block in place between the different agencies, right? Like uh what? Yeah, it feels like everyone should have been doing like the same thing and not, they’re not changes, he’s doing it their own way, which really surprised me, but it probably shouldn’t have, but

[00:26:55] Evan Francen: it’s crazy man, will the government has become so big, so complex, you know, I think that was a big reason around, you know, maybe FISMA and some of the other types of things they’re trying to do at the federal level to try to get them to play by the same rules. Yeah, we’re not doing that for the most part,

[00:27:16] Brad Nigh: but yeah, going back there, Wyden definitely had a good point and said, you know, the IRS had it where it wasn’t connected or it was blocked so it couldn’t communicate, so they didn’t get reached. Right? Why didn’t everyone do that?

[00:27:31] Evan Francen: Yeah, well, and that’s the thing, man, I mean, you have a tool, right, no matter what tools you’re using, right, take like construction, you have a saw, right? You used us all correctly. Hey, there’s, you know what materials you can go through cut through, you know, you wear your safety stuff and I mean you use it correctly, right, in the digital world, you have a firewall, the firewall that’s used correctly is a really effective tool and what it’s designed for. So his question was essentially, you know, Orion doesn’t need any internet connectivity period to operate. Uh so if it was isolated, it would not have there have been no communication back to uh you know, the perpetrators in this attack. Mhm. So there would be no command in control because there would be no communication. So that point was really well taken and then he went down the path and so he confirmed that first with, you know, Mr. Ramakrishna of SolarWinds. And then the second thing he said was, you know, we have these things, these standards basically NSA recommends that organizations only allowed traffic that’s necessary for operation. And I ask you, you know, that’s the same sort of thing. So we’ve got, you know, going back to all this craps or that we we were talking about, you’ve done all these standards right? Here is definitely a place where there’s overlap. You only allows a goat with default deny. Now the old way we used to say it for people who speak the old language blacklist, right? We’re blacklist and whitelist, so you white list meaning you only permit the traffic that’s authorized, right? It’s zero trusting, but like the real zero trust, not some crap I’m trying to sell you

[00:29:26] Brad Nigh: right? Yeah. You know, I liked Yeah, well I like uh and his answer in that you’re

[00:29:40] Evan Francen: not gonna just that’s cool,

[00:29:41] Brad Nigh: but it comes, it brings about a bigger issue, right? So his answer was depends, right? In theory it’s the sound thing, but it’s academic and practices operationally cumbersome, which means the businesses aren’t willing to do what’s right because they’re like, well that’s just too much work and it might cause slowdown. So we’re not going to do the right thing. And that’s to me the bigger issue and I agree, I think, you know, reading it, I kind of a think he was a agreeing but saying yeah, yeah, that’s great. But nobody actually does it. It’s not practical and that’s the problem. Right?

[00:30:24] Evan Francen: Well, the thing that, so you know, Senator Wyden had asked, you know, basically have these standards and you do the default deny would that have essentially mitigated the attack. And he asked the question and he used a lot, a lot more words than that, but that’s what this question was. And then he asked each one of the uh witnesses to give a yes or no question, right? And and so then, you know, Kevin Mandia is the first one to answer. And first, you know, I get his where he’s coming from for sure, but he says it depends. Well that was that wasn’t one of your options first of all, yes, yes or no. And and one of the things that irritates me just about people in general, man and maybe I’m just getting old and you know, grumpy and it’s time to put me out to pasture. But mhm follow instructions, you were given the instruction, yes or no give answer. Yes or no. So if it depends, well then it’s a no trip. Yeah, because what the question was is a properly configured firewall one that’s set up with default deny only permitting traffic that’s required for operation and authorized. Would that would that have mitigated the attack? Yeah. So Kevin, so Kevin inserted the subjectivity by saying it depends that wasn’t the question. What you’re saying, depends for is because you’re you’re you’re interpreting this question as a firewall of firewall, not a properly configured firewall Because the answer is absolutely 100 yes.

[00:32:10] Brad Nigh: Well, right, I agree. But I can I can see based on experience of going Yeah, I would, but nobody does it. So it’s

[00:32:23] Evan Francen: that’s another question. Right? It’s not a question,

[00:32:27] Brad Nigh: but it gets a it was a good point to bring up.

[00:32:31] Evan Francen: I agree. And if you if you want, if you would have said so, the question was, what are properly configured firewall have mitigated this attack? The answer is yes. But

[00:32:43] Brad Nigh: yeah, I think maybe uh Mr. Kurtz’s answer was reading through it, uh may have been a better response. Uh and he had the benefit of not going first. Right, So you got to hear what the other people said and the senators reaction, but you know, he said yes and I would say firewalls help but are insufficient. There isn’t a brief, we’ve investigated the company didn’t have a firewall or antivirus

[00:33:07] Evan Francen: but again, he didn’t answer the question. The question wasn’t a firewall. The question was a properly configured firewall,

[00:33:15] Brad Nigh: but I think, well how

[00:33:17] Evan Francen: often have you gone into a properly configured firewall?

[00:33:20] Brad Nigh: The problem, Right,

[00:33:22] Evan Francen: bingo, That’s where, but that’s where we should have focused. That’s where it would have been nice to take. This is why don’t people have properly configured firewalls?

[00:33:32] Brad Nigh: Oh, 100%. I’m like we

[00:33:35] Evan Francen: have the technology, what we don’t need is more damn technology,

[00:33:39] Brad Nigh: right?

[00:33:40] Evan Francen: You already have the tool, learn how to use the tool.

[00:33:43] Brad Nigh: And I think that’s the point that Mandia and Kurtz was making, is there there? But nobody’s using them properly? I

[00:33:52] Evan Francen: don’t even, I don’t even think that’s the point they were making because that was the point you were making, you would have said yes, but rather than it depends and then go on to say the bottom line is this we do over 600 red teams a year. Firewalls have never stopped one of them.

[00:34:08] Brad Nigh: Well and and that that was uh yeah, I didn’t think he went, he missed the point on that one for sure because it wasn’t about getting in. He was saying, hey, if they had an egress traffic filtering enabled, would that have stopped it and that wouldn’t stop somebody from getting necessarily in, but it would stop it from communicating back out and continuing. So I agree. I think he missed the point on that statement for sure.

[00:34:38] Evan Francen: I didn’t like his analogy about a gate guard outside the New York City apartment building blah blah blah because what you did is you distracted from the root of the problem. You finally got to it sort of at the end but not in a clear enough manner that anybody. I think most people probably didn’t catch it. Yeah.

[00:34:55] Brad Nigh: Yeah I can I can see that. I don’t yeah. I don’t know.

[00:35:00] Evan Francen: I don’t want another damn tool. I know the tool that works.

[00:35:05] Brad Nigh: Yeah. Like I said the way I took both his and and Kurtz’s was to say that yeah the technology is there but it’s not being used properly. No, they didn’t they didn’t say it. If they had said that specifically. Yes I would have helped but nobody does it. That would have been the right answer.

[00:35:24] Evan Francen: Well knowing knowing CEOs of very large multibillion dollar companies that just love the money. There’s a reason why they didn’t answer the way as clearly as you and I would have answered it because the answer was the question is yes or no. Yes absolutely. A properly configured firewall according to what the NSA and the NIST put out as guidance meaning a default deny would have mitigated this particular attack. Could you have potentially gotten around it? It would be a lot more difficult.

[00:35:56] Brad Nigh: You know this is what I love doing this because it does make you look at things in a different way. And it’s interesting that? Now looking at it and having some time to chew through it. The only one of the four witnesses that, you know was very straightforward is the non security company.

[00:36:16] Evan Francen: Exactly. Ramakrishna was like, yeah, the

[00:36:21] Brad Nigh: standard help. Yes.

[00:36:23] Evan Francen: Yeah. Thank you.

[00:36:26] Brad Nigh: Where is? Yeah, I get that.

[00:36:30] Evan Francen: Yeah. I grew up in a military family where my father gave me that you have an option to options Evan yes or no. I answered yes or no.

[00:36:41] Brad Nigh: Right.

[00:36:44] Evan Francen: Yeah. That’s a, that’s a very simple binary. Uh, you know,

[00:36:48] Brad Nigh: and you know, the one that I didn’t like was Brad Smith’s answer. God, he’s like, yeah, it depends because what he said, he didn’t even and any justification, right? Yeah. At least Mandia and, and Kurtz’s were gave, you know, some justification for their thought process. Why did they say this? So, I mean, I give them credit for that. Even if they answered it wrong, at least they, you know, put something out there. Right?

[00:37:22] Evan Francen: Right. Yeah. So I would have, I mean, I, there was a lot of that sort of innuendo sort of stuff in the testimony where when we have the opportunity to and Jack a pr thing or a sales pitch almost they took that, it seemed like they, a lot of times they took that opportunity.

[00:37:48] Brad Nigh: Oh yeah. I didn’t think, uh, Brad Smith was the worst that they did that by far the most pushing, well, we’ve said everyone needs to go to the cloud and get rid of their on-prem yeah, because you want to charge a subscription,

[00:38:04] Evan Francen: right? Yeah. Would you tell me how that has anything to do with mitigating attacks? Right? This type of attack

[00:38:15] Brad Nigh: now? I will Yeah, true because they didn’t catch it either. Right? But and I will say this there is a benefit for using cloud hosting because I guarantee you Microsoft has more resources to look for this stuff and be aware of it then most companies but at the same time your that’s the that Bruce transfer, are you willing to put all your trust in them? Because at that point you don’t have a lot of the control anymore. So

[00:38:51] Evan Francen: you and the way in the way that stuff Mhm. Like my stuff in my world is everything to me, my stuff in somebody else’s world is a very insignificant part of their world. So you know, Yeah. You know I’m a you know take a bunch of marbles and put them in a bin. I’m just one of those marbles in my world, that marble is all I am right, this is me this, I’m going to protect this thing as much as I can. At least I care about it. I mean I know how to protect it, but I care about this thing when you put it into a you know a big bucket like Microsoft and one of the one of the marvels falls out of the body in that context. It’s like a big deal. They have all these resources and everything but that marble that happened to fallout was my marble.

[00:39:41] Brad Nigh: Well, and you know, how many times have we seen a data breach where it was a misconfigured, you know? Mhm cloud based solution either hosted by Azure, AWS and you know, you’re still responsible, but now you’re putting it somewhere where maybe you don’t have the expertise to make sure that it’s done correctly versus on-prem where Yeah, you can put a firewall in place and isolated, make sure you can talk to the internet as opposed to we have to have it open to the internet to be able to communicate.

[00:40:20] Evan Francen: Yeah, one of the wisest pieces of advice and I’ll keep living with it, man, this that’s it, it will always hold true, you know, the worst enemy of security is complexity. Mm right, You know, and so the last thing I want to do is add more stuff to it already have tools, if anything I want to remove tools from my environment.

[00:40:44] Brad Nigh: Yeah, yeah, simplify Well, you know, that’s again, not to say that there isn’t a use case for it, like they’re 100%, but do people truly understand the risks when they’re doing that and I don’t think the majority of people do and you know, that that leads me to one other thing I wanted to say was, uh, it was interesting listening to this, you know, senators talk and some of them, I mean they were clearly well prepped by their staff, but you could tell they didn’t really get some of the answers just by the way they were asking follow ups or, you know, their responses, right. Um, but overall I thought all the witnesses actually did a fairly good job of not talking over them with, you know, super technical to speak. It was understandable. Mhm. Which is a pretty impressive thing when you’re talking about something this complex,

[00:41:50] Evan Francen: Right? one of the things that, that’s frustrating to is when you talk about, you know, how, how seriously people take security. One of the first things they go to is how much money they spent. So you know, and white and hit on it and they were hitting on it numerous times in the committee and you’ve seen calls all over the place, we need more funding, need more money, need more money, need more money for cybersecurity and they don’t, what you need to do is to need, you need to learn to use the shit that you already have. Well,

[00:42:24] Brad Nigh: yeah,

[00:42:25] Evan Francen: The manual, the one RTF RTF.

[00:42:28] Brad Nigh: Yes, who does that? Um, I would say the one thing that I like I did it and this is obviously another could go down a whole another rabbit hole, but was Brad Smith saying we need more, we need to invest in colleges and technical colleges, getting more security people out there, we’re outnumbered and have to, you know, are constrained, We talked about this. We have to play by the rules. The Attackers don’t, they don’t care, you know? And so yeah, we need more people. And I liked that call and getting that kind of, the way it was phrased. I don’t remember how it was, but like investing in college programs to get, get something, get more people, get more access for people to do this,

[00:43:22] Evan Francen: you know? And well, yeah, and I think it’s, I don’t know, man, I’m not a big, I mean, I get that and I am a big fan of, there are so many college programs anyway. Most lot of people can’t afford them. I think you’ve got to go all the way back to, you know, K-12. This is a life skill.

[00:43:39] Brad Nigh: Yeah. Well, and yeah, take it a step further, right? Like let’s get this type of stuff going into school,

[00:43:48] Evan Francen: right? Don’t they say like rising water raises all ships or whatever.

[00:43:53] Brad Nigh: Uh, I don’t know. I don’t like that.

[00:43:57] Evan Francen: Well, so like if you take an entire population and you improve their skill level, it raises

[00:44:03] Brad Nigh: everything that makes sense

[00:44:06] Evan Francen: because right now in, in the general population, there’s so, I mean there’s just so much ignorance. So, you know, and we did something with, uh, well, and obviously I’m telling my own, our, our own idea right with S2Me, but if everybody did just that or do something, I don’t care. It could be ours, it could be whatever. I mean ours is pretty so there’s no motive to it, it’s just whatever. If everybody had an S2Score to just start up, how much would that raise the awareness of security in our country. And let’s say we tied some sort of, you know, because people like their gratification, they like their rewards, they like something sadly too often I like something for nothing. Um But you know, I mean I think it’s something like that that needs to elevate everybody right? Because lot of the things that they’re teaching in colleges, I was I was telling you about University of Minnesota lot of the things are teaching you in like the curriculum is like stuff that a lot of that you probably should have already known before you even got

[00:45:27] Brad Nigh: Yeah. Yeah. Yeah, unfortunately that’s not the case.

[00:45:32] Evan Francen: Yeah. So I think I agree with, you know what Brad Smith said, we do need to invest in more security people in our industry, but I think you’ve got to start like we gotta get everybody

[00:45:43] Brad Nigh: better. Yeah. Well I mean it makes sense because I mean look at all the kids now have an iPad or a Chromebook or something. I mean kindergartners. Uh there needs to be something starting at in kindergarten even. Yeah, for sure and then that goes back to, you know, the teachers that maybe don’t understand it. So how do we educate them? So they can provide good content and yeah, it’s a, there’s a lot of work to be done

[00:46:18] Evan Francen: and parents, because parents also don’t know a lot of these things, right? I didn’t grow up with computers, but I was in kindergarten, I didn’t have a computer.

[00:46:26] Brad Nigh: No,

[00:46:27] Evan Francen: she saw, you know, this is all new to me. So I think I understand what my kindergarten is going through when they’re working with a computer, but I didn’t live that, right, You know? And I may not even, I mean I may have a blue collar job, but I don’t work, I don’t work a lot with technology then what, you know, now my kids probably had a disadvantage, you know? Yeah, like you said.

[00:46:53] Brad Nigh: Yeah, So uh, here, here’s my going off on a tangent, but I was looking through it. Uh, one of the things that’s about was what was the process for uh Sudhakar Ramakrishna, like when did he get offered the job? Did he take it knowing that could happen? I was trying to find that and I couldn’t find it, but I mean, he started in January, so that’s a, you’re taking on a lot as stepping into CEO with all that going on,

[00:47:25] Evan Francen: you know what a great opportunity because one, you can point blame it, They, I mean there’s going, even if you don’t point, oh, there’s this, there’s this implied like, yeah, that’s that was he did that I’m here

[00:47:37] Brad Nigh: to fix this, right? Yeah. He definitely has a phenomenal opportunity. But at the same time it’s a, I mean, they had,

[00:47:48] Evan Francen: and I would have negotiated a healthy race are healthy, you know, bonus structure or something.

[00:47:53] Brad Nigh: Oh, I’m sure Saltman, please,

[00:47:57] Evan Francen: I’ll take the job sure. But you know, whatever we had for a bonus, let’s double that.

[00:48:03] Brad Nigh: Yeah, Yeah. I would assume something that the higher profile was not a last minute thing that had been in the works for a while, right?

[00:48:17] Evan Francen: He hasn’t even updated his LinkedIn profile yet. It still says

[00:48:21] Brad Nigh: the whole

[00:48:23] Evan Francen: secure.

[00:48:24] Brad Nigh: That’s funny. Yeah. Because that not broken. Broken like December, right? Yeah. So like three weeks before he started the job, there’s no way he knew prior to accepting it. You don’t CEOs don’t take a good gift to his notice. Alright. People a little bit longer of a transition.

[00:48:48] Evan Francen: Yeah. Yeah. But I did like I like this testimony probably the best because he came off as very honest. Um, he took instruction extremely well. I just thought it was, I liked, I didn’t feel like there was another agenda with them,

[00:49:04] Brad Nigh: I think. Yeah, exactly. What I think realistically, I mean, he had the most at stake. It was their company’s product that got breached the rest of those people found it and we’re impacted by it. But it was there things. So yeah, yeah, I think he did a really good job of, okay, here’s some of the things, here’s some of the changes we’ve already made. What,

[00:49:27] Evan Francen: But I think I found it interesting too, that this was in the fire, FireEye’s environment for a while before they, before they noticed it months. All right. Because I think, you know, I I think there was a FireEye is a great company. I don’t want it to come off this way, but I’m also not enamored by, well, you know, I’m not easily like wowed in a lot of these things. Uh, because I still believe until until there’s kind of something to take us somewhere else. FireEye sort of stumbled on it.

[00:50:03] Brad Nigh: Oh, yeah.

[00:50:04] Evan Francen: Or when they stumbled on it, it I still believe that it was on purpose. The Russians or whoever’s behind it. It’s the Russians, we should just say it. I don’t know why we keep playing that game. I know, but they’re not saying it in the in the federal government, you know, with the Senate hearing and all that stuff. Remember they were like,

[00:50:25] Brad Nigh: no, they said it was the Russians, they were arguing about how to classify it. They didn’t say it was Russia, right. You know? Yeah. Well, I think that this goes to show it could, this is what we talked about, it can happen to anyone. It’s not a matter of if it’s a matter of when if people are really wanting to get in, they’re going to get in, right, and you know, there’s there’s nothing you can do to, you know, you can do as much as you can to push it out and minimize the impact. But if you have a nation state coming after you, it’s just a matter of time,

[00:51:06] Evan Francen: Right? No, for sure, because it may not be technological either. Let’s say you did have that properly configured firewall with and there was no communication vector back to an attacker in Russia. Well then I’ll come physically or they’ll get something uh figure out they’re very crafty. Right? It’s just like the same thing we did with Stuxnet, that was a very difficult environment to get malware into, you know, and if you if you if you watched or read the story about how that happened, I mean they recruited quite a few people, finagle its way into that environment,

[00:51:45] Brad Nigh: right? Yeah, I mean it that was a really good uh example of being extremely crafty changing the speed without changing the display. How do you catch that? Like you don’t until you go, what is going on? Why does this keep failing?

[00:52:10] Evan Francen: Well, I, I do think that this was certainly a sophisticated attack too, but I don’t think it was super ultra, I mean sophisticated, they had, they had time on their side, they were patient, they were like any really good attacker that was focused on a specific mission and operation, you know, take your time. We’re in no rush.

[00:52:32] Brad Nigh: Well, and I thought, I think it was uh, Kevin Mandia that was saying it because some of the senators were like, well why didn’t they just burn it down and get out or why did they keep staying in? Well, because that wasn’t what they want. They didn’t want to burn it down. They wanted persistence, they wanted to continue siphoning data. So why would they didn’t want, yeah, they didn’t want to make a big star.

[00:52:59] Evan Francen: Well, I think this is chess playing out on a world stage two. I think, I think the Russians, you know, did play this out? And they, they still have footholds in many, many, many, many, many, many places. So don’t think that they’re like then they’re out right? That that, you know, this was their only attack vector. But the way the right, I mean they’re chess players, man. I mean who in the world is better at playing chess than the Russians? Well, it’s no coincidence that FireEye found this attack and I’m sure the Russians are really taking note of how we’re responding to it, right? Which which person got mobilized? Where how are they doing it? What are they saying? What? You know, I’m sure they had many, many people who watched the Senate of the same center here in you and I watched,

[00:53:49] Brad Nigh: Oh, for sure. Well, I mean I would agree with based on on the complexity and the scope of this, you know, Microsoft saying, Yeah, we figured there’s got to be at least 1000 engineers working on this. I mean, this is not again, if they want to get in, they’re going to get in there, putting the resources to do this stuff. Um, I did like, I couldn’t, I don’t remember who it was. I don’t remember if it was Senator Wyden or Senator Warner, I don’t remember who it was, but they brought up, you know, hey, maybe we need to have rules of engagement, you know, in a war. You don’t bomb the Red Cross, the ambulance to the hospital. Mhm. Do we how do we get some sort of an international agreement that, hey, you don’t do these things because

[00:54:40] Evan Francen: but it won’t work. I mean, they’re attacking hospitals now.

[00:54:48] Brad Nigh: That’s what I’m saying. If you can get, you know, is there a way to do that? Right? Come to us?

[00:54:54] Evan Francen: How how? Because, well, it’s not the Russians, it’s a it’s a it’s a criminal gang that the Russians allowed to operate on their

[00:55:02] Brad Nigh: soil. It’s the government.

[00:55:07] Evan Francen: Well, right, that’s what I’m saying. It’s they allow them to operate on their soil. As long as, you know, the way the Russians approach. It is. Yeah. You can go do criminal activity just don’t attack us. Don’t attack our resources, Otherwise you’ll be in trouble.

[00:55:21] Brad Nigh: Oh, I think there’s definitely a lot of that, but I think this was actually that state sponsored, not

[00:55:29] Evan Francen: what I’m, what I’m saying, what I’m saying is in this battlefield if you’re gonna so can’t attack hospitals. Well, big deal.

[00:55:39] Brad Nigh: Well yeah, there’s gotta there’s gotta be something Uh

[00:55:45] Evan Francen: huh But I think now, so here on this one particular point because there’s many points, but I think on this one particular point where Mr Wyden said properly configured firewall, Mr Mandia said it depends. But then the key point is what he said, you know, towards the end of that Yeah, statement because what he said was um in theory it’s a sound thing but it’s academic and practice, it’s operationally cumbersome.

[00:56:17] Brad Nigh: Right. Which means like you were found that businesses just aren’t willing to take the time and effort mm to properly configure it because oh well that’s a, you know, it’s a negative or or an impact on the business, they’re like, well it’s not worth it.

[00:56:38] Evan Francen: So it’s operationally cumbersome but that’s that’s I think the point to solve it properly configured firewall yes, would have mitigated this attack. However, nobody are very few people actually configure the firewalls properly.

[00:56:54] Brad Nigh: Mhm

[00:56:56] Evan Francen: And why do they not configure their firewalls properly? Well in many cases it’s operational cumbersome, which like you can interpret that to be either because I think sometimes who say it’s operational and cumbersome because it’s work. Thank you because I have to work. Well you get paid for it. So I figured out

[00:57:16] Brad Nigh: well, and here’s the thing how many servers and server software need internet access? Very few. Right like or they only need specific porters to, you know, specific cloud hosted, you know, updates, you know, for they think like your your endpoint protection, you know, when to update, sort, patch management, things like that. Good. You don’t need DNS and internet or anything. You don’t need external access for what I would estimate 99% of the software and servers that are out there, right? Or at least yeah, it would be very targeted.

[00:58:08] Evan Francen: And then I love this. I agree completely. The senator, Wyden, has become uh endearing to me because I’m a network I I grew up a network guy, right? Let’s just go back in the nineties and man, I love networks, I love how they work. Just the beautiful but the hell said this, you know after talking with you know, in the in the statement he goes, yeah, it just seems to me what I’m asking about is network security 101. Any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world. And you basically said almost the same thing. So And he that’s strong man because it is this is Network Security 101.

[00:58:54] Brad Nigh: Yeah, he’s he seems to be uh probably the most like aware like knowledgeable I guess of that stuff. I don’t know if it’s to staff that hope the l hooked him up or if he’s he went and did the research but he I think he had the most relevant pointed questions. There was a lot of explain this to me, explain this to me. You know how did this happen? But I thought his were we’re really spot on

[00:59:27] Evan Francen: but I love what we said do it. So it is network security 101. He’s right about the firewall and then it’s any responsible organization wouldn’t allow software with this so that I would love to see legislative Legislate that you need to you know that you need to allow default deny. I don’t care if it’s operationally cumbersome. So is you know sort of 90% of the regulations out there anyway. At least this one would be effective and two if you have software with certain levels of access nobody who’s responsible would ever allow this connection with the outside world.

[01:00:05] Brad Nigh: Yeah. Yeah. You know let’s see I’m going to try and find this

[01:00:11] Evan Francen: does that. I’d love to see so many I’d love to see I’d love to see companies like cos then release guidance that said this system does not need to communicate with the outside world. You know so you have some accountability on the side of the software maker developer because to get them to write 100% bug free code Ain’t gonna happen any time soon but you can have them say that this communicates with the outside world or this doesn’t need communication with the outside world? Please block all traffic And this is how you do it as part of the implementation guide.

[01:00:48] Brad Nigh: Mm. Yeah. Well, and so I was looking for this uh couple, I guess it’s been about three weeks last week. I’m sorry. Um Laurie posted that she heard from a client that their insurance broker Is saying that 80% of insurance companies will deny companies coverage if they don’t have MFA.

[01:01:09] Evan Francen: And the other March.

[01:01:10] Brad Nigh: Yeah. Charge enormous amounts if you don’t. And so you’re starting to see that happened and we’ve heard rumblings from other uh insurance companies and brokers that a lot of these companies, insurance companies are considering just getting out splashing Whoa, this is huge. We were going to lose everything on this. I think you’re gonna start, it almost is gonna, I wonder if it becomes almost self regulating to some extent that that we don’t need it. But hey, if you don’t do these things, you’re not going to be able to operate, you’re not to get insurance, you’re not going to be able to do these things, People are going to work with you. So you got to start doing them

[01:01:56] Evan Francen: well there’s maybe, but doing what, that’s that’s the thing that we keep doing the overwhelmed, we overwhelmed businesses, but here’s an NIST CSF. Here’s so here’s this. So what do they do? They don’t, they don’t have the time. they’re not in business for that. They don’t have time to read through all this stuff and do all this. Give me two things. Give me three things to do.

[01:02:20] Brad Nigh: I thought that was good. Right? MFA N X on remote access. Perfect. Right. Hey, you need to do this and you need to do these other proof that you’re doing these other two things and be specific about it. Right? I think you have to on everything and you have a good centrally managed antivirus and a patch management solution. You don’t do those things were not going to insure you

[01:02:45] Evan Francen: well. And even that is, you know, I mean even it’s like I wouldn’t teach a baby how to drive a car. Right? I mean you have to get them there. It’s gonna have to take time we have to back up on a lot of the things that we’re doing in this industry rather than throwing more stuff at it, throwing more stuff at it. Because something insecure at the court will always be insecure. We have to step back and say, all right, Do these two things and then we’re gonna take this as a journey that we’re gonna do these next two or three things and on and on, you know?

[01:03:17] Brad Nigh: Well, but I think that’s where from a consultant’s perfect perspective, that’s where we can help. But I think rate these insurance companies are information, security companies right there getting the things and say, hey look, we know

[01:03:32] Evan Francen: you’re talking insurance, I thought we were still talking about the fixing the problem thing. Oh

[01:03:36] Brad Nigh: no, I mean it all comes from that injury dictating, hey, you need MFA. They’re they’re listening to the experts saying, hey, this is gonna be the biggest thing you can do to reduce risk. So they’re saying all right, you need to do anything. They’re not agree. They’re not going to be the ones saying how they should do it. But those companies that need to come and find people that can help them do the right thing, right? So I think it’s going to be layered approach, right? Somebody’s got to dictate, hey, you’ve got to start doing these things and then somebody else has to come in and say, ok, here’s how here’s how we can get you to do the things you need to do.

[01:04:19] Evan Francen: Alright? We’re coming up towards the end. Uh yeah, we can talk about this for a while. It’s it’s really good food for thought man. And we can tell that we started getting a little Anthony and animated, animated uh

[01:04:33] Brad Nigh: passionate about what we do. Hell

[01:04:36] Evan Francen: yeah, when it pisses me off because I think these problems are very much solvable the problem, you know, and it’s a because, you know, I was following along in your thought process and I’m trying to figure out, you know what people say and how you attack these types of ideas. So you say MFA. There’s still certain we have a lot to do in this industry because I think a lot of people, you know there’s a certain population I would say. Well yeah but you can hack MFA. OK. But that’s not the point. Stay focused on the point. I think a lot of times we don’t even know what the hell the point is in this industry. You know, the point is not to never have another uh SolarWinds again. Right. Right. Yeah. You’re going to say the same thing man reduced, produce the likelihood of this stuff happening and make it make it get better at responding to it quicker. Yeah. And you’re not gonna do that if you keep adding more stuff to it because you keep changing the goal posts so you’re not, who knows? Right. It’s just nuts. Yeah, a lot of work, you know. Yeah. So news stories I had and we’re not gonna cover them today. But if you want to see them uh Yeah they’re on my they’re on the show notes. Hackers released a new jailbreak tool for almost every iPhone except for the latest version 14.4. So we running that Chinese businessman plotted the GE insider to steal transistor secrets. This is not something new either. And I think it’s something that flies into the radar quite a bit is you know the industrial espionage state sponsored industrial espionage. It happens all over the place. And then NSA embraced the zero trust security model. Which awesome. I guess. You know, it’s, it’s not, no man. This is not anything new. Right? Just, we just called it something else and put a pretty sticker on it. And then now people are out there selling crap like CrowdStrike. For instance, their definition of zero trust is ain’t nothing like the real definition. Right? What am I gonna do Brad

[01:06:51] Brad Nigh: that’s Keep up in one company at a time.

[01:06:54] Evan Francen: That’s right brother. I love working this will work in this battle with you man. It’s uh, it’s nice to have somebody and I like the fact that we don’t see if things exactly the same way, but our hearts are in the right place. We love helping people. We want to solve these problems.

[01:07:11] Brad Nigh: Yeah. The end goal is the same for both of us. It’s just how, how we see getting there is going to be a little different. That’s what makes it fun.

[01:07:20] Evan Francen: It does make it fun because I totally respect your way of getting there. I think when you have this mutual respect, it’s like you have a great point. Can I fit that in with my point or do I need to change my point? You know what I mean? You figure out the solution that if we both do these things right? It makes a little bit of, I

[01:07:38] Brad Nigh: mean you saw it today with uh, me realizing, oh yeah, the only non security company had the best dance. Oh yeah, okay, we have had that realization, if we haven’t had that conversation we did. So I thought them

[01:07:56] Evan Francen: it is awesome, right? And shout out quick this week.

[01:07:59] Brad Nigh: Yeah, yeah, I’m gonna give a shout out to Renee uh working out and having a bad day and she just I don’t think she even knew she had uh what she said made such a positive in fact, but it really just completely made my day and just yeah, I took a lot of like, I was like, thank goodness, okay, and relieved all that stress and I didn’t, I realized I was kind of carrying, so that’s her name,

[01:08:30] Evan Francen: that’s cool man. Yeah, there’s always so many people to give shoutouts student, I’m going to give a shout out actually uh to you brad. I’ve seen you doing some really cool stuff and they seem to be just kind of, you know, in a in a really good season where you’re creating cool things and I have every interaction I’ve had with you in the last couple of weeks has been cool, really cool. So yeah, I know you’ve been through some Mhm. You know, we? Ve uh rough waters, this kind of thing, you know, and uh you’re staying strong man, I’m really proud of you, I’m excited to get this, get back to this book with you. So thank you, Shut up

[01:09:10] Brad Nigh: to appreciate

[01:09:11] Evan Francen: that. Alright, so thank you to all our listeners. Send things to us by email at unsecurity@protonmail.com. If you’re the social type socialize with us on Twitter, I’m @EvanFrancen Brad’s @BradNigh. Just our names, no spaces. Our twitter handles, other twitter handles. You can just follow and find stuff that we’re doing is un security is @UnsecurityP. SecurityStudio is @StudioSecurity and FRSecure is @FRSecure. Get people signed up for that CISSP Mentor Program.

[01:09:47] Brad Nigh: I think we’re like 3800, 373,800. Right in that range. That’s beautiful. That’s insane.

[01:09:56] Evan Francen: I love it. And it’s awesome. People were helping. All right. So I take we’ll talk to you again next

The UNSECURITY Podcast welcomes special guest Tony Alsleben this week. Tony is the head of security for CentraCare. With Brad and Evan, Tony discusses his career and current role, what being a CISO (and similar positions) in healthcare is like, cyber attacks on healthcare, some of the industry’s biggest security challenges, and advice for healthcare security colleagues. The three of them also touch on the vCISO Handbook, the CISSP Mentor Program, and some industry news. Give this episode a listen or watch, and send comments, questions, and feedback to unsecurity@protonmail.com.

Podcast Transcription:

[00:00:22] Brad Nigh: Good morning and welcome to another episode of the unsecurity podcast. This is episode 120 the date is February 23rd 2021. I’m your host, Brad Nigh and joining me as always, is my good friend and co host Evan Francen. Evan how are you doing?

[00:00:37] Evan Francen: I’m doing well man. I think it’s Tuesday already.

[00:00:41] Brad Nigh: Uh, it’s already the end of February shit.

[00:00:45] Evan Francen: I was on a call late last night till about midnight and I was like, holy crap, this is just monday. Uh huh. Yeah, I’m really ready for a nap. Yeah.

[00:00:56] Brad Nigh: Yeah. And I’m gonna guess you have a full day meeting, so that’s not going to be something that happens.

[00:01:03] Evan Francen: Yeah, I had a meeting at 4:30 this morning and I actually, and I postponed it because it’s like there’s no way of making it.

[00:01:10] Brad Nigh: Yeah, yep. Yeah, he catches up to you.

[00:01:16] Evan Francen: It sure does man. How you doing

[00:01:18] Brad Nigh: overall? Pretty good, pretty good. Working on that. I, our maturity assessment. Really happy with how that’s going. Hello. It does give me a whole new level of respect around all the work that went into us to try to figure out weightings and scoring and how it’s all laid out and I probably reorganized it. I don’t know 10 times as I’m working through it. Yeah, we did the first one, we was just gonna dump everything and then organized the first time and then we went through it and actually did the assessment on ourselves and was like, oh yeah, no, we ask things, these questions that were true false instead of just saying statements way to go through and rewrite and rewrite every control, which wasn’t bad. But it just changes the tents right

[00:02:09] Evan Francen: right

[00:02:10] Brad Nigh: there. And it’s instead of saying like, is there this, there is a whatever and uh, yeah, organizing it and then working through this, the weighting and it’s rolling up, going to shoot, I need to do this here and do this. And uh, Yeah, whole new level for where that S2 is.

[00:02:33] Evan Francen: Well, it’s funny because I don’t work in that, you know, every day it was different when I was in it every day. So when you reached out to me last week and asked me how the math works, I was like, crap. I can’t remember all of it. So, you know, I had to dig in? And I’m like, yeah, okay, here it is. And yeah, once in a while, you know, you’re looking, uh, you kind of surprised yourself like how the hell did I get there?

[00:02:58] Brad Nigh: Yeah.

[00:02:59] Evan Francen: But uh, yeah, I’m excited that, you know, we’re working on Revision three of the best words. Yeah, yeah, that’ll be a lot of fun because, you know, up until now it’s, there’s been little sprinkles of, you know, I think helping content and things like that. But now the teams always stepped up taking ownership. I mean last week, Megan, you know, emailed me with the, you know, the S2 audit, you know, piece that was really, really cool. I’m excited to look at that. And I saw your follow up.

[00:03:31] Brad Nigh: Yeah, I think I would make it so much easier to get in the tool.

[00:03:37] Evan Francen: Right, Who’s this other guy? What the hell is he

[00:03:40] Brad Nigh: doing? Some some guy with another beard?

[00:03:44] Evan Francen: Yeah. Who is he going to work out? He’s going to work out a little bit.

[00:03:48] Tony Alsleben: Yeah. Shave it too often.

[00:03:50] Brad Nigh: He keeps it clean. So yeah, this is uh Tony Alsleben, like, how do you say your last name? I’m sorry If

[00:03:58] Tony Alsleben: my wife was here, she would phonetically spell it out for you all slay Ben. I’ll save it. Ok.

[00:04:04] Brad Nigh: We’ve talked, I don’t know how many times and I don’t think I’ve ever had to say your last day before. So I apologize.

[00:04:11] Evan Francen: I have to play back that audio. I’m gonna start,

[00:04:14] Brad Nigh: Oh no,

[00:04:16] Evan Francen: I’m gonna start calling him that.

[00:04:18] Brad Nigh: So Tony is the CISO for CentraCare, which is the one of the larger integrated health systems here in Minnesota. So welcome Tony. How are you doing?

[00:04:30] Tony Alsleben: I’m good. And uh, the first thing we should probably cover is my title is not CISO, so I noticed in the notes we have in a few places. I do the job of the CISO. So I am Head of security for CentraCare um CentraCare does cover about 50% of rural healthcare in Minnesota. So we also um Carris Health is part of our organization Carris Health just started a new hospital down in Redwood Falls this week just open the doors on it. So brand new facility down there. Pretty cool. Um and then you know the thing about that some of the notes I see you have here. I mean those are our facilities we provide um the EMR electronic medical record for a lot of other facilities in rural Minnesota. So we have other other locations like in Alexandria where they use Epic. Um and we supply that to them. So I mean they’re considered affiliates of ours. So you know, there’s a lot, a lot to worry about when it comes to not just our data and our patients, but I think there’s something like almost, I think we’re just under a million lives that were responsible for in the state of Minnesota, wow,

[00:05:44] Brad Nigh: no pressure.

[00:05:46] Tony Alsleben: Yeah, no pressure is all right.

[00:05:48] Evan Francen: You took time out to come hang out with us.

[00:05:51] Tony Alsleben: Of course. Any time every

[00:05:54] Evan Francen: day. Well, okay and how many employees in CentraCare roughly?

[00:06:00] Tony Alsleben: So CentraCare has? Right around 13.5, 14,000 employees. Um when you look at our Active Directory structure with all the facilities that we have, we have almost 30,000 users. So I know Brad Brad probably remembers that we were giving you guys some headaches when we were um doing the AD health check because of the number of users that had to turn through the number of pieces of equipment we have.

[00:06:29] Brad Nigh: Yeah, it was choking up on some of the share brandishes because there were so many users that they had to try and turn through. Yeah, we got to figure that out.

[00:06:43] Evan Francen: That’s right. So big health care. And so you said your title is not officially CISO, so what is your title?

[00:06:50] Tony Alsleben: Senior Director Information Services. Okay.

[00:06:56] Evan Francen: So you don’t have security in your title, but yeah, you’re responsible.

[00:06:59] Tony Alsleben: Uh well, wait Senior Director Information Security.

[00:07:03] Evan Francen: Okay. Okay. Sorry. It’s the saving. How would I know,

[00:07:08] Tony Alsleben: you know, the title of our group is information services. And how often do you have to tell somebody this is this is what I am. This is what I do.

[00:07:18] Brad Nigh: So funny we were talking because they uh here we realigned and kind of give people better titles that are more accurate and internally it’s like whatever. I don’t care. All right. Everybody knows what everyone does, but you know, it’s it’s that external piece. So yeah, I get get where you’re coming from. I was like, yeah, what is it?

[00:07:42] Tony Alsleben: Well, some people get really hung up on titles and I don’t so much right. Like I know my job, I know what I have to do. Um for me, it’s not, I’m at a point in my career, it’s not about what they pay me. I mean, hopefully my boss doesn’t listen to this, but you know, it’s it’s money is just putting food on the table and supporting the family, Right? Evan? I know I’ve heard you say this before, but my somehow work is just an extension of who I am, right. Like, I love this thing I do. Um and every day I get up and I don’t really look at this like work. So even now with Covid, right? Like I come down here early in the morning and get on probably my best hours early in the morning when I’m all by myself just pounding away at this stuff. So it’s good.

[00:08:32] Brad Nigh: Yeah, I’m with you.

[00:08:33] Evan Francen: It is kind of, I mean, it is such a privilege and an honor to do what we do for a living. And I think the loose sight of that sometimes, if you don’t feel, you know, if you don’t feel some semblance of what you just described, maybe you’re not doing the right thing. You know, I mean, because you think about, like in your job Tony, you mentioned a million lives, but you’re making decisions about information that isn’t yours, but has the ability to affect a million different people. Uh and they don’t even know that, right? You do this job thankless job, you feel the weight, but we love it. Right,

[00:09:14] Brad Nigh: yep, it’s one of those jobs where, you know, it’s like, well, what are they doing unless something goes wrong? And it’s like, what were you doing? So, you know, there’s very little, a lot of times there’s very little praise about it or, you know, appreciation, but if anything goes wrong, man, you’re right in the firing line there. Mhm.

[00:09:38] Evan Francen: Well, at least in 2021, it’s it’s it’s a it’s in vogue to blame other people. So, you know, you have that on your side.

[00:09:47] Tony Alsleben: Yeah, I don’t do

[00:09:47] Evan Francen: that, because when you look at your face,

[00:09:51] Brad Nigh: mm

[00:09:53] Tony Alsleben: So no one of my golden rules for my kids is own it. And I hate excuses. So, I mean, if you’re going to pass the buck somewhere else, it’s not the right thing. So, and we can’t fix things if we’re not going to actually focus on the problems and what the issue is. So you’re not going to get very far with security, if you’re just trying to pass the buck and make it somebody else’s fault.

[00:10:16] Brad Nigh: Yeah, very true.

[00:10:17] Evan Francen: Well, that’s so for our listeners, I mean, that’s a great tip. Right? I mean, that’s a really good thing to have as a CISO or as a senior director of information security, is that like, no, the buck stops here, I make decisions, not because I’m authoritarian, but because somebody has to be accountable for this. Mhm.

[00:10:38] Brad Nigh: Yeah and always you know if something goes wrong, don’t just go and say well what are you gonna do? Try and figure out a solution and say, hey this happened, here’s what we gotta do to fix it. Yeah, like all too often it’s yeah, like you said the blame game of this happened that it’s so and so’s fault or whatever. Yeah.

[00:11:00] Evan Francen: Yeah. Yeah. Master Tony. How did how did you get to become you?

[00:11:05] Tony Alsleben: How did I get to become me? Yeah, we only have an hour. Right. Right.

[00:11:13] Evan Francen: Yeah. Oh, meaning like like in your position, how did you get to become, one of the questions we get, I don’t know, Brad you get a lot too is how how do you become a CISO? How do you become somebody who’s in charge of information security for a 14,000-employee company?

[00:11:34] Tony Alsleben: Yeah, well not very many people are going to have the path that I had to get here because my job prior to this one was Chief Information Officer. So you know to some people that would be a step backwards, for me it was a lateral move, right? Um However, I am going to say that in my IT career, so I’ve been in IT I think roughly 22 years now and about 12 years of that has been in management, mostly in health care management, right? So but I started at the bottom, I started on the help desk like any other IT guy right, taking calls, working night shift, doing the things that led to being a sysadmin. Um You know I used to make the images that we put on computers and deploy them and package the software and you know I did all the stuff that you have to do to put your chops in. So um I was even an internal auditor once upon a time which is what really kind of some days helps me with this security thing, right? Yeah. And the reason it was kind of funny because the first time I dabbled in this when I was in internal audit um the thing that drove me nuts is that I found issues but I couldn’t fix them. I presented them and they did exactly what we do right? Like they either mitigate it or they accept the risk and they move on and it drove me nuts when they would say yeah we’re going to accept the risk on that one. And I’m like but but but I just I just showed you this thing here like you need to fix this. It’s really important. I spent all this time. Yeah no it’s not that big a deal to us, so I was like all right, I can’t do this anymore. I need to go back to fixing things right? And now I’m at a different point in my life right? Like there’s there uh probably after going back to school and getting my Master’s degree and you know, that probably helped a lot with the business acumen side of it, that you understand the business side of accepting risk. Right?
And so that’s really at the end of the day, even though we’re covering a million lives, right? We’re running a business, right? And there’s certain things that business has to do to stay afloat and some of those things are things people just don’t understand right? When they see you do something and they’re like, what do you, what do you mean you’re doing that? Well I’m sorry, but this is what we have to do to stay afloat and to be able to continue to care for people. So um at any rate, so that that was kind of ultimately um A lot of my time was spent in manufacturing. I used to work for Hutchinson Technology, Incorporated, 14 years. Um I spent most of my tech life at the beginning there and then ended up at Glencoe Regional Health Services as their IT Director, from there I went to Affiliated Community Medical Centers where I became the CIO and we merged with Rice Hospital to create Carris Health, which was purchased by and merged into CentraCare. Um And you know, you know how integration goes right? Like we only need one CIO ultimately, you know, I work with Amy Porwoll, who’s my boss, CIO of CentraCare. She’s got a huge job. Um And the security role at CentraCare hadn’t been filled in a long time and they needed somebody to step up and say they’d do it. And I’m like, and I was kind of looking at how we were going to go about filling it and we were going to grab somebody from inside potentially because we weren’t able to find the right candidate externally. And I was like, you know what, I can do that job, I’ll do it, and you know, I’m so happy that I did because it’s it’s great. Um One of my favorite things is leading people and to watch these people who have kind of known where they wanted things to go for a long time. Um You know, kind of rally behind me as a as a new leader and be like yeah yeah finally we’re going to do some of this stuff. Yeah. We’re going to turn on PowerShell logging, we wanted to do that years ago, right?
Like it’s just that’s that’s kind of some of the fun stuff. But you see it, the hard part about it is a lot of the things that we need to work on, they’ve been harping on people for so long that they’re kind of deflated, right? And like I’m just another guy, the next guy to tell them we’re going to do it. And so at this point I think they’re like yeah, I don’t really think he can get it done. So it’s all about getting it done now. Right? Yeah.

[00:16:17] Brad Nigh: That’s that’s a fun challenge because they’ve been hearing it. And then now if you get to actually get it done, it’s a pretty nice feather in your cap.

[00:16:26] Tony Alsleben: Yeah, it is. But you know,

[00:16:30] Evan Francen: well, selfishly Tony, I’m glad you took the job too. Because that was about the same time you reached out to me. You know what I mean? And we have these early morning coffees because uh yeah. And then I think we fostered a really, in my opinion, really solid friendship, you know, from, because the first time we met was way back when you were in Glencoe. And that was what, eight years ago? nine years ago? I mean, that was wild.

[00:16:52] Tony Alsleben: Ha. It might have been almost 11 years ago. It was right when you were starting FRSecure and you and Kevin and Steve rolled into my office together at that point.

[00:17:02] Evan Francen: Yeah. Early days, man. It’s good stuff.

[00:17:06] Tony Alsleben: Yeah. I was thinking about that too. It’s almost exactly a year since I reached out to you and you and I started uh started having coffee and talking again. And then it seems like it seems like years ago and already everything that we did in the last year, even with Covid. Yeah.

[00:17:30] Evan Francen: Yeah. Good memories, man. I love it. And as an added bonus, the fact that you like to ride motorcycles. It’s like security guy who loves to ride motorcycles. Yeah, sign me up.

[00:17:41] Brad Nigh: Mhm.

[00:17:43] Tony Alsleben: Yeah, I can’t wait. I was just in the shed last night working actually. I downloaded 3-4 of your last podcasts and I threw them on in the shed. And I was listening to those while I was working on stuff. But I was looking at the bike going, 30 days, 30 days and we’re gonna be out riding. Maybe

[00:18:02] Brad Nigh: hopefully

[00:18:03] Evan Francen: you have to get brad on a bike support.

[00:18:07] Brad Nigh: You know, I’ve ridden in the past, and uh you know, in Virginia, you have to get a specific motorcycle license and you have to go through a state uh driver’s class on a motorcycle. And she was like, no, because she was, I think she was probably pregnant, I don’t remember. And she was like, nope, you’re not riding. I was like, all right, fine, that’s not a fight I’m, well, you know, pick your

[00:18:38] Evan Francen: battles.

[00:18:40] Tony Alsleben: You’re a wise man. I didn’t think I’d ever probably ride again. Um when my kids were little, my my wife, I think I had gotten rid of my bike before I met her and I’ve always had old cars, right. So I’ve had this one old car since before I met her too. And there was always this agreement between us. You can keep the old cars. We’re not going to have any motorcycles. Well, about two years ago that broke down. I was like, gosh, I’d really like to get a bike and she let me get a bike. And then she got on the bike with me. I never thought she would ride with me. So

[00:19:17] Brad Nigh: that’s cool. Yeah. Maybe when the kids are older, yeah, the youngest is in kindergarten now. So yeah, it’ll be a little while, but maybe right. Yeah. Anyway, um So You mentioned you spent, what, roughly 10, 12 years in health care. Where has security gone in that time? Where was it when you started? Where, where do you see it now? What are some of the challenges, have they changed?

[00:19:51] Tony Alsleben: uh so that’s a loaded question for me because I often, so if I if I look back, 2009 was my transition out of manufacturing and into health care. Right? And I distinctly remember it because, you know, having been an internal auditor, having been somebody who got to understand inside and out what Sarbanes-Oxley was and how it drove the auditing and what you had to do as a publicly traded company when it came to audits. And every year you were audited, then take that guy who’s been working in that environment and drop him in health care and go like, so when are they coming to audit us? Oh, um never.

[00:20:38] Brad Nigh: Great.

[00:20:39] Evan Francen: It’s

[00:20:41] Tony Alsleben: on your shoulders to do the right things all the time and don’t screw up because when we screw up, that’s when the auditors show up, they’ll come and look after you’ve actually done something wrong, after somebody’s information has gotten out there. So from my perspective, yeah, I still don’t see that having changed a lot, right? Like, so some of these things that have been out in the news, right? The big breaches, the things that have happened have brought an awareness to it, but I still don’t think our federal government is that much better at auditing, right? Like we still only do it and they still only show up when something’s happened. And I shouldn’t say that either because there are cases where they’re going to come out and just generally audit you and I’m sure we’ve just been lucky, but you know, I think the problem too often in health care is we feel like we don’t need to do anything until something’s happened and even getting funding makes it hard to do that right? Like the other day I was like, we need to, we need to lock down our VPN tunnel more right? When you transition from one network to the next, it shouldn’t just auto join back and leave the VPN tunnel in place. Right? And they’re like, well why has it gotta change? Nothing’s happened, when, when have we ever had a laptop stolen? I don’t know. The thieves didn’t call me up and tell me they stole it.

[00:21:59] Evan Francen: Right. Right.

[00:22:01] Tony Alsleben: You know? So I think the answer to your question Brad is some of that um some of those things haven’t changed. Um However, one of the biggest things I saw happen this last year is that healthcare scare we had, right? Like there’s this ransomware that’s going to shut everything down in however many days and Evan and I, we we were we were going back and forth on this thing, right? Like, hey, there’s this thing I hear it’s out there, just a heads up, blah, blah, blah. And so it’s like you think Armageddon is about to happen and it never does, right? But it allows people like FRSecure companies, finally, you guys are being heard right? Like what are the things you should do? So we’ll do the basics, right? Air-gap your backups, um, you know, do you know where all your assets are, visibility and control, right? Can you see it? So, and that’s, and I know one of your questions for me too Brad is what, what’s one of the greatest challenges and that’s it. Right. Right. Right now for me it is seeing everything right and probably our biggest offenders are some of our medical devices, those devices, the last thing you want is for a bad actor to take over a CT scanning machine or an MRI while you’ve got a patient in there or something like that. Right. Well,

[00:23:24] Brad Nigh: and I can speak from experience when at DEF CON last year. One of the things was the Biohacking Village that we did, which was hacking medical devices and it was disturbingly easy, like I am by no means a, you know, a good pen tester and I was able to do things to, you know, pumps and all this other stuff that it’s like, oh my God, if somebody were to get in and do it, it wouldn’t take a whole lot for, you know, like Eric or one of those guys, they were crushing those things and it’s disturbing.

[00:24:02] Tony Alsleben: Well a lot of those things, they’re not, they don’t, I mean they’ll do the whole password password thing on there, right? I mean there was a Philips, there was one of the Philips vulnerability releases this last year, that that’s what it was, right, like you had to get a hold of them and have them change the password on your device because they come and set it up and then they just leave it as default.

[00:24:24] Brad Nigh: Mhm Yeah, that was one of the things that we did, was like, hey here it is, it’s an open FTP to update or whatever it was and it literally was like the default password for the device. Yeah,

[00:24:40] Tony Alsleben: yep. And so one of the best things I saw this last year that I thought was really cool um that they’re finally starting to think about it is, I can’t remember the name of the software right now off the top of my head but we have this new backup software that we’re installing right for for backing up all of our data from our arrays. And when they install that software and it goes through the setup it forces them to change the admin password. So you can’t leave it as admin admin or admin 1234, whatever it is, it’s just not possible for it to be left as standard anymore. And that stuff should have happened a long time ago right? Like people’s home routers should change the day they set it up

[00:25:23] Evan Francen: and that stuff is so easy to script you know as part of the setup.

[00:25:27] Brad Nigh: Oh yeah

[00:25:28] Evan Francen: you know, your first login. I mean you do that stuff all the time, when you reset somebody’s login you force them to change it right? And that’s so easy and yeah, just such an oversight for so many years.

[00:25:40] Brad Nigh: You know it’s crazy. You mentioned earlier about how the government isn’t auditing, but it’s really around, like in health care. That’s surprising because you do have the OCC and the FFIEC for banking that go out and you have, you know, FINRA and I can’t think of the insurance one. But you know, having worked in those industries, yeah, you have, like every couple of years, they’re out. Healthcare is like well, we’ll come drop the hammer on you after. It’s too late, which is crazy.

[00:26:15] Evan Francen: Well, OCR started going down this path, right? Even went so far as to build an audit protocol and I don’t know how many it was. One of the big four accounting firms, I remember, was it PricewaterhouseCoopers? I think PwC, they went out and actually audited 100 some odd entities and then developed the audit protocol and we’re thinking, okay, good, we’re kind of going down this path. Because I think a lot of CISOs would also like the guidance, right? Show me places where I can improve because maybe I don’t have, um you know, CentraCare is a large healthcare entity. There’s a lot of them that aren’t, a lot of the rural hospitals don’t have any money. You know, they just, it’s not always that the government has to be the bad guy here. It’s actually a good thing sometimes.

[00:27:03] Brad Nigh: Well, I mean, even for a CentraCare, anyone getting an independent set of eyes on things, because when you’re in there working day to day, it’s so easy to just kind of miss things, right? Because you just, this is how it works, and getting that third party to come in and say, hey, did you notice that, you’re like, oh no, yeah, I should fix that. I mean, it’s very helpful.

[00:27:30] Evan Francen: Do you guys know why, I mean, I’ve never really actually dug in and or heard why the OCR dropped it, it was,

[00:27:39] Brad Nigh: It was right at the transition in 2016, from Obama to Trump. There was a, during that transition it just kind of went away.

[00:27:49] Evan Francen: Mhm. Because that’s how they operate today too. Right? They only do investigations, they don’t do audits, they do investigations and when they come knocking, there’s two things that are guaranteed: a corrective action plan and some kind of monetary fine.

[00:28:04] Brad Nigh: Well you’re gonna have a bad day.

[00:28:08] Evan Francen: Right? Well and and it’s funny because I’ve talked and I’ve worked with enough hospitals or health care organizations who go through this, if you want to reduce, you know, the fine and make that corrective action plan as manageable as possible, just be really nice.

[00:28:25] Tony Alsleben: Oh and comply.

[00:28:27] Brad Nigh: Yeah. Make the auditors life as easy as possible. That is always the rule no matter what.

[00:28:32] Evan Francen: So it doesn’t even come down to security, like it’s just like yes sir. Yeah, let me go get that for you. Hold on. Yeah. You know, because I’ve seen it the other way too. I’ve seen people that have a lot of pride that, you know, kind of stand up to the OCR. It doesn’t go well

[00:28:48] Brad Nigh: usually doesn’t when you yeah. Yeah auditors don’t tend to have a good sense of humor in my in my experience.

[00:28:57] Evan Francen: Well they have their own sense of humor. Just like lawyers, they have, I can never understand what, you can’t understand what they’re laughing at, you know, and I want to be so much part of the group, you know, especially when you’re working on like a big data breach, but I feel like you’re like, yeah man, routine here, and they make a joke and I have no idea what they’re all laughing at, I have no idea what the hell they’re saying. But then I wanna be, I wanna be part of the group so bad that I’ll say a joke that I thought was funny and they look at me like I’m an idiot

[00:29:25] Brad Nigh: who

[00:29:27] Tony Alsleben: invited this guy.

[00:29:28] Evan Francen: Yeah security guy put him in the corner somewhere.

[00:29:31] Brad Nigh: I’ve been there with the OCR auditors, have made a joke that I thought was pretty good. They just, dead silence, you’re like oh okay

[00:29:42] Evan Francen: yeah, I gotta go to the bathroom, see you

[00:29:43] Brad Nigh: later. Yeah oh my phone’s ringing. Got to step out.

[00:29:48] Evan Francen: Yeah. Crazy man. So is that the thing that keeps you up at night, Tony? Is it, or is there anything, I guess there may not be anything.

[00:29:58] Tony Alsleben: Yeah. You know, you threw that question out there, there isn’t, I don’t have any problems sleeping. And if anything keeps me up at night it’s because I fell asleep on the couch and I transition from one place to the next and I start thinking about my car and what I’ve got to do on that, or work, you know? But however I did think about it right, like so what’s my biggest concern and it’s that one hole we haven’t found, right. That that one thing, that device that’s not patched, things that are currently out of my control, but that I need to find an answer to, right. And I think about this like just last week, um my endpoint guy called me up and he was like, hey, I got this call and they want to set this new system up and they want access to it from the outside. And they’ve been, they’ve they’ve got 20 devices in our facility already. So it starts out like this, like, it’s this new thing, but oh, by the way, there’s already 20 of them there, we’ve already punched 20 holes. And the reason why I’m calling you is it’s this IoT device and it’s a Windows-based IoT device and they don’t turn automatic patching on on it. And so they basically patch it up to snuff and then they leave it and they walk away and they don’t patch it again until somebody calls and says they have to do something. And I’m like, and he’s like, and he’s calling me now because hey, finally we’ve got a security guy, so he’s like, hey, we don’t support that. Right? I’m like, yeah, I know, what do I tell them? Tell them it can’t be on our network. Well we don’t really have a policy that states that. You’re right, we don’t really have a policy that states that, but we do have a policy that states that we patch stuff so we can hold them at least to our own standard. So well, you know, we can’t turn these devices off. I said I get it right. So we we need to work with them on what we’re gonna do. Well they want, they want to continue to have remote access.
Yeah, not happening. They’re going to go through SecureLink, right, like they’re going to, then you get on the, you get on the phone with the vendor and they’re like yeah yeah we have other places asking for this thing too, right. Well we’ll see if we can get SecureLink to work. We’re having issues. No, you can get SecureLink to work, even if we have to just stand up an RDP station that you SecureLink into to connect to your devices, we can make it work. So but it’s it’s really those things, right? So it starts with that and then you, then you you look at supply chain, we all know the big supply chain issue, right? We do have SolarWinds internally. We’re lucky. And and my my uh one of my right hand guys, Justin, would say, you know, I’m saying we got lucky. He goes well we think we got lucky because you don’t really ever know until you know, right, but we didn’t install one of the bad patches, we don’t have any IOCs that we found internally, you know, we’ve done all the right things. We we locked down our SolarWinds environment so it doesn’t have access to the internet. We’ve been staying on top of all the latest patches lately, but it really makes you look around and go, well, gee, how are we evaluating those vendors, who’s been looking at that? Right. And so right now I’m looking at, I just bought BitSight, we’re standing that up, Evan and I have talked about this um I’m using S2Vendor um not not not hog wild yet, but I’ve been putting companies in S2Vendor and and I’m getting to the point where people are sending me a request when they get a new vendor and saying, hey, how can I get them in there? How can we send this to them? So, um but then it’s kind of using those two products hand in hand, right? Because S2Vendor is a self assessment and it’s only as good as the word they give you and what they sign off on. So, you know, when, when I get an 850 it comes back and I’m like, really, you’re that good? Huh?
Well, gosh, I’m so glad to be working with somebody that’s perfect. Well, no, there,

[00:33:59] Evan Francen: you know what we’re going to do, I just thought of a marketing piece when when that integration gets completed, right? Because SecurityStudio is like, we’re like the neutral party, right? We want to consume data from different places to give you a better picture. And uh the marketing piece is going to be “vendors lie” with the big stamp.

[00:34:20] Brad Nigh: I mean, everybody always gives themselves

[00:34:22] Evan Francen: because there’s no way in hell you can tell me that you’ve got this stuff. Even if you say you didn’t understand the question.

[00:34:29] Brad Nigh: Well, yeah. What do you mean? You require domain admin to run your application.

[00:34:35] Tony Alsleben: My favorite was, right, like, so you send them the security suite and you guys know there’s like 400 questions in there, right? I sent one of those off and I got it back in an hour and a half and I’m like, hmm,

[00:34:49] Brad Nigh: I mean, I’m probably about as familiar with that as anyone. And it still took me, I think, probably 2.5 hours to go through it. Yeah. Mhm.

[00:35:03] Evan Francen: Well, and you mentioned supply chain, because you still have a blind spot too, right? You have a blind spot, it wouldn’t, no matter what due diligence you did, you wouldn’t have caught the SolarWinds because it came in an authorized patch. How would you know? You don’t have the ability to check every single patch to see if there’s a back door in that patch. You can’t do static code analysis. I mean as a consumer and as a CISO you’re stuck with, like there’s always that trust, I have to take what I got,

[00:35:34] Tony Alsleben: you know? Yeah, there’s, there’s no way you would know. However, the interesting thing is that when you look at uh BitSight trends, these things, and you look at their BitSight score, it fell off right about the time they got infected. So I mean really it kind of is measuring that some of their security awareness took a nosedive and when it did that made them susceptible. So if you’re watching some of that stuff, you can kind of have an indication, you know, if there’s, if there’s bad actors out there, the odds of them breaking down somebody who’s got good security versus somebody who’s got bad security are pretty good. So I have a have a close vendor, I’m not going to name their name on here, but I know Evan’s got a story with this vendor too, a local vendor that we work really closely with, and I dropped them in BitSight and their their security score just as of like this last month took a nosedive. So it’s got my ears perked and going, well man, what do we all have open to them? Right. And and it looks like some of their stuff took a nosedive because of some of the things they have hosted, but that’s even worse yet, right? Like these are things they’re hosting for other people. So um I I don’t know, I think some of those tools, I’m not into the blinky lights like Evan says often, but there are some tools that are out there that are, are pretty easy to stand up and start using right away. Right. Um, some of the things that you guys have, uh, things like BitSight where you know, you stand it up and you can feed in a whole bunch of vendors and you can look at a cross section of them today. So I mean I support stuff like that and not only that, but I think they’re getting some of their pricing model figured out, right. And it’s not so expensive. There’s other things that we have to do that are really expensive, but that still doesn’t mean we don’t do them.

[00:37:25] Evan Francen: So I think the point is, as a CISO you recognize where you still have those gaps and then you devise mitigating controls, right? It’s never been like one thing solves everything. It’s where I’ve still got a gap, because you mentioned IOCs, right. You mentioned IOCs, so there’s always some sort of signature. So in the SolarWinds attack there was a call home, right? There were beaconing things happening. How many organizations have their egress filtering worth a crap?

[00:37:55] Brad Nigh: Very little.

[00:37:56] Evan Francen: Right? So if you really truly understood your environment really well, and I know that this is where you’re going, I would know my data flows, I would know what’s legitimate traffic and what’s not legitimate traffic. So if I see something, because it could even happen in a 14,000-employee complex environment like yours, you can get to understand how things are supposed to be working and you see those beacons, that would be a red flag. Right? And that is unusual because you haven’t seen it before. Mhm. So I didn’t get to that point, it’s Nirvana, but that’s the, I would assume that’s the goal.

[00:38:30] Tony Alsleben: Well, and that’s where, like one of the other things, because there’s a lot of things, like you said, you can’t, there’s so many things, which one do I pick on any given day? Which one? All these balls in the air, which one am I grabbing today? Right. And so you stand around and looking, and we use Infoblox for our DNS. And so Infoblox has a product that is there, it’s DNS security. Right? So, enhanced DNS security, we are currently PoC-ing that. And realistically that does exactly what you’re talking about Evan, right? Like they’re watching um what’s going on out there. If it’s a newly created domain, it’ll sinkhole it right now, just because it’s not seen it out there before, until we can authorize it. Right? So it’s not zero trust. Um but you know, it’s it’s getting one step closer to just not, like, trust then verify. So um uh at any rate, right now and those tools, they’re not, you know, there is no tool you just buy and stand it up. Right? So that’s part of the proof of concept right now. What do you mean? We’ve got all these logs to look through yet. What do you mean? And then and then you’ve got stuff like the whole DoH and DoT stuff going on where it can go straight out through that app and completely bypass your internal DNS. So um you know, first you’re thinking you’re going to buy this tool and then you’ll be sitting pretty, but it’s not really the case. Right now we’ve got stuff we’ve got to do on our Check Point firewall and we’ve got to figure out how to break down that um that encryption, look inside that packet and stop that DoH traffic and bot traffic and send it back through the internal DNS. So really that that’s the type of stuff right now I’m trying to stay focused on because how can I quickly protect all of these devices, and it’s in the traffic, right? If something gets in, the first thing it does is call out, right?
That’s where we need to stop it, we need to stop it from talking and then we can find it and then we can kill it. Um that’s the best we can do right now as we’re getting everything else in order.

[00:40:44] Brad Nigh: Well you mentioned, like you know, you’re not into the blinky lights, but there are good tools, and I think that’s a really important statement. Yeah, yeah. Don’t buy something just because it’s got a blinky light, but if you’re going to buy something, utilize it correctly, and there are some really good tools out there. Yeah,

[00:41:06] Tony Alsleben: yep, true story. And and that’s the other great thing about my organization. They did make some investments in some tools that we haven’t fully stood up yet, right? But uh it’s just investigating which ones we keep, but you know, internally we uh we use Cisco, we’ve got Cisco’s ISE product, we haven’t fully installed it. Um you know, we need to get 802.1X stood up um because that’s an important part of using ISE, we have Stealthwatch. So I mean we’ve got tools that we already own, we just need to get to a better capacity of utilizing them.

[00:41:40] Evan Francen: Uh Yeah, sure. Yeah. Well that’s one thing I think that makes you a good CISO, or director of information, I’m just gonna call you CISO, so if people get offended with that, it’s easier for me to say. And you serve the role anyway,

[00:41:55] Tony Alsleben: ah and you can do that. I just wanted to call it out so people don’t think I’m running around calling myself something, I’m not.

[00:42:02] Evan Francen: There you go, genuine. I love it. One of the things that a CISO is, is being able to put together this jigsaw puzzle, right? You’ve got all these different tools, all these different people, you know, your network infrastructure looks like this. How do you fit together the jigsaw puzzles that you started addressing those gaps. Being able to look and see a I’m missing a piece here and then go out and find the tool if you don’t have, you know what I mean? It’s just, it’s cool to watch you work through that because it’s, you know, at CentraCare. I think it’s been about a year.

[00:42:34] Tony Alsleben: Yeah. March 16 will be when I actually first came into the role. Yeah.

[00:42:40] Evan Francen: And you make tremendous progress just in our own conversations in that year. It’s really cool to see. Yeah. Yes patients. Well,

[00:42:52] Tony Alsleben: yeah, I think it’s, I think it’s going good right now. I’m working on um my strategy, right. What is, what is my strategy going forward and so kind of creating that roadmap um and truth be told. I mean the first thing I’ve got to focus on here, there’s some of the basics we need to nail first. Right. We need to do better at our asset management. Already found out internally. We can’t continue to call it assets right. They want to use the ITIL term. It’s really the configured items we’re looking for, which is true, right. I mean that’s what we’re after in security is the configured items we don’t really care whether or not there’s an asset dollar value attached to it. So I mean realistically we need both. But it’s asset management, data classification, I need that asset management to be able to do better vulnerability management really, vulnerability management is something we need to work on. But as I’ve been picking apart vulnerability management, you don’t have a really good vulnerability management program unless you’ve got good asset management. So and as part of that asset management program, data classification is going to be huge for us. So and especially being healthcare um how long does that data got to live? Um is it how is it classified? Right. Is it public information? Is it confidential information? Um is it financial information? So you know, we need to get that done. We have I’m going to say this tongue in cheek, we have a pretty good change management program and I say that because people are using it right? That’s part of the reason why we were able to track down whether or not we had a SolarWinds problem because um the version changes had been logged in our change management system and we were able to walk that back. Um However we don’t have a good change management policy that everybody follows to a T. Right. And so that’s kind of the next step, right? 
Is making sure everybody um knows the policy, making sure that policy aligns throughout all of is and then maybe the greater organization after that. Um but those are kind of the things that are going to be on my strategy For the next year for the next three years.

[00:45:12] Evan Francen: it’s not cool. Mhm.

[00:45:14] Brad Nigh: I mean, yeah, it’s great to hear you mention those things and be aware of some of those uh maybe less mature areas and focusing on them because you’re you’re absolutely right, it all builds on itself. Mhm,

[00:45:33] Evan Francen: totally. Well speaking of hospitals, man, we got a whole bunch of, we don’t have to go through them all because I know that, you know, we’re getting short on time, but in the notes, you know, I just put that was just the last I did with google healthcare breach.

[00:45:49] Brad Nigh: Yeah, I’m sure

[00:45:52] Evan Francen: This is page one

[00:45:53] Brad Nigh: yeah, Mhm.

[00:45:56] Evan Francen: Page one in the news and the 427 that I alluded to, but you know, totally sort of alluded to it as well. It was last summer we had, you know, there was a series of events that took place, you know, I was called in on a breach, called myself on a three am I’m not, you know, your incident response plan, didn’t say to do that, but that’s what happened. So I get called into that and then we start a threat hunting exercise at another healthcare entity, You know, kind of in all of this and Brad, you know about that one. And then, you know, Brian Krebs calls and says, hey, you know, you don’t normally get calls from Brian Krebs and they don’t like calls from Brian Krebs, so We got on the phone with him and you know, found out 427 hospitals. They’re supposed to be hit next week. Maybe it’s like, oh shit, really? At the same time we got to get the word out. So our one, is it true? Right? True to this at all because we’re not going to cause panic if there’s not and two it is, we got to get the word out. So that whole thing led to this thing. But I think one of the things we learned in that is the health care sector. So there’s 16 critical infrastructure sectors in the United States as called out by President Obama back whenever he issued that directive and then on and on one of those sectors is health care. Another sector is water, right? We talked about the water attack, Oldsmar in Florida. Another one is dams, another one is on and on right. There’s 16 of them. One of the things that was painfully obvious in that 427, I just called the 427 because I still, it still might be bullshit. To be honest, I have no idea. But one of the things that really raised an alarm with me and and if there was something to keep me up and I sleep well. But if there’s something Is the fact that if that had been true, if 427 hospitals had been hit at roughly the same time with ransomware, we would be screwed. 
This country does not have the ability to respond to that appropriately,

[00:48:06] Brad Nigh: You know? Yeah, 100%. Yeah.

[00:48:09] Evan Francen: So sorry, I got preaching there, that’s got to be fixed and so on. Another thing we are working on stuff like that because if, if Tony’s get, you know, getting hit with something earlier, let’s say, you know, there’s an incident response in Texas, but the hospital’s got hit by ransomware and they’re part of a something where there’s a better information sharing. I know we’ve got MS-ISAC and all these other things, but those things aren’t effective because you don’t share IOCs on things that are happening right now. I would have no idea of knowing that this hospital in Texas is getting hit. But Tony would sure like to know because if his hospitals start to see some of those same IOCs before something activates before it does cause potential death. Right? Good to know that shit. Excuse my language,

[00:48:57] Brad Nigh: you know, one of the, I think one of the try to be positive, one of the good things that did come out of this Orion breaches, how open, you know, Microsoft and FireEye and all the more with the IOCs they were finding, hey, here’s what we’re seeing here is what to look for and hopefully that maybe he starts a new trend of being more public with some of these IOCs, it’s not like what’s the negative of saying, hey, here’s some hashes you should be looking for

[00:49:30] Evan Francen: right

[00:49:31] Tony Alsleben: health care. They don’t do it though. I mean I just watched one of these things happen because we were helping somebody else through it. I’m not going to say too much about it but we couldn’t get the IOCs from them right? Even knowing that our infrastructure potentially was connected to this. They wouldn’t give up the IOCs. And why? Because the lawyers get involved and you can’t say too much and if you say too much then you might be telling them something you shouldn’t be telling them. And so even now you know later on you watch what things are going on from afar, they’re still having problems and you’re like so do you have forensic images? Can you hand them over? Can you give them to us so that we can do our own investigation? Well no we don’t have that for everything. You know? And how do you get you know, ultimately in the end they give you some, yeah we can see they were here and they were that and it was our evil and I mean but it’s two or three months later and you guys know as well as I do it’s all about time. It’s all about time. The faster you can do it, the quicker you can squash it.

[00:50:42] Brad Nigh: One of the interesting fallouts from the Capital One was the Capital One and FireEye that they they got sued and or and they had to turn over their IR report because they had the same, one of the interesting thoughts and that is now for incidents they don’t want reports.

[00:51:03] Evan Francen: No because they’re discoverable, yep.

[00:51:06] Brad Nigh: And we used to be you had to write up the whole they wanted a full report and knowing exactly what happened and now they’re like now just we’re good.

[00:51:14] Evan Francen: We see that used to be one of the things, you know it was there was always that debate who’s the first person you call in a breach right then you know some people would call the police. I still saw that. I mean one of these breaches here I think it was I don’t know maybe one of them the first call was the Sheriff’s department. No that’s not right. When I got when I got called in that breach that led to the you know uh understanding the 427 when I when I arrived on site, Department of Homeland Security was on the phone, the FBI was on the phone, the local sheriff’s department was there and another incident response firm was there and it was all just like chaos and so you walk in the room you like the hell is going on, what are you guys doing? What’s what’s the direction here? But one of the things that people would say and I still you know maybe it’s call your lawyer first and the reason why they would do that was so that you’d have attorney client privilege. So my discussions with the lawyer and they’re still protected. But the reports and things. The work products and things are not necessarily. So it changes things a little bit.

[00:52:28] Brad Nigh: I mean as a respondent makes our lives a lot easier because the report writing is the worst part.

[00:52:35] Evan Francen: Right? Yeah. Just just passed my to do the investigation. That’s the fun part.

[00:52:40] Brad Nigh: Right? I mean we still have all of our notes and you know still keep all that information but you don’t need me to organize it into a readable format that everyone can understand. Cool saves me 68 hours. Oh

[00:53:01] Tony Alsleben: yeah it looks like Evan frozen.

[00:53:04] Brad Nigh: He’s deep in thought.

[00:53:06] Tony Alsleben: Yeah at least in. Oh he’s back.

[00:53:11] Evan Francen: Yeah it’s my VPN. It always does that. Even at home I use the VPN. My iPhone security guy. What do I do? Yeah but the 427. So we talk about sharing IOCs. For anybody listening. There’s no really there’s no confidential information in an IOC. No there’s no intellectual property in an IOC. There’s no really incriminating evidence in an IOC. It’s an IOC.

[00:53:41] Brad Nigh: I mean even if there was a central repository where you can submit anonymously. There just isn’t anything really out there. I mean you’ve got like you know the VirusTotals and Hybrid Analysis and things like that. But you have to know what you’re looking for to see if it’s a problem

[00:53:59] Tony Alsleben: so I agree with you. I agree with you guys. The problem. But the crux of the issue there though is they they have to admit, right, they have to admit that this thing happened and here are the IOCs you need to look out for. And that’s the hardest thing is people just admitting it

[00:54:17] Evan Francen: and I’m okay. I mean I get that but we’re dealing with people’s lives and we need faster response. Right? So maybe you do something where you’ve got some immunity for sharing your IOCs right. IOCs specifically can’t be used to prosecute, whatever, whatever you have to do. But in health care we have a bunch of incident responders who are not qualified to do incident response. They’re not all doing incident response the same way, they’re not sharing information about the incident response. So health care as a sector is so fragmented and so screwed when it comes to one incident that affects a wide population, which by the way is the scariest thing for uh insurance companies to begin. Well, I’ve got cyber insurance. Great. That’s one way they gotta businesses when you have one event that affects the wide population. You

[00:55:08] Brad Nigh: know, interesting enough. I was talking with a healthcare customer last week and they had reached out to their insurance company around their cyber insurance and they go through one of the big players and they were told, yeah, we’re strongly considering just getting out of it and apparently that’s, that’s something that all the big ones are going, yeah, the supply chain thing is way worse than we could have expected were. It’s just we’re gonna lose our s gonna do it. Cyber insurance may become,

[00:55:42] Evan Francen: especially when you set the precedent, they’re just gonna pay these people that was, you know, in my little world, that’s okay. There might be a good decision, but in the big picture, that’s disastrous. But you know, that’s another thing that I think, you know, we can work on is how do we solve that problem? There is an insurance play here, but not the way they do it.

[00:56:02] Tony Alsleben: Well, and I was under the understanding that the FBI was telling people that you’re going to get in trouble if you pay money, right?

[00:56:10] Brad Nigh: We’re not incidents where the FBI came in and said, no, you cannot pay them. They’re a terrorist organization.

[00:56:16] Tony Alsleben: And that’s that’s the key right there brad, Right? Um, we just out of a lawyer’s mouth the other day, right? If they’re not a deemed terrorist organization, if they’re not on the FBI’s list of terrorist organizations, well then it might be easier to pay them. So we’ll do that. Right? So I’m like, there’s this discrepancy why? So instead they’re a U.S.-based terrorist organization. I mean, I don’t know. To me, it’s all the same thing,

[00:56:45] Brad Nigh: right?

[00:56:47] Evan Francen: But at the end of the and at the end of the day, you bring all this stuff back. It’s like the, the hospitals purpose is to serve the patients right to help people. And you’ve got all this other stuff that’s going on. It’s so distracting. It’s just anyway, I’m gonna preach smart. I don’t want to do it.

[00:57:04] Brad Nigh: So, uh, well yeah, Gosh, we’re now thank you Tony before because I know you have a hard stop here. So thank you very much for

[00:57:11] Tony Alsleben: joining change management meeting. Yeah.

[00:57:16] Brad Nigh: You sure you don’t want to say, oh, this this other one went wrong.

[00:57:19] Tony Alsleben: Yeah.

[00:57:22] Brad Nigh: Thank you very much. I appreciate you coming on and talking to us.

[00:57:27] Tony Alsleben: Sure. Anytime. Thanks for the invite.

[00:57:30] Evan Francen: It was a good talk. Yeah.

[00:57:33] Brad Nigh: Uh, so yeah, I know you have to drop that. You can stay as long as you want. But Evan, what’s going on with the vCISO handbook?

[00:57:40] Evan Francen: Oh, this is so I’m like, yeah, we’ll be, we’ll be quick. You can get through this in six minutes.

[00:57:43] Brad Nigh: Oh yeah.

[00:57:45] Evan Francen: Well, one of the first of all, I appreciate your patience brad. I’ve been pulled in like a whole bunch of different directions. I need to get back on that book. But we talked about, uh, you know how we’re gonna segment and how we’re going to break it up. And I think we’ve got some big players who might just insert some things into the book because I think they want to use it to set a standard for this is how vCISO stuff gets done. You know Tony has gotten part of that you know because I think CentraCare used to be you know vCISOs are like version one with uh you know FRSecure. Um There’s so much further to go than that, right? There’s so many more operational things, you know to drive a security program versus just be a resource. Right? Lots of different stuff that’s uh I’m really excited about that book but right now I need to get in the next four days I need to get to a point where I just hand stuff you know, here’s your here’s your chapter we talked about that. I just didn’t get that.

[00:58:46] Brad Nigh: I was glad to see you go. You said something about it, you’re running late because I was like what did I miss it? I miss his email were ok, good. Sorry we’ve all been super busy. I would honestly I haven’t had wouldn’t have had time to really do anything with it anyway with our three and yeah. CNN

[00:59:05] Evan Francen: C Yeah

[00:59:09] Brad Nigh: you

[00:59:10] Tony Alsleben: guys need somebody to do a read over of that from the shoes of somebody that needs that. Send it my way,

[00:59:17] Evan Francen: look at this. Uh huh. That’s cool. Right. Oh

[00:59:25] Brad Nigh: man. All right. Um Next thing registration for the CISSP mentor program. Go to our website last I heard yesterday morning we had almost 3500 people signed up like 3450 something I think.

[00:59:41] Evan Francen: So cool

[00:59:42] Tony Alsleben: so I better go sign up again quick even though I attended last year, uh I still haven’t taken my test. And so last year I was I meant to read the book before I got to the class and I didn’t make it through there. So I was thinking this year I might try and make it through the book one more time and then use it as a brush up before I take the test.

[01:00:03] Brad Nigh: Yeah, I think it’s a good approach.

[01:00:06] Evan Francen: Absolutely. And heck man, you look close enough to me, you can just hang out with me, we’ll do it.

[01:00:12] Tony Alsleben: Absolutely.

[01:00:14] Evan Francen: Yeah, that’s 35 point. That’s crazy. So last year was 20 Last, little less than 2500. So

[01:00:21] Brad Nigh: 24th,

[01:00:22] Evan Francen: we’ve beaten the crap out of that and I think we’ll get over 5000. I haven’t really done much in terms of socializing other than maybe just a couple of posts here and there. But

[01:00:32] Brad Nigh: I mean, reality is we could possibly have more this year than the previous, But eight years combined. Mhm. Yeah. A little nerve racking. Uh but exciting.

[01:00:45] Evan Francen: Mhm.

[01:00:47] Brad Nigh: Yeah. Yeah. Go to frsecure.com and under I think it’s community, can sign up for the mentor program. Totally free

[01:00:57] Tony Alsleben: Evan, you’re a geek with numbers, I’d love to see what that looks like on a graph, right? Because you’re definitely almost doubling year Over year, right? Mhm. Yes, probably have. Is it charted

[01:01:07] Evan Francen: already?

[01:01:10] Brad Nigh: Okay. This will be my fourth year. The first year we had oh gosh, maybe 125 or so that I did it with you. We’ve gone from like 100 and we’ll say 100 and 50 to 3500 and four years. That’s a pretty significant growth.

[01:01:30] Evan Francen: Yeah. When there’s bigger plans ahead, man, I’ve been talking to some other nonprofits, there’s one out of San Diego I think uh this is a community thing, right? There will, there will probably probably be a time and we’ll just take the FRSecure name off of it, make it truly a community thing will always be that history and always be that tied to it. I want this to be perpetual. I want to do it year round and want others to come and teach and share.

[01:02:04] Brad Nigh: No, I mean it kind of goes in language kind of the FRSecure University thing that, you know, we’re with all the content that we’re putting out training, so yeah, getting others to help out would be awesome.

[01:02:19] Evan Francen: For sure man. Yeah.

[01:02:21] Brad Nigh: All right. Yeah. Uh you had a couple of news items I would say, you know,

[01:02:27] Evan Francen: there’s no news.

[01:02:28] Brad Nigh: Go read it on the blog.

[01:02:30] Evan Francen: There’s no news, nothing’s happening, you know, just keep your face, you know, right on the computer, you’ll be fine. Nothing else happening.

[01:02:39] Brad Nigh: So thank you again, Tony appreciate it and will definitely be interaction. You can be the first victim of reading reading a copy.

[01:02:51] Tony Alsleben: Absolutely send it my way, ma’am. And thank you guys,

[01:02:54] Evan Francen: Tony give me shout outs,

[01:02:56] Tony Alsleben: you know, I do and it’s going to be to my wife because I wouldn’t be the man I am today without my wife. So, um her name is Anna and I love her dearly. She she definitely has kept me on the straight and narrow, so that’s mine.

[01:03:16] Evan Francen: Very cool.

[01:03:17] Brad Nigh: I thought

[01:03:18] Evan Francen: you had a dog.

[01:03:19] Brad Nigh: It’s

[01:03:21] Evan Francen: yeah, I’m gonna give a shout out to my dog. She’s a sweetheart. I love her. That’s violet that you’re outside my office store. She sits right here, right next, right behind me and uh yells at me regularly. But she’s kind of my co worker. Now

[01:03:38] Brad Nigh: we have a shepherd mix who shepherds. I don’t know if you know that they talked, they don’t, they bark, but they come up and they’re like and mine will come up and sas and talk back to you.

[01:03:51] Tony Alsleben: We have a Chesapeake and she she does, it’s more of a roof, right? She’ll like rue at you. And so especially if you can get her between two people show back into one person and she’ll start talking to the other person

[01:04:02] Brad Nigh: funny, I’ll just so goofy, I’ll give a shout out to first responders and the job that they do and everything that you know. Absolutely. Especially during the pandemic and putting themselves at risk. So all right, well, in closing, thank you to all our listeners, uh send us stuff by email at unsecurity@protonmail.com. You’re the social type. You can socialize with us on Twitter. I’m @BradNigh and Evan is @EvanFrancen. Tony. How can people get a hold of you?

[01:04:35] Tony Alsleben: Uh Probably LinkedIn is the best place. Uh so it would be under Anthony Alsleben. And if you’re looking for me out there attached to CentraCare

[01:04:44] Brad Nigh: you go uh other Twitter handles where you can find some stuff that we do is the podcast is @UnsecurityP, SecurityStudio is @StudioSecurity. And FRSecure @FRSecure and that is it. Talk to everyone again next week.

Episode 119 of the UNSECURITY podcast is jam-packed with a number of current events topics Evan and Brad have been following. The discussion includes a super useful and free “Legal Guide to Privacy and Data Security” written by a friend, a novel supply chain cyber attack of some big tech players, and more on the water facility attack from last week and what that might mean for our national infrastructure as a whole. Give this episode a listen or watch, and as always, send us your questions, comments, and feedback to unsecurity@protonmail.com.


Podcast Transcription:

[00:00:22] Evan Francen: All right. Hey there. Thank you for tuning in to this episode of the unsecurity podcast. This is episode 119. The date is February 17th 2021. And I’m your host Evan Francen. Joining me is my good friend as pretty much always. I mean, I think we’ve been together for the last God knows how many podcasts, but he’s Brad.

[00:00:46] Brad Nigh: Good morning Evan.

[00:00:48] Evan Francen: How’s it going today?

[00:00:49] Brad Nigh: Good, good disease.

[00:00:52] Evan Francen: Yeah. Right. Yeah. I was up until, I don’t know what time last night and whatever. I’m not gonna complain. It were security people and we often work long hours.

[00:01:04] Brad Nigh: Yeah, it does. It does eventually, you know, kind of catch up to you and you have to reset.

[00:01:11] Evan Francen: But right. Yeah. Yeah. I was going to have to say some jokes, but they’re inappropriate and I’m not sure if we’re in cancel culture or not. So I’m not going to say stuff. I want to offend anybody. But the, Okay, episode 119, uh, things to talk about today, things that I wanted to talk about today. There’s uh, serving unusual itself. Um, Naked Security, you know, had published uh, an article and actually did a podcast on it too. But how one man silently infiltrated dozens of high-tech networks. And I thought the attack vector was pretty novel because it’s, you know, I guess I didn’t think about it that way. Um, but it was very effective. Right? It didn’t require him to crack any passwords, often require him to really, you know, do much, you know, to break in. It’s just sort of a back door that I think a lot of people don’t realize is there. Yeah, so a little scary because you know that yeah, the way we develop software today, it’s not like everything is developed in house. We’re pulling libraries from all over the damn place. And anyway, that’s uh that’s pretty scary.

[00:02:33] Brad Nigh: There’s a lot of implied trust there

[00:02:37] Evan Francen: totally, man. And I, yeah, we’ve got, we’re going to have to do something about it because it’s, it’s another sort of attack vector. That’s not all that. I mean, it’s different than what we saw with SolarWinds and the whole that whole debacle. But there’s some similarities between the attack vectors and um yeah, now it’s been published, so if any of the attackers hadn’t been thinking this way, well, it’s right there in front of, you know, Yeah, I want to talk about that. I wanted to talk about my a good friend Michael Cohen from GPM, he’s a lawyer. Uh he just released a new uh, it’s called the legal guide to private data. The legal guide to privacy and data security. The reason why I wanted to announce that. I said, I think it’s a great reference. It’s completely free. Uh the legal landscape of for information security and privacy in the United States is all over the map. And uh I think it’s a good free reference, you know, written by a guy who knows what he’s talking about.

[00:03:47] Brad Nigh: Yeah, yeah. He’s uh like talking to him.

[00:03:50] Evan Francen: Yeah. Right. He’s got that dry sense of humor too. All right. I sort of get it.

[00:03:56] Brad Nigh: That was probably one of the few times I think I’ve ever said that about a lawyer.

[00:04:00] Evan Francen: Right? Yeah, we can do all kinds of lawyer jokes. He’s probably got some good lawyer jokes too, maybe we’ll have him on as a guest sometime. Uh so I figured we talk about that. And then just before we started the show, we were talking about uh you know, it’s not old old news, but you know, things move really fast around here. But the, you know, the Oldsmar water attack, we can talk about that again briefly before we roll into some news stuff. So I think that’s the that’s the agenda. But before we dive in too deep. How you doing? How’s how’s uh how’s things

[00:04:38] Brad Nigh: good? Yeah, yeah, Oldest turned 15 on Monday and got her learner’s permit. That’s terrifying.

[00:04:46] Evan Francen: You know, I’m looking at your beard right now. I don’t see any grey hairs in there, man.

[00:04:49] Brad Nigh: Well there, over on the side,

[00:04:51] Evan Francen: okay. If you look at mine, they’re like

[00:04:55] Brad Nigh: all over

[00:04:56] Evan Francen: right on from

[00:04:57] Brad Nigh: now. The kid driving so I’m sure it’ll turn great pretty quickly. But yeah, it’s fun. She’s so excited about it so kind of something nice and right uplifting positive and the crap that has been the last year. Yeah.

[00:05:17] Evan Francen: Uh Yeah I got back, well you know I was got back from part of my aorta. Mhm. Last week I came back to this 2020 plus 10 below zero. Are you kidding me?

[00:05:31] Brad Nigh: I think we went from like thursday until yesterday where we didn’t get above zero. Uh huh I don’t know if it’s frozen or farm frozen.

[00:05:51] Evan Francen: Yeah it’s my VPN man, I’m always on VPN so sometimes VPN kind of gets chunky for me

[00:06:00] Brad Nigh: okay. Yeah it froze up there was like oh

[00:06:03] Evan Francen: like it turned my VPN off. I am on my home, my own home network but I’m a security guy.

[00:06:11] Brad Nigh: Yeah. Anyway, so I missed you so you got home and I said it hadn’t been above zero since from thursday until yesterday and then your friends up so I didn’t hear what you said.

[00:06:22] Evan Francen: Oh it’s just the whole country is frozen.

[00:06:26] Brad Nigh: Yeah, so I know we’ve been talking to talking with Oscar and like they’ve gotten a cat inch of ice down there and you see the stories about Texas where those buildings aren’t built and insulated for single digits and pipes bursting and the electricity being out, You know you’re seeing pictures and apartments in the houses that are like 30° inside and it’s not like up here where you’ve got snow gear and you know, you’re used to these things, but it’s been, it’s crazy

[00:07:07] Evan Francen: when I got friends down in Texas and they’re all without power. Yeah.

[00:07:12] Brad Nigh: Mhm Yeah, and who knows when it’s gonna come back.

[00:07:16] Evan Francen: Right. And that, you know, we take that stuff, I don’t know, I sort of take that stuff for granted sometimes, you know, you get up in the morning and you turn on the light, you know, you’ve got a nice warm shower, you got heat in the house, you know, it’s just we take those that stuff for granted. I can’t imagine going through 20 some odd below here in Minnesota without power,

[00:07:38] Brad Nigh: you know, that would be, I don’t think, I don’t know how you could

[00:07:43] Evan Francen: Right, do you have a generator?

[00:07:45] Brad Nigh: I don’t, we actually looked very hard at when we have to have our roof replaced due to hail damage at doing solar roof. Mhm. Right. It was just, it was too much at the time.

[00:07:58] Evan Francen: What do you what do you do with a solar roof in the winter in Minnesota when there’s snow and stuff that will it Okay.

[00:08:08] Brad Nigh: Yeah, because you get is a slide off that’s at an angle. Okay. And it’s, you know, so, but yeah, we are houses the back of the house is facing and based on the Google’s solar project, it would cover 99% of our electricity use,

[00:08:29] Evan Francen: you know, my mother lives in Ohio and she’s got, you know, she bought a farm down there after retirement and yes, she uses solar power and actually sells a good amount of power back to the power company. Yeah, yeah. So she actually gets negative power I guess. Yeah,

[00:08:55] Brad Nigh: his credit.

[00:08:56] Evan Francen: Yeah. And they, we hear, you know, I’ve got a gas, I’ve got a couple of actually a couple of, You know, gas generators. Um my house was built in 1872, so you just never know what’s going on around here. Uh the power has been very stable, so I’ve only had to use them, you know, a couple of times, but we thought about getting a natural gas, you know, generator, those are really nice. You’ve seen those?

[00:09:23] Brad Nigh: No.

[00:09:25] Evan Francen: Yeah, basically they, it’s a big generator, it’s usually a whole house generator and it hooks up to your natural gas and some of them are built with, with automatic transfer switches. So when power goes out it will just automatically kick on and they’re pretty quiet, you know, so you have to go out there and start it or anything interesting. Yeah, I think Home Depot has some lows has them. Uh you can find them online. I thought about that. Yeah,

[00:09:56] Brad Nigh: yeah, natural gas, uh might not be a bad idea.

[00:10:00] Evan Francen: Yeah. You know, they're sort of expensive, but you know, when you need them, you don't really think about the expense.

[00:10:07] Brad Nigh: Right, right. Yeah, Yeah that’s very true luckily you know not going to live with that very little power issues up in Minnesota period. So.

[00:10:21] Evan Francen: Well it’s funny how the power grid sort of works here because you live what maybe 10 less than 10 miles from me and your power might be really stable because you also live in a newer neighborhood. I live in a downtown small town where it’s an old neighbourhood, older infrastructure. It’s not uncommon. I would say once a year, maybe twice a year we’ll lose power here. Hm. Um And I’ve run my generators before I actually borrowed or lent one of my generators to a friend and then the generator I had running in my garage and I ran there were extension cords going to three other houses because they didn’t have generators.

[00:11:03] Brad Nigh: That’s funny.

[00:11:04] Evan Francen: Yeah. So I was running, you know, my neighbor to the back was running his refrigerator. The neighbor over here, I was running his uh his freezer, you know he's got one of those chest freezers, he didn't want to lose all his meat and everything and then I had, you know, my own. It was funny

[00:11:22] Brad Nigh: that is. Oh, you know, now if power goes out in the winter and it's gonna be out for an extended period you just put your stuff out in the garage. Like I think our garage yesterday was like 15°.

[00:11:35] Evan Francen: Yeah. Yeah man. I mean it's not how fast... that cold just sort of sneaks up on you when you go outside. You know, at first it's not so cold and then next thing you know, your fingers are stinging and your face is falling off.

[00:11:52] Brad Nigh: Oh, just, you know, at the bus stop, we wait in the car till the bus comes around the corner. Then I get out and help the kindergartner get his backpack and stuff because he's got all the snow gear, walk to the bus, like we're at the intersection, right? So I walk to the bus and wait for it to leave because all the parents have to wait because your kids get upset if you don't. And my moustache is like frozen solid. It's got icicles just from breathing, it's so cold.

[00:12:23] Evan Francen: Yeah. I have a friend of mine who's down in Austin, Ted, he was texting me, you know, he showed me the temperature and he's like, you know, I don't expect any sympathy, but you know, I'm like, well actually I'll give you sympathy man, I feel bad about it. Oh, you know, just because it gets down to 20, 30 below zero here doesn't mean I don't feel bad for somebody who's mm in other parts of the country, man,

[00:12:51] Brad Nigh: they're not typically going to have the right gear to get through that because it's not normal. Why would you get heavy gear and snow pants and boots and all that stuff if this happens what, once a decade?

[00:13:09] Evan Francen: Right. Right.

[00:13:11] Brad Nigh: Even if it’s once a year, it’s probably not worth it.

[00:13:15] Evan Francen: Yeah. Very true. Very, very true. All right. Let's go to uh this article, this, you know, from Naked Security. The guy's name is uh Birsan, I can't remember his last name. Birsan, Alex Birsan. So Alex Birsan did a paper, wanted to do a research study and what he wanted to do was uh you know, there are bug bounties everywhere. So he didn't break any laws or anything. He followed the rules and in that he capitalized on the fact that many of our software programs are not all self-contained, you know, to a single development shop. Right. You call libraries and things that other people have written because it makes your code more efficient. Uh Some of these libraries, I mean they do functions that it would take you years to develop. Right,

[00:14:16] Brad Nigh: Well, why reinvent the wheel with some of this stuff? Because I think he said some of these things can take a long time.

[00:14:24] Evan Francen: Yeah. So, you know, I mean, take like uh you know, in the article, you know, one example is, you know, bcrypt.dll, you know, which is for encryption obviously. Uh it's simple to call that function, you know, BCryptGenRandom, and encrypt whatever it is you want to encrypt versus write the entire, I guess, library to perform all those functions. Um Mhm. So that's the good thing, is it makes our code much more efficient. And the bad thing is we're pulling libraries and trusting a bunch of different people, you know, some open source, many, many times outside of our own organization. We're trusting their development, their testing, their security when we're pulling in those things, and nobody's really immune to this. I mean, SecurityStudio is a software development shop where they're doing all kinds of things. They didn't write every single line of code. Right. I mean, you almost can't nowadays, you know, it's become so dependent upon reusing code across organizations. Also understanding that ah you know, he went down the path of trying to figure out what, because you know, take Microsoft, for instance, Microsoft will have their, you know, they do keep things somewhat containerized so they may write a piece of code and then store it internally. Um and then just call that code internally. Right. Right. Yeah. Now, if you can figure out the name of the library that's being called, you could potentially uh create a new library outside of that. So yeah. Well

[00:16:27] Brad Nigh: even then, like they have a good example there of uh you know, facenet. Well, you're dependent on, you use it. So you're depending on that. But then you look, and just at a high level there's like 15 libraries that facenet depends on, because it stacks. Right? So, you know, facenet is depending on, in the example, chinese-whispers. chinese-whispers needs jsnetworkx, which needs uh babel-runtime, which needs regenerator-runtime, you know? So it just stacks and yeah, it makes your life a lot easier. But it's complex behind the scenes.

[00:17:07] Evan Francen: Super complex, because you know, you go down through the layers, it's like following the branch of a tree, it branches out and branches out and branches out. So yeah, facenet calls, you know, @types/ndarray, argparse, blessed, blessed-contrib, brolog, canvas, chinese-whispers. chinese-whispers then calls jsnetworkx, knuth-shuffle, numjs, jsnetworkx, babel-runtime, lodash, on and on and on. And so one little call might actually be, you know, you think it's just one call to one library, but actually it might be a call to 200 different libraries, 1000 different libraries. I mean, the rabbit hole can go really, really deep. What

[00:18:00] Brad Nigh: do we say about complexity?

[00:18:02] Evan Francen: Oh my God. Right. It gets super complex. And so security. Right. And we call those dependencies. Right? I mean, one piece of code is dependent upon another piece of code, dependent on another piece of code, and on and on and on. And so we have, you know, understanding that this gets really complex. So we need to automate the updates, because that's another thing. Right? You need to patch. Every line of code beyond, I would say, hello world, mm, probably has an error in it somewhere. Right. Or a vulnerability that maybe the developer didn't realize at the time. Technology has changed. I mean, there's just a ton of different reasons why you need to keep your code up to date. Yeah. So recognizing that that's a big issue. You know, we have things like PyPI for Python, RubyGems for Ruby and npm for Node.js. These are package management tools that essentially figure out, or try to manage, the dependency complexity and go and get all of these updates automatically for your code. So you don't have to keep track of, what do I need to update, this and look at that, look at this, all that stuff sort of through the chain ends up kind of getting updated automatically for you. Huge convenience. Plus I think it's a good security thing. But what happens, you know, if um, you can essentially trick one of these package management tools to update code with your code versus the code it was supposed to be updating with? Yeah. And so in that, uh, it's sort of what Birsan took advantage of, or you know, sort of pointed out that this is an issue. So big vendors, you know, and what's mentioned in the article is Apple, Microsoft, Tesla, Uber, Yelp, many, many others, they have their dependencies, but some of those dependencies are also internal. Right, right. So we can have dependencies where we're calling some sort of, you know, shared public sort of library, uh some open source thing. We've also got internal dependencies.

[00:20:18] Brad Nigh: Yeah, Which makes sense because you’re, you know, every organization would be different, has different needs. You build your custom code that calls the public libraries, you’re not rewriting everything.

[00:20:30] Evan Francen: Yeah, yeah. And some of that code you want to keep proprietary, some of that code you invested a lot of time in. So maybe your some of your libraries are internal. Mhm. We want to keep them uh you know, internal. So, um organizations who keep those things internal. What he was curious about is if he could collect a list or find a list of unique package names from these big players and and then change or essentially create the same package that are not the same package, not the same code, but the same package name, essentially would one of these package management tools automatically update with his code versus the internal

[00:21:20] Brad Nigh: based on name

[00:21:22] Evan Francen: based on name, yep. And so, you know, he went about that now finding the unique package of unique package names of some of the cook uh you know, the big players, you can oftentimes you find that in the code itself. Right,

[00:21:39] Brad Nigh: which isn’t, you know, it’s that’s necessarily secret right there, publishing out to make a website work. Well then it’s public.

[00:21:49] Evan Francen: Right? Right. So then taking those internal names, putting them into open package, open source package repositories um with the same names and then publishing those and then basically sitting back and watching and seeing what calls home, he didn’t insert any malicious code malware was

[00:22:14] Brad Nigh: just that call home functionality. That verification.

[00:22:17] Evan Francen: Right. Right. And you know, essentially waited and many dozens of them ended up uh going home, you know, so probably surprising maybe, I mean, I can just imagine when he’s sitting there like yeah, they’re calling home, so that’s a big issue, Right? If we can trick essentially trick software trick an application to use my library instead of the one that you intended it to use.

[00:22:53] Brad Nigh: Right. Yeah. It’s like you have full remote code execution at that point,

[00:23:01] Evan Francen: but yeah, when he wants to stop you. Yeah.

[00:23:05] Brad Nigh: Uh huh.

[00:23:07] Evan Francen: So that the sort of the scary thing about this is this has been this way for a long time.

[00:23:15] Brad Nigh: Mhm. Yeah, I wonder how many attacks we’re gonna learn about now that people are going back and going that’s what happened.

[00:23:23] Evan Francen: Right, Yes, I did, yeah. So there's some good, you know, tips on how, if you are a software development shop, on how you can uh you know, kind of avoid this attack. I think none of these things is going to guarantee it,

[00:23:43] Brad Nigh: you know, just as a kind of an insight, but on the same lines, the web server that had uh the malicious activity, it was due to a DLL, or basically the library, that was like three years old. Or it had a known execution, remote code execution vulnerability that was patched in 2019 and it was from 2016. So, you know, you gotta have... Yeah, sure. The web server itself, the OS and, you know, the web server software was updated, but those packages that they were using for, you know, functionality, they didn't think to update that. Right. So basically the same kind of thing

[00:24:36] Evan Francen: it is man, how many times have we seen? I mean, I've seen it, I can remember at least half a dozen times when the maintainer of open source code essentially, you know, wants to retire. Right. And so another maintainer comes in or somebody else, you know, ends up, you know, sort of maintaining the code. Didn't we have a, like a Magecart, wasn't it? Magecart, yeah, it was a malicious person who took

[00:25:05] Brad Nigh: over

[00:25:05] Evan Francen: maintenance of the code and Magecart was in, you know, thousands and thousands of installations.

[00:25:12] Brad Nigh: Yeah. Well what’s crazy on this one? It was it was paid software like it was, you know, commercial software that didn’t get updated. Right. You know, I can see where you’re going though like yeah, the maintainer stops, maybe nobody takes over and now it doesn’t get updated but it’s so you got so many dependencies or other libraries have to depend on it that you can’t just stop using it.

[00:25:42] Evan Francen: Right. Right. So from a software development perspective, I mean you really need to be cognizant of these attack vectors. Right? And account for them in your own software development as a consumer, you’re basically powerless.

[00:26:02] Brad Nigh: Oh yeah. I mean this is mm literally one of the few times where there is nothing you can do.

[00:26:11] Evan Francen: Right? I don't know. Yeah, because you wouldn't know if this is normal behavior, right? Or abnormal behavior, because you don't know the internal workings of the code and it's not like you're going to, you know, take it, decompile it, try to figure out all these things, figure out all the dependencies, track that back and go down the path of who calls what and what. Forget about it. Right?

[00:26:38] Brad Nigh: Yeah. It’s it’s crazy.

[00:26:42] Evan Francen: Yeah. It's a huge mess, man. And I'm thankful that he, you know, went down this path and took this approach because it opens up a whole Pandora's box of issues that we're gonna have to account for or deal with somehow. Yeah,

[00:27:03] Brad Nigh: yeah. And you know, he has a good article at the end from Microsoft, I haven't read it yet, but the three ways to mitigate risk using private package feeds. So I've downloaded that, I'm gonna be reading that later for fun, because that's what we do. But yeah, I thought this was a really well written article and had some really good recommendations at the end.

[00:27:27] Evan Francen: Right. Right. For sure. And for people who want to reference it or go read it themselves, the name of the article is "How one man silently infiltrated dozens of high-tech networks." It's on the Naked Security blog by Sophos, a really good read. The author does a great job of walking you through how this becomes a big, I mean, how this is such a big issue, and it's kind of that Pandora's box. I also like how, you know, there were about six tips on what you can do, you know, from a development perspective. So the first one: separate your developers from live public repositories. Don't allow external package updates in your development network until they've been downloaded and vetted by your security team. So it's basically quarantining, creating a container where you're not just gonna allow these automatic external package updates, you're going to get them first, make sure they're legitimate and then allow them into your repository.

[00:28:36] Brad Nigh: Yeah. And if you read the actual article that's referenced, there is a lot more technical information in it. It's on Medium, but that was really cool. It's crazy how some of these people, like, find these things, and I know our guys have done it too, with, you can't mention some of the stuff because, you know, but like yeah, it just blows my mind. Like I saw it and I'm like, I probably would have never thought of that.

[00:29:05] Evan Francen: Well, that's why, you know, in that, another thought process, you know? Uh no matter how good you think you are, how, you know, technically brilliant you are. Mhm. It's so important to have different perspectives. Different people look at problems in a different way. I'm much more of a break down your front door kind of guy. You know, I mean occasionally if it's too hard to break through your, you know, your door, maybe look for something around the other side. Whereas other people think like, I'm already looking around the other side. I don't give a crap about the front door. And it's just a different way of thinking. It's a different perspective. And people like Birsan, people like you, you know, people like, you know, Oscar and his team, that's why it fascinates me. Because it's like you looked at this problem from a totally different angle. Mhm. And exposed something. Made it, you know, made our solution a lot more valuable.

[00:30:06] Brad Nigh: Yeah. Oh yeah. The the more diversity and experience, we’ve said it many times, it’s going to make the team and make you better.

[00:30:15] Evan Francen: Yeah. And I look at it from, I'm much more of a logic person too, you know, logic kind of, reason kind of person, thinking critically. Take race out of it, take everything else out of it, take gender out of it. What's important, just functionally, is the diversity of thought. Now somebody who grows up in a different race, a different race than me, has a different perspective on things. That's why they're so valuable. I mean, all these different perspectives, right? Race, gender, sexual preference, whatever, you're thinking different than I am. And rather than, like, that's bad, it's like no, bring that stuff. We want that. Okay.

[00:31:01] Brad Nigh: Yeah. It, you know. Uh Yeah, so good people that, you know, and we see it all the time. And that's probably part of the problem with our industry, is that they know everything, aren't willing to listen to others.

[00:31:19] Evan Francen: I think those are the people that are the easiest to attack.

[00:31:24] Brad Nigh: Mhm. Yeah.

[00:31:27] Evan Francen: Because you’re so you’re so myopic and close minded and focused on this one thing while, you know, everybody’s taking stuff out the back door,

[00:31:35] Brad Nigh: Right? Exactly. Yeah. You’re so focused on making sure the front door is locked and secure that you forgot the garage is wide open. Yeah.

[00:31:44] Evan Francen: All right. Uh So other things, you know, just real quick. I'll go through the list in the article. Be prepared to rewrite your modules uh and keep dependencies under control. Uh Really vet every single dependency that you use in your code and follow the rabbit hole, right? It's your responsibility to do that, not your consumer's responsibility to do that. Mhm. So vet it all the way through. And if you can't, or you're too lazy or don't want to, well then don't use it. Yeah, you gotta know your code works, man. And the code that you're borrowing from other people, you got to know how that works,

[00:32:27] Brad Nigh: yep. Yeah. Well yeah, can’t just assume

[00:32:33] Evan Francen: no. Another tip: review all package update tools and stop them accessing public repositories unless they are supposed to. Specify and verify dependencies that are in their allowed versions as strictly as you can. Uh Don't let code review become a simple checkbox. Oh my God, checkbox security ticks me

[00:32:55] Brad Nigh: off. Yeah,

[00:32:59] Evan Francen: yeah, the checkboxes are meant to be used at a higher level. Right, did you complete this task? And this task might be, you know, a static code review, you know, given all these requirements. So it's not like the minimum, I do, you know, it's just the checkbox, it's like no, it's a reminder sort of thing. Not a, right, you know. Yeah,

[00:33:25] Brad Nigh: agreed.

[00:33:27] Evan Francen: The last one is verify external package updates by watching for unexpected file system changes on a test system first before releasing into production. That just seems reasonable. Mhm. Uh So really the onus is on development, man, this is not something consumers can or should do

[00:33:48] Brad Nigh: and I can tell you, you know, we've had multiple engagements with companies that, you know, there's software development companies or internal dev teams, with our pen testers about SDLC, and you talk to them and it's like,

[00:34:05] Evan Francen: mm, Okay. Yeah. But if you can't develop software, uh, responsibly, don't develop software,

[00:34:17] Brad Nigh: Right? And I will give credit to this company. They realized and identified a vulnerability or weakness and took steps to correct it. Which I mean that’s really all you can ask for. Yeah.

[00:34:33] Evan Francen: Yeah. Well, and one of the things we're working on, and I haven't really mentioned it too much because it's not exactly ready, is uh, me and some friends are putting together a think tank sort of thing. And in that is, and it's not like, you'll have to see that, eventually we'll put it on the show, you know, and you and I'll talk about it. But it's very much focused on fixing real issues in our industry, as a collective, as a collaboration, keeping money out of it, keeping ego out of it, keeping all this crap out of it. And so the core values of this are very strict, right? It's not there for you to make more money. We're not going to accept sponsorships. You know, it's just, it's very clear, but one of those problems, you know, as a seed problem that I'm suggesting that the group work on, because you'll become a member too. I'm guessing you would certainly be invited to become a member? It's up to you whether you want to. Um, but one of those issues is how do we hold ourselves accountable? So how do we hold a software development organization accountable for crappy code that leads to significant losses for their consumers, or death? Mhm. Because until you start holding software development shops, and start holding Microsoft and Adobe, whoever, accountable for their code, you're going to keep having this problem, it's gonna get worse. Yeah,

[00:36:08] Brad Nigh: well, it's not just a simple problem either, because how much of this is open source? And how do you hold a volunteer that's not making any money, that's just doing it, you know? Do you hold them accountable because they made a mistake, versus that company that's counting on it and didn't, right, do their proper vetting? It's like, yeah, that's complex.

[00:36:36] Evan Francen: Well, these tech companies are making billions and billions and billions of dollars. You can't tell me that you can't slow down a little bit, invest a little more time and effort in ensuring your code is top notch quality, right? Including following all these dependencies, to put it on the consumer who can't afford that and couldn't do it anyway.

[00:36:59] Brad Nigh: Yeah, my, sorry, my dog is an idiot. He's out on the deck, rolling around in the snow. It's like what, negative two out?

[00:37:07] Evan Francen: My dog’s an idiot too. I love my dog so much. But yeah,

[00:37:12] Brad Nigh: sorry, totally distracted me. That that’s right outside the office. Um

[00:37:17] Evan Francen: Yeah, but we agreed. Yeah, stay tuned for uh for that, man, I'm excited to put that together and excited to be a part of that. Uh The other thing that I wanted to mention was, so Michael Cohen, who is an attorney at Lathrop GPM, really good guy, I enjoy every time I get to visit with him, they just published a free guide that's called "A Legal Guide to Privacy and Data Security." It's current, it's dated 2021. It's a long read, but it's a reference guide. It's 220 pages long. I doubt most people would read it cover to cover, but he does a fantastic job of breaking down all the confusion.

[00:38:08] Brad Nigh: I don’t think I would guess he didn’t intend it to be read cover to cover. It is really a reference. Hey, I have a question about this, I’m gonna go look at that.

[00:38:19] Evan Francen: Yeah, for sure.

[00:38:20] Brad Nigh: But yeah, it’s just really, really comprehensive.

[00:38:23] Evan Francen: Yeah, I did read, you know, some of it uh well, and one of the things, one of the questions that, you know, I debated with some friends and I think maybe even you was, you know, the right to privacy.

[00:38:39] Brad Nigh: Yeah, we talked about that.

[00:38:41] Evan Francen: Yeah. So on page one, essentially, actually the 15th page in the guide, he's got, you know, the legal basis for a right to privacy and I thought, wow, that's a good read. And so he highlights, you know, constitutionally, there is no explicit reference to privacy as a right in the United States Constitution. But the Supreme Court of the United States has, however, held in several cases that there exists a right to privacy, or at least a reasonable expectation of privacy, as implied in the 1st, 3rd, 4th, 9th and 14th amendments. And so I started reading, man, I'm like, okay, okay, that's great, that we're not doing any of that crap. Mhm. As a country, as an industry, the Supreme Court of the United States has held that these things are true, but that's not how we're operating. Yeah. Yes.

[00:39:49] Brad Nigh: Yeah. It's a uh it is a really interesting, you know, discussion. And you know, the fact that, yeah, he listed that there's 10 states that have right to privacy explicit in their state constitutions. Mm hmm. It's not good.

[00:40:11] Evan Francen: Well, and their language is all different too, right? And then what about the other 40 states? And it's not like you containerized all of your information in one state. Right.

[00:40:24] Brad Nigh: Well, I think that's why you're looking at some of these big companies saying, hey, let's get a federal privacy law. It's not because they're doing it out of goodwill. It's, complying with 50 individual states is a nightmare.

[00:40:38] Evan Francen: Yeah. Yes. Yes. So if you're in security and uh you're not a lawyer, but even if you are a lawyer, it's just a great reference guide. Uh you know, I've got it downloaded to my computer already and started reviewing it and it's going to be handy in a lot of different... Oh

[00:41:01] Brad Nigh: yeah. Yeah, I get asked these privacy questions all the time and it's always, I'm not a lawyer, this does not constitute legal advice, if you want, here, go talk to a lawyer. But you can look it up and give an opinion. It's like, hey, this is how I read it, but that doesn't, right, you need to talk to a lawyer.

[00:41:23] Evan Francen: Well, I don’t mind at all quoting lawyers. I mean this is if I quote right out of this guide, makes me sound smart. That’s for sure.

[00:41:33] Brad Nigh: Right. And you did a good job of putting it in a way that you can use too. It's not just quoting. Yeah. The laws.

[00:41:45] Evan Francen: Yeah. Very good. Yeah. Yeah. It's probably one of the best reference guides that I've seen and it's free. Mhm. Yeah. He's got it broken down, you know, legal basis for the right to privacy is kind of the opening, and then talks about federal laws governing data privacy and security. He's got HIPAA, COPPA, CAN-SPAM, ECPA, GLBA, TCPA, FCRA, in fact the F. A. A., some I haven't heard of before.

[00:42:16] Brad Nigh: Yeah. The junk fact, provincial facts, Junk Fax Prevention Act. I've never heard of that.

[00:42:21] Evan Francen: I never either. He had Junk Fax Prevention Act, JFPA. Yeah, I never heard of it either. Yeah. And then he talks about things, got a section dedicated to privacy and employment, the employment relationship, which is pretty cool. He breaks down all the state data privacy and security laws, you know, starting with Minnesota because that's his home state. That's uh it was actually, this was a collaboration effort between the state of Minnesota and him to make this guide free, and then breaks down all the other states. Yes, it's pretty cool stuff. And then he does talk a little bit about Canada and other countries, but this is really um domestic.

[00:43:11] Brad Nigh: I definitely read through the Minnesota one, just because it's where we live. So it's good to know.

[00:43:19] Evan Francen: Yeah. Yeah. He uh he emailed this to me yesterday and I was like, oh dang, because the last one I liked too, but he made this, this really, really is a lot better even than the last one.

[00:43:33] Brad Nigh: Yes. It’s really impressive.

[00:43:35] Evan Francen: Yeah. And the guy's name again, Michael Cohen, if you need a, I don't know if he needs business. I doubt it because he's probably swamped. But he works at Lathrop GPM, which is also a really good law firm. So there you go. Yeah. All right. That stuff is, that's not a cluster enough for you on a Wednesday morning? How about some news? Yeah. Oh boy. Oh boy. So here's uh here's one, the first one I've got. It's Hot for Security from Bitdefender, uh their blog, and Graham Cluley is, I think, the author of this article. The title is "After hackers blackmailed their clients, Finnish therapy firm declares bankruptcy." Remember this attack?

[00:44:22] Brad Nigh: Oh yeah.

[00:44:23] Evan Francen: No. Yeah. Well, they're bankrupt now. Yeah. Has surprised.

[00:44:30] Brad Nigh: And to just see how they got in, the login was root, root.

[00:44:37] Evan Francen: It's insane, man. The basics, isn't it? Always the basics? Yeah. Yeah. So it's hard to excuse yourself for that. And also the fact that, you know, the CEO, Ville Tapio, I believe it's really, it's V-I-L-L-E. Um tweet. They knew about it for a while, tried to kind of cover it up. And it wasn't until the attackers started going after the clients that it's like, okay, we have to sort of spill the beans here. And so I wonder if, I know it would be nice on things like this to hold an executive criminally responsible because it's criminal behavior.

[00:45:25] Brad Nigh: Yeah. I know I didn’t see anything specific to him other than that he was fired.

[00:45:35] Evan Francen: Yeah. I mean

[00:45:36] Brad Nigh: he was responsible for setting up the database apparently. So.

[00:45:40] Evan Francen: So he's saying, so the CEO sets up the database, the database is attacked and then he tries to hide it. No. Yeah. I don't have your CEO set up databases in most cases,

[00:45:54] Brad Nigh: not that, no offense to CEOs looking at,

[00:45:59] Evan Francen: you know I’m not saying. But

[00:46:02] Brad Nigh: even if you had done that in the past, it’s not what you’ve done in a really long time

[00:46:09] Evan Francen: No, I mean, even if I was super skilled in setting up databases, as a CEO I've got 1000 different things to do.

[00:46:16] Brad Nigh: Right? That’s not your job.

[00:46:18] Evan Francen: How much attention can I actually give to it? How much attention to detail? You know, I'm going to get that thing set up because it works, it works. Okay, go through and try to secure it, harden it, okay, I got something else to do, and then you forget where you left off. Yeah. No, let the specialists do that stuff. The only databases I stood up is maybe in test, you know, monkey around with stuff, but

[00:46:41] Brad Nigh: more for like Yeah,

[00:46:44] Evan Francen: yeah. So 40,000 patients were affected by the breach at the end of the day. And the name of the organization was Vastaamo, a psychotherapy practice. Right. So really significant data to go on and blackmail the clients with. So sorry, not sorry that you're declaring bankruptcy, because you probably shouldn't have been in business to begin with.

[00:47:13] Brad Nigh: Yeah, the downside is the people aspect of 400 employees. Yeah. Any of those were completely unaware or had no input into any of this and now they’re out of a job.

[00:47:27] Evan Francen: Exactly, yeah, hopefully they’ll land on their feet and hopefully the CEO maybe lands in jail because yeah, you’re right, look at that, you do that crappy behavior. You put 40,000 people at risk and the 400 employees that you lied to that depend on you to make good decisions. Any you got to pay a price for that pen. Yeah. Great. Those are real lives. Those are real people that suffer. Alright. The next one we can keep sort of short. It’s one from Silicon Angle and I just thought it was interesting because I haven’t heard much you know publicly from Microsoft CEO Brad or president Brad Smith, he labels the SolarWinds hack as the largest most sophisticated attack ever.

[00:48:23] Brad Nigh: Yeah. I mean he said that they figure it’s well over 1,000 engineers that worked on the attack. That’s I mean a significant amount of manpower.

[00:48:38] Evan Francen: I’m telling you brother this is and people don’t, at what point do you just call come out and just state that this is an act of war.

[00:48:50] Brad Nigh: Yeah. Well I mean it’s been attributed to the Russians but that’s as far as it’s gone.

[00:48:56] Evan Francen: When we talked about last week how the Chinese although they didn’t come through the same door. They were there too. Yeah. And I when will people really realize that the Chinese are not and the Russians are not our friends. Right? And I’m not saying a Chinese person right? Who immigrates to the United States? That’s different. The s they’re Chinese I’m talking about the Chinese government. I’m talking about the Russian government

[00:49:25] Brad Nigh: right? The leadership

[00:49:27] Evan Francen: not our friends.

[00:49:28] Brad Nigh: No. And I think that’s a good distinction too because I think a lot of times people do say, you know, Chinese arrogant, nothing. I mean you’ve got good and bad people everywhere. So look at the government, the leadership pacs, that’s where the issue is.

[00:49:44] Evan Francen: Exactly. So most significant attack ever. That doesn’t come as any surprise to you and me and many of the people in information security. The thing I liked about it was that this came from an interview on 60 Minutes that ran I think it was last Sunday night or the Sunday. Yeah, last Sunday night.

[00:50:05] Brad Nigh: Get ran on down Wednesday.

[00:50:08] Evan Francen: Yeah. So you know, hopefully the public wakes up because the only way you’re going to get real change at this level is a governmental change. And the only way that that’s going to happen is if you get the legislators to start taking this more seriously crafting real bills and laws that actually work. The only way that’s ever going to happen is that the citizens actually become educated and demand a change. So you know, I’m I’m grateful that this was a CBS news thing. It wasn’t some, you know, security blog, right? None of the normal people read.

[00:50:48] Brad Nigh: Yeah, I’ll have to watch that and see you.

[00:50:51] Evan Francen: Yeah, well that’s what I’ve got is uh, you know from The Hacker News and yeah, I’m tired of Microsoft patches, but you know, you got to do them. We issued patches. Microsoft issued patches for in the wild zero day attacks. Our vulnerabilities, I guess attacks exploit vulnerabilities in 55 other Windows bugs. I don’t know if you’ve noticed, but certainly on my own systems, I’ve noticed I’ve had to patch a lot more and I’ve had to reboot a lot more months now. The fact that the other things he’ll going on in the world, including SolarWinds and an increase in patching of not just Microsoft, but other things Apple. Uh, there is a relation. You never know the exact correlation, but it’s not coincidence. Right? So patch Windows systems and it’s a pain in the butt for everybody when you have to reboot and you got 500 windows open. It’s like son of a gun. I can’t remember what I had open where. Remember when Microsoft promised us that they, we weren’t ever going to have to reboot again on our patch.

[00:52:05] Brad Nigh: No, I probably just ignored it as like, Yeah, right.

[00:52:10] Evan Francen: Yeah. They promised it was sometime around two Windows 2000 I think, you know, people were migrating off of NT and No, and whatever it was a while ago. But I remember because we were planning about when, you know, when we were more sysadmin-y it was, I’m tired of rebooting all the damn time, it’s so disruptive to the business.

[00:52:33] Brad Nigh: Yeah, I’m tired of having to work on the weekends or overnight to patch

[00:52:37] Evan Francen: right. And uh, yeah, I think a lot of times we were using like HFNetChk for patching, remember HFNetChk?

[00:52:45] Brad Nigh: No, I never used that.

[00:52:46] Evan Francen: Okay, that was a command line tool that uh HFNetChk and I think it was Shavlik. Hm.

[00:52:54] Brad Nigh: Look at that.

[00:52:55] Evan Francen: Yeah. But you know we get so Microsoft, you know, came out in public and I’m gonna find a reference to where they said it but uh publicly, I think yeah, they said we’re going to build new versions of Windows that will not require you to reboot when you patch.

[00:53:16] Brad Nigh: That’s funny. I don’t remember that at all.

[00:53:20] Evan Francen: I have to find that. So here we are in 2021, I’m still having to reboot all the time, which is so disruptive because I do have a bunch of stuff open, I might have four or five spreadsheets open uh 5, 6 different Word. And then the fact that you’ve got all this authentication with cloud services that’s so tightly interweaved with all of this, that it’s not uncommon for me to use Word and then I get the stupid error message saying you can’t update or can’t save to my OneDrive because of just give me a break.

[00:54:02] Brad Nigh: I have used the WSUS, uh WSUS Offline, I used that for years anytime that there’s a new server before we got on the network. You have that USB plug in and run all the updates because it’s immediately vulnerable and you don’t want it touching the internet. Right.

[00:54:29] Evan Francen: But I would suggest, you know, for people that are responsible for, you know, technical aspects of security in organizations to go read what the actual patches are. So we do obviously patch, patch, patch, patch, keep software updated. That’s we’ve been beating that drum for a long time. But I wonder how many security folks actually take the time to go and read what the vulnerabilities were that we’re patching against. Uh But it’s always a good interesting

[00:54:59] Brad Nigh: read. Yeah.

[00:55:02] Evan Francen: Right. That’s that. Uh Yeah, I think that’s our news Brad. That this is it for episode 119. Is that what I said when I started this thing? Okay. Mhm. Hey, and we are going to get back to writing show notes. You know you and I were talking about before we will start posting show notes again. We’re not going to post the kind of the verbatim sort of dialogue show notes. We’re just going to post the things that we’re going to talk about on the podcast. Yeah, so Brad. Thank you. Thank you to our listeners. Uh Any shout outs?

[00:55:37] Brad Nigh: Yeah, I’ll give Matt Dowd and Tom Freidel a shout out for their hacked our hack dot E. D. U. It’s our internal kind of training for they did a uh thing on Juicy Potato. So token manipulation last week. Thanks Really, really, really well.

[00:55:56] Evan Francen: Cool. Yeah. I’ll see what the technical services team too. I’ll give a shout out to uh Mike Thompson, Pinky, I’ll give a shout out to Eric, I always give shout outs to Oscar so I’m not giving him one anymore. I mean not today. He always gets shout outs. But those guys did a great job. I thought on hacker box on Friday,

[00:56:17] Brad Nigh: I wasn’t able to listen. I’m optimistic that a meeting so bummed.

[00:56:22] Evan Francen: I think it’s recorded too. Yeah, it’s not a chance, but those, I love the way those guys were late and when I watched them, not only are they like super, super skilled, they’re just normal guys. You know, I mean there’s so much suffering. I love it. Right, That was fun. So, shout out to those guys. All right, thank you for our listeners. Send us things by email at unsecurity at protonmail dot com. I am actually going to go check that email today. So it’s been a while. My apologies. It’s on my list. Uh if you’re the social type, you can certainly socialize with us on Twitter. I’m Evan uh, @EvanFrancen. So my name and Brad’s @BradNigh, isn’t it? Uh if you wanna follow things going on with our companies, uh @FRSecure is always putting out some good content. Uh like things like hackle box things like uh you know, webinars and things that they’re doing. They’re usually or they’re always very educational and I think they do the one with uh what was the one they were going to do with

[00:57:33] Brad Nigh: Huntress, but

[00:57:33] Evan Francen: they don’t get enough. And then we’ve got one,

[00:57:37] Brad Nigh: I don’t know when that one is, but we’ve got one at that one with Arctic Wolf here in a couple weeks.

[00:57:42] Evan Francen: Okay, cool. Very cool. So tune in to uh you know, follow FRSecure on Twitter to check up on that stuff and then uh SecurityStudio, we’re @StudioSecurity. That’s it. So good to have a good day. We’ll talk to you next week.