Archive for category: Podcast

With many people working and schooling from home this year, in-home security is more important than ever. But why? Check out this episode to learn more about cybersecurity for remote workforce and the current work-at-home movement. Get some advice from the guys about the what you can do. As always, please feel free to send comments, questions, and feedback to us via email at unsecurity@protonmail.com.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: hey there, thank you for tuning in to this episode of Unsecurity podcast. This is episode 108. The date is december 2nd 2020 and I’m your host Brad Nigh joining me as usual as my good friend and coworker Evan Francen. Good morning Evan.

[00:00:37] Evan Francen: Good morning Brad. Nice to have you back man.

[00:00:39] Brad Nigh: Yeah, yeah. So I’ll share a little bit with with everyone. What was, what happened? So I had labyrinthitis which is basically the labyrinth is the fluid sack in your inner ear affects balance. And when I had that uh sinus and ear infection in october apparently the viral infection got into that and it can just sit there and randomly strike. So On the 17th, about noon I was like, Hi, something’s wrong. Um and you know, mentioned it right before the show. My dog, my 14 year old was like came in the office and was like dad, you look awful. And uh About 2:00, uh my wife is the nurse ended up saying no, we’re not, I’m not taking to the urgent care. I’m calling 911. So when, when the nurse says I’m doing that, you don’t really argue. Um, but yeah, yeah, it was, I was pretty much completely out of it from about noon on the 17th through really the following Sunday. And then um that monday Tuesday Wednesday of last week and was like, you know, if you’re even on cruises, you know that first day where you just can I feel like off it and kind of you just stumble or you know, you feel the rocking of the boat. That’s basically how I felt All the time uh from the 17th or the 18th on on the medicine, if I was doing the medicine we wear off, like it was about a half hour window where it would kind of stop but wind down and then another half hour where would start to pick upstairs about an hour. I was basically unable to do anything.

[00:02:49] Evan Francen: Uh Man, so it’s called lab bronchitis,

[00:02:52] Brad Nigh: yep. Yeah, so it’s basically like uh for anyone who’s had vertigo and it’s bad on steroids and it sticks around for you know, one or two weeks and a full recovery can take two months. So even now I’ll be standing and all of a sudden just like I feel like I’m falling or lose my balance, I have to take a step to like uh recover I guess, I don’t know the right way to put it, but um or yeah, I’ll be walking them, just like I was joking to one of the neighbors to see me walking down the street and be like picking up the kids from the bus that Why is he drunk at 4:00 in the afternoon stumbling around,

[00:03:40] Evan Francen: Well 2020 man. You have populations drunk by afternoon.

[00:03:46] Brad Nigh: Yeah, I am so done with 2020

[00:03:49] Evan Francen: well and add labyrinth itis to your list. Yeah. So we’re not we’re not sharing video today because that’s another that’s another trigger, right?

[00:04:02] Brad Nigh: Yeah. Yeah. I found the last couple of days here that, but having the video on and try to watch that in the screens. The screens enough are like I was offline for basically like seven days except for just kind of texting people to give updates because I couldn’t watch tv I couldn’t look at like an ipad or the phone or anything. Uh I would put on shows and then put on my uh you know, hat pulled the bring down so I couldn’t really see anything. I just listen to things. So it was like movies that I’ve seen or shows that I’ve watched a bunch of times just to kind of get through the day because I couldn’t actually watch the screen.

[00:04:47] Evan Francen: Yeah. Uh huh I’m glad you’re back man and I’m glad that it sounds like things are going to eventually returned to normal. Things are better today last week. Uh I’d go solo on the show again. Which are, you know, it’s just I totally get it. It’s just awkward as hell because you know, I’m sitting here talking like yeah, having a conversation with myself.

[00:05:11] Brad Nigh: Yeah. Yeah. I would have loved to have been able to do that. Yeah. But uh the fun part of it was the treatment is you basically just treat and uh handle the dizziness so that you don’t feel like you’re gonna be violently ill all the time. And so it was like meh cuisine which is basically it’s a cousin of Dramamine for the emotion sickness stuff and Valium. So I just basically slept for the three or 4 days and then was pretty kind of cut the dosage down. But yeah, I didn’t care too much. It was a nice I guess you know if you’re gonna suffer through it at least be pretty chilled out

[00:06:05] Evan Francen: someone something through it. High man, why not?

[00:06:09] Brad Nigh: I would not wish that on anyone. It was yeah, it was not fun.

[00:06:15] Evan Francen: Well there’s probably some people I would maybe wish it on but Well that’s a whole nother that’s a whole nother show.

[00:06:21] Brad Nigh: Yeah that’s part of the uh security shit show.

[00:06:26] Evan Francen: Or maybe that’s part of CNN or Fox News. Yeah, there you go. Alright well anyway, it’s your show to lead uh fourth quarter man. So on top of all of that, fourth quarter is always crazy, you know, for people, for people who are you know security people or people especially in information security consulting. This is the craziest time of the year man. And so you’re having to deal with that and this Labyrinth itis thing man. How’s that? Gotta be nuts. Be backlogged right now.

[00:07:02] Brad Nigh: I signed on monday and had I don’t even I honestly don’t know the exact count. I had well over 100 emails to try and get through

[00:07:13] Evan Francen: from the that’s not that’s a weekend man. Yeah. Well not

[00:07:19] Brad Nigh: to mention you know a week and a half of work that I missed. Yeah it was uh you know we’ll get caught up at some point like in you know february march.

[00:07:32] Evan Francen: There you go. Well. And for people who who know me know that my son joe is also a penetration tester. Uh I like to think he’s a good one because he’s got I put pressure on him but you know I don’t know well that Oscar tell us But the uh I was talking to him this weekend. He came over for a little bit and uh just you know hey how you doing man busy? It’s like 100 100% capacity. Like I I have no time. I’m like well then what are you doing here? I didn’t say that. But now they’re uh what the team is working under um if you want to take on extra work you can get paid extra. Right?

[00:08:16] Brad Nigh: You’re kind of like a little bit of a bit program where if you’re going to work nights and weekends to take on the extra work we’ll get a little little bonus to you for giving up your personal time.

[00:08:30] Evan Francen: So like that and you make it so then it’s not mandatory you know and you know, if I want a little extra few extra bucks for christmas, you know, I can, I can do that.

[00:08:39] Brad Nigh: Yeah, yeah and you know Oscar has been fantastic with managing that team to and making sure like, hey, there’s no pressure if you, if you have something to do, don’t worry about it, if you want to take it on, let me know and we’ll, you know, we can schedule something. But yeah, yeah and then uh yeah, I think the text services, the pin testing team is kind of pretty much booked through like mid january at this point. There about six weeks out I think. And then I know consulting team was at 92% capacity across all of the analysts through at least through the end of the year. That was Prior, it was 16 November. So it’s been two weeks, I’m not sure exactly where they’re at at this point.

[00:09:33] Evan Francen: Yeah, all the, yeah, like I said, man, it’s that time of year, it’s the same way every year.

[00:09:41] Brad Nigh: It’s well this year has been interesting in that, you know, with covid and everything shutting down, you know, for kind of like april may june, we were like nobody wanted to do anything because they were trying to figure out how to work remotely and just keep afloat right. And then all of a sudden it was like okay now go everyone at the same time, we need our stuff that we didn’t do three months ago on top of our standard like you for everybody freaking out to get stuff done at the end of the year. So it’s been uh been an interesting interesting year. Yeah,

[00:10:27] Evan Francen: let’s get it will keep your body of trouble. You gotta keep him busy. It’s better to be busier than it is to be not busy. Uh True.

[00:10:36] Brad Nigh: Although I won’t lie. Uh you know, not, not how I wanted to keep get some time off,

[00:10:44] Evan Francen: but you know, I don’t know, man. All drugged up chilling out. I don’t know.

[00:10:51] Brad Nigh: Yeah, no, it wasn’t not cool.

[00:10:56] Evan Francen: Well, the uh and there’s been a lot of stuff going on. So last week was thanksgiving. It seems like, you know, by really fast, we didn’t do the security show last week because it was thanksgiving um that there’s 1000 things going on, you know, and in my world it seems like, you know, between development stuff and you know, last I guess just yesterday wrote uh I don’t know if you saw it. The holiday shopping safety checklist. Mm Just see that.

[00:11:33] Brad Nigh: No,

[00:11:35] Evan Francen: it’s probably the best piece of work I’ve ever done. All

[00:11:39] Brad Nigh: right. I’m gonna Okay right now

[00:11:41] Evan Francen: over talking. Love it. Uh a few weeks. About a month. I think I’ll be heading down to uh heading out of town again to write another book United and get a chance to finish our book. No, I really even get started much because of Covid this week, this year. Um So, you know, there will be we’ll talk more about that. I think in future shows about what the book is. And I think it’s going to be really helpful to people. It will be sort of a handbook on how to do virtual chief information security officer work. I think it’ll be fun.

[00:12:20] Brad Nigh: Yeah. And you know what’s interesting? I think it will also be good not just virtual but just for CSOS in general. Right? People that want to run their own program or are trying to run their own program, but yeah, it will be primarily focused on the virtual piece. Yeah. But yeah, I’m gonna send you a picture. I speaking of thanksgiving and I smoked turkey. Uh So I was very glad I was feeling well enough to do that. So I did this that part

[00:12:56] Evan Francen: uh gets rolling. It’s a rolling papers for a turkey.

[00:13:01] Brad Nigh: Mhm. I did the uh did the dispatch coughing where you cut the backbone out and what? So it’s there was so good.

[00:13:14] Evan Francen: Yeah. All right, well, uh we’re back to information security at home. Right? Yeah.

[00:13:22] Brad Nigh: Yeah. We were planning on doing this last week, but like it says in the notes 2020 won’t stop 2020. So talking about, you know, kind of what we do um Why is this a big deal? And and you know, how can normal people or what can other people do to protect themselves?

[00:13:48] Evan Francen: Yeah, well it’s uh that’s the thing man? I mean at home nobody is responsible for your information security more than you are. Right, Right. Nobody can stop you from clicking links unless you’re going to stop yourself from clinics, nobody’s going to keep your kids safe, you know more than you should write as much as I’d love to help you more. I can’t. Right, everyone did you try to keep my kids safe?

[00:14:19] Brad Nigh: And we’ve said it, I mean how many times, you know what, what if you see people clicking links at work, you know, they’re doing it at home so we want to get good, you know what they do at home and what they do at work are going to be the same. That’s why it’s so important for training awareness and trying to help people because you know, if there if they lose their their bank account gets trained, do you think that’s going to affect their work? Oh yeah,

[00:14:48] Evan Francen: exactly. Well, so what are some of the things now, you and I are security people, we do this stuff, you know, for a living and I think what makes that different, you know, it’s just like a there’s one of two ways to go about it, you know, I think of some of my friends who are auto mechanics and some of them have the worst running cars on the road because they don’t care. I know that if it breaks down, I can just fix it,

[00:15:18] Brad Nigh: it’s like the is it the cobbler shoes, right? It’s always the you you always have the worst of whatever you’re doing.

[00:15:27] Evan Francen: Yeah, so I think some of us, you know in this industry, you know the way we secure ourselves at home, it’s whatever than others of us I think are a little more paranoid and probably can we go too far?

[00:15:41] Brad Nigh: I’m probably more on the the maybe that that called paranoid, but definitely on the that side of it versus the

[00:15:52] Evan Francen: Yeah, I think having kids makes a big difference to write uh or having you know family at home because I might trust myself pretty well, but you know my six year old daughter, I kind of want to protect her, I kind of want to do whatever I can to make sure that she’s safe, right? Mhm.

[00:16:14] Brad Nigh: Yeah. Yeah, so you know, I think we’re looking at it immediately, what are some of the like really call it, I guess quick winds that people could do. Um and I think the most obvious one to me is just make sure you change the default passwords on your wifi or your router, like you haven’t done that start there. Yeah, don’t worry about anything else, just start with that. Mhm.

[00:16:45] Evan Francen: And defaults always make it, yeah, make it too easy for you know, the bad guys to get in, wow, I think it’s a great start and I think it’s, you know, have a discussion with your family a lot of times you don’t even talk about this stuff. You know, you don’t, you don’t sit around the dinner table and talk about, hey tell me about your passwords. You you’re keeping those was legit but if you don’t have to, you know, obviously say that I was joking but just talk about, you know, what do you do online? Talk to your daughter, talk to your son. I talked to your wife. You know you me you may find that I don’t know she’s shopping. Yeah, I mean I don’t know there’s all kinds of things that could be happening but it’s it’s just this conversation we just have this ignorance about us. Sometimes we’re, you know, I don’t know, especially this time of year, right? You’re gonna be flooding in probably some new IOT devices. Maybe a new Tv. That’s uh you know it’s gonna be a smart Tv because they don’t make dumb ones anymore. You know do a little research before you start plugging things in. But I agree with you man, the biggest thing is update and uh change defaults, keep things, you know, patched.

[00:18:10] Brad Nigh: Yeah well that’s a good point updating, you know, making sure that you do apply security patches when they become available. Um although unfortunately with IOT you just don’t see that very often.

[00:18:27] Evan Francen: No, no when it’s funny this last was last week, the Senate, I think just past the uh the first um federal legislation on IOT security um it needs to be signed by the president before it becomes law. But it’s that’s kind of exciting. I okay I O. X. T. Alliance I think lead kind of the charge on that. Yeah. Nice. Could expect I would expect IOT to get better in time but between now and then you’re gonna have to suffer through some of this stuff.

[00:19:07] Brad Nigh: Yeah I think understanding. Well yeah yeah it’s gonna be it’s gonna be interesting for a while. Um I think looking at I would personally look at what the companies update policy is or what they what do they say before I buy something um you know like I do have the Arlo system and and they’re actually pretty good about pushing out updates to their app and firmware for the the cameras themselves. To me that’s important, right? I don’t have, my dishwasher is not online, it has a wifi connection if I wanted it, I don’t do it. They don’t have good update. So it doesn’t get to go online.

[00:20:02] Evan Francen: Right?

[00:20:03] Brad Nigh: And what’s crazy is why does your dishwasher need to be home?

[00:20:08] Evan Francen: Why? No. Well they call this, you know smart homes. Right? And really if you’re not configuring your things well if you’re not if you don’t want to use the stuff your smart home is actually really stupid. You have a stupid home. You know because I mean just think about this every time I plug something into the, my home network and it calls somewhere, right, It goes out into the ether or the internet somewhere that’s you’ve got another connection into your home. And it’s not like your, you know, your old school physical connections where you knew who was in your home, you knew what was in your home at any given time with this transition to everything being digital now, you have no idea who’s in your house every day. You know, you think physical, but the digital can cause you just as much damage if not more, you know, if an attacker’s, if an attacker has got control over my dishwasher or my washing machine or my garage door or my home security system or my camera surveillance, you know, there’s all sorts of things that they can do with that. People are just kind of oblivious to this, they get a cool new gadget, blinky light thing that I can, you mean I can watch what’s going on in my home, on my iphone. This is super cool. Yeah, but it’s default passwords and so is the attacker, the Attackers looking at the same thing, you are including your including you making love to your wife or your daughter. Uh, you know, playing it’s a lot more dangerous than people think it is.

[00:21:49] Brad Nigh: Yeah, no, absolutely. If you, and like you said, people don’t consider that, you know, it’s if you don’t change those things and you put those cameras in your house, you know, personally, all mine are outside. So it’s all what would be considered public anyway. Right. I’m not gonna put anything inside the house where I wouldn’t want somebody to see it. Right.

[00:22:16] Evan Francen: Well, there’s that and I’m sure you’ve secured your Arlo, you know, uh, video better than others, you know, some the uh because even then Attackers can watch your comes your comings and goings. Right. And then uh, right now, I know they’re going to steal something. No, not now.

[00:22:38] Brad Nigh: Yeah,

[00:22:40] Evan Francen: eventually

[00:22:41] Brad Nigh: at some point. Yeah. No, I I agree. You know. But I think also if you think about it is, you know that risk assessment, right. If somebody is going to hack my cameras to see if I’m coming or going it’s going to be easier for them to just break a window to get in, you know? So, there is some level of like, yeah, of course I changed all the default passwords. It’s I I don’t even know the password I use, you know, last pass for it. I have no idea what the actual password to log in To that is. It’s 20 something character. Random generated password. All right. Right. You know, there’s there’s some level of making sure you do those basics of, you know, changing the default. And then at that point it’s like, well, you know, if they, if they have that, I’m probably I’m pretty well screwed at that point anyway.

[00:23:40] Evan Francen: Well right. And I’m talking like, you know, your everyday user. I I had to have, you know zero concern really about, you know, your own security or her mind because I do understand much of the risk. I don’t plug things into my home network unless I understand what the hell it is, how I’m going to secure it. It’s what it’s talking to, what’s talking to it, you know? But most people don’t do this stuff. Most people don’t think the way we do and it’s not because of lack of intelligence or anything like that. It’s just we do this for a living

[00:24:15] Brad Nigh: well and yeah, the same thing like people that think of C. P. A. S. Right? They do their taxes a certain way and they know all the things you and I are like, okay, sounds good to me, right? It’s it’s the same kind of concept

[00:24:33] Evan Francen: across. But yeah. But the sad thing is is now. Yeah, I agree. But C. P. A. Is like a specialized skill and so is some of the deeper information security stuff. But I’m talking to basic security stuff, you know what I mean?

[00:24:50] Brad Nigh: I think? But I guess how many people don’t even think about balancing, you know every week or every month validating and looking at their accounts and making sure that hey somebody hasn’t gotten one of my cards in chart fraudulently charged things, you know? So I think there is a kind of a linear or a linear. There is a comparison between the two of just the basis of finance. The C. P. A. And then basically in Passaic and what we do.

[00:25:25] Evan Francen: Yeah. I mean I see the comparisons in terms of that stuff but the thing that actually pisses me off and it sort of breaks my heart is uh My taxes don’t lead to my Children being propositioned by some 45 year old in Philadelphia. You know. Very true. My taxes don’t don’t uh late to privacy violations and things that I can never really get back right if you and some people may not care. But you know, let’s say I have a camera surveillance thing in my uh you know upstairs hallway and my my wife comes out of the bathroom naked, somebody else sees my wife naked. Some people may not care about that but you can’t you’re not. Yeah it’s like that is gone now. Whatever privacy you had for that, it’s not there anymore,

[00:26:21] Brad Nigh: Right? No that’s that’s a good point. And you know, I think

[00:26:27] Evan Francen: one of the things I don’t want people to do man is I don’t want people to minimize this. I don’t want people to think, you know, whatever it’s somebody else’s job. No it’s not. It’s not your I. S. P. S. Job. It’s not your it’s not it’s not your kids job. It’s it’s nobody’s job, yours, nobody else should log into your router, make sure your passwords are changed you know? And if you feel like tinkering around a little bit with the settings, go ahead and do that. But at a minimum like dead the password like I don’t know who’s your who’s your I. S. P.

[00:27:03] Brad Nigh: Uh Mediacom don’t. Yeah sure. Uh Yeah thank this. Mediacom

[00:27:11] Evan Francen: mind here is uh shoot names escaping me now. Yeah. Who’s the big shoot? That’s fine.

[00:27:21] Brad Nigh: So like neither of us actually know what who he is.

[00:27:27] Evan Francen: Right? But here’s the thing about Centurylink, Centurylink when they install your router uh they put your password for your router thicker underneath it. So for people who are listening who don’t know how to change your password or even log into your password, you know, log into your router. Look there right? Typically there’s a sticker that says an I. P. Address right? It’s a it’s a four octet numbers. Right? So it’s a number dot number dot number I don’t know I lost count of how many numbers and dots that was. And then there’s a password, their rights, open a browser, type in that address. You’ll get a prompt, your username is probably going to be admin and your password is gonna be whatever the hell they put it at.

[00:28:13] Brad Nigh: Yeah. Mhm.

[00:28:15] Evan Francen: Yeah log in. Change it yeah

[00:28:19] Brad Nigh: and change it to something not not just change it but make it secure. Right. Right.

[00:28:25] Evan Francen: Right. And that’s the beginning so and then if you’re even a little bit more paranoid, like some of us uh central bank still has access to my router, you know what I mean? Even if I change the default password, they have a back door into my router. They do that for support purposes for people who you know, call them and nothing’s working whatever. Uh if you I would suggest change, you know, just getting rid of their router and putting yours on your own in. I don’t like I don’t like people having backdoors to my stuff and maybe you don’t mind because you trust, you know Centurylink, but I dont central link

[00:29:13] Brad Nigh: If you also if you look at it, if you lease their router, I mean you’re paying typically what $10 a month for that and you can get a personal your own for less than it would have cost you for one year of leasing. You know, they’re 92, you know, $150, whatever that is. And honestly this is gonna last you you know, I’m the one I’ve got this lasted. Yeah, Well four plus years at this point

[00:29:47] Evan Francen: Yeah, I’d say like 400, there’s no moving parts,

[00:29:50] Brad Nigh: right.

[00:29:52] Evan Francen: Things that don’t have moving parts last long, long, long time. Mhm. But so okay, so the first thing to do, number one change your default or change the password on whatever. Yeah,

[00:30:09] Brad Nigh: whatever your internet facing devices, change your password.

[00:30:13] Evan Francen: Right? And if you don’t know what your internet facing devices if you got DSL follow the phone line you know into a box that you don’t recognize that your

[00:30:23] Brad Nigh: router

[00:30:26] Evan Francen: yep. You know the same thing with co ax on your you know Mediacom?

[00:30:30] Brad Nigh: Yeah I mean think of it typically like they’re mostly black and a size of a book.

[00:30:39] Evan Francen: Yeah

[00:30:41] Brad Nigh: you know figure out where you’re at and you know if you buy if you’ve gotten your own and you’re not using the cable companies or your internet providers just do a google search for whatever device name it is default password. And I mean that’s the easiest thing just to get into them.

[00:31:03] Evan Francen: Yeah another thing you can do is you know if you if you don’t feel comfortable with this stuff ask ask a friend ask uh call Mediacom call Centurylink Call your I. S. P. And asked and asked them for help too.

[00:31:19] Brad Nigh: Read

[00:31:20] Evan Francen: Write because this is just step number one of many many many more steps to come. And I know people can complain that it’s so confusing and everything else like that. And I’m one of those hard love kind of people on this. You brought it on yourself, you keep plugging stuff into your network, you have this lust for technology yet you have you don’t know how to use it right? So if you feel overwhelmed by all the security stuff that you need to secure your home a lot of that falls on you a lot of it also falls on the vendor, that’s a whole other issue, man, I mean we’re vendors just continue to make crappy products from a security perspective, but You know, I mean, I think most people, but 90, of people have no idea what’s even on their home network, they think they do, but they don’t.

[00:32:09] Brad Nigh: Yeah, which is why would I want to argue with you? But no, you’re probably right and that’s scary.

[00:32:17] Evan Francen: It’s right. Well because I don’t, I mean I was just uh I am, there’s all kinds of tools you can use to find out what’s on your home network because the next thing after you sort of secure the router is to try to figure out what’s behind the router in your house. Right, right. I mean what things in your house are calling out to the internet, Don’t worry about who they’re, what, what these devices are talking to you right now, just figure out what the devices are.

[00:32:47] Brad Nigh: Yeah,

[00:32:49] Evan Francen: and you know, I use uh you know, and map, which you know, it’s free if you feel comfortable using in map, uh you know, just google and man find it, download it uh and run it, see what you got, you’ll probably have a whole bunch of devices that will come up with these funky looking numbers, right, exa decimal things because they couldn’t resolve itself to, you know, a manufacturer id, but at least, you know, and now you can go on a hunt, which is sort of fun if you make a game out of it. Yeah and I use

[00:33:30] Brad Nigh: but it. Yeah. Yeah

[00:33:34] Evan Francen: help you. And I have a little, we have a custom config kind of on our our home networks. So it’s uh I actually have more than one and you have more than one network to uh to find stuff on because we segment our network. But What would you say, 99% of people don’t do that. Yeah. Yeah.

[00:33:58] Brad Nigh: Well you know you think about it and a lot of our listeners are you know in this insecurity or I. T. And they’re like well but I do it but you think of the fact that there’s what you know probably You know that still leaves 300 million people that are doing it.

[00:34:26] Evan Francen: Well that’s one of the chant, that’s one of that. And that’s a whole other topic to is us, us, security people and its people. Yes we actually expect. I think sometimes other people to think like we do other people, other people to look at the world the same way. It’s like no they don’t and they never will.

[00:34:47] Brad Nigh: Yeah. Yeah there’s I think there is that assumption. Uh well everyone thinks this way because I do it I think you know I’ve been talking to somebody um gosh I can’t remember who it was, it was for work, right? A potential client. They were asking about some of the resources on the website and they mentioned the CSP, they said well there was something like training where I just have to buy the book. We’re talking about it. And I was like even if you don’t want to take the exam and you don’t want to buy the book, just listen to the recordings, it will change how you think about things. And I think you know there’s gotta be a better way for that information. That is I mean let’s be honest it’s painful sometimes but how do we get that too? The vast majority so that they start thinking of these things in a way that yeah they’re, they’re gonna be more secure and reduce that risk.

[00:35:57] Evan Francen: I wonder, I think we expect them one. We talk with our own clan a lot more than we talked to them. You know I don’t sit down with my friend. You use bobby as an example. My buddy bobby, he’s an ironworker awesome dude. I don’t sit down with him and talk talk to him very about, hey man, tell me about your passwords on your iphone you know let’s talk about you know, good cyber hygiene. You look at me like what the hell are you talking about

[00:36:28] Brad Nigh: shit. Yeah

[00:36:29] Evan Francen: because I actually have done that because I’m weird but we talked to are like you and I talk about security all the time just about every time we get together. We, you know we’re talking about either barbecue or you know family stuff, things that we enjoy, you know, it’ll lead to some security conversation at some point and then but we speak and we speak that language fluently when I go talk to bobby, I can’t use the same language.

[00:36:59] Brad Nigh: No. Yeah. And I think part of the issue is, well yeah, people that do speak this language just assume or look down on people that don’t speak it and that’s a huge issue

[00:37:16] Evan Francen: because it is man, it’s so dangerous.

[00:37:19] Brad Nigh: We we need we need those people to be aware of these things because I mean realistically it just makes our jobs easier. Yeah,

[00:37:30] Evan Francen: well there’s that isn’t aren’t these the people that we serve that we’re trying to protect. I’m not trying to protect me, I’m pretty well protected. I got my shit, excuse my language, I got my stuff together. Well who I’m trying to protect is my body bobby,

[00:37:49] Brad Nigh: right? Yeah.

[00:37:53] Evan Francen: And so if I want to try to protect my body bobby, well then I better learn to either speak his language or translate my language into his language. Something that will resonate because you know people, it’s just the problem just continues to get worse. We just keep especially, you know this christmas, I don’t know how many IOT things and cool blinky light things will be plugged into people’s homes, you know this holiday season but it’s going to be a lot

[00:38:22] Brad Nigh: Yeah, well and you know, coming from a business perspective with everyone being remote for who knows, you know, probably another 3-6 months at least if if people even go back, what does that mean? Right, would have if they’re plugging all these things into their home network and then connecting to a VPN into your corporate network, you’re, you’re exposed to everything they’ve got plugged in, you have a vested interest in making sure they know and have right, have good hygiene at home security husband.

[00:39:02] Evan Francen: Well it’s funny man because you know, I talked to some people and they’re like, oh we got, you know, XC endpoint protection in place or whatever the hell they got. I’m like, okay soul. Do you, I mean, do we not know? Do we, do we forget some people never knew, but did we forget how Attackers actually work? You know, they compromise the system, they elevate their privileges, they plan to back doors, they can come back later. Then they pivot, they pivot and they pivot until they find what it is they’re looking for. Now that sometimes can be a lot of those steps can be automated. Sometimes it’s a manual process so they may not waste their time, but if I find out that, you know joe blow is the ceo of big huge company and joe blow is working at home and I just do a couple of little google and google searches and find out where joe blow lives and find job blows home network. Yeah, I mean what a great opportunity for me to use joe blow’s home network, you know, you say uh vulnerable Arlo or vulnerable, vulnerable whatever. Yeah, probably dryer

[00:40:12] Brad Nigh: online with a back door into the right,

[00:40:18] Evan Francen: right. And there’s enough return on my investment as an attacker that I might spend a little extra time trying to figure out how I’m going to compromise, endpoint protection or compromise, you know? Well something a miS configuration potentially on the VPN think

[00:40:39] Brad Nigh: about this. I mean how many companies are letting people use their personal devices that they have no control over at all to view to connect in. Right. You know, you know, we’re talking with people. Yeah, yeah, we have to let them use their own, we can’t afford to buy laptops for everyone. Okay, so what controls you have in place? What do you do you make recommendations for a good endpoint protection for those users that are using their own? You know? How do you ensure they’re getting patched and what do you have in place to make sure that what that traffic coming in, you know, is legitimate and you’re not getting, you know, imitate trip pot and all the the fun stuff coming in,

[00:41:29] Evan Francen: you know? Yeah, it’s uh, it’s crazy how, you know, we’ve created so many just really convenient or play grounds everywhere. You know, I was talking to a friend of mine about schools, you know, in remote learning, schools were already pretty poor at security information, security. Uh and that was when they only had a few limited networks that they needed to protect. Right? It was the physical boundaries were pretty well defined. It was, you know, the campus, well then you go to remote learning and you’re 34 campus networks now have exploded into a few 1000 networks that you need to be cognizant enough may be responsible for to some extent.

[00:42:20] Brad Nigh: Yeah. And you know, I will so I do have some sort of a little bit of a vested interest because I do Bc sell for school district and I will say it’s not that they don’t want to do the right thing. There’s so many constraints from, you know, manpower and and budgetary issues are not funded. They it’s not that they don’t want to, they don’t have the resources to do it. And now, like you said, they’re going from trying to protect one to, you know, thousands and they were already not, they already didn’t have the resources to protect a couple. How do you expect them to do?

[00:43:04] Evan Francen: Well, it does a lot of this stuff doesn’t take funding. You know, how about, you know, using some creativity, you know, like um make a community effort, you know, to secure things like uh you know, you have communities in that community service with those community education things that they do uh or make it make it mandatory if you want a school issued laptop to get to me, you need to do an S to me or something right? Start this education process because now the educated now you need to educate the parents more too right? So you can use something free like an S to me and say, hey everybody do this, take this and you know maybe hold maybe start doing information security, cybersecurity is part of a curriculum.

[00:44:05] Brad Nigh: Well yeah, that would be very helpful I think if it’s and not wait until like high school right? Because you do see some of that where they do so start doing some um cyber security stuff in high school, but start in kindergarten right? Like start as soon as they have access to a device I know you know my youngest is in kindergarten and now he has his own ipad for school work, well they should be teaching them and providing like some guidance around that from from like you’re giving them access to basically everything

[00:44:49] Evan Francen: right? I love the so a couple of people, you know just a shout out real quick, even though we’re not at shout out yet, but Rachel Arnold is a great advocate for you know us getting off our island, you know the information security people getting off our island right? And uh I like that piece and then uh when you were mentioning you know putting electronics in the hands of somebody who is not trained or doesn’t understand the danger in it. Like, like you said like a, like a Kindergartner, hey, here’s an iphone danger, you know, and I think of the picture of chris roberts in one of our shows where he held up a phone in one hand and a pistol on the other hand. I said which of these is more dangerous?

[00:45:36] Brad Nigh: Oh the, well the phone just because it’s so much more prevalent.

[00:45:41] Evan Francen: Well yeah, and it’s stealthy and I mean there’s all kinds of things and so, uh, but people need to start thinking about that. Thinking that this is a life skill, right? You it and no matter how much I want you to learn these life skills, you have to want to, if you don’t want to, it doesn’t matter what I say. Yeah, I can, I can preach to the wind all day long. Try to figure out what language is going to resonate with. You. Try try try to get through to you. But if you don’t want to learn this, you’re never gonna learn this and you do so at your own peril.

[00:46:18] Brad Nigh: Okay. Yeah.

[00:46:22] Evan Francen: Because we could hold the, we could hold these vendors accountable for making better devices if we actually knew the danger when we do. But if people knew the danger you wouldn’t buy your Tesla that was connected to the internet. Well maybe Tesla you would because they actually take security seriously, but some of these things that we allow in our own cars.

[00:46:41] Brad Nigh: Yeah. Well, you know, they’re, they’re them proof of concepts of these cars that have, um, whatever the,

[00:46:51] Evan Francen: uh, the autonomous driver think

[00:46:53] Brad Nigh: well the, yeah, they have the cellular, uh, connection where they can be taken over and turned off or just, you know, disabled while in operation. I mean there are stories of hey, this, we’ve proven we can do it

[00:47:10] Evan Francen: right. So bringing this back to home network stuff because I’d like to do next week two is, let’s get, we’ll go a little deeper. You know, I think, uh, today if you, here’s, here’s a, here’s a challenge for people. Uh, if you haven’t logged into your powder at home and I say router, I use that generically because there’s actually some firewall functionality there when I’m going to go into that configuration and other things that you can do with that router. All we’re asking right now today is for you to go into your router and change your password

[00:47:48] Brad Nigh: and you know, simple. If you can change the user name, change that as well.

[00:47:55] Evan Francen: Sure. But just do the password,

[00:47:58] Brad Nigh: password would be the best for now. Yeah, absolutely.

[00:48:01] Evan Francen: Yeah. And if you haven’t done that, do it and if you have done that, show somebody show somebody else. Yeah. You know, we’ve got, we’ve got friends, You know, I’m gonna go talk to my buddy actually, this is what I’m gonna do, but I’ve never asked, I’ll be about this. So I’m gonna go to bobby and say, hey tell me have you ever changed your broader passion? I already know what his answer is gonna be. It’s gonna be like, I have no idea what the hell you’re talking

[00:48:31] Brad Nigh: about. Yeah. Yeah. I mean here’s what what’s interesting is I just pulled up my just the wifi networks on, you know, on the my laptop and I can see neighbors, printers unsecured. I can print anything I wanted to their printer and they, I know all of our neighbors have young kids, you could put some stuff that they wouldn’t want to see.

[00:49:05] Evan Francen: It’s funny you mention that because well I want to get there on this journey that we take. I want to get their uh to that stuff too because I was running kismet on my raspberry pi here because that’s weird. People do uh I think I had 41,000 networks that had found in my small town within Uh I think it was maybe five days. Mhm. 41,000 and a lot of, a lot of that was beginning, right? So it was, you know, systems looking for networks to connect to okay, you know, people driving in their cars with their phones that have, you know, that turned on. I would see that just right. I would also see every bluetooth if I’ve configured to kiss me at the right way. I would see every bluetooth that would never come into range because that also uses a beacon ng a free access point. Yeah. Um so the number when I turned that off because it is, it is kind of a resource hog if I’m using raspberry pi for other stuff. Uh but we can show that to, you know, and I had pie hole, I think there’s another thing that we can show people.

[00:50:20] Brad Nigh: Yeah, it’s funny, I was thinking about this and we were talking about you know potentially showing some stuff and I was like I can’t because my work laptop is on its own network that can’t access the router or the firewall or any of the other tools, those are all set to a IP and Mac address on my home desktop that has its own nick. So if I’m going to manage it, I have to switch my network connection physically to go over to do it, you know? So clearly I’m a bit of a nerd on that stuff. Um So I was trying to figure out how how I could show some of it but people have to talk through some talk through it more than anything.

[00:51:16] Evan Francen: Well I can show mine too. Yeah, start with, I mean it sounds really basic and it sounds like, well that’s it just go change my router password. Yeah, do that now and we’ll talk about after that, you know the things behind your router, you know, I would like next week let’s talk about how to find all the crap on your network.

[00:51:39] Brad Nigh: Yeah, I like that and you know, I think the two things that we all that I tell every customer, everybody I talk to here is the two things you can do. They’re going to have the biggest impact on reducing your risk, change default passwords and use multifactor everywhere. You can just do those two things and that. But you know, that’s the easiest way. I mean it’s not hard to do those, you know, google Microsoft, they make they uh those apps they’re free, they’re easy to use. I get this. Okay, well now I have to put in a have to open my phone and put in a, you know, open it up and understand what the pin is to log into my bank. Well, yeah, but the alternative is you have no money

[00:52:35] Evan Francen: while you know, but a lot of the people that we’re talking to about that they have no idea what you just said.

[00:52:42] Brad Nigh: Well and true and and obviously I would translate that right. I wouldn’t use exactly those that were the way I just explained it here with.

[00:52:53] Evan Francen: No, I know I get you to man because but because it is really basic and I think it’s just some of our frustrations, this is really simple to do and then and I’m not saying you’re doing it. I’m saying I know I have a tendency to do it and I think others in our industry, do you know how simple and easy this is to do so I get so frustrated that you haven’t done it.

[00:53:14] Brad Nigh: Yeah. Well yeah and it, I think that’s kind of the pit a pitfall or whatever the trap we fall into is you get so frustrated and then you talk down to people because you’re like, oh my God, how are you not doing this? And then they let you out, right? They tune me out as soon as you approach in my way.

[00:53:39] Evan Francen: Or if you if you think are reflective, you’ll realize that they don’t understand what I’m saying because I’m not speaking their language has nothing to do with intelligence. It would be like if somebody was yelling at me in mandarin chinese.

[00:53:56] Brad Nigh: Yeah, that’s a great comparison. I

[00:54:00] Evan Francen: agree. I would have no idea what the hell they’re talking about and this person might be the dumbest mandarin chinese speaker that ever lived and I maybe like whatever, I don’t get what you’re saying, you know, I think that it’s so much of it is like that, trying to figure out like what’s the language and that you will understand and I’m gonna and that’s why and that’s why I am actually going to do that this week. Just talked to my buddy bobby. I know he doesn’t speak geek natively.

[00:54:35] Brad Nigh: Yeah, okay, well you know it’s so easy to do. I I do try to make a very concerted effort to not do that to people outside. You know, our group as it were the tribe and and speak in ways that they can understand. And it’s so easy. Even then I got told the story on here before, but when we moved into the current house, we’re talking to the neighbors and they were like, so what do you do? And I was like, well, you know, we’re information security. He’s the usa we do this. Although he’s like, okay, but I’m a salesman. I I don’t understand anything. You just said it was like, oh my gosh, you’re right. I am so sorry. So I went back and said, you know, explained it and he was like, oh, okay, that makes sense. But it’s so easy to just like slide back even when you’re trying. You know, I do try to make a an effort to not alienate others because I do know, we need Everybody’s buying to secure things. You know, we’ve there’s about 800,000 security professionals out of 300 plus million people that are probably on on the internet or you know, online in some fact fashion. At this point, we can’t do it alone.

[00:56:00] Evan Francen: Mhm. Right. And this is truly, I mean, people, you know, I don’t want to get all, I don’t want to freak anybody out. But this is a national security issue. You know if I mean think about it if I’m An adversary on the other side of the planet and I can compromise 50% of all those in the United States, that’s a pretty good asset on my side. You know, in well, if

[00:56:27] Brad Nigh: for nothing else to do DDOS attacks, right? Even if you’re not gonna gonna actually compromise that those devices and what they’re doing, just the fact that you have control and can just beat us whatever, Right? I think about the amazon outage earlier. What was that last week?

[00:56:52] Evan Francen: Like?

[00:56:55] Brad Nigh: think about how what the impact was. Now, imagine that if their entire thing went down because 50 million homes were compromised and all those compromised devices started just detoxing. There’s no way they could handle that

[00:57:16] Evan Francen: now. All right. Well, so next week, so that’s that’s it. The challenge for people, listeners change the default password on your honor. If you’ve already done that, help somebody else do it. Yeah, that’s a take away anybody, pick somebody, pick your mom, pick uh friends, whatever. And you don’t have to go there physically to do it. You can certainly show them on a zoom call zoom was free, I think for 50 minutes or some 30 minutes, there’s all kinds of ways that you can do it. Uh be creative trying to reach out and get somebody to help, you know, help somebody. That’s it this week. Right. And then maybe next week we’ll show you okay if you did that now, the next thing I find all the crap on your under network, right?

[00:58:03] Brad Nigh: Yeah.

[00:58:04] Evan Francen: And you and I you and I can maybe hopefully you’re laboratory services feeling better than and we can, you know, show a couple tools, simple free tools that you can use. I was thinking, is there are there instructions, I wonder if there are instructions for changing the default password on my router, you

[00:58:26] Brad Nigh: know? So that’s one of my uh Rocks for probably it will probably, I mean it’s going to be Q1 at this point but is to do some research and find the top five or top 10. What are the most common sp routers and putting together easy to understand instructions the screenshots of, hey, do this, do this, do this. Here’s how you do it. So because uh there aren’t really good uh resources out there and doing those uh parent uh sessions were teaching me hey how do you watch what your kids are doing this? That’s been almost unanimous like that. That’s a top request. I don’t know how to do it. I can’t find how to do it. How do I do it? You know, what should I do? So, you know, I think looking from our standpoint, well, we’re definitely gonna be putting some of those things together here over the next couple of months to Mhm. Try and help people uh secure that personal networks.

[00:59:42] Evan Francen: Absolutely. I just found the instructions for how to change mine. Yes, essentially, I just put that in the chat but I’ll make that available to because I think a lot of people, you know, some people might be listening to and I don’t even know how to do this. Well if you haven’t changed anything else on your home network, the instructions from Centurylink are pretty straightforward. You just open, the browser would go to http Now. That’s right. No. S 1,921,680. Bring up a login. Admin will be your username password will be taped on the bottom of thing in my job. Yeah, and then just follow these instructions so I’ll provide that after after this too.

[01:00:30] Brad Nigh: Yeah, that’s good, you know, and that’s the thing is is putting those resources together and making it so that yep it is accessible for people. Uh huh.

[01:00:46] Evan Francen: Mhm. All right. Do we have to do self time for news?

[01:00:50] Brad Nigh: Uh Probably not, we could just talk through real quick. So the first one was go Daddy’s employees were used in attacks on multiple Cryptocurrency services was Krebs. Uh It was a phishing attack on Godaddy employees. Whoops It was pretty interesting read on that one.

[01:01:10] Evan Francen: Um Yeah,

[01:01:13] Brad Nigh: The next one was the worst passwords of 2020 and that was with uh oh who was it was uh

[01:01:23] Evan Francen: oh secure world expo

[01:01:25] Brad Nigh: Yeah, North Pass password manager released the worst the list of the worst passwords of 2020. Um There was some new ones that I was surprised to see uh number 10 was Sina which is Portuguese for password and I haven’t seen that one on there before but that’s actually a really it was a pretty funny read. I was like oh come on stop.

[01:01:50] Evan Francen: I thought million to. Is that that’s a new one on the list to just just million in the number two. Mhm.

[01:01:58] Brad Nigh: Yeah. Picture one. I was interesting that that’s number three.

[01:02:04] Evan Francen: Yeah. Where did that come from?

[01:02:06] Brad Nigh: I have no idea that there’s a lot of

[01:02:10] Evan Francen: engineering. Yeah. Yeah interesting man. Sorry? Yeah.

[01:02:15] Brad Nigh: No. Yeah it was uh there was a lot of like face falling as I was reading through that one.

[01:02:22] Evan Francen: Yeah so when you change your default password on your router, do not choose one of these

[01:02:30] Brad Nigh: races please. Yeah. Yeah. Um And then the last one was again from secure world uh was California proved strongest consumer privacy law in the world. It’s a it will be interesting to see what that actually end up doing for people, how that’s enforced. And

[01:02:56] Evan Francen: we’ll have to talk talk about that. I think we could do a whole show on C. P. R. A. Yeah

[01:03:02] Brad Nigh: but

[01:03:02] Evan Francen: I think they can

[01:03:04] Brad Nigh: it’s a good I think it’s a good step you know I haven’t read through the entire law but I like the fact that it’s you know focusing on giving you no more kids privacy. Uh you know, things like that.

[01:03:20] Evan Francen: Well but my biggest frustration and I’m tired of state laws. I’m tired of state laws that should be regulated federally, there should be a federal, yeah, California is over already. So damn regulated and they got such a bad name for it. There should be a federal thing, Man ticks me off.

[01:03:44] Brad Nigh: I believe it well and honestly it was federal would be so much easier for everyone. You have 12 following that. What is that? They’re like 38 ish state privacy laws that are all different.

[01:03:59] Evan Francen: Yeah, Yeah, I don’t know. Well, it makes you wonder, I mean, what the hell are our legislators so busy doing? They’re busy politicking and not work, not governing, it’s just it’s so frustrating, yeah, learn how to govern for crying out loud.

[01:04:18] Brad Nigh: Yeah, yeah, okay, so yeah, these are, these are the news stories uh That’s it for this episode, Episode 108. It’s just crazy that we’re at that number. Thank you Evan who you got shot out for today

[01:04:36] Evan Francen: Already said one Rachel Arnold Shout out to her because she’s a good advocate for trying to us to speak normal people language and we should all speak normal people language by the way because we’re all supposed to be somewhat normal, not that we’re not exceptionally that, you know, to just in general, so I think I’m gonna do Rachel Arnold and uh Andrea Hatcher remember? Andrew Hatcher from way back when yeah, one of our episodes when we did uh women, the women and security series, She invited me to speak to her group a while back and gave me Sent me a Penn State Lyons hat and a Penn State shirt that my 16 year old daughter is stolen for me already. That’s awesome. Yeah so shout out to Andrea she is going to be so any listening. Uh we’re trying to I know if our secure is trying to reach out to her to figure out you know she’s going to be a superstar in this industry, so watch out for her, it’s gonna be awesome.

[01:05:46] Brad Nigh: Yeah. Um Yeah I was really impressed with her. Uh So you know I’ll give one to uh uh Pinky one of our employees, he stepped up and was able to help out with a really a large national retailer while I was out and help answer some questions for him. Uh so uh shout out to him for helping cover for me while I was unable literally unable to work. So

[01:06:22] Evan Francen: yeah he’s that old team is awesome man. But yeah, I think he’s great.

[01:06:26] Brad Nigh: So All right well thank you to all our listeners, you can send us things by email at insecurity at proton mail dot com. If you’re the social type socialize with us on twitter, I’m @BradNigh and Evan is @EvanFrancen and the podcast is @UnsecurityP. He and he followed me man. I almost made it through the whole thing without stumbling, be sure to call security studio @StudioSecurity and FRSecure @FRSecure for more things we do when we do what we do. That’s it. And we will talk to you all again next week,

The number of aggressive cyber attacks we’ve seen has been on the rise very recently—including a calculated Ryuk ransomware targeting healthcare organizations. Knowing attackers are taking extra advantage of the chaos of the pandemic, Oscar (who leads FRSecure’s technical services team) gives some thoughts on incident response best practices and what to avoid.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Welcome back. This is episode 105 of the insecurity podcast. I’m your host this week. Friday nine. Today is november 10th and joining me this morning as usual is Evan francine. Good morning kevin.

[00:00:34] Evan Francen: Good morning brad.

[00:00:35] Brad Nigh: Are you today

[00:00:37] Evan Francen: tired again? Grumpy or No, there fat

[00:00:47] Brad Nigh: a normal day.

[00:00:49] Evan Francen: Yeah. Yeah pretty much. It’s good to be here though.

[00:00:53] Brad Nigh: Good. Well and as you can see on the video we have Oscar meets with us today. Good morning Oscar.

[00:00:59] Oscar Minks: Hey good morning brad.

[00:01:01] Brad Nigh: I don’t know if you saw the show notes but called out your sweet southern drawl there.

[00:01:06] Oscar Minks: I did see that. It’s a lot to live up to today. So I hope I don’t let anybody down.

[00:01:11] Evan Francen: Hey Oscar Oscar state barbecue.

[00:01:16] Oscar Minks: Uh, barbecue. Yeah, I love

[00:01:20] Brad Nigh: it. All right. As this tradition, let’s catch up with what has happened over the last week. Uh Evan, How was your week in your weekend?

[00:01:32] Evan Francen: It was a good week man. Um five or 6. Really good uh partnership. You know potential meetings I. O. X. T. I don’t know if you’ve ever heard of I. O. X. T. But that’s a pretty cool alliance with the IOT makers manufacturers. You know to get certified on, you know how to secure those things. Uh so there’s a movement now with IOT to start um you know, sort of self regulating to get them to secure their devices and secure their things out of the box. Uh so that’s pretty cool. Um a bunch of other really cool meetings, consortium networks was another really cool meeting which was kind of a bunch of old, not old, well maybe they’re old but bunch of information security veterans who grew up in places like Mandiant and fireeye and places like that that have now gone off in one. I do kind of this greater good thing. Yeah, so you know, good meetings last week they did the security show, we talked about seven ways to seven ways security can improve your sex life. That was an interesting show, but it’s, you know, it’s, it’s adults, all mates, 10 PM at thursday night but we didn’t get raunchy, we, we totally stayed on topic but we found a new, what do they call it, they call it? The Fitbit for your markets. Not cool man. But so it was neat and then last week’s podcast was really cool with you, me and richie breathe or I was really good week. Just you know, just tons of stuff going on man. 4th quarter. You guys are just as crazy if not crazier.

[00:03:14] Brad Nigh: Yeah, it’s been, it’s been crazy. Speaking of crazy Oscar, how was your week?

[00:03:20] Oscar Minks: It was busy, It’s been a very busy last few weeks over here. Lots of incidents fires, things like that going on, saving the world one day at a time. It’s

[00:03:32] Brad Nigh: uh, good thing. I think you got your, you guys on that team have been 24 7 for what? 2.5 weeks?

[00:03:40] Oscar Minks: Yeah, 24 7 for a little over two weeks. Um, so you have lots of knots weekends and uh, now we’re starting to ramp down, which is good helping our customers through these tough times. And uh, I don’t want to jinx myself, but things are going pretty good so far this week.

[00:04:00] Brad Nigh: That’s good. Yeah.

[00:04:02] Oscar Minks: Well you bread

[00:04:03] Brad Nigh: mostly doing that. A lot of that office 365 hardening for the national retailer. Um, it’s been interesting because the guys that I’m working with want to do the right thing and, but they don’t have experience with us and the person that had set it up and then was in charge of it just basically left. There were some, I didn’t have like good documentation so there it’s, yeah, it’s been good. They want to do the right thing. That’s the important part. So it’s been a lot of like teaching and he got, where did Microsoft, where did they move this to now?

[00:04:45] Oscar Minks: Okay. It’s like a carousel in there man. Every time I log into someone’s admin portal, uh, something is in a different place than it was before and then a

[00:04:56] Brad Nigh: bunch of changes for like, yeah, like the security settings are not going to be under the compliance center and you go to one place and their documentation and go to the link and then it’s like this is going away click here and then it’s completely different. So yeah, it’s been interesting that uh, you guys have had the I. R. S pretty well under control the last week. Haven’t had do anything that way. This weekend was Nice. Here is like what, 75 both days, which record highs records for both of them. So just relaxing and enjoying that weather because now they’re saying 47 inches of snow this afternoon. So yeah, 75 to 47 inches. Yeah, hoping to Minnesota.

[00:05:44] Oscar Minks: Yeah, we got that 75° stretched down here too is about the same in Kentucky over the weekend. And we’re lucky if you can see the sunshine bearing in through my window here. Uh, it’s another beautiful day today. I think we’re supposed to 80 today, which will be a record high for us november 10th. Um, we’re gonna get a cool down. Not quite as cool as you guys. I think we’re down to like fifties. Second half the week lows and thirties. So I’ll take that normal fall weather.

[00:06:10] Brad Nigh: Yeah. Yeah.

[00:06:14] Evan Francen: The sunshine and where I’m at two mm hmm.

[00:06:18] Brad Nigh: No, there’s no fun outside. It’s all overcast. The worst part was looking at the weather and had seen the weather service saying like get out and enjoy this weather. It’s the last time we’ll see the 70s until April

[00:06:32] Oscar Minks: oh man. So depressed. Yeah. Did uh all the snow melt you guys have gotten before because I know you had quite a bit piled up right?

[00:06:43] Brad Nigh: Uh I mean in the parking lot where they put them into the giant piles, they’re still actually snow. Um It’ll be there till probably may.

[00:06:56] Oscar Minks: Yeah.

[00:06:59] Brad Nigh: Yeah. You know what you signed up for?

[00:07:02] Evan Francen: It’s Minnesota,

[00:07:04] Oscar Minks: those could be some pretty sweet jumps if you have a dirt back. Yeah.

[00:07:12] Brad Nigh: All right. So I guess we should probably get started on some security stuff. Huh?

[00:07:19] Evan Francen: Yes. I mean I don’t know I’ll talk about anything. It’s just cool to hang out with you guys. Mhm. Do you see this cell right here? Yeah, This one right there.

[00:07:32] Brad Nigh: Yeah.

[00:07:34] Evan Francen: Yeah, that’s the one that they kept me in for a while. Yeah, this is what happens. This is what the prison looks like when you try to lock me up, it ends up going like this for you. So just saying you probably don’t want to catch me.

[00:07:49] Brad Nigh: I thought it was a D. I. Y. Project.

[00:07:52] Oscar Minks: I can’t keep lying in the cage, man. Can’t keep lying in the cage,

[00:07:55] Evan Francen: nope, wow. Yeah. Alright security

[00:08:01] Brad Nigh: security self let’s talk let’s talk incidents. So no surprise that as Oscar mentioned that our work is keeping us busy. You know they had that reporter on healthcare from was at DHS and Secret Service a couple weeks ago? Um So but had enough? I r. S coming in lately. What what are some things that people should be doing? What our dues and don’t when you bring in an Ir firm. Um So that’s why Oscar’s here. But first why don’t you tell us a little bit about teen ambush?

[00:08:35] Oscar Minks: Um Yeah, so he switched gears on me that real quick, man. I was

[00:08:41] Brad Nigh: different questions

[00:08:43] Evan Francen: actually, actually, through, I actually threw that in there because brad wrote the show notes, and I was like, you know, we talk a lot about this team ambush, who the hell are, who the hell is team ambush? And, you know, I want to tell the team a little bit because you guys are pretty damn awesome.

[00:08:57] Oscar Minks: Yeah, I like that, they deserve that to. Uh So yeah, team ambushes uh Red team and blue team uh here at f are secure. And so for those who don’t know, we got a a gang of really skilled technical security experts, uh some of which specialize in offensive security, so penetration testing, um that’s everything from, you know, doing internal tests, uh external test, uh web applications, um Red team engagements, which is, you know, we’ll throw the kitchen sink at you there a little bit of social engineering, a lot of enumeration, trying to find uh weaknesses and your posture and your people and exploiting those to be able to get to to gain an internal presence and foothold in your network and then from there and see if we can get to your um important data. Really simulate what an attacker is doing in the real world today. Um and then we also have Blue team services, which is their defensive services. Uh so that handles all of our digital forensics as well as instant response threat hunting capabilities as well. And um, I know the big talk lately is, you know, we’ve been busy with incidents and we have, there’s been a whole lot of work, but I can tell you this Ring Q four um, are red team practices just as busy right now. Those guys are uh pin testing like crazy, we’re at capacity right now at capacity plus, I’ll say that I’ve got both sides of this team is putting in work after hours and on weekends, so we can help clients are security and, you know, a lot of kudos for me to to both sides of red and the blue. Um feel incredibly lucky to have such a fantastic team, A great, great group of guys who are always always willing to put in extra effort to do what’s right to help our clients and our partners, um, I will say to, you know, on the, It’s been busy all of Q4 so far, which you know, we’re almost halfway through there and like I said, a lot of extra hours put in from both sides and everybody just takes it on the great attitudes. Uh they’re happy to be here, happy to be helping. And I think they all feel similar to how I feel that we’re lucky to have the opportunity to be in the situation, we are to really be able to make a difference and help people and um whether that’s on the proactive side of doing testing for people or it’s on the reactive side of helping people when they’re in trouble. Um I think we’re all driven by the mission and we feel lucky to be here. But yeah it’s just a fantastic, fantastic awesome team who can really do just about anything and uh love them to death.

[00:11:46] Brad Nigh: The coolest part is watching the two teams interact like we’ve got an incident and one of the pen testers jump in and help explain what’s going on with a piece of code or you know the the I. R. To the blue team talking to the right team and say hey here the things we’re seeing. Yeah, I went on in the real world to help them with their testing and similar. Sure.

[00:12:12] Oscar Minks: Yeah it’s it’s really awesome. Um You know, our purple team activities, right? Um are really really beneficial for both sides. Um You know there’ll be some times where we have some some folks on the red team, you know who are really good at reverse engineering, really good at decryption. And so you know if we have something that we’re having a hard time uh decrypting or d obfuscating. Um they’re always willing to hop over and help us reverse those things. Uh The same thing like brad mentioned nuclear identify programs um that maybe we’re a little unfamiliar with what these programs are doing, uh come over and use some of those reversing skills to help, you know, put some sanity to some of these things and some logic behind it, it’s really awesome. And then on the flip side, you know, we’re in a lot of things for them now, we’re um you know, we’re working together in tangent to look at attack techniques and from the blue team perspective um exercising showing how that we can detect those techniques and how they could be stopped and so it gives them, you know, insight into how to modify some of these techniques to be a little more evasive. Uh And you know, through that, I think ongoing relationship, we’re continually just leveling each other up. You know, there’s sharing these skills and we take those skills and we keep building on them and it’s uh it’s a really, really, really great thing. We fired up these uh hacked you sessions. Now we’re doing like once a month to this is really cool. Um and right now the goal is, you know, each month and we’re gonna kick these up to twice a month soon and when we hope to one day be able to start sharing some of these are the public, the videos, but I’ll explain that a minute. But so essentially gonna be picking exploit each week, each month and you know what I’m trying to do is get someone who’s really unfamiliar with that exploit today uh to go in really learn that exploit and we’re not saying how do you run the exploit? What does that exploit? Mean? I want to be able to explain it to me from the ground up, why is it vulnerable? Why is the exploit possible? How do you execute that exploit? And then what repercussions does that exploit have? Can you do with it? And then on the flip side we’re having someone from the blue team that’s working with them, say how do you identify the exploit? What impact will this exploit have on your domain enterprise and then long term, you know, like how do you really remediate and prevent this exploit from happening? And so it’s a lot of fun. We’re doing these sessions together in our lab, we built and doing some uh you know, just some good education to we open those up to the entire company right now. Um see that attendance is is, you know, it’s good getting better. And then when we finish these sessions um right now we started we set up a new piece of our website called fr secure labs and so we’re taking these exercises and the writing blog pieces uh and we’re sharing all that information with the world. So that folks will understand how do you do the exploit, why is it important? And then, you know, on the flip side, folks will understand how to, how to prevent that exploit, how to recognize it and how to remediate it. And yeah, I’m super excited. We’re going so many cool things. I can brag about these guys. How long do we got, we could do it for the whole hour got somewhat.

[00:15:38] Evan Francen: But

[00:15:41] Brad Nigh: yeah, I know it’s crazy like looking at, you know, a year ago where we were at with that team and where those guys were at and just kind of getting their feet wet and now, you know, where when I do need to jump in which is becoming mm less and less often like how much, how it’s just mind blowing, how improved and level up that entire team has gotten in a very short time.

[00:16:11] Oscar Minks: I think it comes from just are like a general um, attitude of the team as a whole, you know, and that’s a big thing that I believe in, my team believes in twos, that we level each other up, we educate from within and um, there’s no sacred knowledge here and I know that you guys have both had that before in the past for, you know, a new guy comes into an environment and there’s someone senior who, you know, thinks they know everything and they don’t want to share it with anybody because they’re afraid that they’ll get away their secrets right? Um and that was one of the things that always drove me crazy when I was young coming up and seeing those people who should be leaders trying to hold information to themselves, um to to keep a gap and we’re really big here on, we don’t do that. There’s no egos. Um, there’s no differences between any of us. Skill sets are things that are learned through support with each other. You don’t judge anyone for a skill they may have or may not have because I guarantee there’s another skill they have that you don’t have, you figured that out yet and you will and do time if you give yourself the opportunity to give them the opportunity. And so we’re really big on making sure that any knowledge that I have on my entire team to have and I want them to be better at it. And I am and I think that bleeds down through everyone on the team. My senior guys all the way down to the junior guys to um, and we constantly share constantly try to help each other level each other up. We don’t work on islands. We work together as a team a whole lot. And uh yeah, I think you’re right. I think we’re really seeing how that model works and and how about in people are too, you know, it’s it’s a beautiful thing to see that, you know, when you got a whole team that wants to support you and help you get to a level that you want to be um magic can happen man. Well, I mean

[00:18:06] Brad Nigh: It’s really beautiful. You have to threaten people to go take some time off working. Like it’s like 12, 15 hours and you’re like, what are you doing here? I’m going to shut off your access.

[00:18:19] Oscar Minks: Yeah, that’s not just one person calling without specifically. I’ve had a few folks on my team that’s like take a day off. No, I don’t want to, I don’t want to or they’re off work, but they’re logged in working with us and I’m like, what are you doing man? You just put in 12 hours. I want to help. I want to be here to help. No, I need you to be able to help and for you to be able to help. You need to get some sleep and get some food to recharge the batteries. And uh I had, you know, other folks like, hey, take tomorrow off. You’ve been burning, you know, for 9, 10 days straight right now, nope, I’ll take another back and we’ve got to get through this. And it, it feels great. I mean, it feels like family feels like a brotherhood and uh like I said, we’re all just, I don’t know, we’re in it together and we’re fighting a good fight and I think everybody has bought in for that and that’s really important. Yeah,

[00:19:08] Brad Nigh: yeah, it’s awesome.

[00:19:09] Evan Francen: Yeah. Super cool man. So you didn’t even mention the seat, You don’t even mention the CTF stuff that you guys do too. I mean, alright, you fit that into. We had your what? Five? No, Yeah, 10 episodes ago maybe. Uh I talked about the CTF work that you guys do to Yeah, I sat in last week on the, you know, on the demonstration and uh he was damn cool man. There was what? I don’t know 50 people there may be

[00:19:44] Oscar Minks: Yeah, that was quite a

[00:19:44] Evan Francen: few like,

[00:19:45] Oscar Minks: yeah, we had a pretty good uh pretty good crew on there. Um and I haven’t got to see the, I didn’t explain the beginning and we have this tradition now where every week or every month, whoever presented the previous month makes a slide show for who’s presenting this month and they’re not allowed to see it until until they present it. And so uh you know, it’s, it’s kind of on top, it’s meant to be fun to kind of warm everybody up, get a few laughs and let it set the presidents that we mean this to be fun. We want it to be loose. We want people to interact and ask questions if they want to, don’t feel uncomfortable. And so it was pretty hilarious. I think there was a lot of top was a golden, we’re looking at golden tickets. Um but I think I learned how to make a golden ticket soup, which I’m not going to arrest you

[00:20:34] Evan Francen: here. Right, Well, yeah, you’re right. I didn’t know that when I came in. So I was like, what the hell? I’m trying. I’m like, uh huh. No, I mean it’s not. I don’t get it so distracting. Like I know the pieces and then I’m seeing how you’re putting together the soup. I’m like, what the hell does that have to do with that? But then, yeah. And then you guys got into the real dick. Okay. I get it now. Yeah, it was funny, but at first it caught me soft guard. I was just like, I don’t all right.

[00:21:12] Oscar Minks: You know, others were feeling the same way. I have a feeling that when we got to the slide that says uh, Captain Picard is the best jetty. Everybody probably understood this was a joke.

[00:21:23] Evan Francen: Yeah,

[00:21:26] Brad Nigh: that’s a fight.

[00:21:28] Oscar Minks: Oh yeah. Yeah. There’s some things in there that, you know, are meant to be like a just find triggers for people.

[00:21:34] Brad Nigh: Yeah, yeah, for sure. So Bill, that’s how you can tell that that team is on both sides of so close. Like nobody like they know the limits, but nobody takes it personal. Yeah,

[00:21:46] Oscar Minks: a lot of fun. A lot of fun. And that goes on. I’ll say,

[00:21:51] Brad Nigh: I mean you have to when you’re working that much that closely.

[00:21:55] Oscar Minks: Yeah, we laugh a lot. I mean, and that’s important. I’ve worked into those environments to where we didn’t have that kind of open communication top environment or it was okay to put your guard down by yourself, you know, say things that you might get poked at and poke other people sometimes, but it builds camaraderie and it keeps us motivated and happy when we’re interesting times and uh you know, you really see the team pick each other up at times and you see us really have a good time even when we’re in the middle of a really challenging and stressful situation. Um you know, there’s always something to smile about in life. We’re helping people, we’re trying our best even if it is hard right now, so we should enjoy doing that as much as we can.

[00:22:38] Brad Nigh: Yeah, so it’s a good, good transition. Um, you know, talk about with all the incidents that you’ve been doing recently in the stressful times and you know, let’s get a recap of what we’re seeing right now. It’s it’s active. I mean,

[00:22:56] Oscar Minks: yeah, I think it’s so, you know, I’ve been thinking about this a whole lot and you know, we saw the report that came out, um, I think it first broke on CNN, right, and the DHS put out some statements and then every other news media picked it out and some other people would probably don’t even say the name, put it out there to um and I’m not saying that that wasn’t real a real threat, but I’m saying that threat’s been there and it’s always gonna be there, right. And that threat existed before that article came out. That threat exists today, that threat’s gonna exist two weeks from now, two months from now, two years from now. And so there is always a thing, you know, where we know the media love sensationalized things and in some cases that’s good. I can see the positive from that. It got a lot of people thinking that may have not been thinking about that at the time. And it gave us an opportunity to communicate with him and give them some knowledge that they would need and that would hopefully help them prevent an incident from occurring or be more prepared if an incident did occurred. And so while I may say that I do believe that was sensationalized. Um, I think that threats it’s real. It’s always going to be real. And if we see those opportunities as information security experts to use that to help people that we can touch and we can’t communicate with, I think that’s a good thing. Um, I will say that, you know, there has been an uptick and incidents. Um, I can also say that I looked through our actuals this year and I can see there was an uptick in incidents about March april um, see it died down a little bit after Covid. I could look through last year and see there was an uptick around this season as well. I kind of Q three, q four ish. Um, we know that these things are cyclical and there’s a lot of reasons around why they are cyclical. When you look at a Pts, right? There’s a lot of challenges that as advanced, persistent threats have to face and conquer to continue to be operational. And so the nature of the beast is these things are going to be cyclical in nature. But that being said there cyclical, but they’re always constant meaning. There’s gonna be times where there is an increased pressure. But still every week, the same old attacks are going on. People are still trying to gain those footholds.

[00:25:14] Evan Francen: Yeah, and so too. So just for the listeners, you’re, you’re referring to, um, they’re, they’re clear. And what we’re referring to when we talk about the joint statement by the DHS and FBI were talking about that, that credible threat, uh, and then there were credible threat against health care entities. And so we had some back end and you know, Information, you know about. So we kind of knew what was coming before it was released to the public. But you know, we heard word of up to 427, you know, health care entities getting hit at roughly the same time. Well, that threat, that specific credible threat never materialized, right. Because it was, it was already supposed to have happened. So it didn’t. But to your point, Oscar 100% these things are gonna happen probably when you least expect it, that’s just like Murphy’s law, whatever the hell it’s called, where when you let your guard down, that’s when you can expect to get hit, it just happens. So even if it’s cyclical, even if, you know, we see a significant uptick in, uh, and we predicted this too, right? I mean, I’m right when Covid first came out, I remember my fish diagram, yep, you know, you knew that that was going to happen because it happens every single time when significant world events occur that capture everybody’s attention, Attackers start to craft their attacks. They take the existing uh methods, right? There’s nothing new. And even in the A. P. T. S today, there’s some technical nuances that are new. But in terms of the steps that are taken, They’re the same as they were 5, 10 years ago. What Attackers do is when these world events happened, they they changed the messaging, They, you know, they just make it crafted a little bit better to capitalize on this current world event because they realize that it’s got everybody’s attention, right? And you’re letting your guard down, you click the button, no Covid thing, blah blah blah. Next thing, you know, you know, you’re in the news. So anyway, I just wanted to add, you know, those two pieces. One is the, you know, the listeners knew specifically what we were talking about, then, you know, secondly, just to build off of what you said, Oscar that, you know, these things are cyclical, but don’t let that fool you. You know, if a lot of attacks happened in May and so you let your guard down decided you’re gonna take your big vacation and you know, not patch in May. Well you can get smacked. Yeah.

[00:27:56] Brad Nigh: Yeah. So what are some things that you’ve seen, I guess I’ll call it successful I. R. S where what are the things that companies should be doing when they engage with us or any other IR firm to maybe lessen the pain or make it faster to recover or minimize damage.

[00:28:17] Oscar Minks: Yeah, I think, um, there’s a whole gang of things we can say on the good and the bad people do, right. Um, the big thing I’ll say is, um, you know, having a partner you trust and acting quick, uh, because that can make all the difference in the world here. If you see things in your, we’re working with some clients right now, um, I saw some things that they thought were uh, alarming concerning, consider holding that inside to say, well we’ll figure it out and we were engaged and we’re engaged, we’re able to get in there and see that this was, we had Attackers stayed in for ransom on a significant environment and by them calling us quick and us being able to act, um, you know, we’re able to contain that threat contain that risk and prevent that ransom delivery, we’re also able to get in and make sure they have protected backups because even when we engage, there’s no guarantee we can stop that ransom delivery depending upon where they are and the kill chain. But what we can do is look at your backups right now, make sure we’ve got good backups and you can secure those backups because we beat down that instant response and so I acted fast is really important. You know, and it’s better to err on the side of caution and just talk to an expert and see um I can tell you that we don’t charge uh for an initial call. You know, it’s free. You can call me call my team since an email and uh get on the phone with you for an hour or so. Talk about everything that’s going on and give you are honest opinion. And there’s been many times we talk to people and we say, yeah, I appreciate you reaching out. But I think you guys are okay that could contain this. You’ve done a good job continue to monitor for these 23 things. Maybe do this right away. And if you need my help, you know, I’m always going to be here, let me know and then we have some folks who, you know, reach out and say, yeah, this is a good call. We probably need to get moving right away to try to stop this because we know, you know, we know what the kill chain is, we know where they’re going. So let’s try to stop that. Um So I would say that you know my number one is um have a good security partner trust beforehand, make sure you have that relationship because you don’t want to be hunting for a partner. Uh and Melbourne incident. Um And then on top of that to, you know, one thing it’s always stressful is we go into an incident, you have sovereign Insurance and you got to start working with your Sovereign insurance and then who knows who they’re gonna sign to your case. Um And always I talk to people, it’s like this. Would you rather have your partner, they trust working your incidents, knows your environment that knows your people, I understand your business or would you rather have some random companies signed by your insurance that doesn’t know, you have no idea who it’s going to be and they don’t even know who it’s gonna be until it’s time to instant most cases. Um And the answer is always yeah, I’d rather work with people who know me. And so I urge people if you have Sovereign insurance, talk to your provider and get your partner set up as a preferred vendor and if your partner is set up as your preferred vendor and you have an incident, you don’t have to worry about any of that, You call your call your partner right away and now get to work under incident and then you can handle the entrance stuff on the back end because what’s most important in negotiating with the incidence, what’s most important is protecting your assets and your people. And so I would say getting that done up front is critical and then you know, besides that erring on the side of caution. You know, if you see things that you’re unsure of, it’s like the same thing we tell our people and we do social engineering training, fishing training. If you’re unsure, if you see something that’s suspicious, reported find out from someone who knows and I would say the same thing for entities and businesses are partners and clients. If you see something that’s suspicious that you’re not sure of. Like I said, it’s free to talk on the phone with us. We’re gonna charge you for that. Send us an email, give us a call and let us look at it together. We’ll give you an honest opinion and at the end of the day to, you know, I hope it’s nothing. I hope we can coach you through it in that hour so you’re able to contain that. But if you need help to, you know, we’re always here for that. And even if you go with someone else to get that help, that’s fine. I just want to help people prevent these incidents. I’m sick of seeing people get ransomed. I’m sick of seeing the businesses impacted families hurt all of that. So we’re here to help.

[00:32:48] Brad Nigh: And you touched on a really good point. You know, acting quickly, How many times have we had somebody call us on a friday afternoon where they detected the incident monday morning and then they, yeah, friday, they couldn’t figure it out all week. And I mean when you’re looking at that, I’m thinking that there’s a couple where you know, they did that the pre work with us that they identified something about what one in the afternoon and by like four or five we had tool deployed and you know, they were super on top of it and stopped what would have been, uh, just devastating raising them,

[00:33:33] Oscar Minks: right? You know,

[00:33:34] Evan Francen: well, and one of the, one of the things that it seems like people get sort of confused is acting quickly and almost panic. Right? So I always say act equipment in deliberately meaning, you know what to do and you’re gonna move quick, right? You’re not going to take a bunch of times to go here, go there because on the what not to do side of things, what you don’t want to do is not know who to call and started just picking up the phone and just start making calls. You know, we talked about, the one that you guys know, the one I’m talking about, you know, just a couple of weeks ago called my cell phone at two a.m. All right. I’m not the guy To call at two am I will certainly come and help you when I awake but that’s not your first call. So everybody who’s listening right now should know if you’re if you’re involved in this, what’s my first phone call? Mhm. You know, make sure it’s on speed dial, make sure it’s available. Make sure that people that are on your incident response team assuming you have one. No, that number. Right. And hopefully you’ve arranged you’ve done this leg work ahead of time because it is all free. It’s things squared away. Right? Like you said, Oscar, you know, calling the person that you would call, whether it’s fr secure or whether it’s India. So whoever you preferred provider is for incident response, you’ve already made the call. They know that you’re the person, they know that they’re the person you’re going to call. Right? So they’ve got, you know, maybe some paperwork already squared away with you. Maybe they’ve got a copy of your incident response plan on file so that when you do call, they can pull up that plan, start executing on that plan. It’s all just simple leg work. And it is all free. Right. I mean, in terms of just getting who am I going to call and then, you know, calling my insurance provider if I have cyber insurance, making sure that they know who I am going to call. Right? Because the one thing you don’t want to do is start getting down this path and realize that some of your expenses may not be reimbursable, right? Or you get halfway down the path with your preferred provider before the insurance company says, well you have to work with this provider. Well now you’ve got rework and the only people that are suffering, it’s not the insurance company that suffers. It’s not, it’s not your security partner who suffers. It’s your business who suffers. It’s your customers who suffer. So you owe it to yourself, your business, your customers, your employees to just get this stuff way. So if you haven’t done this and you’re listening, push pause on the listen, you know, I mean, figure out who you prefer provider is going to be, get that number squared away, Call your insurance provider, get that squared away and then come back and hit play again on the podcast. It’s that important. It’s that urgent.

[00:36:23] Brad Nigh: I mean, we, you just are wrapping up one exactly where that happened. Maybe talk a little bit about what we did for them. And what happens

[00:36:35] Evan Francen: are we talking about the one that I got

[00:36:37] Brad Nigh: called? Okay.

[00:36:42] Oscar Minks: Yeah. I mean, it was exactly what was going on. Too many details, right. But it’s exactly what Evans talking about there. It was, you know, we come in to work with a client who was in a critical situation. This is beyond hey, we observed something. This is a critical situation. And so, you know, we were their preferred provider. We weren’t the preferred provider with their entrance, they didn’t go through that set up so they call us and they needed help that. So we were engaged, I mean, boots on the ground, rolling 24 7, like you had mentioned brad within a couple of hours, you know, uh, I mean, it was probably from the time they called to the time we were actively in their hunting, um, to three hours, right from that triage call. And so we’re in there are making significant progress. And, and then the entrance provider comes into play and says, uh, we have our own preferred provider that you need to work with. And it was an incredible challenge for our client because, you know, we’re fully embedded in their infrastructure right now and we’re actively hunting. And so to switch vendors would mean we’ve got to stop what we’re doing, remove our tools with the vendor, deploy their hunting tools and kind of start all over again. It’s what caused a ton of complications throughout that. And we did reach a gentleman’s agreement in the beginning to say, let’s get through this phase, let’s continue to hunt and identify those indicators, compromise how they got in. Uh, well, let the other firms just with more back in dead box forensics. And so that way we try not have any overlap so they can get reimbursed for all of our services. But I can say that, uh, that one situation right there, we probably had to focus over the course of, you know, the week and a half to two weeks where we’re engaged every day, there was a couple of hours focus toward the sec segmentation of those duties. Were those lines were negotiating those contracts to make sure entrance can understand what’s, what, what’s what and the point being, it slowed down the process. It wasted a whole lot of time, a whole lot of my time, you know, and I mean, I’ll help you through that. But my skills are better suited hunting threats than negotiating with insurance and we see those things and and these situations every minute matters, every hour matters. And every time that your energy is spent on something that you’re trying to solve outside of solving this instant, you’re in its not efficient time, it’s not, your time should be focused and it’s going to delay your business becoming operational again. So it’s critical, you know, like everyone’s saying podcast, go fix that for people to get those relationships established, those processes established to have your plan, have, have those relationships built before this ever happens. Um, you know, again, the last, last place you want to be figuring this out as in the middle of an incident. You got to have all this sort of before and I know we’ve, you know, touted like this before, but we got a plan, It’s a really good plan and it’s free on our website. If you haven’t go get that, download that plan. If you need us to help you, we’ll help you through that. Um, Start there, call your insurance and get those relationships built right away and know your insurance policy too. That’s another thing I talked to some people, Hey, what’s the deductible on your policy? I don’t know figure that out. It’s just like car insurance man. Um, if you can’t afford, you know, a $3,000 deductible to repair your car, that’s fine if you’re aware of that and you can afford that. But what if you can’t, what if your car is in the worst 6000 bucks, you got a $3,000 deductible. That’s the entrance is worthless because your car is going to be total. It’s over $3,000 in damage anyway. So see where your deductible is. See what’s covered. Understand if your insurance provider really does want to get to know you want to work with you or if they’re on the back end hoping that their deductibles too high that it never kicks into play and you’re gonna be caught holding the bag in an incident. I mean we see some astronomically high deductibles that some businesses have on their policy that they’re not built to handle. And so there’s a whole lot, you know, that you can be doing right now up front to make sure that if an incident happens, you’re going to be able to respond, you’re going to be able to afford the services, you need to get through that and your insurance is going to actually have your back instead of fighting against you.

[00:41:24] Brad Nigh: Yeah, those are good points. I think given, given the team some props, the best part of that situation from kind of the outsider perspective as it were, was the other company complaining that we were finding all the I. O. C. S and that we were going too fast. We’re basically too good.

[00:41:43] Oscar Minks: Yeah, that was, uh, yeah, I don’t want to get into the, that too much. But it was nice to hear from someone else that hey, that’s, that’s what we’re supposed to be done. Tell us slow down there finding too much stuff. No, I can’t use the words right now that I want to say and how that made me feel. But uh,

[00:42:05] Evan Francen: but, but it’s so, it’s so cool to be able to have this team. We talked because we just talked earlier about how this team, you know, is loose and enjoy joys each other and can have a good time. Yeah. When it’s time for business, we get down to business, we got work to do. We absolutely 100 realize, you know that the importance of the situation and so yeah, we’re working. I mean the way you’ve organized things with the team Oscar has been amazing. You know, working in shifts, you don’t drop, the ball has never dropped from the beginning of the incident until, until we’re done. Uh, you know, which is, would I know that if I were on the other side of this, it would make me feel good. It makes me feel what I’m not going to feel good about is that the Attackers got me, you know, the bad things. But having somebody on your side is such a, I mean, Yeah man, it’s like calling the police, you know, except that should not be your first call in 99% of the times, you know, but it’s like that, it’s like you call in there, there we drop everything and like there you go. What can we do?

[00:43:16] Brad Nigh: Yeah. You know, kind of, you did touch on it to maybe the second thing that I would consider it is the right thing to do is like you said, trust your partner, right? If we’re coming in and saying, okay, here’s what needs to happen and here’s how we need to get this done. There’s a reason for that. Don’t, don’t argue, don’t not do it. Mhm Yeah, for sure. Like those are probably maybe the top beyond what you said of being prepared, Getting this stuff figured out ahead of time, you know, being proactive about it is once something happens, just a person. Just that partnership that you hit,

[00:43:59] Oscar Minks: yep. Yeah, I think that goes back to the right in line with what we’re talking about, right, build those relationships before choose someone you trust have everything taken care of before an incident happens with your insurance and so on that you can cover that financially. I understand that and then yeah trust them that’s what they’re here for. Are the experts to help you?

[00:44:20] Brad Nigh: Yeah. What would you say is uh the top thing not to do

[00:44:25] Oscar Minks: uh

[00:44:26] Brad Nigh: panic,

[00:44:28] Oscar Minks: panic, do things that you’re unsure but you think they’re right because you’re going to do the wrong thing half the time at least called five

[00:44:37] Brad Nigh: different companies.

[00:44:38] Oscar Minks: Yeah. Don’t panic and trust even trust your own support group and team internally too. I mean we see that you see sometimes there is a really good team that worked really hard. Um They got a leader who makes the decisions who isn’t necessarily integrated with that team. And so the team may have some knowledge, well the team has knowledge, have an idea of what should be done. We sometimes see leaders outside of that bubble making decisions without their team. I mean that happens quite often and that causes so many problems too because number one you’re probably gonna make the wrong decision, you’re not trusting your own internal team. Um And then # two Break Trust with that team. Um And the number three suspect what we talked about if you’re in an instant situation it’s probably going to negatively impact your time to recover as well. So a lot of trust in this.

[00:45:40] Brad Nigh: Yeah I agree. I think maybe one of the things that that leaders kind of maybe miss out on and I’m not just studying I. T. But business leaders right? Is in an incident the amount of work that that I. T. Staff is doing.

[00:45:56] Oscar Minks: I mean it’s always a very you know cohesive exercise between your incident response team and your technical team. We have to be one team when we’re working through this we rely upon each other entirely to get through this exercise. And those guys you know kudos to all these awesome technical teams that we’ve been working with because you know we’re working around the clock. Those guys are putting in serious hours too and they’re right they’re doing great work cohesively with us to get through these tough situations.

[00:46:32] Brad Nigh: Yeah and I’m just thinking of the active ones right now like how how much they care right? Like you can see like this back, I’m not going to name names or anything but I remember when one of them was first taking off like maybe a couple of days in and you could just feel the guys pain like when he was putting a message like it was we were talking about it on the back and like oh jeez you need to check on this guy like he’s really struggling with this,

[00:47:06] Oscar Minks: that’s the hard part about I mean there’s a lot of things that are hard about this but that’s one of the harder parts of scene, people who care about their businesses, you know, and just seeing them struggle mentally. It’s it’s a huge weight and huge burden. And I think sometimes, you know, people will put more of that burden on themselves and they should, because they haven’t been through this before. They don’t understand, you know, how a common this is. And you know, we were delivering a tough message yesterday too, um to understand when we’re delivering messages to people. Like I was wondering who was it? Like, who’s the account that got breached or who managed that? Or who did this? You know, and there’s there’s always fingers to be pointed, right. You know, there’s always something more that we could have done. But the end of the day, like these root causes aren’t shaming exercises. Uh we’re humans, we make airs, people make mistakes and as long as it wasn’t negligence that got you, there was an honest mistake that got you there. Um should be no shaming in that and we should just take that as an opportunity to learn and become better people. But we see exactly what you’re talking about a whole lot. Yeah, it gets hard. I mean, I hate seeing people um mentally struggle with these situations on top of everything else.

[00:48:31] Brad Nigh: Well, what you said is, you know, putting myself in the eye tissues and and having gone through some issues, you do care, you want to get back up to b, you’re always like if you don’t have support from above, you’re like, well, am I going to get fired for this, right? Why am I going to be putting in 15, 18 hours a day for two weeks if I’m going to be the one who’s, you know, going to have to take the blame and get it cut. Yeah,

[00:49:03] Oscar Minks: We always hope that doesn’t happen. You know, and that’s something we’re very clear when we explain these root causes, like it’s not to the blame again. If it’s not negligence, right? It’s not to blame that person. This is an opportunity to improve, right? Always good to see these opportunities to get better to improve. And, and I’ve seen some of these phishing campaigns, man, one that we’re looking at this week right now. It’s like we were looking at the issue of the team. It’s like, I mean, some security professionals could have fallen for this. It was a really, really good fish. It was phenomenal. And it was a new technique we haven’t seen before. And so, uh, you know, like, like Evan mentioned the same old killed chain right there doing the same thing over and over every year. They’re just tweaking and doing different things. There were good that, you know, unknowing psychology and the things that were more adamant to click on it and they start to learn the tools we use a little bit more. Like we’ve seen one note fishing and the window fishing is that’s, it’s really good. I mean, uh they’re using a legitimate one notes to send to people and the majority of population isn’t gonna be able to discern that based on their own fishing training. Like make sure it’s a legit link, that’s legit link, that’s Microsoft, that is going to a legit link, but embedded in that one note is malicious content and so like, it’s kind of brilliant, so simple, but it’s kind of brilliant and we’re seeing some stuff to with other uh, like ASAP and business tools and things like that, that we’re using uh that they’re able now to compromise and embed exploits within those. So we’re seeing those fishes kind of evolved for now. They’re, they’re getting valid tools from other entities you may do business with, they’re using valid links and then within those links they’re embedding malicious code. Um, and so, you know, it’s gonna continue to evolve. We’ve got to continue to learn and get better and people are going to get fished, but I think it’s important for us, like, you know, as being security researchers, when we identify those techniques to educate and to modify our services, you know, like for our social engineering stuff. As soon as we saw those window fishes start, we started doing fishing campaigns to match that. And so it’s so we can stay ahead of that curve and try to get ahead of that curve and try to get our users and our clients and partners ahead of the curve. So they don’t get fished. It’s all about learning, it’s all about becoming better

[00:51:23] Brad Nigh: well. And,

[00:51:24] Evan Francen: and one of the things you, you mentioned brad and this just lends credibility. One of the things you asked Oscar was uh, what’s one of the things, you know, one thing you tell people not to do, you know, and the answer was, I think it was perfect. It was, you know, don’t panic. I think another thing not to do his Nike false assumptions to assume that this isn’t going to happen to you is wrong. It’s going to happen to you. You have human beings who work for you, you have futures, you know, the views that can be manipulated to trick them to do all kinds of things. You know, you talk about the new phishing attacks, they’re using intelligence beyond what we’re using to defend, not our company I’m saying, but in, in the Gin general, right? So they’re moving faster than you are. Their attacks are moving faster than your ability to defend. And if you don’t have anything for response, it is, I mean, I don’t understand, I struggle with believing that not having a a response is not negligence because you know, it’s going to happen. So you’re not planning for it in my mind is negligent

[00:52:36] Brad Nigh: pretty indefensible. I think, oh God, Oscar,

[00:52:40] Oscar Minks: I was just going to say the first phase, an incident response is to prepare, that’s the first phase is to prepare and prepare is having that plan right? But prepare also includes a lot of things we’re talking about now prepare involves actively doing social engineering campaigns on your own employees to see if they’re susceptible in identifying ways to educate them. Prepare is also to do penetration testing on your external network, identify where those soft spots are. So you can start to fix those things doing continual vulnerability scanning, doing internal penetration testing, testing your environment and your people. So you can identify where your blind spots or your soft spots are so that you can place better controls around those things to help prevent the incident from occurring uh that prepare phase is critically important and we see it being neglected a whole lot and a lot of these situations were in, if they had really really paid attention to that first phase, they could reduce that likelihood by a significant amount,

[00:53:42] Brad Nigh: You know? So there’s what, six phases 566. So we did the higher maturity assessment, put that together and and I think yeah, we knew prepare was important but I think what actually caught me a little off artist when we finished it, that prepared section was probably had probably what Almost 1,40% of all the questions were in prepare.

[00:54:09] Oscar Minks: Yeah, it was a big significant piece of the whole plan, entrepreneur,

[00:54:13] Brad Nigh: you don’t realize how how comprehensive it is until you you actually sit down and do it. I think part of that to preparing is is that executive buy in right? Like if you have an incident as an executive, were you giving that team the proper resources, the proper manpower to do their job to protect the organization? It’s not why are you blaming them when you’re hamstringing them?

[00:54:43] Oscar Minks: I

[00:54:43] Evan Francen: think you have you have no buck stops at the top. Right. Ultimately I I asked this question over and over and over again just about every organization I’ve worked with who is ultimately responsible for information security here because I want to know the answer. I already know the answer. The answer is your ceo your board of directors. If you have one that’s who is ultimately responsible for information security here, their job and they delegate all kinds of things. I’m not saying that they’re the ones who write the incident response plan but it’s their job to delegate to somebody that an incident response plan has been created. Uh it’s their job to ask questions of their I. T. Folks or their information security folks. Where are we at in our preparation for an incident response. You know I saw on CNN you know that hospitals are getting attacked this week, you know going back to what you know what we said, it was in the news, the air situational awareness is so damn important ask your you know I. T. Folks are we prepared for this If not where are we not prepared for this? You know, I mean, it’s just those, those discussions that never take place. A lot of these things don’t cost a dime, right? Taking responsibility for information security in your organization. That decision doesn’t cost you a dime.

[00:56:12] Brad Nigh: So so you shouldn’t also say, I was gonna say you should be the executive that told me after an incident quote, I’m somebody’s gonna have to take the blame and it’s not me s rolls downhill.

[00:56:23] Evan Francen: Yeah. And that that person, that person should be held liable.

[00:56:28] Oscar Minks: I was gonna say going back to exactly like Evans message we were talking about before. It’s also their job as that ceo whatever to trust their people and to trust that message there people are delivering. I see that so many times and you know, it’s one of the biggest things we talk about around is the inability to communicate. But it’s also and it’s two sided. Like maybe it’s us sometimes explaining things to those sea levels, but also maybe sometimes it’s those sea levels, just not wanting to hear those messages or dismissing those messages. I can tell you, I mean past lives, I’ve screamed out loud for for years to those sea levels about things that are going to get us if we don’t take care of them now, this is going to be a problem. Was it a problem now? Well, no, but it’s going to be well then I don’t care about it. That’s a message. A lot of those sea, uh, the sea suites deliver and you know, I hate to say I told you so. But I can say that those things later came back to get us and it was a problem with that trust, internal communications between leaderships and teams.

[00:57:35] Evan Francen: And I’ve always, you know, I mean sea level of, you know, executives, they deserve, you know, I understand, you know, kind of a conundrum that they’re in. They they’ve got a billion things on their plate. Right? I know sometimes, you know, we, they’re super. Most of them are very, very smart, right? You don’t get to be a ceo of a company by accident usually except for this guy. But you know, once you, they got so many things on their plate and then here’s another thing and you’re telling me. And, and I think one of the things we’ve done in our industry that kind of shot ourselves in the foot is we cried wolf damn times that were just the boy who cried wolf, here’s security again, what you know what I mean? So we have a long ways to go before we really start to get, I think Ceo, S and C level executives understanding that this is to be treated just like anything else. You know, business like sales. Well, the business doesn’t run anymore. If we don’t keep selling stuff. Right, The business doesn’t run anymore. If we don’t keep track of our money so we need to have a cf, CFO the business doesn’t run anymore if ransomware takes us down for two weeks so we need to have a C. So right, but you need to elevate this this role to where you’ve got the same voice. You know, I mean the same tone because I don’t think there’s many ceos that are like sitting around going Yeah, I just like being negligent so screw security. You know, we got to figure this out because there’s just so many times you come into an incident and they’re like caught completely off guard. I mean the one that you were talking about, you know, a couple weeks ago uh where they you know, they’re kind of forced to negotiate. Mhm with the attacker. It’s like just pisses me off so much that you have to negotiate because you didn’t take the proper precautions, you know, to protect your backups and what have you that prepare face. Right? How important to prepare phases.

[00:59:37] Oscar Minks: Yeah. I think we should talk about that story for a minute. I didn’t touch on that. Uh So what Evans talking about? We had a partner who was ransom and unfortunately their backups were also encrypted destroyed. And so that’s like we talk about number one things you can do besides preparing if I’m just telling you one tip, I always say that the people secure your backups, make sure, make sure not just you have good backups. Because I talked to a lot of people that have these great sophisticated backup systems that are all network connected. And at the end of the day, uh, if it’s network connected, our Attackers are going to find those backups before they encrypt the rest of the environment. They’re going to destroy those backups first because that’s the guarantee they’re going to get the money from you. And so the one thing you can do is like Evans said, get out that old tape library fired back up and uh, put some stuff on tape and store it off network. Um, so that way you’ll secure data anyway, they don’t have any backups. They were gone. Uh, so they had to begin um, negotiations. And we’ve seen in the beginning that process isn’t quick. Um, the attacker was went dark multiple times dark for over a day at one point. And so here’s the company down that’s ready to pay because they want to get their business back up and operational with an attacker who is uh, not always around, I guess we could say. Um, and then we go on, uh, to find out that the attacker in this situation uh, was actually on the United States terrorist organization list, which means that there federal government prohibits negotiating with a terrorist organization. And so essentially government said, no, no, you can’t pay these guys if you pay them, you could be held criminally liable for funding that organization and so on top of that. Now our client then my backups. I don’t even have an attacker to negotiate with their data is gone. It’s completely gone. And so now they’re working through that painful process of rebuilding their entire infrastructure and also at the same time accepting at a large portion of the historical data they need would need for that business is gone. You can’t recover it and still Don’t Always Trust # one. If you get ransom, you’re gonna get your data back. That’s one story. There’s 10 other stories about the encryption keys not working Attackers disappearing. There’s so many things that can happen in that situation and I don’t want to fear monger and scare people. But this is reality if you get ransom, there is a and you don’t have backups that are offline that are recoverable. There’s a really good chance even if you want to pay that ransom, you don’t get it out of back. So prepare step one of the six step process is the most important step of instant response

[01:02:46] Brad Nigh: on that one. Right? They have no way of telling there was data X ville, everything’s locked up all that history is unavailable. So you have to almost assume that it was

[01:03:03] Oscar Minks: Yeah, that’s a really, really challenging one right now and everyone wants to know that, right? We come into these cases. It’s especially if legal is involved. That’s typical many priority number one is um is there evidence of X. Ville and there are things that we can do to look for that like you know even if the you know the servers are not boo double um Sometimes when you look at network data right to see anomalies network traffic and network data to determine there was a surge of egress over this three day period going to this I. P. And I don’t want you know eastern europe. Um But we often see too that that that is not available unfortunately. Uh you know it’s it’s kind of a crapshoot if we see that people are gonna have a good network logging and they’re even gonna store it for over a couple of days. It’s a big problem in these two like um you know people aren’t storing artifacts for long enough and that’s logs I mean it’s your system logs that your network blogs that your device logs, it’s your storage logs all of those things and there’s things that we could do to pattern to determine if you have the next pills. If we have those good storage logs, if I start seeing your sand performance logs are getting hammered the same time there is a network spot and we see there was a mass ton of zip files that were created but deleted. I’m gonna go ahead and say they zipped up yourself and shipped it out the back door. Um But again if those things are destructed. Um it’s really difficult to be able to determine truly what was touched from what was X. Field. Um We do know like was we’re learning more and more about a Pts and that’s something we’re focusing on is trying to identify who the attacker group is that’s deploying these things. The ransomware as a service model throws a loop into a lot of that. Um You know and so but if we can’t have those statistics we have to rely a lot on what are these A. P. T. Is known for? Do they X ville do they shame? Um things like that. But at the end of the day yeah it’s a huge huge challenge for all of us.

[01:05:18] Brad Nigh: So uh great conversation. I know we’re running up on time and there were a couple of real quick uh uh stories that I think are important. First one that we have out there is a web logic has an open exploit that is allowing installation of cobalt strike which is uh that span of control. And so uh if you have a web logic server the patch right now

[01:05:49] Oscar Minks: I got good news on that one brad. I did do a little bit of research on that uh last night we are sending a blurb about today um Some data I seen from the Sandstorm Center I think they estimated there’s only about 100 to 120 somewhere in there. Of vulnerable systems publicly available publicly. Now there could be internals. Right. But um so that made me sleep a little better last night but exactly what you said patch that today.

[01:06:16] Brad Nigh: Yeah there’s a patch out there that came out a couple of weeks ago and it’s being actively exploited if they get into your network and they can get cobalt strike in. I mean how we see that as that main

[01:06:30] Oscar Minks: Yeah I mean that’s just when we’re done penetration tests. That’s how we start our penetration test. That’s a

[01:06:36] Brad Nigh: good thing for people. Yeah. Uh the other big one is around Cisco, they put out some zero days there’s a zero day for their any connect client and there’s no catch yet which is not not good allows an arbitrary code execution um and then they also turned out and kind of like got hidden was uh what was it? There was 13 other ones around arbitrary code execution flaw and webex meeting desktop and three arbitrary code execution glitches in the Webex network recording player and Webex player and uh so that’s that’s not good.

[01:07:21] Oscar Minks: No it’s that’s not uh have you seen any proof of concepts on that yet? I really

[01:07:27] Brad Nigh: uh No yeah I haven’t seen I don’t think so. This is the one I had was from threat post. I don’t see that it’s been executed yet.

[01:07:41] Oscar Minks: Um it will be given a day. Right? Yeah.

[01:07:46] Brad Nigh: Hey there are some mitigations around it feel like the any connect they have to have a an ongoing session by the targeted user at the time of the attack and then the packer needs valid credentials. Uh, the system that any connect is running well. Yeah. So that, that does mitigate it a little bit, but we see, how many times do people have bad passwords

[01:08:08] Oscar Minks: every every time. Right? For every time

[01:08:12] Brad Nigh: if you’ve got the other ones where the Cisco SD wham which includes a file creation bug, privilege, escalation flaw and denial service law. So check your, if you got Cisco in your environment, you’re using the SD when or webex or any connect, check that out and you know, apply patches or apply the mitigation controls that are documented.

[01:08:38] Oscar Minks: Yeah. And I would say to, you know, I don’t have numbers like on this vulnerability like compared to the way of logic. But I can tell you they’re gonna be way higher as far as systems that are publicly available and vulnerable to this right now. So I think it’s important people get on those updates immediately.

[01:08:55] Brad Nigh: Yeah. Yeah. And the last one, we don’t really need to talk about it. That was interesting. But it was the Campari group on the rocks after a ransomware attack and you never want to see this. But I won’t, I won’t lie. That headline made me laugh when I realized it’s a alcohol basically they do while Turkey, Grand Grand marnier and Appleton Estate. So

[01:09:19] Oscar Minks: you know, that actually makes me really sad because uh, as a Kentucky and love bourbon and wild Turkey is my favorite of all the brands. Well Wild Turkey and Buffalo Trace, I’ll give them both a shout out, but I hope it doesn’t affect their rare breed production. Maybe I needed to drive over there. It’s Lawrenceburg today and see if they need any help because that facility up and running as fast as possible.

[01:09:40] Brad Nigh: So they’re saying it was bragging their locker that was on there. But I thought it was a pretty interesting uh, funny headline for an unfortunate situation,

[01:09:50] Oscar Minks: a very unfortunate situation, which uh, which those guys luck in the fight forward. Hopefully they can get up and running again. Hopefully they had good backups and hopefully they had a plan. So

[01:10:01] Brad Nigh: yeah, All right, well that’s it for episode one of five. Evan did have to drop off. We went a little long here today, but that’s, well, we could go for hours on this stuff. Any shout outs, uh, this week, Oscar

[01:10:18] Oscar Minks: oh, just shout outs to my whole team, reiterate what I said before. Uh, Team ambush one team. Um, just can’t be more proud of everybody on that team and uh, feel more lucky to be part of what we’re doing than I do and uh, I know those guys are working incredibly hard and doing great work and uh, so just, yeah, huge shout out to the whole team with an awesome,

[01:10:44] Brad Nigh: yeah, I’ll kind of mirror that and say shut up to the consulting side as well. You know, had to completely redo how we do assessments and everything being remote and they’re just flying and they are

[01:11:00] Oscar Minks: killing it. We saw complete, like we got hit with complete curveball right for them and the type of work we did where hey, guess what? You can’t go outside anymore and they were able to quickly adapt and keep our quality of work the same level. It was before and yeah, second rather than an awesome job

[01:11:17] Brad Nigh: and I’m also going to give a second shot out for and this goes for both teams is the back end support because you know, our resource managers, project managers, customer success managers, all those like juggling all these analysts and making sure things don’t get dropped and just the amount of work that they’re putting in is

[01:11:38] Oscar Minks: yeah, they’re like helping babysit my teams and theme to and at the same time keeping our customers happy, keeping our projects moving. Oh my gosh, they’re doing so much work right now. They’re doing such a great job. Um, yeah, they are. And

[01:11:54] Brad Nigh: what’s amazing is I don’t think I’ve heard any analyst complaining or any customers complain and they, they’re just the amount of projects that they’re managing and like you said, babysitting, try to babysit ox. Come on.

[01:12:08] Oscar Minks: I think it’s Renee calls them, they’re like analyst Wranglers. Yeah,

[01:12:14] Brad Nigh: yeah,

[01:12:15] Oscar Minks: pretty good time.

[01:12:16] Brad Nigh: So All right. Well thank you to all our listeners. Uh, send us things, send things to us man. It’s tough to, to read by email and insecurity of proton mail through the social type socialize with us on twitter. I’m, I’m @BradNigh and Evan is @EvanFrancen Oscar I know you uh, keep a low profile so people can just reach out. Your contact info is on our website is probably the best way to get a hold of you.

[01:12:43] Oscar Minks: You have to shoot me an email. Um, well, I’m sure you have the security podcast. You guys know how to find me all the time too, so yeah.

[01:12:51] Brad Nigh: Alright. Lastly be sure to follow security studio @StudioSecurity and FRSecure @FRSecure for more things. Thank you guys. And we will talk to you all next week.

Things don’t always go as planned. With Brad out last week and a riveting conversation with Neal O’Farrell about mental health in the information security industry, Neal joined the podcast again for an impromptu part two in episode 103. In part two of this discussion, Evan, Brad, and Neal review some very specific self-help cybersecurity measures they’ve tried—and what their experiences were with them. Give this episode a listen/watch and let us know what you think at unsecurity@protonmail.com.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Hi everybody. Welcome to another episode of the Unsecurity podcast. This is episode 103. The date is october 27th 2020 and I’m Evan Francen, your host joining me is my good friend and coworker Brad Nigh. Good morning Brad.

[00:00:37] Brad Nigh: Good morning Evan.

[00:00:38] Evan Francen: Glad to have you back man.

[00:00:40] Brad Nigh: Yeah, so much better.

[00:00:41] Evan Francen: Good. Also joining us for a second week in a row is our good friend and founder of the cyber Resilience project, Neal O’Farrell. Good morning Neal.

[00:00:50] Neal O’Farrell: Good morning guys. Thanks for inviting me back. I guess I didn’t mess up last time.

[00:00:56] Evan Francen: No man. The conversation was great. And that’s that’s kind of the reason why we wanted to have you back. I think we talked so long that we never got to news, which is good because news is just filler. Yeah, but the conversation was great. And judging from the feedback from how many people, uh, you know, listen to the show, people find it really intriguing. So, you know, here you are students.

[00:01:22] Neal O’Farrell: But yeah, that

[00:01:25] Evan Francen: so catching up real quick. What’s anything new in your life? Anything new with you guys? Exciting things.

[00:01:33] Neal O’Farrell: Um, we had some tragic news yesterday. Our neighbors are not doing trick or treat this year and refused to give me their candy. But other than that, it’s pretty, pretty smoothly.

[00:01:44] Evan Francen: Drop your address in the chat man. I’ve got candy. I’m trying to get rid of.

[00:01:48] Neal O’Farrell: All right. Okay. All right. We’ll set something up because it’s, it’s not so much. Candy is the free candy. You know, you’re gonna, you’re not gonna use it.

[00:01:59] Evan Francen: Yeah. My wife, my wife has attended. I don’t think she understands. Well, if you look at my body, either I don’t understand or she doesn’t understand or we both don’t understand portion control. She’s a she’s a thin little thing, But man, she’s buys candy. There’s candy all over the over the house. I swear we got like five bags and we’ll have like three kids. So yeah, I want to get rid of it.

[00:02:23] Neal O’Farrell: Okay. We’ll set something up. We’ll get there. You’ll be my candy

[00:02:28] Brad Nigh: dealer. Yeah. We’re not doing the trick or treating this year. Either my daughters are a little older, so they’re not not into it. And I said we just, we bought some candy for my son and he’s like, cool. I’m good.

[00:02:42] Neal O’Farrell: Thanks.

[00:02:45] Evan Francen: Exactly.

[00:02:46] Neal O’Farrell: We had about 1000 kids last year. Wow 1000 kids.

[00:02:53] Brad Nigh: I thought we were busy there. Gosh, We had probably so a couple 100. I went through like £220 or £210 bags of candy.

[00:03:06] Evan Francen: We don’t get like three kids. It might be the doberman pinscher. We sit on the front porch. Uh, so we haven’t had enough

[00:03:15] Neal O’Farrell: other neighbors know you.

[00:03:17] Evan Francen: That’s true too. I’m the guy with the pickup truck guns. Beard. Yeah, I’m product typical.

[00:03:26] Neal O’Farrell: It’s the beard thing.

[00:03:28] Evan Francen: Yeah, for sure. So brad. What’s uh, how’s uh, how’s that, how’s the family doing well?

[00:03:34] Brad Nigh: Yeah, he’s doing great. Um, You know that good news from his testing for like reading and math. He scored very 99th%ile for both. Not put into an advanced math class as a kindergartener, which is awesome. Like doing multiplication on his own. There’s a, I think it’s dan coming to stand up comedian. He said having smart kids is a lot of work. Sometimes he’s jealous of when he goes to the mall and sees like the parents of the dumb kids for you can just pop them down in front of the tv with some chips and has some time to himself. Smart kids are always asking questions and want more stuff like Yeah,

[00:04:15] Neal O’Farrell: that’s about right.

[00:04:17] Evan Francen: That’s true. Well into Neal’s point before we started the show right now. When did you have your first Guinness?

[00:04:25] Neal O’Farrell: Her swiss ski? Three months old for skin is six months old.

[00:04:30] Evan Francen: That’s the, that’s the irish way to raise kids. Maybe we should adopt

[00:04:33] Brad Nigh: that.

[00:04:35] Neal O’Farrell: Yeah, yeah, It explains a lot about the irish

[00:04:42] Evan Francen: gotta love the irish,

[00:04:44] Neal O’Farrell: This is where I wanted to stroke my beard and as I put my hand up, I realized there’s nothing there,

[00:04:49] Evan Francen: right? Yeah, sometimes you do that like we do the shit show on thursday nights and you know, chris roberts has a long beard like mine. And I’ll see him stroking his on the video and then next thing I know I’m doing the same thing. I’m like, stop it. What the

[00:05:03] Neal O’Farrell: hell? It’s a gamble thing.

[00:05:06] Evan Francen: Mhm. Well, yeah, it’s uh it’s actually scientific. It’s uh wisdom. Yeah. Right, This is all I’m right here. All

[00:05:17] Neal O’Farrell: right, we’ll go with that colors. If you know what? There you go. In terms of theory on this, Please call in.

[00:05:25] Evan Francen: There you go. Yeah. So neal, thanks again for joining us this week. Last week. We had a great talk. So great. In fact, we didn’t have time for the news. Uh No matter though, uh you know, most people I think can read, I think most people probably don’t read. But if you wanted to read, you could still find the news online. There’s a thing called google and then you can type, you know, security news and find that stuff. Two. Anyway, we talked about your background. Both of us shared our personal struggles with mental health bread. You didn’t get to share your personal struggles with mental health, but you probably don’t have any mental health issues anyway.

[00:06:05] Brad Nigh: Right.

[00:06:07] Evan Francen: So we’re good on that.

[00:06:09] Neal O’Farrell: What are you doing insecurity?

[00:06:11] Evan Francen: Yeah, brad. You got stories brace.

[00:06:16] Brad Nigh: Oh yeah, I’ve had, we’ve talked about bad jobs and stress and things. But I’ve always been not does havent struggled absolutely have had issues and struggled with it. But I don’t know, I’m like personality pretty laid back and just don’t let things get to me very often and so you know I’m able to most of them just let it go and not not get bogged down by some of that stuff. But it absolutely happened. Mhm.

[00:06:48] Evan Francen: Well before you jumped on bread Neal and I were talking about how you know one of the things so I was involved in an incident response on friday and you know, yeah and you know the one I’m talking about and it’s just like you you couldn’t have handled this any more poorly. I don’t think in terms of you called the wrong people, you called too many people who had the FBI involved, the department, Homeland Security involved, you had the local sheriff’s department involved, you had another company involved, you have the insurance company involved and then you had us involved. It’s like what in the hell is going on here? And the fact that you were so poorly prepared led to just this cluster of so in our in our job there’s lots of things that we see all the time. It’s not I don’t think it’s probably all that unlike you know, maybe first responders in some ways we don’t see body parts but we see things that we want to. I mean I can’t tell you about, I want the world to know how poorly this company treats treats information because they have you shouldn’t be in business, You shouldn’t be in business because people trust you and you? I mean, I’m gonna I’m gonna start saying swear words, but you can see how I get heated about this. Well, that adds stress. Uh Neal you were talking about cortisone levels in the last podcast. I mean, hell pissing me off. And what do I where do I go with that? Wow.

[00:08:27] Neal O’Farrell: Yes, It’s it goes to the core of so many of the challenges with stress and mental health and security that so many of us come in this business because we we have a very solid moral compass and that kind of stuff eats at us in a way that something, it’s something it shouldn’t. But the only way Walters, if we lose that moral compass and we can’t afford to do that, because it’s what defines us and it’s what keeps us saying that we’re able to still rise above it. But yeah, it is a little bit like courses on the way that it, you know, left unchecked and constant and raised. It eats at you. It really does eat at you and you have to find an outlet. You have to find a way to to release that valve or you’ll end up like me.

[00:09:15] Evan Francen: You think that’s one of the reasons why we’re such a tight knit tribe, you know, security people. And if you listen in on security people’s conversations, it’s not uncommon to hear us complain and bitch about customers or clients or people who don’t get it, do you think that that’s one of the reasons is we just need to get it out.

[00:09:39] Neal O’Farrell: I think that’s, I think that’s critical. Absolutely. I mean I’ve always said we’re not fighting Russia or china or, or, or, or criminal gangs or long walls providing stupid and indifferent. Those are our biggest frustration. I mean, we know the enemy, we know their motivations. We expect them to behave that way no matter how cruel, uh, they can be, but we don’t expect the same from the people we work for the people we work with our, with our clients. And yeah, I mean one of the reasons that I finally ended up being burned out was was they did the stupid cycle. You know, I’ve been doing this for 40 years. I see the same stupid coming back again. Whether it’s whether it’s vendors or security leaders, You know, every time I see some more, there’s going to be, you know, federal privacy legislation this year guarantee that yeah, I think a 20 year old song, I mean you’ve gotta really all playlist. Um, so yeah, we are, we are, I think we are united in the fight against them in many ways and dumb is so frustrating because it doesn’t have to be that way. So many of these things don’t have to happen if you just were slightly marginally above dumb.

[00:10:51] Evan Francen: Yeah. What and you talked about the moral compass, you know if I’m facing this stress because I’ve also had conversations with really, really, really good security people over the years and they’ve asked me the question why what keeps us from going to the dark side? You know, there is that moral compass, but holy crap, you certainly make a hell of a lot more money and I don’t know, maybe it be less stressed if you went to the dark side, but then you have to forgo your moral compass right?

[00:11:31] Neal O’Farrell: Um, I don’t think I’ve ever been tempted to go to the dark side other than, and accidentally went to the dark side way in the beginning of my career when when hacking was espionage and hacking was not into a network, we’re going over a wall and breaking into a building is stealing some floppy disks. And I remember and I didn’t do it deliberately, I helped someone else do it. They didn’t tell me what the, what the mission was. But I, I don’t know. I I I’m not too sure about that. I think the people that I’ve worked with, the people that I’ve dealt with, I know some people, I don’t know if you’ve come across Brett johnson um, the the shadow crew guy. I mean he grew up on the dark side, uh, he struggled to come over to the, to the light, but talking to him, he’s no longer attempted to go back, even though he could make an awful lot more money and even though he stumped and struggles financially because he makes a lot of money on the speaking gigs and that dried up. So I don’t know. I don’t, I think we do have to have enough, but I think it’s, it’s almost like being trauma doctors, you know, you see the same shit night after night, the same people ending up in awful situations and often because of stupid mistakes are alcohol, whatever it is. And it leads you alive if you don’t deal with that. And, and the same with cops. You know, I’ve got a really good friend that actually helped profoundly who co founded the identity death council and she retired as a result of PTSD after more than 20 years. And she said she never once fired a gun. Um, she was never once fired at never gotten a gunfight. But you said it’s the, it’s the accumulation of being first on scene at a gory traffic accident, of picking the two year old out of the pool of her. You know, putting it, putting a dead body out of the stream after being there a couple of weeks. And our fiscal to the chest cavity is that it’s the accumulation of all those things that finally breaks you. And she only found out after she retired that there were tools and techniques and systems she produced to compartmentalize that and not let it eat her up. And I think that’s something that we haven’t done yet in security. I don’t think because there hasn’t been enough focus on this topic. Right?

[00:13:50] Brad Nigh: Yeah. I was gonna say, I think that’s probably one of the good things that are one of ways that I’ve been able to do it is I think I’ve been really good at being able to compartmentalize it and,

[00:14:00] Neal O’Farrell: and well,

[00:14:01] Brad Nigh: you know, obviously we’re never truly off, especially when, you know, you’re coming up in 1924 7 types support. But being able to say this is now personal time, this is family time versus work. If something comes up, then sure we’ll switch back over. But I really try hard to make an effort to leave work at work. Uh it’s been a little more difficult. I think this with everything being locked down and be in the house all the time. But I work, I have an office, I work in the office, I don’t take my laptop out of the office. And when I’m not on the weekends, I really try hard not to come in here just because, you know, it’s that separation is that chance to get away and kind of decompress.

[00:14:51] Evan Francen: What I think about you brad is your ability to set boundaries and stick to them. I’m not that way. Uh you know, for instance, There are no two mornings I get up at the same time. Yeah. And since I forever and I’ve tried so hard to change that. You know, I’m like I’ll set my alarm six o’clock. I’m just gonna get up every morning at six o’clock and then what do I do this morning? I got up at four yesterday, I got up at three tomorrow. I don’t have no idea what time I’m getting up tomorrow. I mean I’ll set my alarm and get up and over the hill at you. Like

[00:15:26] Neal O’Farrell: why isn’t it? You know,

[00:15:29] Evan Francen: I think it’s uh well I don’t know, it’s been a conundrum for me for a while. I think I’m just a person who hasn’t been built for routine. It’s not a skill, it’s not a gift of mine. And so when I finally decided that I was going to give up trying to be something that I’m not and just embrace that this is the way I am. Then it became a freeing experience that uh this way and it’s okay when you use my gifts to the best of my ability, I’m going to minimize my weaknesses. So if I’m all random like that, well then I’ll try to find time during the day maybe to take a nap. No, you know, my wife certainly adapted to it. So it hasn’t affected home life. But it I admire people that can set boundaries and stick to them. I’m not that guy,

[00:16:29] Neal O’Farrell: is it is it is a D. H. D. Play anything, any role in it, it’s just you can’t shut down.

[00:16:36] Evan Francen: I think so and I just uh I’m random like a uh someday I decided I was gonna get my guitar out and start you know playing guitar again. Some more friday. I decided I was going to get my Arduino out and I want to build a rocket that can shoot down drones. Who doesn’t

[00:16:58] Neal O’Farrell: mr just just just another day right in the head of Adam

[00:17:03] Evan Francen: I said yeah

[00:17:05] Brad Nigh: because I know I’ve had those days where you know that was a problem where you couldn’t shut down right? Just your mind just is going at night because I’m actually fall asleep and all of a sudden it’s like hey what about this one problem? And then it’s just go and I think having going through that building out like routines and building out okay this is what I need to do to if this happens do these things and write it down or you know I can’t get to sleep, get up, I’ll do some walk around the house just to kind of change, change the situation right? If I’m laying in bed and just like oh my gosh I can’t sleep, Just get up and walk, come downstairs for 1520 minutes reset and then go back up and you know it’s I think it’s difficult, I can understand where that I mean that would be stressful for me. I wake up occasionally early where it was like I already got my six hours of sleep it’s four AM and I’m ready to go. But most retirements, I’m pretty good at keeping that routine.

[00:18:13] Neal O’Farrell: Yeah, yeah, I’m, you know, I’m, I won’t say I’m the opposite, but I’m certainly very different. I can sleep soundly for eight hours. I can sleep soundly for 10 hours if you leave me alone and I’ll also nap during the day and it’s depression, it’s just, it’s the chemicals in my body and I’m constantly fighting and and it’s actually beginning to work. You’re trying to take these two to recalibrate the, I mean, they call them depression apps. It’s a well recognized side effect of depression. It’s a way of the body to cope with the turmoil in your mind tries to switch off by, by my uh, you know, forcing interest. And it’s also a way to the body deals with cortisol. You know, if you’re constantly stressed, you have constant, we talked about this last week, high levels of cortisol courses all that. The creation of energy. Your body gets tired constantly creating energy and it says, you know, time out you’re going to have because that will stop you being stressed, You’ll stop creating energy. The body can go back to its normal level. And so I’m kind of the opposite. I wish, I wish I could get away with 34 hours a day a night, but I have been that there’s, there’s a lot of science around they, the long term negative impacts of not getting less than eight hours solid sleep at night. And it’s not just, you’ll feel better for it, but it actually connects to aging to cognitive decline to memory. Um, the body really, really, really wanted to sleep solidly for eight hours no matter how you manage it, you know, naturally are pharmaceutically. It really, it’s, you know, my wife is a little bit like you haven’t cheese, you know, she’s in bed for for for seven or eight hours, but she’s on this evening for two of it. I and then, you know, and she’s now being to realize that that’s not good for anything, not something to be proud of. It’s not about your honor.

[00:20:12] Brad Nigh: It’s interesting

[00:20:12] Evan Francen: though. But I think, you know, one of the, you know, when you take an inventory, you know, one of the things that, you know, when I take inventory of me, who I am, what’s going on, what my brain is saying, you know who I really am, you recognize that there are certain gifts that you have in certain weaknesses that you have. And I read a book, you know, strength finders, right? It’s a very popular book. And when I read that it was like, yes, capitalize on your strengths, minimize your weaknesses, you know, because other strengths are very introspective. Uh I’m constantly reviewing me like, you know, I don’t point so and that also leads to the fact that I don’t point fingers at others before asking myself what did I do to contribute to this problem, which then becomes a kind of a good leadership attribute. But uh discernment is also a gift, you know, it’s difficult, it’s not that I can’t be fooled, but it’s difficult to fool me because discernment is just a gift. Uh you know, but there are certain other things that are weaknesses. I don’t exercise, like I should, you know, so body wise, mentally, I’m pretty strong spiritually, very strong physically. Yeah, fuck it. I guess, excuse my language. You know

[00:21:33] Brad Nigh: What? one of the things that I realized is, it was a real wake up call, slap in the face of the thing is with this lockdown, you know, it’s basically been seven months that I’ve been working from home and I didn’t realize how out of shape I had gotten until I started playing with the kids and was like, oh, oh yeah, we got the uh the ring fit for them and they’re like, do it off the car, it fine. And I did like, it was like a five minute jog and you know, you’re doing exercises and squats, and I was like, at the end of it was like, ok, that’s a problem, you know, you don’t really, it’s so easy to slip into those bad habits without realizing it. Like, You know, I don’t get up and do things now, it’s 2020 ft to the bathroom, the kitchen is literally around the corner, You know, I don’t go out for lunch anymore. So not walking or going and doing things. And so I’ve had to make a concerted effort to put time on the calendar and make sure, that you know, have a reminder that during the day, get up and go do 15 minutes of exercise, go do something and oh my gosh, just you just feel so much better. You don’t realize it until it’s, you know,

[00:22:52] Neal O’Farrell: you just slipped into it. Yeah, we’ve got a pellet on and we’ve got to tread climber and my wife uses them an hour every day and she’s skinny as a finger and not one of heaven singing about the typical fingers. So, and she does, she she used to run marathons, all that kind of stuff. And she would criticize me in the general kind of way for putting on late. And I tell her, don’t market it’s a disease. It’s covid, you know, it’s not my fault. But yeah, and it’s and it’s and again, coming back to these brain chemicals and and and I think it’s particularly affects people in security a lot of times. They worked alone anyway, even if they’re physically around other people, they they they confine themselves to their own headspace, But it’s this thing oxytocin, it’s one of the most powerful chemicals that we have in the brain and it is the it’s it’s the chemical, it’s the hormone that allows us to create communities. So fundamental to the survival of humans. But it’s also the cuddle hormone, the love hormone, let’s say when, when it’s a it’s a hormone that makes us appreciate therapy animals want to hug the car and all that kind of stuff. And if you’re not totally engaged, it goes down and it really does make you feel bad. It makes you feel lonely. It makes you feel even more isolated mentally than you are physically. So yeah, we don’t I mean, I think Covid is teaching us things about us that we’re always there, but we never really looked at our address and it’s it’s reshaping our brains. It’s going to be interesting how we, how we appear and how we think we would come out the other side assuming we’re not hit with something else.

[00:24:27] Evan Francen: Yeah.

[00:24:28] Brad Nigh: But so because,

[00:24:31] Evan Francen: you know, I love the way you put that, because I’ve always said, you know that we’re social creatures, that human beings are social, it’s in our DNA, we can’t help it and how, you know, there’s going to be bad things. So it will be side effects too, us being isolated like we have and but you put you put like a different perspective on it and a and you use, you know, some scientific evidence to support that. That’s that’s cool.

[00:25:02] Neal O’Farrell: Yeah. And that’s that’s that’s where a lot of this is kind of coming from, you know, as you probably gather, I may, you know died in the world card carrying genetically unmodified cynical Irishman to anything that I adopt, I asked it has to be science based. So, you know, you present me with the proposition, I’m not, I’m not gonna take your word for it. Let me see what the data says. Let me see what the science says. And then the science behind that we decided, you know, on and on and on. And the more I learned about this, the more I realized that you know, we are, we are fundamentally products of the chemicals in our brains over which we exert incredible control. We just don’t know it. And so I’m experimenting with all these things and it’s and it’s it’s, I don’t understand evangelical about it, but it’s almost like go tell it on the mountain. You know, just you know, we talked before about when I tried mindfulness for the first time Uh just as a stress management tool and I 10 minutes and I pulled it out of that room. I just I just I remember this almost argument out of out of body feeling approaching my wife and saying Kathy Kathy Kathy Kathy Kathy, come here, come here, let me tell you about this. And I was I quite literally had a high, I had a dopamine high and it lasted for you know, probably half the day and that that’s dress, watch stress. I mean, you know, no alcohol involved, no risk you’ll get us involved. But the more I’m learning about this and I’m thinking if only I had discovered this 20 years ago as a way to manage stress, I wouldn’t be so cynical and jaded and checked out from security as I am now. And maybe it might have been a more productive and enjoyable career. Maybe I wouldn’t be so angry at how things shouldn’t have should have been and weren’t. And so, you know, again, I have to be careful that I’m not being a zealous evangelical or field of the same kind of mission, but anyone I can convert to this knowledge that your breathing absolutely re wires your brain and thus reshapes your view of the world. I’ll do it.

[00:27:17] Brad Nigh: Yeah, I use the app headspace. I have

[00:27:21] Neal O’Farrell: heard of that one. Yeah, I use that

[00:27:24] Brad Nigh: for that meditation. Is that guided meditation?

[00:27:28] Neal O’Farrell: You

[00:27:29] Brad Nigh: can do

[00:27:30] Evan Francen: that

[00:27:31] Brad Nigh: head space. Yeah. And uh it is, I was kind of a little cynical of of it, right? Like people keep talking it up and It’s amazing what 10 or 15 minutes of just, you know, headphones in just computer off, sitting here quiet and just eyes closed and focused on your breathing and you come out of it. It’s like,

[00:27:55] Neal O’Farrell: wow. Yeah.

[00:27:56] Brad Nigh: You yeah, it’s energizing. It’s it feels just better

[00:28:04] Neal O’Farrell: they just down and it’s it’s it’s it helps in so many different ways and again, it’s because you’re lowering your cortisol and you’re you’re bumping up your your friends and your, you know, all that kind of stuff, but the physical benefits to our incredible to gut the diet, which you know, really counters a lot of what goes on security. The sedentary lifestyle is sitting in the chair for so long. Yeah, I’m I’m I’m, you know, I never thought I’d be a fan I now now and I hate to say it and I’m glad this is not being recorded. But

[00:28:36] Evan Francen: my wife,

[00:28:39] Neal O’Farrell: wait, no, okay, well I’m halfway into that conversation, I’ll finish it anyway, I’m going to try yoga, I’m gonna try, I’m gonna break this old body of mine and you know, steve I can, I mean I’ve done I have done downward dog and a lot of times outside bars, but now I’m going to do it on a mat in a warm room.

[00:29:01] Brad Nigh: Yeah we use uh I haven’t done it lately, I pick it back up but my wife

[00:29:07] Neal O’Farrell: and I way back

[00:29:08] Brad Nigh: had done the uh well, gosh, what is it called? P 90 x that work out

[00:29:15] Neal O’Farrell: and they have a yoga.

[00:29:17] Brad Nigh: Yeah, yeah, I hate that guy. Uh oh Tony Horton, Oh I would yell at him on this when we’re doing these workouts to be so cheerful, but they have a yoga series as part of that and and what we ended up doing for a while and like I said I’ve done it since we moved, I don’t even know where they are at this point, but we would just do that. And it’s your like sweating and it’s a workout, you don’t realize. Yeah.

[00:29:45] Neal O’Farrell: And the next, the next thing I’m experimenting with this, I think we mentioned last week is uh sky breath. And again, it’s just it’s taking the science for the science and the tradition from from buddhism and Hinduism and yoga for maximum. The centuries of breathing and how different types of breathing in certain sequences can be incredibly powerful in modifying your your mood and anxiety. Um it takes a little bit of time to to figure it out because it’s long until 35 minutes of lots of different breathing. There are bellows breathing and this ocean breathing all kind of an alternate, alternate nostril breathing. It gets a bit complicated. But what drew me to it was a Yale study uh where they had Iraqi Iraq and Afghanistan veterans try it who are dealing with PTSD and they saw effects within a week. I mean, normalizing their anxiety to normal base levels within a week and then sustaining that for a year afterwards. And I thought, all right, heard of Yale, they’re pretty credible. And there’s a lot of other supporting evidence and and and and all the yoga file thing. Yeah, we’ve been telling you this for centuries. But that’s the that’s the next thing I’m going to try because it takes mindfulness to a much much higher level because the science around how different types of breathing affect different parts of the brain. Uh So I’ll let you know how it goes

[00:31:18] Evan Francen: and what’s that called?

[00:31:21] Neal O’Farrell: Sky bread SK Y. And the S. K. Stands for Laroche in Korea. I think tradition create yoga is ky it’s proprietary. There’s an organization that has developed a yogi I think. Um But it’s yeah I mean you know I psychologist psychotherapist are practicing practicing and raving about it and yeah let’s all try together shall we and see how we uh does involve a time commitment.

[00:31:54] Evan Francen: Well you said it takes mindfulness to the next level. Maybe I should start with mindfulness first.

[00:32:02] Neal O’Farrell: You can get if you haven’t tried to try it and and remember and and and I’ll send you some links where you can learn about it. But the most important lesson that I r I suppose instructional piece of advice before I started with it’s not really meditation. You’re not trying to tune things out. You are you are you are accepting everything, it’s about being in the moment to accept everything that’s going on around you without judging it. And so I remember sitting there and listening in my mind I I imagine I was in battlestar galactica and all my stress was coming at me. I’d be like asteroids was going. Yeah no problem, yep don’t care. Yeah how you doing and and that aspect of it. Just accepting that these stresses are all around. But they don’t have to hit me, they don’t have to eat me. That was the most powerful part of it I found apart from the breathing and breathing, slowing down the heart region, you know, readjusting the chemicals, but just accepting that the ships out there protesting about is not changing it and it’s not going to make them go away. It’s this, this might be discussing. We’ll have another time. I developed my own system for dealing with stress, separating stressors from stress. And that was my way of compartmentalizing all this.

[00:33:18] Brad Nigh: Yeah, that’s interesting. I haven’t heard of that, but it does make a lot of sense. So heaven knows what my youngest is, six and he has a luckily a mild case of cerebral palsy, but he still has that startle reflex that where he gets, if he gets surprised her where and he goes into the lock in really gets upset. And one of the things that his doctors have have worked with him on is breathing. And so he’s now luckily he’s old enough now that this has been something for his whole life. Uh now he goes off to his on his own and does his breathing and he has like a it’s a toy, like the ball that expands and contracts and and that was the way they taught him is hello. And it absolutely calm them down. So it makes a ton of sense that the doubt, yeah, would work.

[00:34:13] Neal O’Farrell: You know, I I I’m now I found myself automatically turn into breathing for everything. So I want to clear my head. 3, 10 deep breaths. I want to get a bit more creative Neal Breathe. I want to remember where my car keys are. It just it’s you know, whether it works or not, doesn’t really matter. I feel good. So I guess it does. But yeah, you find yourself automatically going into, oh, you forgot to breathe and we do, you know, uh most humans are breaths are very, very, very short because life is stressful and short.

[00:34:49] Brad Nigh: Yeah. To I wonder if part of it was so in high school, like I went up through uh come up through the theater, I needed in ninth grade, I needed an extra class and I was like, man, that looks easy and uh did well in it and did like enjoy the building of the sex and stuff. But a lot of it was breathing exercises and controlling and yeah, I bet you that, not thinking back. I bet you that had a lot of

[00:35:14] Neal O’Farrell: maybe why you’re able to do with stress, that you are able to without thinking about it, take that deep breath and have everything down.

[00:35:24] Brad Nigh: It’s always been focused on breathing into your chest, doesn’t expand first. But it’s like kind of from the bottom up and it’s just how I breathe at this point, just because I have four years of training on it without realizing

[00:35:36] Neal O’Farrell: it, she ever made a breakthrough already, wow.

[00:35:40] Evan Francen: I know. Well, and I was what you were talking, I was looking at mindfulness because it’s a thing that, you know, I understand how the word is constructed, but I don’t understand what it really means. Uh, so I found a place called Mindful dot org. Is that a place?

[00:35:56] Neal O’Farrell: That’s the place? Okay. And probably the biggest proponents and supporters on there?

[00:36:02] Evan Francen: Yeah. Mhm. So, you know, for listeners, there’s a great place, you know, Mindful dot org is the, is the website. We’ve also mentioned a couple other resources that I want to make sure, you know, people know about headspace that you brought up bread as a, you know, I just downloaded and installed it on my iphone

[00:36:25] Brad Nigh: have a sleeping what God is sleep that might really help us help. That helps me.

[00:36:31] Evan Francen: Why sleep really soundly. I just, I don’t have a schedule. Yeah. If you take my average of hours of sleep across the week, I get eight hours every night, believe it or not. I mean, yeah, it’s just one night, I might sleep three hours one night, I might sleep 10. You know what I mean? It’s just like, oh, I am totally the wrong house to come rob.

[00:36:58] Brad Nigh: You never know if you’re awake or not.

[00:37:02] Evan Francen: If you scoped out my house. If you were like one of those people who was like scoping out trying to find the right time. You’d be like, what the hell is with this guy?

[00:37:10] Neal O’Farrell: Yeah, yeah, I’m gonna, I’m going next door.

[00:37:13] Evan Francen: Yeah,

[00:37:15] Neal O’Farrell: well that’s that’s the fundamental rule, the security, you know, you just, you you create a stance to persuade the attack and go next door is not worth it.

[00:37:25] Evan Francen: Yeah. And I think a lot of things that helps me cope with things is, uh, there’s always positive things, You know, even some of the worst things that happen in life, You know, I had cancer and I told my wife, you know, when I told her I had cancer that either way, that, you know, no matter what happens, it’s a win for me. I die tomorrow, based on my worldview and I understand other people have different world views. I’m going to jesus, that’s a win. I mean, I’d rather be there than here

[00:38:02] Neal O’Farrell: anytime

[00:38:05] Evan Francen: if, if this, you know, it, they cut out my kidney and it’s all good. Well then there you go, life’s back to normal. And I’ve got a story to share the, if it’s a long drawn out, you know, chemotherapy thing. Well then, you know, what a great way to, to demonstrate strength for other people that maybe they can, you know, grab from it. So, I mean, that’s another thing that helps me cope is I’m looking for silver linings and looking for things that are positive, you know, positive potential

[00:38:36] Neal O’Farrell: and you you just brought up another element of, of calm and happiness that again, has a ton of science behind it, gratitude um I mean, people struggling with PTSD are taught about the process of gratitude and it’s, it is a process, it’s, it’s it’s it’s a routine and quite often involves writing down but simply the notion and we all practice without necessarily thinking what it is, but it doesn’t make us feel better is being grateful for you have not worrying about what you don’t have and that does again, it rewire the brain, it Rebalances the chemicals and it increases calm and it’s again when the more we talk about is the interconnectivity of all these things and all that, you know, happiness for example the power of happiness in creating calm and reducing stress and anxiety, but it’s a process, you have to learn how to be happy to learn techniques that uh huh put you on the path to being, you know, I call it happier this because there’s no such thing as happiness, it’s an Absolutely, yeah, gratitude is an incredibly powerful tool in common your mind, but you have to practice it, you have to every day just look around and say, you know all the shit that’s coming at me, I’ve got, I’ve got this was great, my family is great, my wife was great, my health is great or good or enough and it’s a really, it’s a powerful way I again of, or saying the asteroids and the media media is to just buy it

[00:40:10] Evan Francen: right,

[00:40:11] Neal O’Farrell: Yeah, You’re doing it without knowing necessarily the chemistry behind it.

[00:40:16] Evan Francen: Yeah. Yeah, that’s a good point because it is a great coping mechanism. I wrote a blog post last week about I was having my own pity party. You know, I was had two dogs that passed away this year. You know, just, I mean there’s always things right? There’s always you go down this rabbit hole and it’s like, wow, there’s a lot of dark stuff and it’s not like you you deny that it exists, you have to confront it. You can’t just, you know, skate over it because it will come back up again. But I was having this pity party and then just like you said, it’s interesting that you confirm it for me because then it was like I heard a voice that was like, Did you forget about the blessings? Did you forget about the good things that happened this year? Did you forget about? And then that list just replayed in my mind and it was like 30 things. I was like holy shit, 2020 has been a great year regardless of covid and social injustice in this election and all the other crap going on. It’s like, no, it’s been a great year. Good things have happened.

[00:41:21] Brad Nigh: You know, it’s interesting what you mentioned that because you know, it is easy, especially we’ve kind of talked about it. I think this, I don’t know, nebulous roll, right and not really part of anything in particular, but figures in a lot of things. So it’s kind of a it’s a new experience for me and you know, I was struggling with what am I breathing value, right? Especially being isolated and this is, you know, but it’s hard, especially you don’t see people and you just kind of helping a lot of different areas. And one of the things we do is is quarterly with our video is the rocks for attraction and sitting down and writing out everything that I’ve done the different documents that it was like, oh wow, okay. Yeah, good. Like made me realize what I had accomplished because you don’t see it day to day, you lose lose sight of the big picture really easily when you’re just constantly moving all over the place and then stepping back and going, okay, what happened, what did I do, what’s gone on? And it’s like, yeah, okay good. Yeah.

[00:42:34] Evan Francen: And now Neal does mindfulness help with that does mindfulness help with you just stopping and just kind of identifying things like that.

[00:42:46] Neal O’Farrell: Yeah, it does because if only for the fact that in order to practice mindfulness, you have to stop And for someone with a PhD and you get it. I mean telling me to sit still for 10 minutes is like, you know, I can’t sit still for 10 seconds. I’m physically and mentally I can’t and so the first time I tried mindfulness, it was a nightmare. It was just my mind was raging. Just, you know, as it always does. You know, so many ideas, So many plants, so many schemes, so many worries, so many things that I’ve got to take care of and and and and fix and all that kind of stuff. But they’re coming out of it because it had calmed me right down. Um I was able to suddenly, I mean, I sound like monty python. I was looking on the bright side. I was just like I said, when I flew into my wife is like, nothing is bad. And so I’m I described it repeatedly as this euphoric sense of calm and peace. And that’s that’s as close to, you know, happy in Havana as I’ve come in a long time. So, it certainly made me, it made me grateful for the moment. It may be grateful that I’ve found the tool that actually worked for me. It made me grateful that I listened to my better angels instead of being cynical and staffing at us and just try it. Just stood up and sit down for 10 minutes. You know? Do we get all um So yeah, and again, I go back to it. It’s all interconnected. It’s helped with my outlook on life. It’s helped with my happiness. I was unhappy for years. I didn’t know happy what I was just joyless. I couldn’t, you know, anyplace I was, I wanted to be someplace else. You know, I was just, people were pouring me. I was, you know, I had these voices Reggie in my head, You don’t know what you’re talking about. You should live in my shoes. Just stupid talk. But yeah, um, it’s the, uh, and I think it’s an incredibly powerful tool for so many things that we, most of us are dealing with the same things to different degrees, you know, where they’re, you know, I mean, I talked to a good friend yesterday and You know, he’s only a nubian securities, only been in there for 22 years. So it’s time was just, you know, given your mind shoes, you know, but he’s just jail with everything. And you know, he’s very, he’s very politically involved and he’s very morally focused and, and he, he was angry at how the world was, you know, not doing what I’m supposed to do and and doing what it was, was supposed to do and the cover and, and, and then I said, what, what’s really bugging? He says it’s just the security thing and it was just, you know, he’s been doing it for so long and nothing’s changed. And he was just frustrated that he wasn’t leaving a mark making a difference. Same old story, shame old people, same old faces. And then he just sat back and said, I’m so grateful for what I have. You know, my health is good, my family is good. My kids are fantastic. I got a beautiful house. I got a great girlfriend and it was just at the end of it. He wasn’t camp and it was camera. Um, so yeah, it again, it comes back to some time we talked about earlier that this security thing can really grind you down if you have a conscience and you really, really do need to find a simple way to put yourself above the water line or your little grounding

[00:46:09] Evan Francen: one. You know, a lot of things that we’ve been preaching recently about security is um, we need to slow down, right? We for so long we’ve been, you know, going much faster than we have the ability to secure things, right? New technologies, new devices, new applications, knew

[00:46:31] Neal O’Farrell: everything, certifications, frameworks. Oh

[00:46:33] Evan Francen: my God. Right. And so we’re always going, we’re always falling behind. And so it’s such a good thing. I mean that’s one, it could be another takeaway for me personally. And this is slow down, Stop. Yeah, go down. The world will continue to evolve. The world will continue to turn if you’re not working right? Yeah. You know, Just take a minute, take 10 minutes, take half an hour and just set reflect, relax, breathe, you know, and I’m gonna use some of the, I mean I truly, I’m the next week we have another guest. It’s uh, it’s a guy, his name is Richie, I met him. Uh it’s a long story, but the topic of what we’re going to talk about next week is the security industries stigma against healthy stuff.

[00:47:31] Brad Nigh: Yeah. Yeah I mean yeah that’s the big thing is nobody talks about it right And it’s good

[00:47:39] Evan Francen: for from it. I mean I just I just said that you know physical I don’t do physical exercise well that’s not going to be proud of man

[00:47:48] Neal O’Farrell: but

[00:47:49] Brad Nigh: there’s that stigma I think around mental health and you know I haven’t really talked about it that I was recently diagnosed with A. D. H. D. Inattentive inattentive. Um And it was like going through that and then getting that and reading about it and was like holy crap so much makes sense

[00:48:09] Neal O’Farrell: that like all

[00:48:11] Brad Nigh: the other things in school and coming up and you know I have to have if you’re watching and I think it made me who I am which is a good thing right? I have to have things documented a certain way I have to do these things because I had to do it that way to overcome some of those issues and it made me really good at some of the things that I do but getting that treatment for you know getting finding out about it and just it was like yeah the the angels of light shine it’s like holy crap

[00:48:46] Neal O’Farrell: so

[00:48:47] Brad Nigh: I mean yeah and it started with I just started talking with my doctor and was like I’m really struggling with these things and when and did the whole, I don’t know. It’s all ridiculously long test and all sorts of questions and I was like, yeah, no, you’re like, it’s not a severe case, but you absolutely have this and like

[00:49:07] Neal O’Farrell: really violations.

[00:49:09] Brad Nigh: That’s like,

[00:49:11] Neal O’Farrell: wow. Uh There’s a thing to, that comes back to to to perspective and we all guard need to teach the new guard about this because to learn it over time is a big price to pay. But You know, like I keep saying doing it for 40 years, the one the the most valuable things like Gospel was perspective. You see all these cycles come and go. You see all these ideas and people and vendors. Um but the one thing that I, that I that and I only can have admitted it recently is nothing ever turned out as bad as you were stressed that would, and if you learn to accept that now you’re not going to get fired because you failed or you didn’t show up. You’re not there 12, 14, 16 hours a day. But if you do get fired, there’s 1000 employees ready to hire. There’s 1000 everything works itself out in the end without allowing stress to eat you up along the way. And that’s the one thing that I’ve learned from all this and I, you know, we talked about it before. I’ve been in some really stressful situations and also complete that. I chose them. I took risks and business, I went for contract that I had no business going for. I worked in environments that I really was talking about imposter. I was a complete charlotte, but and I learned the stress on me. But this is this is one of the most important things we have to deal to. We have to teach to the other security professionals to get the stress. It’s not worth it. It doesn’t change anything and nothing is ever ever as bad as your worst demons screaming it.

[00:50:50] Evan Francen: Well, that’s great advice because it’s in line with, you know, but I’ve been preaching to, I mean, I guess I meant I was somewhat of an old timer, but not 40 years and Like 30 ISH. But it’s the fact that when we’re involved with security stuff and we’re so we care so much and we pour our hearts and souls into this stuff, it’s really easy to think that security is the thing,

[00:51:18] Neal O’Farrell: right? But

[00:51:19] Evan Francen: security is a thing, it’s not the thing. There’s so many other things in life that happened that you need to pay attention to, that you need to focus on that perspective. I’ve also said the easiest way to tell a an inexperienced or a bad see so is their inability to put things into perspective. You know, they can’t put risk into perspective. They see one vulnerability over here and it’s like all hands on deck, that thing while meanwhile the house is burning down. Yeah. You know, so it’s great to hear you because people like you that I certainly respect in this industry when you validate things that I’ve thought for so long, you know, it strengthens me my resolve. You know, it makes me realize that I’m not as much of a weird, I was like, maybe I thought I was

[00:52:14] Neal O’Farrell: So your instincts are your instincts are right. Always trust them. You know, I feel like I should look like Gandalf with all this wisdom on his cousin, right?

[00:52:24] Evan Francen: But I keep standing this industry. It’s going to be down to my knees pretty

[00:52:28] Brad Nigh: soon.

[00:52:29] Neal O’Farrell: Yeah, probably get some little white stuff to go along with it. Yeah, I end up looking like bishop can also

[00:52:36] Evan Francen: when I think it’s like, it’s like plato, right? If you put enough pressure down, it pushes the plato out. So there’s a lot of pressure here and this is the plato

[00:52:47] Neal O’Farrell: I had such a cranial beard. Yeah. All right, keep going with that. That’s one instinct you should not

[00:52:54] Brad Nigh: trust

[00:52:56] Evan Francen: now. Well, I think another thing that really helps for me personally is, and I know that not everybody is married, not everybody has a significant other, but everybody can build a support structure around them. You know, my my best friend by far is my wife and she’s the only person that can really corral this craziness and uh, just this last year, you know, she was mentioning in july how I wasn’t myself because you’re not yourself, you’re just, you’re more on edge your crab here. You’re, I’m like, you know, well actually what I said to us, you don’t know what you’re talking about, leave me lost. But then we went on this road trip to south Dakota, just her and I where we got away and it was time to you guys point I got away, I pulled my, we were pulled out of the day to day crap, spend some time together. And then that’s when I realized how she was right all along. I wasn’t right mentally I was messed up, but getting away was so therapeutic for me for all I know it might have saved my life. You know what I mean? But if I hadn’t had that support structure, you know, I’m my own worst enemy. Yeah.

[00:54:20] Neal O’Farrell: And the trick is figuring that out before it’s too late, which is why these conversations good because if we can spark in other people, you know, maybe I’m looking at this all wrong. Maybe I’m looking at myself all right. Uh, you know, early intervention and it’s just, it’s such most frustrating thing is it’s common sense, but common sense can often be the most obscure. You know, it it’s they that stuff at the end of our noses unless you cross side you don’t even see it.

[00:54:51] Evan Francen: Yeah. When I think another thing we do a lot with security stuff like when I reached my talk about support people and I think of the people in this industry, you know what I used to do when I was younger was we’d all talk about security stuff, right? We get together talk about this exploit that exploit this hack, whatever, you know, and it was all work, work work. And now as I’ve gotten older, I realized a lot more of my conversations with people in this industry are more personal, right? Or investing in people like brad. I know about the struggles that you’ve been going through and you know about mine, you know, yesterday I took a call from a friend of mine out east who, you know, super good guy and he called me to tell me about his daughter in treatment. Mhm. And how she’s struggling with it and how she’s been, you know, in treatment for a couple of months and she almost walked out yesterday. So he’s struggling with that. It’s like we’re not talking about security stuff that that stuff is secondary, right? Was cool. You’re gonna get

[00:55:58] Neal O’Farrell: I worry sometimes. So that the reason that we’re doing that is because where were all we’re dealing with so much pressure self inflicted and otherwise we’re about to blow and we’re reaching out in ways that we never did before because of that reason. It we realized something wrong and that if we think or talk about security anyway, and then, you know, we’re crying out. And so that that’s the that’s the dark side of it. But if you’re if you’re if you’re connecting with people in the same industry on a personal level and not on an industry level, that’s good. Because that’s the way to compartmentalize that’s way to shut that door when you leave. That’s incredibly important. I just I just worry that so much of this is more of a cry for help is that I I need human contact and connection and interaction far more than I need security right now. I need a hug, you know?

[00:56:56] Evan Francen: Yeah, right. When they’re crying out for help is I think it’s a good sign too, because, you know, we’re trying to fight this stigma that it’s okay. It’s okay to not be all right. Nobody is all right. I mean, nobody’s like normal what is normal. I don’t even know what the hell that means.

[00:57:17] Neal O’Farrell: Yeah. I can’t remember the last time I came across someone who was joyfully blissfully happy. I mean, I’ve come across people who say they’re very, very content and I look at them and they’re, you know, again, it’s just it’s just different, wiring different values, but they never they’ve never wanted to achieve anything. So they set themselves a very low bar that they simply be content with existence, that’s fine. If that makes you get you through life, that’s fine. But you know, if you’re wired to really want to make a difference to protect others, which is the motivation of the motivation and security. Um or you want, you know you’re you’re interested in technical breakthroughs, whatever it happens to be, you are going to create a lot of unnecessary stress. But most of the people that I found who are content or happy, I tend to be people who um how do I put this without being harsh on them? Um They really wanted they really wanted to achieve nothing, you know, a yearning for achievement puts a lot of pressure uh Yeah. Self doubt your feelings of inadequacy, pressure to do something now, pressure to do. Leave a legacy on.

[00:58:30] Evan Francen: Yeah, for sure. Uh huh. Well so here’s what I’d like to do. Uh we’ll recap so the tools that we talked about Headspace is one mindful dot org is another Neal you mentioned one more that was kind of taking mindfulness to the next level. What was that again?

[00:58:51] Neal O’Farrell: Oh sky breath meditation. Sk y so you just it just google it, it it can be hard to find detailed information on because it’s proprietary and the people who created wanted to pay for it, it’s not particularly spent a couple 100 bucks to get into the system but but try that but also there’s an organization called the Greater Good Science Center at UC Berkeley and so they call this a lot a lot of this. They bring a lot of the they hunt on a lot of the great science and a lot of great studies and make it more digestible. Um But they are very much focused on all the interactions between between brain chemicals stress happiness mission uh meditation mindful and all that kind of stuff really. Some fantastic articles B. U. C. Berkeley very very science based. Um So that that that’s one of the things that I found that early on was a tremendous resource because it allowed me to come to a lot of crap. There’s a there’s a lot of people marketing mental on the side there there’s a lot of people marketing that held out there and you know when province motivation integrity. Canada it’s not even in the back seat but it’s on the alongside you know so yeah greater Good Science center U. C. Berkeley is a great place to to get involved with some of this and it’s all free.

[01:00:19] Evan Francen: Yeah and I just pulled that up. The U. R. L. Is greater good at Berkeley dot E. D. U. And it’s you know on the I mean the the top article or the top thing there is managing pain with mindfulness.

[01:00:34] Neal O’Farrell: Yes it’s you know it’s you know every every time we read about mindfulness is I mean there’s now a lot of science that it’s helping treat cancer because we know stress uh impacts the immune system. The immune system makes it harder to cancer and they recover from chemotherapy. So yeah mindfulness is then I won’t say that you got. But uh, it’s certainly the more you read about it, it pops up february. It’s almost like the universal cure for mankind’s self imposed fractures. You know, I call stress fractures.

[01:01:10] Evan Francen: Well, here’s, here’s other ones that are right on the homepage. Can America make a course correction? We’ve done it before and then eight questions that can help you survive election stress and who the hell isn’t stressed out by this damn election? Yeah, I’m going to spend half the day on this site today, man. So thank

[01:01:27] Neal O’Farrell: you. Yeah, it’s like I said, it’s when I they’ve got free happiness courses and really, really powerful, engaging. Easy to do stuff. But it’s it’s like it and you have to put the cynic aside and replaced it with a little bit of time. You’ve got to devote some time to do, you gotta vote time to learning and practicing. But once you do, once you do a huge payoff.

[01:01:55] Evan Francen: Well, of course, you know, before we wrap up, you know, mentioning and we didn’t do the news again, which again, is just evidence that it was a conversation at the name. I think that is a positive because like I said, people can read, Yeah, most of them, some of them, I don’t know. Maybe none of them. I don’t even know anymore. But the yeah, uh, we’ll wrap up with, you know, the cyber resilience project. That’s where you’re from Neal, that’s your it’s the organization, you found it. I love this story. If you want to, the story behind you know, Neal and Why he got into this very, very intriguing in the lap last episode, episode 102. We talked about that. I’ve shared your story probably a couple dozen times Neal just in the last week with people that I’ve talked to because one of the things that stood out is like, I can’t imagine having to get up in the morning and check under my car. Yeah.

[01:02:51] Neal O’Farrell: Yeah, it’s been a while. It’s been a while, but, but even today, my wife will tell you when I put the key in the ignition. I freeze just for a fraction of a second. That has never left me the idea of click cause okay, we’re gonna drive off and that’s 30, 30 years later. Yeah. It’s weird. It’s weird when I look back. It’s just weird. I

[01:03:16] Brad Nigh: didn’t feel like you’re the survey on your site. It was really good.

[01:03:20] Neal O’Farrell: I’m good. Yeah, we need, we need lots of people to do that because although it, we’re not necessarily getting great data because everyone spread, it’s I think it’s a very curative a very therapy to think just about to go to that type of screening chair.

[01:03:35] Brad Nigh: Yeah. No, it was really, I like the questions and it does, it makes you kind of reflect and do some self reflection and think about

[01:03:42] Neal O’Farrell: it. Don’t ever asked me that before. Right,

[01:03:45] Brad Nigh: Do that

[01:03:46] Evan Francen: very true. So I’m gonna I’m gonna summarize these resources to and share them on my linkedin? Uh probably later today. Uh and then next week for, you know, listeners, we’re going to continue down this path. You know, we could talk, well, there are entire podcast, you know, dedicated to this. You know, we will move on to other security things, but I don’t want to damn I mean, I want to if anything, I want to overemphasize the importance of this in our industry. Next week, we’ll talk about the security industry stigma against all this stuff. You know, I’ve seen, I don’t know how many times people in our industry brag about how much they drink brag about, you know, the unhealthy side of life in there’s more to it, right? We don’t that’s a slippery slope. So we’ll talk about that next week. Right? Alright, Episode one of 3, Just About Complete Thank You Again, Neal Superman. Yeah, good stuff, man. I learned so much last week, I learned a ton this week. Great having you on the show.

[01:04:56] Neal O’Farrell: Thank you and thanks for thanks for keeping the pressure on this. It’s fantastic. I mean, let’s let’s hope this spreads like a good wildfire.

[01:05:04] Evan Francen: Absolutely. I I plan on it. I plan on doing everything we can even to the point where we’re talking about now trying to figure out how to build tools into our existing tool set? Um you know, what is mental, what role does mental health play in the black and white sort of risk assessment stuff right? There is a risk play here that we need to figure out to let’s say that, you know, so this is not going away for sure. Uh

[01:05:33] Neal O’Farrell: Your homework is to try mindfulness for 10 minutes and go back and tell us what you think of what you think of it.

[01:05:40] Evan Francen: Absolutely. Yeah, I will and I will spend time on the Greater Good website and I did download and install the headspace app. Me being 80. HDD that’s like three things that I did and I’ll probably do another five and none of it will make sense until something settle. So we’ll see uh brad, I’m glad you’re back man. Uh glad you’re feeling better. Okay, any shout outs for either of you this week, sometimes we do shout outs just like hey somebody’s a top of mind, I just want to say hey shout out to you anything for you guys

[01:06:19] Neal O’Farrell: where to begin. Mhm. Um Yeah no one little tool that maybe, you know people will try this, I don’t have you know wearing people down to too much with tools but wot bots I’m trying a an ai therapist called robot W. E. B. O. T. And it’s just unhappy download to your phone again being very cynical. I thought this is going to be silly, it’s going to be can responsive, but it’s a I driven so I thought it might be a step side different holy crap. It’s very interesting. So if you’re interested in a stress management tool, a happiness management tool, having a little character on your phone who really seems to get you try. Uh The reason I’m saying is you’re part of a grand new experiment in ai being our our happiness coaches and our life managers. It’s an interesting resting place in in in in humankind. So W. E. B. O. T. And I have no interest whatsoever in this organization.

[01:07:21] Evan Francen: It’s interesting. You know, I just downloaded the app and I look at it and one of the things that says is your data is private and encrypted with hospital level security standards. And so I deleted the app.

[01:07:33] Brad Nigh: Look, this is Mhm.

[01:07:36] Evan Francen: No, I’m just kidding. It’s still there. Uh Maybe

[01:07:40] Neal O’Farrell: maybe we ought to have a chat with them and say, hey, we could do a fair trading. You help us, we’ll help you hospital level.

[01:07:47] Evan Francen: Huh?

[01:07:50] Brad Nigh: Hospitals. Uh

[01:07:54] Neal O’Farrell: I ask them are they still using they using single desert triple dance?

[01:07:59] Evan Francen: Right. What’s your password? 1234. Okay, good.

[01:08:04] Neal O’Farrell: Now admit 1234, you have that. There is no

[01:08:09] Evan Francen: God. All right brad. Do you have any shout outs? Anything, anybody you want to call out?

[01:08:15] Brad Nigh: You know, I’m just uh just the team like looking at the consulting team and the text services and I are and just, You know, it’s been difficult for them. I think that go for um kind of Q2 Q3 where nobody wanted to do anything from a client perspective too. They’re like over 95% calendars full through the end of the year and it’s just ramping up and picking up and getting things done. It’s just awesome to say

[01:08:48] Evan Francen: cool. Yeah, fourth quarter man, that’s how it well that’s how it rolls. Mm I’ll give a shout out just to the security studio team. Since you did fr secure. We are we already exceeded as you know, we became cash. Well positive for the first time. You know, there’s two companies that’s one of the others a couple of months ago and uh I mean within the first like two weeks of this month already exceeded goals and quotas. So that companies just kicking button. It’s a hell of a lot of work when you’re doing a startup stuff. So that team man their hearts in the right place there kicking ass. So I’m happy about that big deer. Yeah. Alright. Always grateful for our listeners. Send us things to our email. Uh it’s unsecurity@protonmail.com. If you’re the social type socialize with us on twitter. I’m @EvanFrancen. Brad’s not very social but he does have a twitter account he’s @BradNigh.

[

Securing an election has never been more difficult. Especially with the current state of the pandemic and its impact on in-person events, there’s much more to election security than protecting voting machines. Things like voter intimidation, disinformation, and security after election night all tie back into election security as much as infrastructure. Brad and Evan break down securing the 2020 election on this week’s episode.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: hey there, thank you for tuning in to this episode of the Unsecurity podcast. The date is october 14th 2020. This is episode 101. I’m Evan Francen your host in Germany. Uh it’s my good friend and co-host Brad Nigh. Good morning brad.

[00:00:37] Brad Nigh: Good morning Evan.

[00:00:38] Evan Francen: I know uhh we’re a day late and getting the podcast out again this week but cal we’ve been busy. You and I talk offline and there’s just a lot of a lot of stuff going on. Yeah. Yeah. Yeah. Get on track back on track next week. Hopefully.

[00:00:57] Brad Nigh: Yeah, that’s the plan. You know like life just happens and work is nuts. And what are you gonna do?

[00:01:05] Evan Francen: So you’re saying security people have a life,

[00:01:09] Brad Nigh: I mean and maybe you know, I have a family. So you know, family life gets nuts. I wouldn’t say necessarily have a life.

[00:01:19] Evan Francen: What would uh you ever think? What would life be like if you know, as a security person if you didn’t have your family?

[00:01:30] Brad Nigh: Oh I’m with I’m the same as you. Like my family is what keeps me from like working around the clock. Okay.

[00:01:39] Evan Francen: Right. It’s such a buffer.

[00:01:43] Brad Nigh: Yeah. Um

[00:01:45] Evan Francen: Yeah, because I wondered because there are lots of people in our industry who don’t have families and I wonder. Mhm do they work more? I mean, I don’t know, I didn’t have a family. I would work all the time,

[00:01:59] Brad Nigh: you know, I’m saying just I think it depends on how you’re wired, you know? Yeah, I love what I do and passionate about it. So yeah, why wouldn’t I do it?

[00:02:14] Evan Francen: Okay, Right now, on my task list, I have 65 things. I should share my task list someday. Maybe someday we’ll take something off of it.

[00:02:23] Brad Nigh: Yeah. Yeah, I got a lot of mind crazy,

[00:02:29] Evan Francen: But if I didn’t have family, I wonder if I would just keep working until my 65 things were Because then it just fills up in another 65 things.

[00:02:37] Brad Nigh: Mm Yeah, Yeah, anytime one thing gets taken off, it’s like, do you think that added?

[00:02:45] Evan Francen: Yeah. And I don’t think I’d be any more accomplished. I don’t think I’d get any more impact done on the industry. I just think I die earlier. Yes, probably it’s an interesting conversation about how important family is or something, you know, because I don’t want to rip on the people that don’t have families, because you don’t have families. There’s nothing wrong with that. But my God, if I didn’t have my family, I’d be screwed.

[00:03:15] Brad Nigh: Yeah. Yeah, I think, well, like I said, everybody is a little just a little different, you know, some people that’s just not what’s right for them, but, you know, uh it’s a kind of anchors, me and

[00:03:30] Evan Francen: we should have somebody that come on the show Who doesn’t have a family. We can find one and who’s kind of an a type personality in our industry and talk to them about this. Okay. Yeah, different. Yeah, I’m curious about it. How do you build margin? You know, add a pastor once you told me how important it is to build margin in your life, which is like time for like, you know, not doing anything or just relaxing or whatever it is, it’s healthy.

[00:04:05] Brad Nigh: Yeah, I do know that if I didn’t have family, I have a lot more toys. I wouldn’t have more money, but I have more toys.

[00:04:13] Evan Francen: Yeah, no, that’s a good point, man. I don’t know. I don’t know. I I really like my family. So I don’t think, you know, some people read into it, you know, could read into it. Well, you know, if you’re sitting there thinking about what life would be like without your family, are you wishing you didn’t have your family? It’s like, no, no, no, no, don’t take it there. Yeah, I just wonder like without my wife, you know, how screwed would I be? Oh, thank

[00:04:47] Brad Nigh: you for both of us.

[00:04:50] Evan Francen: Right. All

[00:04:53] Brad Nigh: right. Uh

[00:04:55] Evan Francen: yeah, so I real quick just, you know, well actually, let’s get to that in a minute. I want to reiterate, you know, we did the last two podcasts about, you know, just kind of our review of the social dilemma. That’s the netflix documentary about social media. I saw another news are this morning um about the very same thing. And they were talking to see if I can find it quick. Uh tim Kendall. Remember Tim Kendall? He was the one who was head of monetization at baseball. I just saw something in the news today about it’s interesting that this is a tie in uh the title of this article is ex facebook pancho, tim tim Kendall says Big tech is a threat to democracy, calls for social media reform. Like, huh, we’re talking about election security today and we just talked about social dilemma The last two weeks. Yeah, it was totally on accident. I was just getting ready to take a shower this morning and opened up the news, I was like, oh, interesting. Mhm. But I liked it so much. I actually liked that because I love when things like spur thoughts in my mind, you know, makes you think like, wow, is my reality been Yeah, different than I thought it was? Or uh is there a different perspective that I didn’t consider, you know, as I formed my own reality in my mind? And that’s the thing, right? With people? We if you’ve got seven billion people, you know, in the in the world. Yeah. Really? When you think about it, are there seven billion realities walking around because we all have our own perception of things.

[00:06:51] Brad Nigh: Okay, so weird, right? Mine won’t like it.

[00:06:58] Evan Francen: But somehow somehow the seven billion realities all have to be weaved together to create you know

[00:07:11] Brad Nigh: this Mhm.

[00:07:14] Evan Francen: It’s freaky but you really go out

[00:07:17] Brad Nigh: your way to explain too deep to be talking about it. I don’t know you really didn’t know is that deep?

[00:07:23] Evan Francen: But I think that’s the reason why I want to watch that documentary again is I just want to like you know kinda sit there and stew on that more. Yes. But anyway, seven billion realities because that’s one of the things that just frustrates the crap out of me man. I you know there’s obviously now what dominates the headlines as trump and biden right? And then you’ve got the other you know stuff all around the outside like you know uh Amy coney Barrett. I think it’s really the

[00:07:59] Brad Nigh: the Supreme Court.

[00:08:00] Evan Francen: Yeah, yeah. You’ve got you know this other ancillary stuff but more of it all right now is biting and trump and yeah, you know I was I read things I read I try to be as non biased as possible but we’re all biased right?

[00:08:18] Brad Nigh: Yeah. Yeah. I mean it’s

[00:08:22] Evan Francen: not

[00:08:23] Brad Nigh: there are certain biases you have it’s just human nature, you can’t not.

[00:08:29] Evan Francen: Yeah. Yeah I think and I like to think that it’s good to be able to reflect on you know what your biases might be and are the decisions I’m making biggest and those biases,

[00:08:44] Brad Nigh: you know I mean I’ll say this that might be part of the like that next level of mhm of devices is being aware of what they are and you know, being cognizant of those when you’re doing things because like you said, we all have different backgrounds, We’ve all come up different ways. It just shapes who you are, which builds in some biases, but that doesn’t mean that that’s just not always negative.

[00:09:18] Evan Francen: Right? Right. And I think if you can, for me, it seems to help if I can pull myself bias, pull myself out of it, try to pull, you know, try to change the my my mind on is what this person saying making sense, just at face value. Forget about where they’re coming from. Forget about their background, forget about whether they’re from is saying makes sense. And can I fact check it? Yeah, because uh huh because I was doing that yesterday, there was talk about the latino vote. Um and one side was saying uh you know, playing the de Sposito thing when biden did that. I don’t know if you saw that clip, but um how that was pandering to the latino vote and you know, you gotta give Latinos more credit than that they have, you know, they have a head on their shoulders. And and then I was watching and that came from like a UFC Fighter, Jorge Mas Vidal, I think it’s his name. Yeah. And so I was like, well, you know, you got a point, you know, uh so then I start reading the comments on this tweet. It’s like the comments on the tweet are not there. They take their side polar opposites left or right biden or trump. And it’s like they didn’t even watch the video. Oh

[00:10:56] Brad Nigh: no. Yeah. Yeah. That’s why overall just I avoid social media as much as possible,

[00:11:06] Evan Francen: right? But if they did watch the video and then they still have these comments. It’s like are you that stuck in your ideology into your bias? That you will not accept any other point of view anymore? Yeah.

[00:11:23] Brad Nigh: Yeah.

[00:11:25] Evan Francen: That’s a dangerous spot to be because then then you become radical. That’s what radical.

[00:11:31] Brad Nigh: Yeah. Well that’s what we’ve talked about is with with social media. It’s it’s they with their algorithms, you know, it’s like, oh, you like this. So I’m gonna show you more of this. And it’s like that lack of a better phrase death spiral, right? It’s a the echo chamber where it does, it just amplifies those extreme views,

[00:11:56] Evan Francen: right? Because something I don’t want to be, I want to stick to my values because my values are who are what sort of make me who I am and the the one I stand on, right? When the world is pushing around. It’s like I got my values and then so I try to stick to that. But then God forbid I don’t ever want to be a radical. So I don’t want to get so stuck in my mind that I’m closed minded to other point? It’s another thoughts but I see so much of that today. Yeah it’s just so much like I don’t care if what you could be hitting me right upside the head with some of the most impactful facts that that uh on something but if it goes against theology, if it goes against my made up mind it doesn’t matter. Yeah if anything if anything I might come out fighting right, it’s like putting putting a cat in the corner, they’re gonna come out, I pray to kill.

[00:13:01] Brad Nigh: Yeah. Yeah it’s not. Yeah. Mhm.

[00:13:05] Evan Francen: Yeah it’s nuts man. So alright catching up, how you doing, how how’s your week house uh you know housework, good, it’s uh some cool stuff yesterday.

[00:13:17] Brad Nigh: Yeah just kind of wrapping up some things from Q3 and identifying some new free resources and tools that start developing here over the next, you know deliver something this quarter and just keep moving forward with that. So I’m pretty excited about some of that have a big project on a 40 to 50 hour project that kicked off monday there has to be done this month for customers so it kind of stepped in and helping out So that’ll be good around office 365 hardening and stuff like that, impressed that they they have they are using the email only at this point and wanted to come in and and be proactive on making sure they have all their configuration set properly, you know, what can they do before they migrate everybody to using SharePoint and one note and all the additional uh services. So I’m really happy that they’re being proactive about it. Um Nice. It’s

[00:14:26] Evan Francen: gonna be fine. So they’re actually talking about security at the front end of the project

[00:14:32] Brad Nigh: pretty much, I guess they went to the email which, you know, you know, email online versus on prem really isn’t a huge difference in terms of some of the stuff, but the others would be new services, they’re going to offer their employees. So yeah, they’re being proactive with that. And then um also doing the the election security for the Minnesota counties. That’s going really well. Been really happy with ever. It’s been i opening in a good way, like it’s not what I was expecting and that’s it. Come on, I don’t want to sound negative about that. But yeah, it’s been really energizing encouraging. Maybe I don’t know what the right word is. Apparently it’s an the word though. Um but just talking

[00:15:34] Evan Francen: with anything enticing right Evans in the word, Evans new york.

[00:15:40] Brad Nigh: But uh yeah, that’s going really well. And then next week we have our uh, quarterly VTL so that would be awesome. Start planning for 2021 and it’s my calendar for the rest of the month is completely full. Okay. So it’s good problem to have, but little chaotic.

[00:16:08] Evan Francen: Yeah. So that’s, well this is fourth quarter, right? This is how fourth quarter works in much of our industry, you know, the uh Yeah, and you and I talked about, you know, that that project you have coming up or that, you know, you’re just starting. That’s that’s exciting. There’s always, I mean it’s cool to see you getting back into project a little bit too because you kind of take you for a while, you were doing more innovation stuff, creating things leading, you know, other analysts and stuff like that. So it’s good to see, you know, every once a while it’s nice to get actually for sure. Yeah,

[00:16:49] Brad Nigh: I’ve kept a couple of D. C. So clients, but they’re pretty low maintenance finds its good. I mean they’re in really good shape, so that’s nice. But yeah, I agree. It’s it’s good to just keep stay in the game, make sure you’re, what you’re doing is actually still relevant, you know, you’re not falling behind staying on top of things.

[00:17:19] Evan Francen: Yeah. Yeah, for sure. Uh for me, it’s been a couple of talks this last week yesterday, I gave a talk. It was kind of a an impromptu talk, I was invited to a pretty large public company to speak to their team and I think we’re 43 people online and that team and it was, it was truly impromptu it was like I was pinned on it on thursday like, hey Tuesday morning at eight a.m. Can you come talk to our team at cyber security awareness month and blah blah blah? And I’m like, and it’s a friend of mine, you know, the ceo like, yeah, man, of course I can do that. So I move things around. Uh, did that talk yesterday. That was awesome because it was the second time I’ve given that talk cause I didn’t, I’m not going to create a whole new slide back for this. So I just used the simplification slide deck that I used for from A bunch of college is like 50 Personal Colleges River. That was last week. So, uh, and then, you know, my dog died last week, so that through last week off, kind of just funky, but um created this as to index, which we’ll do a release on that pretty soon. Them marketing people have to make it pretty because I’ll make things pretty uh Got a nice peek at your fact version two and suffer fact for listeners. In fact, is uh, the way we do VC. So virtual chief information security officer at at fr secure and you showed that with me yesterday. I thought it looked really, really good. Um, I’m excited to dig in a little bit more on that. Uh, had lunch with Pat Joyce last week. He’s the chauffeur. Medtronic, one of my favorite people. I mean, can I just love that guy. He’s so he’s an exceptional, exceptional leader and, you know, being able to, you know, have lunch with him and just share thoughts. We’re talking about mental health on, uh, you know, insecurity teams. And how would, you know, if one of your people are struggling with mental health? That was a really good talk. And it was just a lot of really good security stuff going on. A lot of good conversations. And then you got the day to day administrative Bs that comes up. So, I got to, you know, deal with that. That’s the part I don’t like, like so and so is upset about, you know, such and such and, you know, our culture is so, so important to us that you have those things, but people are people, right? I mean, humans are humans and they have issues with other things and that is just such a pain in the ass. It’s like kids, you know, sometimes.

[00:20:06] Brad Nigh: Yeah. No. Yeah, I know what you’re talking about.

[00:20:11] Evan Francen: I know. Uh, so that’s distracting. I got one of those things actually, what I got the call last night about our text last night. Uh, there’s something big, but it’s just like, uh, then they’re never big. They’re usually petty stuff. You know, right? You have to stop what you’re doing to do something else. And it’s petty. But you know what if you don’t care. Everything’s a lot of that’s just like security. Like life. You don’t take care of the petty things. They’ll become big things potentially. And you would have taken care of it when you when you learned about it.

[00:20:47] Brad Nigh: 300%.

[00:20:50] Evan Francen: All right. So we’re both busy as hell. Yeah, That’s how busy. Why don’t we come up with that? Who came up with that thing? I’m thinking too much today.

[00:21:02] Brad Nigh: I know you’re really like deep and uh, philosophizing.

[00:21:10] Evan Francen: I don’t know what they think it’s called the election rap man. It’s it’s like, uh, that’s not a bad point. But you’re not somebody who’s going to vote for the person I’m gonna vote for. Probably. Yeah, I know she’s weird. All right. So let’s talk about election security. As you know, uh, today where 20 days yesterday, it was three weeks. We are 20 days away from the election. If you haven’t registered to vote yet. And I’m speaking to the listeners and you brad. I’m sure you’ve registered. Um, go out and register to vote. You should. It is a civic duty. It is something that we’re all supposed to do. You can’t really complain. Even if you think your vote is insignificant. Every thought that then nobody would vote and we’d have a dictatorship. All right. Well,

[00:22:00] Brad Nigh: you don’t get to complain if you didn’t vote.

[00:22:03] Evan Francen: That’s what I’ve always do, man. It’s like you can’t complain about the president. If you didn’t vote for the president or against the president or whatever. So yeah, Get out and vote easy. Quickest place that you can. I mean there’s lots of places you can go to register. The one that I would recommend would be vote dot gov. So you can just go https colon slash slash vote dot gov. That’s where you can register. So uh and you get you get to keep your own vote, you’re supposed to be somewhat anonymous, right? You don’t have to tell anybody who you voted for. So you know, you don’t have to do that. People should respect, people should respect your right to that. So somebody’s pants, you know, I don’t know if you had anybody ask you, who are you voting for? Who to vote for Other than my wife. Nobody asked me that. Either they don’t care or they know that I’m just gonna be like I’m telling you home phone

[00:23:02] Brad Nigh: before. Yeah, I don’t really outside of like a close circle of friends that it’s not really a secret or whatever, however you wanna put it. Uh Excuse me. Yeah, no, I haven’t I haven’t really had that this this time I had it happened in the past, but maybe because we’re all remote, it’s a little different dynamics. But no, I haven’t had really anybody asked me. This

[00:23:28] Evan Francen: is, So the date is November three. That’s Tuesday three weeks from yesterday. Uh Yeah please please vote. It’s interesting. You know, I don’t know if you get turned off. I get actually pretty irritated when I have people who can’t relate to a single thing that I go through in my life other than maybe taking a dump and eating food who try to tell me who to vote for, right? You have all these uh uh celebrities uh you know, sports people people that in a totally different world than I live, right? You talk about different realities. Seven billion realities. Their reality ain’t mine. Right. Right. The pandemic didn’t didn’t bother. You have all that much other than the fact, I don’t know. You live in your mansion and you have people that go and got food for you anyway. You never had to do any of that stuff and then you’re gonna tell me who to vote for, right?

[00:24:32] Brad Nigh: Yeah. Yeah. Yeah. I don’t know. You

[00:24:37] Evan Francen: talk about bias if you talk about bias, what do you think their biases? Yeah. Do you think they really give it to me? Uh You know, that’s my language,

[00:24:48] Brad Nigh: I don’t know, right? That’s that’s their right is to say, hey, here’s who I’m supporting as part of that. So whether you agree with it or not. I think it is. Mhm. It’s what’s good is one of the things is that they have the ability to speak freely about this stuff. You wouldn’t see that in, you know, in Russia or china

[00:25:15] Evan Francen: and I do like that fact. I like the supporting thing. What I don’t like is attacking the other side thing or when it becomes make more than just supporting. Yeah.

[00:25:26] Brad Nigh: But yeah, no, I already voted and mailed in ballot, uh, last week and nice. You’re,

[00:25:39] Evan Francen: you’re ahead.

[00:25:40] Brad Nigh: Yeah, we did it. Um, two years ago I guess, uh, as well, we’re whenever the less I get L. A. Every year, but the big ones, we’ve done the main line, it’s been great here in Minnesota, you know, everybody gets its own bar code on there envelope. And actually for the primaries, I put the wrong identify where I just forgot what, you know what. But uh, you know, they have multiple things that they can put when you register to, uh, do the absentee ballots and I forgot which one I did. And they actually called and emailed and said, hey, there was a problem with this and took care of, it was phenomenal. I was really impressed with, uh, with how that went. Yeah, because I registered bike in March and forgot.

[00:26:34] Evan Francen: That’s really, because there’s so many, uh, you know, I didn’t realize that it was excited not voting that way. I’m going to go to the polling station. Uh, then I wear my mask and be responsible and all that stuff. But the, um, do you, if so much of the news is like, it’s chaos, right? It’s so creates corrupt and also the stuff, but that sounds pretty, you know, and

[00:27:04] Brad Nigh: secure and having worked with a bunch of these counties. I mean, here’s the thing is like I said, you have specific steps you have to follow, right? So there is the opportunity for making a mistake, you’re right, you have to put it inside the privacy envelope, then you have to put that inside the signature envelope and fill out your information. And like I said I made a mistake in the primaries and and but they were able to contact me because you have to put your how do you get contact when you register for that? But yeah the signature of Lopez a barcode on it. And so you didn’t even if somebody were to try to catch multiple votes, the system is only going to count one. That’s the way it’s built. You know, so if that bar code for that person has been processed, that’s it the other any others that may come in are going to get rejected. So if I were to try to go in person on november 3rd it wouldn’t work. And there’s a you know the statement said it has a really nice website where you can go and put in your information and use the different things and see where your ballot is. Have they received? It hasn’t been processed as it was it accepted. So I think there’s a lot of misinformation out there and there’s a lot of you know obviously there’s there’s opportunities for mistakes to happen but the security overall for the the absentee ballots is it’s really pretty solid from from what I’ve seen young you

[00:28:50] Evan Francen: uh huh. Sorry that’s like the saying the sang of 2020 you’re on mute. Well that’s the nets in Minnesota uh is it run differently in other states? Do other states? And every other counties in other states have different approaches to it.

[00:29:08] Brad Nigh: There’s some extent but you know, overall from what I’ve seen, it’s very similar with having the barcode and having the privacy envelope and the signature envelope and requiring uh you know some states require a witness so you have to have somebody else signed that they saw you do this. Um But as far as I know it’s the they have that barcode in place uh kind of system to prevent these things from happening from not allowing multiple votes to be processed for a single person.

[00:29:46] Evan Francen: Mhm. Okay well I’ve seen, you know we’ve heard stories of about you know ballot stuffing where you know maybe I can take somebody’s vote and change it or you know gather a whole bunch of people that wouldn’t normally vote and course them into voting for my candidate and then taking those things in uh Yes I think there’s there’s always to be um I think an opportunity for fraud in anything.

[00:30:23] Brad Nigh: Yeah but I agree and you know but what you see is you do hear about these stories where somebody gets caught and to me it just shows and indicates that the system is working right? These things are not actually have being they’re being taught that that’s what you would want to see like somebody’s trying to do something they shouldn’t. And they got caught that to me shows that those checks and balances are in place to ensure that It is done well. And you know, you’ve got states that have been doing vote by mail for, you know, I think what Colorado or Washington state has been doing it for over 10 years and not had any issues. Like there’s security measures in place and tampering with the mail is a federal offense and you do not want to mess with the postal inspectors. Those guys are no joke.

[00:31:21] Evan Francen: So inspectors, right?

[00:31:23] Brad Nigh: Yeah. Like, you know, they have their own enforcement wing, they have their own police service basically. And yeah, tampered with the federal, Yeah. Oh yeah. No, they, you can read stories about it. They are, no, no joke. They’re very, very serious about their stuff.

[00:31:44] Evan Francen: So, you know, that’s one. So, okay, go ahead.

[00:31:49] Brad Nigh: I know. I would just say it’s just another level of protection that’s in there, right? It’s built in.

[00:31:57] Evan Francen: Yeah. And hopefully there is some consistency across, you know, the different counties or districts, you know, across the United States, but it sounds like Minnesota’s got things pretty well squared away and I really like the fact that they engaged security experts to come and some, uh, each county and the state actually, I think arranged for it to do it at no cost or low cost. So that

[00:32:24] Brad Nigh: No cost to the counties. Do we just fill out the risk assessment and they get a 30 minute you know, conversation, no cost to them. It’s been really, really good.

[00:32:37] Evan Francen: That’s awesome, man. I wonder what we can learn from that. Can we learn something from this to do, you know, after the election? You know, what things can we do for counties, for states, for counties, cities, municipalities after this way, the way that we’re doing this election security thing,

[00:33:00] Brad Nigh: I would say right now, based on. And it’s so still, I’d say relatively small sample size, but based on my conversations to this point there, the one consistent theme that I’m seeing is, well, I guess to like one of these people truly care. They are very passionate about what they do. They’re very much aware of where some of those holes are. Like I’ve gone through this and none of them have been surprised by what the results have been. You know, and they don’t see it until we have this call, Right? So they’re not, they don’t have any problem. They just don’t have a questionnaire. Um, but the biggest issue has been, uh, capacity like, you know, budget. It’s the same thing you would have it, you know, schools and things like that is, Yeah, I know that this is a weakness. I just don’t have time to do it. I need more staff or I need. I know I need these tools. I just can’t afford it. And so how do we baby? Yeah, that’s the kind of that you’re talking about. What we’re talking about. Some of the things that are coming. It’s that mission before money approach is building out some of these tools for uh, you know, schools and counties and and small businesses to be able to leverage at no cost that that are going to increase uh there’s security, reduce arrest.

[00:34:39] Evan Francen: Right? All right. Well, so, um your mail in ballots, that’s that’s one way to do elections now. I found some resources online that I think are pretty cool about election security. I was surprised to see, you know, how many actual quality resources there are. Um and I listed them on, you know, in our show notes, we have the election Infrastructure Security, you know, site from Yeah, the Election Security from the Department of Homeland Security has a nice site. Uh another one from the US Election Assistance Commission. Um and then there’s even one from uh D. N. I the national counterintelligence and Security center. Foreign threats to US alone. So good resources there, you know, even the first one, right? If you look at cisa so if you don’t know who sisa is, it’s the cybersecurity and infrastructure Security and see it’s part of the Department of Homeland Security. They usually have some pretty good resources in just October seven. They released uh actually October two they released election disinformation toolkit, which I thought was kind of cool like a toolkit about disinformation and it’s meant to help election officials um communicate well as a trusted voice uh to spread the importance that we are all in this together despite the partisan bs that we’re all bombarded with every day. Uh we’re trying to reduce the impacts of disinformation campaigns on the elections. I thought that was really cool. Yeah.

[00:36:22] Brad Nigh: What

[00:36:23] Evan Francen: really about

[00:36:24] Brad Nigh: uh real quick with Sisa is that they do free no cost vulnerability scans for government agencies. So like there used to be

[00:36:36] Evan Francen: oh sorry, wasn’t there a big, wasn’t there a big like waiting list for that? Has that been resolved? It’s

[00:36:45] Brad Nigh: from what I’ve heard the people that the cannons have not had any issues. Okay. Yeah, it’s automated and you get like weekly reports, so you just have to email in and request it. And then so if you’re a government, city’s county governments, the government who take advantage of that. 100% take advantage of that.

[00:37:14] Evan Francen: And there’s another. Yeah. So because we we hear a lot too about, you know, election elections can be hacked right from the nation state and so much of that is overblown. Yes. The machines can be hacked just about anything that you have physical access to. You can be hacked uh the code running on a lot of election machines can be hacked? The thing is, can I get to it? And can I get to it in mass. Can I get to 50 election machines when the 50 election machines are run by sort of 50 agencies are 50 different counties and you know, they’re just independent. They’re not all, it’s not like I can go after one central. You can, but it’s not that’s that part is very, very well protected. And

[00:38:11] Brad Nigh: those are the actual ballot machines are on separate networks there. You know, basically like call home to only a specific thing. They’re all fine until, you know, they need to call home now and that’s all of them. But that is, you know, there are some that are like that. And so yeah, it would be a massive, massive undertaking. Could it be done? Sure. But is it likely? I don’t think so.

[00:38:39] Evan Francen: Well, it could it be done without detection, Right. No, I don’t know how you could possibly without detection.

[00:38:47] Brad Nigh: Yeah, I would agree. I think you would be, it would be uh pretty obvious.

[00:38:54] Evan Francen: Right? And so I think what you’ve seen and who and who would have the motivation to do that other than, you know, the partisan people who don’t have probably don’t have the skills or the resources anyway. So we’re talking probably a nation state Russia china Iran. And even if they have the capabilities, what would be and they might but doubtful what would what’s easier for them to just engage in disinformation campaigns? Well,

[00:39:30] Brad Nigh: it’s exactly what

[00:39:31] Evan Francen: actual election boxes?

[00:39:33] Brad Nigh: It’s going to be more beneficial for them to spread that disinformation. So the uncertainty and doubt, Right? But the fund that we talked about, so I think that that’s probably there bigger they are, the more we talk about hackers are they’re going after these Attackers are going path of least resistance, Right? That’s just the reality of what they do. They’re not going to what’s the what’s going to get them what they are looking for with the least amount of work? It’s not going to be hacking individual polling sites or things like that. It’s going to be spreading the disinformation to start with. It’s social engineering, right? Is really what it comes down to. Is there are they gonna do technical hacking or social engineering? What’s the easier way in? It’s always through the people not the technology.

[00:40:30] Evan Francen: Right. Right. Why If you thought you would have thought we would have learned some of this from 2016 that election? Because we uncovered a bunch of disinformation campaigns, we knew how the adversaries at least in that election. How many of them were trying to influence the election?

[00:40:50] Brad Nigh: And you do see like, you know, twitter and facebook, just deactivated a huge number of Russian accounts that were spreading this information. So I think we have learned from it, but it’s not proactive yet. It’s still reactive um in finding these things,

[00:41:11] Evan Francen: Right? Yeah, yeah, I agree. So, there’s, you know, to close this out. I think there’s a lot more to election security than just infrastructure. We do have we do have voter intimidation. We’ve seen evidence of that. I don’t know if even that’s as widespread as the news might make you feel like it is um where I’m going to be voting. Uh, I’m fairly certain that there won’t be any voter intimidation. Um and I think in most cases for most people, you won’t be intimidated now. I understand it’s your right. If you don’t want to tell somebody who you vote voted for it, don’t a lot of the intimidation comes from the fact that, you know, that I’m voting for not your guy, right? And you’re so passionate and kind of, you know, wound up into that ideology of that guy that, you know, you’re gonna intimidate me for voting for not your guy. So just avoid it if you

[00:42:13] Brad Nigh: can

[00:42:16] Evan Francen: The disinformation absolutely is 100 there, right? That is the way elections are influenced. That’s the way. And and it’s like if you read all the stuff you do, you have, I think most people without most divorce so confused about was this a fact or not a fact? I mean, it’s just like it’s crazy.

[00:42:38] Brad Nigh: Yeah. Yeah. There’s just so much to try and process. It’s like how do you filter, which well, it’s made up which goes back like the social dilemma stuff that we’re talking about,

[00:42:51] Evan Francen: right? But even out of the mouth is the candidate, which hasn’t always been that way anyway, but it’s straight applies both sides. I mean we’re talking about the presidential election. It’s not just trump supply. Oh no, it’s straight up lives because the truth is binary. I don’t know why people in most cases, right? It might be a bunch of binary so that it looks great, but it’s still binary. Uh And what about all this stuff after election night two man, I’m kind of nervous about all right. You know, the polls close on November three or November four what now?

[00:43:31] Brad Nigh: You know? Yeah. Honestly, regardless of who being voted for, I just wanted to be clear on election. I don’t want this dragging on for another 2346 weeks after I just want to be done with like I’m over this.

[00:43:51] Evan Francen: Yeah, Well this is I think the first election in my Life, you know, I’m almost 50, this is the first election of my lifetime where actually have a little bit of fear regardless of who ends just because we’re so polarized. You know, if if trump wins, there’s a whole bunch of people on the left that are radical that will cause a whole bunch of trouble man. And if biden wins, there’s a whole bunch of people on the right, there are radical, you know, I mean, it’s just like Yeah, for for a centrist for somebody who really wants people to work together on things.

[00:44:29] Brad Nigh: I think the only the only hope that I see with some of that stuff is is a landslide that victory where once I can’t really claim and fight it and put it and let the let the people talk and then see what happens versus well, we’re going to take it to court and just going to be six weeks, it’s going to, we don’t know, it’s coming up on christmas and nobody knows what’s happening. So, and I’m with you though, I it’s unfortunate. It really, really is that we’ve gotten to this point. Yeah. And you know, I think going back again tied it back into the sessions of Alabama. I mean, that’s part of why we’re ears, is that they need that echo chamber, they feed and help do that. And then it sucks.

[00:45:24] Evan Francen: Yeah. I think a lot of times we sold ourselves out without realizing we sold ourselves out. Yeah. You know, I hope there’s a day of opening. Alright, well, and uh we’ll be talking more about disinformation to on thursday nights. Shit shows that that would be fun. We’ve done a little bit of research for that. But there’s just so much out there. Yeah. Okay, well, good discussion securing election. Certainly, you know, hasn’t been any more difficult is today the 2020 election is uh hard one to secure when you talk about, you know, all the different ways to influence our, you know, hack in books, uh election, let’s catch up on some news quick here. Some here’s some recent news that I thought was sort of interesting anytime I see john Mcafee in the news, it always makes me giggle because that guy is a character. Uh So this comes from Graham Chloe. Uh The title is john Mcafee arrested on U. S. Tax evasion charges. That’s

[00:46:29] Brad Nigh: the other group. You don’t mess with the I. R. S. Postal inspectors in the I. R. S. They will get

[00:46:33] Evan Francen: you. Yeah. N. S. A. C. A. Yeah postal inspectors I. R. S. Yeah. You don’t mess with people’s money or mail I guess. Yeah but I thought it was interesting that Mcafee, you know he bumps up in the news every once in a while and uh he was arrested in spain tax evasion charges allegedly there’s about 24 I think ish million dollars in the sec complaint that was filed against him unclaimed uh earnings revenue

[00:47:09] Brad Nigh: from crypto currency.

[00:47:12] Evan Francen: Right? So this is the same Mcafee for people that you know are haven’t been around for a long time. This is the same Mcafee that founded the antivirus company. But he left that In the 90s. So so I guess his name but he has nothing to do with the company anymore. But he’s an interesting character. He’s done a lot of her stuff.

[00:47:37] Brad Nigh: Yeah he’s a that’s a good way to put

[00:47:41] Evan Francen: it. Yeah and I don’t know you know, I don’t know if I put him in. I don’t know if I could go, he was, he would not be somebody that would want in my circle because it’s so I think it seemed just reckless but bitch, I don’t know. It’s interesting to watch. Yeah,

[00:48:03] Brad Nigh: definitely.

[00:48:05] Evan Francen: So anyway, if you want to go read about it, if you want to know about the 55 page complaint, it is public. It’s, it’s on the docket. Um, yeah, he’s back in the news and this is the same guy by the way that you know, and then that news story, you know, he was, he was, I think he was wanted wanted for questioning in a murder in beliefs And then a whole bunch of other stuff. He was running as a President Presidential candidate in 2016.

[00:48:37] Brad Nigh: He has a colorful character.

[00:48:39] Evan Francen: He really is. So I thought that was interesting because his name always catches man. This one you could do a whole show on this one. We could do a whole series of shows on this one because this keeps popping up. Uh, and this is from the register five eyes nations plus Japan India and India call for big tech to bake backdoors into everything.

[00:49:05] Brad Nigh: Such a nightmare.

[00:49:07] Evan Francen: Here we are. Here we are again. So the five Eyes, if you don’t know that security alliance to Australia Canada and new Zealand us and the UK. So yeah and of course Australia is they already built back doors into all the encryption I think, didn’t they? Last year?

[00:49:26] Brad Nigh: Uh Yeah, I don’t know if they think they pass them in that said they were going to I don’t know if it’s actually is in effect yet.

[00:49:36] Evan Francen: Mhm Yeah. And us there’s normal citizens were kind of caught in the middle of this crap, right? Because big tech, they have their own motivations, their own reasons for doing the things that they do, they they come off like, well we don’t want to give you a backdoor because then it would violate potentially people’s privacy, but I know enough about big tech that they don’t care about your privacy. They only care about privacy enough to give you the illusion that they care about your privacy. That’s different.

[00:50:07] Brad Nigh: Yeah, the pr for them, right? Hey, we’re protecting you from these things to some extent. Right? If they you don’t want that negative price of people leaving your Yeah, uh infrastructure or whatever, whatever you do, you want to put it. Yeah.

[00:50:27] Evan Francen: And but us as consumers, we’re stuck in the middle, like big tech, Yeah, they’re going to use this as a pr play to come off like no, we’re standing government because we care about you and government is like, well, well I assume we want these back doors so that we can protect our citizens better and, you know, without criminal activity more. And then, you know, I says like normal term sitting in my home, I’m like whatever, I mean, I don’t want you to read my stuff right? But that’s not the that’s not the reason why you’re fighting over this stuff anyway so it’s like we’re just caught in the middle of whatever they’re going to decide yep. I don’t like backdoors because back doors are always abused period.

[00:51:17] Brad Nigh: Yeah

[00:51:20] Evan Francen: you might go into this with the best of intentions ever ever. Put this back door once you’ve gone down this path it’s just a matter of time for somebody else in your team or in your organization is gonna yeah it’s going to abuse it. All right that’s what humans do. Alright so that’s that one Verizon 25%. Only 20 according to Verizon their P. C. I. D. S. S report Verizon’s big into that game is also from the register. Just 25% of global businesses fully comply comply fully with the payment card industry data security standard.

[00:52:00] Brad Nigh: I mean it’s not surprised and what really really frustrating is that these companies are getting basically that rubber stamp from some of these Q. S. A. Companies. I mean we’ve seen it we? Re come in afterwards and we’re like whoa I’m out what in the world is going on here?

[00:52:26] Evan Francen: Yeah. Yeah there are fraudulent you know newsflash not for you but for people there are fraudulent information security consulting companies in our industry.

[00:52:39] Brad Nigh: I mean yeah there’s a reason that some of those USa companies are you know having to have every single one of the rocks they do manually reviewed and having to prove that they are doing it. There’s a reason for that. Yeah. Right.

[00:52:57] Evan Francen: Yeah. It’s sad too because even if you spend millions of dollars and become P. Ci compliant in the bridge which again you can’t not have breaches. It’s risk management. That risk elimination, just having this them exposes you at some level, right? So P. C. I. D. S. S. Is meant to, I don’t know if it’s meant for this, but the best it can be used for us to reduce risk, reduce something that you know the likelihood and our impact of something bad happening. But yeah you can’t eliminate it. And so I’ve been in a breach to that like take target for instance, they had their breach, they were P. C. I. D. S. S compliant. They were uh you know they’re Q. S. A. And rock was issued by um oh God I can’t remember the name now but it was the biggest player plays. Where’s my brain anyway. They uh but they were deemed to be non pc. It compliant after after the breach. And that’s the that’s the racket pc ideas. That’s by the way Trustwave they go that’s the racket with pc. I. Compliance. You can be assessed and have your rock and do all the things that you think you were supposed to be doing. And then you experience a breach you will be found that you were not PC I compliance after the breach. That’s the way pC I that’s the way the council plays the game with not having to take liability african plants. But anyway, that’s a whole another that, Yeah. Alright. And the last one, hackers disguise malware attack as new details on Donald Trump’s COVID-19 illness. This comes from a trip wire.

[00:54:50] Brad Nigh: It’s not surprising to me at all. We see that every single disaster, natural disaster, whatever this is what we see

[00:55:00] Evan Francen: exactly. And that’s, that’s the reason why I pulled it out is um, yeah, this is just consistent behavior that happens from, from Attackers, right? Donald trump, you know, is found to have covid and somehow you start getting emails that say, hey, you know, do something about this, you know, or whatever that you didn’t get before. I mean that’s just how Attackers work. Right? Whatever is top of the news, expect attacks related to that. Yeah. All right. So Great episode. That’s 1.01. It’s just about complete thanks Brad. Do you have any shout outs for this week?

[00:55:44] Brad Nigh: Uh, you know, I think I’ll give a shout out to R. P. M. C. S. M. R. N. Team. They’ve been doing just a great job with some transitions and realignments and then just keeping everybody in line and myself included, which is never an easy task. So they’ve been doing a really good job, jumped out to them.

[00:56:08] Evan Francen: Awesome, awesome. Yeah. Just, you know, we started you know it, I didn’t really think of my shoutouts until we start broadcast. Uh We talked about family was going to give a shout out to my family because you know, thank God for my family or I’d be dead in jail. So appreciative. Yeah

[00:56:28] Brad Nigh: that’s that’s another girl on

[00:56:31] Evan Francen: keep on jailing me please. Right, because if you are in jail it’s a different than D. Jail is D. Jail bail. I don’t know. Hold other good thing again,

[00:56:43] Brad Nigh: you just write philosophizing needs.

[00:56:47] Evan Francen: I know man just lock me in a room somewhere and give me a pen and a piece of paper and come up with some stupid alright. Always grateful for our listeners were we are behind on email. At least I am. I don’t know if brad’s gone and checked lately but we will promise to respond soon. Mhm. Send things to us by email at unsecurity@protonmail.com. If you’re the social type socialize with us on twitter, I’m @EvanFrancen and brad’s @BradNigh lastly be sure to follow security studio @StudioSecurity and FRSecure @FRSecure or for more things that we do. Uh we’ll be creating more stuff. Giving away more stuff. I’m sure uh that’s it. We’ll talk to you next week.