CISSP Mentor Program Behind the Scenes

Unsecurity Podcast

We’re just under two weeks away from FRSecure’s annual CISSP Mentor Program—a free event that Evan and Brad host every year in the spring to help train industry professionals and get more people involved in the industry. In episode 125 of the UNSECURITY Podcast, Evan and Brad take a look back at why the program was started, how it’s grown, and what to expect during this year’s sessions.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the UNSECURITY Podcast. This is episode 125 and the date is March 30, the last day of March in 2021. And here with me again, two weeks in a row, is Mr. Brad Nigh. How are you, Brad?

[00:00:41] Brad Nigh: Good. Yeah, it’s, ah, had a bit of a scare on Friday. I was like, not sure what was gonna happen, but everything turned out good. I was, it was, it was a rough weekend.

[00:00:53] Evan Francen: but I’m glad you’re back and I’m glad you got some good news. You know, I’m hoping that you’re getting a streak of good news now and

[00:01:03] Brad Nigh: You know, you can read it. Yeah, it was crazy like, you know, I won’t go into details, but there was probably what, six or seven separate like, are you kidding me? type of things that were all, it’s independent over like a, you know, four or five week period. It’s just like, good Lord.

[00:01:23] Evan Francen: Right, well, back to the back we’ve never heard. Yeah, now we’re heads down working our tails off again.

[00:01:36] Brad Nigh: Yeah, yeah. Yeah, that’s the downside. I have to catch up.

[00:01:39] Evan Francen: But I finally got caught up on email, man, I think maybe someday, from having my week off two weeks ago.

[00:01:50] Brad Nigh: Yeah, yeah, I know. I took the week off, well, and by taking the week off, I mean I did all the meetings that I had scheduled that week. Luckily they were all on Monday and Tuesday, so it wasn’t horrible. But yeah, I’d like, I would say like 1600 emails that week.

[00:02:12] Evan Francen: Yeah, I do you ever get do you ever get anxiety when like you saw an email? Because you know, a lot of times I’ll see the emails, I just don’t have a chance to respond to them so that they kind of go down and then I’ll remember like a few days later, like, oh my god ahead, make kind of respond to that email, Do you run into that

[00:02:30] Brad Nigh: all the time? It’s like for me it’s always like, right as I’m laying in bed ready to go to sleep, I’m like, oh crap, I forgot to do this apply to so and so well I’m not getting up and doing it now and then I forget in the morning and then I feel bad because I’ve forgotten like three days later, I finally remember to do it when I’m in front of the computer.

[00:02:52] Evan Francen: Right, well today I wanted to, uh, so I figured our show would be, we’ll talk about the 2021 FRSecure CISSP Mentor Program. We’re only a couple of weeks away now. Uh, this one’s pretty exciting and I think a lot of people may have heard of it, they may not know some of the details about it. They may not know some of the background, the history. They may not know how to get involved, you know. So we’ll cover all that stuff today. Um, and then I also wanted to talk about just kind of any current kind of security things that we’re working on. I know I got a, personally got a, uh, uh, an incident response email yesterday. Now when I’m getting them, it makes me wonder like what the hell is going on.

[00:03:38] Brad Nigh: I was in, I was in meetings because I got copied on that and they were like, I was in a leadership meeting. I’m not checking my emails, we’re discussing important things, and I had to miss two voicemails from him and the email. I got out of it, you already responded. But like, oh my gosh, what is going on?

[00:04:00] Evan Francen: Well, it’s not like I appreciate the fact that on this particular incident that you know, you attend to it right away and you he treated like you don’t, I mean you let the facts take you where you they take you right. So you don’t know on the surface, you may think, oh, It’s just, you know, compromised email account or two or 60,

[00:04:23] Brad Nigh: right?

[00:04:24] Evan Francen: You know?

[00:04:25] Brad Nigh: But yeah,

[00:04:27] Evan Francen: you know, we’ll just change passwords and go on with our day. But that’s that’s really dangerous because you don’t know.

[00:04:35] Brad Nigh: Oh yeah, no. Yeah, I mean we could go down a rabbit hole of, right? We have the team has put together just a ton of scripts for what you have to run to check like the basics after a business email compromise. And you know, most people don’t think about that. Like you said, they just change password and good to go, well, did you reset all the sessions? Did you do this? Did you do that? Did you check for these things? And

[00:05:03] Evan Francen: Well, and where else is, where else could that password potentially lead somebody in their environment, you know? I know in this particular one, you know, yesterday you had email that was only secured by, you know, username and password, but you also have the PMO the same way, right? And attackers aren’t stupid.

[00:05:21] Brad Nigh: No, it’s all publicly accessible, right? They username password, they’re going to now check what else can they get to for that company? Yeah, definitely. Good. And so

[00:05:36] Evan Francen: yeah, and you don’t want to freak out either, you know, so people that are listening haven’t been through an incident before. Maybe you have and you know, maybe I burned, it’s uh let the evidence take you where it takes you, right? There’s logic think things through engage an incident response team that has been there before that. And one of the things that’s really cool that I was talking with Oscar about, I think maybe last week, did you talk about these scripts? You know, he’s automated. That team is automated. The entire, you know, you know, initial evidence gathering.

[00:06:09] Brad Nigh: It’s, I mean you think back to kind of, gosh, mm, well, well, Tom just had his second anniversary. So it’s, you know, two years, and where we’ve gone in those two years, it’s amazing to think about like how far that team has come. I mean they went from, you know, January, February of 2019 where I was, you know, basically the only one doing anything, to, I’ve got what, eight people on the team, and just, not nine, I don’t even know, I can’t keep track.

[00:06:51] Evan Francen: Well, they’re hiring and they’re continuing to add to it, and, and the thing that I’m most impressed with is just the, I would stack this team up against anybody.

[00:07:02] Brad Nigh: Oh, absolutely. Well, we’ve had, we had one for sure like that, the insurance said no, you got to go with this other company. The other company only did the one thing on like the Exchange server, that was it for, you know, the big book, and they came back and said no, we don’t, we don’t think they did a good job. They just basically said we fixed it, you’re good, and they came back to her like yeah, we want you to, we want to engage you guys to make sure.

[00:07:32] Evan Francen: Well that’s interesting for people to hear too because just because your insurance company recommends that you go with an incident response, this incident response team and also included, right? No matter who, um, don’t just don’t just take it at face value, Right? I mean, you forgot us telling you they didn’t do a thorough enough job. Ask somebody, you ask somebody you trust, don’t ask somebody is trying to take your money. And uh, another thing about that is just because an incident response company is on an insurance panel doesn’t mean they’re good.

[00:08:08] Brad Nigh: Oh, good board bill.

[00:08:10] Evan Francen: Right? Because people, people need to realize what it takes to get on that panel. It’s often who, you know what strings you pulled and

[00:08:18] Brad Nigh: well, an insurance company, Yeah, they’re looking to the lowest, uh, you know, yeah, lowest price. What are they gonna,

[00:08:29] Evan Francen: That’s, yeah, that’s definitely one of the things that maybe we’ll get into. We may well have Oscar on and we’ll talk about what’s broken, broken in the cyber insurance industry from an incident responder’s perspective, right? None of us are insurance experts. You know, I can’t tell you what your policy should say and shouldn’t say, but I do know you should read your damn policy and I do know that if stuff hits the fan, that you’re going to be in good hands, right? You need to have that assurance.

[00:08:59] Brad Nigh: Yeah, yeah. You know, I think one of the best ways that we can tell that that team, you know, is just in general is doing well well as lawyers seem to like us, which you never really, it’s not it’s kind of like a double edged sword, but but at the same time, you know, that they’re super picky and have they usually have really good questions of you’re making the lawyers happy. That’s a uh it’s probably a decent sign of you know what you’re doing and can speak to, you know, the quote unquote normal people.

[00:09:37] Evan Francen: All right. And as a business owner, I, the lawyer better understand it, better be comfortable with my case, because they’re the ones who are going to have to defend it should it come to that. You know what I mean? So, the fact that lawyers are pleased with the work we do, uh, it just makes everybody happier. Yeah. Right, so the CISSP Mentor Program, for people who don’t know this, uh, this is free. Uh, like free isn’t free, free, like there’s no strings attached kind of free that nobody, it’s just, it’s free. Um, we started this in 2010. It’s free CISSP training. And really what it’s meant to do is train you, teach you everything you need to know to pass that exam. Mhm. And then teach you some security life skills along the way and teach you what you can forget about after you pass the exam. Like things that just aren’t practical.

[00:10:40] Brad Nigh: Yeah, I think, well, that’s exactly the word I was going to use. It’s practical training, right? It doesn’t mean you go through this and you have to pass, like you don’t have to do any other work. You still have to do the studying and all that. But I think my goal, and it is like you just said, is what do you need to focus on? What is the, what are the areas, what are the tips and tricks, you know, what should you be memorizing versus, you know, just sort of going through a book and reading off of it.

[00:11:13] Evan Francen: Yeah, absolutely, man, because, you know, there’s street smarts and there’s book smarts, right? I mean, you can get through the CISSP exam with book smarts and not know the first thing about how to actually run a security program or do a vulnerability scan or, uh, figure out a network or a firewall, but it’s the street smarts, right? It’s a combination. I can’t be street, I can’t be book dumb and street smart, and I can’t be the other way either. It’s kind of this mixture.

[00:11:39] Brad Nigh: Well, I mean, there’s definitely things that the only time I ever think about are when it comes up in the class, you know, it’s like, oh yeah, that’s right, I don’t use that ever, but you know, it’s important to know and have that history.

[00:11:57] Evan Francen: Yeah, for sure, man. So we started in 2010 with six students. Last year, I think we had 2400-some-odd students.

[00:12:06] Brad Nigh: Yeah, 2400, somewhere where it

[00:12:12] Evan Francen: was really cool. It’s really been really cool that over the last 10 years it’s grown to that. And then this year we’ve got what? Yesterday? You sent me a message. We have over 5300 students.

[00:12:24] Brad Nigh: I mean, I’m excited. That’s fantastic. But holy crap. Yeah.

[00:12:31] Evan Francen: What is, it is a lot of people, and it’s, but it’s, it’s so cool too, because the reason why we started this thing way back when, I guess it was just me, was our mission, right? Our mission is to fix the broken industry. Our mission is not to rake people over the coals. These are skills nowadays that are, they should be considered life skills.

[00:12:54] Brad Nigh: Yeah. Yeah.

[00:12:55] Evan Francen: I mean in the 21st century now

[00:12:58] Brad Nigh: We’ve absolutely had, I mean, you know, some of the people, but we’ve had CIOs and CISOs that have gone through and have no, no intention, will never take the exam. I mean, even Renee, right, she might take it at some point, but it just makes them so much better at their job to just, to understand it. I think the biggest thing people miss is even if you’re not gonna take it, it changes how you think, changes how you look at things, and that’s a good thing.

[00:13:30] Evan Francen: Oh, absolutely, man. Yeah, because, I mean, okay, so you bring up a really good point. So our, I’m gonna, I’m gonna get to that, like who takes, who takes this thing, who goes through the mentor program. Uh, but we still, you know, going back real quick, we started in 2010 with six students, it’s grown every year. Last year, you know, the pandemic hit kind of the same time, you know, because we teach this in April every year, and, uh, so it was weird having this quick transition to going all online

[00:14:03] Brad Nigh: like this before we were supposed to start.

[00:14:06] Evan Francen: Yeah. Right, right. And this year it’s all online. Uh and uh so you know, the part that’s really kind of just amazing to me is how many people we’ve touched and helps, you know what I mean?

[00:14:26] Brad Nigh: And I don’t know about you, I’m sure you get it too, but it still blows my mind, the LinkedIn invites from all over the world that are like, hey, I really appreciate you doing this. You know, it really helped me, can we connect? And it’s like, I mean it literally, all over the world, like every top. It’s crazy.

[00:14:48] Evan Francen: It is crazy. And it, it feels good because, I mean, this is why we exist, right? We’re mission before money. We make money, right? SecurityStudio, FRSecure will make money, but focus on the mission, make money; focus on the money, you won’t make the mission. So it’s kind of just getting these priorities straight.

[00:15:06] Brad Nigh: Yeah. And I think I’ve said it before, it’s a for me it’s giving back and being that resource that I didn’t have when I was kind of coming up and you know, it would have been incredibly helpful. So if I helped someone else, why why wouldn’t I?

[00:15:27] Evan Francen: Absolutely, 100%. So now the people that typically, because we’ve seen hundreds, thousands of people come through the program, ah, some of them are coming with the intention of taking the exam. This is their, I just saw a message yesterday in the, in the community group about this year’s class, that they’ve already got their exam scheduled. That’s for July. So this is their kind of like, you know, I’m studying for the exam and I want to pass the exam. That’s one approach, and those people, and that’s the thing about everybody, truly everybody, kids or even, I don’t know how much kids will want to sit through all this, but high school students, college students, I’ve had

[00:16:12] Brad Nigh: multiple that I’ve gone and done presentations at the schools around here. High schools ask and say, hey, would this feel a good thing to recommend in my kids to the suits. Yeah. And some of it’s gonna be way over their head. That’s okay. Get them thinking if they can get into it and it interests them. That’s fantastic. Even if they only understand 25% of it. Get them interested in it.

[00:16:39] Evan Francen: Well, that’s the thing too about learning, right? Very rarely do you hear something the first time and you, you know, just immediately master it. Right. Right. Usually the first time you hear something, like, what the hell is that? I’ve never heard of this before. It doesn’t make any sense. But then you hear it again, you know, maybe a year later, maybe a week later, and you’re like, oh, I’ve heard that before, where the hell did I hear that? And then you make that connection. Well, that’s how learning works. By the way, you start making connections, biological and ecological connections in your brain. They’re like, oh, okay, yeah, I remember hearing about that. Where did I hear about that? Oh, that CISSP Mentor Program. OK, now you made a connection, right? And then you’ll hear about it again, because this stuff isn’t going away. By the way, security is here to stay, just like the internet is here to stay

[00:17:29] Brad Nigh: it’s only going to become more prevalent.

[00:17:32] Evan Francen: Exactly. And the more you hear those things, the more you start putting these connections together, which means you start to learn it and master it. Now the cool thing about, the really cool thing about the CISSP that I’ve always liked, it won’t make you a master of anything, but it makes you kind of the jack of everything, right? You, you can put things into context, and so now when you hear something again a year from now, you’re like, oh yeah, I remember that, that was part of this thing on that leaves these other things. Right?

[00:18:02] Brad Nigh: Yeah, absolutely. And I mean you can put it into just so many different examples, but you know, I think just encryption, right. A lot of people are like, what, we start looking at what the algorithms are and then how did those get implemented in, what, SSL certificates, and you know, it just all comes together. You don’t need, necessarily need to know how AES-256 works. You just need to know, okay, that’s a good, like, what? Right, from a high level perspective, what’s good? What’s not, what should I be looking for?

[00:18:40] Evan Francen: Right. Well, the thing about security is security is risk management, which means assess, decide, you know, implement. It’s that kind of construct. Right? So the people who can make the best risk decisions are the people who can put risk in the context. So when you look at an information security program, when you look at all the things that go into play, right, roles and responsibilities, asset management, training and awareness, uh, you know, policies, procedures, network architecture, application development, on and on and on and on and on. When you can take, oh yeah, that thing fits here. If I make a change here, that will affect this thing over here. Now you cannot really understand and appreciate how risk management works.

[00:19:28] Brad Nigh: Right, Well, I don’t know about you but like personal life with like friends and neighbors and family. When when I explain to them what I do exactly what you just said, risk and this is what we do every day is assess this and make a decision and suddenly not even information security, just general things. They’re like, what do you think about this? Because right, when you think about this stuff all day all the time, you do tend to look at things from maybe a little bit different perspective because you are, you do have that bigger context a lot of times. So I get that all the time. Like, hey, we’re thinking of this where we got this. What do you, you know, it’s like,

[00:20:09] Evan Francen: Well, that’s the thing, man. I mean, people, people will recognize the fact that you are better at putting things into context, right? You take like even, and I’m going to get off on a little bit of a tangent, even think about like COVID, all the stuff going on, right. If you look at any one piece of it, you can either be paralyzed with fear or ignorant, right? I mean, those are kind of the two sides of the spectrum and everything else is sort of in between. But when you do have this ability to put risk in the context, you can put it into context like, okay, yes, COVID is a serious thing. No, I will not be paralyzed by fear, but I also won’t act like it doesn’t exist, right? You figure that stuff out. Well, it really works the same way, right?

[00:20:59] Brad Nigh: Yeah. It’s, risk tolerance is really what it comes down to, and weigh pros, cons, you know, innocent and. Yeah, absolutely. That’s one of the bigger ones that people, I get asked about, is like, what do you think about?

[00:21:12] Evan Francen: Yeah, they did the same thing with me. Right. I think they just pick up on the fact that, wait a second, you know how to put risk in the context. I mean, they don’t think that, they don’t say it, but they’re consciously, but then they ask you these questions all the time, like hey, you seem pretty reasonable. What do you think about this? You know? Yeah. Well, I’ll tell you what I think about it. But you know, hopefully you’ll make your own decision. So, uh, those things, and that’s one of the things that, that’s cool too about the CISSP Mentor Program, is you do talk, the CISSP itself is like the perfect thing to do a mentor program with because it’s so broad. I don’t have to dig deep and specialize in any one piece of it. Which then opens the door for information security professionals, people who have been in this business for 10-15 years who want to get the, the certification. It also opens the door for students. It opens the doors for business leaders. It opens the door for everybody.

[00:22:07] Brad Nigh: Yeah people I mean we’ve got we’ve talked to her last year during the women and securities victoria. You know, people changing career. Right. Right. It’s, there is no wrong person For what? What’s the audience? Yes.

[00:22:24] Evan Francen: Right. Yeah. Not only do we need you as a practitioner in this, uh, industry because we are allegedly short on talent, but we need you. The thing is that people don’t realize is that people are, people are creatures of habit. You’re the same person at work as you are at home. You may act different, you may do certain things different because you’ve kind of been conditioned that way. But information security skills, uh, they apply at home. At home, you’re the CEO, you know, I mean, you’re the one making executive decisions, making risk management decisions for you and your family. The thing at work is if I make the wrong decisions or let’s say I just dropped the ball altogether, we lose some information, we get hacked, whatever. The thing is, the sad thing about at home is your kids potentially suffer, your wife and your husband, significant other,

[00:23:24] Brad Nigh: which directly impacts your ability to work.

[00:23:27] Evan Francen: Oh my God. Right. So, yeah, so the CISSP Mentor Program, uh, it’s how many weeks is it? It’s about

[00:23:38] Brad Nigh: what I think.

[00:23:41] Evan Francen: All right. It starts April 12. It’s evenings, uh, usually two evenings a week. So we’re not, we’re trying not to, you know, I think it, so you can’t do your other duties.

[00:23:56] Brad Nigh: Right? And I think it’s like every three classes or so there’s a break after. So three classes, day off, three classes, a day off. So it’s right, gives people a chance. I mean, yeah, I mean we know it, like there’s real life, you’ve got family, you’ve got work responsibilities, maybe you’re gonna fall behind, so give people a chance to stay, uh, or to catch up, I guess.

[00:24:23] Evan Francen: And what year did you start? What year did you start helping?

[00:24:27] Brad Nigh: That was in 2017? So I did ’17, ’18, ’19, ’20. Yeah, it would be like, oh my God, you’re,

[00:24:34] Evan Francen: it’s crazy, is the ones before that, man. I used to, uh, you know, it was like one of those things where you feel like you’ve been called to do it, but I’m not really enjoying it, because, because of that, it was too much work, man. It was, yeah, you have a normal day job, you have family responsibilities, and then you would teach. And so it would be like 7, 8 weeks every spring where, yeah, you know, I just started to dread it. So the fact that you came along, uh, and then last year Ryan came along, last year was like, this is easy.

[00:25:16] Brad Nigh: Well it like I mentioned last week like having the online moderators that just like I don’t have to worry about that stuff and I know it will get taken care of the questions will be answered and if something comes up, they’ll let me know via a back channel that I can actually see. Yeah. And I have to try and keep up with. I mean, you, you moderated some and saw the chat. It’s just like, I’m not gonna be able to talk and watch that. Yeah.

[00:25:48] Evan Francen: Yeah. It’s cool to see how it’s evolved because I think last year it was really well done. It was professionally done. We had, we had our technical glitches because I think we had to switch things so fast and find their technology.

[00:26:02] Brad Nigh: We had, we had two weeks from the start of it. They shut down to, oh crap. We’re gonna have to do this all virtual.

[00:26:11] Evan Francen: Right. Yeah. And so for people, so we start on April 12. On April 12, we ease into it, right? It will be the introduction class. It will be our introduction to the program and introduction to security and everything. And that’s taught by me, and we’ll dig in and get into Domain 1, that’s Security and Risk Management. Both of those things will happen in the same week. That’s a pretty easy week, right? It’s not like we’re gonna slam you with a whole bunch of stuff.

[00:26:41] Brad Nigh: We’ll get ’em hooked and then dropping,

[00:26:43] Evan Francen: it’s about it too, man. Because the next week it does kinda dig in with, you know, yeah, we get, we get going pretty fast after that. And some people, uh, feel overwhelmed. Um, if you feel like you’re drinking from a firehose, that’s normal and that’s okay. You’re not supposed to master this the first time you go through it, right? You’re not like, oh, I got it, I’m ready for the exam. No, you’re going to have to do some study afterwards.

[00:27:11] Brad Nigh: So, I mean, personal experience, if it helps people, you know, and where I was living at the time down in Lexington, there’s, there just wasn’t very many CISSPs. I didn’t have a lot of support, so I didn’t know what to expect, right? So I read the Shon Harris book cover to cover and filled two legal notepads with notes. Then I read Eric Conrad’s, uh, book, did, I did an (ISC)², uh, you know, webinar, and then did the Cybrary, uh, free video version, and you know, it’s not like, I mean, that’s a lot, and then I can’t even tell you how many practice tests I did on CCCure, right. I was, at the end leading up to it, I was doing basically a full 250 three times a week for the last like month. Just because I was like, I don’t know what to expect. A lot of stuff. You can’t, don’t take it lightly.

[00:28:18] Evan Francen: No, no, you know that, but also don’t get overwhelmed. The

[00:28:23] Brad Nigh: Oh, I absolutely over

[00:28:25] Evan Francen: prepared. Everybody goes, everybody goes at their own pace, you know what I mean? And, uh, so for the people that are taking this to get the exam, that’s, you know, we’ll give you plenty of advice along the way and you’ll have the support of other students, right? We set up the study group online, you know, where people can share ideas and thoughts and whatever they do. Then, um, you got the other side of the spectrum, where I’m just here to learn. Um, because there’s always some attrition, right? You start with, with the first class and, you know, just about everybody’s there, and then it starts to wane a little bit. We didn’t lose a lot last year, I think, by percentage. But because as you get through it, people are like, man, this is just more than I can handle. Uh, and it’s May, because at that point it’s probably May and you’re like, the weather is nice.

[00:29:18] Brad Nigh: I don’t want to sit inside for two hours after being

[00:29:21] Evan Francen: right, right.

[00:29:24] Brad Nigh: A big part of why I wanted to do this and volunteered is because I didn’t want other people to go through what I did, because like I said, I didn’t have those resources to know what should I be doing? What, how do I know if I’m ready or not? And so, you know, that’s, I think that’s the biggest takeaway and probably the biggest feedback I’ve gotten from people is, yeah, the content, I mean the content is what it is, right? It’s not like we’re creating something new. It’s those practical tips of here’s what to focus on, here is what you need to be understanding versus just memorizing a book,

[00:30:05] Evan Francen: right? And for people on a, sorry, we got so far in before I even mentioned the link where you can go to register, because it is April 12, is the date. You can register up until that date and maybe even after, but it’s frsecure.com/cissp-mentor-program. And on the bottom of that page you’ll see a little description and the schedule, and, you know, in the middle of the page, you’ll see a register now button. You can register there. Um, it asks for minimal information, really. It’s just, you know, how do we stay in contact with you, basically, so that we can tell you,

[00:30:44] Brad Nigh: right? I get the links for the class is really like,

[00:30:50] Evan Francen: well, that’s another question we get all the time too, is when will I get the links where you’ll get the links for the day’s class, the day of the class, because we’re finalizing everything kind of getting everything, you know, all the bugs worked out and everything. Uh we’ll also post those in the study group. Uh so we have multiple places where you can find where to get into, because people panic on that, like, you know, like two days before the class. So like, where’s the link to get into the class, I don’t have the link to get into classes, like it’s okay, you’re gonna get it

[00:31:23] Brad Nigh: and well, and now all of them will be on our YouTube channel as well. So if you miss a class, it’s not the end of the world. Yeah. It’s a little different in that you don’t get the opportunity to maybe ask questions in the chat as you go. But everything is there. Right.

[00:31:40] Evan Francen: Yeah. Yeah, for sure. And the books, you know, the books that you’ll need. So you will, that’s where you’ll have some expense, right? You’ll have expense in two places. You have to, whatever supplemental training stuff you want, meaning books. We found some practice exams or things that you’d like to purchase, that’s, that’s going to be on you. Um, and then the other is the exam itself, right? We don’t cover that cost. That’s expensive as hell. We probably go to business.

[00:32:09] Brad Nigh: Yeah, it’s like $650, $700 or something like that. Now

[00:32:14] Evan Francen: I don’t know what it is but

[00:32:16] Brad Nigh: At least, at least now it’s adaptive. And the most you have to do is 150 questions, because you and I

[00:32:23] Evan Francen: I don’t mind on paper man. I had to fill out the holes.

[00:32:26] Brad Nigh: Yeah, I did. I had a computer exam for CISSP, but it was the 250, but then my CISM was, yeah, was Scantron, filling out the, yeah. That’s, you know, so one of the other things that I think we want to, probably want to talk about, and I’ve had asked, I can’t do the two digits, is, well, why are we using the Eric Conrad book from 2015, and then is, what are you going to update anything, because, um, like, they’re gonna be coming out with another version here in June or July. Yeah, what, what, what is this going to mean? So, you know, from my perspective, we’ve talked through this, I think the Eric Conrad book was for the old, when they had 10 domains versus eight. Like the content in those domains changed like less than 1%. It was just rearranging where they fit, and with the new version coming out, it even says on the (ISC)² website, hey, this is, it’s a, oh gosh, well, have this out, like a lifestyle exam, right? You can’t just study it, you have to have practical experience, and again I keep coming back to that word, but you have to have done this stuff and worked in it. Um, so if you are studying on current material, it shouldn’t have an impact if you take the exam on the next version. And I can tell you I studied on the previous version, the 10 domains, and took it on the eight domains and I didn’t have any problems. Right, nothing in there.

[00:34:17] Evan Francen: Well that’s the thing. I mean security is security right? It just doesn’t, it’s the same. What’s changed is maybe some technologies, maybe some, you know a few techniques, maybe the names of a few things. But really security is security,

[00:34:31] Brad Nigh: uh

[00:34:33] Evan Francen: 2015 book is absolutely still 100% applicable to today’s test, the future test, you know, what’s coming in July, uh, there’s hints about what that is, but there is no book for that right now. There’s no training for that.

[00:34:48] Brad Nigh: The thing is, what’s crazy is they’re going to start doing the newer tests before there’s even a study guide or a book officially from (ISC)². You can’t even buy a book yet. Right. So to me that indicates it’s not going to be a fundamental shift there. You know, if they were going to make major changes, I don’t know how they could possibly justify making people take a test on the new content without having anything to study, right?

[00:35:19] Evan Francen: Yeah, I agree. Mhm. So that, that’s a good question. We do get that question a lot. The just, you know, why are you using a book from 2015 when the year is 2021? And the reason why is it’s a very well written book. It’s tried and true and it covers everything. We need to cover

[00:35:37] Brad Nigh: that. The content hasn’t changed has just been moved around. Yeah,

[00:35:42] Evan Francen: the instructors for the exam, I mentioned that I’m one brad is also one and then Ryan Cloutier, we’ve heard on this podcast before. Uh he works at security studio. So that’s kind of cool too, because I think if I was a student, I would get sort of tired of the same instructor, you know, every exam, because you’re talking about What, 26, 28 hours of instruction? Mhm. So switching it up, getting a different, fresh perspective, we all have different experiences, right? We’ve got similar stuff, but they were different. Yeah,

[00:36:21] Brad Nigh: and and now, well, you know, you and I have kind of switched which classes we had taught in the past, So, you know, if you go back, you can get all of our, you know, different views on these different topics. So, you know, I think this year even we’ll switch it up, so it’s not going to be, well, I’m definitely not doing security models, I’m drawing the line there. Uh that was painful as you give it to Ryan, yep, I think it won’t, it probably won’t be as bad this time because we’re used to it, but I mean, at the time it was like, what am I doing? Um but yeah, you’re gonna get different perspectives on the different topics, because we do rotate those year to year.

[00:37:09] Evan Francen: Yeah, yeah, for sure. So that’s cool. I can’t think of anything else. One of the things that I’ve been asked before, and we actually put it on our website, you know, the value of the training, because some people like that, I mean, we had 2,825 students, so the average cost per seat, just be training for self-paced online courses, which isn’t the same. This is actually a little better than that because it’s instructor-led training. But the average cost for online self-paced courses is $2,795.

[00:37:45] Brad Nigh: I was gonna say about $2,500. So yeah, that’s higher than, yeah, I know that. I mean back in 2010, 2011, I paid $3,500 for instructor-led training. Well, my company did, luckily, at the time, but

[00:38:04] Evan Francen: Uh huh. Well, that’s another thing that, you know, I really like, is the number of people we’ve been able to help, um, that couldn’t afford it. Mhm. You know, if you do the 5,300 students, which, you know, we’ve surpassed that, that was yesterday, at $2,795, you’re talking $14 million

[00:38:30] Brad Nigh: And you wonder why the financial people are like, well, couldn’t we charge like 50 bucks?

[00:38:36] Evan Francen: nope, we’re not charging a dime for this. We never will as far as, you know, as long as I’m around

[00:38:41] Brad Nigh: and I will be honest, when you say that, I have talked to people and told them that, and you do get some looks like, what is wrong with you?

[00:38:50] Evan Francen: Our mission, man. I mean we make money in other places, right, doing other things.

[00:38:55] Brad Nigh: and the reality is we’ve gotten some phenomenal hires from students who are like, I really like what you’re doing. I’d love to work with you.

[00:39:05] Evan Francen: Yeah, I guess there is kind of, now that I think about it, you know, there is sort of a weird kind of way strings attached, because it does give us a really good reputation, you know, in the industry, as a company that genuinely cares about people, that genuinely wants to help people. We’re not gonna

[00:39:21] Brad Nigh: ask anything of any of the students. I think that’s the big thing, right? We’re not gonna sell their information. We’re not gonna do anything. It’s, it’s getting back like you said and helping others.

[00:39:36] Evan Francen: Yeah. Another thing I’ve gotten to is the future of the CISSP Mentor Program. So real quick, what I’m thinking the future is going to be is, uh, two things I’d like to figure out is how to get more. Uh, we have a company, an organization, not a company, a nonprofit called Virtual Testing out in California. They do some really amazing things there too. It’s a nonprofit. Well, they’ve been sending a bunch of students our way too, you know, which got me thinking, you know, we’re working on, I’m working on another, I told you I have ADD, right. But another thing, it’s a nonprofit called, uh, The Gray Matter Society. You and I talked about, you know, before we started the show, just the, I think the inability or unwillingness for people to think through things critically. So, you know, we’ve got some really big issues and problems in our industry that we need to think through critically so we can come up with solutions. No strings attached, no partisan crap. It’s just, how do you solve problems? But that’s going to be a nonprofit. I think Kevin right now is in the middle of setting up that 501(c)(3) or whatever you call it. Very cool. Yeah. We might move the CISSP Mentor Program into that nonprofit, and the reason being is, so, you know, FRSecure’s a for-profit company. Some other companies may not want to partner with us because of, you know, whatever, intimidation, competition, whatever. If we put it in a nonprofit, then we can, you can grab FRSecures all across the country and get them to participate.

[00:41:19] Brad Nigh: joke,

[00:41:20] Evan Francen: That’s one thing. And I think that will also lead to this perpetual training. I think rather than having, you know, only doing this once a year, why don’t we get, you know, experts from all over the industry and teach this thing year-round. You and I know the benefit in terms of the blessings we get.

[00:41:39] Brad Nigh: I mean, even if we did it three times a year, right? Or once a quarter, which would really be year-round because it is that long. But yeah, even if, hell, jeez, just a second one in the fall, because we had, that’s the other big one. When is it going to start? What, you have to wait till spring? Well, because it’s a lot of work, it’s just really three of us with three or four, five moderators behind the scenes. Right?

[00:42:09] Evan Francen: Yeah. So I think we can make it, you know, year-round and, uh, invite other people, you know, to play with us. Yeah. I think because this is for the benefit of society, it’s not for the benefit of FRSecure or any individual. It’s about, like, how do we help people? Right. Yeah. I’m not, it’s not, monopolize that.

[00:42:34] Brad Nigh: People just don’t. It does, I guess, you know, society or businesses typically, or seem to be, you know, there’s always a gotcha, what’s attached. You know, just like, we do this because, I mean I will, I’m gonna speak for you, because we care. Right? You’ve said it a million times, information security is about people. Yeah. I said I didn’t have this kind of resource coming up. Well, I know how tough that was, and you were the same way, I’m sure, because you were in, focused on security a little bit earlier than I was even, and yeah, like, if I can help someone with my experience and make their life easier, and then not only that, make them better at their job, or even if they don’t take the program, or take the exam or not, security, yeah, it prevents a breach. That means it’s less work, right, for everyone. There’s no downside other than giving up our time.

[00:43:42] Evan Francen: I agree with that, man. And it’s, uh, the way the world works, right? These are the basics of security, right? We’re not going to teach you how to hack things. I mean, there may be other courses when we move into the nonprofit, we may decide to do other things, teach other specialist courses, but these are the basics here. And the thing that frustrates me about the basics is technology is going way faster than our ability to secure it. So the gap continues to widen and we have to do something in order to close this gap. Otherwise society will fail.

[00:44:18] Brad Nigh: Right? People going back to the book, and they’re like, what, 2015, and now you’ve got next-gen firewalls, and you know what, I don’t care. Do you have port security enabled? Do you know what your rules are? Are you doing ingress and egress traffic filtering? I don’t care how you do it. Are you doing those things? It doesn’t matter what you’re using for those right now. It’s fundamental, but it’s gonna always be the same.

[00:44:44] Evan Francen: Yep, totally agree, completely. All right, let’s get some news, and so that’s good stuff. Everybody go sign up for the CISSP Mentor Program. Don’t just do it just to do it, I guess, though. You really do want to sort of commit. It’s going to be April 12th through June 2nd. Some weeks it’ll be one class, some weeks it’ll be two classes, never more than two, and classes are two hours long. If you miss a class, you

[00:45:12] Brad Nigh: what’s that roughly? Some go a little longer.

[00:45:15] Evan Francen: They do, especially some of those. Yeah. Really? God, a little shudder there. Um, they, you know, if you miss one you can always catch it on YouTube. Um, and if you are going to sign up, commit to go and do it all, you know, almost force yourself to, because you’ll be better off for it. You know, even if you’re not planning on taking the exam, sit through all of it. Right? Because you won’t know some of, you know, you’ll find that when we get to domain seven and eight we’ll be making connections back into domain one and two. It really makes things, oh okay, now I got it.

[00:45:56] Brad Nigh: Yeah. Yeah, stick with it. And I love Drew, our sales director, but if he could make it through it, and he did last year, anyone can do it, because that’s not his interest. He’s a sales guy through and through and he stuck it out. So I love you. Well

[00:46:16] Evan Francen: Maybe you will know. All right. So I’ve got three news things that we’ll hit real quick and then we’ll close up for the day. The first one comes from Fox News, and, uh, it was really interesting. Um, the title is “US Strategic Command Twitter account accessed by child.” Mhm. So this is kind of weird because these are the same people that, this is US STRATCOM. So this is Strategic Command that maintains our nuclear, I guess, arsenal. Um, they are the ones who keep the codes and, you know, all that stuff. Well, last week, actually it’s only just two days ago, uh, there was a tweet that came out and it was semicolon L semicolon semicolon G M L X Z S S A W, and that was it. You can imagine that caused quite a stir, people like, what the hell? You know, this is a place where you’re normally getting, you know, legit tweets. So there was a whole bunch of jokes and things. Well, it turns out that the guy, I think it’s a guy, who maintains the Twitter account for, you know, US Strategic Command was working at home and walked away from his computer and his kid came behind him and sent a tweet.

[00:47:50] Brad Nigh: You know what? Yeah, I’m just reading the actual response to the Freedom of Information Act. But I can only hope that the computer used for Twitter is not connected in any way to the, uh, the confidential, top secret, like beyond top secret stuff that goes on at STRATCOM.

[00:48:23] Evan Francen: Right? Well I’m yeah I mean it’s uh you know I agree with that completely. And I’m also like I expect better.

[00:48:32] Brad Nigh: I would hope that, well, the other thing would be kind of, you know, you would think that he got some sort of a written warning or something.

[00:48:41] Evan Francen: Right. Well, it just shows how important it is. Like, take this to my work life. Right? Do I walk away from my computer in my home office without locking it?

[00:48:53] Brad Nigh: I lock it even when there’s nobody else here. Right. Right. It’s just Windows key + L. It is just an ingrained habit if I stand up and walk away from my desk for anything more than, further than where I can see the computer. That’s my rule. If I’m going to the fridge I can actually see it in the office. I know nobody came in, but if I can’t see it, it’s locked.

[00:49:17] Evan Francen: Right. You’d think with government especially, you know, something, even if it’s just Twitter. So some people will be like, oh, this is cute, ha ha, it’s Twitter. This is information dissemination. So this can mean, thank God it was a kid, because in the hands of somebody more nefarious you can do some real damage with false information, you know, using this Twitter account, because people come to trust, like, oh, it’s US Central Command, I can trust tweets that come from here. Mhm. Can you? Yeah, if they’re not following good security best practices, i.e. in this case, you know, locking your workstation when it’s unattended. So hopefully they take this as, like, okay, we can do much better here. I understand that, thank God this was, you know, a child doing just this, but yeah. Uh huh. So kids, kids be kids, man. I mean, what do you expect?

[00:50:22] Brad Nigh: That’s that that is the reason that if I can’t see my computer

[00:50:26] Evan Francen: right. Yeah, you never know what those kids are going to be.

[00:50:30] Brad Nigh: I mean I think my kids are probably more aware than most because we do talk through this stuff but yeah it doesn’t matter.

[00:50:42] Evan Francen: All right, two other news articles, and we’ll get through these quick and then we’ll head out. So, um, this one is from securityaffairs.co. Yeah, the title is “Hackers breached the PHP’s Git server and inserted a backdoor in the source code.” Yeah, they found it. It’s

[00:51:02] Brad Nigh: bad. I mean, I think, right, this is the exact, basically what we just saw with, um, SolarWinds, isn’t it? I mean, not the exact same thing, but the concept, right? They get in and push it to this trusted source, people. I mean, how many people use PHP? I mean

[00:51:28] Evan Francen: PHP is all over the damn place, and this was recent too, right? This was on March 28. Yeah, so two days ago, that’s when the attackers pushed two commits to php-src, which is the repository. Um, yeah. Does it say how they were

[00:51:48] Brad Nigh: alerted? No, but what’s crazy is the accounts they used: Rasmus Lerdorf, PHP’s author, and then JetBrains developer Nikita Popov. I mean, these are not exactly low-profile accounts that were used.

[00:52:11] Evan Francen: So it looks like the attackers compromised the accounts and then used that.

[00:52:16] Brad Nigh: Uh, so they said, we don’t know how it happened. Everything points to a compromise of the git.php.net server rather than a compromise of an individual account. Okay.

[00:52:28] Evan Francen: And that’s here. It says, in the future, in order to access the repositories users will now need to be part of the PHP organization on GitHub and their account will have MFA, or two-factor authentication, enabled. Does that imply that you didn’t have to have multifactor authentication enabled to the repository before? It’s like, oh my God, people.

[00:52:55] Brad Nigh: Mhm.

[00:52:57] Evan Francen: All right. Well, anyway, I think how they found it, uh, hopefully will restore our confidence in PHP source control, and source code security, please, people, come on. Especially

[00:53:15] Brad Nigh: now, I think, with the last, with Ryan and the Exchange, you’re starting to see some changes, so hopefully

[00:53:24] Evan Francen: It’s gonna get worse. It’s gonna get worse before it gets better, sadly. Yeah. All right. The last one I got is from The Register, and the title is “Intel accused of wiretapping because it uses analytics to track keystrokes, mouse movements on its website.” It’s like, okay, I mean, Intel’s not even close to being the only

[00:53:50] Brad Nigh: I was just, isn’t that like, um, what every big website does?

[00:53:57] Evan Francen: Right. Well, yeah, it’s marketing, right? And they track where you go on the website, because if there’s certain parts of the web, you know, you want to put your content in the places where people are going and, you know, steer people in the right direction. It’s pretty important intelligence, and I really don’t. So this is based on a lawsuit. So a lawsuit was filed against the chipmaker, against Intel. Uh huh. In a Florida state court, the plaintiff is a person named Holly Londers, L-O-N-D-E-R-S. And she’s, you know, complaining about this thing. And the only problem I really sort of see with it, because if you come to my house, I have, you know, my virtual house, my website, I should be able to track where you’re going on my website. I should be able to know where you’re clicking. I don’t really see a problem with that. I think maybe the problem is you need to tell people that you’re doing it.

[00:55:00] Brad Nigh: Yeah. And, you know, reading through it, if you look at the seven most, it says in here the seven most popular session replay services are used on 482 of the Alexa Top 50,000 websites. So, you know that this is happening. I think where the concern comes in for me is if you’re putting in Social Security information, credit card information, what are those, why are they capturing that information? Because that’s not an issue if they’re not capturing that. I mean, kind of, it is what it is. It’s not surprising.

[00:55:38] Evan Francen: It’ll be interesting to see what comes from the lawsuit. You know, if I don’t think, I don’t think she’ll win, but if she does, it’s going to set a precedent.

[00:55:49] Brad Nigh: Yeah. Here’s the list of companies that have been sued over this: Banana Republic, Blizzard, CVS, Fandango, Foot Locker, Frontier Airlines, General Motors, Home Depot, Old Navy, Nike, Morton, Ray-Ban, T-Mobile and WebMD, among others. Like it, as long as they’re not, like I said, as long as they’re not capturing that sensitive information, I don’t really, I kind of feel like it’s expected,

[00:56:15] Evan Francen: right? Yeah, I agree. And the claim is, this is a wiretapping privacy claim, and I don’t think that she’ll win. But, because like you said, it’s common practice, and I have the same, you know, concerns you do. As long as there’s no sensitive, or I guess highly sensitive, information that’s being captured or exposed in the tracking, you come to a website, expect to be tracked. That’s just how it works. What I don’t like is when you track where I came from. I don’t like when you track where I’m going. So things outside of your domain, outside of your website, I don’t feel as comfortable with you tracking. So that’s why cookies, blocking scripts and all those things are good practices, but at least you have control over that. You can’t really do that when you go to, well you can, but most people won’t, you know, when you go to these other sites.

[00:57:09] Brad Nigh: Yeah. You know, there’s there’s some good plug ins to for blocking that stuff if you’re really interested.

[00:57:15] Evan Francen: Yeah, exactly. Yeah. Mhm. All right, well, that’s it for the show, man. What else do I have to shout out to get me shout outs?

[00:57:25] Brad Nigh: Yeah, I’ll give a shout out to my wife for taking care of the medical emergency with our son Friday. Uh, it was, yeah, she did a phenomenal job. You can tell she’s a nurse, her medical nursing approach kicked in and it was fantastic to have that because I didn’t do so well.

[00:57:51] Evan Francen: Yeah, we’re good man. Well, that’s what, that’s what makes a really good partner. Well, since you gave a shout out to your wife, I’ll give one to my wife for let me buy all my Harley parts. So they keep buying. She hasn’t lost patience with me and she’s like, what did you get now, Like this thing, don’t worry about it. It’s good, but she’s uh yeah, I mean it’s it’s amazing how I mean, I don’t think I’d get through life without my partner. You know my wife. Oh

[00:58:21] Brad Nigh: yeah. No, I think you and I both would have worked ourselves silly and would be in a padded cell at this point.

[00:58:32] Evan Francen: Yeah. I tell people all the time I’d be dead or in jail. They’re like, oh no, you wouldn’t. Like, you just don’t know me, man, seriously. Mhm. All right, well, thank you to all our listeners. Send things to us by email at if you like doing the social thing, the social media thing, I have a social media account. It’s @EvanFrancen. That’s my Twitter account, Brad’s is @BradNigh, uh, other Twitter accounts that they might be interested in: UNSECURITY, this podcast, is @UnsecurityP, SecurityStudio’s is @StudioSecurity and FRSecure’s is @FRSecure. That’s all we got for this week. Talk to you next week. Have a good