Civic Ransomware – What it Actually Means

Unsecurity Podcast

In a jam-packed episode, Evan and Brad are joined by state representative Jim Nash to circle back on the civic ransomware discussion, recap Evan’s #100DaysofTruth, and call BS on some startling allegations that have been seen in the information security industry recently.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Also joining us this morning is Mr. Jim Nash. Now I’ve got a special affinity for Jim. He’s a good friend. Uh, but he also represents my home district in the Minnesota State House of Representatives. Hi, Jim. Good morning. He sounds so official.

[00:01:00] Brad Nigh: I know official more officially represents both of us and he’s worried.

[00:01:05] Jim Nash: Oh, that’s right. You’re in a district time sucking up.

[00:01:07] Evan Francen: Did you vote for Jim? You weren’t there yet? You’re

[00:01:12] Brad Nigh: You’re not going to say He said he voted for it. I like to, I like to make him sweat a little bit.

[00:01:17] Evan Francen: I was recruiting for sweaty schweddy. I was recruiting. I was recruiting for him. He was putting signs in my yard. How many signs did you put in my yard? Like two? Seems like, it seems like more than that. You have a small yard.

[00:01:31] Brad Nigh: There was a bunch of yeah. Political stuff in our neighborhood with Horus and stuff. So

[00:01:37] Evan Francen: did you get involved in that?

[00:01:39] Jim Nash: I did not, no. Wisely stayed out of that.

[00:01:41] Evan Francen: So had you voted for Jim? Maybe he would have represented you.

[00:01:44] Brad Nigh:  That may be.

[00:01:46] Jim Nash: But I do work here as well.

[00:01:47] Evan Francen: That’s true.

[00:01:48] Brad Nigh: He doesn’t get up just like giving Jim grief.

[00:01:50] Jim Nash: I appreciate it.

[00:01:53] Evan Francen: But no, seriously, I am uh I am grateful for the work that Jim does. I could never be a politician. I just, my fuse is too short. I think you’re not allowed to use tasers in the House.

[00:02:08] Jim Nash: No no, they frown on that.

[00:02:09] Brad Nigh: See not happy I’m out.

[00:02:11] Evan Francen: All right. Uh so let’s jump right in. And we we have a lot of things to talk about this morning. Um Real quick uh like real quick. What about last week? It went so fast. But you know, last week we had our quarterly meeting, which means that here at FRSecure, SecurityStudio, we fly everybody in from all over the country. Got people in Kentucky, Reno or Nevada, casinos in Nevada, um Florida, Florida, North Carolina, Missouri is coming soon.

[00:02:46] Brad Nigh: It was canceled last night. So he’ll be in today.

[00:02:48] Evan Francen: His flight was canceled. Who is he flying?

[00:02:51] Brad Nigh: American? The storms in Chicago

[00:02:55] Evan Francen: frickin Chicago.

[00:02:56] Brad Nigh: Everything was

[00:02:57] Evan Francen: Chicago’s Lana. Everything about Chicago. If you wave a

[00:03:00] Jim Nash: teaspoon of water over their airport. They shut it down

[00:03:03] Evan Francen: for people who are from Chicago? My apologies. But every time I’ve gone there have had a bad experience.

[00:03:08] Brad Nigh: Yeah. So at the end of day, but yeah, North Carolina, we’ve got a Virginia, Florida, Kentucky, Kentucky, Tennessee, Reno, I think that’s it. Okay.

[00:03:20] Jim Nash: Bulgaria.

[00:03:22] Evan Francen: Oh yeah, bunch of a bunch of Bulgarians. The uh, but it was, it’s always so much fun. You know, we start the Monday off with uh, kind of the whole company meeting where we talk about our results for the last quarter, which was, you know, incredible. Again, another record quarter and then we all go hang out on a boat ride for a while and then you guys, I think they went out like every night last week and did something

[00:03:46] Brad Nigh: I’m still trying to recover. I’m not used to that, right?

[00:03:50] Evan Francen: Uh, but they all behave themselves and it was just really, really cool to see everybody. So that was,

[00:03:56] Brad Nigh: it is fun. It’s a lot of fun to get everyone up here and you know, just here. Yeah. Unfiltered. Yeah. From, from the, you know, all the analysts and everything.

[00:04:08] Jim Nash: But more than that, I’d say that it’s pretty clear when you get here in a big meeting, why this place is consistently voted to be one of the best places to work.

[00:04:18] Evan Francen: So many cool people.

[00:04:20] Jim Nash: Yeah, there’s cool people management. You know, you guys are okay. I’m

[00:04:24] Evan Francen: talking about the other

[00:04:25] Jim Nash: guys. Yeah, of course. But just the top down leadership being more fun oriented, less crack, the whip. You know, it’s a very genuine place. So

[00:04:42] Evan Francen: if we want another record this quarter, I think he said crack the whip. Right?

[00:04:46] Jim Nash: I said not cracking. Oh

[00:04:48] Brad Nigh: no, no one that I just heard crack. The lift is

[00:04:52] Jim Nash: no one likes that, no one likes being kicked in the head with an iron boot. How

[00:04:55] Evan Francen: about tasers here? We can use tasers here

[00:04:57] Jim Nash: you do.

[00:04:58] Brad Nigh: You note to self, don’t avoid Evan’s alright.

[00:05:05] Evan Francen: But it was a great week. I just love it. It’s so cool to just, you know, there were times when I just sat sort of in the corner and just watch people and cried, no, no, no, well no, but watch people smile and it’s

[00:05:18] Brad Nigh: almost getting to the point where it’s like, wait, who is that? Yeah, I’m pretty good on staying on top of it. But

[00:05:26] Evan Francen: Lord, there’s a lot of people. Yeah, I know a few few years ago. I could name everybody. I could name everybody now. There’s probably a handful or my God, Tom, Johnson, Steve you do some

[00:05:39] Brad Nigh: dog. It was nuts. We did the all company that we did breakouts and so I did the operations break out. And I was looking around and it dawned on me that our analyst team is larger than the company was when I started,

[00:05:54] Evan Francen: Wow and that’s only what, 3, 3

[00:05:57] Brad Nigh: Years, three years was in three days. The 25th.

[00:06:00] Evan Francen: Well that’s cool. Uh, so great week for sure. Quick update on the civic ransomware call to action. So 3, 4 weeks ago we had put out, it was after the two cities in Florida paid ransoms, which just pisses me off, right, because I hate paying criminals. It feels like you lose because you do, you lose. So, uh, you know, created a bunch of, or maybe 3, 4, ransomware posts. And we were asking people to email or mail or go talk to your mayor in person and just ask them about the readiness. Ask them in a respectful, helpful way, Right? Not an accusatory, what the hell are you doing kind of way? But, you know, so you can help. And it was really cool because, you know, a dozen or so people took us up on that call to action. And the email that’s on at proton, at our ProtonMail account, which is unsecurity at protonmail dot com. Uh, and the responses are actually pretty cool. I mean, some of them, I’m surprised, some of them are like, uh, okay, you don’t want to follow up with this, with this one. But overall, good responses, I think. Yeah,

[00:07:21] Brad Nigh: it’s a, well, this won’t surprise Jim. But, you know, government moves slowly and it’s not always how you in the private industry or private sector, you would expect it to go. But

[00:07:35] Jim Nash: Well, progress is progress. I used to be the mayor of the city that Evan and I live in and it’s always a topic of conversation. And the thing that pisses me off about cities, it will do this one. It means that they’ve missed the boat on backups. But the taxpayers are paying for it. So people say oh, the city had to pay out this much money. Well, where does the city get the money? It gets the money from levying that the next year. So, and I won’t go into the boring details of municipal finance. But the taxpayer winds up paying for that because I would also argue that the majority of these municipalities that have have suffered either a ransom or something, probably don’t have breach insurance and there’s nobody else down for it.

[00:08:22] Evan Francen: Well, yeah, it’s, and it’s a loss everywhere, every way possible because even if you had breach insurance, you pay a criminal $400, $500, $600,000 and they’re going to reinvest that money to attack Glencoe, you know, the next town down, you know, it’s, that’s the frustrating part too, uh,

[00:08:41] Jim Nash: yeah, it’s so I was at the governor’s blue ribbon council, for which I’m a member, and we talked about this. And the majority of cities and many states don’t have insurance. So our own state of Minnesota doesn’t have breach insurance. They can’t get it. They cannot get it because they still have too many data centers that are beyond porous. That’s not an invitation for those of you out there. But you know, it’s just a simple, simple reality, the ones that matter already

[00:09:14] Evan Francen: knew that

[00:09:15] Brad Nigh: right. It’s not a surprise

[00:09:17] Evan Francen: what, But the so you know, we’ll sort of put that to rest a little bit until we see the next city pay the next ransom and then we’ll pick up that, pick up that torch again. Torch, it’s probably not the right word. Pitchfork, pitchfork, pitchfork for you. All right. So that was good. Uh Did you guys notice that last week I finished up the 100 Days of Truth? I started that on April 8 and finished up last week.

[00:09:47] Brad Nigh: So I saw that I was like, it’s already been 100.

[00:09:51] Jim Nash: It seemed like it went

[00:09:52] Evan Francen: fast. It did, except for trying to come up with 100 of the truths.

[00:09:57] Jim Nash: Well now you need 100 days of falsehoods.

[00:09:59] Evan Francen: Well, that’s what so people were asking, you know, so for people who weren’t following along, I started on April 8 with this hashtag 100 Days of Truth, and it was information security truths. We started with obviously one, went all the way through to 100. Is that how that works? It did in this case. I know I ran out of fingers and fingers and toes. But the it was really cool because people started kind of following, following along and at the end people are like, so what are you gonna do now, now it’s

[00:10:37] Brad Nigh: over? Take a break. It was hard. No, no, no, I don’t

[00:10:41] Evan Francen: think breaks. So uh well one, the marketing team put together a nice blog post with all 100 days, you know, listed. So there’s kind of a digest there. Marketing people, good folks. They are good folks. Uh But I think

[00:10:59] Brad Nigh: Jim works on the marketing team. Yeah,

[00:11:02] Jim Nash: Well, you know.

[00:11:04] Evan Francen: Yeah, well, Jim’s a good folk.

[00:11:06] Jim Nash: I voted for him. Don’t don’t get carried away.

[00:11:08] Evan Francen: Oh yeah. You’ll get my vote next time to running. Yes, I am. When is the next elections

[00:11:14] Jim Nash: next year? Oh, alright. I’ll declare now I’m running

[00:11:17] Evan Francen: again. Should I? Um Yeah. What can I do to help signs

[00:11:21] Jim Nash: that interpretive dance? You’ve been promising to get that?

[00:11:24] Evan Francen: That is going to lose. You get that done, That is going to lose. Well, sure you do not want to see this body and any kind

[00:11:32] Brad Nigh: of movement

[00:11:33] Evan Francen: like that. Uh Anyway, so the marketing team put together this thing, really cool. Uh and then I think I’m gonna make an e-book out of it where each one of those truths, because really in 140 characters or less people can interpret things, read more into what I’m saying than what I intended. So, I think what we’ll do is we’ll just take each one of those truths followed up with just a short one, two paragraph to explain what

[00:12:01] Brad Nigh: it means.

[00:12:02] Evan Francen: Yeah. And then put it into uh put it into a book with an opening and what have you. But then I think another thing we’ll do, and I was going to do an audio book. Can you imagine listening to this Voice for hours on end.

[00:12:16] Brad Nigh: That’s not without alcohol every week.

[00:12:18] Evan Francen: Yeah. Oh, jeez. We could bundle it with vodka,

[00:12:24] Jim Nash: get your free audio, make a little drinking game out

[00:12:28] Brad Nigh: of you

[00:12:28] Evan Francen: every time everyone says pissed another drink. But then I thought, maybe let me let me ask you guys and see what you think. 100 days of lies. I just, Yeah, yeah. You just sort of suggesting you

[00:12:45] Jim Nash: think, well, I think one of the lies should be what we’re talking about next. But yeah, I think that that’s

[00:12:52] Brad Nigh: that’s good. Yeah, I think there’s that will probably be easier

[00:12:57] Evan Francen: when I think it will catch people’s attention. I mean, just imagine this one, um, information security is a man’s game, you know, that’s complete BS, right? Hashtag 100 lies, right? I mean, that’s a that’s a lie. Even though, you know, 70% of our industry is male, right? So, I don’t know. It’ll get people’s attention. That’s for sure. Because

[00:13:22] Jim Nash: I love that first one. Because I serve on the board of advisors for Metropolitan State University’s mid cyber uh, department and over half of those students are female.

[00:13:35] Evan Francen: Good. That’s good. That’s

[00:13:36] Jim Nash: good. Yeah. So, I think you should throw in there that spray cheese is real cheese, because it isn’t. That could be one of the topics, but it tastes good. No, it does not.

[00:13:46] Evan Francen: I don’t know. I’ll do it. I dare you get some spray cheese in here next week we’re doing spray cheese.

[00:13:53] Jim Nash: I think brands with me, baby crackers.

[00:13:56] Evan Francen: All right. Maybe not. It’s not cheese. All right. So that’s the 100 Days of Truth. Um, I think it was good. It was fun. If you haven’t checked it out, it’s just hashtag 100 Days of Truth. Hashtag. Alright. And then next, uh, this is something and this is one of the reasons why. So, Jim. This is Jim’s second time on our show. Uh, the first time, I don’t remember where we were. We were recording way back when, remote, it was all on Zoom. Now we’ve got like equipment and stuff. We’re almost grown up here.

[00:14:30] Brad Nigh: Let’s not go crazy. I hope not.

[00:14:32] Evan Francen: All right. That was 100 days of lies. That’s where it’s gonna go on the lies. But last week, Jim and I were outside just kind of talking and he brought something to my attention and it was, I guess there’s this, you know, it’s in, it’s in the blog post. So if you go to EvanFrancen dot com and blog, the title of the blog post is “According to author, some corporations have, quote unquote, achieved security.” Mm. Like security is an absolute

[00:15:05] Jim Nash: that’s like, you know, she used zen,

[00:15:07] Brad Nigh: right. I know a couple that have achieved security. They shut down out of

[00:15:11] Evan Francen: business. Exactly.

[00:15:12] Jim Nash: No, no computers. No moving parts.

[00:15:15] Evan Francen: So then that blog post, you know, I summarize sort of our discussion, you know, Jim says, yeah, there’s a guy out there claiming that there are unhackable companies. I’m like, unhackable? It’s like yeah, unhackable, like no way, man, That’s crazy. Who is this guy? Let’s let’s let’s dig in. So he sent me this link uh to an NPR show transcript. Uh and the show is All Things Considered, hosted by Ari, who’s uh a well respected, renowned journalist. I mean, the guy is not some fly by the foot, run of the mill.

[00:15:53] Jim Nash: Yeah, you’re certainly not doing a podcast in a warehouse.

[00:15:56] Evan Francen: Fly by night. So you fly by night was sort of the right thing. And I was thinking run of the mill. So I was gonna say fly by the mill.

[00:16:03] Brad Nigh: There we are. Run of the mill and you’re an author. You can make that that’s

[00:16:06] Evan Francen: true. Can I do that? Do it? I’m doing it all right. Run by the run of the mill, run of the night, fired by the mill. Fly by the mill. So anyway, so you sent me this link, I read through it and there’s some troubling statements that are made and the person that Ari Shapiro is interviewing is Richard Clarke. Now, Richard Clarke used to be the National Coordinator for Security, Infrastructure Protection and Counterterrorism for the United States. Er,

[00:16:35] Jim Nash: wasn’t he called r

[00:16:36] Evan Francen: I think so, yeah. For a number of years from like, I think he served not just in that position was five years, but he also served under like four or five presidents,

[00:16:46] Brad Nigh: he’s done a lot. Yeah,

[00:16:48] Evan Francen: so well respected too, right? And this isn’t his first book, this is book like 10 for him and the title of the book, what is it? Fifth, The 5th something, 5th dimension, domain, areas, fit domain. So I’m just going to read it for the listeners and then let’s talk about it. So Shapiro says one line in the book stood out to me from somebody who was talking about election security could just as easily have been talking about other aspects of cybersecurity. And the line is our house was robbed, so let’s at least lock the door. The problem is there are so many doors in the United States, 50 states, thousands of counties, who knows how many private businesses, it’s like six million, each one of them is a target. So is it naive to think that anyone could prevent the house from being robbed again? That’s his question to Mr. Clarke. Mr. Clarke says there are major American corporations that have achieved security, cybersecurity

[00:17:52] Jim Nash: doing air quotes

[00:17:53] Evan Francen: when he said that, I don’t know, you can kind of envision that right? Even kind of envision that uh they don’t like to attract attention to themselves. They don’t like me using their names so I won’t. But there are big American companies that have done it. 10 years ago when we wrote the book Cyberwar, we said no company is safe, if the Russians or Chinese want to get into your network they can. Now we’re saying that’s no longer true. So is that implying that a company is unhackable?

[00:18:25] Brad Nigh: that does, that is, and I’ll say Ari Shapiro’s question and lead up was actually really good too. But my question to him is if the FSB can get hacked and have seven terabytes of data, how in the world are you stopping it from a private company

[00:18:44] Evan Francen: or the NSA loses 50 terabytes of data?

[00:18:47] Jim Nash: So Evan and I are reading this article out loud and I’m like well let’s just listen to the interview because there’s a link at the top of it for the audio that came from it. And sure enough the guy actually said what you read because when I read it I’m like there’s no way I didn’t just read this turns out he said it

[00:19:08] Evan Francen: and I think he believes it because later on he goes on to explain how it happens. So Shapiro then asks him, do you have something Brad and I’ll let you go

[00:19:18] Brad Nigh: oh sure we’ll talk about it.

[00:19:20] Evan Francen: Yeah. So Shapiro goes on, what the, what do the companies that have been, that have not been successful, sorry let me start over again. What do the companies that have not been successfully hacked have in common, what are they doing right? Clarke says the companies that are resilient spend more money on it and have better, have a better governance model.

[00:19:43] Brad Nigh: Does he have something to sell them?

[00:19:44] Evan Francen: You certainly think that aren’t you just questioning and they have a better governance model. Like there’s some other super secret governance

[00:19:52] Brad Nigh: I can tell you from experience governance is always just super well accepted immediately. Yeah

[00:20:01] Evan Francen: but this is a better one. And so the guy in charge or gal in charge reports to a much higher level official. They’re not buried buried

[00:20:10] Jim Nash: like a zen master a yo like a Yoda like

[00:20:14] Evan Francen: figure when I have so many stories where this is just BS. But uh they’re not buried in bureaucracy of the company. And in terms of just a raw metric the good companies, those companies that are successful at this. So good companies, good doesn’t mean perfect and non hackable

[00:20:32] Brad Nigh: means perfect.

[00:20:34] Evan Francen: Uh but they’re spending 8-9 8-10% of their IT budget securing their networks. There are banks in New York that are employing thousands of people and spending hundreds of millions of dollars each year. So I break that down in the blog post like okay let’s go through math and logic on this and

[00:20:54] Jim Nash: because he certainly didn’t

[00:20:56] Evan Francen: obviously not well in he’s got does he not have any private sector experience or understand what risk is. Can you guarantee me that? I mean we’ve been driving for a long time right roads are pretty safe nowadays. Can you guarantee me maybe if I spent more money on my car, I could guarantee that I wouldn’t get hit. Or maybe if I had a direct link to the Department of Transportation.

[00:21:21] Jim Nash: I mean, it sounds like he’s saying everything that all of us that do speaking engagements for the company here say it doesn’t work. So, so they have a higher level of governance, which means that they have lots of compliance. Compliance doesn’t equal security. Um, he wants to spend hundreds of millions of dollars were great because certainly that will fix it. If you have no idea what you’re spending money on. Look,

[00:21:47] Brad Nigh: you we’ve all said it, you get a certain point where you accept the risk. It’s not the right business decision to spend more money to eliminate a risk. The risk doesn’t present. Right? That much of a threat.

[00:21:59] Evan Francen: Let me pose this question. Is it not impossible to eliminate risk?

[00:22:04] Jim Nash: Well, I never have to

[00:22:06] Brad Nigh: Use. These companies have no 3rd party vendors.

[00:22:09] Evan Francen: You have to cease to exist. Do they employ perfect people, right? Invulnerable people that never make a mistake.

[00:22:16] Brad Nigh: I can say with our phishing and other social engineering, uh, that does not exist.

[00:22:23] Jim Nash: I would love, I would, I’ve always wanted to do this. I’ve never asked your permission. I might start throwing this out there in a few presentations. I’ll bet people $10,000 we’ll hack you, we turn our people loose. So

[00:22:40] Brad Nigh: if we can’t get in, it’s a free pen test. Yeah

[00:22:43] Jim Nash: I mean we can’t I just think that this is patently irresponsible

[00:22:48] Evan Francen: Because we can get in 5% of the company.

[00:22:50] Brad Nigh: Alright

[00:22:52] Jim Nash: there you go. Or you know at least like some beef jerky. I’m a lot of companies I think that this sends people a false sense of of hope and false sense of security

[00:23:04] Evan Francen: Absolutely does.

[00:23:05] Jim Nash: And I think that that that is going to breed Laziness because they think well according to certified smart guy if I’m spending 8-10% of my budget on I’m good. Yeah check good to go. Moving on. Well that’s not how it works.

[00:23:23] Evan Francen: Exactly. Oh yeah. Well so if you spend 8-10% of your IT budget right? Not budget budget IT.

[00:23:33] Brad Nigh: Budget. Seeing how IT is well funded

[00:23:36] Evan Francen: right? Well at the state level and so I did some research like what is, how much do companies spend on their IT budget? And the range is 3.2 to 7%. Banking and finance is on the 7% side. So he’s, because he’s talking about banks. So if you take, you know, take JP Morgan Chase, right, the biggest bank in the world, take 7% of their top line revenue. I think the top line revenue was something like $190 billion, 7% of that and then take 8-10% of that and if you spend that much money, you must be unhackable.

[00:24:15] Brad Nigh: Yeah, buying just, you know, 600 to $750 million. Right?

[00:24:22] Evan Francen: But then he’s got another point, better governance model meaning report, and and he he goes more into what that means, reporting higher up. Okay, So spend that money and then report directly to the CEO. That makes you unhackable.

[00:24:39] Jim Nash: What if the CEO is

[00:24:40] Evan Francen: hackable? What if your CISO sucks? Right. What? I feel, what? I feel crappy. CISO who doesn’t understand what the hell he or she is doing? But maybe in that better governance model that would be vetted out. I’m not sure. But to

[00:24:52] Jim Nash: your point of just a minute ago, there’s still people that work there and people are super hackable

[00:24:57] Evan Francen: and that’s and that’s, that’s always been. So computers are pretty easy to secure, right? They’re discrete. It’s one or zero, on or off, black or white. When you throw in people, people are analog, right? They’re all over the place. You know, sometimes you look at people, I mean we’ve all done it. Haven’t you ever done anything and gone like why the hell did I just do that?

[00:25:19] Brad Nigh: Like

[00:25:20] Jim Nash: every Tuesday?

[00:25:21] Evan Francen: Right. I did that this morning when I woke up, I was like, why the hell did I do this? No, I didn’t. I was excited.

[00:25:29] Jim Nash: I think I would love to call this guy out publicly. Well, I guess we are since we’re publishing this um I think that he owes actual people in the industry an answer to what, what is it these people are doing with all this money that gets them to where you view them as unhackable.

[00:25:51] Evan Francen: Well and to give people because I do like to give people the benefit of the doubt. Maybe he just misspoke, maybe this isn’t what he meant. But I read it like five times we listened to it, you know

[00:26:01] Jim Nash: we listened to the dude and he didn’t equivocate. He wasn’t stumbling on his words. So yeah

[00:26:09] Evan Francen: and I was wrong, JP Morgan was 109 billion because I did the math, 109 billion and they spent 610 to 763 million on information security. That’s what it would end up being, uh, with the math. But then yeah there’s the people part. So um what else do we have? Oh but then he goes on, there’s more, we’re not done beating this, is this horse dead yet? No it’s not done.

[00:26:36] Jim Nash: But wait there’s more, there’s like a pair of ginsu knives or a bamboo steamer.

[00:26:40] Evan Francen: Right? What who’s that guy? Ron Popeil, Ronco pio? Alright so Shapiro says you’ve said the government has acknowledged that it is hackable and that companies have figured out how to get the upper hand and prevent themselves from being hacked. Why can’t the government learn the lessons that these companies have learned? Well Mr. Clarke says, I think part of the problem is the federal government, you could just stop there, uh which has made any question, but no, which has maybe 40 to 50 major departments and agencies. It seems like it has a lot more than that. There’s more. Insists that they all defend themselves. I don’t think that that should be the job of every federal agency. What we propose in the book is that the government create one single cybersecurity office for all the little agencies and departments. They can’t do it. This is what’s done in the private sector. A lot of companies don’t do it themselves. Shapiro says they outsource it, they hire a contractor. Clarke says they outsource it and you pay them a month, pay them by the month and you get the, you get them handling all of your security. That’s the way the federal government should do it. So I hired a third party because third parties certainly give a crap more about your stuff than you do. Don’t

[00:28:02] Jim Nash: imagine it will be very troubling for the employees of the NSA right?

[00:28:05] Evan Francen: Have you ever left a tool to somebody? Right? Yeah, gotta bagging them. Like hell

[00:28:09] Brad Nigh: man. Well, I mean, we see it all the time, right, right, in this piece that are doing it, have a misconfiguration and then they investigate their own misconfiguration anyway. Yeah. No it’s yeah it helps. Right? That’s I mean we we are consulting. But if the company doesn’t buy in and doesn’t want to make it happen, it doesn’t matter how good the consultant is, how good the outsourcing is. You never get traction. It’s still the company’s risk. It’s still they have to accept it and make those decisions. They have to do something.

[00:28:50] Evan Francen: And I’ve told clients that so many times. I mean, you talk about truth, right? We opened some of the truth. I’ve told the company so many times. Look, your security is not my problem as much as it is yours. Yes, I get hired to do your security. But if you don’t take my recommendations, if you don’t do the things that I have to ask you to do, it’s on you.

[00:29:09] Brad Nigh: Yeah. It’s so frustrating and just, I’ve had customers myself that. Mhm. What are we doing? Let’s go. Can we do something? They just don’t, you don’t have buy in from above, whatever it is. It doesn’t matter how good your consultant is. You can’t drive that business to do something. You can’t make them do it. It’s their business.

[00:29:30] Jim Nash: Well to talk to Mr. Clarke, you know, at the state level, having been at the municipal level, knowing things in the county, you’re never going to get the compliance of people inside of those organizations because many of them think that they are the taller horse of the trough and they don’t believe that what you told them to do is right, or that their subordinate should do something different than they do. You’re never going to get adherence to any policy uh completely across the board. Uh So I just think this guy is reckless. I mean and I’m gonna, I believe reckless is a pretty decent word for that because if people say if I spend this percentage, certified smart dude tells me that I’m good, and if they could spend that, well one they probably won’t know what to spend it on. They’ll just buy things that are shiny objects

[00:30:26] Evan Francen: and what do people normally do when they are when they have money to spend? They call salesperson the wrong person to call?

[00:30:33] Jim Nash: What should I buy? Oh, oh, get a better firewall

[00:30:36] Evan Francen: Buy the stuff I’m selling.

[00:30:37] Jim Nash: Yeah my stuff will fix everything.

[00:30:41] Evan Francen: Yeah it’s a very dangerous path to go down. If you think that risk elimination is even remotely a possibility. If you think that it’s a purely a function of spending and reporting you’re lost right? There’s so much more to information security than this, It’s not an easy button. There isn’t one. What

[00:31:02] Jim Nash: is the temporal effect here? I mean do you if you have to spend that money in perpetuity or is he saying that you can spend it now and be good for forever. I would love to ask him that question to.

[00:31:12] Evan Francen: Yeah. Does anybody know Richard Clarke.

[00:31:15] Brad Nigh: No I was looking, he is the chairman for Good Harbor Consulting and Good Harbor International, strategic planning and corporate risk management for

[00:31:24] Jim Nash: he might want to perhaps sell

[00:31:26] Evan Francen: something. Good Harbor, are they out of D.C.?

[00:31:30] Brad Nigh: Probably. Okay

[00:31:32] Jim Nash: throw down the gauntlet.

[00:31:34] Brad Nigh: Yeah I would guess probably. So just given his background

[00:31:40] Evan Francen: it’s uh yeah so anyway it’s, it’s frustrating. It’s wrong. The fact of the matter is, and get this through, if you ever ever ever ever think that you can or could ever be unhackable, it’s a lie

[00:31:57] Brad Nigh: And period. I’m thinking through this and I don’t agree with him saying it is unhackable. But if you look at the core, have good governance and spend appropriately, you will reduce your risk. So it’s like he’s taken, actually, well, you could, but he’s taking good advice and made it absolute.

[00:32:21] Evan Francen: Right. Which in security there aren’t.

[00:32:24] Brad Nigh: I think that’s the issue that that’s the big one.

[00:32:27] Jim Nash: Yeah. Well, again, I think if you go back to some of the most secure stuff that we’ve ever had, you’ve had some very high-profile spies steal from agencies that were really locked down. Yeah. What happened there? Were they not spending appropriately? I bet they were.

[00:32:48] Evan Francen: Well, and if anything, it seems like in some cases there’s a happy spot with spending, right? Because you can overspend on information security. Absolutely. And just piss away money, and unless your business is in business to piss away money, which most businesses aren’t, that’s stupid, right? Because you’re in business to make money. Right? So you need to be wise with your information security investments. What’s that

[00:33:15] Brad Nigh: balancing point? That tipping point to say, you know, it’s worth it to spend the money and reduce the risk versus, you know, we’re spending $50,000 a year on a $5,000 problem. Right? That’s not good business.

[00:33:31] Jim Nash: No. So you spend all the money in the world, emails still get delivered to employees’ inboxes and they like to

[00:33:39] Evan Francen: click things, right? I have been asked numerous times by boards of directors, what’s the number one thing that I can do to reduce risk? And the answer is always the same: fire everybody. Yes. I mean,

[00:33:52] Brad Nigh: if you want to eliminate your risk,

[00:33:54] Evan Francen: well, at least reduce it. You’ll still have somebody somewhere who did something, I don’t know. But anyway, so again, you cannot be unhackable. Ever. Don’t take your eye off the ball. You do the work. It takes work. Why do people hate work so much? Everybody should grow up on a farm. It’s hard. We actually have to, you know, work, learn to work, because security is work. Most of it is dirty work too. It’s not fun, exciting, buy a blinky light, look at my cool new thing kind of work. It’s like, all right, you know, asset management, or you know, writing of policy, you know. Yeah. And the point of the policy, by the way, is not to have the policy. The point of the policy is to influence behavior, to set the rules for the organization.

[00:34:39] Brad Nigh: here is what we should be doing.

[00:34:42] Evan Francen: Yeah. All right. So anyway, any other things to add about Mr. Clarke? If he does happen to listen to the show, which I doubt, but if he does, um, I think maybe you could clarify, and if he does reach out, I think the three of us should join in the conversation and it would be a good conversation.

[00:35:04] Jim Nash: Happy to give him the benefit of the doubt of him saying, yeah, I might have overstepped just a titch, but I can’t think that anybody who has been a practitioner for more than like 20 minutes would say something like unhackable.

[00:35:21] Evan Francen: Right? Yeah. It just it just destroys your credibility.

[00:35:26] Jim Nash: Yeah. I wonder how many other people have been out talking about this very article. As if to say dude is full of pick a thing.

[00:35:34] Evan Francen: Yeah. Well, you know, and it makes you, when you see something that’s so far off base, I don’t know if you guys ever go through this, but when you see something that’s so far off base from somebody who has all the credentials, you start to question yourself. I start to question myself, like, have I been doing this wrong for 25 years? I mean, is it actually possible? You know? So then, and then you’re like, no, God, that was stupid.

[00:36:00] Brad Nigh: I would love to see it. I’ve never, never seen a perfect, you

[00:36:04] Evan Francen: can’t. I mean, just logically, I don’t understand how that could ever possibly be possible. Even if you had AI. Because that’s the thing nowadays, right? AI, AI, AI, machine learning, AI. Even AI itself, somebody wrote the code for that AI and it was a human

[00:36:25] Brad Nigh: being. It’s built into it.

[00:36:27] Evan Francen: Yeah. And there’s errors built into it. And then if you build another AI to fix that AI, you just keep compounding the problem. You know? The thing is with humans, with men, I think in general, is for every problem we fix we create two more.

[00:36:43] Jim Nash: My wife says it all the time.

[00:36:44] Evan Francen: Yeah. So if AI, if you think AI is going to fix it, what are the next two problems that that’s going to create, or more? All right, good spirited discussion. Thank you guys. Thanks for speaking some sanity back into my life on a Monday morning. God knows I need it. Insanity, that is. Yeah. Did I tell you about my ride this morning? Did I tell you

[00:37:09] Brad Nigh: I saw your tweet?

[00:37:10] Evan Francen: Oh my tweet. You follow me.

[00:37:12] Jim Nash: I

[00:37:13] Evan Francen: do. It’s a good song. So you liked my tweet while we’re sitting here

[00:37:16] Jim Nash: talking, of my favorite, favorite bands.

[00:37:18] Evan Francen: Yeah. So I was riding my bike in. For those who don’t know, I’m a Harley guy. I was riding on 212 coming into Eden Prairie. And on my playlist, Zombie comes on by The Cranberries, and I just cranked that. And I’m sure as I’m riding by people, I’m singing at the top of my lungs, just not even caring who’s watching, but it was a great way to start a Monday morning.

[00:37:45] Brad Nigh: Have you heard the new cover from Bad Wolves? You don’t like it? I like it. I like it. It’s not the same. Nothing beats Dolores O’Riordan, and I’m not saying it does. I’m just saying it’s not

[00:37:56] Evan Francen: bad. I just always, you know, like classics. I like classics, you know, the way they are. But there are some good remixes out there that are like, it’s fresh, but I haven’t heard that one.

[00:38:07] Brad Nigh: I think it’s pretty good. Who is it again? Bad Wolves? Bad Wolves,

[00:38:11] Evan Francen: Wolves. All right, so there’s a plug. Bad Wolves, if you’re listening, we’d like to talk to you about security as well.

[00:38:17] Brad Nigh: You can get them to do our intro music. Oh, I would be down for that. Custom jam. There you go. So, so I wanted to talk about

[00:38:28] Evan Francen: that. Um, I thought you were moving us on. I was like, wait, it’s my show, Brad.

[00:38:31] Brad Nigh: Do you wanna talk news? I have something that I haven’t dropped on you yet? Drop

[00:38:35] Evan Francen: it. Did you see the guitar?

[00:38:37] Brad Nigh: Bulgaria got

[00:38:37] Evan Francen: hacked. Yes. Including our Bulgarian

[00:38:41] Brad Nigh: five million of the seven million people had their records stolen from the country’s tax revenue office. Whoopsie.

[00:38:52] Jim Nash: And the odd thing is, Bulgaria is like one of the places that people go to set up hacking shops. Yeah. How funny is that?

[00:39:03] Evan Francen: It is an interesting country, Bulgaria. But actually, I’ll make a trip there sometime in the next couple of months. I’ll be able to report back. Yeah. Right. So, good, good discussion. Um,

[00:39:18] Jim Nash: let’s get on to the plug. One other thing, to join you here in the near future, we will be announcing a new product. We are here at FRSecure.

[00:39:29] Evan Francen: Oh yeah, I was supposed to give a plug for another marketing thing. Go ahead.

[00:39:32] Jim Nash: So with both of your help, Brad will do his part this week. Um, maybe I’ll buy you bacon. Um, I’ll do anything. Bacon. We will be launching a new product that will be helping boards of directors, who are largely unfamiliar with information security issues, with a brief coaching product, getting them prepared to at least be conversant and comfortable with what to do with information security, because, as Evan, you said that you talk to boards regularly, most boards, and I serve on several, don’t have anybody who is in infosec on the board. They’re heavy on investment people, real estate people, other folks like that, and they’re generally afraid of what it looks like. So as we get closer to that launch, that’ll be sometime hopefully later this month. Once I buy Brad that bacon?

[00:40:29] Evan Francen: How much

[00:40:30] Jim Nash: bacon? A lot of

[00:40:31] Evan Francen: Bacon. Bacon. What’s a lot, like 3 pounds? A couple pounds.

[00:40:36] Jim Nash: Yeah, but

[00:40:38] Brad Nigh: I can feel my arteries hardening, but

[00:40:40] Jim Nash: I think that’s gonna be a really interesting product, because in talking to our sales team, they say, yeah, a lot of boards of directors are like, yeah, we’re just gonna kick this down the road until next year. To which you want to say, well, enjoy your hacking, because you’re about to get one.

[00:40:56] Evan Francen: Well, ultimately they are responsible. I mean, when I was, you know, working on the Target breach, that was a derivative action lawsuit where the shareholders are filing suit against the board of directors. Um, so people are starting to lose patience. Combat that, though, with breach fatigue. Some people are just like, just another breach, here we go again. Still be pissed. You know, still require some accountability, understanding that risk management is the goal, not risk elimination. So as long as the board is considering information security risk on a regular basis, making risk decisions or at least delegating those to somebody who can make good risk decisions, you know, that’s 80% of

[00:41:43] Brad Nigh: it. That’s what I keep telling them. It’s better to do something and find out, oh, we’ve got a problem, and be able to show, yes, we knew we had it and here’s where we’re at now, than who knew? Right, oh, there’s computers, when did we get those? Hacking thing? It’s like out of a sci-fi thing. I’ve never heard of this before.

[00:42:04] Jim Nash: It might catch on

[00:42:07] Evan Francen: on. The other thing that I was supposed to plug, and then we’ll get into the news, is Hacks and Hops. This is our fourth Hacks and Hops. Hacks and Hops is coming September 19. You should go and sign up. It’s really cool. It’s at hacksandhops.com. This particular event, it’s at U.S. Bank Stadium, which is, you know, plenty of really cool, and who plays there? The Vikings.

[00:42:36] Jim Nash: viking fan maybe do

[00:42:37] Evan Francen: that Vikings fans. We should get a viking

[00:42:41] Brad Nigh: can get them all mad and be like, yeah, but not into the playoffs very far.

[00:42:45] Evan Francen: Yeah, I know right. The Vikings,

[00:42:48] Brad Nigh: that’s not a word, just like it’s not often often

[00:42:51] Jim Nash: shared were Vikings and playoffs. But you know.

[00:42:55] Evan Francen: But anyway, Hacks and Hops. We have some great panelists at that Hacks and Hops. Mark Lanterman from CFS, his company does a lot of forensic investigations for every county, city, including the state; the Bureau of Criminal Apprehension uses his company. So he knows forensics and he knows the legal aspects of incident response really, really well. We also have Chris Roberts joining us in from Denver, and if you don’t know who Chris Roberts is, just google Chris Roberts and American Airlines, or is it United? I can’t remember. But you’ll learn about him. But he’s awesome. He’s definitely a truth guy and he’ll lay it down and probably scare most of the people in the audience. Yes. And then we have the CISO from Code42, also a colonel, and she’s a rock star. I’m excited to share the stage with these guys.

[00:43:58] Brad Nigh: We’re planning on bringing on our IR team, and also be able to listen and be there as well. Good. Just so they can, good, good. You’d probably be a

[00:44:08] Jim Nash: link to register for Hacks and Hops at the bottom of the online blog.

[00:44:13] Evan Francen: Does the code, for the marketing people gave us a code

[00:44:16] Jim Nash: that’s a friend of Jim.

[00:44:17] Brad Nigh: No, don’t give him

[00:44:18] Evan Francen: 50, 50% off. No. Why not? Because it’s a competition. Had to get up earlier. This

[00:44:23] Jim Nash: friend of Jim.

[00:44:24] Brad Nigh: We need to, we need the friend of Jim.

[00:44:26] Evan Francen: F-R-I-E-N-D-O-F-J-I-M.

[00:44:30] Brad Nigh: Or Brad. If you don’t like Jim, there’s a pod, there is one for the podcast.

[00:44:38] Evan Francen: I know they gave us a special and

[00:44:40] Jim Nash: that

[00:44:41] Brad Nigh: is that we need to use that one.

[00:44:42] Evan Francen: No, just use friend of Jim who cares? Just get there

[00:44:45] Brad Nigh: All the sales people are gonna mob Jim later. Yeah. What the

[00:44:49] Evan Francen: hell? What’s going on

[00:44:50] Brad Nigh: man? Jim, why are you all bruised?

[00:44:52] Evan Francen: And they want to come and be on the podcast too, and we’ll be like, sorry, we had enough sales and marketing for today

[00:45:00] Brad Nigh: and then they go out to Jim again.

[00:45:02] Jim Nash: Yeah, I like my chances.

[00:45:04] Evan Francen: All right. So industry news, we’ve got only two industry news items this week. I figured we talked more about Richard Clarke, so I kept the news articles short, but we’ve said enough about him. So the first one is Slack resets passwords four years after data breach. Do you remember the Slack hack in 2015? Mhm. I wasn’t using it then. Anyway, this is Graham Cluley, who also runs a pretty awesome podcast, I think, at least it’s got many, many, many, many listeners. The title of the article is Slack resets passwords four years after data breach. So in March 2015, that’s when Slack announced that they had been hacked in the previous month. And the hackers allegedly had gotten the central user database: user names, email addresses, one-way encrypted hashed passwords, including phone numbers and other things. They said at the time there was no indication that the hackers were able to decrypt any of the passwords, so I don’t know what hashing function they were using. I don’t, you know, like I said, it was 2015, so I wasn’t using Slack back then, and there’s been a few things that have happened in our industry in the last four years, guessing

[00:46:37] Brad Nigh: just come a little ways. Yeah.

[00:46:41] Evan Francen: It seems like every week I have trouble remembering what we did last week. Right. Anyway, they made a new announcement recently, last week. This is again over four years after the attack, and it says, in response to new information about our 2015 security incident, we are resetting passwords for approximately 1% of Slack accounts. I don’t know what this means.

[00:47:11] Brad Nigh: I read it as, they didn’t do a site-wide password reset after the breach, and those people are the ones they’ve identified that haven’t changed their password in four years.

[00:47:20] Evan Francen: Oh, good. I bet you’re right. So 1%. So 99% of those Slack users had

[00:47:26] Brad Nigh: either been deleted or have changed passwords.

[00:47:30] Jim Nash: Brad, what does that little sign that you have hanging in your office about passwords, what does that say?

[00:47:36] Evan Francen: about underwear?

[00:47:37] Brad Nigh: Oh, passwords are like underwear. What was it? Don’t share them with anyone, change them often, and never reveal them. Yeah.

[00:47:46] Evan Francen: but if you don’t wear underwear.

[00:47:48] Jim Nash: Whoa, whoa, whoa

[00:47:50] Brad Nigh: PG

[00:47:51] Jim Nash: Oh sorry family show

[00:47:53] Brad Nigh: show, panic. No, I suppose

[00:47:56] Evan Francen: to be a process.

[00:47:59] Brad Nigh: It took me a second, because I was like, wait, which password thing? I’ve got like

[00:48:03] Evan Francen: five. So if you are a Slack user, use two-factor authentication. It is an option in Slack that you can set up. Protect yourself from those password attacks. To this day, I don’t know how Slack is protecting passwords. I don’t know what hash function they’re using, salting or anything else. So to be safe, use two-factor authentication for using Slack. Slack has really, really grown in popularity. We use it here.

[00:48:33] Brad Nigh: Yeah. Still not perfect. There’s still some issues with it, but right.

[00:48:37] Evan Francen: But we also don’t use Slack for storing much. We use it more for kind of the messaging functions, you know, dropping a note here and there, hey, what’s up kind of stuff. So anyway, there it is. If you haven’t changed your Slack password in four years, or if you have a Slack account and you don’t remember, change it, change your password tonight. The other industry news was Microsoft. This is a little, it rubs me a little bit the wrong way. Microsoft alerts 10,000 customers of nation-state attacks. This news article is from Infosecurity Magazine, and the title is that Microsoft alerts 10,000 customers of nation-state attacks. So they warned them last week that they’ve been, these companies, right? Imagine a call or an email from Microsoft saying, hey, you were targeted by a nation-state attack at some point over the last year. Right? So I don’t know if that means that they were sitting on this information until now to release it, you know, or if they went back that far, you know, in their analysis, but it includes hundreds of U.S. political organizations. They made this known in a blog post to promote the firm’s new ElectionGuard secure voting system. So the timing. Yeah, that just made my ears shut down.

[00:50:13] Jim Nash: If I could. So I’m the minority lead on elections at the Minnesota House of Representatives and have been talking about more money for infosec at the state level. And even the state of Minnesota, where our underlying ballots are paper, still has great concerns about getting hacked, because, and this is what I preach about down there, is one, information that is aggregated at, say, where we all live, Carver County, still has to be transmitted to the state electronically. So if you wanna have a little mayhem on election night, let’s get into the county systems. And my worst-case scenario is if the voter database were to get hacked: don’t do it dramatically, do it subtly. Remove a handful of people every couple of days and add a couple of people every few days as new registered voters, and in a swing district you can ultimately shut out, change the outcome of that election. Because not all states do change management on their database, which is scary.

[00:51:30] Evan Francen: And not surprising, but that’s

[00:51:33] Jim Nash: work. But it’s important to make sure that states are up to date. But, you know, again, this sounds like somebody saying, hey Brad, you’ve been hacked, but I have something to sell you that will prevent that.

[00:51:47] Brad Nigh: Yeah. So I did actually read the Microsoft release, and it isn’t quite clear if they notified them at the time. The actual wording says that over the past year these companies, 10,000 companies, had been notified. So they may have been doing it real-time with them. Okay. But it’s not, it’s still fuzzy. It’s so fuzzy.

[00:52:09] Evan Francen: Well, the, and the news grabber is,

[00:52:12] Brad Nigh: you know, a blog post. It’s still,

[00:52:15] Evan Francen: And at the same time they’re selling, we can have a good voting system. The majority of the attacks allegedly come from Russia, surprising, with Iran and North Korea. 84% of the state-sponsored attacks were targeted at Microsoft’s enterprise customers, with the remainder hitting consumers’ personal email accounts. So, interesting note. I don’t know, other than the fact that it would suck to sort of get notified that you’ve been hacked by a state sponsor. Well, unless you’re spending 8-10%,

[00:53:01] Brad Nigh: you have to do is get better governance. And

[00:53:03] Evan Francen: yeah, if you followed Richard Clarke’s advice, then this is a moot point for you. But for all those other people, the normal people who have to deal with day-to-day stuff, that would suck to get notified, hey, you’ve been hacked. That still hasn’t happened for me personally, but it’s happened to a number of my friends in the industry, getting notified by the Secret Service: your credit cards are?

[00:53:35] Brad Nigh: Yeah. That’s not, are for sale. Not looking forward to that day.

[00:53:39] Evan Francen: Well, it’s bound to happen eventually.

[00:53:43] Brad Nigh: Maybe it’s the same. You made it.

[00:53:44] Evan Francen: I don’t think so. I don’t want to make it then. Right. All right. So, you guys have anything else to add before we close this thing up? Mhm. I want to thank Jim again for coming. Thank you, Jim. You were well behaved. So, I think there’s a door open for you to come back again someday.

[00:54:08] Jim Nash: I’ll have to try harder next time.

[00:54:09] Brad Nigh: Yeah, maybe.

[00:54:10] Evan Francen: Yeah, exactly. What? I can be a little less behaved. All right. Well, that’s how it is. We have a ton of things going on around here. We talk about a lot of stuff. Again, special thanks to Jim for joining us this week. If you are in Jim’s district, vote for him, because he represents well, and he understands bringing bacon first. Yeah. Oh, yeah.

[00:54:35] Jim Nash: I already let the cat out of the bag. I would go to prison.

[00:54:37] Brad Nigh: Yeah.

[00:54:38] Evan Francen: That’s, that’s illegal. What are you, from Chicago? Uh huh. All right. We get good feedback every week from people. Please keep it coming in. Some people give us feedback through LinkedIn. Some people give us feedback through unsecurity@protonmail.com. Have you been checking that? Okay. All right, good. It only took, what, six months?

[00:55:07] Brad Nigh: we’re on top of things?

[00:55:08] Evan Francen: Well, it’s security, man. I had to vet you properly. But do keep that feedback coming. If there are things you’d like to hear us talk about, or things that you don’t want us to talk about, we’ll still talk about them. But let us know. Be sure to follow me or Brad or Jim on Twitter. I’m @EvanFrancen, Brad’s @BradNigh, Jim’s @JimNashMN. We all tweet semi-regularly, kind of things that are going on. Brad doesn’t, but Brad’s busy.

[00:55:43] Brad Nigh: I did tweet last week

[00:55:45] Evan Francen: And I’m all about, I’m just all about self-promotion. And so is Jim, because Jim is gonna get elected. So there you go. All right, that’s it. So email us, unsecurity@protonmail.com. Have a great week, everybody.