Compliance vs Security
Since the initial announcement of CMMC requirements and certification, the information security industry has abruptly shifted its focus towards preparing for it. While there are differences between compliance vs security – CMMC seems to be one of the best compliance approaches to date—really taking important security fundamentals into account. In this episode, Brad and Evan discuss the differences between security and compliance, how to approach information security the right way, and how those relate to CMMC. Give episode 118 a listen or watch and then send your comments, questions, and feedback to firstname.lastname@example.org.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
[00:00:22] Brad Nigh: Good morning and thank you for tuning into episode 118 and Unsecurity podcast. Today is february 9th 2021. I’m your host today, Brad Nigh and joining me as usual as my good friend and coworker. Evan Francen. Good morning Evan. I can see by the palm trees that you are not here in Minnesota, enjoying the blo zero temperatures.
[00:00:48] Evan Francen: No, thank God for that man. There are some uh, once in a while, some privileges and you get to get away.
[00:00:54] Brad Nigh: You definitely lucked out with the timing because this has been our coldest weather of the season by far.
[00:01:04] Evan Francen: Yeah, that’s what I heard man. It sounds like I have chickens, you know, and uh, my chickens, my daughter called me when I was, I was down here a couple of days ago. It’s gonna get down to 30 below. Should I bring the chickens in the house and I’m like, hell no, you leave them outside. They have a chicken coop and they survived. So that was like the coldest weather I think we’re going to get,
[00:01:27] Brad Nigh: Yeah, I mean we can to be pretty brutal. But what are you gonna do?
[00:01:32] Evan Francen: Hey, at least everything is closed.
[00:01:34] Brad Nigh: I don’t have to go anywhere. So, you know, there is some positive.
[00:01:40] Evan Francen: Yeah, that’s true and you know, it makes it grateful that you’ve got a furnace that works like it’s you know,
[00:01:47] Brad Nigh: Yeah. So much that
[00:01:51] Evan Francen: it hasn’t been, it’s been kind of a mild winter overall I think. Don’t you think?
[00:01:56] Brad Nigh: Oh yeah. Yeah. Our snow seems to be pretty low so far.
[00:02:01] Evan Francen: Yeah. I was reading in the news that the northeast I think is getting hit again with a pretty major snowstorm if they haven’t already. So they’re busy digging out.
[00:02:13] Brad Nigh: Yeah, those Northeasters can drop some snow in a hurry. It’s like wet heavy snow to
[00:02:20] Evan Francen: yeah, I’m not I don’t know man. The older I get when I was younger I used to like you know I think I had more energy and I like playing around But now you know at the age of 50 I’m like no I don’t want it, it hurts, everything hurts.
[00:02:40] Brad Nigh: Yeah. It’s a special feeling that when you go outside and you can feel the inside of your nose freezing and crystallizing.
[00:02:48] Evan Francen: Yeah. Well that’s another thing man. I mean you talk about age, the older you get to the longer your nose hair skin and if you notice that so they collect more condensation from your breath. And then yeah, you get plug your nose up with ice.
[00:03:04] Brad Nigh: I definitely get in the moustache with at the bus stop or whatever doesn’t take.
[00:03:11] Evan Francen: I’ve taken a shower before you’ve probably done this, you’re taking a shower before and then let my beard fully dry and then you know, ran an errand or something and yeah, it’s like my beer becomes ice.
[00:03:25] Brad Nigh: Yeah, it’s uh stop it,
[00:03:28] Evan Francen: I like it. I was talking to uh for listeners, you’ve heard him before. Yeah, Oscar Oscar makes yesterday. No, we’re talking about whether we were talking about a bunch of things, talking about some weird stuff with forensics and whatever, but he, let’s see, what kind of weather do you like? He goes, man, 40s is like perfect for me and like what the hell is wrong with you? That’s too damn cold
[00:03:54] Brad Nigh: to Yeah, I don’t know. It depends. I do enjoy the seasons. It does make you appreciate the other ones.
[00:04:07] Evan Francen: Yeah, I suppose, I suppose, you know, like I said, you know, don’t take for granted the blessing of being able to travel, you know? Mhm. So being in Mexico right now, it’s it’s weird because you know, Covid has changed the travel industry so much. Uh we’re on a resort in Puerto Vallarta and they’re very very safe here. Every wears masks I get I need to get a Covid test. Uh No, this morning, actually getting Covid test, they want to get back into the country back into the U. S. You have to have a negative test within three days of your departure. Uh So I got that scheduled this morning at 9:15. Yes. Uh but you know, you’re down here in the resort that we’re staying in, its there are some nights where you feel like you’re the only one here and the whole resort,
[00:05:04] Brad Nigh: wow, nuts. Yeah, that’s very different.
[00:05:08] Evan Francen: I feel bad because these people especially here, you know, they’re so dependent upon our tourist dollars, you know, to pay their bills to feed their families. So on one hand, you know, you feel like during a pandemic, maybe you shouldn’t travel, but I think as long as you’re responsible, then on the other hand, it’s like you feel good about it because you are helping somebody eats.
[00:05:33] Brad Nigh: Yeah, wow, that’s crazy.
[00:05:36] Evan Francen: Mhm. Yeah. Well one of these days we’re gonna get you down here, you’re gonna have to bring, you said that before, but you know, with different stages of life too, right? I got one child left at home and you still got three. So coordinating daycare and You, young man, I didn’t start traveling, I’m 15 years old now, I didn’t start traveling like this until like three years ago. So I was 47. Yeah, we got like 18 years before you get to my age,
[00:06:06] Brad Nigh: we’ve done a couple of cruises and done some some some travel, but not a lot, but yeah, it’s kind of funny because your youngest is basically the same age as my oldest. Yeah.
[00:06:20] Evan Francen: Yeah, I know the phase of life that you’re going through it, you were sharing last night about uh you know, kind of just all the health things and kids and arranging stuff and merits chaotic, But I remember it.
[00:06:32] Brad Nigh: Yeah. Yeah so my oldest got sick and had a low grade fever and so the high school called and was like you gotta come get her and oh by the way all the siblings have to quarantine until she gets a negative covid test because that’s how things go now. I guess I called like 9:15 and I have a 10 o’clock training session with the executive like board sea level director level of one of our big V. C. So clients. So The high school is about 15 minutes or so. And then I got to the high school and that’s when they told me, oh yeah by the way you got to pick up your son at elementary school too. Oh like
[00:07:22] Evan Francen: struggle. You know maybe maybe that’s a good topic for an upcoming show is just juggling family and security. Yeah.
[00:07:32] Brad Nigh: Well and So I made it, I got I got home and logged into the meeting at 10.01 so I was a little panicked got there and it went really well. So that’s good. But yeah it’s tough because my wife’s a nurse, she can’t just be like well sorry. Right. Right. A different kind of expectation around that. So just happy we were. You know, we’re at first year were so flexible to kind of allow for that emergency like oh I dropped out of the old company meeting and miss the consulting meeting. I was like I feel like I do what I gotta do?
[00:08:12] Evan Francen: Oh yeah, for sure man. Well that’s the culture to the right I mean nobody’s going to give you crap when you go run to your family. Oh no.
[00:08:19] Brad Nigh: Yeah it was super supportive. Like you know when I was like ok, go and then when I got back she was like I was everything is everybody okay? You know, people actually cares kind of it’s good.
[00:08:32] Evan Francen: Right? Yeah Ryan, you know, for people listeners don’t know. Ryan is the chief security consultant or whatever senior security consultant over at security studio and he’s uh he’s taking his first vacation. Yeah, he never, I don’t know if you start taking a vacation here but he’s got like four days and he’s running hard man. I mean we’re all running hard and he emailed me yesterday because we have an important meeting next week and he’s going to be on vacation. So I was like, well do you want me to dial in? I’m like hell no. Yeah. Yeah. No. You take a vacation to disconnect and the last thing I want to do it is connecting during your disconnection.
[00:09:14] Brad Nigh: Yeah. It’s tough to do though. It does take some willpower right? You know I did have vacations getting around thanksgiving and that had the health issues which pretty much forced the disconnection, but it wasn’t exactly relaxing, but you know It was just like 10 days where I couldn’t do anything.
[00:09:39] Evan Francen: Yeah. Well, so now that you know we’re talking about it. Do you have a vacation planned?
[00:09:46] Brad Nigh: Not yet. We’re trying to figure that out.
[00:09:49] Evan Francen: I got some help.
[00:09:51] Brad Nigh: No, it’s just scheduling. I mean it yeah, yeah, we were going to go down and visit my sister had for Fort Myers for spring break last year. And how do you say that that was the last week of March? So we met you know that right, when everything shut down, that kind of sucks. But that will be we’ll probably do that again. It’s fun to see her and her kids and our kids like hanging out with her kids. So it’s always good.
[00:10:25] Evan Francen: Yeah, absolutely. Yeah, it’s good for that work life balance, you know, you know somebody sent me out a book that said the work life balance is a myth, like maybe different interpretations of work life balance, but I think it works by balances, you know, because they are so integrated. You know, I mean my work is kind of my life and life is kind of work in me, but it’s just that being able to just stop working for a while, go do something enjoyable, go see the world, see, you know, walk, ride a bike, do something, just get away from you know the connection all the time because if you use it, if you’re connected to much man, it becomes hell.
[00:11:13] Brad Nigh: Well it’s the same as what is it? You work to live not live to work, work. Do you think you enjoy not just work on?
[00:11:25] Evan Francen: Yeah, no, that’s totally true brother.
[00:11:28] Brad Nigh: No, but yeah, it’s uh we’ll get there. It’s everybody is uh going through the same type of stuff so. Mhm. Its adjusted and moving on
[00:11:43] Evan Francen: totally. So what do we what do we uh security stuff where we got today?
[00:11:48] Brad Nigh: Yeah. We could talk a little bit about the difference of between security or secure being secure and compliance being in compliance. And what does that mean? Just because of with, we’re getting a lot of questions and a lot of really good conversations from uh central customers with C. M. M. C. And that being such a big piece in the news and uh like there you know what the confusion is or what their expectations and understanding are versus you know, kind of how we do things. And so that would be a good good topic because I know you’re pretty passionate about that as well.
[00:12:28] Evan Francen: Yeah. Yeah. It’s frustrating, man because, you know, we’ve you and I’ve managed so many security programs before. And I don’t know how many times I’ve heard out of the mouths of Cordner verse or ceos, you know, what’s the quickest way we can get whatever compliance, which is the cheapest way we can get whatever compliance. And that’s, you know, it’s It’s 100% or 180° opposite of the way you’re supposed to be. Mhm. Right. The way we’re supposed security is supposed to be integrated into the business. It’s the only way you’re ever going to get any return on your investment. It’s the yeah. So doing things the secure way, it’s part part, you know, making it part of your culture. And if you do it the compliance way where compliance is your definition of security, then you miss out on all of that and you miss out on a significant amount of risk,
[00:13:21] Brad Nigh: yep. Yeah. So I’ve had A B. C. So that I was working with um that their their security program went through their compliance officer and never made any. It was, well I will say they never made progress. They did, they did actually get some really good stuff done. You know, like rolling out multi factors, some some of those types of things. But it was just painful. Like security was not our priority in any way. And then, you know, I’ve got others that are like wanting to do things the right way and it’s just such a, it’s a breath of fresh air is invigorating to like energized, energizing. It’s hard to work with a company that this is like all in one like okay, what should we be doing, how should we be doing this, what is the right way are we doing this the right way, How can we improve it? You know, kind of peppering me with questions like we said yes, They ask if they have a whole bunch of new leadership that’s coming over the last year and that’s why they asked. They said, hey, we’ve got this meeting scheduled. Can you join and talk about security and incident response stuff? And it’s absolutely, I think you can get in front of the, you know, sea levels and board or whatever directors. Yeah.
[00:14:47] Evan Francen: Right. No, it’s, and that’s it, man. I mean you can’t, I don’t understand, you know, I’ve been studying people for so long. It’s still hard to understand. Well, I don’t understand. I think nobody does because in general, people don’t like to be told what to do. These would go against or at least there’s some resistance or some uneasiness about being told what to do yet in information security. They like the compliance thing because, and you’re basically doing what you’ve been told to do. Then on the other hand, I mean, how many, how I’m going to hear people that actually want to do security the right way that just also say, well, just tell me what to do. Mm. So I think a lot of it’s just kind of a mental, you know, if you start off with your security program or if you are a check less type of no company doing security by the checklist or the well, changing the mind of the way you approach it.
[00:15:49] Brad Nigh: Yeah, there there are benefits to having those checklists, right? Like for sure. I, I’m all on board with some of that stuff but it’s I think you’re right. It’s the mindset behind how those are created, how those are implemented, right? It’s not all right. I’m just doing this and that’s it. It’s not robotic, but I’m doing this thing. I need to make sure I get these things covered. Mhm.
[00:16:16] Evan Francen: Yeah. Yeah. I mean and you know that there’s I’ve always said this two, there’s two ways to approach compliance. You’ve got the letter of the law versus the intent of the law. And what is the shortest path to compliance is to do the letter of the law. Yeah because it doesn’t require much for interpretation. I can create checklists out of it. I can just follow along now what oftentimes gets enforced though is the intent. So you find yourself kind of in this false security. Like I did all these things
[00:16:50] Brad Nigh: uh may have lost Evan so if he comes back well well he wait while we wait for him to. Oh there he is. Hi Evan. You’re back.
[00:17:07] Evan Francen: Hey maybe my V. P. M.
[00:17:09] Brad Nigh: Yeah it froze up there for a bit. But yes
[00:17:16] Evan Francen: I was on a rant. I was on a rant to man.
[00:17:18] Brad Nigh: I agree with you though. It’s like I see the appliances being building code. It doesn’t mean it’s all you have to do is the bare minimum. You have to do.
[00:17:31] Evan Francen: All right. Well so I think what I was talking about before I get for a cut myself off with my people. And by the way, VPN public wifi. Good idea. Yeah.
[00:17:45] Brad Nigh: Oh yeah.
[00:17:47] Evan Francen: So uh Yeah. Well when you do the check box security, you you have this false sense of security because you checked off all the boxes. You think that you’re compliant to now watching for these other things that are outside of that letter of the law because you can never fully communicate the intent of something ah you know, in documentation and you know words. Right? So you you check off all the boxes you think oh we’re secure because you’re telling executive management that you’re compliant. Executive management. That’s the only thing that may be caring about because they haven’t been told anything different so they think they’re fine. And then you move off the agenda until the next time you need to become compliant, then you have the breach. So you followed the letter of the law. What do you think gets enforced?
[00:18:42] Brad Nigh: Yeah, I mean
[00:18:44] Evan Francen: it’s the intent.
[00:18:45] Brad Nigh: Right? Right. Exactly. I mean there’s some of that uh where you know, it’s people going, oh well it’s defensible because I’m doing what they said. Mhm. It’s I would tell you what are you in compliance is a it’s open for interpretation.
[00:19:09] Evan Francen: Well, it is, man, I mean tell tell the OcR you know after a breach the office for civil rights, you know, if you’re in health care and you just had a breach. Uh never seen them investigative breach and not have findings. Not have a corrective action plan. Not have a fine, yep. So that’s always going to happen even if you were managing risk right? If you did security the right way. But I think the fine would be a lot less because when you look at those corrective action complaints the number one thing and most all of them is to do a comprehensive risk assessment. That you didn’t do a comprehensive risk assessment. So that brings us all the way back to step one when we define what information security is. That’s the beginning
[00:19:53] Brad Nigh: yeah.
[00:19:55] Evan Francen: The fact that people still missed that starting step is so frustrating
[00:19:58] Brad Nigh: well in so many and we’ve seen it right we’re working with customers that have had that exact situation where they were doing risk assessments against a narrow scope. Right? The healthcare piece but none of the back office non health care. And I think that’s what so many missed. They’re like oh but I did this risk assessment against the clinic that you didn’t include HR and finance and accounting and I. T you know all these other supporting business units and.
[00:20:33] Evan Francen: Right. Which is the mentality. Right? Because when I’m when I get told by executive management what’s the fastest cheapest way we can get compliant. Well obviously narrow scope.
[00:20:44] Brad Nigh: Yeah. You know and I will say you know you didn’t talk about CMC a lot has been in the news. One of the nice things I talked to actually, I was able to have a conversation with a certified assessor whose number 70. So that’s pretty cool. A really good conversation. And, and uh, you know, he’s lucky to get their company Certified and obviously he can’t do their certification, but he also wants to bring in an independent Party, to yeah, help prepare for it just because it’s always good. Right. I really enjoyed talking with him. I like his approach. And uh, I said at the end, I was like, all right, well, let me ask you a question because I’m curious what does the scene and see what guidance that they provided you around? The requirement for a significant amount of time for evidence. What does that mean? Is that six months, 12 months? Like what they’re very big about it? And he said they are leaving it up to the assessor to determine if it is, uh, if it satisfies it. But basically the end of the day, what they’re looking for is does the company, are they doing it? Do they have a budget for it? So are they giving enough money and finance? Do they have the manpower and staffing to actually do it? And then obviously from a documentation standpoint, uh, is it, is it hasn’t been around or is it straight off the presses? It’s hot off the presses. That’s never going to cut it. It is, you know, six months old and they say, hey, look, we found out and immediately started doing this and here’s our proof that we’ve been following it since we implemented it. And they shouldn’t show all the other pieces then. Yeah, that might satisfy it. So I thought that was pretty interesting. But I like that approach. I mean, that’s,
[00:22:41] Evan Francen: yeah, it’s good. It’s like any approach, you know, I think you have, but its pluses and minuses, the minus or the negative in that approach is it’s subjective, so you’ll have, you’ll have a different I want at least a month. And in my interpretation, you need to have three staff members in order to do this thing where as another guy might look at it and say, it’s got to be there for six months and you need eight staff members, right? You know what I
[00:23:08] Brad Nigh: mean? Yeah. And you know, obviously, I don’t know the full details, but I agree with the overall, it’s better than the check box that we’ve been seeing, right. It’s not at that point in time.
[00:23:22] Evan Francen: No. And it’s getting and I think it’s getting closer because uh, there’s less interpretation. There’s less uh, letter of the law versus intent of the law
[00:23:34] Brad Nigh: well and right. And the controls are are pretty well written and that it’s easy to, you know, the, it’s pretty clear what they’re looking for, I don’t think, yeah, confusion there.
[00:23:47] Evan Francen: No, you know, just again, this looks like anything, man. I mean it’s a double edged sword thing is with people it’s a good people design really cool stuff and then people start to use it and then they find ways to abuse it or they find ways you know because the sad thing about some of those controls is they are pretty prescriptive so there may not be any business benefits. You’re doing this one thing but if you want certification you need to do this one thing and there’s also gonna be time. And so I think when you do this one thing and based on your circumstances, the way your business operates you don’t get a lot of security benefit out of that one thing you’re gonna need to have it. Well
[00:24:32] Brad Nigh: part of it’s one of the other things that came up is you know right now they have d fars and based on 871 and he said basically the D. O. D. Estimates only 34% of their supply chain is actually doing it. It is meeting the requirement. So it’s kind of like well hey we gave you this opportunity, nobody is doing it too bad now. You have to do it.
[00:24:58] Evan Francen: Yeah that’s it. One in give the government some credit too because at the end of the day the government is the customer and customers need to be telling their suppliers their vendors, their business partners. This is what I expect of you right?
[00:25:15] Brad Nigh: Yeah and you know, he did say that the other thing and I think this is gonna we were talking about it before of it growing uh he said that it’s very very it’s not surprising that all the other government entities are watching this very closely. Mhm. Like, you know, hey, if this actually works, if you’re going to see it though, for basically every government contract is what the expectation is.
[00:25:45] Evan Francen: Well, hopefully it’s the same process. The same controls the same everything. Because, you
[00:25:49] Brad Nigh: know, they’re going to adopt the MNC.
[00:25:52] Evan Francen: Okay. Because I saw I was reading a state of the States are not kind of putting together not all the States, but you know, small group of them are not putting together a state grant. Uh huh. You have fed ramp, right? Mrs ST ramp. And you know, I get it. It’s good. But my god, you keep creating more stuff for people to do that distracts them from running their business. Don’t forget the purpose for a business is to serve their mission. Not necessarily to secure information. So if you figure out a way to integrate security into the mission, that’s where you get the biggest benefits. So if I have just another thing I like to him and see to I mean based on all the other things that I’ve seen. Uh But if I’ve got to see MMC. And I’ve got this other thing and this other thing and the other thing. And I got it. Give me one thing I think that some of the frustration for business leaders with compliance.
[00:26:52] Brad Nigh: Yeah. And you know that that is a good point. So it’ll be interesting to see what if anything is fed ramp is impacted by obscenity because federal, But that’s a bear. That is a nightmare,
[00:27:07] Evan Francen: right? Yeah. It’s expensive as hell, man. If you’re a cloud service provider, I don’t do that process. Get out the checkbook man. It’s another thing about security to us. I think so many people in our industry sort of abuse it, right? Because I can set up shop because I was actually talking to No. Oh, okay. Another company, I’m not going to mention my name because I don’t want to I don’t want that. But they they’re they’re an IT shop and they want to get into security. Right? So they’re like, well what should we start with? You know, they’re not asking me this, this is their own internal discussion. Well, they decided, let’s get in to see MMC. I’m like, and then they, they told me this, right? So why did you choose CMC? Like, well, because you know, people have to get it. So they see it because they don’t, you know, it would be much easier for them to sell because companies have to do it. But I was like, well, do you know, do you know the timeline for the implementation of cmm. See, you know how many organizations need to be certified by the time this thing you know, is fully implemented, lecture your your target market if you will. And then do you understand the competitive landscape there? I mean you’ve got some security companies, some huge audit companies that are all involved in this game. And how are you going to But I’m not for your business. It’s just like I don’t think you should do it because I think that markets already, I mean so quickly that market already been saturated with that with that will come I think. But I do like the way cmm she did that to right. You’ve got the the gap analysis or the gap assess and then you’ve got the sort of certification. I like how to get those separate.
[00:29:03] Brad Nigh: Right. Yeah. Yeah, I do. I really like that. You cannot do both. Right. Yeah. Right now there are 300 R. P. O. Organizations.
[00:29:16] Evan Francen: Yeah. You’re gonna get Game. You got zero experience. And for what? And what’s the target market, I mean, how many how many government at this point? We can’t assume the entire government. We can only assume Department of Defense contracts. Right. How many of those are there? And then how many those are going to be? You know, need certification this year. Next year
[00:29:43] Brad Nigh: we’ll and then the CMC this what you certified. It’s good for three years. So it’s not like an annual thing that you’re gonna do readiness every year. All right. Get them written there. It’s maintaining it, right? So if you’re not offering those supportive services to help continue it. And what what what’s the benefit for the customer to.
[00:30:10] Evan Francen: Exactly exactly. When we’ve seen other compliance, you know, F. F. I. E. C. For sure. G. L. B. A. You’ve seen, you know, hip hop probably the two biggest ones where you’ve seen a number of companies really abuse that that will claim. You know, you do these things work with us and we’ll get you HIPPA certified or hip hop compliance. It’s like, what the hell is HIPPA certified? That doesn’t exist first of all. But you’ve seen it. People are charging, you know $10, $30,000 to a health care organization that can’t afford it. The same with banking now, everybody in banking, pretty much not everybody. Most banks. Credit unions are very much checkbox security.
[00:30:50] Brad Nigh: Oh yeah.
[00:30:52] Evan Francen: Right. It’s like you’re missing the point. That’s not how security works.
[00:30:57] Brad Nigh: Yeah. Yeah. It’s been interesting. But the other thing, you know, it’s it’s interesting on these some of these calls to talk to companies that really it becomes very clear that that 34% compliance rate is probably very accurate because these are. Yeah, because I mean, well the requirement has been you have to self certified D fars and we’re having conversations with companies that are current contractors or subcontractors. So in the supply chain that have like basically nothing and have no understanding of it. It’s like, what have you been doing? Like, you know, the penalty for lying. Yeah.
[00:31:43] Evan Francen: Well that’s another thing too. I think that our industry could use a lot more of, and I know people may not want to hear it, but it’s more accountability,
[00:31:52] Brad Nigh: right? Well, you know, let me see. So in this, it’s big because it’s the false claims act is what it’s at its Trouble damages or three times a contract value plus a penalty of $11,000 per claim. And in 2019 fiscal year and even 20 September 2019 Department of Justice had obtained more than $3 billion dollars in settlements and judgments for people violating the false claims act. And like, you know, if they, if something happens and they just crush you and you’re not gonna get contracts with them again. Probably
[00:32:30] Evan Francen: Right. Well, but I’ve seen organizations, what they do is they shut shut down shop. The third banker proceed. Set up shop is another name.
[00:32:39] Brad Nigh: Yeah,
[00:32:40] Evan Francen: that’s, you know, just game stuff. You know. But so you know, one thing pops into my head so compliance is good. I like compliance. Honestly, what I don’t like is when you get your priorities mixed up and you think that compliance is something that it’s not, you got to be compliant because we live in a nation of laws, right? But the right approach is to understand build a good security program and ensure that compliance is built into it.
[00:33:14] Brad Nigh: Yeah, exactly. That’s and that’s our approach is, hey, look, let’s do security correctly. Let’s get you as secure as possible. And in that process you’re going to become compliant. Let’s, let’s do it, right? And if you do it right, you can check the boxes. That’s not going to be a problem. If you just check the boxes, that doesn’t mean you’re going to be secure.
[00:33:35] Evan Francen: Exactly. Exactly. You know what I’d like to see maybe in a version two or version three of maybe see MMC is uh like a mitigating controls, checklist kind of thing. So like if I don’t implement this one control because I have a justifiable reason for it, meaning I’m addressing risk in other ways or you know, it just doesn’t apply to me some reason to have like a mitigating control.
[00:34:02] Brad Nigh: Well, they do have that. You can have it not applicable, but you better. You have that very detailed explanation of why it’s applicable. So they sort of have that. But yeah, I get what you’re saying. I think the problem has been uh the reason they went with a pass fail is people would have these plan of action and milestones and then not really make progress on them, right? Like, okay, well, I know I got to do these things and gosh, next year, I know I got to do these things. Right. Right. It’s uh, these companies being, I don’t know. I don’t want to say negligent or however you want to put it, but not willfully or don’t want to anyway, you know. Right? But right. They forced the hand All right. Like,
[00:34:57] Evan Francen: right. Yeah. I mean, it’s across the spectrum I think once, you know, for people that there’s ignorance, they just don’t know right? People don’t like to be called ignorant. And I get that, but we’re all ignorant about something and I don’t know lots of things, but there’s certain things that you just need to know to become a responsible business leader, business owner, father husband, you know what I mean? There’s just things that I can’t claim ignorance on I can’t claim, well, I was supposed to pay taxes. Well, nobody told me
[00:35:29] Brad Nigh: that,
[00:35:30] Evan Francen: you know, I wasn’t supposed, you know? So these things like you have the ignorant and so and I point fingers at both sides for being ignorant. I think a lot of business leaders just don’t want to know has I’ve heard that before too. Well, if you tell me this stuff, well then I have to fix it. It’s like where the hell is the logic in that?
[00:35:49] Brad Nigh: That doesn’t Yeah.
[00:35:51] Evan Francen: Yeah. Yes. You may have to fix it in time or have any reason on why you didn’t fix it, but that just makes sense. That’s just good business, right? So you got down on one side and honestly you have the willfully negligent people, they’re basically criminals. Yeah, businesses,
[00:36:10] Brad Nigh: but it’s a fine line between going, I don’t want to hear about it. And I don’t know from that ignorance, that negligence, it’s a very fine line,
[00:36:22] Evan Francen: right? I have that saying because people would say ignorance is bliss and say no, it’s breach.
[00:36:28] Brad Nigh: Yeah, I like that.
[00:36:31] Evan Francen: Yeah, ignorance isn’t bless its breach. So, so what about um, like the right way then because we see we preach all the time the right way to do information security. And I think I think we can do a lot better just as an industry and explaining what that actually is, how you actually do that. And it’s a big part of what we’re putting in our book to write the VC. So handbook is like
[00:36:57] Brad Nigh: Yeah, there you go. Exactly that. Yeah. I think you know, it’s, it’s to me the the end game is to get the organization to buy in. Everybody talked to bottom in what we’re doing. But in order to get there, you have to work with the company, right? You can’t just be this stand alone no dictator approach, which we see all the time of it’s my way or the highway for security and you have to do it. So you got to listen to me. Well you’re never going to get a truly good security program that way. And so it’s it’s reaching out, making building those relationships within the organization, getting their trust and working with them to understand what’s their risk tolerance, What you know, how do they, how does the organization work and then giving them the options and say, hey look, here’s my recommendation, we can do this. But if you want to do this, here’s the risks associated with it and educate them.
[00:38:00] Evan Francen: Yeah, I agree with that. I think a lot of times we skate over the fact of, you know, how important roles and responsibilities are in an organization. Security doesn’t come second nature to everybody, right? And I think sometimes I know personally I forget that and so if you don’t give somebody specific responsibilities, you don’t communicate those specific responsibilities. You don’t train them and enable them, then they never do, it never gets done. And so you know, just I think starting out with an organization figure hanging out what assets you have to work with, what resources, what people do I have, who’s going to do what when you run a security pretty program at the beginning start high level. Right? Until you really understand how this is all going to kind of work. So getting to know that, working with executive management to communicate how information security can be used to accelerate the business, how can be used to accelerate the mission, how we don’t want to have a security program that gets in the way of those things because yeah, you’re not serving the business, right. I mean if you have a control that you put in place that restricts the ability of the business to make money or serve their mission. We really need to reevaluate that control. That might not be Or probably isn’t the right control, right?
[00:39:28] Brad Nigh: Yeah.
[00:39:29] Evan Francen: So is this the creativity peace And then it’s risk management, Right? I mean, the definition of information security is managing risk. How the hell am I ever going to manage this? I’ve never assessed it. I’ve never made risk decisions before. I’ve never put risk decisions out onto a road map and assign those two people to accomplish and track that progress. However you want to track that progress. Uh Mhm. Well, you know, it’s just fundamentals, man.
[00:39:58] Brad Nigh: Yeah, you bring that up and it triggered this. But you know, before I started here, I interviewed a couple of places in back to Kentucky. You know, they’re always like, what are you gonna do from a security perspective? And that’s the first thing I do is sit down and talk to everyone, you know, talk to I. T. Talk to the different business, believes and understand, get to know the organization and then figure out what we have. You know, what is here and there like mm now we need to do you come in and just start doing things like, okay, good. I’m I’m done. Thank you. As soon as you hear that, it’s like, no, I can’t I can’t do that. You can’t be successful coming in and saying all right, everything has to change. You can’t lose that. You’re gonna lose it. It’s a company. You’re not going to have any credibility.
[00:40:53] Evan Francen: Yeah. Actually bound to fail. And you will you will 100% become a scapegoat
[00:40:59] Brad Nigh: when
[00:41:01] Evan Francen: the poop hits the family. Because you don’t have those relationships. You don’t have that support. You’re gonna need that when crap really does it defend,
[00:41:10] Brad Nigh: right? You know, I very clearly remember asking, okay, well then, you know, do you have an asset inventory? Do you have uh you know, hemming and hawing? And I was like, how what do you what how do you do that? How you can’t do this? It’s not help.
[00:41:29] Evan Francen: Well, that’s what, you know, it’s ideal. But it doesn’t happen as much as it should, but it’s ideal that when you hire a consultant to do information security style or a B. C. So for instance or a C. So whoever is going to be the person that’s going to help put this thing together, the best place to start the entire engagement is with the ceo right? Have a conversation with him or her and ask, what are your expectations? What does a good security program look like to you? And what you’ll find is they either don’t know most in most cases or their expectations are unrealistic. Mhm. Yeah. But that’s the consulting piece, right? That’s why I’m here. That’s why I’m here to say all right? I get that. Let me explain to you why that’s why I don’t think it’s a good idea for us and here’s what I think is a good idea for us. And the reason why I’m having this conversation with you is I need you at the end of the day to own this. Yeah. I can’t hold it. How much money you pay me no matter what you put in the contract. I don’t know this thing you do,
[00:42:39] Brad Nigh: right? Yeah. Yeah. That’s why I’m really enjoying this this new DCs I’m working with because yeah, I didn’t even the ceo, but I met with the their security Director of security, our information security. And then the C. I. O who he reports up to. We had an actual like interview prior to them signing the contract. So we knew it was like a good fit and I knew I had a good idea of where they’re at. And then, you know, even yesterday during the training, the the top person was like, had a really good question. Was engaged, you know, go through some of the things around, you know, fishing and some of that stuff and examples and joins in. It was like, oh yeah, that really resident, you know, and it was super gauge, which is rare, you know, And so I feel like that stuff it is it’s really it’s fun at that point. It becomes fun. It’s not pulling teeth to get progress.
[00:43:44] Evan Francen: No, man. I mean the best, the best species. So uh things that I’ve projects that I’ve worked on. I became really, really good friends with the people that I was working with, the leadership there. Because you do, it’s collaborative, right? I’m not here to be Debbie Downer and you know, I’m here to collaborate. I want to understand the business so I can help this thing succeed if I’m not providing value to the business and this is a message for all security people. If you’re not providing value to the business, what the hell are you doing here?
[00:44:21] Brad Nigh: Right. Right. And you have to know I think to what that value is. What is the business expecting? Right. Because I do have to
[00:44:29] Evan Francen: quantify it. Right.
[00:44:30] Brad Nigh: I have other ones that work with it are extremely happy just having that monthly called to check in and just having it as a resource and you know, somebody to bounce ideas off of and and things like that. So it it’s going to be different for every organization but knowing what they expect and what they want and what they need is what makes it successful or not? No. Yeah.
[00:44:59] Evan Francen: I love getting those expectations. And then it also helps when I asked a question like that. Like what do you expect out of the security program? What do you envision it being? What would it be for something that you would because what I need from a ceo is I don’t need you to tolerate my security program. Our security program, I need you to champion our security program. And I’m not asking for a ton of time. I’m asking for maybe 15 minutes a month maybe. You know, just to give you kind of current state of affairs. This is what you said. Your expectations are. This is how I’m meeting those. But yeah, I mean if you don’t get that, then you’re shooting in the dark, chances are really good that you won’t meet the expectations or Yeah, because unrealistic expectations are the shittiest. Excuse my language. I mean, they’re the worst.
[00:45:51] Brad Nigh: Yeah. Yeah, agreed. Well, I’m not being clear about that. He said it’s going to set you up for failure. Mhm. Like how can any every time I know what you’re expecting. If we don’t talk about it, how do you know what? You know what? It’s got to go both ways. You have to have that communication. You have to have relationship so that there aren’t these big misses.
[00:46:15] Evan Francen: Right? Well, and as a security professional, I mean, if you’re if you’re in a position where you don’t get space time with the Ceo, you can’t get face time with the Ceo, no matter what you do, you gotta question if this is the right place for you to be working because the expectation from the sea cell. I’m not expecting a weekly one hour meeting. Right? Although that would be awesome. What I’m asking for is can I get 15 minutes a month. Can I get 20 minutes, you know, a month And if you can’t get that kind of buying from the ceased from the Ceo, it’s a great indicator of where this is headed eventually.
[00:46:54] Brad Nigh: I think part of it too is just the way the consulting works and stuff. I think you have to build a little bit of a relationship and trust with your primary contact for, right? Like I can’t, I don’t feel like I can go in and demand that right away. Like I need to assess the situation where they’re at where the program is and build that relationship and then say, okay, here’s, we don’t know where we’re at, Here’s what we need to do and then bring that up, right? I don’t think it would be successful going in day one and say, Hey, I need 20 minutes a month with your executive leadership.
[00:47:31] Evan Francen: No. Well maybe, I mean it depends on why you engaged in the first place. If it’s just to be a resource versus do you want me to own this and drive this? I mean, not truly on it because that is, I can’t do that, but I can treat it like I own it. You know, I can drive this security program, I can start, you know, setting up projects and having people do things. Yeah. I think with your point of contact, uh, you can always lay that out. Like, hey, here’s the steps at some point in the next month. You know what I mean? We need to talk to the Ceo hardboard or whoever
[00:48:08] Brad Nigh: right now. I would, you know, they just worked well with the one I’m doing. You know, now we do. We deliver their, uh, Assessment results two weeks ago or so? Yeah. We’re gonna go through the road map tomorrow, I believe. But one of the first things after that was, hey, look, we’ve got this meeting. Yeah. Can you get in front of all these people and, you know, do this and that’s perfect. That’s exactly what you want.
[00:48:36] Evan Francen: Yeah. And so you can see that the approach you take, that approach, the approach that we’ve been talking about the last 5, 10 minutes, you compare that against the approach of compliance. You know, I mean, it’s just vastly different.
[00:48:50] Brad Nigh: Yeah, Yeah. You’re the far more successful with the approach that we take than, and you know, it’s not to say, but that’s going to prevent all breaches. We see it happen right? It’s just, it’s a matter of, not a matter of if it’s a matter of when we just want to try and push that wind out as far as we can and make it as small as possible,
[00:49:14] Evan Francen: right? And I’ve told I’ve had c, so, you know, CEOs, I’ve had these conversations with Ceos, I’ve asked them, what are your expectations in a common one, meaning. I’ve heard it more than a few times is I want you to keep me out of the news. Yeah. Right, okay. I get that. Who wants to be in the news for something like this? But I can I will never be able to meet that expectation and they’re always kind of surprised like what do you mean? You know, because I can’t guarantee you bad things won’t happen. They will when those bad things happen, at least you’ll have a story to not look like such a dipshit, you know what I mean to the rest of the world will be like, yeah, this is what we were doing to prevent this and bad things happen, you know what I mean?
[00:49:56] Brad Nigh: Wow. Yeah. You know, it just, it still surprises me. I know it shouldn’t, but it’s like I just can’t get over the fact that people are still given everything we’ve seen still have that approach.
[00:50:12] Evan Francen: Oh yeah, that’s a that’s still somewhat common. Another somewhat common. Not they don’t say in so many words, but I’ve heard it numerous times is what? And the most of the time I get it in the form of a question and it’s kind of rhetorical question, it’s, you know, will information security make me more money. Uh huh. I mean like, well maybe I mean it depends that will really really really depend upon your involvement with me if you will be really tightly I mean if you want to work towards that. Yeah, we can make it part of the culture, right? We can look for all business processes that are over complicated because complications, complexity is the enemy of security. So we can go through that and streamlined as many processes. We can take those 30 step processes, make them into 23 step process is realize efficiencies in business operations and at the same time get the security benefit right. We can also brainstorm about how we can use every one of our information security dollars that we’re investing as a marketing play as a business different jitter as you know, to get more customers. So, I mean if you get creative, so the answer to the ceos at advanced me that before, it’s like yes, but you return on your investment will be directly related to your involvement.
[00:51:35] Brad Nigh: Yeah. Yeah. And and understand it’s tough to quantify that.
[00:51:41] Evan Francen: Right, Right. And that’s again, why would need more involvement from the ceo because we have to agree upon. Alright, I bet you this 10 step, 30 step, 50 step process was probably costing the company, you know, works do some math, give them the variables and say, well, you know, I think it was probably costing the company half a million dollars a year. Now that we’ve streamlined it into a two step process, it seems, you know, based on, you know how much Human involvement and stuff like that. Maybe we’ve got it down to $200 or $150,000 a year. That’s a $350,000 return on your investment cost us $30,000. Not necessarily turn investment but Cost us $30,000. You know, to go through the process of evaluating refining their process. We put in $50,000 with the security control so we’re more secure and we got a positive ri it just takes a hell of a lot of creativity and I think a lot of us don’t get the time to do
[00:52:36] Brad Nigh: that all the time. Like you said, it’s, it’s just, it’s kind of an intangible ry right? How do you, you have to agree ahead of time that hey, this is how we’re going to measure it. You know, it’s hard to get people to do that sometimes.
[00:52:57] Evan Francen: Yeah. And in all honesty, uh with all the security projects, you know I’ve done and you’ve done, I’ve never once had a ceo take me up on that.
[00:53:08] Brad Nigh: Yeah.
[00:53:10] Evan Francen: You know where they’ve said? I’ve heard it more than once. That hey, well, well, you know the security make me more money. The first time I ever heard that I didn’t have an answer. I was just like probably not. I don’t know. And then, but you know, I don’t like being in that position. So then I obsessed about it for like the next week. Like how are all the ways I can answer that question. Yeah, of course we can. So then, you know, probably three times after that, maybe four times after that Ceos have asked me that same question and the answer’s been young, but this is what it’s gonna take. And they’re all like, yeah, that’s what I’m gonna, Yeah, I’m going to focus my time on marketing or yeah, I’ve
[00:53:54] Brad Nigh: gotten that that approach from more of an I. T. Perspective, but it’s the same thing like, hey, we need, Here’s the justification for this piece of software. It takes me 15 minutes a day to do this task. That that adds up. If we get this software, it goes to 15 minutes a week, we’re now saving, You know, an hour a week, 52 hours a year at this France. Here’s what it costs. It’s going to, it’s going to, you know, save this money over the and allow me to do these other things. And it is really effective when you can’t do that and show that because otherwise people go, you want to spend money on software and why, why are we doing that? You’re, it’s working fine now, right? Yeah, it’s an hour day.
[00:54:47] Evan Francen: Well, and that’s a message I think about culture companies. No, two companies are exactly the same. So what resonates with one ceo of border directors doesn’t resonate with another. You know, that’s why again, it’s really important that you start off on this journey or dependent no matter where you’re at in the journey at some point, you need to really understand what’s important to them. You know, do they want to make more money? Is there a mission and they’re so just mission driven. That money is kind of a secondary thing. Well then focus on that damn mission show how everything we’re doing in this information security program is making us better towards that mission and then you’ll get a budget all the time. It’s crazy,
[00:55:33] Brad Nigh: right? Yeah. Yeah. It’s a kind of a, I don’t know where you were here, but it’s a law school. It’s not something that missing skill for a lot of people and security is, you know, talking to an understanding and then being able to execute on what drives the rest of the company. You have to adjust your approach. Mhm. To meet them. Otherwise it’s gonna be really tough, yep.
[00:56:07] Evan Francen: Yeah, for sure man. Yeah, it’s an art form I think, you know, and there’s just sometimes when you just don’t
[00:56:17] Brad Nigh: click right and in those cases we’ve had this happen where either the analysts or the companies, like, I just don’t think this is a, I think we’ve had it with the analysts going, hey, you know what, I think sometimes it would be a better fit for this. They’re going to get there just personalities are going to match me better than, and it’s going to be more successful, awesome. Don’t be afraid to do that. And we take the companies do and say the same thing. Like, hey, you know, so, and so was fantastic. But it’s just not the right fit. Yeah, it’s, and, and you don’t, you can’t take that personally. No,
[00:57:01] Evan Francen: no, don’t take a person.
[00:57:03] Brad Nigh: I’d rather than, you know, from a, from our side of it from my first year, I’d prefer them to tell us, hey, can we try something out? Like it’s just not working rather than being unhappy and disengaged and leave?
[00:57:17] Evan Francen: Right? Yeah. Yeah. For sure.
[00:57:21] Brad Nigh: We’ve got plenty of uh, analysts with plenty of different backgrounds and different personality types. We can, we can get somebody to fit. You know, I think essays are pretty good at at doing that as well. Are gauging customer and making some recommendations of, hey, I think someone would be really good for this
[00:57:40] Evan Francen: on from an analysis perspective to, you know, it can get personal, you parse much heart and soul in time and energy into our work, right? I mean we genuinely care about the people we serve and uh, to be told by somebody that you serve that they don’t like you well, you know, I don’t think or whatever. Yeah, but it comes off that way. That’s the way you feel it. Yeah,
[00:58:04] Brad Nigh: I don’t know. Yeah, I can totally see that personally. I, it’s like, okay, I get it. I know that and usually, you know to like, you can tell if it’s not, not going to be, if it’s not going well. But yeah, I can see that
[00:58:20] Evan Francen: one. Yeah, but your devices by not taking it personal and for every one company that It doesn’t fit. There’s probably 500 that do so just you know well and stuff and keep going
[00:58:38] Brad Nigh: well. It’s like any relationship right? You’re not going to get along with everyone. It just is the reality right? You can do your back.
[00:58:46] Evan Francen: Yeah. I’m betting like 20% I think One out of five can I dig you know working with me? So that’s pretty good.
[00:58:56] Brad Nigh: Yeah, I’m going to get a little higher than that.
[00:59:01] Evan Francen: Yeah. Maybe 1.5 out of five. Alright. News.
[00:59:05] Brad Nigh: Yeah. Yeah. So I said you,
[00:59:08] Evan Francen: let’s talk by the way man, I really enjoyed talking with you. It’s always fun.
[00:59:13] Brad Nigh: I think we’ve got it’s been it’s more fun when we go a little bit more unstructured and just let it happen. Yeah. Um So the first one I sent last week um suspected chinese Hector’s used solar winds bug to spy on us payroll agency. This is all for Reuters. Um And it was a different mhm. Let’s see. Is it different software flaw than what the Russian government operatives are using or we’re using. So I mean pretty brutal for solar winds. O Ryan. Uh Right. Yeah. I think I think Okay the problem is uh huh. Not necessarily with polar winds itself in terms of like maybe they had well they I’m not going to defend them but just the fact that they’re so prevalent um they become as an incredibly high value target,
[01:00:17] Evan Francen: right? Uh hindsight is hindsight is 2020, you know, obviously, but you just, I just wish they would have, you know, knowing some of the things they know now then because I don’t think there’s any, you know malicious intent by solar winds. I mean it’s easy, you know vilify them but you know, they were doing the best they could. I’m sure it cut him more by surprise than anybody else. But the birthday sort of I guess concerns me is you know the United States and china and Russia and Israel and great Britain and Canada and north Korea we are at war. Mhm. You know the chinese government is not our friend
[01:01:11] Brad Nigh: period. No.
[01:01:13] Evan Francen: Mhm. And I know in a politically correct world we really really really want to be friends. No we’re not.
[01:01:22] Brad Nigh: Well I mean the reality is it’s not any different than what has been the case with, you know spying and stuff like that. It’s just how it’s being done. It’s changed
[01:01:35] Evan Francen: right? Well, you know the Cold War when when you know with Russia and get a little bit of china, you know the Cold War, we were much more skeptical of things from Russian origin and we’re a little more protective of ourselves and our things that we consume in terms of electronics and information but hey we just seem to be so really really and just blow this stuff off like these were chinese hackers state sponsored in our governments, you know, some of the most sensitive places of our government.
[01:02:12] Brad Nigh: Mhm Yeah, yeah, this is, it was the National Finance Center. So the federal payroll agency and department side, the Department of Agriculture was among the affected organizations. So you now have, you know, potentially very some sensitive information on a lot of government employees. Yeah,
[01:02:37] Evan Francen: They serve 160 agencies and 600,000 federal employees. It’s nuts.
[01:02:46] Brad Nigh: Yeah, they are separate and distinctly different operations. So that’s crazy.
[01:02:53] Evan Francen: And so with solar winds just to recap involvement by cool the chinese and the Russians have both been implicated in maybe not the same attack, but you know that they coordinate. I mean it’s no coincidence that they were both in using flaws or whatever quota Ryan
[01:03:15] Brad Nigh: it was, it’s, you know, this is kind of like, well what are they doing to each other that they both knew about this stuff right there, both infiltrating, it’s like just, yeah Jack,
[01:03:25] Evan Francen: we share intelligence with our allies and we share intelligence with Canada with great Britain with Israel, they share intelligence with each other.
[01:03:33] Brad Nigh: Yeah, so scary. This is just going to continue. It’s gonna be multiple four, we know everything.
[01:03:40] Evan Francen: It’s funny chris roberts on thursday’s show he brought up, you know, we were talking about this a little bit and he said, well the United States is doing it too. I said, yeah, but I’m on that
[01:03:54] Brad Nigh: team,
[01:03:56] Evan Francen: I don’t care if my teams winning, I don’t want the other team to win.
[01:04:00] Brad Nigh: Yeah so yeah uh you can do uh Second article we had was from the register U. S. Court system ditches electronic filing goes paper only for sensitive documents following the solar wind attack. So in this my lawyer is required to hand in dead tree copies. No seriously. Um But yeah the U. S. Court system has banned electronic submission of legal documents in sensitive cases out of concern that Russian hackers have compromised the filing system. So any document that contains information that is likely to be of interest to the Intelligence service of A. Four foreign government has to be physically printed out and provided in physical format.
[01:04:44] Evan Francen: So like I like it I uh if I like it because lawyers are involved too and I know how much they hate anything that’s inconvenient, you know because nobody’s time is more valuable than a lawyer’s time. So I kind of like that even if they’re going to give it to clerks and everything to do with that stuff. But uh yeah it’s definitely more secure.
[01:05:07] Brad Nigh: It read something I have to go back and find it uh if I’m remembering correctly that some of the german government has gone back to typewriters for some of the more super sensitive stuff like nope you’re going to type some of these types of things up. It’s offline, it’s mechanical, It’s not electronic.
[01:05:27] Evan Francen: Yeah. I’m the more I’ve, the longer I’ve been in security, the more I appreciate the simple things and the analog, you know, doing things the manual way we have adopt all these technologies all the time in the name of convenience, in the name of making our lives easier and it just hasn’t, man. I mean my life is more chaotic than it’s ever been, you know?
[01:05:55] Brad Nigh: Yeah. Last one is when you sent over which I hadn’t seen, which is uh incredibly scary is from BBC uh hacker tries to poison water supply of florida city. This happened in Baltimore florida and if they got access to a uh computer remotely and tried to increase the amount of sodium hydroxide which is lie in the treatment system, luckily a worker spotted it and reversed it, you know, basically immediately. But why, why is that system remotely accessible? It was the first thing I thought of. Mhm.
[01:06:40] Evan Francen: Yeah, I mean, think about the catastrophic. I mean, it could have been much, I don’t know how many people would have really died. But there have been many people get sick from drinking that water and it could cause widespread panic too. Right. I mean, people would maybe stopped drinking tap water altogether and go to bottled water. So you have a rush on bottled water. We’ve seen what’s happened with, you know, Covid and kind of the the mass hysteria associated with that. This is a big deal, man, because it could have very easily gone undetected the fact that the attacker was basically using some sort of remote access software, I’m guessing because the operator who was there at the time saw the mouse moving on the screen and that’s what alerted them to like what the hell is going
[01:07:35] Brad Nigh: on? If
[01:07:37] Evan Francen: he would have been sitting there or if the attacker would have used something non gooey related, right? Yeah, we would have known and they would have gone off successfully,
[01:07:48] Brad Nigh: yep. Yeah. One and the problem is, is, and they do mention it in here is you’ve got basically your utilities are running on out of date, you know, skated systems with no redundancy. So, you know, it’s like good, well, we can’t take it down because it’s critical infrastructure. Okay, well, what are you gonna do, excuse me, when this happens or it gets ransom because you didn’t catch it isn’t? Yeah,
[01:08:21] Evan Francen: that’s where that’s where it’s such an illogical argument. Would you rather have a planned outage for you to implement some redundancy into the system and patch it? So it makes it much more yeah, service a gap or so you want to planned outage? Do you want an unplanned outage, Right? Because if you don’t do something about this, you’re going to have an unplanned outage and if that’s your choice. Well then let’s go take a look at your incident response plan and all that other shit because you’re gonna need it sooner rather than later, right? It stopped building crap without redundancy and stop building crap with my gosh, Really?
[01:09:01] Brad Nigh: Yeah, Well, and probably the alliance were built so long ago that it wasn’t right considering
[01:09:10] Evan Francen: let them are running XP or MTs since mentee. So there was, there was redundancy and yeah,
[01:09:19] Brad Nigh: it wasn’t a consideration with built, that wasn’t something people were really were thinking about.
[01:09:27] Evan Francen: Yeah, I guess obviously.
[01:09:29] Brad Nigh: Yeah. All right. Well, good conversation That is for episode 1 18. Thank you. Evan got any shout outs?
[01:09:38] Evan Francen: I got a shout out for uh yeah, I do, let me give a shout out for our tenants, I don’t know at Nasa anastos development leads the development on the security studio side. We had our meeting this morning at 4:30 a.m. Central and he went through a nice laundry list of things that team is just running at full steam. So
[01:10:02] Brad Nigh: I’ve been impressed with the progress that they made, we’ve been, you know, been more involved in the last year really and just leaps and bounds and just how responsive he is to request and stuff. So yeah, I agree that um, I think from my shout out, I’m gonna go with teachers and educators just based on the experience that I’ve had with my kids and their teachers that, you know, with all the e learning and now the transition back and they’ve just been phenomenal and very flexible and understanding of kind of how difficult this is for the kids and try to make it as positive and experiences it can be and I know it’s tough on on them as well
[01:10:47] Evan Francen: so yeah, I’ll definitely second that man. I agree.
[01:10:51] Brad Nigh: All right. Uh, thank you to all our listeners, send us things by email at un security at proton mail dot com. We have seen several emails come in, your social type socialize with us on twitter. I’m @BradNigh and Evan is @EvanFrancen and lastly, be sure to follow security studio @StudioSecurity and FRSecure @FRSecure for more things. Uh, they’re constantly pumping out really, really good content way more than I do. Yeah, that’s it. And we’ll talk to you all next week.