Cyber Attacks on Healthcare

Unsecurity Podcast

The UNSECURITY Podcast welcomes special guest Tony Alsleben this week. Tony is the head of security for CentraCare. With Brad and Evan, Tony discusses his career and current role, what being a CISO (and similar positions) in healthcare is like, cyber attacks on healthcare, some of the industry’s biggest security challenges, and advice for healthcare security colleagues. The three of them also touch on the vCISO Handbook, the CISSP Mentor Program, and some industry news. Give this episode a listen or watch, and send comments, questions, and feedback to

Podcast Transcription:

[00:00:22] Brad Nigh: Good morning and welcome to another episode of the UNSECURITY Podcast. This is episode 120; the date is February 23rd, 2021. I’m your host, Brad Nigh, and joining me as always is my good friend and co-host Evan Francen. Evan, how are you doing?

[00:00:37] Evan Francen: I’m doing well man. I think it’s Tuesday already.

[00:00:41] Brad Nigh: Uh, it’s already the end of February, shit.

[00:00:45] Evan Francen: I was on a call late last night till about midnight and I was like, holy crap, this is just Monday. Uh huh. Yeah, I’m really ready for a nap. Yeah.

[00:00:56] Brad Nigh: Yeah. And I’m gonna guess you have a full day meeting, so that’s not going to be something that happens.

[00:01:03] Evan Francen: Yeah, I had a meeting at 4:30 this morning and I actually, and I postponed it because it’s like there’s no way of making it.

[00:01:10] Brad Nigh: Yeah, yep. Yeah, he catches up to you.

[00:01:16] Evan Francen: It sure does man. How you doing

[00:01:18] Brad Nigh: overall? Pretty good, pretty good. Working on that. I, our maturity assessment. Really happy with how that’s going. Hello. It does give me a whole new level of respect around all the work that went into us to try to figure out weightings and scoring and how it’s all laid out and I probably reorganized it. I don’t know 10 times as I’m working through it. Yeah, we did the first one, we was just gonna dump everything and then organized the first time and then we went through it and actually did the assessment on ourselves and was like, oh yeah, no, we ask things, these questions that were true false instead of just saying statements way to go through and rewrite and rewrite every control, which wasn’t bad. But it just changes the tense right

[00:02:09] Evan Francen: right

[00:02:10] Brad Nigh: there. And it’s instead of saying like, is there this, there is a whatever and uh, yeah, organizing it and then working through this, the weighting and it’s rolling up, going to shoot, I need to do this here and do this. And uh, Yeah, whole new level for where that as two is.

[00:02:33] Evan Francen: Well, it’s funny because I don’t work in that, you know, every day it was different when I was in it every day. So when you reached out to me last week and asked me how the math works, I was like, crap. I can’t remember all of it. So, you know, I had to dig in? And I’m like, yeah, okay, here it is. And yeah, once in a while, you know, you’re looking, uh, you kind of surprised yourself like how the hell did I get there?

[00:02:58] Brad Nigh: Yeah.

[00:02:59] Evan Francen: But uh, yeah, I’m excited that, you know, we’re working on Revision three of the best words. Yeah, yeah, that’ll be a lot of fun because, you know, up until now it’s, there’s been little sprinkles of, you know, I think helping content and things like that. But now the teams always stepped up taking ownership. I mean last week, Megan, you know, emailed me with the, you know, the s to audit, you know, piece that was really, really cool. I’m excited to look at that. And I saw your follow up.

[00:03:31] Brad Nigh: Yeah, I think I would make it so much easier to get in the tool.

[00:03:37] Evan Francen: Right, Who’s this other guy? What the hell is he

[00:03:40] Brad Nigh: doing? Some some guy with another beard?

[00:03:44] Evan Francen: Yeah. Who is he going to work out? He’s going to work out a little bit.

[00:03:48] Tony Alsleben: Yeah. Shave it too often.

[00:03:50] Brad Nigh: He keeps it clean. So yeah, this is uh told me, Oh, as well been like, how do you say your last name? I’m sorry If

[00:03:58] Tony Alsleben: my wife was here, she would phonetically spell it out for you all slay Ben. I’ll save it. Ok.

[00:04:04] Brad Nigh: We’ve talked, I don’t know how many times and I don’t think I’ve ever had to say your last name before. So I apologize.

[00:04:11] Evan Francen: I have to play back that audio. I’m gonna start,

[00:04:14] Brad Nigh: Oh no,

[00:04:16] Evan Francen: I’m gonna start calling him that.

[00:04:18] Brad Nigh: So Tony is the CISO for CentraCare, which is one of the larger integrated health systems here in Minnesota. So welcome, Tony. How are you doing?

[00:04:30] Tony Alsleben: I’m good. And uh, the first thing we should probably cover is my title is not CISO, so I noticed in the notes we have in a few places. I do the job of the CISO. I am head of security for CentraCare. Um, CentraCare does cover about 50% of rural healthcare in Minnesota. So we also, um, Carris Health is part of our organization. Carris Health just started a new hospital down in Redwood Falls this week, just opened the doors on it. So brand new facility down there. Pretty cool. Um and then you know the thing about that some of the notes I see you have here. I mean those are our facilities we provide um the EMR electronic medical record for a lot of other facilities in rural Minnesota. So we have other other locations like in Alexandria where they use Epic. Um and we supply that to them. So I mean they’re considered affiliates of ours. So you know, there’s a lot, a lot to worry about when it comes to not just our data and our patients, but I think there’s something like almost, I think we’re just under a million lives that we’re responsible for in the state of Minnesota, wow,

[00:05:44] Brad Nigh: no pressure.

[00:05:46] Tony Alsleben: Yeah, no pressure is all right.

[00:05:48] Evan Francen: You took time out to come hang out with us.

[00:05:51] Tony Alsleben: Of course. Any time every

[00:05:54] Evan Francen: day. Well, okay and how many employees in CentraCare roughly?

[00:06:00] Tony Alsleben: So CentraCare has right around 13.5, 14,000 employees. Um, when you look at our Active Directory structure with all the facilities that we have, we have almost 30,000 users. So I know Brad probably remembers that we were giving you guys some headaches when we were, um, doing the AD health check because of the number of users that had to turn through the number of pieces of equipment we have.

[00:06:29] Brad Nigh: Yeah, it was choking up on some of the share brandishes because there were so many users that they had to try and turn through. Yeah, we got to figure that out.

[00:06:43] Evan Francen: That’s right. So big health care. And so you said your title is not officially CISO, what is your title?

[00:06:50] Tony Alsleben: Senior Director Information Services. Okay.

[00:06:56] Evan Francen: So you don’t have security in your title, but yeah, you’re responsible.

[00:06:59] Tony Alsleben: Uh well, wait Senior Director Information Security.

[00:07:03] Evan Francen: Okay. Okay. Sorry. It’s the saving. How would I know,

[00:07:08] Tony Alsleben: you know, the title of our group is information services. And how often do you have to tell somebody this is this is what I am. This is what I do.

[00:07:18] Brad Nigh: So funny we were talking because they uh here we realigned and kind of give people better titles that are more accurate and internally it’s like whatever. I don’t care. All right. Everybody knows what everyone does, but you know, it’s it’s that external piece. So yeah, I get get where you’re coming from. I was like, yeah, what is it?

[00:07:42] Tony Alsleben: Well, some people get really hung up on titles and I don’t so much right. Like I know my job, I know what I have to do. Um for me, it’s not, I’m at a point in my career, it’s not about what they pay me. I mean, hopefully my boss doesn’t listen to this, but you know, it’s it’s money is just putting food on the table and supporting the family, Right? Evan? I know I’ve heard you say this before, but my somehow work is just an extension of who I am, right. Like, I love this thing I do. Um and every day I get up and I don’t really look at this like work. So even now with Covid, right? Like I come down here early in the morning and get on probably my best hours early in the morning when I’m all by myself just pounding away at this stuff. So it’s good.

[00:08:32] Brad Nigh: Yeah, I’m with you.

[00:08:33] Evan Francen: It is kind of, I mean, it is such a privilege and an honor to do what we do for a living. And I think we lose sight of that sometimes, if you don’t feel, you know, if you don’t feel some semblance of what you just described, maybe you’re not doing the right thing. You know, I mean, because you think about, like in your job Tony, you mentioned a million lives, but you’re making decisions about information that isn’t yours, but has the ability to affect a million different people. Uh and they don’t even know that, right? You do this job thankless job, you feel the weight, but we love it. Right,

[00:09:14] Brad Nigh: yep, it’s one of those jobs where, you know, it’s like, well, what are they doing unless something goes wrong? And it’s like, what were you doing? So, you know, there’s very little, a lot of times there’s very little praise about it or, you know, appreciation, but if anything goes wrong, man, you’re right in the firing line there. Mhm.

[00:09:38] Evan Francen: Well, at least in 2021, it’s it’s it’s a it’s in vogue to blame other people. So, you know, you have that on your side.

[00:09:47] Tony Alsleben: Yeah, I don’t do

[00:09:47] Evan Francen: that, because when you look at your face,

[00:09:51] Brad Nigh: mm

[00:09:53] Tony Alsleben: So no one of my golden rules for my kids is own it. And I hate excuses. So, I mean, if you’re going to pass the buck somewhere else, it’s not the right thing. So, and we can’t fix things if we’re not going to actually focus on the problems and what the issue is. So you’re not going to get very far with security, if you’re just trying to pass the buck and make it somebody else’s fault.

[00:10:16] Brad Nigh: Yeah, very true.

[00:10:17] Evan Francen: Well, that’s so for our listeners, I mean, that’s a great tip. Right? I mean, that’s a really good thing to have as a CISO or as a senior director of information security, is that like, no, the buck stops here, I make decisions, not because I’m authoritarian, but because somebody has to be accountable for this. Mhm.

[00:10:38] Brad Nigh: Yeah and always you know if something goes wrong, don’t just go and say well what are you gonna do? Try and figure out a solution and say, hey this happened, here’s what we gotta do to fix it. Yeah, like all too often it’s yeah, like you said the blame game of this happened that it’s so and so’s fault or whatever. Yeah.

[00:11:00] Evan Francen: Yeah. Yeah. Master Tony. How did how did you get to become you?

[00:11:05] Tony Alsleben: How did I get to become me? Yeah, we only have an hour. Right. Right.

[00:11:13] Evan Francen: Yeah. Oh, meaning like like in your position, how did you get to become one of the questions we get, I don’t know, Brad, you get a lot too is how how do you become a CISO? How do you become somebody who’s in charge of information security for a 14,000-employee company?

[00:11:34] Tony Alsleben: Yeah, well not very many people are going to have the path that I had to get here because my job prior to this one was Chief Information Officer. So you know to some people that would be a step backwards for me it was a lateral move, right? Um However, I am going to say that I in my IT career. So I’ve been in IT I think roughly 22 years now and in about 12 years of that it’s been in management mostly in health care management, right? So but I started at the bottom I started on the help desk like any other IT guy right taking calls, working night shift doing the things that led to being a sysadmin. Um You know I used to make the images that we put on computers and deploy them and package the software and you know I did all the stuff that you have to do to put your chops in. So um I was even an internal auditor once upon a time which is what really kind of some days helps me with this security thing, right? Yeah. And the reason it was kind of funny because the first time I dabbled in this when I was an internal audit um the thing that drove me nuts is that I found issues but I couldn’t fix them. I presented them and they did exactly what we do right? Like they either mitigate it or they accept the risk and they move on and it drove me nuts when they would say yeah we’re going to accept the risk on that one. And I’m like but but but I just I just showed you this thing here like you need to fix this. It’s really important. I spent all this time. Yeah no it’s not that big a deal to us so that I was like all right, I can’t do this anymore. I need to go back to you fixing things right? And now I’m at a different point in my life right? Like there’s there uh probably after going back to school and getting my Master’s degree and you know, that probably helped a lot with the business acumen side of it that you understand the business side of accepting risk. Right? 
And so that’s really at the end of the day, even though we’re covering a million lives, right? We’re running a business, right? And there’s certain things that business has to do to stay afloat and some of those things are things people just don’t, I understand right? When they see you do something and they’re like, what do you, what do you mean you’re doing that? Well I’m sorry, but this is what we have to do to stay afloat and to be able to continue to care for people. So um at any rate, so that that was kind of ultimately um A lot of my time was spent manufacturing. I used to work for Hutchinson Technology Incorporated 14 years. Um I spent most of my tech life at the beginning there and then ended up Glencoe Regional Health Services as their IT Director from there, I went to Affiliated Community Medical Centers where I became the Ceo and we merged with Rice Hospital to create Carris Health which was purchased by, merged into CentraCare. Um And you know, you know how integration goes right? Like we only need one CIO ultimately, you know, work with Amy poor, Well who’s my boss, CIO of CentraCare. She’s a huge job. Um And the security role at CentraCare hadn’t been filled in a long time and they needed somebody to step up and say they do it. And I’m like and I was kind of looking at how we were going to go about filling it and we were going to grab somebody from inside potentially because we weren’t able to find the right candidate externally. And I was like, you know what, I can do that job, I’ll do it and you know, I’m so happy that I did because it’s it’s great. Um One of my favorite things is leading people and to watch these people who have kind of known where they wanted things to go for a long time. Um You know, kind of rally behind me as a as a new leader and be like yeah yeah finally we’re going to do some of this stuff. Yeah. We’re going to turn on PowerShell logging, we wanted to do that years ago, right? 
Like it’s just that’s that’s kind of some of the fun stuff. But you see it the hard part about it is a lot of the things that we need to work on. They’ve been harping on people for so long that they’re kind of deflated, right? And like I’m just another guy, the next guy to tell them we’re going to do it. And so at this point I think they’re like yeah, I don’t really think he can get it done. So it’s all about getting it done now. Right? Yeah.

[00:16:17] Brad Nigh: That’s that’s a fun challenge race because they’ve been hearing it. And then now if you get to actually get it done, it’s a pretty nice feather in your cap.

[00:16:26] Tony Alsleben: Yeah, it is. But you know,

[00:16:30] Evan Francen: well, selfishly Tony. I’m glad you took the job too. Because that was about the same time we reached out to me. You know what I mean? And we have these early morning coffees because uh yeah. And then I think we fostered it really, in my opinion, really solid friendship, you know, from, because the first time we met was way back when you were in Glencoe. And that was what, eight years ago? nine years ago? I mean, that was wild.

[00:16:52] Tony Alsleben: Hank. It might have been almost 11 years ago. It was right when you were starting FRSecure and you and Kevin and Steve rolled into my office together at that point.

[00:17:02] Evan Francen: Yeah. Early days, man. It’s good stuff.

[00:17:06] Tony Alsleben: Yeah. I was thinking about that too. It’s almost exactly a year since I reached out to you and you and I started uh started having coffee and talking again. And then it seems like it seems like years ago and already everything that we did in the last year, even with Covid. Yeah.

[00:17:30] Evan Francen: Yeah. Good memories, man. I love it. And I and as an added bonus, the fact that you like to ride motorcycles. It’s like security guy who lost to ride motorcycles. Yeah, sign me up.

[00:17:41] Brad Nigh: Mhm.

[00:17:43] Tony Alsleben: Yeah, I can’t wait. I was just in the shed last night working actually. I was I downloaded 3-4 of your last podcast and I threw him on in the shed. And I was listening to those while I was working on stuff. But I was looking at the bike going And 30 days, 30 days and we’re gonna be out riding. Maybe

[00:18:02] Brad Nigh: hopefully

[00:18:03] Evan Francen: you have to get brad on a bike support.

[00:18:07] Brad Nigh: You know, I’ve ridden in the past, and uh you know, in Virginia, you have to get a specific motorcycle license and go through a you have to go through a state uh drivers class on a motorcycle. And gave me was like, no, because she was, I think she was probably pregnant with happier, I don’t remember. And that she was like, nope, you’re not riding was like, all right, fine, that’s not a fight. I’m well, you know, pick your

[00:18:38] Evan Francen: battles.

[00:18:40] Tony Alsleben: You’re a wise man. I didn’t think I’d ever probably ride again. Um when my kids were little, my my wife, I think I had gotten rid of my bike before I met her and I’ve hadn’t have old cars, right. So I’ve had this one old car since before I met her too. And where there was always this agreement between us. You can keep the old cars. We’re not going to have any motorcycles. Well, about two years ago that broke down. I was like, gosh, I’d really like to get a bike and she let me get a bike. And then she got on the bike with me. I never thought she would ride with me. So

[00:19:17] Brad Nigh: that’s cool. Yeah. Maybe when the kids are older is yeah, this is in kindergarten now. So yeah, it’ll be a little while, but maybe right. Yeah. Anyway, um So You mentioned you spent, it won’t roughly what, 10, 12 years in health care where security gone in the, in that time? Where was it when you started? Where, where do you see it now? What are some of the challenges have they changed?

[00:19:51] Tony Alsleben: uh so that’s a loaded question for me because I often, so if I if I look back to 2009 was my transition out of manufacturing and into health care. Right? And I distinctly remember it because, you know, having been an internal auditor, having been somebody who got to understand inside and out what Sarbanes Oxley was and how it drove the auditing and what you had to do as a public traded company when it came to audits And every year you were audited, then take that guy who’s been working in that environment and drop them in health care and go like, so when are they coming to audit us? Oh, um never.

[00:20:38] Brad Nigh: Great.

[00:20:39] Evan Francen: It’s

[00:20:41] Tony Alsleben: on your shoulders to do the right things all the time and don’t screw up because when we screw up, that’s when the auditors show up, they’ll come and look after you’ve actually done something wrong after somebody’s information has gotten out there. So from my perspective, yeah, I still don’t see that having changed a lot, right? Like, so some of these things that have been out in the news, right? The big breaches, the things that have happened that has brought an awareness to it, but I still don’t think our federal government is that much better at auditing, right? Like we still only do it and we still only show up when something’s happened. And I shouldn’t say that either because there are cases where they’re going to come out and just generally audit you and I’m sure we’ve just been lucky, but you know, I think the problem too often in health care is we feel like we don’t need to do anything until something’s happened and even getting funding makes it hard to do that right? Like the other day I was like, we need to, we need to lock down our VPN tunnel more right? When you transition from one network to the next, it shouldn’t just auto join back and leave the VPN tunnel in place. Right? And they’re like, well why has it gotta change? Nothing’s happened when, when have we ever had a laptop stolen? I don’t know. The thieves didn’t call me up and tell me they stole it.

[00:21:59] Evan Francen: Right. Right.

[00:22:01] Tony Alsleben: You know? So I think the answer to your question, Brad, is some of that um some of those things haven’t changed. Um However, one of the biggest things I saw it happen this last year is that healthcare scare we had, right? Like there’s this ransomware that’s going to shut everything down in however many days and Evan and I, we were going back and forth on this thing, right? Like, hey, there’s this thing I hear it’s out there just ahead, blah, blah, blah. And so there’s like, it’s like you think Armageddon is about to happen and it never does, right? But it allows people like FRSecure companies. Finally, you guys are being heard right? Like what are the things you should do? So we’ll do the basics, right? Air gap your backups, um, you know, do you know where all your assets are visibility and control, right? Can you see it? So, and that’s and I know one of your questions for me too, Brad, is what, what’s one of the greatest challenges and that’s it? Right. Right. Right now for me is seeing everything right and probably our biggest offenders, some of our medical devices, those devices, the last thing you want is for a bad actor to take over a CT scanning machine or an MRI while you’ve got a patient in there or something like that. Right. Well,

[00:23:24] Brad Nigh: and I can speak from experience when the DEF CON last year. One of the things was the Biohacking Village that we did which was hacking medical devices and it was disturbingly easy like I am in no means a, you know, a good pen tester and I was able to do things to, you know uh huh pumps and all this other stuff that it’s like, oh my God if somebody were to get in and do it, it wouldn’t take a whole lot for you know like Eric or one of those guys, they were crushing those things and it’s disturbing.

[00:24:02] Tony Alsleben: Well a lot of those things, they’re not, they don’t mean they’ll do the whole password password thing on there, right? I mean there was a Philips, there was one of the Philips vulnerability releases this last year, that that’s what it was, right, like you had to get a hold of them and have them change the password on your device because they come and set it up and then they just leave it as default.

[00:24:24] Brad Nigh: Mhm Yeah, that was one of the things that was that we did was like, hey here it is, it’s an open FTP to update or whatever it was and it literally was like default password for device. Yeah,

[00:24:40] Tony Alsleben: yep. And so one of the best things I saw this last year that I thought was really cool um that that they’re finally starting to think about it is, I can’t remember the name of the software right now at the top of my head but we have this new backup software that we’re installing right for for backing up all of our data from our arrays. And when they install that software and it goes through the setup it forces them to change the admin password So you can’t leave it as admin admin or admin 1234 whatever it is it’s just not possible for it to be left as standard anymore. And that stuff should have happened a long time ago right? Like people’s home routers should change the day they set it up

[00:25:23] Evan Francen: and that stuff is so easy to script you know as part of the setup.

[00:25:27] Brad Nigh: Oh yeah

[00:25:28] Evan Francen: you know your first log I mean you do that stuff all the time when you reset somebody’s log in you force them to change it right And that’s so easy and yeah just such an oversight for so many years.

[00:25:40] Brad Nigh: You know it’s crazy. You mentioned earlier about how the government isn’t auditing but it’s really around like in health care. That’s surprising because you do have the OCC and the FFIEC for banking that go out and you have, you know, FINRA and I can’t think of the insurance one. But you know having worked in those industries yet you have yeah leave every couple of years. They’re out. Healthcare is like well we’ll come drop the hammer on you after. It’s too late which is crazy.

[00:26:15] Evan Francen: Well those two yards went, started going down this path, right? Even went so far as to build an audit protocol and I don’t know how many it was. One of the big four accounting firms remember was a Pricewaterhouse. I don’t think you think PwC, they went out and actually audited 100 some odd entities and then develop the audit protocol and we’re thinking, okay, good, we’re kind of going down this path. Because I think a lot of CISOs would also like the guidance, right? Show me places where I can improve because maybe I don’t have um you know, CentraCare’s a large healthcare entity. There’s a lot of them that aren’t a lot of the rural hospitals don’t have any money. You know, they just, it’s always the government has to be healthier. It’s actually a good thing sometimes.

[00:27:03] Brad Nigh: Well, I mean, even for CentraCare, anyone getting an independent set of eyes on things because when you’re in there working day to day, it’s so easy to just, I kind of miss things, right? Because you’re, you just, they this is how it works and getting that third party to come in and say, hey, did you notice that you’re like, oh no, yeah, I should fix that. I mean, it’s very helpful.

[00:27:30] Evan Francen: Do you guys know why, I mean, I’ve never really actually dug in and and or heard why the OCR dropped, it was,

[00:27:39] Brad Nigh: It was right at the transition for the from the live in 2016 from the Obama to Trump. There was a, during that transition and just kind of went away.

[00:27:49] Evan Francen: Mhm. Because that’s how they operate today too. Right? It’s they only do investigations, they don’t do audits, they do investigations and when they come knocking, there’s two things that are guaranteed corrective action plan and some kind of monetary fine.

[00:28:04] Brad Nigh: Well you’re gonna have a bad day.

[00:28:08] Evan Francen: Right? Well and and it’s funny because I’ve talked and I’ve worked with enough hospitals or health care organizations to go through this if you want to reduce, you know the fine and make that corrective action plan is I think manageable as possible. Just be really nice.

[00:28:25] Tony Alsleben: Oh and comply.

[00:28:27] Brad Nigh: Yeah. Make the auditors life as easy as possible. That is always the rule no matter what.

[00:28:32] Evan Francen: So it doesn’t even come down to security like it’s just like yes sir. Yeah, let me go get that for you. Hold on. Yeah. You know, because I’ve seen it the other way too. I’ve seen people that have a lot of pride that you know, kind of stand up to the OCR, it doesn’t go well

[00:28:48] Brad Nigh: usually doesn’t when you yeah. Yeah auditors don’t tend to have a good sense of humor in my in my experience.

[00:28:57] Evan Francen: Well they have their own sense of humor. Just like lawyers, they have, I can never understand what that you can understand what they’re laughing at, you know, and I want to be so much of the group, you know especially when you’re working on like a big data breach but I feel like you’re like yeah man routine here and they make a joke and I have no idea what they’re all laughing, I have no idea what the hell they’re saying. But then I wanna be I wanna be part of the group so bad that I’ll see a joke that I thought was funny and they look at me like I’m an idiot

[00:29:25] Brad Nigh: who

[00:29:27] Tony Alsleben: invited this guy.

[00:29:28] Evan Francen: Yeah security guy put him in the corner somewhere.

[00:29:31] Brad Nigh: I’ve been there with the OCR auditors have made a joke that I thought was pretty good. They just dead silence you’re like oh okay

[00:29:42] Evan Francen: yeah I got to the bathroom, see you

[00:29:43] Brad Nigh: later. Yeah oh my phone’s ringing. Got to step out.

[00:29:48] Evan Francen: Yeah. Crazy man. So that is that the thing that keeps you up at night? Tony is it is it or is there anything I guess there may not be anything.

[00:29:58] Tony Alsleben: Yeah. You know you threw that question out there there isn’t I don’t have any problems sleeping. And I if anything keeps me up at night it’s because I fell asleep on the couch and I transition from one place to the next and I started thinking about my car and what I’ve I’ve got to do on that or work, you know? But however I did think about it right like so what’s my biggest concern and it’s that one hole we haven’t found, right. That that one thing, that device that’s not patched things that are currently out of my control, but that I need to find an answer to, right. And I think about this like just last week, um my endpoint guy was called me up and he was like, hey, I got this call and they want to set this new system up and they want access to it from the outside. And they’ve been, they’ve they’ve got 20 devices in our facility already. So it starts out like this colic, it’s this new thing, but oh, by the way, there’s already 20 of them out there, we’ve already punched 20 holes. And the reason why I’m calling you is it’s this IoT device and it’s a Windows based IoT device and they don’t turn automatic patching on on it. And so they basically patch it up to snuff and then they leave it and they walk away and they don’t patch it again until somebody calls and says they have to do something. And I’m like, and he’s like, and he’s calling me now because hey, finally we’ve got a security guy, so he’s like, hey, we don’t support that. Right? I’m like, yeah, I know, what do I tell them tell them it can’t be on our network. Well we don’t really have a policy that states that you’re right, we don’t really have a policy that states that, but we do have a policy that states that we patch stuff so we can hold them at least to our own standard. So well, you know, we can’t turn these devices off. I said I get it right. So we we need to work with them on what we’re gonna do. Well they want they want to continue to have remote access. 
Yeah, not happening. They’re going to go through SecureLink, right, like they’re going to then you get on the you get on the phone, the vendor and they’re like yeah yeah we have other places asking for this thing too, right. Well we’ll see if we can get SecureLink to work. We’re having issues. No, you can get SecureLink to work even if we have to just stand up an RDP station that you SecureLink into to connect to your devices, we can make it work so but it’s it’s really those things, right? So it starts with that and then you then you you look at supply chain, we all know the big supply chain issue, right? We do have SolarWinds internally. We’re lucky. And and my my uh one of my right hand guys would Justin would say, you know, I’m saying we got lucky. He goes well we think we got lucky because you don’t really ever know until you know right, but we didn’t install one of the bad patches, we don’t have any IOCs that we found internally, you know, we’ve done all the right things. We we locked down our SolarWinds environment. So it doesn’t have access to the internet. We’ve been staying on top of all the latest patches lately, but it really makes you look around and go, well, gee how are we evaluating those vendors who’s been looking at that? Right. And so right now I’m looking at, I just bought BitSight, we’re standing that up. Evan and I have talked about this. Um, I’m using S2Vendor, um, not not not hog wild yet, but I’ve been putting companies in S2Vendor and and I’m getting to the point where people are sending me a request when they get a new vendor and saying, hey, how can I get them in there? How can we send this to them? So, um but then it’s kind of using those two products hand in hand, right? Because S2Vendor is a self-assessment and it’s only as good as the word they give you and what they sign off on. So, you know, when, when I get an 850, it comes back and I’m like, really, you’re that good? Huh? 
Well, gosh, I’m so glad to be working with somebody. That’s perfect. Well, no, there,

[00:33:59] Evan Francen: you know, we’re going to do, I just thought of a marketing piece when when that integration gets completed, right? Because SecurityStudio’s like, we’re like the neutral party, right? We want to consume data from different places to give you a better picture. And uh the marketing piece is going to be vendors lie with the big stamp.

[00:34:20] Brad Nigh: I mean, everybody always gives himself

[00:34:22] Evan Francen: because there’s no way in hell you can tell me that you’ve got this stuff. Even if you say you didn’t understand the question.

[00:34:29] Brad Nigh: Well, yeah. What do you mean? You require domain admin to run your application.

[00:34:35] Tony Alsleben: My favorite was right. Like, so You send them the security suit and you guys know there’s like 400 questions in there, right? I sent one of those off and I got it back in an hour and a half and I’m like, hmm,

[00:34:49] Brad Nigh: I mean, I’m probably about as familiar with that as possible as anyone. And it still took me, I should probably 2.5 hours to go through it. Yeah. Mhm.

[00:35:03] Evan Francen: Well, and you mentioned you’re not supply chain because you still have a blind spot too right? You have a blind spot. It wouldn’t do no matter what due diligence you did. You wouldn’t have caught the SolarWinds because it came in an authorized patch. How would you know, you don’t have the ability to check every single patch to see if there’s a back door in that patch. You can’t static code analysis. I mean as a consumer and as a CISO you’re stuck with, like there’s always that try, I have to take what I got,

[00:35:34] Tony Alsleben: you know? Yeah, there’s, there’s no way you would know. However, the interesting thing is that when you look at uh BitSight trends, these things and you look at their BitSight score, it fell off right about the time they got infected. So I mean really it kind of is measuring that some of their security awareness took a nosedive and when it did that made them susceptible. So if you’re watching some of that stuff, you can kind of have an indication, you know, if there’s, if there’s bad actors out there, the odds of them breaking down somebody who’s got good security versus somebody who’s got bad security are pretty good. So I have a have a close vendor. I’m not going to name their name on here, but I know Evan’s got a story with this vendor too, local vendor that we work really closely with and I dropped them in BitSight and their their security score just as of like this last month took a nose dive. So it’s got my ears perked and going, well man, what do we all have open to them? Right. And and it looks like some of their stuff took a nosedive because of some of the things they have hosted, but that’s even worse yet, right? Like these are things they’re hosting for other people. So um I I don’t know, I think some of those tools, I’m not into the blinky lights like Evan says often, but there are some tools that are out there that are, are pretty easy to stand up and start using right away. Right. Um, some of the things that you guys have, uh, things like BitSight where you know, you stand it up and you can feed in a whole bunch of vendors and you can look at a cross section of them today. So I mean I support stuff like that and not only that, but I think they’re getting some of their pricing model figured out, right. And it’s not so expensive. There’s other things that we have to do that are really expensive, but that still doesn’t mean we don’t do them.

[00:37:25] Evan Francen: So when I think the point is, is as a CISO you recognize where you still have those gaps and then you devise mitigating controls, right? This has never been like one thing solves everything. It’s where I’ve still got a gap is because you mentioned IOCs right. You mentioned IOCs so in a there’s always some sort of signature. So in the SolarWinds attack there was a call home, right? There were beginning things happening. How many organizations have their egress filtering worth a crap.

[00:37:55] Brad Nigh: Very little.

[00:37:56] Evan Francen: Right? So if you really truly understood your environment really well and I know that this is where you’re going, I would know my data flows, I would know what’s legitimate traffic and what’s not legitimate traffic. So if I see something because it could even happen in a 14,000 complex environment like yours, you can get to understand how things are supposed to be working and you see those beacons, that would be a red flag. Right? And that is unusual because you haven’t seen it before. Mhm. So I didn’t get into that point is it’s Nirvana, but that’s the, I would assume that’s the goal.

[00:38:30] Tony Alsleben: Well, and that’s where like one of the other things because there’s a lot of things like you said, you can’t, there’s so many things, which one do I pick on any given day? Which one? All these balls in the air? Which one am I grabbing today? Right. And so you stand around and looking and we use Infoblox for our DNS. And so Infoblox has a product that is there, it’s DNS security. Right? So, enhanced DNS security, we are currently POC-ing that. And realistically that does exactly what you’re talking about Evan, right? Like they’re watching um what’s going on out there? If it’s a newly created domain, it’ll sinkhole it right now, just because it’s not seeing it out there before, until we can authorize it. Right? So it’s not zero trust. Um but you know, it’s it’s getting one step closer to just not like trust, then verify. So um uh at any rate right now and those tools, they’re not, you know, you, there is no tool, you just buy it and stand it up. Right? So that’s part of the proof of concept right now. What do you mean? We’ve got all these logs to look through yet. What do you mean? And then and then you’ve got stuff like the whole DoH and DoT stuff going on where it can go straight out through that app and completely bypass your internal DNS. So um you know first you’re thinking you’re going to buy this tool and then you’ll be sitting pretty but it’s not really the case right now we’ve got stuff we’ve got to do on our Check Point firewall and we’ve got to figure out how to break down that um that encryption, look inside that packet and stop that DoH traffic and bot traffic and send it back through the internal DNS. So really that that’s the type of stuff right now I’m trying to stay focused on because how can I quickly protect all of these devices and it’s in the traffic, right? One of the if something gets in the first thing it does is call out right? 
That’s where we need to stop it, we need to stop it from talking and then we can find it and then we can kill it um that’s the best we can do right now as we’re getting everything else in order.

[00:40:44] Brad Nigh: Well you mentioned like you know, you’re not saying other blinky lights but there are good tools and I think that’s a really important part statement? Yeah, yeah. Don’t buy something just because it’s got a blinky light, but if you’re going to buy something, utilize it correctly and there are some really good tools out there. Yeah,

[00:41:06] Tony Alsleben: yep, true story. And and that’s the other great thing about my organization. They did make some investments and some tools that we haven’t fully and stood up yet, Right? But uh it’s just investigating which ones we keep, but you know, internally we uh we use Cisco, we’ve got Cisco’s ISE product, we haven’t fully installed it. Um you know, we need to get 802.1X stood up um because that’s important part of using ISE, we have Stealthwatch. So I mean we’ve got tools that we already own, we just need to get to a better capacity of utilizing them.

[00:41:40] Evan Francen: Uh Yeah, sure. Yeah. Well that’s one thing I think that makes you a good CISO, or director of information, I’m just gonna call you CISO, so if people get offended with that, it’s easier for me to say. And you serve the role anyway,

[00:41:55] Tony Alsleben: ah and you can do that. I just wanted to call it out so people don’t think I’m running around calling myself something, I’m not.

[00:42:02] Evan Francen: There you go, genuine. I love it. One of the things that a CISO is, is being able to put together this jigsaw puzzle, right? You’ve got all these different tools, all these different people, you know, your network infrastructure looks like this. How do you fit together the jigsaw puzzles that you started addressing those gaps. Being able to look and see a I’m missing a piece here and then go out and find the tool if you don’t have, you know what I mean? It’s just, it’s cool to watch you work through that because it’s, you know, at CentraCare, I think it’s been about a year.

[00:42:34] Tony Alsleben: Yeah. March 16 will be when I actually first came into the role. Yeah.

[00:42:40] Evan Francen: And you make tremendous progress just in our own conversations in that year. It’s really cool to see. Yeah. Yes patients. Well,

[00:42:52] Tony Alsleben: yeah, I think it’s, I think it’s going good right now. I’m working on um my strategy, right. What is, what is my strategy going forward and so kind of creating that roadmap um and truth be told. I mean the first thing I’ve got to focus on here, there’s some of the basics we need to nail first. Right. We need to do better at our asset management Already found out internally. We can’t continue to call it assets right. They want to use the ITIL term. It’s really the configured items we’re looking for, which is true, right. I mean that’s what we’re after in security is the configured items we don’t really care whether or not there’s an asset dollar value attached to it. So I mean realistically we need both. But its asset management data classification, I need that asset management to be able to do better vulnerability management really, vulnerability management is something we need to work on. But as I’ve been picking apart vulnerability management, you don’t have a really good vulnerability management program unless you’ve got good asset management. So and as part of that asset management program, data classification is going to be huge for us. So and especially being healthcare um how long does that data got to live? Um is it how is it classified? Right. Is it public information? Is it confidential information? Um is it financial information? So you know, we need to get that done. We have I’m going to say this tongue in cheek, we have a pretty good change management program and I say that because people are using it right? That’s part of the reason why we were able to track down whether or not we had a SolarWinds problem because um the version changes had been logged in our change management system and we were able to walk that back. Um However we don’t have a good change management policy that everybody follows to a T. Right. And so that’s kind of the next step, right? 
Is making sure everybody um knows the policy, making sure that policy aligns throughout all of IS and then maybe the greater organization after that. Um but those are kind of the things that are going to be on my strategy for the next year for the next three years.

[00:45:12] Evan Francen: it’s not cool. Mhm.

[00:45:14] Brad Nigh: I mean, yeah, it’s great to hear you mention those things and be aware of some of those uh maybe less mature areas and focusing on them because you’re you’re absolutely right, it all builds on itself. Mhm,

[00:45:33] Evan Francen: totally. Well speaking of hospitals, man, we got a whole bunch of, we don’t have to go through them all because I know that, you know, we’re getting short on time, but in the notes, you know, I just put that was just the last I did with google healthcare breach.

[00:45:49] Brad Nigh: Yeah, I’m sure

[00:45:52] Evan Francen: This is page one

[00:45:53] Brad Nigh: yeah, Mhm.

[00:45:56] Evan Francen: Page one in the news and the 427 that I alluded to, but you know, totally sort of alluded to it as well. It was last summer we had, you know, there was a series of events that took place, you know, I was called in on a breach, called myself on a three am I’m not, you know, your incident response plan, didn’t say to do that, but that’s what happened. So I get called into that and then we start a threat hunting exercise at another healthcare entity, You know, kind of in all of this and Brad, you know about that one. And then, you know, Brian Krebs calls and says, hey, you know, you don’t normally get calls from Brian Krebs and they don’t like calls from Brian Krebs, so We got on the phone with him and you know, found out 427 hospitals. They’re supposed to be hit next week. Maybe it’s like, oh shit, really? At the same time we got to get the word out. So, one, is it true? Right? True to this at all because we’re not going to cause panic if there’s not and two it is, we got to get the word out. So that whole thing led to this thing. But I think one of the things we learned in that is the health care sector. So there’s 16 critical infrastructure sectors in the United States as called out by President Obama back whenever he issued that directive and then on and on one of those sectors is health care. Another sector is water, right? We talked about the water hack, Oldsmar in Florida. Another one is dams, another one is on and on right. There’s 16 of them. One of the things that was painfully obvious in that 427, I just called the 427 because I still, I still might be bullshit. To be honest, I have no idea. But one of the things that really raised an alarm with me and and if there was something to keep me up and I sleep well. But if there’s something is the fact that if that had been true, if 427 hospitals had been hit at roughly the same time with ransomware, we would be screwed. 
This country does not have the ability to respond to that appropriately,

[00:48:06] Brad Nigh: You know? Yeah, 100%. Yeah.

[00:48:09] Evan Francen: So sorry, I got preaching there, that’s got to be fixed and so on. Another thing we are working on stuff like that because if, if Tony’s get, you know, getting hit with something earlier, let’s say, you know, there’s an incident response in Texas, but the hospital’s got hit by ransomware and they’re part of a something where there’s a better information sharing. I know we’ve got messy sack and all these other things, but those things aren’t effective because you don’t share IOCs on things that are happening right now. I would have no idea of knowing that this hospital in Texas is getting hit. But Tony would sure like to know because if his hospitals start to see some of those same FCS before something activates before it does cause potential death. Right? Good to know that shit. Since my language,

[00:48:57] Brad Nigh: you know, one of the, I think one of the try to be positive, one of the good things that did come out of this Orion breach is how open, you know, Microsoft and FireEye and all the more with the IOCs they were finding, hey, here’s what we’re seeing here is what to look for and hopefully that maybe it starts a new trend of being more public with some of these IOCs, it’s not like what’s the negative of saying, hey, here’s some hashes you should be looking for

[00:49:30] Evan Francen: right

[00:49:31] Tony Alsleben: Healthcare, they don’t do it though. I mean I just watched one of these things happen because we were helping somebody else through it. I’m not going to say too much about it but we couldn’t get the IOCs from them right? Even knowing that our infrastructure potentially was connected to this. They wouldn’t give up the IOCs. And why? Because the lawyers get involved and you can’t say too much and if you say too much then you might be telling them something you shouldn’t be telling them. And so even now you know later on you watch what things are going on from afar, they’re still having problems and you’re like so do you have forensic images? Can you hand them over? Can you give them to us so that we can do our own investigation? Well no we don’t have that for everything. You know? And how do you get you know, ultimately in the end they give you some, yeah we can see they were here and they were that and it was REvil and I mean but it’s two or three months later and you guys know as well as I do it’s all about time. It’s all about time. The faster you can do it, the quicker you can squash it.

[00:50:42] Brad Nigh: One of the interesting fallout from the Capitol was the Capital One and FireEye that they they got sued and or and they had to turn over their IR report because they had the same 11 of the interesting thoughts and that is now for incidents they don’t want reports.

[00:51:03] Evan Francen: No because they’re discoverable, yep.

[00:51:06] Brad Nigh: And we used to be you had to write up the whole they wanted a full report and knowing exactly what happened and now they’re like now just we’re good.

[00:51:14] Evan Francen: We see that used to be one of the things, you know it was there was always that debate who’s the first person you call in a breach right then you know some people would call the police. I still saw that. I mean one of these breaches here I think it was I don’t know maybe one of them the first call was the Sheriff’s department. No that’s not right. When I got when I got called in that breach that led to the you know uh understanding the 427 when I when I arrived on site, Department of Homeland Security was on the phone, the FBI was on the phone, the local sheriff’s department was there and another incident response firm was there and it was all just like chaos and so you walk in the room you like the hell is going on, what are you guys doing? What’s what’s the direction here? But one of the things that people would say and I still you know maybe is called your lawyer first and the reason why they would do that was so that you’d have attorney client privilege. So my discussions with the lawyer and they’re still protected. But the reports and things. The work products and things are not necessarily. So it changes things a little bit.

[00:52:28] Brad Nigh: I mean as a respondent makes our lives a lot easier because the report writing is the worst part.

[00:52:35] Evan Francen: Right? Yeah. Just just passed my to do the investigation. That’s the fun part.

[00:52:40] Brad Nigh: Right? I mean we still have all of our notes and you know still keep all that information but you don’t need me to organize it into a readable format that everyone can understand. Cool saves me 68 hours. Oh

[00:53:01] Tony Alsleben: yeah it looks like Evan frozen.

[00:53:04] Brad Nigh: He’s deep in thought.

[00:53:06] Tony Alsleben: Yeah at least in. Oh he’s back.

[00:53:11] Evan Francen: Yeah it’s my VPN. It always does that. Even at home I use the VPN. My iPhone security guy. What do I do? Yeah but the 427. So we talk about sharing IOCs. For anybody listening. There’s no really there’s no confidential information in an IOC. No there’s no intellectual property in an IOC. There’s no really incriminating evidence in an IOC. It’s an IOC.

[00:53:41] Brad Nigh: I mean even if there was a central repository where you can submit anonymously. There just isn’t anything really out there. I mean you’ve got like you know the VirusTotals and Hybrid Analysis and things like that. But you have to know what you’re looking for to see if it’s a problem

[00:53:59] Tony Alsleben: so I agree with you. I agree with you guys. The problem. But the crux of the issue there though is they they have to admit, right, they have to admit that this thing happened and here are the IOCs you need to look out for. And that’s the hardest thing is people just admitting it

[00:54:17] Evan Francen: and I’m okay. I mean I get that but we’re dealing with people’s lives and we need faster response. Right? So maybe you do something where you’ve got some immunity for sharing your IOCs right. IOCs specifically can’t be used to prosecute, whatever, whatever you have to do. But in health care we have a bunch of incident responders who are not qualified to do incident response. They’re not all doing incident response the same way, they’re not sharing information about the incident response. So health care as a sector is so fragmented and so screwed when it comes to one incident that affects a wide population, which by the way is the scariest thing for uh insurance companies to begin. Well, I’ve got cyber insurance. Great. That’s one way they gotta businesses when you have one event that affects the wide population. You

[00:55:08] Brad Nigh: know, interesting enough. I was talking with a healthcare customer last week and they had reached out to their insurance company around their cyber insurance and they go through one of the big players and they were told, yeah, we’re strongly considering just getting out of it and apparently that’s, that’s something that all the big ones are going, yeah, the supply chain thing is way worse than we could have expected were. It’s just we’re gonna lose our s gonna do it. Cyber insurance may become,

[00:55:42] Evan Francen: especially when you set the precedent, they’re just gonna pay these people that was, you know, in my little world, that’s okay. There might be a good decision, but in the big picture, that’s disastrous. But you know, that’s another thing that I think, you know, we can work on is how do we solve that problem? There is an insurance play here, but not the way they do it.

[00:56:02] Tony Alsleben: Well, and I was under the understanding that the FBI was telling people that you’re going to get in trouble if you pay money, right?

[00:56:10] Brad Nigh: We’re not incidents where the FBI came in and said, no, you cannot pay them. They’re a terrorist organization.

[00:56:16] Tony Alsleben: And that’s that’s the key right there Brad, Right? Um, we just out of a lawyer’s mouth the other day, right? If they’re not a deemed terrorist organization, if they’re not on the FBI’s list of terrorist organisations, well then it might be easier to pay them. So we’ll do that. Right? So I’m like, there’s this discrepancy why? So instead they’re a U.S. based terrorist organization. I mean, I don’t know. To me, it’s all the same thing,

[00:56:45] Brad Nigh: right?

[00:56:47] Evan Francen: But at the end of the and at the end of the day, you bring all this stuff back. It’s like the, the hospitals purpose is to serve the patients right to help people. And you’ve got all this other stuff that’s going on. It’s so distracting. It’s just anyway, I’m gonna preach smart. I don’t want to do it.

[00:57:04] Brad Nigh: So, uh, well yeah, Gosh, we’re now thank you Tony before because I know you have a hard stop here. So thank you very much for

[00:57:11] Tony Alsleben: joining change management meeting. Yeah.

[00:57:16] Brad Nigh: You sure you don’t want to say, oh, this this other one went wrong.

[00:57:19] Tony Alsleben: Yeah.

[00:57:22] Brad Nigh: Thank you very much. I appreciate you coming on and talking to us.

[00:57:27] Tony Alsleben: Sure. Anytime. Thanks for the invite.

[00:57:30] Evan Francen: It was a good talk. Yeah.

[00:57:33] Brad Nigh: Uh, so yeah, I know you have to drop that. You can stay as long as you want. But Evan, what’s going on with the vCISO Handbook?

[00:57:40] Evan Francen: Oh, this is so I’m like, yeah, we’ll be, we’ll be quick. You can get through this in six minutes.

[00:57:43] Brad Nigh: Oh yeah.

[00:57:45] Evan Francen: Well, one of the first of all, I appreciate your patience Brad. I’ve been pulled in like a whole bunch of different directions. I need to get back on that book. But we talked about, uh, you know how we’re gonna segment and how we’re going to break it up. And I think we’ve got some big players who might just insert some things into the book because I think they want to use it to set a standard for this is how vCISO stuff gets done. You know Tony has gotten part of that you know because I think CentraCare used to be you know vCISOs are like version one with uh you know FRSecure. Um There’s so much further to go than that, right? There’s so many more operational things, you know to drive a security program versus just be a resource. Right? Lots of different stuff that’s uh I’m really excited about that book but right now I need to get in the next four days I need to get to a point where I just hand stuff you know, here’s your here’s your chapter we talked about that. I just didn’t get that.

[00:58:46] Brad Nigh: I was glad to see you go. You said something about it, you’re running late because I was like what did I miss it? I miss his email were ok, good. Sorry we’ve all been super busy. I would honestly I haven’t had wouldn’t have had time to really do anything with it anyway with our three and yeah. CNN

[00:59:05] Evan Francen: C Yeah

[00:59:09] Brad Nigh: you

[00:59:10] Tony Alsleben: guys need somebody to do a read over of that from the shoes of somebody that needs that. Send it my way,

[00:59:17] Evan Francen: look at this. Uh huh. That’s cool. Right. Oh

[00:59:25] Brad Nigh: man. All right. Um Next thing registration for the CISSP Mentor Program. Go to our website last I heard yesterday morning we had almost 3500 people signed up like 3450 something I think.

[00:59:41] Evan Francen: So cool

[00:59:42] Tony Alsleben: so I better go sign up again quick even though I attended last year, uh I still haven’t taken my test. And so last year I was I meant to read the book before I got to the class and I didn’t make it through there. So I was thinking this year I might try and make it through the book one more time and then use it as a brush up before I take the test.

[01:00:03] Brad Nigh: Yeah, I think it’s a good approach.

[01:00:06] Evan Francen: Absolutely. And Heckman, you look close enough to me, you can just hang out with me, we’ll do it.

[01:00:12] Tony Alsleben: Absolutely.

[01:00:14] Evan Francen: Yeah, that’s 35 point. That’s crazy. So last year was 20 Last, little less than 2500. So

[01:00:21] Brad Nigh: 24th,

[01:00:22] Evan Francen: we’ve beaten the crap out of that and I think we’ll get over 5000. I haven’t really done much in terms of socializing other than maybe just a couple of posts here and there. But

[01:00:32] Brad Nigh: I mean, reality is we could possibly have more this year than the previous, But eight years combined. Mhm. Yeah. A little nerve racking. Uh but exciting.

[01:00:45] Evan Francen: Mhm.

[01:00:47] Brad Nigh: Yeah. Yeah. Go to frsecure.com and under I think it’s community, can sign up for the mentor program. Totally free

[01:00:57] Tony Alsleben: Evan, you’re a geek with numbers, I’d love to see what that looks like on a graph, right? Because you’re definitely almost doubling year Over year, right? Mhm. Yes, probably have. Is it charted

[01:01:07] Evan Francen: already?

[01:01:10] Brad Nigh: Okay. This will be my fourth year. The first year we had oh gosh, maybe 125 or so that I did it with you. We’ve gone from like 100 and we’ll say 100 and 50 to 3500 and four years. That’s a pretty significant growth.

[01:01:30] Evan Francen: Yeah. When there’s bigger plans ahead, man, I’ve been talking to some other nonprofits, there’s one out of San Diego I think uh this is a community thing, right? There will, there will probably probably be a time and we’ll just take the FRSecure name off of it, make it truly a community thing will always be that history and always be that tied to it. I want this to be perpetual. I want to do it year round and want others to come and teach and share.

[01:02:04] Brad Nigh: No, I mean it kind of goes in language kind of the FRSecure university thing that, you know, we’re with all the content that we’re putting out training, so yeah, getting others to help out would be awesome.

[01:02:19] Evan Francen: For sure man. Yeah.

[01:02:21] Brad Nigh: All right. Yeah. Uh you had a couple of news items I would say, you know,

[01:02:27] Evan Francen: there’s no news.

[01:02:28] Brad Nigh: Go read it on the blog.

[01:02:30] Evan Francen: There’s no news, nothing’s happening, you know, just keep your face, you know, right on the computer, you’ll be fine. Nothing else happening.

[01:02:39] Brad Nigh: So thank you again, Tony appreciate it and will definitely be interaction. You can be the first victim of reading reading a copy.

[01:02:51] Tony Alsleben: Absolutely send it my way, ma’am. And thank you guys,

[01:02:54] Evan Francen: Tony give me shout outs,

[01:02:56] Tony Alsleben: you know, I do and it’s going to be to my wife because I wouldn’t be the man I am today without my wife. So, um her name is Anna and I love her dearly. She she definitely has kept me on the straight and narrow, so that’s mine.

[01:03:16] Evan Francen: Very cool.

[01:03:17] Brad Nigh: I thought

[01:03:18] Evan Francen: you had a dog.

[01:03:19] Brad Nigh: It’s

[01:03:21] Evan Francen: yeah, I’m gonna give a shout out to my dog. She’s a sweetheart. I love her. That’s Violet that you’re outside my office door. She sits right here, right next, right behind me and uh yells at me regularly. But she’s kind of my co worker. Now

[01:03:38] Brad Nigh: we have a shepherd mix who shepherds. I don’t know if you know that they talked, they don’t, they bark, but they come up and they’re like and mine will come up and sas and talk back to you.

[01:03:51] Tony Alsleben: We have a Chesapeake and she she does, it’s more of a roof, right? She’ll like rue at you. And so especially if you can get her between two people show back into one person and she’ll start talking to the other person

[01:04:02] Brad Nigh: funny, I’ll just so goofy, I’ll give a shout out to first responders and the job that they do and everything that you know. Absolutely. Especially during the pandemic and putting themselves at risk. So all right, well, in closing, thank you to all our listeners, uh send us stuff by email at unsecurity@protonmail.com. You’re the social type. You can socialize with us on Twitter. I’m @BradNigh and Evan is @EvanFrancen. Tony, how can people get a hold of you?

[01:04:35] Tony Alsleben: Uh Probably LinkedIn is the best place. Uh so it would be under Anthony Alsleben. And if you’re looking for me out there attached to CentraCare

[01:04:44] Brad Nigh: you go uh other Twitter handles where you can find some stuff that we do is the podcast is @UnsecurityP, SecurityStudio is @StudioSecurity. And FRSecure @FRSecure and that is it. Talk to everyone again next week.