Cybersecurity Costs and What You Should Pay

Unsecurity Podcast

Evan and Brad are not shy about calling it like they see it in this episode of the UNSECURITY podcast about cybersecurity costs. There are a lot of companies and people in the information security space that want your money and only your money. They’re more than willing to sell you things you don’t need and that won’t help improve your security posture, just so they can make a buck.


Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome. This is Evan Francen. This is episode 65 of the Unsecurity Podcast, and the date is three February 2020. In studio with me is none other than Mr. Brad Nigh. Howdy, Brad.

[00:00:37] Brad Nigh: Good morning Evan. How are you? I’m good. Are you?

[00:00:39] Evan Francen: not too bad? Are you a morning guy? I’m a guy.

[00:00:42] Brad Nigh: So I’ve always been a night person but with kids that kind of changes things. So now I’m in early in the morning and that way I can have nights and weekends with the kids. So,

[00:00:56] Evan Francen: So now you’re morning guy.

[00:00:58] Brad Nigh: I forced myself. I’m still a night owl if I like on the weekends. Yeah, I was up till like 1:30 watching Netflix on Saturday. 1:30 a.m. Yeah, that’s

[00:01:11] Evan Francen: it’s because it’s quiet sleep Last night. I was asleep by 8:30 last night. Then my wife came to bed and woke me up at 11.

[00:01:22] Brad Nigh: You’re you’re, you’re here like crazy early.

[00:01:24] Evan Francen: Yeah, I’m a morning guy. It’s the only time of the day when I can get something done.

[00:01:29] Brad Nigh: It is true. I have noticed that. So yeah, I usually I’ve been coming in between six and 6 30. Getting an hour and a half or two hours of time. That’s about all the earlier I can come in. I just can’t make myself wake up any earlier.

[00:01:45] Evan Francen: So do you see yourself sort of transitioning into a morning person more and more as you get older? Uh

[00:01:51] Brad Nigh: huh. No, I still don’t like it, but I do enjoy the time to get stuff done. One not worn out from the

[00:01:59] Evan Francen: day. It’s quiet. The thing I don’t like about this time of year is it’s uh it’s dark like the first four hours of my day. It’s dark when I get yeah,

[00:02:13] Brad Nigh: You are up at like three a.m. though.

[00:02:15] Evan Francen: That’s true. I am all right. So uh we’ve got a great, we really do have a great show plan today. I think some passion will come out of today’s talk. We have lots to talk about. Definitely. We’re going to talk about this industry’s money grab and this is something that uh yeah, you’re going to hear me probably, hopefully I won’t swear, but I’ll say some things you know that yeah, it may not be politically correct. May offend some people controversial. Have I ever offended anybody? Oh, I’m

[00:02:46] Brad Nigh: sure all the time not doing your job right. If you don’t offend somebody at some point.

[00:02:52] Evan Francen: So, but before we dig in on that, I always like to catch up with you. We originally started this podcast as an opportunity for you and I to visit and it gave listeners the opportunity to sort of listen in on, you know, what is security people talk about? You know, so I like to catch up. That’s one of the reasons why I catch up, you know, kinda early in the in the show, how you doing good, good week.

[00:03:15] Brad Nigh: I did, yeah, it’s always fun were, I mean, you know, we’re growing like crazy and it’s kind of fun to to go from that, I mean 20 person company to 80 and the differences and we’re finding things that were like, oh well, we shouldn’t have been doing things like just business processes and things that were like, oh yeah, we should probably fix some of that stuff. And it’s cool to find have like the maturity to be looking for those things instead of just kind of like, oh yeah, that’s how we’ve done it.

[00:03:48] Evan Francen: Yeah, well, I I see that to uh, you know, this year was the first year I sort of detached myself from the budgeting process and then uh you know, friday, we had an all, we had the executive leadership team meeting and uh there was some discussion about something in the budget and they looked to me to make a decision and I was like, uh I’m not, I wasn’t prepared,

[00:04:20] Brad Nigh: I wasn’t paying attention. Well,

[00:04:22] Evan Francen: no, I was paying attention, but I wasn’t prepared to make the decision, but then it reminded me that, you know, I do need to stay involved in the business side of things, so I spent the weekend kind of just going through every line of the budget uh just so I understood it more than trying to change it, you know as you kind of figure out what the direction of the company should be In 2021, 2022, 2023. Um You know what is a healthy information security consulting company look like we already know we have a healthy culture, we have healthy people, we have a healthy values and morals. How does that translate into healthy financials?

[00:05:06] Brad Nigh: Right, sustained, yeah like yeah successful growth versus

[00:05:11] Evan Francen: right. So those things, those two things have to play, you know hand in hand, you know that’s what I spent, you know the latter part of last week, I don’t remember the early part of last week I think you

[00:05:23] Brad Nigh: did some travel.

[00:05:25] Evan Francen: Oh crap I did. That’s right, that was last week wasn’t it? Yeah last week I was in Rochester, it’s new york for an hour meeting. Fly out there, have your meeting. Great meeting man, I love those people out there. I won’t tell the company name or anything but uh just really good meeting and then you have to get back quick.

[00:05:47] Brad Nigh: Yeah there’s those in and outs are I don’t know those were being out.

[00:05:53] Evan Francen: Yeah well when you change time zones to because you like left here monday afternoon got there monday late at night you know the hotel right? You know I got to sleep and then had the meeting in the morning. So it’s just you know the night in the hotel, Get up, get dressed, get some breakfast and then head to your meeting and then head back.

[00:06:14] Brad Nigh: That’s the unsexy side of the consulting people don’t call you get to travel to all these places. Yeah. I’ve been to cities. I haven’t seen a lot.

[00:06:25] Evan Francen: Well last week I had a discussion, oh I had a great discussion Ryan and I had a great discussion talking about K through 12 and how we’re going to tackle that Chris Roberts and john crapper camera, john gates. Really good discussion about how we’re going to tackle these issues. I learned some things, you know, I learned things every time I talk with others, you know. Um, but he Chris Roberts shared his schedule with me. Sounds like holy buckets. Yeah. I got nothing to complain about. That guy is all over the country all the time. I don’t know how you feel. It’s time to write some of the stuff he does for LinkedIn when

[00:07:09] Brad Nigh: you’re on the airplane.

[00:07:11] Evan Francen: Yeah. Yeah. I can’t get myself to work very well in there. Can you?

[00:07:16] Brad Nigh: Oh no. Now just cramped and yeah, yeah. Yeah. I try and it just, it doesn’t work, but I can read books that’s,

[00:07:27] Evan Francen: yeah, you’re a speed reader.

[00:07:28] Brad Nigh: That’s, that’s the one area because then I can have distractions put in headphones and

[00:07:35] Evan Francen: all right. Well good stuff busy busy as always. Uh, so the first thing, the first topic for, you know, for us to discuss is the discussion about this money grab thing, in my opinion, in just looking, you know, we you and I have both been in this industry for a long time and we’ve seen lots of things um in my opinion, the money grab is definitely alive and well, everybody, everybody wants your money. Yeah, it’s not just it’s not just the bad guys. The good guys want your money too, or air quotes good guys. Right? So what I want to talk about in the money grab is let’s talk about some of the things the bad guys are doing, you know, and some examples of, you know, that money grab, which seems obvious to some people to others, even if it seems obvious to you. There’s there are new things happening all the time. Uh and then the good guys, the good guys are after money too, and then I wanted to kind of finish up this discussion about us. Let’s look at us, let’s look in the mirror. You know, what part do we play in the money grab? Uh you know FRSecure and SecurityStudio, because we’re human too. I mean, money, it’s not bad to have money. Money is a good thing. It’s when you

[00:08:53] Brad Nigh: when that’s your when that’s your sole motivation is more money, that’s what you get into trouble.

[00:09:00] Evan Francen: Yeah, so let’s talk about the bad guys. So in 2018, cyber, the cyber crime industry. So it’s it’s now an industry it’s been an industry Was worth at least $1.5 trillion 2018.

[00:09:16] Brad Nigh: Yeah, I mean we know that’s going to what double for 2019. I don’t know if it’s going to

[00:09:22] Evan Francen: Be a little lot 1.5 trillion. Do people even understand what trillion is? I don’t hardly.

[00:09:28] Brad Nigh: Yeah. It’s funny when you start looking at some of the breakdowns on how that is. It’s like you spent a dollar for every minute you had a trillion dollars that would last X. Number of years. It’s like centuries or something. It’s just yeah,

[00:09:42] Evan Francen: just staggering amount of money and it’s not and we’re still fighting the same things. Mhm. Phishing, there’s still a problem. There was a problem back in the first time I saw ever saw a phishing attack was 90.

[00:09:57] Brad Nigh: What wasn’t that like something? Yeah, I mean ILOVEYOU virus that was all through.

[00:10:03] Evan Francen: So here we are. We’ve we’ve lost. God knows how many billions trillions of dollars and we’re still here,

[00:10:13] Brad Nigh: yep. Yeah

[00:10:16] Evan Francen: it’s so what kind of progress have we really made?

[00:10:21] Brad Nigh: You know that’s a good question. I think that that you know the companies that are more successful that have made progress are really focused on that education and almost rewarding the behavior of identifying and not being afraid to say something and not punishing it, but there’s still that I think that a lot of that, well, I can’t say anything because I’m gonna get in trouble, right? And that’s a failure for our industry of not getting that message across better that a good security program and a really good indicator. Is there are more reported suspected incidents that you’re looking at. Hey, I think this was going on or so

[00:11:09] Evan Francen: Yeah, it’s interesting because there’s a lot of finger pointing, You know, there’s a lot of people pointing fingers at the fact that yeah, 1.5, trillion. And then we point fingers while its management management doesn’t take it seriously enough or it’s users aren’t smart enough, aren’t, you know, they say, well, they’re not educated enough.

[00:11:31] Brad Nigh: Nobody wants the same thing, responsibility in any way about it, right?

[00:11:35] Evan Francen: And then we try, well, the human firewall, we’re all in this together. It’s everybody’s responsibility. It’s like, no, I mean, I get paid pretty well to make it sort of my responsibility, right? And and that means it doesn’t mean I don’t get other people involved, it doesn’t mean I don’t, we don’t work together. But at the end of the day, if I’m if I’m the CISO and I’ve been hired for this, you know, and I like to simplify things. I have two jobs, right, consult executive management on risk and then implement their risk decisions, right. Two jobs, two facets. So either I’m not consulting management. Well, I mean, I like to look in the mirror for our problems first, Right? And I think all of us could probably stand to do that a little bit more in my consulting. Well, because if management isn’t involved and then I won’t take it seriously. Maybe that’s me. Yeah, maybe it’s a reflection of how well I communicate with them, Maybe I’m not speaking their language, maybe I’m not understanding what their motivations are fitting security into it.

[00:12:38] Brad Nigh: Yeah. Yeah. Well, I think so. Kind of going back to our conversation at the last week, I think almost all of it that I found it’s a communication, right? It’s miscommunication, it’s just making an assumption of well, they said this, so I’m assuming this is what it is as opposed to actually taking that initiative and following through an act truly understanding motives and what’s being done and how can I support that? So,

[00:13:09] Evan Francen: if it’s a management issue, that’s me, I mean, I view it that way and if I just have crappy management that just won’t listen no matter what I do? Well then I go find a job somewhere else, right? You know, supposed allegedly we have a talent shortage issue in the industry. What if it’s a user issue is that my problem too.

[00:13:29] Brad Nigh: Yeah. Right. Because

[00:13:32] Evan Francen: the people that work behind the computers are not stupid. No, they are very, very smart at what it is that they’re paid to do right there in their position because they first.

[00:13:42] Brad Nigh: Yeah, Yeah. He would hopefully wouldn’t hire him if they weren’t good at their jobs. Right?

[00:13:47] Evan Francen: And so you look at well then ask yourself why do they keep clicking links

[00:13:52] Brad Nigh: now? I

[00:13:53] Evan Francen: think not just chalk it up as well. They’re human,

[00:13:56] Brad Nigh: Right? No, that’s

[00:13:57] Evan Francen: true. But do you just Okay, well then just accept it or maybe you do accept it? Maybe you know, some certain percentage of people in your company you expect to click links. So then what are you going to do about it as the CISO?

[00:14:13] Brad Nigh: yeah, you have controls. Can you put in there and making sure people aren’t local admin, making sure that yeah, the access controls are proper so they don’t have access to things. So when they click their ransomware it doesn’t encrypt the entire network drive,

[00:14:28] Evan Francen: whatever. Exactly. So and then at the end of the day who delivered the email to their mailbox, Right? It did. Right.

[00:14:36] Brad Nigh: Yeah. Why don’t you have a this, this originated outside the organization or something simple?

[00:14:43] Evan Francen: Well, in understanding how security works too, it’s not all about prevention. So where I can’t prevent something from happening. Do I have something in place to detect it and then respond to it? Right? And nowadays, you know, we’ll get to this when we talk about, you know, the good guys too are involved in this money grab. Um You know, we talk about zero trust. Mhm Great. zero trust has been a concept since

[00:15:08] Brad Nigh: Yeah, forever. Right.

[00:15:11] Evan Francen: But now we’re going to call it zero trust. So hopefully we can sell some

[00:15:13] Brad Nigh: new things. The new marketing phrase for it.

[00:15:16] Evan Francen: Right? You should have always been doing zero trust from a security perspective if you really wanted to do it. Right. Right. But the problem was is businesses didn’t really want to do it right

[00:15:27] Brad Nigh: now and it’s hard to do. Right? I mean that’s the other thing uh we were I was actually just talking to uh somebody last week that they had a an incident and I got their servers ransomed and luckily they had phenomenal. Their backups were all stand alone machines with each had their own uh local admin like user accounts that were completely segmented from the domain. And so they were able to recover and then it happened again so they were able to recover again. So we’re working with them and got it under control, so they’re functional but there are a couple of the C-levels met with us and like, well what what can we do? What would be the best practice? And I was like, well just white list only. Right. The problem is if you don’t do it right, It takes down the business or it’s very disruptive. Takes a lot of work to test it too. And even then It’s not 100

[00:16:26] Evan Francen: percent well and why don’t people, I think the biggest reason why people don’t white list is because they don’t understand the environments that they’re even responsible for protecting. If I knew how my application’s actually communicated on a network, who they are communicated with, how often how much traffic if I knew my own environment, I might be able to white list

[00:16:48] Brad Nigh: well. And I think that that’s what turns a lot of people that’s the hard work. Yeah, I don’t hey is working why I call attention to myself when I break something and you know, that’s not no. Yeah.

[00:17:05] Evan Francen: Well and in some cases, you know, I’m working with, I was working with one organization and still I’m working with them. But this this particular project is over, it was, you know, adversary obstruction, right? NSA a few years ago wrote, you know, some pretty good guidance on it and it’s essentially zero trust, assume an attacker gets in your environment. What do you have in place to obstruct them from getting other places in the environment? Because attackers, almost all of the sophisticated or sophisticated attacks or pivots, right? They don’t they didn’t just hit the gold mine, their first shot in the environment. So part of the adversary, our adversary obstruction stuff is network isolation. Right? White listing. So in order to do that, I have to look at every one of my applications and figure out how do they actually communicate, you know, are they on their own isolated, you know, segments and

[00:18:06] Brad Nigh: so, you know, it’s funny because I think it’s this week, I think, I don’t even know any calendar is crazy. I have a conversation with a company that is looking to expand to china and they’re like, what should we do? Don’t,

[00:18:21] Evan Francen: don’t spend in china

[00:18:23] Brad Nigh: and well we’re going to, what should we do and the exact, it’s gonna be exactly that it’s going to be complete isolation. You have to have whitelist only, you can’t assume anything you make accessible will be compromised, reverse engineered, whatever. You know what your, what is your worst scenario for your solution, Right? Because playing for that to happen.

[00:18:50] Evan Francen: Exactly. So when you look at the money grab from the perspective of the bad guys, the two, you know, the $1.5 trillion 2018. The saddest part about that is just how easy we made it for them. It wasn’t difficult. It’s not difficult to scam people out of their money. And one of the reasons why that’s true is there’s really no low, that’s too low.

[00:19:18] Brad Nigh: No, for an attacker, they don’t play by the rules

[00:19:22] Evan Francen: and they could just care less. Right? So recently we’ve, we’ve had the coronavirus, you know, out of the Wuhan in China and so you know, you can predict that there’s going to be phishing scams. Uh yeah about that. So that’s, you know, floating around right now. One of things we saw last week and it was Roger Grimes. It was a post by Roger Grimes on Twitter where he posted this Dennison extortion. Did you see this?

[00:19:49] Brad Nigh: No, I hadn’t seen that. So,

[00:19:52] Evan Francen: so the attacker set up a website called Dennison extortion is still alive as of right now, even though the timer has expired. Uh and it says this, it says because of Robert Dennison failed to take very simple security measures on his devices. I hacked into all employees Google accounts and they were hosted under the domain name of Denison Yacht sales dot com. All company leads accounting archives, employee social security numbers, employee signatures including the data that was sent from clients of denison yachting to the mail accounts of the company is under my control. So if you ever conducted business with Bob Dennison, your private data might be in my hands right now. What do I ask for? I want Bob to send 15 bitcoins to this Bitcoin wallet address and then he lists the wallet address what will happen if my demand won’t be fulfilled question mark. When the countdown here finishes and so yesterday I was on it goes 11 hours left. It’s over now. When the countdown here finishes all the data that mentioned previously will be publicly available for anyone who visits this web page Bob. This was your fault. Don’t make other people pay for your fault for any questions reach me at denison extortion at proton mail dot com. If this website shuts down, you can track the countdown on dennison extortion calm, right? So this is, I assume this is real. I mean, I I didn’t do any research on it, but so Robert Dennison who owns a yacht company, you know, I don’t know him either, but you know, just a guy making a living, running a business, serving his customers, doing the best job he can.

[00:21:49] Brad Nigh: Yeah. Yeah. Now

[00:21:51] Evan Francen: this is what some jack wagon does to him. And I get it that it’s easy. It was easy for the attacker to do this, but that doesn’t make it right. And the fact is, you’re ruining people’s lives with this stuff and they don’t care and I wouldn’t expect them to care. But we we have this mentality. Like, do you think bob Dennison prior to this? Do you think he was one of those guys who thought this will never happen to me? I don’t have anything that anybody would want in the common.

[00:22:23] Brad Nigh: Didn’t even didn’t even think about it. Yeah. I mean, that that would be my bigger thing is maybe not so much. Well, well, it won’t happen to me, but just not even being aware that this is an issue,

[00:22:38] Evan Francen: right? I’m gonna go to that website and I gotta Denison yacht sales dot com.

[00:22:45] Brad Nigh: Yeah, that’s tough. I think, you know, not like he said, not knowing anything about the um, that organization. You know, this is a smaller, I don’t know how big they are, but I’m going to guess. Probably not a huge a company. Right? And now they’ve got issues. I don’t know, they actually said, it says they have their 24th office, so pretty, they should be pretty good size.

[00:23:17] Evan Francen: There is the denison yacht sales dot com. Uh, web server cannot be found, but is a legitimate coke dealer in fort Lauderdale florida. Yeah, good ratings. 310 Customers, 4.2 Rating on Facebook. Nice boats too.

[00:23:36] Brad Nigh: So, yeah, I mean, well, that’s tough. You never want to see, you know, business being taken advantage of like that. But at the same time, yeah, that there is has to be some responsibility by the businesses to understand that, that this is a risk and they got to do something, right.

[00:24:02] Evan Francen: Well, in the point, Yeah, I mean, the point is, you know, there’s no low that’s too low. And I think one of the reasons why, you know, Bob’s yacht company was left exposed is because I don’t think our industry really cares as much about Bob as Bob and others might think Because we’re all fighting after the 10% of people that are actually doing security stuff and we’re not really doing much for the 90% who aren’t the basics

[00:24:32] Brad Nigh: and and you know, looking at that site. I mean, these are not, these are expensive boats or yachts that he has. So the, you know, it’s almost more going after his clientele than him, right? People that can afford $14,000,020 million yachts, right? But bob fosse responsibility to his customers. Well, sure. But to take advantage of that is pretty crappy to basically blackmail. Right?

[00:25:06] Evan Francen: One, hindsight’s 20/20, right? I mean, I don’t know what Bob. I never interviewed Bob or talk to Bob. Maybe it’d be cool to get him on the show. But it’s the wounds are probably,

[00:25:17] Brad Nigh: Yeah, that’s Cindy. That’s a tough one.

[00:25:20] Evan Francen: The But I think the point is is a lot of times we think, oh, they would never stoop to that level. You know, and they always always, it’s all about the money. They could give two craps about anything, your feelings, business, their livelihood, Nothing. It’s all about how much money can they make off of you in this case trying to get 15 bitcoins,

[00:25:43] Brad Nigh: which really isn’t whole lot when and from what we’ve seen, Right?

[00:25:48] Evan Francen: And what’s to stop? So this is assuming that this attacker even had bob denison’s information. What if he didn’t? Well, if you just made the website Dennison extortion dot com and just put this message up there, you know, maybe, maybe nobody hacked into bob’s yacht company.

[00:26:11] Brad Nigh: Right? He just got the

[00:26:13] Evan Francen: damages kind of already, I mean, could it be already done, right? Because people won’t know that. And if I were bob, but it’s not like I would advertise it. Yeah, it was hacked, you know, customers take your boat to other places. Yeah,

[00:26:28] Brad Nigh: Well, and that’s where you go back to the reputational hit, right? I mean, are those people that could afford those yachts going to want to do business with somebody where this is out there. This happened.

[00:26:44] Evan Francen: Yeah. So two points one, the cybercrime, the bad guys, they’re making boatloads of money. The money grab is alive and well, and there’s nothing that they won’t do to get at your money, including, and one of the things we don’t talk about much is human trafficking. I came across an article in Forbes magazine that the human trafficking industry itself is worth over $150 billion. And this is, I don’t know, this all pisses me off, but this one more so because, you know, it’s more than money, right? If you stole my money, I can make more money, right? And you steal a child’s innocence. They don’t get their innocence back.

[00:27:33] Brad Nigh: Yeah. Yeah. And yeah, there’s a bunch of stories out there about what, how this happens and, you know, even Quote unquote legit sites that turned out to be not legit. There was one um I saw a story about, over the weekend that basically had blackmailed a bunch of women who had gone in and thinking one thing and now they sued the company and have taken control of all the assets, but for however many years basically women were being blackmailed into and the porn and so

[00:28:11] Evan Francen: description. It’s ridiculous. Mhm. And so this is the reason why this affects. So here’s the deal with information security, information security, privacy and safety can no longer be separated. They’re all interrelated. So to think that human trafficking, human trafficking isn’t an information security issue is wrong. Yeah. Because these things are being tracked. These things are happening online. And some of the people that are involved in human trafficking, either on the supply side or on the use side right there, they’re going to porn sites on a regular basis which feeds this whole industry or they’re engaging in prostitution or whatever, Right? That’s what feeds this. If there wasn’t any money to be made in human trafficking, you wouldn’t have human trafficking. Yeah. And some of the some of the people that are doing this kind of work are people that sit in offices and they sit in your office. Yeah. And you have no idea. Right? And something as simple as, you know, web content filtering, something as simple as, you know, egress traffic filtering might tip you off on something. I’ll give you a story. One of the time I worked at a very large bank and it wasn’t human trafficking, but we saw a bunch of weird things on our web content filtering and I worked in the threat and vulnerability team. So we had incident response, we monitored and took down phishing sites, you know, that thing. This is back in the early two thousands. And so we started this investigation of why are we seeing this unusual traffic going outbound weird websites. Right? So you back it out to, you know, found out it was a senior vice president of one of the bank branches in California and what he had on his computer was, and this is back, you know, when gigabytes were like, that’s a lot of data had a gigabyte of animal, right? Animal human being, right things.
And so, and I don’t know how much people know about, you know, just deviant behavior, but it’s like an addiction, right? It’s like a drug addiction. You did it once you got your high,

[00:30:45] Brad Nigh: it was good

[00:30:48] Evan Francen: and now you want a little more because the high you had last week ain’t the same as the one you’re getting this week from the same amount. So you get a little bit more, get a little bit more next thing. You know, you find yourself so far and so deep into this and that’s what happened with this person, right? They didn’t, he didn’t start with animal pornography

[00:31:07] Brad Nigh: and just uh, yeah, it’s interesting. You know, I think anybody who’s been doing this for any length of time, has those Has seen something like that? I know I’ve gone through the same thing, we’re putting some web filtering and it was somebody who’d been with the company 25, somewhere like a really long time. And yeah, you start seeing the trafficking, like why is that getting flagged, You start looking into it and, and then the worst, I don’t know the worst part for me is always going to going to HR with a documented case and having to explain to when

[00:31:44] Evan Francen: you can’t unsee the stuff you saw the investigation, right? I can still remember some of the pictures I saw 15 years ago, 16 years ago.

[00:31:52] Brad Nigh: Yeah, kind of, you know, we kind of joke about it to some extent where it’s like, you know, I think that’s kind of a coping. Oh absolutely, you have to, it’s like, huh, why would, Oh God! Right,

[00:32:06] Evan Francen: So $150 billion dollars and this is one of those things and the reason why I bring it up here is to support the fact that there is no low, that’s too low.

[00:32:16] Brad Nigh: No, for peace all about the bottom line, can I get dollars

[00:32:19] Evan Francen: exactly their entire, I know an entire town, I can’t remember the name of the town but in Mexico and one of our listeners might want to email, there’s a town in Mexico that is all about sex or not? Sex human trafficking. Like the whole town is established, wow around that and the police protected. I remember I saw it, but so what can I do as an information security person. Well under one understand that this is an issue, it’s a real issue and be on the lookout for it, be aware of it. You know, if you have um the time, if you have the skills start getting really involved with OSINT. You know, I know there’s all sorts of OSINT communities that are trying to hunt down these people and work with law enforcement, um because nothing would break my heart more than uh you know, my daughter. Oh yeah, falling prey as a parent, but watch what your kids are doing,

[00:33:22] Brad Nigh: it could never happen to me.

[00:33:23] Evan Francen: Exactly, Bob. Thought that maybe. Yeah. So as a parent don’t just don’t be ignorant about this. It’s a thing and it’s getting worse and it’s getting worse and as long as we continue to just allow it to get worse, meaning we’re playing ignorant. It’ll just get worse, more victims, more money. Uh and it makes everybody’s job harder, right? Because if you’re not protecting your children and they’re successful, they they’re just more resources that they can use to get after my children. Yeah. So anyway, I wonder, you know, nice cheery Monday. I was gonna say,

[00:34:03] Brad Nigh: nice light topic. Right?

[00:34:05] Evan Francen: But is it this is all around the money grab. It’s all about dollars. All of it. Uh There are other things or other motivations for stealing information. But by far and away the number one motivation for stealing information. And that’s just one way, right? Also changing information. Let’s not forget the basics, the fundamentals of what information security is. It’s not just confidentiality, it’s also integrity and availability, right, right? CIA, all you security experts out there

[00:34:33] Brad Nigh: is my bank account. Actually what it says it is. I’d love

[00:34:36] Evan Francen: to add a few zeros to mine. Somebody would have to pay for that too. All right. So the bad guys, we know the bad. We don’t know them, but we we know that there what motivates them, but this is one of the parts where I don’t think we think about it often is or maybe we do. Maybe that’s why. Um Yeah, maybe we do think about this. But the good guys too. There are and I say good guys in quotes because the good guys come off as good, they think they’re good. Maybe they think they’re good, maybe they know they’re not good. But it’s under the premise that they’re

[00:35:11] Brad Nigh: good. Maybe maybe more like legitimate business versus Yeah, like the legal business.

[00:35:19] Evan Francen: Even some of the legal business stuff though, when you look at what our industry does in any other industry would be illegal.

[00:35:27] Brad Nigh: I’m not going to argue that I would agree, but we try to better define

[00:35:31] Evan Francen: weeks toward each other to in this industry or borderline extortion for sure. Uh huh. All right. So this year or in 2019 Gartner estimated that industry spending was $124 billion. So if you put that into context with, you know what we what the bad guys took 1.5 trillion. Uh we spent $124 billion in 2019. And by some estimates, we’re expecting that to grow to $170 billion in 2022.

[00:36:09] Brad Nigh: So yeah, I mean, you can understand why people would be in it for some money, right? There’s a lot out there.

[00:36:16] Evan Francen: Well, and I added a note to the show notes too, because I add this for context only. No, I don’t mean to imply that all of that is wasted money. Some of the money is very well spent. There are great companies in this industry. So I don’t want to, this isn’t a condemnation of all of our industry, but what it’s a condemnation of is certain motivations of dollars that are spent in our industry are completely wrong. Yeah. And so what I talk about is, you know, what I’d like to talk to you about is, you know, FUD, fear, uncertainty and doubt. You know, just scare the crap out of somebody and they’ll buy something. You know, if you can hit that nerve. And then the sexy stuff. FUD and sex both sell

[00:37:02] Brad Nigh: and, you know, to me being in talking with customers, that’s a heart, it’s a, it’s a tough line to right? Because people are maybe is educated. So what you’re coming across with is, hey, here’s the realities of the situation there. Like what you’re scaring the crap out of me, right? Well,

[00:37:23] Evan Francen: well, there’s the, there’s the good scare, there’s the moral scare and then there’s the,

[00:37:28] Brad Nigh: I mean if you don’t do this, you’re if you don’t use this, right, this is going to happen to you.

[00:37:33] Evan Francen: Well, behind all of it is my motivation when I talked to somebody, I know what my motivation is. If my motivation is purely selfish, meaning I just want to I just want you to spend some money with me. You know, I got bills to pay baby needs a new pair of shoes, you know? Right? That’s one motivation. Another motivation is this is what’s right for you. I know that it’s what’s right for you. I’ve been in this industry for a long time. I know you I care about you. Yeah, it’s going to cost money, but that’s secondary,

[00:38:05] Brad Nigh: right? Yeah.

[00:38:08] Evan Francen: You know, so if I use fear knowing that my motivation is that like look johnny, you’re going to get hacked like guaranteed, right? I’m not telling you this because I’m trying to actually here’s a free tool, there’s something free if there’s something available that’s different than, you know, Yeah, scaring the crap out of somebody and then saying, hey, you know, buy this quarter million dollar thing that I got, it’s got AI, right? Well it’s machine learning Blockchain. Thanks. You need to have yeah, it implements the zero trust that we’re all

[00:38:44] Brad Nigh: bingo. Yeah. But yeah, no, I’m with you? I think it is. It is, yeah. It’s what you’re your motivation is what what is the kind of the mission that you’re trying to right advance? Right. Is it just simply dollars in or is it right.

[00:39:08] Evan Francen: Something else? Well, some people I get are because people in this industry, you know, it’s confusing. Especially for non security people who haven’t been in this industry for a while. It can seem really confusing. Right? And you’ve got so many buzzwords floating around so many different things that I need to be concerned about. You know, I go to one vendor and he’s telling me I gotta buy this thing and it does all these things. And if you don’t have these things then you know, you’re just up due to the creek. Then I talked to another vendor and he’s like, no, no, no, no, that’s yeah, that’s good stuff. But you’ve got to put this stuff in first because this is way more important than that stuff. So it doesn’t even matter if you have a budget that you need to do this as an off budget expense. I mean you’ve read the news, haven’t you? I mean are you living under a rock? I mean,

[00:39:56] Brad Nigh: and it comes out that they don’t even have an inventory list.

[00:40:00] Evan Francen: Right. Right. When it ends up being all this lipstick kind of pig stuff. Right? I keep buying a bunch of stuff and then, and then how many times have we done an incident response where so many, where executive management is like, I thought we were covered for this? We’re

[00:40:14] Brad Nigh: spending X amount in a year. How did this happen. Mm Because it was not set up. Right. Because you didn’t have anybody monitoring it because Right. No network segmentation doesn’t matter.

[00:40:29] Evan Francen: And you don’t even know yourself. Right. You don’t even know yourself. You don’t know what applications you have. You don’t know what hardware you have. Why is

[00:40:38] Brad Nigh: this application running as administrator on every workstation?

[00:40:41] Evan Francen: Because I didn’t know any better.

[00:40:43] Brad Nigh: It was hard. Right vendor said that’s the way to do it. Did you

[00:40:49] Evan Francen: question that? So I’d love to see. And you’re starting I think in this industry to see more people starting to focus on the fundamentals. I hope because that’s your answer. Well, I mean it’s absolutely 100%. No doubt your answer. Yeah.

[00:41:04] Brad Nigh: Right. And here’s the thing. I guess it goes back to motivation. But you know, we do it all the time. Like if I come in as your because like the vCISO program is very popular. It’s one of our fastest growing. Well, what does this include? Well, it’s the base level at a minimum. I know you need this, but until I do that risk assessment and figure out where you’re at. I don’t, I can’t I’m not going to sell you whatever IR plans and all this other stuff. Why? Why are you going to have a pen test if you’ve never done a vulnerability scan? Let’s start and understand where we’re at and that’s going to define and drive where we’re going from there

[00:41:49] Evan Francen: and there’s so much wisdom in that, I mean take cyber out of it. Take information, security out of it in anything. The better, you know yourself, the better you’re going to be able to protect yourself period. Yeah, yeah, I mean it’s been that way since ancient times, since the beginning of humans and yeah, I mean it’s like great blinky lights, got it, fear, got it. How well do you know, you right, look in the mirror, you know, deep. So that’s the part that really frustrates me, is because you just keep putting band aids on bullet wounds, you just keep putting lipstick on the pig. You just just, it’s not fixing the fundamental order of the problem.

[00:42:31] Brad Nigh: No, well, like you say, if insecure at the core doesn’t matter what you layer on top of

[00:42:36] Evan Francen: it. Right. Right. So companies that really, I think serve you well and, and it’s funny, I’ll talk about this when we talk about, you know, advice to give to boards. Uh, I was in a board meeting last week and I gave three bits of advice to them. That was it. Just three bits, give them an update on where they’re at and all that other stuff. But then those three bits of advice, I think are really important and it plays into this. Another point, you know, with the good guys, is it seems to me like everybody is fighting for your money first and foremost over your security. And I bring up conferences here, you know, next week, month, whatever. I’m going to RSA and I was gonna write a blog post that I’m going to RSA next month and I already regret because it is, in my opinion, is such a money grab. I mean, it’s expensive to go there. It’s expensive to attend. It’s expensive, too, if you’re a company that’s got a pretty cool, innovative product that you want to display there, well, it’s going to cost you $80, $100,000 to get a booth and put it in there. You know, I mean, a lot of companies don’t have that. And what if my what if my thing, my technology is the basics, so on the fundamentals, the unsexy. Right, Right. Are you going to stand out at RSA? That’s the number one thing that we need in this industry, but

[00:44:07] Brad Nigh: no. Yeah.

[00:44:10] Evan Francen: And you go to RSA, and last year I went to RSA just to see Roger Grimes give his talk. And so I flew in, got there about 30 minutes before his talk, attended his talk, went out to lunch with him and his wife and then flew. Oy, that was all I could handle. Actually, I was, I was in Tina Fey’s, I did visit Tina Fey’s keynote. Okay, because that was more entertaining than anything else, right? They’re not going to sell anything. Tina Fey’s, I’m going to sell me a security product. But man, there’s so many booths and there’s so much money being flooded around there and it’s like for what? Right? You actually fixing anything? I don’t know. Doesn’t seem like it. Yeah. And Black Hat, you know, I I used to love love love Black Hat back, you know, in the earlier days when you learn stuff there,

[00:45:03] Brad Nigh: it’s funny you mention that and I’m just thinking how many times we talked to somebody to try and understand and scope it out. And it’s like, well, how many devices do you have? Like routers, switches, workstations, servers? Uh huh. I mean it’s got to be 85, of the time. They’re like yeah,

[00:45:24] Evan Francen: about how much,

[00:45:26] Brad Nigh: Gosh, let me think about that.

[00:45:28] Evan Francen: And then you ask, let’s give me a ballpark, is it more than 500 or less than 500? Oh man, jeez

[00:45:34] Brad Nigh: Yeah, it happens all the time. And then it’s

[00:45:37] Evan Francen: Probably more, and then you find out it’s like 22,000.

[00:45:40] Brad Nigh: Right, Right. And it just, it continuously blows my mind. And then we find is, you know, there’s there’s some correlation for a number of employees with devices and typically with pretty, you know, most of time. And so start doing that and you just, it does blow people’s mind, they’re like uh you know, that does sound about right? And then I would want to just bang my head on the door, the desk like sounds about right, how, how how are you buying and buying protection? How are you buying any of these things? If you don’t know or if you bought it, how do you not know how many licenses you have or what you’re using like

[00:46:21] Evan Francen: or five of them go out the back door. Right. Would you even do

[00:46:26] Brad Nigh: you have any sort of Yeah, it just blows my mind. Yeah.

[00:46:32] Evan Francen: So anyway, I’m not gonna rip too much on conferences, but I do remember the day when you could go to conferences and the primary thing was learning stuff, not buying stuff and selling stuff, you know? Uh and I miss those days, you know, I know that there are still conferences out there like that, but these two are the biggest two conferences in our industry and there’s many, many millions of dollars beaten floating around out there. And that wouldn’t bother me too much either. But going back to the motivation, the motivation isn’t to do what’s best for you. The motivation is to get you to buy something which may or may not be what’s best for you. I don’t as the salesperson. I may not even care. Yeah, I mean songs, songs that make my quota, right? So companies uh to, you know, we have in our industry uh you know there’s lots of new companies popping up all the time, new consulting companies. Um The sad thing is is sometimes, oh, sometimes they’re giving bad advice right? They’re not taking people because we already know what the biggest part of the answer is to focus on the fundamentals, to focus on the basics of information security. That’s not the blinky light. It’s not, it’s not compliance. It’s start with how well you know yourself. Um, So there’s a lot of companies out there now. I think that, but they come and go. I’ve seen this since we started FRSecure in 2008, you know, we’ve seen some start, they fade away.

[00:48:14] Brad Nigh: Yeah. It’s uh, it’s always interesting that again, that is one of the things I do enjoy talking with the customers and stuff, you know, hearing what they’re hearing from other people and other companies and there’s a lot of

[00:48:30] Evan Francen: churn. Yeah. Well, so be careful. Uh, you know, and I did put borderline extortion there. There are a couple of companies, I’m not gonna mention them by name. Uh but you know who I’m talking about. Probably uh, where you’re forced to do things. Um, If you want to do business with me, you’re forced to do this forced to get this certification forced to do that. Um Or I could run a scan of you and tell you that your score really sucks. And if you want to get your, if you want to get the details about your score, it’s going to cost you,

[00:49:04] Brad Nigh: but in the meantime we’re gonna, or if you, even if you want to challenge it or it’s like, hey, that’s not right. You still have to pay and you’re getting dinged for something you yeah,

[00:49:16] Evan Francen: in other industries. That’s illegal. Yeah. Just saying in information security, we be accepted for whatever reason. All right. So, um, anything else to add on that?

[00:49:30] Brad Nigh: We could talk about what we could, we could probably, that would be, we could get controversial on that

[00:49:35] Evan Francen: one. Well, I’d love to talk specifics. You know, I really would. Um, I think when I retire in a few have been a few years and I’m not tied specifically to, you know, where I can be a little more off the cuff. Uh Yeah, I definitely want to, I’d love to call out some people. Yeah, specifically. And I’d love to call out some companies specifically. Oh, it just makes everybody else’s job harder. Yeah, we have to go in behind and clean things up. It’s, it’s sad because who ultimately suffers isn’t me? It’s not the person who gave the crappy advice. It’s the customer that really, really makes me pissed, right? So it’s a dangerous world. And people, non non information security people and I have probably some security people too are generally confused. Uh, but you know, and even that point, I wonder how much that is on purpose. I keep you confused. Then chances are probably better if you’re just gonna trust still some fear

[00:50:39] Brad Nigh: you’re just gonna take my advice. Right? Yeah.

[00:50:44] Evan Francen: So uh enterprise organizations, they can afford, you know I think in most cases to make mistakes or they can afford highly skilled people that with tons of experience that can make better wiser choices on information security. So it’s not the enterprise that I’m really all that I think enterprise organizations most that I speak to, you know have pretty good controls in place. There’s a lot of bloat maybe in politics and some of those but in general uh but where my heart goes out is certainly the smaller players who kind of left out in the cold mm. Um And they’re suffering because a lot of these cool things that people are buying or creating and selling into our industry, the SMBs can’t afford it anyway. So they’re not really focused on SMB, and SMBs are the ones that, you know, the underserved markets like the SMB, local state and local government. Most cities don’t have enough money to buy the latest ML thing. Yeah. Yeah. And

[00:51:49] Brad Nigh: uh on 12 and that’s not where the dollars are. So don’t focus on it and then it’s just mhm nasty cycle that they get they get left behind right?

[00:52:01] Evan Francen: And so what I would like us to focus on is these underserved markets to figure out how to serve the SMB as well to figure out how to serve because most of the market is there. Figure out how to serve um you know, state and local governments K through 12. Yeah,

[00:52:19] Brad Nigh: I mean, yeah, I was talking to somebody, I don’t even remember last week or the week before the last couple of weeks and they were asking about, you know, what’s our clients size? And it’s like, you know what, here’s the thing, if we start with the fundamentals, You know, there’s what we keep talking about between that 20 and what, 2000 employees, there’s three million companies. Well, let’s focus on the fundamentals for those and then scale up that’s easy. But if I take an enterprise solution that a Fortune 500 or Fortune 1000 is going to have and try to shove it down the throat of a 75% company is never gonna work. But those fundamentals that work at 75 are going to work at 75,000. Exactly. It’s that doesn’t change. So let’s focus on building this correctly and then scaling it as we go.

[00:53:12] Evan Francen: Exactly. And the sense of urgency that comes with that is we need to help these people because before the money grabbers and it’s not that we have all the answers, but we know for sure that our heart is in the right place right with respect to the money grab. So and that’s where I close off the money grab pieces, you know, and FRSecure, SecurityStudio, we’re humans too, I mean barely but we are

[00:53:44] Brad Nigh: we are not robots.

[00:53:45] Evan Francen: No. Dot dot dot um, but one of the things that keeps us honest is mission over money, right? We have this mission to fix a broken industry. We will make money. The company is growing, we will improve and get healthier as we go in terms of profitability and we are profitable. But I’m talking like even better as we figure out scaling things that you’re working on and and those other things, but we can’t ever lose sight of the mission.

[00:54:14] Brad Nigh: No. And you know, the you can tell again, I’m going to go back to recently. You can tell when people get it and when you’re talking to them and they’re like, uh this is great. I love it. And then, you know, you get to the price and I well this isn’t nearly as expensive as I expected. I expect this to be a lot more. You know, you always kind of go and joke and be like, well I can I can fix that. But you know, that doesn’t, that doesn’t fix anything. If you spend all your money finding the problems and you don’t have any money left to actually do anything about it. How have we furthered our mission? How have we made you better as an organization and you know, people, I think it resonates people get it when you’re being truthful and honest. People understand that.

[00:55:03] Evan Francen: It’s

[00:55:04] Brad Nigh: probably the other thing is refreshing to hear because like you said, there’s so much FUD out there. That

[00:55:11] Evan Francen: and put us to the test. Right. Right. I mean, don’t just take my word for it because but put us to the test, right. You know, if we’re nickel and diming and all these things that we’re not making a positive impact on your information security,

[00:55:26] Brad Nigh: uh let us know. Call us Tell us. Right. Yeah.

[00:55:32] Evan Francen: All right. And then there’s always the golden rule to write if you sell the customer something they don’t need.

[00:55:38] Brad Nigh: We have told people that really they haven’t had to do it yet. So I don’t know if he’s joking or not. But yeah,

[00:55:45] Evan Francen: you’ll find out. Hopefully you won’t Hopefully nobody will ever find out. All right. So, we have this discussion about uh talking with boards of directors and executive management were we’ve only got about five minutes after the show. So I wonder if you want to take that for next

[00:56:00] Brad Nigh: year. I think it would be a really good conversation. We could spend some time on that. Good to do justice to it.

[00:56:07] Evan Francen: Good. All right. So, there’s Brad’s topic for next week. We do get it, you know, fairly often we get the opportunity to talk to boards and other executives. So we can give some some good tips I think in that. Alright, so two news stories I’ve got this week. One is hackers. This one comes from ZDNet. And the title is hackers are hijacking smart building access systems to launch DDoS attacks. More than 2300 building access systems can be hijacked and says can be doesn’t say that they have been but some of them have been due to a severe vulnerability left without a fix. These are attacks targeting the Linear eMerge E3, the product of Nortek Security and Control.

[00:57:04] Brad Nigh: So you know, reading this what really bugs me is that the company was alerted in May of 19 and there’s been proof of concept exploits since November and six of the 10 are a 9.8 or 10 out of 10 on the CVSS like this isn’t

[00:57:26] Evan Francen: the well this is another example too where information security and safety can’t be separated. These are building access control systems. So I’m assuming that there’s something behind the door that you want to protect right physically. Right. And sometimes and I don’t I don’t know all the customers that are involved with this but I’m guessing some of these might be schools, yeah, schools that you know, children attend. And so when when an attack is, when a DDoS is launched and all the access control systems. No, I’m not as a parent, I would be concerned about that. Just because those access control systems are there to protect my children that I expect a gunman to come at that time or nothing.

[00:58:16] Brad Nigh: Right. It’s still

[00:58:17] Evan Francen: a safety issue.

[00:58:18] Brad Nigh: Well yeah they get are they configured properly for fail safe or if they go into and get shut down from that is everyone locked inside. Yeah, like you don’t think about Yeah, I’m with you. I don’t think the active shooter or anything like that is going to be the bigger concern. But there are big concerns about on this. Yeah, I’m from a business perspective. I mean, it’s not like it’s real easy to go to switch out an access control system. So if you’re a customer, what are your what your of course of action here, what can you do? You’re kind of stuck

[00:58:57] Evan Francen: when it goes back to one of the basic fundamentals, right? Is to build security in at the beginning of every project every everything. So maybe one of the questions you would ask of Linear, you know, their eMerge E3 devices is what type of security precautions, you know, what is

[00:59:17] Brad Nigh: your vulnerability management for your software products look like?

[00:59:21] Evan Francen: And how quickly, you know, how quickly do you typically turn around, you know, patches because everything, everything everywhere is going to require a patch. There’s nothing, you know? So if you ever get back from a customer or get back from a vendor saying, oh, you should never have to patch this thing. This, you know, How many lines of code is it more than like two, then I need a patch at some point, right? I mean they’re developed by human beings and human beings make errors, you know? So yeah, it’s frustrating. This is CVE-2019-7256 exploitation is what you’re talking about. So anyway, if you’re using a Linear and check with your building maybe check with your building people, because if it’s affected how many it’s a 2300 building access systems. Yeah that’s quite a few.

[01:00:13] Brad Nigh: Yeah. And it’s interesting because the article is kind of playing that down. Well it’s a small footprint. Mhm. But yeah it depends on on what the value is behind it too.

[01:00:26] Evan Francen: Yeah. So not happy about that. Here’s another one. The other news story. This one comes to us from CNBC. The security experts at CNBC the title is Ashley Madison cyber breach. Five years later users are being targeted with sextortion scams. All right. I’m not going to get moral on you and say well you were on Ashley Madison

[01:00:55] Brad Nigh: after all. But it means

[01:00:58] Evan Francen: you guaranteed that I’m not part of this breach. So I’m not all that concerned

[01:01:02] Brad Nigh: about it. I feel pretty confident on this one. Yeah. But yeah, it

[01:01:07] Evan Francen: doesn’t make it right either. Right? Yeah. So five years this is still living on this brings up one of my concerns about lots of things. But we can all pretty much be rest assured that our social security numbers have all been stolen. Don’t you think by now? 100%. So and why hasn’t my identity been why hasn’t your identity been stolen? I mean it was once I know, but why not? Again? It’s still out there. You know I mean this stuff sits out there once it’s out there, it’s out there. It’s not coming back. My social security number is not going to like all of a sudden automatically become confidential again, it’s out there. So now what? Yeah, that’s kind of the same thing with this Ashley Madison. If you were part of that breach

[01:02:00] Brad Nigh: it is what it is. It’s out

[01:02:01] Evan Francen: there. Yeah, I mean it’s not you can’t get it back. So I feel bad for you that you are part of that breach. But yeah, I just assume that maybe now is the time to come clean with your significant other or whoever else might care. Yeah. You know before this extortion things and then you can say honey, I told you already how much changed man it was. It was five years ago and I don’t do that anymore. Whatever it is. Yeah, I get out ahead of it maybe. Mm.

[01:02:36] Brad Nigh: Okay, well it goes back to your you know, there’s no two. There’s no low that’s too low. No,

[01:02:42] Evan Francen: no, it’s all about the dollars. All right, well we talked we had a good talk. I really enjoyed talking about the money grab. We could’ve talked for probably days about that. Uh but that’s it. Episode 65 is in the bag, Brad. You’re going to talk next week about it sounds like the tips for talking to the board. So that’s a good one. That is a good one. So, tune in next week if you want to hear about that. Uh thank you to our listeners. We love hearing from you. When we hear from you. If you’ve got something, look at that. My whole notes went down. I’ve got something to say, email us un security at proton mail dot com. If you would rather do the whole social thing, you don’t you don’t tweet much to you.

[01:03:27] Brad Nigh: No, I said I use it mostly for

[01:03:31] Evan Francen: don’t too much as much as a game for a little while there. Yeah, I know. And I’m busy doing a ton of other stuff. I forget like crap. I haven’t tweeted in like forever.

[01:03:42] Brad Nigh: You know, like what I should do that and then I get busy.

[01:03:46] Evan Francen: But anyway, if you want to do that, I’m @EvanFrancen. It’s just how you spell my name. With no spaces between. Brad is @BradNigh. Same thing, not same thing but your name with no spaces. Uh if you like uh like company stuff, we work for SecurityStudio. That’s @StudioSecurity and FRSecure @FRSecure the company. People post some good things from time to

[01:04:11] Brad Nigh: time. They’re better about doing it on a regular basis right there.

[01:04:15] Evan Francen: Their job or something. Yeah. Right. That’s it. Talk to you next week.