Brad and Evan take an in-depth look at the state of employment in the information security industry, how to land a cybersecurity job with FRSecure’s CISSP Mentor Program and they chat about the news circulating this week surrounding the cost of a cyber-attack, Google’s GDPR fine, and hijacked Nests.
[00:00:22] Brad Nigh: Alright, we're back. It's Monday, January 28th. This is episode 12 of the UNSECURITY podcast from Brad and I, with Evan Francen again. Morning, Evan. Good morning, Brad. How are you today?
[00:00:35] Evan Francen: Doing well. Cold and snowy.
[00:00:37] Brad Nigh: Yeah, I got up at five to clear the driveway and it's a good thing, because we got about, I don't know, eight or 10 inches I guess out there, but it's drifting. There was somewhere like, into each other, so it was like a foot and a half with the drift. Yeah.
[00:00:52] Evan Francen: Well, you want to hear what happened? So I couldn't sleep last night for some reason. I'm not stressed or anything. I just couldn't sleep. So I came into the office about 2:30 PM.
[00:01:03] Brad Nigh: It’s an email from 3:30 when I got up I was like what is he doing?
[00:01:07] Evan Francen: What am I doing? Well, you see, I was sitting there and you know, it's like, may as well do something. I'm not getting anything done just sitting here in my room. So you came into the office, but the roads were terrible. I couldn't tell where the road was. Came down County Road 10 and
[00:01:30] Brad Nigh: yeah, I came in, so I left about six and they had plowed, so they weren't bad, but there was so much, it's so dry. It's like blowing everywhere and you can't see, it's all reflecting back.
[00:01:42] Evan Francen: I have a flight today at 2:45, so I'm hoping that everything goes well. I hate traveling when there's weather. Thankfully the government's working again. So that should
[00:01:54] Brad Nigh: be a problem. Take some stress off of the air traffic controllers
[00:01:58] Evan Francen: because last week I saw, because I'm going into Newark, and I saw that, you know, they had people calling in sick out in New York, so there were huge delays last week, and I'm thankful that our government, who can't seem to agree on anything, finally did something.
[00:02:18] Brad Nigh: Yeah.
[00:02:19] Evan Francen: Yes, those guys went from no paychecks to full paychecks.
[00:02:24] Brad Nigh: Now they're getting their back pay, but still, it's gotta be, I can't imagine the stress. They should get it back
[00:02:29] Evan Francen: plus interest. So something, they worked hard enough. It's not
[00:02:34] Brad Nigh: a stressful job. Yeah, I wouldn't want that job, that's tough. So one of the things we've been asking for is feedback, and we've gotten some really good feedback the last week or so over this. One of them is we've got an email from somebody, a network engineer, five years experience, has a CCNP with CCNA, so more network focused, and
[00:03:00] Evan Francen: so this is an email that came into our ProtonMail.
[00:03:04] Brad Nigh: Yeah, unsecurity at ProtonMail. Un
[00:03:06] Evan Francen: security at ProtonMail. Okay.
[00:03:08] Brad Nigh: Um, you know, going to go through the CISSP Mentor Program. It's April, so we'll talk about that here in a second, but you know, what else should he be working on? What could we do? Um, you know, that would make him stand out. And you know, I was thinking about this, and one of the things that came up is we had had an interview with somebody who I had worked with in the past, who was very worried about very similar, like, well, I don't really have the experience, I don't have the chops, what am I? And one of the things that I think I was telling him is, if you do security the right way and just do some, well, what I guess I consider common sense, you know, are you checking for inactive user accounts? Are you looking at who's in Domain Admins? Do you know what ports are open? Do you know who has access to modify these? Just this really basic stuff. You're ahead of what, 85% of the people out there, or the places out there. Sure, I think. Yeah.
[00:04:14] Evan Francen: Well, so they see me. Yeah, I really liked this, uh, you know, this person's email, um, because he wants to break into the security industry, right? He's been in IT for a while, you know, five, six years, and I really liked in this email, to reset, you know, what would it take? Especially for a company like FRSecure? So it's like, cool, I mean, that right there sets you apart, but one of the things that's always worked for me, even before we started FRSecure in 2008, was hiring people for the intangibles. It's a big one. It's always served us really well. You know, we can teach you security stuff. Yeah, right? It's not rocket science, and so much of it is so logical, right? I mean, the stuff that you need to mention, common sense, and I have a saying that there is no common sense in information security, but here we do have common sense,
[00:05:14] Brad Nigh: right? Yeah. I guess this goes back to your, you know, we're not normal. All right. Yeah. Yeah. It was funny that, um, we're going through the interview with the other guy and he comes back and at the end of it, he texts me, was like, that went, wow, I feel like you guys are like setting me up, like when's the other shoe going to drop? This can't be, you guys can't really be that good, and that sounds too good. No, it really is. This is what we do, like when you make a difference and you feel like you're actually making a positive change in helping people, it translates throughout the whole organization. And he went through, well, four because he's been with me, but three interviews, and it was everything, he got the same message from everyone, didn't matter who it was. And that's good. Made me feel good to hear that from an outsider who I know would not sugarcoat it. Like, he's definitely called me out to help me out when we were working together before. So that's cool.
[00:06:15] Evan Francen: So well, that's one of the things that's neat for me. You know, I can't remember what I was, I think I was writing this weekend on my blog at evanfrancen.com. I was writing a post about, you know, this crazy mission that we started with, and it was crazy when we had three employees. Now, you know, you have 70-ish and you've got 20 partners and you've got a book, and it's becoming a lot less crazy. But it's you guys, it's that belief in it. And you mentioned that there were three other people that interviewed this person, and everybody believes in it. We come here because we love, I mean honestly, we love people, and I've said before, security isn't about information or security as much as it is about people. If people didn't suffer because we sucked at our jobs, it wouldn't be a big deal, right?
[00:07:16] Brad Nigh: Yeah. And you know, I think to tie back to this email, like it comes back to just do things the right way and have a passion for what you're doing, and that's what's gonna make you stand out. Like, just show you're doing things
[00:07:31] Evan Francen: right and don’t be a jerk,
[00:07:34] Brad Nigh: leave
[00:07:35] Evan Francen: your ego at the door be a good person. And so for us, that’s what it would take. Just just be a quality individual.
[00:07:45] Brad Nigh: Are you going to be a good fit for the team? It's good. We've hired some associate level people that are good fits and have just taken off because they can learn, but if they're not the right fit, yeah, it's not gonna work.
[00:08:04] Evan Francen: That's one of the most rewarding things about my job, is just seeing people, you know, start junior, you know, and work their way to becoming rock stars.
[00:08:18] Brad Nigh: Yeah. Yeah. I've had a couple that just over the last 6-8 months, one year now, it's just like, wow. Where they were a year ago and where they're at now, it's just night and day. It's really exciting. I like that too.
[00:08:36] Evan Francen: Yeah. So this guy, I can already tell from his email that, I mean if it were me, I don't do hiring anymore, but if it were me, I'd give him an interview. You know? He's ambitious. He reached out. His email is not full of grammatical
[00:08:55] Brad Nigh: errors, right? Crap. Uh, so much of what we do is customer facing, can he communicate well? Yeah.
[00:09:04] Evan Francen: He even says in his email he's got very good soft skills. That's obviously very important. If you can't communicate with, uh, you know, customers, can't communicate with normal people, then that's gonna be an issue. Yeah.
[00:09:19] Brad Nigh: You know, and you know, it was fun. I put up here on the screen, I've gotten a couple of, oh, I didn't copy it in here. There it is. I got reached out to a couple of times on LinkedIn, uh, just because of the mentor program that we did, and you know what I'm saying, just found the 18 2001. Looking forward to the 2019 to watch a person I've been made aware of it. Can I pretend us and eric remotely? Um, and then that one is an actual question that I didn't look at yet. So we'll skip that one. No. Uh, the question is, can you, once you've answered it, can you go back? I don't know. I think you're on the exam now, the new one. And I meant to ask. We have a couple of analysts who took it since it changed that I forgot to ask.
[00:10:10] Evan Francen: Yes. I mean, I took the CISSP in 2005 when it was the fill in the blank with a
[00:10:16] Brad Nigh: pencil. You know, I had it on the computer. I did have to take the CSM with a pencil and paper. That was no fun. But yo, getting this feedback just from random people on LinkedIn and getting some, uh, it kind of validates what we're doing and makes it worthwhile. You know, we're in here at 6:45 on Monday morning with a foot of snow outside and it's like four degrees. We're doing the mentor program and it's, what is it, 6 to 8 I think. Right, 6 to 8, Mondays and Wednesdays this year starting in April, and it's all free. It's not like we're, we're volunteering to do it
[00:10:57] Evan Francen: right? And I posted on my LinkedIn, I don't know, you probably haven't seen it, but I posted on my LinkedIn yesterday. When you post on LinkedIn on Sundays, you don't get much of a response. But this will be our 10th year of the CISSP Mentor Program.
[00:11:13] Brad Nigh: That's the third one I'm doing. Yeah.
[00:11:15] Evan Francen: We started with six students, and last year, you know, there were 350 who signed up, and yeah, it's really, really cool, and there are no strings attached. I did say in my post that, you know, that may not be entirely true. We might hire you, because we've hired
[00:11:34] Brad Nigh: a lot of those students.
[00:11:38] Evan Francen: Mhm. And I think going back to that original question that we got on the unsecurity at ProtonMail, uh, for here, what it takes to get hired here is just being a great person. Just being a really good person. Yeah, we'll teach you the security stuff. We found that sometimes when we hire people that have really solid security skills, or at least seem to, that we spend a lot of time unlearning, you know, bad habits
[00:12:07] Brad Nigh: and rather hire, especially with kind of what we're doing and how we deal with the consulting side, hiring people with the IT, with the business, with the networking, with systems administration, whatever it may be, that are used to dealing with both sides, it's more successful than someone who has been doing security for 20 years already and is set in their ways.
[00:12:33] Evan Francen: Yeah, I think it's a lot easier to learn security from a technical background than it is to come from a non-technical background. So you were saying, so the CISSP Mentor Program starts in April, so
[00:12:46] Brad Nigh: it's in April, already full for in-person seats. It's already sold out. 30 seats filled, good, hasn't, and then like, mhm. But pushed or public, whatever the marketing people do. Yeah, whatever they are. What is it, what is it, publicized? Yeah, that one, it's too early
[00:13:06] Evan Francen: right now. It is really the, and I have so much fun. I mean, I don't know if this is the 10th year and we have people here that can teach it, but I'm still glad that I get to be an instructor too. I mean, I wonder if I'll always do that. I guess there'll be a time when I just don't have the skills anymore, you know.
[00:13:31] Brad Nigh: Oops. I know it is crazy how fast you kind of drop out of some of that stuff as you your role changes.
[00:13:40] Evan Francen: So you'll be teaching this year, I'll be helping, and I'll be teaching this year, and then we might have one or two other analysts
[00:13:47] Brad Nigh: helping out with either the classroom or the, oh, we're doing the online. Okay. A portion of that. We'll see
[00:13:58] Evan Francen: in the, you know, what's the link for that? It's www.frsecure.com/CISSP. I don't
[00:14:10] Brad Nigh: know. If you go to frsecure.com and events, events, events, you can, there's the CISSP Mentor Program, you can go there and sign up, sign up online. I think we have up to 500 online. Okay. And we've got, I don't remember how many slots are left, but
[00:14:31] Evan Francen: It'd be nice to max that out. Yeah, because I'd like to, I'm sure this is you before, I'd like to, you know, do this more than once a year at some point, but obviously you can't, it's too much to have one person. We'd have to have teams. Exactly, because it does take a lot out of you. You know, it's 14 sessions, two hours each. And that's in addition to your normal work week. It's, uh, it's a little
[00:15:04] Brad Nigh: tiring. It's gonna be a long, yeah, but then you get the people writing and, you know, hey, I passed because of it, and I got feedback that, you know, the class we did for free was better than the boot camp they paid for, and thousands of dollars, these boot camps aren't cheap, so
[00:15:27] Evan Francen: well yeah, the mentor program, we're trying, we want to give you all the skills, not all the skills, all the knowledge that you need to pass the exam, but then also tell you what it's really like,
[00:15:38] Brad Nigh: right? I think that's the difference. Right? A lot of the boot camps are just reading it out of the book. It's just here, here it is, out of the book, out of the book. There's not that real-world, like, interjection that makes it stick
[00:15:56] Evan Francen: as soon as you’re done with the exam, you can forget this. You’re never gonna
[00:15:59] Brad Nigh: do it again. Right. Right. Or even with, like, I know you go off on tangents, shockingly, in that class, where it's like, well, here's what I've run into here, and like making it relatable so people can understand, like, these really, not off the wall concepts, but unused or uncommon things that you have to learn about, the Rainbow Series.
[00:16:27] Evan Francen: What? I'm scared. Bell-LaPadula.
[00:16:28] Brad Nigh: Yeah.
[00:16:30] Evan Francen: Yeah, I'm gonna forget about that. So I did, last year, the University of Miami hired us to do a boot camp for them. Just them, and I went down and did that, and that was four days, and it was sort of hell, it's so much stuff, so you
[00:16:51] Brad Nigh: didn't want, I did one last year before anything, and yeah, I was so, Friday at the end of the day in
[00:16:57] Evan Francen: four days. Yeah. And if you don't take the exam right away, because you can't retain it, you can't take that much information in and retain it for a month and then take your exam. It's like, if you're gonna do the boot camp one, do your exam like
[00:17:16] Brad Nigh: look, right away, the next day. I felt bad. Yeah. You probably had the same experience where, like, I was fried at the end of those days. Like, just, and then you start looking at the people in the class and you're like, oh yeah, no, I can only imagine how they feel trying to absorb all this. I'm just talking about it. That's, you know, that's the easy part. But yeah.
[00:17:41] Evan Francen: Well yeah, I don't know, were you losing your voice at the end?
[00:17:45] Brad Nigh: Oh, so many, like, cough drops and water. I went through so much
[00:17:50] Evan Francen: water, because those days are like 10-hour days and it's four of them in a row. Yeah. So you're talking for like 30-some odd hours. Yeah.
[00:18:01] Brad Nigh: If you're not used to it, it's, uhh, it'll tear you up. But we got, so I had six or seven in that class, and one reached out and asked for the sponsorship, which yeah, you know, the others, I think they said that it was going to be a multiyear, long-term thing. But they wanted, this was gonna be their start. So only one was ready to go hammer away at it, which made me feel good.
[00:18:32] Evan Francen: Well, I think most people, if you haven't, if you don't have any security, like real security chops, you know, it's okay to go through a CISSP Mentor Program or go through a boot camp and not take your exam. Oh, you know, and then do it again
[00:18:50] Brad Nigh: with the preparation the second time, you're like, that's your
[00:18:54] Evan Francen: I've had students in the FRSecure CISSP Mentor Program, multi-year students. Just kind of cool. Yeah.
[00:19:04] Brad Nigh: It always surprises me, as we started to see more, like, management, executive, C-level attending with no intention of taking the exam, simply to get a better understanding of what's going on. Just a, and yeah, I could ask, and it's like, no, you don't have to. There is value, just it, and I want to say, it sounds kind of off, but it changes how you think, right? And that's not a bad thing. Especially around security.
[00:19:39] Evan Francen: Yeah. Oh yeah, for sure. So many different kinds of people. I mean, like you said, you know, C-level execs, salespeople, IT people, college students.
[00:19:55] Brad Nigh: Yeah, and all over the world too.
[00:19:57] Evan Francen: Oh yeah, that's one of the questions I get asked all the time, is can I take this online. Yeah, absolutely. It's a, you know, like you were saying, up to 500 people online. Last year we had 350. Yeah.
[00:20:11] Brad Nigh: So you know, maybe it turned up now, with 350, just over 350, and we had about 175 that actually went the entire, all the way through. Yeah, which for a free thing that's actually live listening, I would be willing to bet a lot more signed up, listened to a few, like okay, and then downloaded the, you know, the recordings and listened to it when it was more realistic for them. But I was really, that's really good that we kept that retention rate, given how super exciting the material is. I'm
[00:20:52] Evan Francen: telling you, man, when you get towards the end of the classes, you start, I start running out of gas, you know, oh my God,
[00:21:00] Brad Nigh: I'm tired. I was like, this, it is way easier to do those two-hour blocks when we're alternating, or you know, you're there too, even if I'm leading it, just to be like, uh, because you run into just those blocks where it's just like, hey, Evan, help. Yeah, just interject every now and then.
[00:21:25] Evan Francen: It's really valuable. So, and I'm hoping that a lot of these CISSP students, as they begin their careers or improve their careers in information security, that they'll do the same thing we're doing, that they'll give back. You know, we have this huge, huge shortage of talent in our industry, and you know, the way we solve it, I think one of the big things we solve it with is by continuing to give to people. Rather than somebody having to pay $5,000 to $6,000 for, you know, a class, do this one for free. I don't have to get my employer to pay for it, because your employer probably knows that once you get your CISSP, they're going to need to give you a raise, or you're gonna leave.
[00:22:09] Brad Nigh: Right? So they're not, unless you're in a security role. Yeah. You're not gonna. Yeah. Yeah. And you know, I think part of it for me is exactly like giving back and being there to kind of mentor, and people throughout my career that have, you know, helped out, and just little things that were like, how, that really made a difference, and yeah, yes, give back and hopefully help someone else out. Doing the cybersecurity mentor program at one of the local school districts again. So that will be, yeah. I just got the email last week. That is just kicking off. That's clo
[00:22:54] Evan Francen: When I remember when you, the first year, you, you know, you started helping, you know, buddy, I didn't even ask you, you just did it, and that goes back to those intangibles that we were talking about, right? I mean, you epitomize that here, and uh, yeah, and then you got roped in, now you can't say no
[00:23:14] Brad Nigh: anymore. I know, okay. Yeah, it's like, really, come on,
[00:23:18] Evan Francen: be careful what you
[00:23:19] Brad Nigh: volunteer for, right? But it'll be good. We're taking a little vacation before the, uh, program this year. So yeah, it'll be, you find, come back and get into it. Make sure that everything hasn't fallen apart. World war. All off. Right?
[00:23:37] Evan Francen: So Mondays and Wednesdays, starting April 8 and going to May 29,
[00:23:43] Brad Nigh: 6 to 8 Central.
[00:23:45] Evan Francen: Yeah. So, uh, again, go to www.frsecure.com and click on events and you'll find the Mentor Program listed there. Register. Because I'm guessing, I would guess that we're gonna top the 500 and we'll probably have to cap it there.
[00:24:03] Brad Nigh: It'd be crazy. And going back to the question, what do you do to stand out? If you are listening and kind of nodded along and enjoying us and are still listening, that's probably a good sign. Right? You can put up with our banter here. This is who we are. So at least
[00:24:22] Evan Francen: we spent a lot less time talking about, I don't know, just kind of daily stuff. I mean, so which is cool to him, and I like talking about, that's good stuff. We are, when you got to keep it in balance too, right? Yeah. I don't work 24/7.
[00:24:41] Brad Nigh: Really, except at 3:30 AM.
[00:24:44] Evan Francen: Well, but I can't
[00:24:45] Brad Nigh: sleep. Yes, but yeah. Well, you know, I think that's, I think it's fun, is this is, Evan and I are very similar in that we just, this is us. This is who we are. It doesn't matter when you talk to us, this is what you get. So
[00:25:05] Evan Francen: yeah. Which just makes it easier to write. I was talking to my wife actually, now something came into my head. So I'm writing a second book, right? I wrote this, uh, I was writing this piece about cyberwar and whatever and how it affects people and things like that. And in there I quoted a conversation I'd had with Peter, and Peter asked me one day, and I was in a mood, he asked me, is there anything I can do to help you? You know, he's always asking, is there anything I can do to help you? I said, Peter, yeah, just do your blank. Right? That's the word. I don't want to get the explicit thing on our podcast. So he's like, and he gave me this puzzled look. Like, what? Because I don't normally talk like that. And I said, yeah, man, just imagine how great life would be if everybody just did their stuff, their stuff. Right. And uh, so, you know, I shared that with my wife. I said, hey, read this, tell me what you think, as sometimes I'll just, because she's a normal person, mm hmm. You know, I'm like, does this resonate with you? And so I gave it to her and she goes, yeah, but you know, I don't like the swear word, and I'm like, but that's what was said, that's who I am. And she goes, well, yeah, but you know, it'd be nice if you, you know, kind of curbed them, like, but that's who I am, right? That's what I said. That's who I am. And I would be hypocritical if I did something else, right? It's the same way with, like, everything. You know, I don't want to be somebody I'm not. I want people to, you like me, you don't like me, for who I am, not because I'm trying to impress you. Yeah.
[00:26:55] Brad Nigh: Yeah. It’s funny like yeah, I agree.
[00:27:01] Evan Francen: We’ll use the same way, right? You know, this is who I am if you like it great if you don’t. Well,
[00:27:06] Brad Nigh: It's funny, like we were in talking with a potential new customer and we're just talking about the services, and they said, well, what about security policies? And I just kind of went off, and I'm like, well, so it was a lawyer there, the general chief counsel or whatever. And I was like, well, here's the problem with policies, right? Average reading level in the US is what, like eighth grade, between 8th and 9th grade. What's the average level of these policies? And because they said, well, we downloaded these well-known sets of policies. And look, it's graduate level, how are you expecting people to understand this and do it? So what we've done is going through our whole approach of trying to simplify this. Obviously you can't be totally simplified, but then we pull everything out into acceptable, uh, the whole thing, and she goes, I don't think I've ever seen anybody get that animated, fired up over policies. And I was like, well, I didn't tell you, we've got five people in the world that like to write policies, or that's why it's
[00:28:10] Evan Francen: perfect this week, because you're filling in for me twice this week, one for a board presentation on an assessment that we did, super appreciative of that. But then the other one, which I totally dropped the ball on. And my advice is, there will be a day, Brad, when you have an admin, and when you do, let the admin do the admin stuff, because I tried to schedule this myself, thinking, oh yeah, I can do that. And then my admin says, well, but you're in New Jersey. Crap. So you're filling in on this panel, 300 lawyers. Um, but the coolest thing, not me, not. The coolest thing, the cool thing about it is you get to talk about policy, you're a natural for that. That's going to go
[00:29:00] Brad Nigh: People are perfect. They make it too hard.
[00:29:02] Evan Francen: What do they say in the UK, swimmingly. That's going swimmingly.
[00:29:05] Brad Nigh: I'm excited to get, people just think it's too hard. It doesn't have to be complicated. Anyway, we'll go, see, now you can get me going off. All right. So should we talk about some news? Sure. So the first one, the first one we had is off the Threatpost, this, uh, ThreatList: $1.7 million is the average cost of a cyber attack. So this was out of a survey by Radware, their 2018-19 Global Application and Network Security Report, analyzed vendor-neutral survey data from 790 IT execs. And what they said was, when people have, click on this, the cost estimate of a cyberattack with no formal calculation process, if you were to just ask someone and they don't really have any formula, they're gonna guess it's around $880,000. If they have an average cost, it was 1.1 million. And then the cost estimate of a cyber attack with a formal calculation process, so they're actually having some, uh, formalization around this, was $1.7 million. So
[00:30:18] Evan Francen: they did some math
[00:30:19] Brad Nigh: thing, they did some math. So quantitative, quantifiable monetary loss. And what's interesting is that, uh, the main impact is revenue killing, operational productivity loss, which is just 54%, and then negative customer experience at 43%. So, you know, what do we try to do? Minimize the risk of that happening. And this is interesting, because to me it is a different one than what you see out of the Ponemon study. So we're starting to see more, uh, more of this type of data come out, you know, how full or how comprehensive is it? I don't know, but honestly it probably isn't bad and is realistic when you consider reputational loss and loss of business and stuff.
[00:31:16] Evan Francen: Radware's interesting. Um, I go way back with Radware. Yeah, Radware started in 1997 and we bought one of their first products, it was a web load balancer. Okay, so it's funny when you chose the stories, like, Radware, what the hell do they know about security? Because I haven't done anything with Radware since those days, and yeah, anyway, so yeah, every one of these studies, you know, I take it with a grain of salt, because one of the issues I have is just the sample error rate, you know what I mean? There's just not good, there's not one, like, centralized location where you can actually capture all this data and mine it for really good conclusions. But I think this is one of the better ones, it seems like they, you know, it's a pretty good
[00:32:10] Brad Nigh: job, you know, I think 790 is a decent size, but when you consider, you know, how many small businesses, million. Yeah, it's still pretty small. So but you know, I think to me what was encouraging is at least somebody is looking at it. Now we're trying to, there are people looking and trying to quantify this a little bit. What we see so often is companies say, well, it's not an issue for me, until it happens, then it becomes a priority. So maybe if we start, you know, it's not that, you know, you don't want to spread the fear or whatever. But maybe if you get people to start seeing and understanding, hey, there's a legit cost associated with this,
[00:32:55] Evan Francen: right? Well, I think one of the, um, I think maybe, probably not next week, but maybe the next time, I might have a guest in who, uh, was victim of a rock ransomware attack, and this is a, they would be a classic example of an organization that didn't think of it until it hit them. Right now, it didn't cost them, like this Radware study, it didn't cost them $17 million. It probably cost close to a million, because we talk about, you know, I think they spent maybe a quarter million dollars just on us,
[00:33:39] Brad Nigh: just on remediation. Yeah.
[00:33:42] Evan Francen: And then when you consider the downtime, and they were down, even, they were down for like a
[00:33:48] Brad Nigh: week. They didn't, they
[00:33:50] Evan Francen: There had to be some lost revenue there. So yeah, there's definitely, you know, prevention, what do they say, an ounce of prevention is worth a pound of
[00:34:01] Brad Nigh: cure. Yeah, I'd rather spend a little extra time on the front end than trying to figure it out later. The one really good quote out of this was from the CMO for Radware, Anna Convery-Pelletier, maybe that's what it's called, that's called, I apologize for mispronouncing her name, but it's a really valid point. Well, she said, well, threat actors will have to be successful once, organizations must be successful in attack mitigation 100% of the time.
[00:34:31] Evan Francen: Yeah, common
[00:34:33] Brad Nigh: quote. I mean, it's just good to see it out there again. Right? It just kind of drives that point home, especially when you're looking at these numbers. So
[00:34:43] Evan Francen: yeah, it's true. I mean, attackers can afford to make mistakes, we can't afford to make mistakes in what we do. So that's why, no matter what, there's going to be breaches that occur. It's also interesting, that's one way our hands are kind of tied in this game that we play with attackers. And the other one is we have all these laws. Attackers don't give a crap about laws, right? We have to play by the law. So we play the game with rules, they play the game without rules.
[00:35:13] Brad Nigh: So it's not wondering. Yeah, and they can, if they mess up, they just move on to the next one. Right? If you mess up once, you're in the news. Yeah. Yeah. So
[00:35:26] Evan Francen: yeah good study though. So threat post um what’s the name of the article again?
[00:35:33] Brad Nigh: It was the threat list, 1.7 million is the average cost of a cyber attack.
[00:35:38] Evan Francen: You know, I wonder if that resonates with anybody. I mean, I wonder if a CEO sees this email or sees this post, because in my mind what I think they think is, like, just more fear tactics, more
[00:35:57] Brad Nigh: I don’t think they pay attention. That’s the problem. It’s that fine line of, hey, no, this is something you have to be aware of, versus is this just somebody selling more FUD? Right? So
[00:36:12] Evan Francen: Unfortunately a lot of these studies are done by product sellers. Yeah. So they have a vested interest in this being as big a number as possible.
[00:36:24] Brad Nigh: Absolutely. Yeah. So, well again, I think you said it, you know, for a data driven industry we have really poor data.
[00:36:36] Evan Francen: Crap for data. So let me ask you. So you’ve been in security for a long, long time. Have you ever taken something like this and tried to get budget from your executives with stories like this? The
[00:36:51] Brad Nigh: only one, well, the only one I’ve done was around mobile device management, and there was, you know, the average, it was the Ponemon study because that’s all that was out there. This was, it’s been a while, but it’s like, you know, hey, the average cost of a breach is whatever, $200 a record, it costs us whatever. I don’t know, $4 or $5 per device is going to cost us in order for that MDM. Right. Right. For the devices, we would have to have our MDM for whatever, nine or 12 years, or we have one breach, like the cost of one breach, we would have this MDM for. So if we could prevent one breach in 12 years we had a return.
[00:37:38] Evan Francen: So you put it into context for them really well. I mean, because if you just take this article, right,
[00:37:47] Brad Nigh: Right. Oh yeah, no
[00:37:48] Evan Francen: into an email and send it on to your CEO, because
[00:37:51] Brad Nigh: that’s going to work.
[00:37:52] Evan Francen: Right, it doesn’t work. They get bombarded with
[00:37:55] Brad Nigh: this. Yeah. No. Yeah, you would have to put it into context and apply it for them. Just, yeah, give them some sort of
[00:38:05] Evan Francen: And I think even within our industry, and then we can go on to the next news thing, I think even within our industry we’re so tired of seeing these kinds of posts, even though this is a good one, one of the better ones. Yeah, I mean, I’ve seen so many news articles of it’s gonna cost you this much and it’s this bad and there’s so many attacks every year, and da-da-da-da, and after a while I think it just doesn’t
[00:38:30] Brad Nigh: collect. Yeah, I think you need that context. Right, okay. Million. This one was good because it does break it down by industry, and it has what they define as an incident, and so, you know, HTTPS flood, growth in DNS attacks, burst attacks. So, you know, they didn’t break it out pretty well. But
[00:38:59] Evan Francen: Education costs the least. Yeah, 310,000 for an education
[00:39:06] Brad Nigh: breach. So anyway. Right. Good. Good conversation. Good. At least we’re starting to see, we could talk for hours, give me more data out there. It’s important. Next one we had was from Infosecurity Magazine: Google’s €50 million GDPR fine heralds a new era. So Google got a $57 million US, €50 million, fine in France for failing to notify users about how their data was used. So apparently this was filed the day after GDPR went into play. And, you know, they’re saying they had an automatic check box for an opt-in; it was automatically checked, which was the big no-no in GDPR. So we’ll see what happens. But it’s related to the creation of a Google account on Android.
[00:40:05] Evan Francen: Yeah, this caught a lot of buzz this past week, and I saw a lot of Twitter posts. I saw a lot of talk about this one and, you know, most of them were, it’s only $50-some million dollars for Google. You know, they don’t even care. But it’s the same thing that we were talking about last year with GDPR: you don’t know the true intent of how GDPR is going to be used until you start seeing enforcement. So it’s not the dollar amount; don’t get wrapped around the dollar amount for this.
[00:40:41] Brad Nigh: This is setting the precedent.
[00:40:43] Evan Francen: Exactly, focus on the precedent, because that’s something that you can use, right? It’s not going to hurt Google at all. But it does set a precedent. Yeah. That I need to follow. I know how they intend to enforce this part of GDPR now, so I better, yeah, I didn’t do my opt-in options correctly.
[00:41:04] Brad Nigh: I like the quote from Javvad Malik from AlienVault about, you know, when you’re dealing with customer data, what is the purpose the data is being used for, and how long, and have the users given informed consent? If either answer is unclear, should not go ahead with it. That’s pretty easy to follow. Like, what are we using this for? We’re gonna sell it and make money? Time out, we got a problem. Why do we need it? How long do we need it? And are we clear that they’re giving consent? So it will be interesting to see how this plays out long term as there’s more of these. Obviously Google is going to fight this in court, and, you know, how long before it’s actually applied, or if it’s reduced or anything.
[00:41:55] Evan Francen: I don’t know if they will fight it. I don’t know. I guess it depends on, I don’t know. I mean, if I were Google, I’d be like, all right, fine, pay the 50 million. It’s a drop in the bucket. Focus on
[00:42:08] Brad Nigh: Well again, but it sets the precedent too.
[00:42:10] Evan Francen: Right. But I think the precedent has already been set even if they do appeal and win.
[00:42:16] Brad Nigh: Right. Well, I guess that would be, what are they going to appeal it on?
[00:42:20] Evan Francen: Right. And if it’s like, and I don’t know that part of GDPR very well, but I know, like, in the US when you’ve got administrative law, you have an agency who creates those rules. So, like, say the FTC for instance, and if they’re going to fine you and you appeal, who do you think you’re appealing to? You’re
[00:42:46] Brad Nigh: appealing to them. Yeah. We talk about that in the
[00:42:50] Evan Francen: program. You sort of just take it, just take it, because the game is rigged against you.
[00:42:58] Brad Nigh: Yeah, it’ll be interesting to see how that, because Google is studying the decision. My guess is they look to see if they, yeah, all right, are able to, you know, because obviously companies don’t want that precedent set against them.
[00:43:15] Evan Francen: Yeah, but does Google care? I mean, Google is like, I don’t know, man, ever since that,
[00:43:24] Brad Nigh: well, they changed their logo from
[00:43:26] Evan Francen: and the breach on Google+, where they just kind of hid it, and yeah, it was like, well, you’re lucky we told you about it, kind of mentality. It’s just like, Google pisses me off. Sorry. Yeah, but there is a quote from a lawyer from Dorsey & Whitney, and I think Dorsey & Whitney is a local, their headquarters is in Minneapolis, isn’t it?
[00:43:48] Brad Nigh: I don’t know. I thought so. But yeah, I could click on the link and see.
[00:43:58] Evan Francen: You know, lawyers, Dorsey & Whitney is a very well known international, they
[00:44:02] Brad Nigh: are in Minneapolis.
[00:44:04] Evan Francen: You know, that’s their headquarters. Yeah, they’re huge. So anyway. Yeah, GDPR, and I read somewhere else in a different article, not in this one, that there’s like hundreds of investigations currently going on. They have received thousands and thousands of complaints.
[00:44:25] Brad Nigh: I’ll be honest, I’m a little surprised we’re starting to see this this fast. I thought it would take them longer to investigate and finalize. This has been lightning fast compared to, I expected it to be in that 12-18 months before we started seeing some of these big ones drop, but
[00:44:45] Evan Francen: Well, I think you’re going to see a ton more. I mean, for some reason the number 695 is stuck in my head, but there are hundreds of investigations active right now. What’s the GDP-
[00:45:00] Brad Nigh: R. I mean, that’s why you’re seeing, you know, we’ve talked with companies that are here in the US. They said, you know what, we’re just geo-fencing, and they just drop a page if it’s outside the US and it’s an EU IP address.
[00:45:17] Evan Francen: Sorry. Yeah. Yeah, that’s your prerogative
[00:45:21] Brad Nigh: because they don’t know, and to them they don’t do enough business to justify risking it. They’re just like, nope, sorry.
[00:45:32] Evan Francen: When you see where GDPR fits into information security versus the other way around is, you know, it starts with asset management, right? So I’ve got hardware, software and data assets, and so much of this is around data assets, data flow diagrams, where is that coming
[00:45:50] Brad Nigh: to, you know, what you have and where it goes. Do you know where it is? So
[00:45:53] Evan Francen: if you’re doing security really well, fundamentally GDPR would be
[00:46:00] Brad Nigh: Well, that’s the problem. Well, it’s a good deal. That’s what I said. Somebody said, can you talk about GDPR in front of people? Like, no, I’m gonna go up there and say, look, it’s about, you know, what data you have, do you know where it resides at all times, and do you know who has access to it, and can you justify why you have it, what’s the business case? All right, nice talk. Yeah. I mean, at the end of the day, that’s really what it boils down to.
[00:46:27] Evan Francen: For sure. If you want to get more into the details, start there
[00:46:30] Brad Nigh: and then get more. Great. Okay, are you getting consent, together, and then we’ll get into that. But, yeah. Well, unfortunately we know not many people are doing, not enough people I should say, are doing security properly.
[00:46:48] Evan Francen: Right? And so, but here’s some advice: if you’re in the United States, start doing security properly, because it’s only a matter of time before GDPR-ish, California’s
[00:47:01] Brad Nigh: is coming in. Massachusetts
[00:47:02] Evan Francen: has some. California has 25, I think, data privacy laws.
[00:47:07] Brad Nigh: You know, they just passed that big one that
[00:47:10] Evan Francen: there’s a huge push right now from a federal level to have one federal and overarching data privacy law. What do you think they’re gonna do? I mean, why not just take GDPR and put, you know, the US stamp of approval on it? I mean, it’s coming, right? If you haven’t done data inventory, if you haven’t done those things that you just said, do it now. I mean, it’s a lot better when you get to do it your way versus being forced to do it in a short time frame.
[00:47:42] Brad Nigh: Yeah. All right. Last one. This was a little bit more lighthearted, but still, and I picked the source just because I know Evan loves it. It’s from Naked Security by Sophos: Hijacked Nest cam broadcasts bogus warning about incoming missiles. So this one, I mean, we keep talking about IoT and needing, there’s a push from IoT to get it out to market first, but then there’s nothing around how are they going to maintain updates, what is the security around it. So apparently in this case a hacker took over a Nest security cam to broadcast a fake warning about three incoming ICBMs, intercontinental ballistic missiles, launched from North Korea, sending a family into five minutes of sheer terror. So, Laura Lyons out of California. So they were, she’s preparing food and it sounded like the emergency broadcast alert blasting from the living room, followed by a detailed warning about missiles headed to Los Angeles, Chicago and Ohio. And it turns out, her attack, Ohio, right. It turns out her Nest cam got hacked, and they turned on the TV and were confused why it was showing the NFC championship game, football game, instead of the emergency broadcast. I think what really bothers me is the response on this. You know, like, there was a related story that somebody hacked into a Nest camera in October to ask a five year old if he’d taken the school bus home, and, you know, talking about broadcasting sexually explicit ibs, but, oh good. No,
[00:49:34] Evan Francen: I’m just, because how many of these were actually hacked, or was it, I set it up with defaults.
[00:49:40] Brad Nigh: Well, in, but it says Nest doesn’t come with default logins that users need to change. So you need to come up with, when you set it up, you have to set up your initial password; there is not a default.
[00:49:55] Evan Francen: I wonder if they set up weak ones. You know what I mean? Because I didn’t see anywhere in this article that it was an actual vulnerability in the Nest,
[00:50:05] Brad Nigh: it sounds like hardware or software, it was just being, it’s out on the internet, brute forced. And then, yeah, that’s my guess.
[00:50:13] Evan Francen: So this is an article, actually, I’m writing this second book and it’s information security for normal people, right? And normal people are putting these devices in their homes, Alexa and you name it, IoT. We’ve talked about that before too, and this is, you know, a classic example of, you know, being careful. So now try to explain this, because, you know, this is an article that is written, but the only ones who are ever going to read it are security people. Right, I tried writing, I wrote two paragraphs on what IoT is and then I gave it to my wife, she was my test, she’s my guinea pig. I said, does this make sense to you? She’s like, oh, that’s what that is. Like, yes, people don’t even know, they just go out and they see this cool thing, they go and buy it, the new Nest thermostat at Target. I gotta have
[00:51:15] Brad Nigh: that great
[00:51:16] Evan Francen: buy it, put it in.
[00:51:19] Brad Nigh: Uh huh. Yeah, and you know, so they changed their password, added two factor. Why don’t they make two factor default, turned on by default, have to turn it off?
[00:51:32] Evan Francen: because that will make it harder for people to use, and then you’ll get worse reviews online and people won’t
[00:51:36] Brad Nigh: buy your stuff. And that’s the problem with IoT, everybody, oh, we gotta sell, sell, sell, and then you get this. And I, yeah, I said I have the IoT thermostat, but it’s, a lot of security, isolated, I’ve got some DNS black-holing going on, and Alexa is turned off, so even if it were listening those requests are just black-holed so it doesn’t actually get out.
[00:52:07] Evan Francen: Yeah, we live in this world where people just keep adding more and more complexity to their lives, and it just makes it more and more difficult to secure, and you mean, yeah, it’s sad to see because people are just exposing themselves to all kinds of
[00:52:27] Brad Nigh: things. You know, we talked about it. I bought a house, or, you write a
[00:52:32] Evan Francen: book about this.
[00:52:35] Brad Nigh: It’s, but how social, and one of the things is it came with the builder grade appliances that were five years old or whatever, and so we’ve been slowly upgrading some of that, and we upgraded the refrigerator and washer and dryer, and the next is the dishwasher. My wife was looking at it and it’s like 25. What do you need an alert on your phone that the dishes are clean for? What if you’re not home, what good is that gonna do? You change it yourself? What value can you possibly get out of it? Yeah, if you, oh, I’m downstairs and it alerts me on my phone that the washer’s done. Okay.
[00:53:16] Evan Francen: You see, maybe it’s just the age that I’m at, or maybe it’s my age combined with, you know, the paranoia of being a security guy. But man, I just keep trying to simplify. It changes,
[00:53:33] Brad Nigh: it changes how you think
[00:53:35] Evan Francen: I simplify it? I’m trying to simplify, like, everything. Even, like, my dishwasher went out at home, so I’m just washing dishes. I mean, I can totally afford a new dishwasher, right? That’s not the problem. But why? I’ll just wash dishes by hand.
[00:53:52] Brad Nigh: Yeah, well, if you’ve got only like three of you at home now. I don’t have a whole, I think my wife might, you know, I mean, that survived if I told her, no, we’re doing dishes by hand with three kids and all that. Anyway.
[00:54:11] Evan Francen: So anyway, if you have IoT, okay, first of all, if you don’t know what IoT is, learn what IoT is. It stands for Internet of Things. That could be any number of things, but the point is you put something on the internet that controls something, right? And if you have IoT, do some research to find out, you know, what security features your IoT device has, find out if it can be updated, find out how you would update it, is it automatically updated, and just find out all these things. And if you are going to put an interface, because you can have IoT devices that don’t have an interface, don’t have a login from the internet, or maybe just a one way to a cloud strategy or something like that. But if it does have an interface and you’ve opened up a hole in your firewall to that interface, secure two factor authentication at a minimum.
[00:55:09] Brad Nigh: Yeah, right now,
[00:55:11] Evan Francen: I mean, these are basic things that I think a lot of people just, you know, don’t think of, unfortunately. Yeah, it’s gonna get worse. I mean, this one is kind of just prankish,
[00:55:24] Brad Nigh: right? But I think it’s because that is proof of concept.
[00:55:29] Evan Francen: Yeah, interesting you say that, because as I was writing about the cyber warfare thing, there’s a lot of proof of concept things that are going on right now, and I think a lot of it is, and I’m gonna sound like some conspiracy theorist or whatever, you’re gonna lock me up,
[00:55:46] Brad Nigh: but the logo for this episode will be Grandpa Simpson yelling at the clouds with your face on it. I
[00:55:54] Evan Francen: think, you know, our adversaries are doing a lot of information gathering and they’re collecting
[00:56:05] Brad Nigh: assets, and let’s be honest, it would be foolish to think that our government isn’t doing the same thing. It just kind of is the accepted, hey, this is
[00:56:16] Evan Francen: what’s going on. I just don’t want my computer or my IoT devices or my house being used, right,
[00:56:22] Brad Nigh: in this war. Well, again, it’s all about minimizing risk and managing your risk. So do what you can.
[00:56:29] Evan Francen: Fine. So this was very close to me, because obviously I’m writing about it. Yeah,
[00:56:35] Brad Nigh: Good. This is fun. This is a funny episode. I had fun today.
[00:56:39] Evan Francen: I always have fun with you, man. I honestly do. Okay. All right. Next week’s my show.
[00:56:45] Brad Nigh: Next week’s your show. Any questions or anything that anybody wants to send us: email@example.com
[00:56:51] Evan Francen: Yeah. And you can follow Brad @BradNigh
[00:56:58] Brad Nigh: H. And now you’re going to test me, and Evan @EvanFrancen. Yeah, yours is harder. It
[00:57:08] Evan Francen: is. It’s longer. I have less followers than
[00:57:12] Brad Nigh: Yeah. No, not likely. All right, man, have a good week. All right, thank you.