What Goes into Cybersecurity Penetration Testing

Unsecurity Podcast

This week’s episode includes a look at cybersecurity penetration testing, featuring special guest @vimk1ng (Eric Hanson), FRSecure’s Penetration Testing Lead, joining Evan and Brad from Reno, NV.

Podcast Transcription:

[00:00:19] Brad Nigh: Good morning everyone, and welcome to another episode of the Unsecurity Podcast. This is episode 51. I’m Brad Nigh, your host. Joining me today is my good friend, Evan Francen. Good morning Evan.

[00:00:29] Evan Francen: Good morning Brad. I like when you call me your good friend. I feel like you mean it. So it feels good. I do.

[00:00:37] Brad Nigh: So

[00:00:38] Evan Francen: Yeah, you see the doves flying.

[00:00:40] Brad Nigh: Rainbows. Uh, joining us this week as a special guest is FRSecure’s lead pen tester, Eric Hanson. Morning Eric.

[00:00:50] Eric Hanson: Good morning guys. Thanks for having me on the podcast.

[00:00:54] Evan Francen: Yeah, he’s in Reno and it’s early,

[00:00:57] Brad Nigh: early early.

[00:00:58] Eric Hanson: Huh?

[00:01:00] Brad Nigh: And we owe Eric a special thank you on this one because, you know, full transparency, we tried this on Friday because I was traveling yesterday, and we had some technical issues with the recording. So Eric’s up really early doing this again with us. So thank you Eric.

[00:01:16] Eric Hanson: Yeah, no problem. Technical stuff. I’m on vacation this week. So it’s like I got nothing else to do later today. So it’s fine. I’ll go back to sleep. There you go,

[00:01:25] Evan Francen: podcasting is harder than I thought.

[00:01:28] Brad Nigh: Yeah, security is easy, podcasting is tough.

[00:01:32] Evan Francen: We’re learning every time.

[00:01:34] Brad Nigh: So today, so we’re going to talk to Eric here. But before we do and talk about a lot of pen testing stuff, let’s catch up, because, you know, we really haven’t seen a lot of each other over the last couple of weeks. You’ve got the road show going on. I’ve had some stuff going on. So yeah, why don’t you catch us up right now with a week for the SecurityStudio roadshow? How’d

[00:01:54] Evan Francen: it go? It’s a lot of

[00:01:55] Brad Nigh: pressure. I know

[00:01:56] Evan Francen: Uh, it was week four last week. So, uh, I was out in San Diego, John was out in, uh, besides West Virginia... not West Virginia, but western Virginia, Charlottesville area, Wise. Do you know where Wise is?

[00:02:11] Brad Nigh: It’s down by UVA. That’s by Bristol, and yeah, kind of the southwestern tip down

[00:02:17] Evan Francen: there. Okay. UVA, that’s University of Virginia, correct. Yeah, that’s where he was. I was in San Diego, met some awesome people, I think, in terms of, you know, so what we do is we go out on the road show. Really the purpose of the road show is, uh, just establishing new relationships. I told, you know, the ISSA chapter out there on Thursday that, hey, I’m here, I’m not here to... make friends, you know, make friends, learn more about, you know, what you’re doing in your business. Uh, you know, honestly take some of that and learn, you know, apply it to our own business. But you know, we’ve been doing this since like 2008, right? So we’re kind of old hat in some circles with, uh, you know, security consulting. So it was taking what we know and helping them grow their business. I mean, I think we’re seeing some good results in some of these smaller consulting companies and helping them sort of find their way using the tools that we have. So it’s good. It’s awesome. Yeah. I think nine people. What I do is when I get back, uh, you know, I forget things really fast. Uh, so yes, you’re laughing because you know it’s true. Very much so. So I take the contacts that I made while I was out there, uh, and then put them into our CRM. So I remember who, you know, who they were and where they came from. Uh, so last week, uh, nine. So you know, I have nine new contacts in that CRM. The contact would be somebody that I actually had a substantive talk with, right? Um, yeah, learning about, you know, their business. And it’s funny because we’ve got a lot of people coming up to us now too that want to start their own business. One guy, you know, works at AT&T. He’s tired of the whole Fortune 500 thing. Uh, you know, you can tell his heart’s in the right place, you can tell that he really wants to help small businesses. Like, dude, you know, I don’t know your circumstances, but something, I mean, this is a thing, you got to do it, so do it

[00:04:18] Brad Nigh: will help you. That’s good. Yeah, so, uh, yeah, we’ve definitely been doing a lot of preaching lately. Um, I just got back yesterday afternoon from DC, from the ASBO, the International Association of School Business Officials, their national conference. Schools do business. Yeah, so CFOs and proctors and administrators, more of the business side of school districts all over the country. Talking to them about, you know, risk management and, um, some kind of training material that they can take back to their staff, and tips and tricks, and mentioned, you know, kind of helping out with the road show a little bit there, uh, to talk about the S2Org. It’s free. Yeah, just go do it. Start somewhere, even if you can’t, if you don’t think you can afford it, just start somewhere. It’s free, and then if you have questions, we’re here to help. Who can’t afford free? Right? So it was interesting. That was fun. Um, the only bummer was it was just really bad rain and storms. I spoke, our session was Sunday afternoon. Sunday morning, I couldn’t even see the other side of the Potomac River from the hotel room, it was raining so hard. So just nasty and gross. About noon it cleared up and by 2:45 when I spoke it was like 72, sunny and low humidity. So all the afternoon sessions had, you know, a quarter to a third of what would be expected, so kind of a bummer. But I can’t say that I blame anyone

[00:05:53] Evan Francen: when it was, you were speaking on a Sunday,

[00:05:55] Brad Nigh: it was a four day conference, Friday, Saturday, Sunday, Monday

[00:05:59] Evan Francen: Sundays are sort of unusual for speaking. I remember the last time I spoke on a Sunday.

[00:06:05] Brad Nigh: Yeah, this is kind of weird. This is the second one this month because I did that board meeting that was on a Sunday

[00:06:11] Evan Francen: board meeting. Board people are

[00:06:12] Brad Nigh: weird. Yeah, but it was good. Um, got a lot of, I think I got through to several people, kind of the talking about, just started with the basics, and yeah, so

[00:06:24] Evan Francen: it was good. I was putting together the roster of speaking engagements I’ve done this year because it just seems like, holy crap, right? You’ve done a lot. Yeah, it was like 30 speaking engagements this year. I did one yesterday, uh, Minnesota, the cybersecurity conference or Cyber Security Summit, was downtown at the Minneapolis Convention Center and very well attended. One of the people I ran into there, shout out to Peter Martin... Martinson. He was my room monitor. Okay, is that what they call those people?

[00:06:58] Brad Nigh: The,

[00:06:59] Evan Francen: the

[00:07:00] Brad Nigh: bouncer.

[00:07:01] Evan Francen: Yeah, yeah and they’re in the back, you know, and they flash the

[00:07:05] Brad Nigh: five signs, whatever. Yeah,

[00:07:07] Evan Francen: You flashed five minutes, sounds like I still got like 12 slides to do. I should, yeah, speed this up. I sort of was getting in the flow and then, yeah, and then he did that thing and then he said two minutes, I was like, no, we’re going like 10 more. But it was good, good, good talk. It was about the talent shortage problem in our industry, assuming there is such a thing, but it was taking it from three different perspectives. The perspective of the industry itself, you know, because you see like we’ve got 3.5 million openings and people are using words like catastrophic and epidemic and, you know, all these big scary words. So that was one perspective. The other two perspectives: one was from the perspective of somebody who’s hiring. So if you’re a company looking for talent, these are the ways that I would go about it. Um, you know, you have options, right? I can either buy talent, go to the market and buy talent, I can grow talent, which is one of the things I think Eric will be able to give us some insight on, how he grows, maybe how he grows penetration testers. And then the third option is to outsource it. They all have their pros and cons. Then the third perspective was, what about somebody who’s in the market, I’m trying to find a job, right? One of the common things we get all the time is, you know, they’re asking for experience, but I can’t get into the industry to get the experience, right? So it’s just kind of a Catch-22 thing. There was a good discussion. I think most people stayed awake, so I think it was a good talk.

[00:08:43] Brad Nigh: There was an insurance convention

[00:08:46] Evan Francen: at the same time that would have been exciting. They drink a

[00:08:49] Brad Nigh: lot. I don’t know. So, uh, Sunday I was grabbing lunch and just sitting watching the football games, and the guy next to me, we just started talking, and he asked what I was, you know, general conversation, and, uh, turns out he went to school for information security and stuff, but now he’s like an investigator of some sort or something for insurance. So if like you file a claim and they think it’s fraudulent, he’ll look at it. But it’s like, well, if you ever decide you’re bored with that, here’s my card. If you got a security background, right? Let me know. Yeah, that’s cool. So that’s interesting. Um, so to get Eric in the loop on this now, Eric, have you done or do you do any speaking engagements?

[00:09:35] Eric Hanson: You know? Up until now, no, not really. Um, but I’d like to. I’ve been trying to kind of take a route more towards that lately. You know, I’ve reached out to the local school district and, um, to, you know, another contact I know with the JROTC here, and I want to start speaking to kids actually. Um, it’s really important to me, I think, to educate, you know, young people, um, on kind of security, cybersecurity, and kind of, you know, career options for that, and kind of ways to, if they’re interested in that kind of thing like I was when I was a kid, to do it in a legal and responsible manner, that there’s all these resources now where you can do those things, you know what I mean? And teach them that, you know, it’s not just an illegal hobby, it’s something that you can actually get into and do as a career that people are needed for, you know. So I’m in the process of trying to do that.

[00:10:23] Brad Nigh: Okay, no, I was gonna say, so would that be like things like bug hunting, those types of activities?

[00:10:30] Eric Hanson: Absolutely, absolutely. There’s, you know, plenty of bug hunting programs out there that would be a great place for someone to get started if they were interested in learning more and being involved and they had a passion for this but, you know, didn’t have an outlet for it, you know. Um, and then on top of it there’s so many, just, you know, um, you know, Hack The Box type places, you know, where you root systems and stuff that people, you know, test their skills on and learn a little bit more. Some of them are specifically oriented to learning about, you know, new vulnerabilities and stuff so they can stay current and active. For that matter, that, you know, takes routes, uh, you know, hacking certain types of things that are going to be more harmless, single player video games and stuff like that, can teach you a lot about memory analysis and reverse engineering and all kinds of stuff like that. There’s a lot of outlets for it.

[00:11:14] Brad Nigh: That’s very cool. So real quick. Excuse me. Uh, no, you know who Ben is? Right. We won’t use his real name. Uh, he’s been doing some cool research, I think. Do you know when he’s gonna be speaking at Osaka in Chicago? Do you know when that is? Or don’t talk about that at all. It was,

[00:11:34] Eric Hanson: it was either yesterday or today. Oh, there you go. Yeah, I know. He was in Chicago yesterday. I just don’t know if he was speaking yesterday or for us today.

[00:11:42] Brad Nigh: That’s very cool.

[00:11:43] Evan Francen: I’d love to get a recording of that.

[00:11:46] Eric Hanson: Yeah, he’s been doing some cool research. You know, basic research and stuff. It’s a kind of thing, you know, sometimes research is one of those things that, it’s just, you got to kind of be alert enough to say, hey, this might be a big deal, right? Um, and give him some credit there, you know, he’s doing some basic enumeration, like you could do in any pen test, but he started looking at it and going, hey, this stuff here, it’s actually kind of a problem, right? And so now he’s been kind of traveling around and talking about that stuff.

[00:12:11] Brad Nigh: That’s pretty cool.

[00:12:13] Evan Francen: I think it was at BSides in Minneapolis a few, maybe a month ago. And that was, they had him talking. I hate when we have to. So talking on this whole speaking engagement thing, one of the most difficult times to speak is after lunch, you know. In some conferences, there’s a morning breakout and then an afternoon breakout, or a morning keynote and an afternoon keynote. And if you speak in a breakout after the afternoon keynote, it’s hard to keep people awake, man. They’re sort of grumpy. They’re groggy

[00:12:46] Brad Nigh: where they just don’t show up because it’s nice outside.

[00:12:49] Evan Francen: Well, there’s that too. But that’s good to know. Uh, Eric, that’s one of the things you’re looking to do is do more speaking, because you’re definitely somebody, personally, I would love to be in the audience just to hear what you have to say, because I’ve seen the work that you do. And I see, I love the way you think, you know, so it’d be, yeah, we’ll have to get you in front of more people. That would be fun.

[00:13:12] Eric Hanson: Absolutely. And I appreciate the nice words.

[00:13:15] Brad Nigh: All right. So let’s talk some pen testing. Um, and we’ll start with one area of confusion we see a lot of, uh, which is the difference between a pen test and a vulnerability assessment. Um, so I don’t know if you want to start and kind of give your take on what the difference is between the two and where people should start.

[00:13:36] Eric Hanson: Yeah, absolutely. Um, you know, with your vulnerability assessment you’re gonna be, you know, taking a look at, um, you know, what you have out there, what kind of services, stuff like that. You’re gonna be doing a lot of automated scanning, right? Gonna be taking a look at just general known vulnerabilities and then discovering those. Um, the real difference between that and the penetration test is you start to get a little bit, um, more detailed on the actual logic of an application or a service that’s out there. With the penetration test, you’re gonna see a lot more logical flow through something and see kind of how something will impact something else, right? So an example I’ve given before is, um, you know, a scanner will detect if you have something like an anonymous, uh, login available on FTP, but it won’t know the severity of that. Whereas a penetration test is gonna be able to say, you know, does this have access to upload, can it upload to an area that’s visible to the website, and then, if so, can someone upload code and execute it from the website to get remote code execution? That kind of logic, that kind of intelligence behind the testing methodologies, is necessary to find a lot of flaws in the environment. You know, automated scanning and testing and stuff can get you so far. It gets a lot of information, it’s a good first step. But the penetration testing just takes a step further than that and actually starts to introduce, um, some of that flow

[00:15:03] Evan Francen: Now I’ve seen like two things that seem sort of common, hopefully less common than they used to be. One is companies that sell penetration... that sell vulnerability scans as penetration tests. That’s one issue. And then the other is companies that go and ask for a penetration test that have never done a vulnerability scan before. Talk about both of those things.

[00:15:31] Eric Hanson: Yeah, absolutely. You know, there’s a, this is kind of an older school methodology, I think, maybe when pen testing was first kind of getting started, where pen testing probably came from somewhere of doing a vuln scan and then just saying, okay, well, you know, I have a critical, let’s use that to get into a system, right? And so it was very hand in hand with vulnerability scanning at some point, and you still see a lot of, um, you know, companies out there and stuff like that that will do that, right? They’re essentially just doing a vuln scan with validation, right? Um, they’re seeing what’s on the scan and they’re validating whether or not it’s an actual vulnerability or if it’s a false positive, and that’s valuable, but it’s just not as valuable as a full penetration test, right? So you get a lot of confusion where you have, again, people selling kind of the wrong thing essentially. Um, and then that causes confusion on what people think they want as well. Um, sometimes people are asking for pen tests because they think they’ve been getting them the whole time, uh, and then they’re very surprised to find out that there’s different ways of going about this and as such. The other side is that, like you said, there’s a lot of people who are asking for pen tests, um, but don’t really even know what it is. They’ve never had one before. Um, and maybe they never even had, you know, scanning before, and they’re jumping straight into the pen test, and obviously that’s not always gonna be your best bet either, right? Um, like I said before, vuln scans are a great place to start, it’s a good stepping stone for anything, whether it be your external network, your internal network, or web application. Scanning it for, you know, common vulnerabilities, common mistakes is going to be, um, a great first step for a while, and then, you know, once you get to that point where you have all that stuff kind of under wraps.
You know, you want an understanding of what your environment looks like. Going to a penetration test to dig a little deeper and try to find those a little bit more obscure holes is going to be useful. On the other hand, if you go straight into a penetration test, you might end up with just a, you know, floodgates opening on you with way too much stuff to really remediate properly for a proper team. You know?

[00:17:30] Brad Nigh: Well, and I think if you go straight to it, you may not get the true value, right? If you kind of, if the doors don’t shut and the windows are broken and I can just walk right in, it’s not really giving you a lot of value. You could have done some cheaper, quicker alternatives to understand that

[00:17:48] Eric Hanson: it’s important to note that there is a pretty large distinction between the cost of a pen test and the cost of a scan. And if your pen test is just giving you back all your scan results, basically, um, you paid too much for it, right? So you want to get those another way, so they’re not finding that, they’re finding other things that are more,

[00:18:04] Evan Francen: it seems like vulnerability scans really aren’t skills dependent as much as penetration testing is, right? So, if I was running my own security program, I could do vulnerability scans myself on a regular basis, and I should. Penetration testing would be one of those things where there is more expense to it, I do need a higher skill level, and maybe I’d outsource that if I can’t afford to keep it in house. Uh, so yeah, vulnerability, I don’t really see any excuse anymore for not doing vulnerability scans on a regular basis, internally and externally, on all assets. Because we also use that to validate our asset inventory, right? We may have, you know, a firewall change that we made, you know, a couple of months ago to test something quickly. We didn’t follow proper change control, we left that hole open. You do a vulnerability scan. It’s like, oh crap, that’s right. Let’s close that thing.

[00:18:58] Brad Nigh: So

[00:18:59] Evan Francen: I can never find breaches like

[00:19:01] Brad Nigh: that. Right, by the way, never. I’ll use this, I used this analogy this week and on Sunday. So part of the speaking was my daughters had a phrase they wanted me to work into the, to the phrase. Yeah, they had this phrase. So they wanted me to say peanut butter and jelly sandwich, and I was like, how am I going to work this in? And then I had this great epiphany. I was talking to them about risk management, but I think it applies here too. If you’re teaching a kid to cook, the first time they ever cook, do you go with like a chicken cordon bleu or some sort of fancy meal? No, you start with the basics, you start with making a peanut butter and jelly

[00:19:37] Evan Francen: sandwich bill some time. There you go.

[00:19:41] Brad Nigh: No, I didn’t. No kidding. But I think that does apply, right? The vulnerability scan is the basics, and then, right, that’s you making that peanut butter and jelly. And then

[00:19:52] Evan Francen: It’s back to Chapter two of the book too, right? I mean, you have to have this foundation first before you start talking about, you know, the colours of your curtains on the second floor, right? You know, so it’s basic stuff. Tell us, Eric, I’ve always been sort of, because I love our team and we have such a great penetration testing team. You know, I saw Jake was over at my house yesterday because my daughter was having her birthday party, and Joe, who’s also on the team, uh, came over to the house to, you know, celebrate with us. But Jake I guess is staying with him for a couple of days while he’s kind of getting back into the flow here. Uh, but so I just love our team. Tell me a little bit about our methodology. How do we do penetration tests and what do we think makes us kind of special here?

[00:20:45] Eric Hanson: Yeah, we do have a great team. I agree with that. Um, our methodology at FRSecure is, um, you know, we take, you know, we’re looking to really tackle and help out as much as possible, right? Um, when it comes to, you know, penetration testing methodology and the way to do things, there’s a lot of different ways. We spoke of kind of one way of, you know, people will do a scan validation, right? Um, we like to go about it in a way that is gonna get the most out of it. So like for an external, we’re going to be, you know, doing a lot of reconnaissance, we’re gonna be digging into that kind of detail. We’re going to be trying to get as much information as we can about what an attacker can get about a company, stuff like that. And then, you know, obviously going and doing manual testing on top of the automated enumeration, stuff like that, really, really big thing. Um, and with internals and stuff like that, we like to do what’s called an assume breach methodology, right? Where we’re kind of, we’re attacking from the perspective of what the average person, the average company is looking to defend against, right? A lot of times you see people are getting drive-by attacks of some kind, or they’re getting some kind of phishing breach, or someone’s clicking on something they shouldn’t, downloading something, you know, stuff like that. A lot of times people are walking in and plugging into your conference room wall, right? So we’re trying to really follow the current, um, attack methods and then make sure that we’re testing from those perspectives and that we’re giving people the best bang for their buck on that. And our team is great because, you know, there’s a lot of passion in our team. That’s one of the big things that we focus on for hiring someone, not just what certification you have. Um, opposite of that, it’s more of a, you know, what kind of a fit are you with this environment, you know, what kind of passion do you have about this?
Because if you have the right passion, you have the right mindset, you can teach people. We can grow pen testers internally and kind of teach them, you know, the right ways to go about this and what we’re trying to do and what we’re trying to accomplish.

[00:22:39] Evan Francen: I love that. It fits so much with, you know, my same, my philosophy too, right? It’s grow people. It’s so rewarding to see somebody come in, and I’ve seen you guys do it, you know, I see how you’re kind of progressing the team members we have today, you know, some of them zero experience, right? Maybe they had a college course or two, but to see them sort of progress and get those fundamentals, you know, sort of established, it’s super rewarding, and it’s in line with what we talked about yesterday in my talk. Sorry, go ahead, Eric. Um, I think I interrupted you maybe,

[00:23:17] Eric Hanson: Oh no, uh, well, let’s just say I do have a little story actually about that in general too, right? Like, um, one of the guys on our team, Kyle, is a good friend of mine from before coming down to FRSecure, right? Um, he was doing 3D modeling and CAD work. Uh, he had never, didn’t know anything about security. He was looking for a change, needed something new in his life. And I said, hey man, I’ve got a great company that I work for right now, I’d be happy to recommend you, but you’re gonna have to do some legwork yourself, some lines and stuff, right? And he’s like, yeah, absolutely, I need a change, and what you do sounds interesting, I’d love to know more about it. So I told him, all right, you know, like, work on getting, uh, Security+, right? Not gonna go for CISSP, people have to have the years of experience that’s needed, right? But go for a Security+. He took it seriously. Um, I told him to do it, and I think two months later he passed his Security+ with zero experience in security before that. He’s very passionate, he jumped into it and he’s like, I want to do this, this sounds like a great opportunity, why not want to take it, right? Um, it was a while before we got to hire him, but now, you know, we hired him as an associate analyst, just coming in and doing a lot of scanning, stuff like that, that you don’t need a lot of security knowledge for, right? He’s been here for a year now, and now he’s starting to build up in our IR team, has learned so much about the response, hunting out threats, figuring things out. It’s amazing to see that, you know, a couple years ago he knew nothing about security and computers and he was doing 3D modeling, which he’s fantastic at by the way, but then, like, now he’s doing this, and that’s what we’ve grown based off of just his passion, right? Take his passion, bring him in and let’s teach him whatever he wants to learn. And it’s going so well

[00:24:59] Brad Nigh: that’s interesting. I didn’t realize he didn’t have that background, because I’ve really only worked with him the last two months or so as he’s moved over to the IR team, and yeah, absolutely, I’ve been really impressed with how quickly he picks things up and just the way he thinks and looks at these things.

[00:25:17] Evan Francen: Yeah, and you can see it on his face, you can see the confidence every time, you know, you see him again, because I love Kyle. Kyle is kind of this, I don’t know, he’s just kind of mild mannered, at least the way I see him. Yeah, you know, Eric, you know him better, so you’ve seen probably the crazy side of him and, you know, other parts of it, but I just love how he’s just this cool cat, man. But he’s, uh, you know, perfect. We hire for intangibles, we can teach you stuff, right? I mean, it’s not rocket science, and if you look at, you know, so much of the technical work we do, it’s all logical. It’s all binary. It’s all do this and these things happen, right? Much of it is predictable. What’s not is people. Uh, so I just, you know, I can’t, we could do a whole podcast on just the quality of awesomeness and the people we

[00:26:06] Brad Nigh: have. I think it goes back to, like, one of the hard things too. Like when I was interviewing for IT positions, and the same concept applies here, is I would ask a really, really hard question and say, walk me through your troubleshooting. I don’t care if they got it right or not. I wanted to hear how they thought through it, because that’s something that’s hard to teach. I can teach you the right way or what to look for, but I want to hear how your brain works, to understand, right? Do they kind of get it? Or are they going to go, I have no idea, right? And yeah, he’s, well, and not just him but everyone, all the associate and entry level kind of coming in with no experience, are all just super inquisitive and willing to learn and

[00:26:55] Evan Francen: well, and I’ve said it before, there’s no dickheads here, right? I mean, everybody is willing to help each other. It’s just really cool. Because I get that question a lot everywhere I go, because it seems like the younger crowd, the new crop of security people, which we need by the way, uh, is all more interested in getting into penetration testing or, you know, technical things than they are in, hey, you want to write a policy together, you know what I mean? So that’s another good question for you, Eric, is, you know, what do you tell people when they come up to you and say, hey, how do I get a job, how do I get into this?

[00:27:33] Eric Hanson: Yeah. You know, um, I typically tell people, you know, just start putting yourself out there and display that passion and show people what you have, and look for something, because there’s a shortage and there’s a lot of people out there who take opportunities on people with a little bit less knowledge but with great passion, stuff like us, you know. Um, and then it goes back to some of the things I mentioned earlier, you know, like if you’re just looking to practice, hone up on your skills, there’s, you know, vulnerable boxes, there’s, you know, bug bounties, stuff like that, to help continue to hone the skills. But really, you know, you don’t necessarily need certification or schooling or specific anything like that for penetration testing at least, or that kind of thing. It’s more about just getting out there, putting yourself out there and applying and showing your passion, showing your ability in other ways, right? The way you think and stuff, like Brad said. So that’s really big too, you know. I do a lot of the interviewing, the technical interviewing for our guys, and, uh, the biggest thing I do is ask questions that I don’t even care if their answer is correct or not, right? Just like Brad said, I’m sitting there listening to see, are they shutting down under that pressure of not knowing the answer to this? Or are they trying to think it through? Are they talking it through? Are they asking questions? Are they, you know, curious now, are they kind of going into it more? Um, and trying to find those passionate folks. Yeah,

[00:28:46] Evan Francen: Yeah. And you mentioned one of the things in the methodology too, which I thought was interesting because it takes, I think, a little bit more work, was just the importance of, uh, reconnaissance and maybe OSINT, you know, mixing that in at the front end of penetration testing. How important is that? How important is learning, you know, OSINT, in your opinion? Is it very

[00:29:08] Eric Hanson: important. You know, there’s a lot, I’ll say this, like on the opposite side of things, there’s a lot of external penetration tests that we do where there’s just nothing found in OSINT, right? That’s very common, where we just don’t find anything very useful. But that doesn’t mean it’s not important, right? You find those occasional situations where um you’re going to find some information. You know, we’ve seen PDF documents actually on a different, let’s say we’re pen testing a service provider of some kind, right? And we’ll find a document that another company who is using the service has out there and they have their login information in this document. So now we can log into the service provider using that person’s credentials, or at least create an account, maybe using their company colour subject. That right? And we can go a little bit further. So finding that kind of stuff is useful, right? Then obviously beforehand we’d be careful about what access, what information we’re accessing, contacting our contact at the, you know, customer and making sure that we’re not going to be going into someone’s personal information, things like that. But um finding that information is very useful, and knowing how to do that and having kind of the right intuition to hunt that stuff down, this is really valuable.

[00:30:12] Evan Francen: Yeah. That’s cool. My uh, I tell you about my wife, she is learning OSINT. She had me help her set up a VM on her machine. We didn’t have admin access because it’s a work machine. So we’re gonna have to get a different, we have to go buy a separate computer. But uh it’s kind of cool. She’s doing OSINT and I’m like, every kind of everything. Well, and then she’ll ask me questions. I go, like, every time you ask me a question about this, do you realize you get just a little bit sexier to me? Yeah, it’s cool because OSINT is something that anybody can do, I think. You know, it doesn’t require a ton of technical skill unless you really want to get into it, right? Because then you’re gonna have to learn, you know, some scripting, you might make your own, you know, some of your own tools. Uh but it’s that inquisitive mind, it goes back to, I think, what Eric was saying and we all agree it’s those intangibles. Can you work through problems? Can you find things? Are you curious?

[00:31:10] Eric Hanson: Uh yeah. Are you willing to settle for no? That’s what a lot of it comes down to too, right? Like, I didn’t find it here. But am I going to give up?

[00:31:18] Brad Nigh: Right? Yeah.

[00:31:20] Evan Francen: Yeah. Some pen testers? Yeah. Well that brings up a whole other thing too, right, in our methodology. I know we struggle with that, we have in the past, is just

[00:31:27] Brad Nigh: scope. When do we say stop?

[00:31:32] Evan Francen: Right? If this project was scoped for 20 hours and I’m at 20 hours, but man, I don’t want to give up yet

[00:31:42] Eric Hanson: scope creep from both sides. Right? Sometimes we’ll have customers who will give us the wrong scope and it’ll start to creep out. But there’s also our side, right? We’re not willing to accept our own failure sometimes. It’s always a battle, a little bit of the film,

[00:31:56] Brad Nigh: I will say, as you know, coming from the senior management side of things, I’m okay with that, right? I’d rather have to rein you guys in and be like whipping to be like, why aren’t you doing your jobs? It’s like, no, no, don’t do so much of your job, right?

[00:32:13] Eric Hanson: Yeah. It allows you to have that confidence that you’re doing a good job, right? The team is doing a good job. If you’re having to rein them in, at least you’re not going to say, well, we might not have done, you know, a good enough job here. I mean, we know we always have time

[00:32:29] Brad Nigh: and I think Oscar has done a really good job with you guys, from what I’ve seen, of uh, you know, empowering you to uh, know what the process is to say, hey, I know I’m kind of at the timeline, but man, I’m like five hours from just blowing this open, and letting you guys have that leash when it’s appropriate.

[00:32:55] Eric Hanson: Yeah, and a lot of our guys to work within a kind of a, You say, you know, let’s say it’s supposed to be this, let’s say it’s supposed to be, you know, 30 hours, but we’re supposed to have it done this week, right? If we work 40 hours this week as we decided to put in some extra time, you know, extra four hours here and there or something like that, right? Like it’s one of the things that as long as we get done this week, if we want to explore that passion further, if we want to push ourselves, we want to stretch our legs a little bit and really see if we can get this thing um then we’ll do it, you know, and nobody, you know, you don’t feel burn out, no one made you do it and you decided, hey, I’m just gonna get it done this week either way, but I’m gonna put on a little extra time and I don’t really see what we can do here, because a lot of times you get some good information on that like R and D on the job. So

[00:33:33] Evan Francen: yeah, and I love this team because this team never nobody takes shortcuts right? You know, because I know it’s so tempting because I’ve done so much work over the years and I don’t do much anymore. Just kind of you just travel now. Yeah, just travel the world. Uh but I know that there’s always that, you know, uh temptation to take a shortcut maybe to leave something out of a report because it’s just going to meet and hold five more paragraphs of writing or you know something, but I see in this team such a good, such passion and such a willingness to do things right? And to be right by the customer that, you know, the quality of the work is top notch? They just don’t take shortcuts. Love it.

[00:34:17] Eric Hanson: I think it sounds corny, I know, before I say it, but I think the important thing about that is that you only try to take shortcuts on things you don’t want to do, right? Everybody on this team, everybody, I think we have enough. Our security general wants to do what they’re doing, so it helps, right? You don’t want to take a shortcut if you enjoy what you’re doing and you want to keep doing it.

[00:34:38] Brad Nigh: That’s true, very good point. So I think I’m going to segue off of that and ask you a little bit more about what you do here. What do you do here, what do you say you do here?

[00:34:49] Eric Hanson: Eric uh, well, you know, I’ve been a penetration tester at FRSecure for a few years now, and then just in the last 23 months, something like that, I’ve moved over to a role of just being responsible for training and team development and uh, continuing to develop our methodology, a little bit of R and D. But mostly just training up um guys on things that they don’t know yet and they want to learn. So working one on one with, you know, I think four or five different guys right now on training with different skills that they’re looking to accentuate or

[00:35:25] Brad Nigh: build? That’s cool. So what would be like the path from a pen test perspective? Right? We’ve got uh external, internal, web app, are really the big three that we do. Um what would be the path that someone would take, like coming in as an entry level? Hey, we’re going to, where do they get the right start, where do they start? What do they do, what does that look like? Their growth, projection.

[00:35:54] Eric Hanson: Yeah, absolutely. So in the past it’s been kind of a jump in and be kind of like the, like I was talking about with Tyler earlier, start off with like scanning and things like that, right. With me and the role I’m in now, you’ll start off, I mean we bring people in and we’re starting them off right away on kind of the projects like external penetration tests. Right? External penetration tests are typically a little less eventful. Um and a lot of times people know how to secure those a little bit better. There’s definitely some big findings and stuff you see, you know, but sometimes, a lot of times, they are a little bit more uneventful. So they’re a good place to start for someone who’s getting into it. Um so, you know, we work with people and get them on that right away and give them training alongside me and then we get that going on. Uh then from there, it’s kind of a question of like where do you want to go? You know, the external phase of things is making sure that you understand the general methodology of attacking something: how to enumerate that thing, how to do reconnaissance, how to be careful about how to reach out to a customer in a sensitive situation. Um and how to speak to customers, how to deliver reports and stuff like that. Right, right. This report gets all of those things out of the way. Um and then after that, when someone has gotten real experience with that, is the question of like, you know, where do your interests lie? Web applications and internal network penetration testing are very much different, you know. Um if someone has had more experience previously as a system administrator or something like that, they might lean toward learning to do internal stuff and move toward red teaming, things like that of the internal nature. 
Uh maybe if they’ve had some experience doing some web application creation, stuff like that in the past, or they’ve done a lot of bug bounties when they were kind of learning and stuff, they might be more inclined to go to the web applications. We try to feel that out, right, and see more some months ago and then just start taking them down that route after already.

[00:37:33] Brad Nigh: Okay, makes sense. Doesn’t

[00:37:36] Evan Francen: make sense. Like

[00:37:36] Brad Nigh: it

[00:37:38] Evan Francen: it makes me want to start my career again.

[00:37:41] Brad Nigh: Mm

[00:37:42] Eric Hanson: I’d love to train, you

[00:37:44] Evan Francen: know man, it would be so it would be so much fun to be Yeah. You know the way we didn’t have, you know, you just kind of did things, you know what I mean? I mean we were so much more focused on making things work as opposed to breaking things. But I got so good at breaking things that I became better at breaking things,

[00:38:02] Brad Nigh: fixing things and you became better at breaking because you could

[00:38:06] Evan Francen: fix. Yeah, like I can remember taking down, you know, enterprise firewalls because I made the, you know, because you entered the wrong command or, you know, I got something like, one time I corrupted a PIX 520. So PIX 520s were the big firewalls, you know, way back, and there were memory restrictions but there was no bounds. So I was trying to um uh upload a new IOS version, and it was PIX OS then, to the firewall, but I didn’t check to see if I had enough memory in the firewall to accept this image that I was about ready to lay down. And I was one of those, I’m still a fly by the seat of your pants guy, right? So I was the same way then. And uh, and then they were in failover, right? So I had active-passive, which was like totally new then, right? So it was like, it’s like uh definitely a straw house, right? When you put those things together that way, the image was too big for the memory. Uh, so firewall crash, right? And like bricked, essentially, unless I hook up a serial cable and then try to apply a new image, the right image, through that. One way it’s downtime, and this was at Jasc Software, and so any old time Jasc-ers will remember, then, probably now because I didn’t really fess up. I didn’t like, hey, I did it, you know. But uh, we were like top 10 busiest websites in the world at that point because we had Paint Shop Pro, everybody wanted Paint Shop Pro because it was Paint Shop Pro or Adobe Photoshop, and Adobe Photoshop is like a billion dollars. So we were about three million website visits a day, right? And I decided that I wanted to apply this patch, I was going to fail over, apply this. Well anyway, it took down the firewalls for like three hours. Uh, yeah, but I would have never learned how to deal with that had I not done that, but that was how I learned a lot of security stuff, was doing stupid stuff. So now I know the importance of change control. I know why we do things after hours. 
I know why you always have a backup plan and why we like to test things, that you can’t do that with everything, but you learn, you know, through that stuff. I would love to go through kind of what it’s like today where you can learn some of these awesome new skills but then also, you know, tap into some of the wisdom of people that have already, you know? Yeah, got their battle

[00:40:45] Brad Nigh: ones. I’d agree. I think uh, given my background, I would, you know, you and I are in the same boat, where you get to the point where you’re like, OK, do I go super technical and do the pen testing and all that, or do I split to more of the management and oversight

[00:41:03] Evan Francen: technology is easier than people and you know, stay in technology.

[00:41:06] Brad Nigh: So yeah, going back, it would be fun to use my background to have that kind of show the internals, and it would be fun, but unfortunately I don’t have time for

[00:41:17] Evan Francen: that. No, I’m really happy though about, you know, we do have some junior, you know, penetration testers here, and just knowing that they’re in good hands. So Eric, just kudos to you. I love what you’re doing with the team.

[00:41:30] Eric Hanson: Thanks man, appreciate that.

[00:41:33] Brad Nigh: So I guess one of the, I do want to bring up, so we’ve talked about external, internal and web application, but one of the things that we get asked occasionally, but not a whole lot, is around mobile application pen testing. Uh can you talk about that just kind of briefly and what that entails, or what that actually looks like?

[00:41:54] Eric Hanson: Yeah, so with mobile applications there’s kind of two different sides of it, at least the way I look at it. Um a lot of times what people are looking for is along the same lines, it’s kind of just a web application test. A lot of times that’s how we’ll sell it, right? If they’re looking at the way an application that they’ve created for iOS or Android or whatever is communicating with some endpoints out there on the web application, then a lot of times what we’ll do is we’ll set up, you know, we’ll take our Android phone or iOS phone and we will um put a proxy between it and take a look at the requests that are being made. We’ll kind of treat it just like it’s a web application requesting out to some endpoint somewhere, some API, etcetera, and we’ll start to attack those APIs and those endpoints and really go after that, and in that scenario that’s basically a web application penetration test. Um The other side of it is taking a look at the actual application itself, you know, um the archive that’s being um, you know, run on the phones, and uh seeing um, you know, if that was to be cracked open and taken a look at internally, is there some kind of functionality in there that can be um, you know, used maliciously? Is there any kind of certificates or other types of information, credentials, something like that, that can be used to gain access back to a home server or to gain access to something else? Or, you know, just sensitive information in general that shouldn’t be included in there. Maybe the development process was not following the right workflow, or maybe they just didn’t realize something could be gained access to. So that’s kind of the two different angles, perspectives.

[00:43:22] Brad Nigh: That’s good. I think uh the first time you you explain that or we went through it it’s like oh well that makes a ton of sense, I hadn’t thought of it that way, I was like I don’t know how he tested a mobile app but that’s it, it’s logical,

[00:43:38] Evan Francen: you put it in the mobile, you put it in the mobile app testing machine,

[00:43:41] Brad Nigh: let’s go. Well, it’s like, do you have to have like VMs of different phones and versions and all that stuff? And I guess, you know, there is that if they’re actually looking for the code itself on the phone and running, but I think most of the time it’s that communication and how it’s uh working through to the back

[00:44:00] Evan Francen: Yeah to the

[00:44:01] Brad Nigh: back end servers, so

[00:44:02] Evan Francen: well I think at the end of the day right, it’s having that conversation with the customer, like what do you actually want to test, define what you want to accomplish first, Right?

[00:44:12] Eric Hanson: Yeah. Absolutely. Absolutely. So the conversation.

[00:44:16] Brad Nigh: Oh good, good, good. Eric

[00:44:19] Eric Hanson: I was just gonna say this conversation we have a lot to from the white box and black box and whatnot. You know, testing methodologies to just trying to figure out what exactly people want to test. Right?

[00:44:29] Brad Nigh: Yeah. And you know that that is a good maybe real quick um explain the difference between a white box and a black box test and which one do we do and why?

[00:44:41] Eric Hanson: Yeah, absolutely. Um you know, white box, black box are kind of the extremes of a spectrum. Right? So there’s no real clear cut way to handle each one. But essentially black box means to have less data, to have perhaps no data going into an engagement, right? You have to figure it all out on your own. And then white box is more toward the open side, where, you know, the customer, the company, the organization you’re working with is going to give you as much information as you need to get the job done, right? And there’s every variation of shade in between, where they’re willing to give you this but maybe not this, or, you know, they’ll whitelist you on a web application firewall and give you information about their endpoints and maybe an administrator login to enumerate that stuff, but they’re not gonna give you the source code. Right? So there’s variations there. Um we tend to prefer the lighter end of that spectrum, the kind of more white box attack, and that’s just because typically that’s what everyone needs, right? Um there’s definitely other needs out there, there’s definitely good reasons to do a black box test, um but on average, I think most people are looking to find vulnerabilities um in their environment, and they’re not looking to necessarily find vulnerabilities in their firewall, let’s say, or something else like that. So typically we want to kind of make sure that we’re spending time on the actual resource that is owned by the organization we’re working with, right? 
Um if we were to do a black box test, we’re gonna spend a lot more time kind of just generally enumerating some information about it and hitting firewalls and hitting different things and backing off, and it’s going to take either longer or we’re just not going to get as much actually to the environment of the organization we’re working with. We’re gonna be testing the firewalls more, the web application firewalls, we’re testing more of the devices and the, you know, intrusion prevention and detection systems that they have, things like that. So, um if that’s what someone wants to test, by all means we’ll test it, but realistically, most of the time we want to see where the actual vulnerabilities lie in the configurations, in the development, you know, things like that,

[00:46:37] Brad Nigh: So that’s to say, so white box is really going to give probably more bang for the buck, because, you know, you’re guaranteed we’re gonna test exactly what you need tested. Whereas with black box, the reality is, as good as you are, you might miss something.

[00:46:53] Eric Hanson: Yeah, absolutely. I mean, even on a white box, you might miss something, right? That’s the nature of the engagement. But at the end of the day, it’s a question of where, you know, it’s an expensive engagement you’re typically paying for. Where do you want that money spent? Do you want to test your firewall, or do you want to test your devices themselves, you know, or your configurations themselves, right? That you actually have control over

[00:47:13] Evan Francen: well, in some, and don’t get wrapped around the axle either. Right? I mean, cover the basics, you know, of security. What are your most significant risks, and really focus your time and your money there if you can. I mean, if you understand what those things are. Yeah, it’s always been that argument back and forth. White box, black box, pink box, yellow box, green box,

[00:47:36] Brad Nigh: which rainbow box do you

[00:47:37] Evan Francen: want? Just do a

[00:47:38] Eric Hanson: test. One thing we see sometimes, like I said, there are good reasons for black box. I would never devalue that, there’s some good reasons, but um, sometimes what we’ll see is people want to do black box because they just don’t want to get the problems found. Um and that’s something I definitely steer people away from, you know. It’s one of the things that a pen test is not trying to make you look bad, it’s trying to make you look like a hero that found your problems and is gonna fix them.

[00:48:03] Brad Nigh: Right? All right, well, that was a good discussion. Um hopefully we answered some common questions and cleared up misconceptions people might have about pen testing. Uh you know, it is serious business, and Kevin, you know, the show notes say we are very grateful to have, you know, such a highly skilled team here doing the work that they do. So before we wrap up, we’ll dig into a couple of news stories here. The first one is “Avast and NordVPN Breaches Tied to Phantom User Accounts.” This is on Krebs on Security, and uh, you know, the Avast breach was linked to um stolen credentials for a VPN service configured to connect to the internal network uh and did not have MFA configured. So they found an issue where a temporary VPN profile had been erroneously kept enabled and did not require multifactor. Whoops, shouldn’t do that. Uh and then the Nord,

[00:49:06] Evan Francen: that’s a true report should say you shouldn’t do

[00:49:09] Brad Nigh: that, don’t do that,

[00:49:11] Eric Hanson: don’t do that. Remediation steps don’t do that.

[00:49:15] Brad Nigh: Uh the other one is um on NordVPN, and this was a breach from March of 2018 out of one of the data centers in Finland, and the attacker gained access to a single NordVPN server by exploiting an insecure remote management system left by the data center provider that NordVPN was uh unaware existed. Um and then the provider removed that remote management account without notifying them on March 20 of last year. So there’s a bunch of uh, there’s a lot there.

[00:49:56] Eric Hanson: Well, they removed it after discovering the breach and just didn’t notify them. Right. Which is, yeah. And then, you know, a provider who discovers a breach and doesn’t notify you is someone you shouldn’t be working with.

[00:50:09] Brad Nigh: Yeah, that’s not going to go well, but, you know, and I don’t think Nord is completely without blame. You know, how did they have this breach and somebody in their server for 2, 3 weeks or however long and not have any notification or logs? What was it, for a full year?

[00:50:29] Eric Hanson: I don’t know how long they were in before the data center found out about it. It was a year later that Nord found out

[00:50:36] Brad Nigh: about. Right. Right, Right, Yeah, not good. So

[00:50:41] Eric Hanson: well, and the other question is like, okay, fine, I get that someone else is hosting your stuff, you know, housing your stuff in the data center. How did you not know that they had a method to log in and administrate your source systems, you know? Right. Yeah, it’s one thing to be like, hey, we had to do it, we knew it was there, we didn’t know how insecure it was. It’s another thing to say we didn’t know it existed. That’s an interesting one to me.

[00:51:02] Brad Nigh: Yeah, yeah, that’ll be interesting. I think there hasn’t been, I haven’t seen a ton of real details on this and I’m wondering, you know, there’s gonna probably be a lot behind the scenes from a legal perspective.

[00:51:16] Evan Francen: What was interesting right after the announcement was the number of air quotes “experts” that were telling you, yeah, you know, you gotta drop Nord, you gotta go to your own homegrown VPN. It’s like, no, no, no

[00:51:31] Brad Nigh: Chill out, one server out of 3000, right. I’m not

[00:51:36] Evan Francen: because I happen to be, you know, I happen to be a NordVPN user and I’m not, I didn’t drop it. I mean I have

[00:51:45] Eric Hanson: a homegrown VPN user.

[00:51:46] Evan Francen: Well, there’s nothing wrong with that. Right? I mean, but you don’t, just because something like this happens, you know, put it into context with everything else and then react accordingly.

[00:51:55] Brad Nigh: Right? Absolutely. It’s not like they published something or did something like negligent. Yeah,

[00:52:05] Eric Hanson: I’ll give them some credit too, that they have been very vocal about it, that they’ve come out. They’ve, you know, been posting information, the most valid information. The most information you can find on the subject that I found is from their own postings, their own articles about it. You know, they’re being as transparent as they can, you know. So at the end of the day they’re kind of going, hey, like, we get that this happened, but what came of it? If anything, it proved that we’re not holding any logs, there was no valuable information for anyone to get on your data, right? No one could get into your stream or anything like that. So they’re kind of going like, we know it was a bad thing, we got rid of that person, but at the same time it also proves that what we’ve been saying about our service this whole time is accurate.

[00:52:45] Brad Nigh: Yeah. Um so the second story uh this week was out of infosecurity-magazine.com, uh “Senators Urge AWS Investigation After Capital One Breach.” So they’re looking at the former AWS software engineer Paige Thompson, who has been accused by prosecutors of attacks on Capital One and a bunch of other organizations. Uh there’s the other reports are, and Eric, I know this is your favorite, so I’m going to read the paragraph, or the sentence: “Reports have hitherto focused on a misconfigured web application firewall hosted by the bank in the AWS cloud as the main factor in the attack.”

[00:53:24] Evan Francen: Um but it’s the word

[00:53:26] Brad Nigh: hitherto,

[00:53:27] Eric Hanson: Yeah,

[00:53:29] Brad Nigh: but hitherto, far. Yeah. Uh but really what the thought is, is that she used this to conduct a server-side request forgery attack, and they’re saying that uh Microsoft and Google have taken steps to protect customers from those attacks, but AWS hasn’t

[00:53:52] Eric Hanson: uh I think at the end of the day, I mean, like, a server-side request forgery attack is an attack where you’re able to take advantage of some kind of vulnerability to have a server do a request on your behalf and potentially return data back to you. Not always necessarily, right. But in this case that was the case, and, you know, AWS and other cloud hosts and stuff will have some servers that are available to a host um and only to that host. Right, so the cloud hosted uh device or machine has access to a metadata server within AWS, and it can only be accessed from that host, from internally. Right. And uh so they took advantage of this to request data that they shouldn’t have, but there’s a lot of vulnerabilities in general in the application, the configuration of the application, that had to be present to make this happen. So uh placing the blame on AWS or Amazon is a bit, that’s silly. At the same time though, you know, I agree, I think if there is something that AWS can do, I’m not familiar with what Microsoft or Google have put in place, but, you know, the article is saying they have, and if, you know, if there’s something that AWS can do, they should. Right, I would never place the blame on them.

[00:55:04] Brad Nigh: Yeah, I think, yeah, that will be interesting to follow and see what happens. I guess they’re saying, right, if you could have taken these extra steps to prevent it, you should have, but um, right

[00:55:16] Evan Francen: yeah. So back to your original advice. Don’t do that please, I just don’t do that. I just tweeted

[00:55:23] Brad Nigh: that uh 3rd and 4th stories today are both around some new uh malware and ransomware. So scmagazine.com, “New MedusaLocker Ransomware Looks to Make a Monster Profit,” clever headline. Uh so, you know, MalwareHunterTeam found this in late September, uh there’s a really good write up about what it actually does. Uh but yeah, it’s just a new one that it’s out there and, you know, following encryption, the ransomware sleeps for a minute before scanning for additional files to encrypt and increases persistence by setting a scheduled task that relaunches the program every half hour. Um so just some new ransomware there, some goodies. Yeah. And then the last one, this one is uh, that was actually pretty good, pretty interesting, is out of Threatpost, “Raccoon Malware Scavenges 100,000-Plus Devices to Steal Data.” And I think the biggest takeaway from this one is it’s uh, it’s malware as a service. So now over 100,000 endpoints within a few months, easy to operate for technical and nontechnical individuals. Um yeah, the stealer is developed by a team that appears to originate in Russia and is Russian-speaking. So mm, $200 a month to use, and features like an automated back end panel, hosting and customer support. So that’s awesome.

[00:56:56] Eric Hanson: Yeah. It is interesting to see where things have gone, where now we’re having professional services offered for malware.

[00:57:03] Brad Nigh: Yeah. And given where it’s coming out of, yeah, I mean, it’s gonna be tough to take that down.

[00:57:13] Evan Francen: It’s

[00:57:15] Eric Hanson: just imagine the job postings: hiring a UX designer for a malware-as-a-service site

[00:57:24] Evan Francen: reminds me of another story. Have us, I’m not going to tell it right now. I was asked to do an IR way back when to defend a porn site. Mhm. I turned it down. Yeah. Mhm.

[00:57:39] Brad Nigh: All right, well, on that note,

[00:57:42] Evan Francen: No. Yeah. Uh stick to your scruples, have some scruples from Milan.

[00:57:46] Brad Nigh: Yeah, we don’t have to take everything that comes in. No. All right. So, that, episode 51, is a wrap. Like many of you, we’ve got another busy week. Special thanks to you, Eric, for joining us this week. Yeah,

[00:58:01] Eric Hanson: yeah, thanks again for having me. I feel like it went really well. I think you guys are like the jelly and the peanut butter in a grape jelly sandwich.

[00:58:07] Brad Nigh: Hey, nice right there.

[00:58:09] Eric Hanson: Yeah, I’ll make sure they listen.

[00:58:11] Evan Francen: I was going to lick myself to find out what flavor jelly I am, but I’ll save that for later.

[00:58:18] Brad Nigh: All right. Thank you. I appreciate that. Uh, thank you to our loyal listeners. Thank you for the tips and the feedback. Send us wisdom, questions, advice, whatever, email us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter. I’m @BradNigh and Evan is @EvanFrancen, uh @StudioSecurity and @FRSecure.