Evan leads the discussion in a jam-packed episode 23 of the UNSECURITY podcast. This week, the guys chat about the FRSecure CISSP Mentor Program, Evan’s new #100DaysOfTruth concept, what it’s like to have a cybersecurity podcast and the recent stories in InfoSec. Give it a listen and let us know what you think at unsecurity@protonmail.com

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Hello listeners. Here we are. Today is monday april 15th 2019, april 15th. That’s taxing. Holy crap. It just hit me right there.

[00:00:33] Brad Nigh: I followed my last night. What?

[00:00:35] Evan Francen: Hopefully I filed an extension anyway, we’ll find out. Uh but this episode 23 the insecurity podcast. I’m Evan francine and I’m your host for today’s show joining me is my favorite security and I should have underlined favorite uh Brad and I say hi brad.

[00:00:51] Brad Nigh: Hi, you did it that time. I did at that time for the listeners. We had a technical glitch of a patch is forcing a reboot. So I followed the script this time, patching.

[00:01:01] Evan Francen: Yeah, we have a bit of IT security stuff I know, right. Always getting in the way business. We got money to make here. Uh yes, we have a very busy day today, the offices hopping. Uh, today’s are we fly everybody in uh kind of from wherever they live. Do we have the Tennessee people in Kentucky people?

[00:01:20] Brad Nigh: Everybody’s, everybody’s in nice.

[00:01:23] Evan Francen: Uh, you’ll hear some background noise even though we’re in the studio. Uh the walls aren’t thick enough for all the people that are walking, you know, by uh, so you’ll hear some background noise. That’s cool though

[00:01:34] Brad Nigh: It’s crazy. It’s now it’s 7:20 and yeah, just the number of people walking around already. So cool.

[00:01:43] Evan Francen: I think everybody is excited to see everybody.

[00:01:45] Brad Nigh: These are big, big almost, it’s almost a party atmosphere. It is.

[00:01:49] Evan Francen: But who chose uh what are we having for lunch, pasta bar, what bob meat bar? Mhm. All right. We’re taking control all the time. Who runs this place anyway, it’s a good question, yep. All right, so how was your week? Last week?

[00:02:08] Brad Nigh: It was good. Good. Uh The big highlight was going out and getting to speak to some high school students that were focused on uh network and computers this year and then moving into cybersecurity next year. So it’s kind of a two year focus program. Um Yeah, it was that at, at Rosemount High School. So they get, they pay the school go, you know, the kids go through the program this year, they’re going to get there from to a plus and then next year they will be able to go through it and potentially get either their network plus or security plus, which yeah, the teacher was asking about that, like, you know, it’s a great starting point, especially for high school student. They just get a fundamental grasp of what it’s at those aren’t the be all and dolls, but it’s a good start.

[00:02:54] Evan Francen: One of the things I really admire about you and from, from the day we first met was you just have this heart for helping people, you know, helping kids helping. I mean, one of the first before we ever met, you were working on the squared thing where you keep safe and secure online. Right? So, you know, we really benefit from having people like you and our industry who go and reach out to people who aren’t being served, you know, kind of in this social security thing. So good for you, man. Thank you. All right. What else? Anything else? Cool. Last week

[00:03:29] Brad Nigh: mostly just being home and trying to get caught up on email and obviously as well talk about the CSP mentor program,

[00:03:38] Evan Francen: right? Yeah. That’s another example of where you’ve been. Such a big help to me and the mission just, you know, in that and we’ll talk, we’ll talk about the mental program too. Uh yeah, you’re right being home. Holy crap.

[00:03:51] Brad Nigh: Yeah. You didn’t far more travel than I have.

[00:03:54] Evan Francen: Yeah. And last week it was like, I don’t know the first couple of days, well, the mentor program got in the way, but you know, when things settle down a little bit towards the end of the week, it was, you know, you look at your wife and you’re like, hey, you’re not bad looking.

[00:04:09] Brad Nigh: It’s cool. Wait, I remember you, yeah,

[00:04:14] Evan Francen: kind of like your smell, Let’s hang out. So that was cool. Uh yeah, so last week for me was just kind of a whirlwind. Um, I’m thankful that we write these meetings. Are these uh, meeting, what do you call it? The podcast notes beforehand kiss. We record these on a monday morning at 6:45 a.m. When we usually start. And so you haven’t even gotten into your week yet and then you’re trying to recall what I did last week and I don’t know. But so I have a list just quick the CSP mentor program. We’ll talk about that later. That’s one of the topics for today because some, some people don’t may not still, you don’t even know what the C. I. S. T. Mentor program is. So we’ll talk a little bit about that. I had lunch with a C. So of, you know, now that, you know, we’ve been growing so much part of my job now is reaching out of the company, not in the company’s much but more out. And so I get to meet, you know, a bunch of really cool, talented smart Csos, you know, more so than ever.

[00:05:20] Brad Nigh: Almost wrote moving into like that evangelist yeah. Type of yeah. Role. It’s very cool.

[00:05:25] Evan Francen: It’s super cool because, you know, these people are fascinating and I sat down with, uh, I don’t want to give her name because I didn’t I didn’t ask permission first. But uh, you know, large large organization, tens of thousands of employees and she’s a C. So she’s been there for maybe a year. And you know, it was just, it starts out, she started it off awkward because she was like, she invited her whole team, we had lunch and she’s like, all right guys, you know, we’re really grateful to have Evan here, You know he’s traveling all the time, he’s busy and wrote this book and you know, she’s just kind of talking me up to her team and I’m like what the hell? Yeah, I mean I thought, I mean coming into this meeting, I thought it was much, much, much more of a privilege for me to be there versus her having me there, you know what I mean?

[00:06:15] Brad Nigh: Yeah, totally on the same page, you’ve seen it so weird people coming up and saying love, love what you guys are doing or you guys are great. I what have I worked with them before? I don’t know who that

[00:06:28] Evan Francen: is, it’s

[00:06:30] Brad Nigh: weird. So but yeah, it’s it’s exciting. But yeah, I’m not used to the

[00:06:36] Evan Francen: uh well she was awesome and you know every time I meet with somebody it’s an opportunity to learn something. That’s one of the cool things about being a consultant is I’m not super skilled as a consultant as much as I am super skilled at stealing other people’s stuff. You know, I mean because you go to like once you, so and you see the way they’re doing things like dang, that’s really, really cool. I’m putting that in my tool belt, right? So that’s what I say by stealing stuff because I take the best of what I see in other places and make them my own

[00:07:09] Brad Nigh: and what’s what’s amazing and I’m with you. I love that. And seeing all the new things and what’s amazing is that people willingly share it because they know it’s coming back the other way. Right? So it’s, it’s just really were almost this knowledge exchange, challenge

[00:07:26] Evan Francen: bridge. Yeah. Yeah, I agree. And I think it helps everybody uh you know, Yeah. Anyway, really good. And even when you don’t see eye to eye, it’s the respectful discussions that come from it. It’s almost like a little mini mini think tank. And uh, we need more of that to, I’m really hungry for more collaboration in our industry more just let’s just sit and talk. We don’t see things eye to eye. That’s cool. Let’s look at this problem from different perspectives because one of things that really hit me and I’m getting off on a tangent, but that’s what I do all the time. Uh saturday. It hit me. Uh I was driving with my wife going to micro Center,

[00:08:07] Brad Nigh: You know, that’s the only way I’m allowed to go as well, going

[00:08:10] Evan Francen: to my toy store. And uh I just, I just went silent, I was driving, I went silent for like 10 minutes and I was deep in thought my wife says, are you thinking about work? And I kind of cracked out of it. I go, no, I’m not, you know, believe it or not. I’m thinking about how beautiful and I’ll write something or think of something here. But how beautiful the word why is? So I think it’s the most beautiful world in the dictionary because I was sitting there, I was thinking how this word why and uh Simon Sinek I guess originally kind of opened my eyes to it, but one it drives us to purpose like you ask why, why am I doing this? Why am I doing that? So your purposes behind it? But then it’s also it pushes you to learn, you know, when you want to ask why, why does it work this way? Why does that? You know? So all of that really hit me. And then I had some good discussions this weekend just with other sort of security people who don’t see things the way we see things, you know, that’s cool. I mean they didn’t see things the way I see something. So you back it up to why? What’s the purpose? What problem are we trying to solve? Because we’re coming at it from two different angles and if you can have get emotion out of it and not rip each other, you realize you have a valid point and so do I maybe we can bring our valid points together and create a really cool solution. So I want to do more of

[00:09:44] Brad Nigh: that And I think you know that’s what’s so great about so many of the people we have or while everyone we have working here and is they’re all still really hungry to learn, right? And it’s yeah, Hey, you want our advice? Sure. Here it is. What? Where are you coming at from this? And then learning and yeah, doing that. It I enjoy doing it. It’s fun. I do too. But that’s a really good Yeah. Like

[00:10:08] Evan Francen: That takes a lot more. Yeah, I’m going to write something because it just hit me. Like I said, silence for 10 minutes. I was just so deep and thought about

[00:10:14] Brad Nigh: this. That might be a new record.

[00:10:16] Evan Francen: Yeah. Right. Thank you. All right. What else happened? Launched 100 days of truth campaign more on this later. So there were two reasons why I wrote actually started that one was to educate and I wrote a blog post about this. One is to educate, the other is to collaborate. I want people who don’t want everybody to agree with what I write as these are the truths. I want people say I don’t I disagree why exactly why. And then let’s talk about it. So, I want to have this dialogue. We’ll see what comes of it. You know, it’s 100 days and I’ll talk a little more about that later to made five of my six coffee meetings this week. Coffee meetings for me are every morning I have a coffee meeting with a different leader here at fr secure security studio. I hate missing them. But you know, when you’re traveling, you’re traveling this last week, I was able to make five of six. The only one I wasn’t able to make was rene. And yes, I’m calling her out on the podcast because she wanted to go. I was in the song somewhere.

[00:11:16] Brad Nigh: She uh yeah, she got her flight changed for the blizzard to avoid the blizzard. I can’t really blame her. No,

[00:11:22] Evan Francen: I don’t blame her at all. But that doesn’t mean I’m happy about it. Uh No, I’m actually not unhappy. I’m glad that people get to get out and get healthy. It’s really important. And then I wrote a research survey. So last week, I guess it was kind of busy. Uh you know, I’m writing the second book, Information security for normal people. And I’m writing it. And one of the things I’m ripping on in the book is how we as security people just assume, we know assume we think what they’re thinking the normal people. So, I’m writing this book saying, yeah, you know, we assume this, assume that. And then I’m like, who hold up? I’m assuming did I ever ask anybody what they actually think about this? You

[00:12:03] Brad Nigh: were you’re so geeked up on this on friday. It was, it’s funny because, you know, I like data. I know the same

[00:12:11] Evan Francen: way. So, I wrote that survey. Right? And then I had you guys tested and then I was like, all right, I’m watching this thing and I paid for 250 responses, right? Plus, which would give me an error rate of plus minus margin of error. 6% plus minus. You know? So I was just Jack. So, you know, we send the survey out and I started seeing results come in and that’s when you saw me just getting like all dickie. Because I’m seeing data. I’m like, oh, this is what they really think. Yes, it’s coming. So then uh saturday morning, you know, the first thing I do when I get up was log in to see what are the results do I have? What other data? They paused my survey. They paused it because The abandoned rate was 42%. And these are people that get paid to do something, right? So I’m like son of a Oh, I think it’s the open ended questions. Yeah. Or maybe people don’t want I don’t know what I mean. There’s something in that there’s something that tells you something just in the fact that that abandoned rate was so high.

[00:13:15] Brad Nigh: I think yeah, there’s valid data there. Right? Yeah. Something only Now is it a question of people are it’s the topic and security and they don’t understand. They don’t want to admit. Yeah. I don’t know my wife did it. So I had her. You have to see if you can figure it out. It’ll be it’ll be the only other one with your spouse is a security person

[00:13:39] Evan Francen: or put on brad’s wife in there

[00:13:41] Brad Nigh: somewhere. Yeah I don’t know. Um No the and the only question she had was around the hacking and have you been hacked and you know we had our texas fraudulently filed several years ago out of name one of the breaches. Does that count? Well wasn’t ah so it wasn’t anything we could have controlled. So no we were the victims of identity theft but we weren’t hacked if they got into our account or you know transferred money out because we did something stupid. Then you asked.

[00:14:16] Evan Francen: Well that I even made that question a little bit excessive scammed or had and so that might have confused some people too. But anyway we’ll we’ll retool reset that survey and get it out again because I still really want that data. Uh So anyway that’s cool. Uh What else do we have? We have some topics for today’s show I picked out three. We I could’ve picked out a billion. I mean what do you want to talk about with security? Right. But the ones I picked out for today’s show are the the fr secure C. S. Sp metro program. We’ll talk about kind of where that started, where it’s at and what it means to us and all that good stuff. We’ll talk about security podcasting. This will be kind of short one of the things uh you know I’ve learned and this is our 23rd consecutive podcast. So 23 straight weeks we haven’t missed a single one. And you know, now we’ve got some data in terms of like uh, you know, listeners and you know, a number of listeners. We don’t get a ton of feedback still from the listeners about specifics what we could change. But here we are, sitting in a studio now with some actual podcasting equipment and where we started to, where we’re at. I mean, it could be a pretty cool discussion. We’ll talk about the 100 days of truth because I’d love to get your input, you know, because maybe some of those things you agree with, maybe some of them you don’t, that’s fine. Uh but we’ll start off with the CSP mentor program. So monday, we kicked it off last week. Right? That was cool.

[00:15:46] Brad Nigh: It was, here we go again. Right here. I’ll be honest. I got home monday night, it was like, I forgot how exhausting this

[00:15:53] Evan Francen: is, standing up in front of somebody and talking for two hours after that. A long

[00:15:58] Brad Nigh: work after all day. And you know, we were in it. What, six both of us were here about 6 15 this morning. It’ll be 8 38 email I’m speaking tonight. So I’ll try and keep it to eight, but You’re looking at eight or 8:30 and then 20-30 minutes for everyone to leave afterwards because there’s always follow up questions and you know, I don’t mind. It, it’s good, right? But good to be a long day and then caps are playing tonight. So I have to go home and watch that on recording. So I’ll go on radio silence.

[00:16:28] Evan Francen: Well one of the things I like about us doing, you know the way we’re doing it this year and it is I like both of us being there because we can play off of each other, you know? And I so that that to me is different.

[00:16:43] Brad Nigh: I’ve gotten I’ve actually gotten some feedback that it’s really good compared on people that have been repeat watchers that it’s it’s a little bit easier to good. Yeah, because there is that dynamic, it’s not just one person talking. Uh Well, interject with some non sequitur smart alec remark. Sure,

[00:17:04] Evan Francen: security people one and tonight. So I prepped the slides for tonight. And you haven’t even seen Elliot. No problem. And you haven’t even seen him yet. So you’re gonna probably want me there

[00:17:16] Brad Nigh: that haven’t changed that much last year. Right.

[00:17:19] Evan Francen: Well, I don’t know, you have to check the slides out. Maybe I threw a couple of easter eggs in there for you. Like wait

[00:17:27] Brad Nigh: what? That’s what it

[00:17:28] Evan Francen: was. Right. So for those listeners who don’t know the CSP mentor program, this is our 10th year straight of doing the mentor program. Uh and it’s completely free, there’s no strings attached. And in today’s society, everybody always thinks there’s some strings attached to something. It’s free, come learn uh come interact, come give feedback. I mean, it’s just about reaching out to the community and getting more security people. One of the various entries, cost intimidation, don’t be intimidated, don’t worry about the cost is come and learn with us.

[00:18:03] Brad Nigh: And like I said, we’ve just mentioned, we have people that have done it multiple years and they’re still feeling like they’re not ready. That’s fine. Go at your own pace, do your thing, right? Even if you’re just learning, I’ve told, you know, non security people and businesses that I’ve worked with, even if you have no intention of taking the test, that’s fine. Listen, it will change how you think it will change how you look at things for the pot for a positive. You know, there’s a benefit to it.

[00:18:34] Evan Francen: Absolutely. And everything in the classes free, Right? We put we post the videos, make the slides available and you can take the slides if you want to make them your slides, if you want to start your own information, security training company using our slides

[00:18:48] Brad Nigh: feel free under that you’re releasing them under was a commentary are common. Creative commons, yep.

[00:18:54] Evan Francen: Creative commons. So you’ll have to you can and and you’ll notice in the creative commons license. I didn’t prohibit commercial use. You just have to keep it open. Right, Right? So that means somebody you’d have to still tag it and you’d still have to allow us to use it. But you can start your own business if you wanted to using our material. I don’t care. It’s about getting more people

[00:19:15] Brad Nigh: right again, we’re doing it for free. It’s

[00:19:19] Evan Francen: still free, right? And now I can’t even tell you how many times over the years I’ve had business people try to make it not free, right? I mean even from and and they were like, and I get it. You know, they’re sneaky the way they do it too. Well. How about if we just charge them like you know 500 bucks like how about 100 bucks? No, it’s free. It

[00:19:41] Brad Nigh: Will always be free. Well and I think I like that. And I think the argument to flip back at the business people is how much does it cost to find a new employee? I think the average is $40,000. I heard 60 60 now. So Either way, I mean that’s all split the difference. 50 grand, right? If you get one person out of that, what is not far outweigh we’ll

[00:20:06] Evan Francen: look at our own company. How many of our analysts came went in or came through the mentor program, awesome people to man. I mean so

[00:20:14] Brad Nigh: or associate level or junior more junior people that have gone through it in past, right? It’s it saved us that money. So I’m with you keep it free.

[00:20:26] Evan Francen: You know, being uh you know, and I know some people get offended maybe or not, but me being a man of faith, truly believing that God is the ceo that jesus, the ceo of this business, I’ve received so many blessings from this. And you don’t blessings doesn’t mean money. You know, there’s peace of mind. There’s uh uh just just really, really good feeling this joy that you helped other people with their career. I mean, it’s just stuff that you can’t pay

[00:20:56] Brad Nigh: me for that when people give you the email. Hey, I passed. Thank you. It’s like, yeah. Right,

[00:21:03] Evan Francen: wow. That’s awesome. Yeah. So so much more to the Metro program I’m really excited about this year. Um, we’re starting week two and for people that are listening that, that didn’t get in to the mentor program, all the recordings are online. You can go to f are secure dot com under events. You’ll see the Metro program, you’ll see the slides and you’ll see the class materials both posted, their help yourself.

[00:21:27] Brad Nigh: Our first break is this Wednesday. So monday,

[00:21:31] Evan Francen: I think 20 seconds. Is this

[00:21:32] Brad Nigh: This 1 2nd? I don’t remember. Whatever. Yeah, it’s coming up. You have a chance to get caught up,

[00:21:39] Evan Francen: right? You may not be able to sign in or get an account anymore because

[00:21:43] Brad Nigh: we know, but with the youtube and on stuff. Yeah.

[00:21:49] Evan Francen: Yeah, because we started with 60. Yeah. We started with the six students and now we’ve got over 500 registered

[00:21:56] Brad Nigh: Nuts, right? I think it was 200,153, the first in 2017 the first year I helped.

[00:22:04] Evan Francen: And then there was 350 something last

[00:22:06] Brad Nigh: Year. And now we’re up to 500 is a pretty good road growth.

[00:22:09] Evan Francen: Yeah. Well hopefully let’s get 10,000. I mean whatever whatever it takes to, you know, Let’s get let’s get more security people. Yeah, I’m with you. I’m with you. Even if it’s 10,000, I’m still speaking into the same microphone.

[00:22:22] Brad Nigh: Well and I think you know, somebody at one of the listeners had asked about, you know, imposter syndrome and I think with that I feel like sometimes it’s like are we really this is kind of just what we do. Is it really that valuable? And yeah it is from what I hear, but it’s still weird

[00:22:42] Evan Francen: when you even, like you said when you know that it’s valuable because you get those emails for endorsement and even if you just get one.

[00:22:52] Brad Nigh: Yeah, we’re We probably had plenty 20 last year at least ask us for endorsement.

[00:23:00] Evan Francen: And I assume that there’s probably another some number that

[00:23:03] Brad Nigh: we know there’s others had passed and I didn’t need it got others. But yeah, it’s

[00:23:08] Evan Francen: exciting. It really is. Yeah. It’s dry today is a dry night

[00:23:14] Brad Nigh: for you.

[00:23:14] Evan Francen: Thanks. Yeah, yep. Uh So what else? Okay so the mentor program? Good stuff. Yeah and I do talk too much. I want a half an hour over 2.5 hours on Wednesday. I don’t think anybody got too mad.

[00:23:28] Brad Nigh: Uh I was watching online. We only lost Maybe 15% of the people from the scheduled into when we actually ended it. So it wasn’t people stayed with it to the end, which is

[00:23:43] Evan Francen: we try to make it entertaining too. Right? I mean some of the material and the C. S. Sp is like uh huh. You know, it hurts. You gotta be, you know, take my fingernails please. Yeah. Yeah. We try to make it fun because security is fun. It’s one of our core principles.

[00:24:01] Brad Nigh: It is, yeah.

[00:24:04] Evan Francen: All right. So our podcast, let’s talk about that quick. So our podcast, we started out in November of 2018, 2018. Um and I, you know, I pulled data uh towards the end of last week just to see kind of the trend, you know, has it grown? And how much in terms of the number of listeners? And I was really surprised.

[00:24:26] Brad Nigh: It’s amazing to see. Right?

[00:24:30] Evan Francen: So 23 weeks, we haven’t missed one which in and of itself for a guy like me is like incredible.

[00:24:37] Brad Nigh: I’m so it’s so easy to just be like, I got other things to do right? Or I don’t want to come in it, right? 6:15.

[00:24:46] Evan Francen: So it takes a real commitment. You know, and it’s a it’s a testament to, you know, your commitment and you know, I’m supposed to be committed. You know, like I think it’s committed to a, an institution.

[00:24:58] Brad Nigh: I said it, it’s not work though, right? This is fun. I enjoy doing this. I do too. So it makes it a lot easier when it’s something you look forward to. Yeah, it’s

[00:25:10] Evan Francen: two guys and that and I said that when we started the podcast, it’s an hour a day or hour week I get to spend with you. So yeah, who cares if anybody listens this is just bonus time. Right? So, uh yeah, we surpassed. So we’re, you know, hopefully going to be trending here uh 400 plus listeners uh a week, which, you know, to some of the more established podcasts, probably some of the more entertaining ones. That’s like a drop in the bucket. But to us, we started with none. So

[00:25:41] Brad Nigh: I’m cool. There’s no no real marketing push, there’s no anything behind us. Just that organic growth,

[00:25:50] Evan Francen: yep. And you said you were asked uh recently whether we’re going to get sponsors,

[00:25:57] Brad Nigh: you know, are you guys going to put ads and get sponsors and right,

[00:26:03] Evan Francen: yeah, probably not because we’re not doing it for that. Uh I mean, I guess if we had to have some way to sustain it or something, we would, but we don’t have a problem sustaining it. The, but it’s funny too because when we first, our very first podcast, so people will listen to our very first

[00:26:20] Brad Nigh: one. Don’t listen to first like 10.

[00:26:22] Evan Francen: Well, yeah, unless you’re gonna, you know, listen from there and kind of listen to the progression through. But you think of all the stories of just in the 23 weeks, we started off doing our podcast on sunday evenings. It was you at your house, me at my house on zoom, right? We recorded it. We had no idea what the hell we were doing. The qualities just sucked.

[00:26:42] Brad Nigh: It sounded like we were calling in

[00:26:45] Evan Francen: and we had no uh, no real format and she’s talking about news and whatever. And then he started to get better. And then we had travel. Remember all that? Just all the travel things. Like I was down in Mexico and I couldn’t get

[00:27:01] Brad Nigh: called Starbuck

[00:27:04] Evan Francen: Bad come from a Starbucks in Cancun. You know, that was fun. And then, yeah, just so many stories. And then now we’ve remember when we first got our mixer Yeah. Or first started coming here, We didn’t have, we didn’t have a mixer. When we first came in here, we were doing it in the boardroom, right? With just the the

[00:27:21] Brad Nigh: Yeti Yeti Mike. Yeah.

[00:27:23] Evan Francen: And then we went from the Yeti too. A mixer. You know, not high end mixer. Just a mix mixer. Uh and then now we’ve got, you

[00:27:32] Brad Nigh: know, some stands. Yeah, we’ve got yes on acoustic foam right? To help with the echo.

[00:27:39] Evan Francen: So it’s cool how we’re not only were progressing in the number of users, but we’re progressing just in our understanding of how the hell this works. So I don’t know, there’ll be a now. They want the marketing people want to put video,

[00:27:52] Brad Nigh: but why would we do that to people?

[00:27:54] Evan Francen: I don’t know. It’s entertaining. It is people people like look at us and go if that’s what they look like. Well, I don’t have to be intimidated at all.

[00:28:03] Brad Nigh: That’s what I joke about is, uh, I get to wear this scraggly beard and look like this. So people, when you walk into like, oh, well if he can get away with looking like that, he must know what he’s talking about,

[00:28:15] Evan Francen: right? And if we, if we, if we told people the truth that we, most days we don’t even wear pants. Right?

[00:28:23] Brad Nigh: I will say I was talking to john the other day and I said I’m, I was doing, I did something. He’s like, it’s kind of like, I was like, well, I did look at like some office slippers a

[00:28:38] Evan Francen: couple times. I’ve come in here and I forgot that I still had my slippers on.

[00:28:41] Brad Nigh: You’ve been walking around and

[00:28:43] Evan Francen: yeah, it’s like noon and I looked down like holy crap, I’m still wearing my slippers. I didn’t put on shoes this morning, the life of a security guy. So yeah, so we, we see more and more people coming in the office. I know I’m so jazzed to see these guys and hang out with the man, all the,

[00:29:00] Brad Nigh: all the remote people. It is fun. I really enjoy seeing these everyone for the week

[00:29:05] Evan Francen: dude? Yeah, me too. All right. So our last bit of discussion before we get into some news and close this thing out. Uh 100 days of truth. Uh what it is is every day at eight am central I post um to my lengthen and to my twitter a truth about information security now, is it a truth or is it just Evans truth? You know? And that’s kind of the that’s part of the whole stick to it, you know, Right? Because on the one hand, I want to educate because some of these things may seem obvious to people, but they may not be either or their obvious, but they’re so obviously just don’t even think about it and you don’t practice it right? And on the other hand, uh you may not agree with it. What I’m saying as a truth is my truth and maybe you don’t agree with that.

[00:29:59] Brad Nigh: No, that’s fair. And it goes back to that, having an actual discussion and you know, not just arguing because I don’t agree with you.

[00:30:08] Evan Francen: I know yeah. This society today needs so much more disrespectful discussion. Stick to the y and stop very, you know, excuse me. You’ll see that today so much where we’ll start discussing a certain topic and then the next thing, you know, you’re arguing about five other topics. You totally lost track of the why we were talking to beginning. So bring it back what’s the why? You know, and if we want to have all these other things, if we don’t agree on these other things, we just have more wise, let’s get to those later. So yeah, I’m hoping that we’ll have more discussion. You know, it’s only been the first week and I’m not a marketing genius. Right? So I have no idea. Who knows or who even cares about this thing. I was more interested to see, You know, you started a day one by the time we get today 100. Did we satisfy those two wise? Did we educate? And did we get some dialogue? Did we get somebody talking about

[00:31:03] Brad Nigh: this? I think I think I’m going to go back to like with the podcast. Just just doing it, putting yourself out there and win it. It’s yeah, if nobody listens nobody listens. But you’ve grown from it.

[00:31:15] Evan Francen: Dude. That was the wisest thing. I think you said no, I mean, it’s totally the truth. Right? All right. So, uh, so here are here they are for a week. Once a week one. We started this last monday. So that would have been the first to know the eighth. So day one was information security isn’t about information or security as much as it is about people. And so the point here is, and I’ve made this point many times and a lot of these things you’ve heard before because I’ve been pretty consistent um that if nobody suffered because of a loss of information, then nobody would care.

[00:31:52] Brad Nigh: Yeah, the people are the, why we do this.

[00:31:54] Evan Francen: Exactly. It all comes back to the person and I always not always. But you know, when I see a healthcare organization for instance, that has just a terrible security program and risk through the wazoo, I think of the, you know, just walk out the front door of the hospital and watch the people that come in and out of the main lobby, it’s their information. So, you know, and we score things obviously 308 5300 being like super duper risk and 8 50 being done until you never 300 you never in 8 50. But let’s say that a hospital or healthcare organization scores of 4 50 Could I go to the people that are coming into this hospital and say, Hey, are you cool with the 450 or the sick? Uh You know, child up on the 3rd floor? Yeah. Well, and so then it gets real personal for me

[00:32:47] Brad Nigh: and I was thinking about it because again, uh well talking in the, the students were talking about incident response was part of just kind of what, what is involved in information security and you know, that company that had, It was 40 employees 50 employees. That was potentially gonna be shutting down. What’s the average family size four people That’s 200 people 150 at least that are going to be negative negatively impacted that had no control over this because somebody didn’t do security correctly. Right? So yeah it’s the those days those innocent bystanders that get you know kind of caught in the collateral damage. Just

[00:33:31] Evan Francen: yeah they get jacked man. Yeah so that’s one of the things you know and it’s a truth that I hold dear and that’s why that’s the reason why it was number one because at the end of the day it’s the purpose for me. Day two truth. Number two is information security is a business issue not an I. T. Issue. Uh And believe it or not this is one, excuse me I’m gonna cough. This is one where I’ve gotten considerable disagreement um with I. T. People you know which really you know it’s weird and I haven’t been able to figure out the logic like what’s your argument? Why would you think that it is an I. T. Issue? Not a business issue if you’re gonna argue it that way or do you think it’s a business issue? And when I say it’s not an IT issue. Are you saying that it is also an IT issue?

[00:34:26] Brad Nigh: Yeah that’s good. That’s a good question

[00:34:28] Evan Francen: because it is it’s when I say business I’m thinking the entire operation rain. Uh not you know so when I say it that way I’m not excluding it it just don’t treat it like it’s an I. T. Issue versus a business

[00:34:44] Brad Nigh: issue. I wonder if it’s you know I’ve met people that don’t want to ever give control of anything so they’re thinking oh well that means I I’m not going to do this but it done correctly the business sets the the risk and what the requirements are and then a lot of yeah I. T. Has to then implement and do the things right? So yeah it plays a huge role in information security but it should be the business deciding the risk. There is tolerance. How were you know kind of what we need to do All right now go figure out how to actually do that. Maybe they just don’t understand that.

[00:35:21] Evan Francen: I agree. One we’ve struggled for years getting time with the board of directors getting down with the ceos and we still have so far to go just in that and that’s why it’s one of my pet peeves you know when we call information security, cybersecurity and vice versa because cyber is if you look up the definition because words have to matter because we’re not not everybody’s thinking about it the same way. So let’s go back to definitions what is cyber cyber is of or pertaining to computers. Well crap that just puts me back right back into the I. T. Bucket again

[00:35:58] Brad Nigh: right And it’s only a portion of right information security it’s a third of it clearly important but it’s not the whole thing.

[00:36:07] Evan Francen: Well that’s why, you know, and I know it maybe I’m splitting hairs but we worked so hard to be to get bored time. And then we started, you use a word like cyber. I get it because it’s sexy. It sells, it sells stuff but it’s not it’s not the same thing.

[00:36:25] Brad Nigh: Yeah. And I’m with you. I think the resistance to get us in front of a board is that really blows my mind. Right? Hey, we’re here to, we’re on your side on this. We want to like this is what we do. No, I’m good. Yeah. Yeah.

[00:36:46] Evan Francen: Oh okay. Well I think still there’s this old ingrained thought in some boards that if I don’t know about it, I can claim that I didn’t know

[00:36:56] Brad Nigh: which is not the case. Right?

[00:36:59] Evan Francen: And so until until I think boards of directors are held more are held liable more, you know, because we’ve had there’s been a few derivative lawsuits that I can recall and I’m not a lawyer, but there was the target derivative lawsuit and I knew about that one because I was there, but that one was dismissed. So the board was not held accountable. There was no, you know. Yeah. And I think uh if I’m not mistaken, the Home Depot breach, there was a derivative action and I think the board was found liable? But I don’t think there was really any penalty. Yeah

[00:37:34] Brad Nigh: slap

[00:37:35] Evan Francen: on the wrist, right? And so and then, and now you’ve got this call and I’m not going to belabor this point too much. But now you’ve got this call from Senator Warren who you know, wrote a bill that wants to hold ceos and natural ceos, but business executives criminally liable for breaches. It’s like, whoa, you went way too far the other side, you know what I mean? He started with like hardly any liability to like we’re going to execute you.

[00:38:02] Brad Nigh: Right? Well, you know that’s how the laws work, right? You start with the extreme and kind of work back towards the middle. But

[00:38:08] Evan Francen: especially in election,

[00:38:10] Brad Nigh: it’s got to be something because dad, we’re seeing it boards just uh in the programs that are successful have bored by in absolutely have executive leadership buy in and you can absolutely tell the difference.

[00:38:25] Evan Francen: Yeah. Yeah. I wonder if there’s some way we can push force the issue, but I can’t think of it right now, the no, you’re not gonna say anything because I don’t want to be held anything. Uh Alright, so now day number three data breaches are inevitable, no matter how good you are, it’s truth, how you can debate that one. So we were people don’t like to hear that one. That was the one that got the least amount of likes.

[00:38:51] Brad Nigh: It’s gonna yeah, it’s gonna happen, it’s just how long can you kind of avoided or what can you do to mitigate it? Um I asked the students, you know, how long do you think it takes for a data breach to be noticed? Mm 10 hours. Three days Like Jaws drop at six months because people don’t, it’s going to happen. So do do some basics make yourself not the low hanging fruit

[00:39:23] Evan Francen: Well, and I think people don’t like to confront the truth. Yeah. I mean people don’t like to say, well data breaches are inevitable. This executive management know that does the board of directors know that a data breach is inevitable? Just expect it. It’s going to happen

[00:39:39] Brad Nigh: at some point, something’s going to happen. Somebody’s going to email something. They shouldn’t. Data breach doesn’t mean you have been hacked

[00:39:46] Evan Francen: right? It might be that you have been hacked to. You could be but yeah, I agree. So it’s like just let’s tackle it from that angry.

[00:39:56] Brad Nigh: Right. Well, and you know, going to kind of previewing the news like was it Amazon email like 1700 recordings to the wrong person that’s a data breach but there was nothing malicious was an accident. Yeah, it doesn’t have to be so well we’re going to be hacked. Well no, no.

[00:40:15] Evan Francen: Right. I’ve gotten from so many ceos that I have talked to. You know because I asked I’ve asked them simple questions because you know we just forget about the why God she’s going to go back to that all the time? Like I go to the Ceo, what do you expect from me, right? You know, what would make me successful in this job? You know, as you’re seeing as you see. So, and usually what I get is, well, keep me out of the news, you know, keep the bad guys out. Well, I need a better answer than that, right? There needs to be more education because I can’t keep the bad guys out, not in all circumstances

[00:40:50] Brad Nigh: if they want to get in, they’re going to get in right

[00:40:52] Evan Francen: one way or another. So, you know, yeah, there’s just so much education due to do still for uh, for executives, which drives home that that second point still right? Information series of business issue. And so the sad thing is, is you have a lot of CEOS and boards of directors who are making big important strategic directions without adequately accounting for information, security risk, their accounting for financial risk, their accounting for strategic risk, their accounting for operational risk, their accounting for reputational risk, but security risk,

[00:41:25] Brad Nigh: it still blows my mind the amount of acquisitions that God, right? And then they’re like, nuts, you’ve acquired a breach, like there’s an active infection, active malware going on. Yeah. And you didn’t do it, it’s yours, you now own this if you’ve done some basic security, not just when we check the financials,

[00:41:47] Evan Francen: but even then, you know, you wonder, you know, how much we hold people accountable, I mean the Marriott breach, which is a classic example of that. Yeah. I mean, what’s, what’s ultimately going to happen? You know, it’s people, you know, the normal people are just like a bunch of, I mean, I hate to say it, but it’s like a bunch of sheep. They, they have such short term memories and they just feel helpless and so they just ignore it.

[00:42:12] Brad Nigh: Yeah, I think that’s a good point. I think there is, it’s that almost a breach fatigue, right? There’s just always something going on and nothing ever ever happens. Just accept Equifax. Well, hey, we’re going to give you our service to protect you as payment for like losing,

[00:42:31] Evan Francen: you can make, we can actually make more money off this breach, Right? Uh huh. Anyway, it’s a scam. And then uh well, the bigger grander scale, I mean, it’s hard to deny the fact that we’re in a cyberwar. It may not be an active war where you think in the traditional sense of people are dying, but it’s more of an asset collection, information gathering sort of stage of war where you’re being used and you don’t have, you don’t even have a choice in it.

[00:43:07] Brad Nigh: Well, what’s interesting is there’s that lawsuit around the cyber insurance and they’re trying not to pay because they said it was an act of war. Right? Right. Which is it will be interesting to see, how that gets defined and played out in the courts.

[00:43:22] Evan Francen: Yeah. Something’s got a gift. All right. So anyway, day for, we’ll get through the rest of us quick. One of the best tells of a novice or poor security professionals, their inability to put risk into context. And I think if you’re, if you have experience, you can remember back to the days when you find a vulnerability and be like, oh my God, we have to fix this is the biggest, worst thing ever where somebody who’s more experienced to be like, well actually this door over here is open and that’s kind of the biggest one on my list. Right now.

[00:43:54] Brad Nigh: I have this critical vulnerability that requires physical access to actually exploit. I can anybody can walk in if I fix that. Right. The other one is not a big deal.

[00:44:07] Evan Francen: Yeah. So you can tell a good security professional at least 11 who’s experienced, uh, in their ability to risk rank, their ability to put risk into perspective.

[00:44:17] Brad Nigh: It’s almost a little bit more of that. Gosh, what a columnist a Exactly. There’s just not a, everything is not on fire all the time. Right. Right.

[00:44:31] Evan Francen: Day five was, you don’t need a degree to be awesome at information security. This isn’t saying that degrees are bad. This isn’t saying they’re a waste of time. It’s just saying that there are multiple ways to become a great security person. Some come through degree programs, Some come through trade schools, some come through, no school at all. They read self taught. You

[00:44:54] Brad Nigh: know I mean so many different ways and not, I’m not claiming to be awesome. I have a lot to learn but I think you’re awesome. But you know I went to community college and I did like math and psychology and did the pre vet stuff because I thought that none of it was none of it was what I wanted to do. Uh And so I just dropped out after doing a whole bunch of. Mhm. Yeah I did a lot of classes but it was not not right. Uh And then I went to, yeah it was computer learning centers that’s old old story there uh to get my Microsoft novell for 11 and Microsoft stuff and like 97 98. So I

[00:45:38] Evan Francen: did they pay big bucks then for that.

[00:45:41] Brad Nigh: I did some so I did do education, it wasn’t a college degree. And then yeah I’ve done a lot of you know, classes and training and things like that.

[00:45:53] Evan Francen: Well there’s so many different ways to learn and

[00:45:55] Brad Nigh: I mean there’s only what you see book smarts doesn’t translate to the real world. So there’s there’s a you can have all the schooling in the world. We’ve seen it with alright Master’s degrees and but they don’t have any actual experience, they come in and it’s like no that doesn’t work right.

[00:46:17] Evan Francen: Yeah, absolutely. I think one of the best places for security people to start as the help desk. Absolutely. You know, I learned so much in, I mean there’s a long time ago cleaning boot sector viruses off the Windows three machines and just

[00:46:30] Brad Nigh: troubleshoot just a humble prioritized and yeah, just some of those things that you can’t hone those skills unless you’ve done it right?

[00:46:41] Evan Francen: And if you, if you’re and that is also education, right? I mean experience and experience, I think bleeds into education more than the other way around.

[00:46:48] Brad Nigh: Maybe a formal education versus on the job. Education. Yeah.

[00:46:53] Evan Francen: Alright, today six cyber security and information security are different things. I’m reading this before saturday at eight a.m. You get the scoop. So I was kind of letting the cat out of the bags. I wrote this on friday night. So at that at that time it hadn’t been out. But we’ve talked about that already. Just look at definitions of words, right? Uh, our definition of information security is one thing, cybersecurity itself is a different thing. one fits inside of the other, not the other way around Day seven, there’s a lot of snake oil for sale in the information security industry.

[00:47:28] Brad Nigh: Yeah, lots. I can’t just install that software and be guaranteed to be safe.

[00:47:34] Evan Francen: Absolutely. Can it’s got it’s got a, I’m blocked. Yeah. Right. I mean anything. Yeah. There you go.

[00:47:41] Brad Nigh: Protects me against a pts.

[00:47:42] Evan Francen: Oh yeah. Pts with your ai and Blockchain and next gen. Oh yeah. Well you better get next to you because you’re absolutely the gen you’re on. Ain’t working, right? Yeah. Yeah. It’s just so much snake oil. Um And again, you’ve got to have some experience, you gotta have some education to know what is actually fixing what, I wouldn’t know why anybody in the world would ever buy something if you don’t know what the hell it does.

[00:48:06] Brad Nigh: Yeah. Well, and, and even if it’s a good product because there are some really good products out there, but people don’t know how to use them so they get installed, never configured, never customized. They just off the shelf. Hey, I’m protected. I’ve got this right. Great software. That’s not doing anything

[00:48:27] Evan Francen: right. Yeah. I mean there are tons of, you’re right. There are tons of awesome products out there that um also, I don’t know how they work. I’m not experienced enough or educated enough to know all the capabilities of this thing I just bought and so I maybe even be using it, but just using it for just such, you know, such a small portion of what it can actually do for me. And I think that is also a snake oil. It’s snake oil when I sell something to somebody that doesn’t do what it’s supposed to do, but it’s also sneak off. I’m selling something to somebody and I don’t, and I’m not, my skin is not in the game enough to make sure that they’re using it the way it’s supposed to be easy. You don’t just make the sale and then walk away. You have to teach

[00:49:13] Brad Nigh: well and you know, I think nothing that yeah, the sim solutions, those log aggregators, people put them in there like sweet Unprotected, but they don’t have logging or not anywhere. They don’t have. They’re not, yeah, they’ve got the log aggregator, but it’s not, they don’t if they don’t have it set up on the in points on the servers, on

[00:49:32] Evan Francen: garbage in garbage out. Right. Yeah. Yeah. So anyway, those are my seven truths for last week. This uh, this week I think, uh, you’ll get what you get. I like it.

[00:49:44] Brad Nigh: I like it. You know, it’s, I think it’s good. You’ve said it right. You don’t, you’re not a big itself publicizing or self promotion, but you know, it’s really stretching and putting yourself out there and

[00:49:58] Evan Francen: yeah, I want to start these discussions, man. It’s good. So one hopefully. Yeah, I just want us to work together more to help people more. I think we can do so much better. All right. So news. Yes, lots of news. Uh what did I choose this week for news? So the first one which, you know, I wanted to start off on a positive note from dark reading dot com. There was discussion I square did there The title is women now hold one quarter of cybersecurity jobs. So on the fact that you’re using the word cybersecurity. Um, it’s very positive news.

[00:50:38] Brad Nigh: Yeah. The only thing is, well and I think it’s good overall, they change their metrics and how they measured that. So it’s a little bit misleading. But at the same time they changed it for everyone. So hopefully this is a positive trend

[00:50:54] Evan Francen: and you know, on the surface, you know, this, this is a study done by iC squared, you know, um The number of women was 11% in their first study, in the number of women in their second study. And you’re right, they did change the way they did it Uh was 24%. So that’s definitely a positive trend even if the numbers are plus minus, you know, a few percentage points.

[00:51:19] Brad Nigh: And again, they changed it for everyone. True. So I think one of the things I’d like to see is Is it actually net new women in the workforce or they now changed it to at least 25% of your job is dedicated to this. So maybe women are doing, you know, were they doing kind of part time security that they are now getting credit for or is it again, we’re actually hiring more in? I don’t know either way. Like it’s a good trend.

[00:51:49] Evan Francen: It is a good friend and I like how my concern is that we’ll keep, we’ll take our foot off the gas and I don’t think we will. But

[00:52:00] Brad Nigh: let

[00:52:01] Evan Francen: me see good news. You’re like, oh yeah, look, we’re good and then you start focusing on something else and then that

[00:52:07] Brad Nigh: and there is that there is that good old boys kind of attitude. A lot of places, the bro culture, right? And I don’t get it like our Megan from my amazing to work with her because she looks at things completely differently than I did and Lori and just keep going down the line and it’s so good. It’s not to say that men, the other guys here don’t look at things differently, but they have a different viewpoint. They’re coming from a different place.

[00:52:42] Evan Francen: Absolutely.

[00:52:43] Brad Nigh: It’s

[00:52:44] Evan Francen: well, yeah, we don’t hire women just for the sake of hiring women, right? The fact of the matter is they provide a different value that we didn’t have before. Because if you’ve been like, I’ve been married dated women, been around women enough times to know that they think differently than I do. I have. I think this way and my wife will look at the same problem and come at a totally different angle, right? Be like,

[00:53:12] Brad Nigh: oh, I’ve

[00:53:13] Evan Francen: never even, I didn’t see that, right? And so it’s not the diversity of people. It’s the diversity of thought that changes things. And so you’re right when I sit with Megan and she gives, you know, her perspective on something and like, absolutely,

[00:53:29] Brad Nigh: that’s that’s a really

[00:53:30] Evan Francen: great Yeah. If you embrace it, if you embrace it, it makes everybody better, including myself.

[00:53:36] Brad Nigh: Yeah, I think part of it is, you know, just knowing continuing to want to learn and having the right attitude, right. Some people are stubborn, very territorial

[00:53:46] Evan Francen: and that’s usually a sign in my mind. That’s usually a sign of weakness. And um, yeah, you’re hiding insecurity, right? You’re hiding something, right? That’s a good trend. It is a good trend. And I’m happy about it. And you have to be intentional about it too. I mean, I know that I don’t know if it’s I mean, there have been times when we’ve specifically looked for hiring a female,

[00:54:11] Brad Nigh: you know, and I yeah, I don’t know legality. Our lawyers are going to yell at us. But I mean when you look at sea and say, well, we need more diversity in the workplace, how old are you going to get it?

[00:54:25] Evan Francen: Well, I think a lot of people, a lot of times, people will just say we need more diversity in the workplace, but they don’t ask why. Yeah. Why do you need

[00:54:32] Brad Nigh: more? Why are you doing this? Because we need people like we don’t want everybody don’t want yes men, right? I want people that are going to challenge

[00:54:40] Evan Francen: different perspectives.

[00:54:41] Brad Nigh: Actually challenge me. Let’s let’s figure this

[00:54:43] Evan Francen: out. When you asked me that. Why, Why isn’t Well, because we need more women, That’s not why I mean, that’s what

[00:54:50] Brad Nigh: we need. We need to how Yeah, that’s a good point. I think that’s a really good point. We need more people looking at it from different, we wanted, I wanted many inputs as policy. Absolutely.

[00:55:00] Evan Francen: I want more minorities to the same reason, different perspectives, different ways of thought, you know? So anyway, Homeland Security and the second piece of news and then we’ll kind of drive quick here. Homeland Security warns of security flaws and enterprise VPN, yep. And this one is all over the place. The one that I cited is the one at TechCrunch. Uh, that’s the title of the story. Homeland Security warns of security flaws and enterprise VPN apps.

[00:55:30] Brad Nigh: I think that’s the takeaway from this is this is why you don’t let people use their own devices, use a managed work device to VPN n because it’s storing the credentials and tokens on the local machine. People at home never get their machines compromised. Never.

[00:55:49] Evan Francen: Yeah, So yeah, you’re right. Really closing up kind of the entire ecosystem.

[00:55:54] Brad Nigh: Yeah, I get asked all the time too. Right, but why are you managing it? Do you know what’s on their machine? Who else is using it? Do they leave that open while their kid plays whatever

[00:56:05] Evan Francen: for sure they do or a kid wants to go and you know, jump on what’s the, there’s like that school app school a school and yeah, they went up on school the real quick to download their homework or something, you know, the so anyway, I guess the point here is um no matter what you’re using, you’re never going to be, I mean you can never just say, okay, we’re good, we use VPN great two factor authentication is important. Your VPN software itself is important. The configuration, the system that it’s riding on is also

[00:56:38] Brad Nigh: important to patch all those VPN clients.

[00:56:41] Evan Francen: Yeah, so on this one in particular, um, do some research, see if you’re affected by it, if you are affected

[00:56:47] Brad Nigh: by it, there’s a lot of big names in

[00:56:49] Evan Francen: there, yep. And if you are affected by it, which you probably are if you’re using VPN um, yeah, fix it. Hackers published personal data on thousands of US police officers and federal agents. Uh huh. This is also from techcrunch more pisses me off I think than anything else when you have guys and ladies and uh, you know, sacrificing their lives every day for us for our safety and you know, some Jackass.

[00:57:19] Brad Nigh: Yeah. Well and wasn’t it like in spreadsheets on some FBI site?

[00:57:26] Evan Francen: Yeah, there’s that part too. You know, we just, they deserve better protection. Yeah. So you know, anyway, the attacker released the information, um, it’s bothersome but not, not unexpected. I don’t think so. But another thing that we hear a lot of is, well I don’t have anything that anybody would want or you know, there’s already out there. Yeah, if Attackers are money motivated, there’s no money here, you know, for them. But the point is you never really know what the Attackers motivation is going to be in this case, the Attackers motivation probably wasn’t money because they didn’t make any intimidation? Yeah intimidation or just cause chaos sometimes. So you know you never really know what your Attackers motivation is. So when you’re doing your own risk assessments and risk analysis take into account your threats. You’re trying to identify who your threats might be. You can you can assume some motivations but be

[00:58:31] Brad Nigh: careful. Right? Yeah. Yeah.

[00:58:35] Evan Francen: So uh last one is this one came from you bread auditor amazon auditors listen to echo recordings report says this came from threat post.

[00:58:44] Brad Nigh: So yeah that was basically they were saying they were using this to listen to the recordings and correct and improve voice recognition but it’s not clear like it’s not spelled out in any of the terms of service or anything that people will be listening to this and

[00:59:08] Evan Francen: right. Yeah. I don’t want you listening to my recordings. Sorry. Right. Unless explicitly authorized you to do that. This is sitting in my living room. I’m having private conversations with my,

[00:59:20] Brad Nigh: well they’re saying it was only done after the keyword. Yeah right. Only after. But you know they say at the end that there’s some certain things around where was it uh I got to find it now but Children calling for help and you know criminal and sexual assault stuff if you’re I don’t know people that go hey Alexa I’m being assaulted? Like how did how did Alexa turn on right when a child is crying for help

[00:59:58] Evan Francen: Is that what a parent’s job is for?

[01:00:00] Brad Nigh: But well but even if what if you know if the kid is being abused by a parent, how are they recording? Right? That’s your problems in Alexa then. But that’s what they’re saying. They’re hearing, well they’re hearing that. Yeah that was in the article that you would hear potentially you know unsettling criminal, potentially criminal things of Children calling for help or sexual assault. God so you know

[01:00:25] Evan Francen: but I don’t want Alexa.

[01:00:26] Brad Nigh: So is it are people calling saying Alexa and then calling to get it recorded? But there’s that opens up a whole another thing of how do you what’s your responsibility amazon if you’ve heard criminal activity and you’re not reporting and are you not reporting or how you determine if it’s criminal or not and then some of the stuff is being done overseas and yeah

[01:00:51] Evan Francen: what a mess. So in my house there is no abusing of anybody. You know and I also don’t have Alexa or google home. I don’t fault people who do but it’s just

[01:01:05] Brad Nigh: I don’t trust a risk. I’m

[01:01:06] Evan Francen: willing to I don’t trust it

[01:01:08] Brad Nigh: yet.

[01:01:09] Evan Francen: You know and it’s just me I know that there are probably plenty of ways so I could do a bunch of research and really lock it down and do all kinds of other things that other security people have done. I don’t have time to do it so if I don’t have time to do it I’m just not doing it. I don’t mind getting off the couch and like doing stuff either pushing a button on a remote control to change my tv. Yeah it’s funny how we went from remember the days when you had to actually get off the couch and go and turn the knob on the T. V. Then we went to remote controls and then that’s still way too much work. I gotta push buttons on our control. Why can just can’t I just asked the T. V. To change channels for me. It’s like I don’t we just keep getting lazier and lazier.

[01:01:52] Brad Nigh: Right let’s be. And what is it? Um Oh my gosh

[01:01:56] Evan Francen: Wally.

[01:01:59] Brad Nigh: It’s good it was going to be a prophet prophet prophecy or whatever. Yeah.

[01:02:07] Evan Francen: All right. Well that’s the that’s the end of the show. We went through a lot of stuff. I kind of knew that we would um Any wisdom parting words brad.

[01:02:16] Brad Nigh: No no I’m looking forward to this week. I’ll be next week. It will be good to have a recap of of all the good stuff that we’re doing with everybody

[01:02:23] Evan Francen: here. Oh yeah I’m excited to. It’s gonna be a fun day. All right well don’t forget you can follow me or brad on twitter my my handles at fr I’m sorry Evan francine uh and brad’s at brad and I email us if you want to talk to us or give us some input feedback or something in particular you like us to talk about? We we’ve done that before two UN security at proton mail dot com. That’s it for episode 23.

[

What It’s Like Hosting a Cybersecurity Podcast

About

Work with Us

Resources

Contact