Cybersecurity Risks with Remote Workers

Unsecurity Podcast

The challenges of working from home extend far beyond the kids bugging us, the dog needing to be let out every five minutes, and a constant urge to visit the fridge. Working from home also poses real security challenges. In this episode we discuss the cybersecurity risks that come with remote workers.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders ensure their organizations are protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: All right, welcome back. This is episode 77 of the UNSECURITY Podcast. I'm your host this week, Brad Nigh. Today is April 28th, and joining me this morning as usual is Evan Francen. Good morning, Evan.

[00:00:34] Evan Francen: Good morning. Well, actually, I'm supposed to say blah blah blah.

[00:00:37] Brad Nigh: Yeah. Uh, you know, it’s a good start.

[00:00:41] Evan Francen: Yeah. Right, blah blah blah Tuesday. Here we are.

[00:00:45] Brad Nigh: Yeah. You know, we have a jam-packed show this week, I think. It's, we got, you know, it's interesting. We were trying to come up with the different things we're going to talk about, and I was like, you know, let's talk about what we've kind of touched on. So, but before we get going, um, you know, let's catch up on what's been going on.

[00:01:05] Evan Francen: Yeah, man, it's hard to believe. It's 40, I think today is day 42 or 43 since our office has been closed.

[00:01:15] Brad Nigh: Yeah, March 17 was the last day we had people in. We all went home that day.

[00:01:21] Evan Francen: Six weeks. Does it seem like that long?

[00:01:24] Brad Nigh: Longer? I don't know, everything, you know, that's the piece that's been really interesting to me, is everything just blurs together.

[00:01:35] Evan Francen: It does, man.

[00:01:38] Brad Nigh: And so I've had to make a conscious effort to, like, on the weekends, shut the office doors at home and not, you know, like, forced separation, just because if you're here, you're always in the same, you know, area. Yeah,

[00:01:59] Evan Francen: Yeah. And all my friends are digital now, you know what I mean? I have so many of you, you know, live, you know, in analog. I haven't, you know, just, you miss shaking hands, bumping fists, you know what I mean? It's been weird, but, you know, I've been finding therapy in doing stuff around the house. You know, I built all kinds of stuff, built like 10 shelves in my garage and built a chicken coop, put a new exhaust on my Harley yesterday, got like 200 miles of what I call wind therapy.

[00:02:41] Brad Nigh: Nice. Yeah, yeah, this weekend, uh, it was finally nice out here. So I actually dethatched my yard, filled up 32 of those paper yard waste bags with thatch and dead grass, and it needed it. It had never had anything done to it before we moved in a couple of years ago.

[00:03:04] Evan Francen: Now, where do you get rid of those?

[00:03:06] Brad Nigh: Uh, the trash company has a yard waste subscription. So it's going to take a couple of weeks to do all those. But

[00:03:16] Evan Francen: Yeah, my wife got tired of, I mean, waiting for me, plus I don't do a very good job. So she hired that out, paid a couple hundred bucks. I came home one day last week and, uh, there was all kinds of, there's like a whole crew out there, man, and I had no idea. And I was like, what the hell is going on? And they're all dethatching my yard.

[00:03:40] Brad Nigh: Nice. Yeah, it was a lot of work, but you have your motorcycle and get your wind therapy. To me, like, working out in the yard and gardening and landscaping and stuff, that's kind of the same for me. It's so different than what I do on a day-to-day basis. It's

[00:03:59] Evan Francen: a

[00:04:00] Brad Nigh: therapeutic to get out and

[00:04:02] Evan Francen: Yeah, my best buddy, a really good buddy, is, uh, you've seen him. He's Bobby. He's a big ironworker, manly man, spent like 20 years in the Hells Angels. I mean, just a biker, exactly what you think of. He's a botanist.

[00:04:21] Brad Nigh: Nice. That’s awesome.

[00:04:23] Evan Francen: I know, it's totally cool, man. Uh, he's a fashionista too. So yeah, I think I got the biker mentality, he got the biker body. If you put the two of us together, it would be pretty badass.

[00:04:36] Brad Nigh: He definitely has the look, right? But he's, yeah, he's just a chill, nice guy.

[00:04:44] Evan Francen: Yeah, he’s a teddy bear.

[00:04:46] Brad Nigh: That's too funny. What about work? What's been going on?

[00:04:52] Evan Francen: I got too much going on, man. S2Me version two comes out this week, so, you know, we'll talk about that in the podcast next week. Um, lots of partner community stuff going on. We got the, uh, mentor program going on. I got tons of documentation I'm supposed to be writing that I haven't gotten caught up on. Just fixed, you know, not really fixed, but we reworked the math on the external vulnerability scan so in the new system it will match the old system, because I think a lot of the FRSecure people were running those scans and, you know, not migrating off the old system because, you know, the scans didn't work the same way. So I think we got that figured out. Very cool. Yeah, just tons of stuff, man, good stuff. Just probably too much of it. How about you?

[00:05:47] Brad Nigh: Yeah, same. Um, we're doing a lot of stuff for, like, CMMC and getting ready for that to ramp up. We're seeing a lot of, uh, questions and interest about that as it starts to. So even though there's nothing official out there yet that I've seen for, like, C3PAOs and how to get certified, you can still help people with readiness, uh, for that, right? We know it's going to take some of these companies quite a while to get all these controls in place. So doing that, you know, how do we continue to mature and improve our current services, and yeah, so it's been busy. It's nuts.

[00:06:33] Evan Francen: Yeah, you showed me before we started the show, you showed me the CMMC mapping, the progress you made, and I'm really jacked about that. You did a really good job on that. Thank you. It's good to see it.

[00:06:44] Brad Nigh: Yeah, it'll be, uh, it's been a while since something new has come out like that to map. So it's kind of fun. The hardest part's been, like, to do those you can't just do it for, like, a half hour or 20 minutes here and there. It's like you've got to just close down everything, and, you know, realistically, for me at least, it takes at least a half hour to get into a groove, and you need a minimum of two hours to get anything accomplished. It's just so frustrating.

[00:07:16] Evan Francen: Yeah, I work the same way, man. If you interrupt me, you may interrupt me for just 10 seconds. Yeah, it's going to take me probably 45 minutes to get back into whatever groove I was in.

[00:07:31] Brad Nigh: Yeah, and, like, if somebody asks a quick question, that's one thing for me, right? But a half hour meeting in the middle of a four hour block just completely destroys it. I've lost an hour of my time, or, like, plus a half hour. It's like a third to half of the time is just shot.

[00:07:52] Evan Francen: Well, as to S2Org, mapping that to CMMC, that'll be really, really cool, man. I'm excited to see that. That looks like stone.

[00:08:01] Brad Nigh: Yeah, hopefully I'll get it done in the next couple of days.

[00:08:05] Evan Francen: And I know you've been working on maturing the vCISO at FRSecure. John Harmon gave me kind of a little bit of a lowdown on that. Let me know if there's anything I can do to help, because I know that you're swamped, swamped as Iron Man.

[00:08:23] Brad Nigh: Yeah, no, I think, you know, using this as our daily catch-up since we don't see each other anymore. My plan is, like, we've got an internal committee of some of the analysts. We're all working together and coming up with ideas. Once we, when I put together that final, here's our proposal for moving forward, I'll definitely bounce it off you. Cool. It's been a little bit trickier than it probably sounds, for that one in particular. You know, like, how do we get an assessment to be better and more consistent? That's easy. That's not hard. But the vCISO is such a nebulous thing. And, you know, a lot of times we're going into a company where they don't know what they need or where they're at. So how do you tell them something that is what they need but isn't, like, just overkill, right? Or it's not enough, because, you know, so it's been an interesting challenge.

[00:09:27] Evan Francen: Taking notes, because I think, mm, this is, I mean, we've got another podcast topic right there about, you know, maturing the vCISO. Because I think, you know, when we started the vCISO program back in 2010, probably, the first version, um, you know, it was what you'd expect out of the first go of something. It was kind of crappy. There was no measurement in place. There were people who paid for it. I mean, people would pay you five grand a month to basically do nothing. You know, and you'd tell them, hey, you know, I'm not doing anything. They'd be like, yeah, but it's just nice having you around. It's like, but I'm not fixing the broken industry, I'm just taking your money, right? You know, I have to provide value. So we took that thing back and then deployed this version of the vCISO program, um, which has done, you guys have done amazing work with it. It's cool to see it. And then now, you know, this is the next generation. It's like

[00:10:34] Brad Nigh: Yeah, I mean, we're only coming up on, this current version, I guess, of the program is really just about two years. It'll be two years this summer that we've been doing it with this methodology. So, you know, I think with some of this stuff it takes that long to actually get the data to understand what's working and what's not, just because, right, these aren't quick fixes. These aren't like a pen test where it's in and out. These things take a significant amount of time to move programs forward. So now, okay, okay, with me, now, kind of, we have enough data to know what's working, what's not, how do we improve it? What are the pain points? How can we eliminate those or minimize them? So

[00:11:21] Evan Francen: Yeah. And I've always been a big believer that if you're in a consulting company, if you're not innovating, you're dying. So if you wait for a customer or, you know, a group of customers to tell you, hey, you need to change something, I think it's too late.

[00:11:37] Brad Nigh: Yeah. And that's exactly what we're trying to avoid, is hearing that. You know, I think, um, Sean did some really good analysis and interviewed the analysts and sales about all of our vCISO. Um, you know, we're not seeing people not renew. So they still see value. But it's like, okay, but then what? They signed a two or three year engagement. What's next?

[00:12:01] Evan Francen: Yeah. That's one of the reasons why I love our mission. Because if our mission is to fix a broken industry, we're always going to continually push ourselves to provide more value.

[00:12:16] Brad Nigh: Right? Yeah. PCI is the other big one we're working on, and how do we make that less painful for customers. I think we've got some really good ideas there. I'm excited about what's coming for that.

[00:12:28] Evan Francen: Stop taking credit cards. That’s how you do it.

[00:12:30] Brad Nigh: Yeah, well, unfortunately. But, uh, and then I think the only other one was we have a pretty big incident response that came in at the end of last week. Um, they got a letter from the FBI saying that they saw, uh, traffic going to a malicious IP with some files and stuff, and they called us immediately, and we were able to put stuff in and see what we're seeing: PowerShell, uh, encrypted PowerShell file, this malware getting dropped. And we were able to, from what we've seen, it was probably a max of days before they got ransomed. Uh huh. So far, knock on wood, um, so far so good. We've been able to contain it pretty quickly. It's amazing. I was talking with Oscar about just the growth of that IR team, in terms of, like, even in the last six months, just watching these guys become more confident. It's awesome.

[00:13:43] Evan Francen: It is awesome, man. And if the FBI is notifying you, it's probably part of another investigation that they're working on, and this was sort of, yeah, breadcrumbs from somewhere else, you know.

[00:13:55] Brad Nigh: Yeah. Yeah, it was interesting. They were saying, we got a little bit of detail, but I guess each of the different field offices for the FBI focuses on a different type of attack, right? So this one, you know, came from, I don't want to say anything because I don't want to give too much away about that, but, you know, one of the officers, I was like, why would that one be contacting this company, given the location? But it's not regional. It's based on, you know, the team, the threat actor, or the attack vector. Yeah

[00:14:30] Evan Francen: Wow. Well, yeah, and that team, the penetration, I'm sorry, technical services and the IR team, you know, I know that that's a huge focus for FRSecure going forward too. So the team, they've come this far in six months. Can you imagine the next six months, man?

[00:14:48] Brad Nigh: Oh, no, it's awesome. Just continue to mature that and grow it and

[00:14:54] Evan Francen: Yeah, I remember a couple of years ago we were talking about the IR team.

[00:14:59] Brad Nigh: Yeah, or, yeah, was it two years ago? It was like you and me.

[00:15:09] Evan Francen: Yeah, I'm glad I don't get called anymore, man.

[00:15:11] Brad Nigh: This is way better. Oh yeah, I didn't have to do anything this weekend. They handled everything and got it contained. Fantastic.

[00:15:20] Evan Francen: Beautiful.

[00:15:21] Brad Nigh: Yeah

[00:15:22] Evan Francen: We're too old, man, for this.

[00:15:25] Brad Nigh: It's fine Monday through Friday during the day. That's awesome, I wouldn't mind doing it then. But it's those nights and weekends, and, you know, as they like to say, all that suit work we have now, right? It gets in the way of the fun stuff.

[00:15:43] Evan Francen: Yeah. Well, that's the thing. I mean, it's never convenient, right? I mean, when you have a family and, you know, you take on more responsibilities and just management and everything else. You know, uh, IR has always happened at the most inconvenient

[00:15:58] Brad Nigh: time. Yeah. Yeah. Yeah, it is what it is, right? But

[00:16:06] Evan Francen: Yeah, that's for the experts who enjoy it and are great at it, so

[00:16:11] Brad Nigh: Yeah, and it's fun to still poke around if I have a little bit of time, and, you know, there's always, like, little things. You're like, oh hey, did you see this, or did you look at this? And they're like, where did you find that? Like, wanting to learn and continue to grow. So it's just so much fun. Yeah. Yeah. All right. Well, that was good. We've, uh, been able to really catch up, but that's been the weirdest thing, I think, is, right, those little, just going and catching up. So

[00:16:40] Evan Francen: All right, I could talk to you all day. I mean, there's so much stuff to talk

[00:16:43] Brad Nigh: about. Um, yeah, but according to the show notes, we have to shift gears and talk about remote worker security. So, yeah, I suppose we have to follow that.

[00:16:55] Evan Francen: Yeah, that is a thing.

[00:16:56] Brad Nigh: Remote. So we've kind of briefly touched on it with some little, like, pieces here and there and some notes and things like that over the last couple of weeks. But I mean, from what I'm seeing, this is going to be the new norm for quite some time. So let's actually spend some time and actually talk about this and, you know, try and help people prepare and be safe. Um, so the first one, I saw this article, malware risk triples on work from home networks. Threatpost had a podcast on it, which I thought was pretty, uh, interesting to read. But the actual information came from BitSight, and obviously BitSight is, yeah, it is what it is, right? It's just going to be looking at public traffic. Um, but for this use case, you know, I think this is actually a very good use case for BitSight, right? What is the malicious traffic we're seeing from corporate IPs versus home IPs over the internet? You know, what they found was the home or remote office networks were 3.5 times more likely than corporate networks to have at least one family of malware, and 7.5 times more likely to have at least five distinct families of malware. Um, Mirai, TrickBot, uh, and if you've got TrickBot going, that's not a good

[00:18:28] Evan Francen: day.

[00:18:30] Brad Nigh: Um, uh huh. So the actual information, the link to it, is on the blog. It is actually pretty interesting reading. What did you think of it?

[00:18:45] Evan Francen: No, it makes sense. I mean, it's nice to have the data to support it. I enjoyed the percentages. I mean, it just confirms, I think, what we knew. One of the reasons why we created S2Team was for this reason, right? If you're taking a home, even if you're having a computer that's provided by your work, and you plug it into a home network, uh, this data supports the fact that most of the home networks have infections, have all kinds of crappy stuff going on, and you're just taking a work network and putting it on that same network. Most people don't segment their Wi-Fi, segment networks. So you're just putting, it may be a pristine machine, right? And putting it into just a pile of mud.

[00:19:39] Brad Nigh: You know, and one of the other things, going back to that IR, that surprised me or was interesting, was that even though they have tools to push our threat hunting tools and everything out there, they're having issues getting it to work with all the remote machines over the VPN. For whatever reason, it's not, you know, there's a little bit more struggle there than if they were in the office. So, you know, this is something that, hey, you're more likely to have this, and you don't already have a tool to push it out? Have you tested the tool you have? Are patches being applied? Right? So there's this whole new level of management headache for your endpoints that I think a lot of people just haven't even considered.

[00:20:30] Evan Francen: Right. I mean, and ever since we've done teleworking, which has been kind of forever, for teleworkers, home networks were always in scope, not just the home network, but also the home itself, right? Because we're talking about technical risks, but what about physical risks? Right. Right. So, and now you've just exacerbated the problem, because what we used to have, I don't know, maybe five, 10% of the workforce was remote, and now it's over 50, 60, 70. I mean, I don't know what the percentage is. So you just took what was always a problem and just made it a bigger problem. Hopefully people will take it more seriously. You know, again, this is why we created what we created, was to try to get people to learn good security habits at home without violating their privacy. Because the last, another thing I don't want to do is, if I'm a CISO, I don't want to know all the stuff going on in your home network. That's your stuff.

[00:21:28] Brad Nigh: Right. Well, that's what's crazy. I think that, and I get that this is unprecedented and stuff, but, you know, hey, we're going to use your personal machine to connect into work. What happens if there is an incident? Am I now going to have to manage and clean a personal device? Whatever I find on that, what are the legal implications of that? You know, there's, it's a lot of, mhm, additional stuff that I think, you know, it's just, it's not fun. It sucks.

[00:22:03] Evan Francen: Well, it's definitely a challenge, and it's not going to get fixed overnight. There's not going to be a silver bullet. There's not going to be an easy button. There's no one piece of software you can put on a workstation at home and it's now protected magically. You know, it's a combination of things, right? It's a combination of technical controls. It's a combination of people, right, teaching them better habits, motivating them to learn and apply good habits, and yeah, man, it's, uh, but this stuff confirms it, right? I mean, we kind of already knew.

[00:22:38] Brad Nigh: Yeah, I hope, you know, I'm hoping that we don't, we know we're going to see a rise in incidents and things like that, but I'm hoping that long term this is a net positive, that companies are going to start going, okay, we can't just be like, IT and InfoSec are cost centers. We can't just barely fund them. I think it would be eye-opening for a lot of companies in terms of what the true risk and cost is of not doing it.

[00:23:11] Evan Francen: Yeah, I think, you know, some of the newer companies that kind of grew up as remote, uh, they're not struggling nearly as much as the ones that this is a new shift for.

[00:23:24] Brad Nigh: Well, yeah, it'll be interesting too, because a lot of those companies that refused to do it, that were forced to, how are they going to now stop that, plug that leak, right? Everybody's saying, hey, we could function remotely. Everybody did their jobs. The company didn't, you know, grind to a halt. How do you now say no, no more remote work, right? And what's that going to mean? So,

[00:23:45] Evan Francen: Yeah, it's crazy how many, I've talked to a lot of other security people. You know, I'm up there in age now, getting up there in age. So a lot of security people I talk to are also kind of getting up there in age, and, uh, there's still that old school mentality too, I think, that exists, where I don't trust people to work at home. I don't trust that they're going to actually get their work done. You know, they're going to be messing around, playing around, and I'm going to be paying them for what, you know? But now, I mean, the way management works, or should work, it's based on what you produce. It's based on, I don't care when you do it, I don't care how you do it. You've got these 25 things that need to be done. Did you get them? Yeah,

[00:24:30] Brad Nigh: you're getting them done or not. I'm with you. I think, you know, well, everybody seems to say that the other approach is just bad management, right? You have all these bad managers that don't trust their people. That's a reflection on the manager.

[00:24:49] Evan Francen: Well, and it's bad management, but, you know, I think for a lot of people it's traditional management. Yeah. That's just the way they were taught, you know, manage people by what you can see, you know. Um, but now, you know, you can't see them anymore, and now you've got all these other risks. So I'm afraid that some of these older school managers will just use this as justification to not allow what's sort of naturally happening with COVID to continue. Because I don't think people are more productive at home, at least having the flexibility.

[00:25:23] Brad Nigh: Yeah. I think it's been interesting for me personally. If the kids were in school, totally different story, right? Yeah. But, you know, it's been a little bit more difficult, a lot more stressful for sure, uh, you know, with kids at home. Not so much the older ones, but, you know, having a kindergartner and trying to get him to do anything for schoolwork is, good luck. I guess you're able to do what they don't want to do.

[00:25:57] Evan Francen: Well, that's easy. And that's another thing, right? Is, in the office, my computer isn't on the same network as my kids'. Yeah. You know, we're not contending for bandwidth, we're not contending for, you know, whatever else is going on on the network. Um, that's just another thing you have to account for at

[00:26:17] Brad Nigh: home. Yeah, yeah. And, you know, not everybody, like, I have separate networks. I have, you know, the Wi-Fi for the kids' iPads, the Wi-Fi for the laptop that, uh, my wife uses for when she gets to work from home one day a week. Um, so that has its own. Uh, my work is on its own. Um, everything, there's no, it's all isolated. There's no cross talk. Yeah. And, but we, I mean, most people just use whatever their ISP set up, and it's all one and.

[00:26:55] Evan Francen: Oh yeah, it's the traditional, it works.

[00:26:59] Brad Nigh: Yeah. Well, and they don't understand it either. And there's not, like, there's a bunch of resources out there, uh, to go to. Yeah. Absolutely. Even FRSecure employees who are not analysts but support staff and administration, all those types, they've asked, hey, can somebody help? What do we do? Where can we go? How can we, like, fix this stuff? Help me set up my network so it's more secure.

[00:27:31] Evan Francen: Yeah, I think, you know, and that's where we'll be going, you know, for sure with SecurityStudio. I mean, you'll see a lot of content on, you know, you talk about segmenting, you know, your home network. 99.9% of the population has no idea what the hell you're talking about.

[00:27:49] Brad Nigh: You

[00:27:50] Evan Francen: know what I mean? Or if they do, they're not doing it. Well, it's the right thing to do. So let's take what we've got in your brain, put it into some easy documentation that people can follow. That's where it's going to start, right?

[00:28:04] Brad Nigh: Yeah. And that's one of our big pushes this quarter, is we're going to start getting more quick hit educational, uh, short videos and, uh, how-to's and things like that getting pushed out here. Um, ramping that up now, so,

[00:28:23] Evan Francen: and that’s another great idea. Um,

[00:28:26] Brad Nigh: I got a whole series planned out, so keep an eye out.

[00:28:31] Evan Francen: One of the things we're trying to do at SecurityStudio is create a partner community, a community of partners working together for the common good. And obviously they benefit too, right? You know, they get business and marketing and all that stuff. But if FRSecure, as a partner of SecurityStudio, creates content, can we take that content and put it in SecurityStudio, giving credit to our preferred partner FRSecure? You know, I mean, it's just another way to get the word out with your, you know, with FRSecure's name associated with it. So they get more, you know, more business, because at the end of the day, um, you know, businesses are in business to make money. That feeds the mission. It's always mission before money, but they feed each other, you know what I mean? But there's some opportunity there, I think, to be more collaborative in the content that you create, to make it more known to other people.

[00:29:33] Brad Nigh: You know, we've got a really good, uh, blog post. I worked with Brandon, and I think he got some stuff from Ryan as well, but Brandon and I worked on it quite a bit, like, around Zoom, because we still hear all this stuff about it. So there's a really, really good, he did it. Brandon does a great job of taking what we say, that security people understand, and translating it, uh, for everyone to understand. So he's, you know, that whole marketing game, he does just a great job on that stuff.

[00:30:05] Evan Francen: Yeah, actually he showed me, I think, what's coming for that. It's pretty cool, your Zoom stuff that you guys put together.

[00:30:13] Brad Nigh: Yeah, I think that what we did was pretty good. Basically took my internal email that I sent to the company about it and made it for everyone. So there's no big scary words or, you know, any of that type of stuff in there.

[00:30:33] Evan Francen: Cool man.

[00:30:34] Brad Nigh: So, you know, along those lines, in the blog, uh, showing up today, um, I did go and, yeah, there's so much out there, uh, in terms of resources and what should we be doing and all that. And I sifted through a lot, and I was, so I want to say I was surprised, but I wasn't. I was disappointed about the amount of sales, marketing focused "free" stuff, right? It's not really free. It's like, hey, get this 30 day trial of this, and then we'll do, you know, here's how you can do it. But you have to, like, you know, I didn't like a lot of the stuff that I saw, trying to find some good, like, truly free, like, useful resources. Obviously FRSecure, I think we've done a pretty good job of that, and that's going to continue. So, you know, we're going to continue putting out, like, truly free, hey, here are useful things that you can use, right? Um, not just like trial software, but like actual documentation and things like that. Um, so that's out there. Um

[00:31:53] Evan Francen: Yeah, those things piss me off, man. I mean, they really do, because they make everybody's job harder, right? There's always strings attached. There's always an ulterior motive. There's such a freaking ulterior motive in our industry. Like, here, free stuff. But you know in the back of your mind that now I'm on a marketing list. I'm going to get blasted all the time about every single thing. I'm not going to be able to unsubscribe from all your crap. Yeah. And what if the thing that you've given me is so sticky that I'm using it regularly in my business, and then all of a sudden you're going to start charging me for it? You know what I mean? There's just this catch. Yeah. It makes our job so much harder when we try to give something away without a catch.

[00:32:38] Brad Nigh: Yeah, we have that anywhere readiness tool, the remote work security checklist, too. Like, once you download it, it's yours. And then there's obviously a ton of, like, videos and other stuff that's out there. Like, once you get it, it's, go to town.

[00:32:59] Evan Francen: Right? Yeah, I guess to me it's the same way. It's like, so many of the things we've done, so many things, you know, at FRSecure that have been done, that if people really believed you when you said it was free, I think you'd have 10 times the amount of adoption. But people don't believe you because of all these other jackwagons who, you know, have an ulterior motive.

[00:33:22] Brad Nigh: Yeah. Yeah. Well said. I can't add to

[00:33:27] Evan Francen: that. I mean, even the CISSP mentor program. I mean, I know we had 1,444 students, which is just amazing. People actually believed you that, you know, you can sign up for the program and, like, we're not going to sell you anything, ever, unless you want it. But I mean, we don't talk sales and stuff. Slide one, class number one, was, we did an introduction to FRSecure and an introduction to SecurityStudio and the things that we do, and that was

[00:33:58] Brad Nigh: it, yep. Yeah, this is not, I think, for, you're getting something that's worth anywhere from 3,500 to 5,000 plus. So you get, you know, 30 minutes of, hey, here's who we are as a company and why we're doing this, right? That's it. The rest of it is just, it is interesting to see, I'm going through the chats and people are like, I can't believe, like, they're still, with what, four classes in, and they're still going, I can't believe this is

[00:34:27] Evan Francen: free. It's free. Like, what is happening? But what's the catch? There's no catch.

[00:34:32] Brad Nigh: No catch. Um, so yeah, on this, on the thing, I've got the Department of Homeland Security's, um, Defending Against COVID-19 Cyber Scams. Really good resources there. The CISA alerts and recommendations around coronavirus, absolutely should be looking at those. FTC has got two pieces with tips for avoiding the coronavirus scams, and then NIST has its telework security basics. Like, pretty solid stuff. If nothing else, go read this stuff. And like, this one I thought was actually really well done in terms of, like, get this to your employees. You know, it's got, like, a little printable, uh, tip sheet that covers the tips, and yeah, yeah, you can't just, like, cover your head and go, nope, everything's fine.

[00:35:29] Evan Francen: Great rescue ignorance, that’s frustrating too.

[00:35:34] Brad Nigh: So anyone. Yeah, I think, gosh, yeah. What can you do as a company? I think there’s something, because they were going to work on some stuff: know what your employees are doing. Offer them help, be proactive reaching out to them. Hey, do you need, how is your setup? Do you need help configuring anything? You have questions? Um, yeah. And, and get out the use of these resources that are, you know, pretty good quality.

[00:36:01] Evan Francen: And, and it is okay for people in our industry, um, who are giving away free stuff. It’s okay to give away free stuff and have it be free, to just let go of it. Yeah. That is totally okay, without any ulterior motive whatsoever. Do that stuff, man. It’s kind of part of our common good. It’s part of our community. It’s part of what we do, you know, and, and keep doing it. You know, I know that there’s been so many free things since COVID and we’ve always been doing free things and it’s not to boast about it. It’s to encourage other people that after COVID, after we get back to some sense of normalcy, don’t stop making free stuff. Keep making free stuff. Keep pushing out because people need help. And I mean, people at home, we just talked about how many people don’t segment their network at home, right? I mean they need help. So let’s just do it. I don’t need help. I need help. Shoot, just a bad word.

[00:37:01] Brad Nigh: We’re gonna get our rating adult only. Right? I

[00:37:06] Evan Francen: didn’t do it. I said shoot

[00:37:09] Brad Nigh: you thought it. Um Yeah, I’m with you. Uh Yeah. Mhm man, I’m not gonna say anything on it. We’ll leave it at that. I agree.

[00:37:22] Evan Francen: You move off to do an adult version of the podcast because man, I get funky then for sure. There’s all kinds of things I’d love to say.

[00:37:29] Brad Nigh: Yeah. Yeah it would be uh that would that would that would get some attention and I think calling that good or bad.

[00:37:40] Evan Francen: Yeah, we have Chris, we have to have Chris Roberts on.

[00:37:42] Brad Nigh: Yeah,

[00:37:43] Evan Francen: sure because he’s good at do not very well, he’s good at just you know, laying it out there, I don’t care what you think about it, it’s just the way it is, you know. Yeah.

[00:37:55] Brad Nigh: So uh yeah, so anyway, great resources though, what you have said you had an announcement there in the notes.

[00:38:04] Evan Francen: Oh yeah, so S2Me version 2 is releasing this week, we’re pretty excited about it. We’ve, you know, done, revamped a lot of things, merely AI and workflow things and recommendations and UI.

[00:38:17] Brad Nigh: Um, is it next gen?

[00:38:19] Evan Francen: No,

[00:38:20] Brad Nigh: God.

[00:38:21] Evan Francen: Uh, it’s, uh, but it is sort of a limited release. We’re not limiting, eliminating, we’re not limiting how many people can use it or sign up for it, but we’re not blasting it out to everywhere yet. Right, this is a full version 2, so, you know, we’re expecting a few kinks, you know, things to work through, but it’s a really, really good release, I’m excited about it and I think maybe next podcast we’ll talk about S2Me, how to use it, we’ll talk about S2Me and S2Team, they’re both free right now. S2Me will always be free? Almost right. As long as I’m in charge, I guess, you know, it’ll always be free. S2Team, um, is free for now. We haven’t made a decision on whether we’re going to keep it free or not, but we’re open and honest about that. Right? So it’s going to be free at least until the end of June, but how do these tools work together to tackle some of these remote work things that we’ve been talking about? I think it’ll be a great discussion next week. So I’m excited about it because I love helping people. I mean, honestly, man, it’s, security is all about people.

[00:39:32] Brad Nigh: Yeah, yeah, I mean, well, like I said, you’re at the end of the day, you know, business is in business to make money. How realistically how do you make money? Your people, right? The work that they’re doing, you can’t have a business without people. I guess technically you probably could,

[00:39:48] Evan Francen: but well, and the way, in, in full transparency, the way you make money on something that’s free to the consumer, I guess S2Me is the church, one of the things that consumers told us that they wanted in the tool was specific product recommendations.

[00:40:06] Brad Nigh: Yeah. You told me I’m doing this poorly. What do I do about it?

[00:40:09] Evan Francen: Yeah. Give me, what should you say? I need to get a password manager. Which one?

[00:40:14] Brad Nigh: Yeah,

[00:40:15] Evan Francen: get Dashlane, get, you know, should I get LastPass, I mean, which one? So many? Yeah, so the way we’ll monetize, to make money to keep the mission going, is not by charging people, it will be by charging whoever’s tools we’re gonna put as recommendations in the S2Me. So yeah, it will

[00:40:35] Brad Nigh: be interesting to see That would be a good conversation.

[00:40:37] Evan Francen: Yeah, it sounds like you have endless, you know, supply of money, but we’re really focused on helping individual people at home. Normal people.

[00:40:49] Brad Nigh: Yeah,

[00:40:50] Evan Francen: not people like you and me, you know how to segment the network, I know how to segment the network, the other people, you know, who

[00:40:57] Brad Nigh: don’t like segment. What does that mean?

[00:41:00] Evan Francen: Right, Because it’s their family, it’s their privacy. It’s they’re the ones who suffer. It’s pissing me off.

[00:41:08] Brad Nigh: Yeah, yeah, I’m with you. Um Yeah, actually that would be fun. I’m looking forward to uh to talking about that next week.

[00:41:18] Evan Francen: Yeah. Being that we’re doing, you know, we’re recording our podcast now in Zoom for, for the time being. Um, and we’re also recording video. I can even take us through the S2Me version 2 sharing the screen. There you go. It might be

[00:41:35] Brad Nigh: for me. Yeah, I mean, I’d be into that. All right, so, uh, yeah, that’ll be fun. I think that’ll be a good conversation. Uh, so quick Zoom update. Uh, you know, we’ve, we’ve touched on this a bunch. Zoom has been all over the news. They went from, you know, 10 million users a day in December to over 200 million in March. I haven’t seen the April numbers, but I’m assuming it’s probably ever on that same number and they got just hammered. Well, it was like the end of March, early April. Haven’t really heard a lot in the last couple weeks, it’s died down. Um, but they were just getting skewered, which was interesting to me when, right, Microsoft Teams had a, a pretty significant vulnerability where a single attack could be, if you trick the victim into viewing a malicious GIF, they could take over the entire Teams, organization’s, organization’s Teams account. Um, that, what was, I mean, that’s a huge risk. Right? And yeah, there was nothing. And they were alerted on March 23 and it came out on April 27. So they, they had a month lead time to, to patch it. Now, they did patch it and they got it corrected, which is good. That’s what you expect. But why are we not seeing that same outrage of, well, you can’t use Teams because they could, this patch could, or this flaw could have had your entire organization taken over. Right. And then, uh, you know, the other one I had, a little bit older from, you know, Slack, offline remote file hijacking, you know, Webex had one in March, I believe early March, that allowed for, you know, total takeover. And so it, I don’t know, it’s interesting to see kind of how Zoom got just hammered when, you know, when these other things are not, you’re not seeing that, that kind of same kind of, uh, right.

[00:43:56] Evan Francen: And I think, uh, you know, I think there’s some envy here. You know, I mean there’s other motivating factors for why, you know, let’s tear down Zoom. You know, because, um, every piece of software everywhere has vulnerabilities, right? And Zoom had their security issues. They still have security issues, right? Every piece of software has security issues. The thing that I really admired about Zoom was their transparency with me as a consumer, as somebody who uses the product, and, um, their responsiveness to what we were asking for. Right. Patch this stuff, get better security features, get some security representation to leverage and setting up that committee. I mean what they just, in my opinion, they just solidified me as a customer. Mhm. Yeah, I’m not going anywhere. Unless, unless they stop. Well,

[00:44:59] Brad Nigh: as I say, unless something, yeah, exactly. Right. There’s gotta be something worth, worse that comes out, you know? And so I put in there an article from TechRepublic, obviously, who link directly to Zoom’s blog post. But I thought they had a good write up of it. You know, they’re upgrading, finally, to AES-256-GCM encryption. Um, which is good, they’ve got additional security controls that they put into place. Um, you know, you can report participants and then you can get reports out of it and, um, you know, that waiting room is gonna be on, so a lot of it, you know, we’re seeing, I’ve got, but the majority of the issues were configuration, right, it was things that Zoom couldn’t control. Now obviously, yes, the hole in the end-to-end encryption and AES-128, that’s, that’s on them. There’s no question, but they’ve addressed it and they appear to have put fixes in place. Um, yeah, well, one of the, you know, it was interesting, I was working with an education K-12 and they’re, they’re still using them and they’ve got, I was talking to them about how they have it configured, they’ve got the passwords for the meetings and they’ve got the waiting rooms and they were still having some issues with the Zoombombing. And what can we do? I’m like, well, what do you have configured? They’re like, technically you’ve got everything set, it’s a teacher. It’s got, allowing people into a Zoom meeting from a waiting room. How do you prevent that? Well, how did they get the invite to begin with? Did, did they post it somewhere? Did a student post it? You can’t prevent some of that stuff from happening and that would be regardless, Zoom, Teams, Slack, Webex, right. It doesn’t matter if they post a URL with a password on their social media. You can’t do anything about that. You know. So there’s still, I think a lot of this goes back to the working remotely and understanding this is, this is so new for everyone that the teachers are like, all right, well, here we go. And, uh huh.
You got to, got to educate your people,

[00:47:22] Evan Francen: accept them. You can’t fix people with technology

[00:47:27] Brad Nigh: so. Uh huh. All right. Anyway, that’s not presume doing it. Well, other things have that. There is no, uh, perfect software like you mentioned, nope, configure it properly and minimize your risk.

[00:47:48] Evan Francen: Yeah. And do business with companies that actually treat their consumers, or treat their customers, well. In my opinion Zoom has treated me as a customer well.

[00:47:59] Brad Nigh: So yeah.

[00:48:01] Evan Francen: Okay. What else can I ask for as a

[00:48:03] Brad Nigh: customer? Right.

[00:48:05] Evan Francen: Listen to me, give me what I need you do all that. So I’m with you.

[00:48:11] Brad Nigh: So hey, I’m going to. All right, so, uh, some of the things real quick. We mentioned a little bit the mentor program. We had a break yesterday. Uh, looking at some of the chatter on the message boards, it seemed like that was a good time on that. So I think that last, last year was the first time we did the breaks. Right? I don’t remember, man, last

[00:48:33] Evan Francen: year, year before. You think this may be the year before. It seems like years.

[00:48:39] Brad Nigh: I think that that’s a it’s definitely made a difference in terms of keeping attendance up

[00:48:45] Evan Francen: well in keeping your sanity.

[00:48:47] Brad Nigh: Yeah. Yeah that’s just a selfish part.

[00:48:51] Evan Francen: Right? Yeah. I think I’m teaching tomorrow so I gotta get my deck done and get ready for that. Yeah.

[00:48:59] Brad Nigh: Um So that’s going on. We’re four classes in made it through the, I think the absolute worst part of it with the you did it, I’m sorry about that. You know it’s good. It’s all good. Somebody has to

[00:49:12] Evan Francen: it’s true. He took it like a took it like a man.

[00:49:16] Brad Nigh: Yeah I went through it all that like that class never goes short like that one always is so long because everybody has you can see the questions and I just went through it and you know it’s it’s so different teaching online with like the moderators handling those questions. It is I don’t know what they need to focus on or they want something but at the same time moderators took care of it so I don’t need to know

[00:49:43] Evan Francen: right? Yeah and shout out to our to our moderators. You know we’ve got on any given night we’ve got But four or 5

[00:49:52] Brad Nigh: yeah, Ryan, Chad and Cola and then either you or myself

[00:49:58] Evan Francen: so it’s definitely a team effort. I mean we’re the ones on the video, you know looking like sometimes looking like idiots. But yeah it’s the people in the back end and make all this stuff work. So it’s cool.

[00:50:13] Brad Nigh: Yeah. To Cola for, leaving last Wednesday? First time? He had his stream crashed and

[00:50:23] Evan Francen: yeah, if you haven’t seen episode for, did we edit that out or

[00:50:27] Brad Nigh: I

[00:50:28] Evan Francen: hope not either. I got to go look at that because when he took the phone call while he was live streaming from you, that was, that was priceless.

[00:50:36] Brad Nigh: I was like message texting him and calling him and I was like, I don’t know if he turned everything off and all of a sudden I get a call back and he’s like, I’m not on, I’m like, no, we just put you back on your all good, can you go back? And he’s like,

[00:50:48] Evan Francen: I watched, I watched all that unfold. I didn’t try to call anybody or anything. It was just like, it’s just funny. He was good.

[00:50:55] Brad Nigh: He also, I’ll give him, I mean it’s stressful enough teaching it for the first time. I think we all kind of, that imposter syndrome kicks in and then to have that happen and how well he recovered. I think he did a phenomenal job. So

[00:51:08] Evan Francen: absolutely awesome.

[00:51:11] Brad Nigh: And he still finished on time.

[00:51:13] Evan Francen: He did, yeah, that’s crazy.

[00:51:14] Brad Nigh: Um, the Safety and Cybersecurity at Home 101 webinar series is going there to YouTube, the SecurityStudio partner channel, and then the daily insanity check in. You’re not doing that. It is fun. It’s, it’s that office talk that just kind of like, hey, how’s it going? What’s going on? Not, it’s not, there’s some work stuff like, you know, hey, how do we do? But it’s more, but you get to hear about, you know, about water cooler talk, like it’s kind of nice to have. So

[00:51:45] Evan Francen: yeah, I love it. And I’ve grown the really admire the people that I see regularly in those daily insanity check ins, they’re open to anybody and everybody, so it’s not exclusive and I love seeing people dropped in and you know, and then you see them go away for a while and then come back and yeah, it’s been awesome.

[00:52:05] Brad Nigh: Yeah. So yeah. Yeah, it’s gonna be it’s gonna be a while I think to before we fully ramp back up. So I think it will still be, you know, it’ll be critical to yeah, make a focused effort to continue doing this type of stuff.

[00:52:22] Evan Francen: Yeah. The school with my wife song there too. And I see my wife on there regularly, don’t get to see her much, so she’s pretty good looking. I was surprised like my dad worked out, I did a pretty good job on

[00:52:35] Brad Nigh: that. Mhm. I think I don’t know how to react to that. All right, so a couple of news stories, uh, real quick and I’ll be honest, Victoria does our weekly internal stuff and I just poach these directly from her because I thought she did a really good job.

[00:52:58] Evan Francen: She’s been doing that regularly to

[00:52:59] Brad Nigh: so Paay open database exposes 2.5 million transactions. Is it Paay? P-A-A-Y, and it promotes itself as providing extra security to online transactions. Uh, yeah. Misconfigured database, exposing 2.5 million card transactions. Whoops. Um, credit card numbers, expiration dates and amounts, spanning back to September 1. Mm. Mhm. So they faced, uh, since PCI compliance is mandatory, data breach occurs, it’s gonna be fines ranging between 5,500,000, so not

[00:53:45] Evan Francen: Least, it’s only 2.5 million.

[00:53:47] Brad Nigh: Yeah, it’s not 100 million. True. But as you’ve seen, you know, it’s going to be like who was using this event? Seeing that list. Yeah. But uh yeah, it’s a lot of out of cards.

[00:54:05] Evan Francen: Yeah. Yeah. Yeah. And you know, just basics. Right. I mean you test before you roll to production at least, you know, running security tests,

[00:54:17] Brad Nigh: nobody does that, does that, first to market, man. Yes. My next-gen AI machine learning solution is first to market.

[00:54:26] Evan Francen: It’s true. Yeah. You want on that?

[00:54:29] Brad Nigh: Yeah. Uh, anyway, do you do the basics before we preach that, uh, another one, a hackers, so that’s on SC Magazine, that article, this one is from The Hacker News, private equity firms fall prey to business email compromise. Three British private equity firms, uh, sent $1.3 million to fraudsters. They said at least 700,000, or nearly 700, is permanently lost and the rest is recovered. Luckily they got to say we’re able to recover almost half. You still lost $700,000. Yeah.

[00:55:13] Evan Francen: Yeah. That’s not gonna fix me off to man because it’s so preventable. There’s numerous ways you can stop that type of an attack from actually succeeding. Um, every finance department everywhere in every company sure follow, you know, dual control for transactions like this. Dual control for account changes. Yeah.

[00:55:37] Brad Nigh: Hey, we ain’t, $500,000 wired. That shouldn’t just come over an email. It should be something great, something a little more formal that tracks some of that stuff

[00:55:48] Evan Francen: and we, you know, speaking of that, we’ve created a free training deck for this, that you can have all of your um accounting personnel take it’s free. Right? I don’t know where that deck is right now, but

[00:56:05] Brad Nigh: I’ll have to find it and get that out

[00:56:08] Evan Francen: because business email compromise is one of the most common forms of financial fraud um, for businesses. And it’s just very, very preventable. So,

[00:56:22] Brad Nigh: I mean, honestly, I would say, Gosh, 95% of the incidents we see are start with with an email compromise. I mean, it’s not always the case, but the vast majority with running is even close.

[00:56:44] Evan Francen: Yeah. So if you, if any of the listeners, you know, want a copy of that deck, just email us at unsecurity at protonmail dot com and we’ll get you a deck. Maybe we’ll put it up there too, if Brandon’s listening. He can publish it somewhere

[00:56:58] Brad Nigh: for us. Yeah. Yeah, maybe I add that to our I wonder if it’s on that. It might be on the resource page. Yeah, it might be. Yeah, we should probably know what’s on uh my job

[00:57:11] Evan Francen: stuff going busy.

[00:57:13] Brad Nigh: I just create the stuff to put up there. I don’t know where it goes. Uh, last one is off of Dark Reading. VMware critical vulnerability patched on April 9th. Um, get admin creds in three steps. I, good job on VMware for getting that patch pretty quickly. So if you’re running VMware, I’m trying to find the vulnerable version on there. I just saw it. Uh

[00:57:41] Evan Francen: no matter what version of VMware you’re running

[00:57:44] Brad Nigh: and patched vCenter Server 6.7 and external 6.7 Platform Services Controllers that were upgraded from earlier versions? Yeah.

[00:57:58] Evan Francen: CVSS score of

[00:57:59] Brad Nigh: 10. So that’s

[00:58:00] Evan Francen: a bad one.

[00:58:02] Brad Nigh: Yeah. Yeah.

[00:58:05] Evan Francen: CVE-2020, 52. Yeah.

[00:58:10] Brad Nigh: So an attacker with network access to port 389 on the deployment could steal information such as administrative account credentials I’m gonna go with. Yeah. No, not good.

[00:58:23] Evan Francen: Yeah. Well let’s not do that. What what

[00:58:27] Brad Nigh: What? Port 389.

[00:58:29] Evan Francen: Okay. Hold down.

[00:58:31] Brad Nigh: Yeah. Which you kind of need your so I can’t really shut that one down. No. Yeah. Alright, well that’s it. Episode 77 is a wrap. Thank you to all of our listeners. Hope you enjoyed the show. Evan shoutouts

[00:58:50] Evan Francen: to, quick one is Richie, uh, Richie from our unsecured, I’m sorry, from our daily insanity check in, and, uh, somebody I haven’t heard from for a while, but I was thinking about him this morning, Jason Dance. I just shout out to those two. Hope they’re doing well. Keep up the good work.

[00:59:09] Brad Nigh: Yeah, Yeah. You know what? That’s right. He he has been quiet please.

[00:59:13] Evan Francen: Yeah, for some reason, I was thinking about him this morning. So I hope he’s doing well.

[00:59:17] Brad Nigh: So, uh, personally, you know, I think I don’t have anyone in particular, but, you know, we have to, to all the parents going to go through this and maintain sanity. And, you know, I think our, our son’s kindergarten teacher, uh, had said it best, right, shoot. She lives in our neighborhood. We’re really lucky. She came by for a social distancing visit to see him because he was, he was really struggling a couple days of this. And, you know, she, she said it right, just, just do it right for your kids, right? If you can do the work, do it. But don’t, don’t burn yourself out trying to force them to sit down and do something if they want to play outside and explore the woods or, do you, play with their siblings. All right, let’s everyone stay healthy. So, shout out to all the parents and all the teachers and, uh, you know, trying to get through this. Mhm. Right. All right. So keep the questions and feedback coming. You can email us at unsecurity@protonmail.com. Social type. You can socialize. This should ban socialize with us on Twitter. I’m @BradNigh, Evan is @EvanFrancen and you can follow SecurityStudio @StudioSecurity and FRSecure @FRSecure. All right, that’s it. And we will talk to you more next week.

[01:00:42] Evan Francen: All right. Take care.