How K-12 Schools Can Fill the Cybersecurity Skills Gap
The guys are joined by Wade, a K-12 Director of Technology at a mid-sized public school district. They discuss what they’re doing to fill the cybersecurity skills gap, the Equifax data breach, Australia’s new encryption law, and a 12-state lawsuit against a medical records.
[00:01:31] Brad Nigh: We’ll get this back on track here before we go way off the rails, because I want to talk to Wade. All right. I think this is gonna be good. I’m excited for this. So one of the big reasons that, you know, we want to have you on is you guys do have a cybersecurity program at your high school. So I want to talk to you about that and just, you know, where did it come from? Where what, what was the driving factor around it? Like what? Why did you create it?
[00:02:05] Wade: Yeah. Yes sir. Again, thanks for having me on. So, uh, we do have a, we do have a cybersecurity um course at, at our high school. It’s actually part of a program called Compass. And Compass, if you don’t know what that is, it’s a program for mostly like juniors and seniors who are really highly motivated and they are looking for a program that kind of guides them um along a career path per se. So, so there’s a couple different offerings within our high school. We have like a graphic communication course, ecology and nutrition, this management and Nikon and then we have this this cool new course around cybersecurity and applied math and it’s really um we’re going into our second year of the course. So last year was the first go round of this and the next run about here is going to be starting in January.
[00:03:08] Brad Nigh: Uh that’s cool. I know uh was a mentor for one of the students in that I didn’t realize that was your, you had it. So yeah, very
[00:03:17] Wade: cool. Uh in company. Yeah, the Compass program has been around for probably since 2009, at least in the district that I work in. But the cybersecurity applied math last year, when you mentored and I mentored as part of that course as well, was the first time that we offered that course.
[00:03:33] Evan Francen: Is this part of a nationwide, is the Compass program a nationwide thing or is it just your school?
[00:03:40] Wade: Um, I know, I know that it’s at least regionally wide because there’s other districts within Minnesota who I know participate in it and it’s, you know, you have a partnership in a connection with like a local college. So our cybersecurity course and applied math, I think we’re connected to Century College here locally because they help with the development of like the coursework and some of that and that as a student within the course, you’re actually getting credits from high school level and you’re, you’re like currently enrolled, um, students who you’re getting college course credit as
[00:04:15] Brad Nigh: well.
[00:04:17] Evan Francen: Uh, so like, um, you know, we’re here in the, and I live in the western metro of Minneapolis and I have a eighth grader now she’s going to be, you know, in high school next year. Um, how do I know, you know, as a parent, How do I know if my school offers something like this?
[00:04:40] Wade: Yeah, that’s a good question. I don’t know that she’s in eighth grade. She’s going to go out in ninth grade. I think 9th and 10th grade, you’re, you’re really probably focused on your core classes. So something like this will typically pop up, like I said, your junior senior year, uh, and you’re, you know, they’ll probably a lot of opportunities to see offerings like this on the web page or through guidance counselors or other, you know, posting within within the high school, but you typically don’t get an opportunity and to kind of gone through those core classes and then you get something like this which is part core and impart electives.
[00:05:24] Evan Francen: Okay. I wonder if my school, so when I, when I talked to like the, well I suppose I’m just wondering who I should ask, You know, when they get, she gets to that age, I’m like, how would I know? Like I’ll just go out and say the school district, It’s, it’s Laconia. So I don’t know Vulcania offers a program like this or should I ask the principal?
[00:05:47] Wade: Yeah, I’m not, I’m not sure if they, I’m not sure if they do or not. I would say definitely go to the principal or the assistant principal or have your child go talk with their guidance counselor just around okay. What are the, what are the pathways um kind of through the college and, and every year much like our high school they come up with. Yeah. Actually around this time, what the handbook with all the course offering the kind of the progression of things. So you could probably get that online as well and see what kind of offerings at the house.
[00:06:21] Evan Francen: So bad. You were in the you were in the program or you were helping
[00:06:26] Brad Nigh: last year last year and I already signed up to do it again this year. And so is making um and we mentioned it to five or six of the other basically all the you know most of the B. C. So I think it was all about so nine people, eight people uh that we suggested trying to get get them to do this so we’ll see if we’ll see how many sign up. It’s it was I learned a lot myself last year. I yeah it’s working with a high school student is very different. I don’t know I’ll be honest. That’s a totally different animal from that perspective than working with businesses.
[00:07:06] Evan Francen: Uh What’s different?
[00:07:09] Brad Nigh: Oh I think from my standpoint right when when I email somebody or if I ask for something or I expect any answer fairly quickly from a business perspective. Right? Hey here’s some suggestions around what a question that he asked me a question about what books should be read or something. Uh And it was you know I mentioned joe crabs and I mentioned um oh my gosh I totally blanking on the uh book. Hey recommend my book and then we’ll years wasn’t out yet this wasn’t like March and then your books laying
[00:07:47] Wade: all over my office
[00:07:48] Brad Nigh: Evan. But you know and but then I didn’t hear anything from him for like two weeks about it and I was like emailed him a couple times and said it, what did you pick, what did you end up doing? And I just, I think it has to be more guided rather than what I would expect from a business relationship where they’re gonna, you know, just do something and get back to you right, there’s there’s different expectations.
[00:08:17] Wade: Yeah, Brad. I think, I think that’s a cool the cool thing about the course. I mean there’s this evidence that you know, I’m listeners as well. There’s kind of three components at least in the cybersecurity part that were involved in with, you know, them learning some of the core concepts around a cybersecurity program, which is probably like the meat of the course, but then you also have this this relationship where um individuals and and the course came up and they are responsible for creating like a business charter and going out and working with local businesses and trying to identify, you know, with a real relevant problem that they can work on and then you, like Brad is mentioning, then you have this this business relationship really with this high school level individual or team of individuals kind of work through a problem. That’s that’s an interesting dynamic. You know, we’re talking to 16- or 17-year-olds saying, Okay, I need you to do X, Y and Z and then waiting for a response and trying to, you know, work them through the process of doing business.
[00:09:23] Brad Nigh: Yeah. And I think what made it a little tricky for me was, I mean these kids are clearly smart too, right. It’s not, there’s no question about that. It’s just they’re not used to maybe not having some of the drive or that responsiveness that you would expect, you know, being old like we are now
[00:09:45] Wade: highly motivated
[00:09:47] Brad Nigh: your old. So no, that is a word that is not used to describe either of the seven. I think that’s a safe bet. Well,
[00:09:58] Evan Francen: yeah. But yeah. Ok. Another conversation brand.
[00:10:02] Brad Nigh: Yeah, I think that’s a safe one. Um, so, you know, you mentioned kind of the core in the meat around that. And I know one of the things that uh, that the student I worked with was mentioning, he was, he got really excited about was that you were teaching Kali Linux to the students, which is awesome. But I mean, how much did that keep you up at night?
[00:10:28] Wade: Yeah, Kali Linux. I mean, there was one component of their learning and then in, like I had mentioned before, they had a bunch of other things that also kept me up at night, you know, from the forensic tool set to, you know, social social media work and social engineering and things like that. But I think we, you know, is our first year that we went into the program, um, and we really wanted to with their eyes wide open and we tried to, you know, think about, okay, what are all the costumes we have to, you know, put in place. Um, and I’m sure at one point we probably over engineered if you experience the learning experience in a way for them and we, you know, we use, you know, a lot of the best practices and your lover seems like AWS and your virtualized things. Um, just to try to put as many barriers around the kids as we could from a technical point of view. Um, but I think probably the more, probably the things that we got more bang for our buck was the facebook face, my team myself. Um, you know, individuals like you showing up in class, letting them know kind of what their role was in this, in this learning environment and what our role was and trying to, you know, have a respectful, trustful team in a way. Just around the course work, I think set us up a little bit more for success than if we were to come in and say, okay, you can’t do anything, then you can’t use real tools like Kali Linux or other tool set, um, where we’re really trying to create a relevant and um, real learning environment for those kids.
[00:12:13] Brad Nigh: That makes sense so much. Yeah. Hey, we’re giving you pretty powerful tools, we’re going to trust you to do the right thing. And once that if something bad goes wrong, everything, everything goes away,
[00:12:24] Wade: right? Yeah. And that’s, that’s a big part of what we had to and we had the kids go through its own contracts about, you know, the conduct, their behavior, what their expectations were. Um, and I remember one of the first meetings I had with them is around really, you know, laying the foundation about. Here’s what the course is gonna look like. You are going to make mistakes. Um, you might get yourself, you know, down the road or into a rabbit hole you shouldn’t be in. And it’s really that, that next step behavior that’s going to determine, you know, your future. Um, do you back out? Do you alert somebody? Um, and, or, or don’t you and you try to hide it? We really try to build that build that up and say, hey, you just got to speak up and let us know what happened and we can deal with problems like that as long as we know about. Yeah,
[00:13:13] Evan Francen: dogs.
[00:13:14] Brad Nigh: All right. Dawg.
[00:13:17] Wade: We got four kids and a dog. So I’m surprised that the first time we heard any of
[00:13:20] Evan Francen: them. Yeah, Well I record this, we all, we’re all recording at home. Right? So it’s just a matter of time before somebody comes walking in.
[00:13:29] Brad Nigh: My wife was listening and and heard my son and she goes, oh, I hear him listen and she would kept replaying it. You could just hear in the background a little bit. So
[00:13:39] Evan Francen: yeah, that’s how we, we have real lives too. Absolutely not security all the time. Right? Or is it, well, I mean crap. Maybe it is
[00:13:49] Brad Nigh: probably more often than our families would like, but not all the time.
[00:13:55] Evan Francen: So you have this program. Uh how did, how did you start it? Who started it?
[00:14:01] Wade: Yeah, that’s a good question. So this backtracking a little bit, like I mentioned, the Compass program has been around for quite some time. So there is the structure of leadership around Compass. So individuals who have the connections with businesses already and have connections with the local colleges and stuff. So I think a sense there, that team is always on the lookout for, okay, what are the topics, what are the like industry needs out there? What are people ask him also from a K-12 perspective to begin to develop from a skill set point of view in our program. So kids can lead either being college career ready or being able to enter the workforce as they go out. So I think that team was instrumental in getting it started and we have these uh, to just, you know, really substitute teachers as part of this program who who are willing to partner out from a math perspective and then a cyber security perspective and come together and pick up, you know, really a new curriculum and kind of go out on the edge a little bit say, hey let’s try this and see how it works. So I think those two started it but ultimately comes down to okay, the students interested, you know, are they gonna sign up and really um maybe in their senior year where they could be doing all kinds of other things, dive deeper into something like um advanced statistics or um you know, complicated applied math and then also do things like cyber security. I think as Brad mentioned, you know, these kids who are in this class that um you know, boys and girls which was awesome to have girls who were really interested in cybersecurity as well, but they’re they’re highly motivated typically and they’re they’re really looking to try to figure out if there’s something I want to do and actually begin to take the next step as they, as they leave high school program and go into something down the line. Mhm.
Just kind of those different components and then, you know, finding partners, you know, good partners like you all who can help make it happen because it’s really not real envelopment from us, we have business partners and people are willing to mentor, show up, do you know, co teaching and things like that.
[00:16:20] Brad Nigh: Yeah, so my question is, do you, it is um should I not tell you, we’re gonna show, have a lock pick uh table
[00:16:29] Wade: when we have our, I want to know, I want to see the lock pick actually if you’re gonna if you’re gonna bring the lock pick back into the class, you need to invite me so I can learn a few things to,
[00:16:40] Brad Nigh: maybe that’s maybe I’ll talk with with matt or uh yeah we still have that right from the hacks and hops. Yeah, so they put together like a table with like the airport locks on it, a varying difficulty that you can sit and pick. Mhm, yep, disturbing to see how quickly you can pick a standard like master lock, How old is
[00:17:04] Wade: matter how long it take it? Oh master
[00:17:07] Brad Nigh: lock. Well hits on which one you get, but they’re not, if you get the cheap ones, they don’t take long. How old is meant some
[00:17:15] Evan Francen: five or six? Right? Yeah and he did it. Uh he’s got a video of him doing it in 56 seconds.
[00:17:21] Brad Nigh: Yeah, like under 10 seconds.
[00:17:25] Wade: What do you need? Like a bobby pin in the like a pencil?
[00:17:27] Brad Nigh: And he does have a full like lock pick set. So he did have a Reagan key and a tension bar. But
[00:17:36] Evan Francen: yeah he had no problem at all. So the Minnesota Compass is that uh so I was while while you were talking I was looking online, mncompass.org, is that the same place? You know?
[00:17:50] Wade: I don’t know. That’s a good question.
[00:17:53] Evan Francen: Yeah, it looks like you know I’m there because one of the things I’m hoping is uh you really set an example, uh you and your school district because we have the severe shortage of information in our industry. So, you know, we’re super supportive of what you’re doing there. I think it’s great. And so I’m hoping that there will be somebody listening. They will be inspired to start this or do something similar in their own school district, because there’s plenty of room for everybody here.
[00:18:27] Brad Nigh: Absolutely. Yeah. What? Yeah. And and actually that’s one of the reasons that that first news story, I saw that and said, oh, I’ve got to bring that up. Mhm. We’ll talk about that when we get there. Little teaser.
[00:18:41] Evan Francen: Yeah. Well, I had one last question for Wade, uh how many students were in the program last year? And and how many do you expect this year?
[00:18:50] Wade: Uh That’s a great question. I don’t know if I know the specifics, I think 30 to 35 the course last year, just judging by the classes that I was in and I know there is a strong desire for this year. So I think they have a full full class as well. Um like I said, this is going to start up in January, so I always know about this time when the course is coming around because my team starts to get a little bit nervous and everybody starts checking, you know, checking to make sure that we have all of our yeah, all of our cyber security processes and protocols in place. And we started rolling up some things ready for them to go. So we’ll just get kicked off in January.
[00:19:30] Evan Francen: You bring up a good point. I mean, this is what a great way to test your own security, right? Great,
[00:19:36] Brad Nigh: awesome. I,
[00:19:42] Wade: well, it’s always fun to walk, you walk through the hallways and the kids knew who I was and there. But hey, we’re just doing this. Hey, we’re not. It would be just like the right amount of scared and worried about what they’re doing, but it’s good to have that relationship with those kids.
[00:19:58] Evan Francen: Oh, for sure. I mean, you’re making such an impact on their lives. And like I said, if they decide to take this career path, I mean, there’s, there’s a bright, bright future ahead of them. As long as they stay on the good side of things. Right? I mean, we start messing around with things that are illegal. I mean, you’ll ruin your career pretty quickly. So it’s good stuff. One last I said, one last question, but then I think another one. So Evan, that’s what I do. Can you give me an idea? I’m just curious. Uh, and I don’t need, you know, hard numbers, but what percentage of people, you know, there’s 35 students last year were, uh, girls compared to boys,
[00:20:42] Wade: I would say the majority, uh, as you, you know, as numbers and statistics will probably say today the majority of men um boys in the class. I would say probably out of the whole class maybe six were girls. And I had a cool opportunity to actually mentor one of them. Um And I think Brad it might seem to before who who is just astonishing. I mean she was brilliant and I think I probably got more out of the experience with her and and the things that she was working on and learning about and pushing me to think about. So it is just a cool experience. And it’s good to see girls who are interested in um tech in general and then something specialized outside of security.
[00:21:24] Evan Francen: Yeah I mean they’re really underrepresented in our industry and it’s not so much just you know it’s not just for this you know a woman or a man for the sake of being a woman or a man but they bring a different their different styles of thinking different perspectives to solving really difficult problems. Uh, you know, I think in the general workforce 45% of the general workforce is female. But in the information security and IT and and probably technology in general it’s like 20%. And
[00:21:58] Wade: yeah I got I have two girls who are coming up in one who’s in fifth grade who enjoys tech and coding and I tell her the same thing and like it’s a bright future and bring a different you know thinking and mindset to an industry where they could use some of
[00:22:13] Evan Francen: that. Absolutely. You see Megan and Lori and
[00:22:17] Brad Nigh: yeah that was awesome. I love having them on the it makes my life so much easier because yeah I look at it one way and then they’re like well what about this? I’m like oh wow. Yeah that’s way better
[00:22:31] Evan Francen: different perspectives man. We’re solving we’re solving really significant difficult problems to solve. If they weren’t difficult then they would probably already be solved right? Uh you know things like asset management in a large organization, you know how to get your hands around that knowing that it’s so dynamic. But then when you sit in a room with people of different perspectives and different backgrounds, you really do come up with some pretty creative solutions so that’s cool. Alright sorry brad I’m taking I just had those questions that were killed.
[00:23:01] Brad Nigh: It was gonna be a good guess. I knew that I keep asking whatever you want to know. So well we’re gonna transition a little bit here. Um And Evan already said he hasn’t been working this week. So uh no uh working on this week I think you know realistically we’re coming up to the end of Q4 for us and it’s just doing whatever you gotta do to stay above water at this point to be honest. It’s a little bit crazy but it’s been good. I’m excited for what’s coming.
[00:23:32] Evan Francen: Yeah we had a really really good year um personally I mean I’m not even supposed to be working on projects and I think I have two projects for the end of the year. I’ve got an assessment uh and a data integrity audit. Both of those need to be finished up soon.
[00:23:50] Brad Nigh: You wanna hear something mind blowing? I didn’t do a single assessment this year. What? I know
[00:23:57] Evan Francen: oh dude
[00:23:58] Brad Nigh: I don’t know how that happened.
[00:23:59] Evan Francen: We have to get you something because you know you gotta keep your skills up what I’m
[00:24:03] Brad Nigh: saying. It was I was I was I got through it and I was like wait a minute hold on a second. No I don’t think I did I don’t think I did one.
[00:24:12] Evan Francen: You went to bed one day you woke up hey I’m not a security guy anymore.
[00:24:15] Brad Nigh: I know it’s weird
[00:24:17] Evan Francen: you have to do assessments to be a security.
[00:24:20] Brad Nigh: I am looking forward to doing. I’m gonna do a couple next year with a new version so
[00:24:25] Evan Francen: I’m working through the first one of the R. 2 um about halfway through it and I think I think you’re gonna like it it’s a lot.
[00:24:34] Brad Nigh: That’s good. Yeah I know it it was fun working I know we didn’t get as much collaboration around that as you were hoping for originally with with you and the team but I think moving forward with having that process a little bit better defined after this last go round it will be good uh and getting getting more people’s input again just makes it better process overall.
[00:24:58] Evan Francen: Yeah. Yeah I had some really good discussions this week. Um One was about how do you make FISASCORE, you know, more standard as opposed to you know, even though we’ve got you know 2215 100 fighters scores you know on the street. It’s it’s about getting us to speak the same language. And I had a really really good discussion with a guy from a pretty large CPA firm. Uh and and my question to him was how do I how could I get the AICPA to use FISASCORE or something similar because it fits so well at that audit sort of mentality. I mean it’s flexible enough to do that. Um And he explained to me how things become standards at the AICPA. But he made this great suggestion. He said why don’t you make a nonprofit uh gift FISASCORE, you know, itself to the nonprofit and then have uh you know leadership from the AICPA, the ABA, the Bar Association, Bankers Association so on as board members right to govern it. And then um I mean it was just a really good idea and so I was thinking it through that you know I think there’s a possibility there may be for next year. Um It was good discussion. I had a discussion with Aaron Call, the CISO for the state of Minnesota, on Friday, uh, have you ever met him?
[00:26:31] Brad Nigh: No, you’re going on big time and name dropping now. Got a book out. Why
[00:26:36] Evan Francen: don’t think anybody knows? Not at all.
[00:26:37] Brad Nigh: I don’t, I don’t know.
[00:26:40] Evan Francen: It was, you know, that’s what I did last week.
[00:26:44] Brad Nigh: I know it’s funny how the, how your role is transitioning. So that because I know what’s funny is people don’t know this, but you like talking to you like talking with people, but you’re not a, I don’t want to, I don’t know the right way to say you’re not like a social butterfly by any means, an attention whore. Yeah. No, you’re not by anyone in No way. No. But
[00:27:09] Evan Francen: there was a great discussion. We were talking about some of the challenges at the state and uh, you know, I’m one of those guys who I like, I like simple, right? I mean, I preach it all the time. Keep it simple. And so I asked him, I said, so I, one of the things I haven’t, I can’t figure out, you know, as an outsider at the state is what’s in scope for you as the CISO for the state of Minnesota, what things are you responsible for securing and what things are other people responsible for securing? And he was trying to explain it to me? And I was, I still wasn’t getting it. So I said, well, how many is the executive branch? That’s what he’s responsible for securing. He and his team, 60 or somehow, you know, security folks. And uh I said, so, how many I mean, and so he said their agencies there 90 ish agencies. And we said 90 ish. I was like, well, I think you should, I mean
[00:28:07] Brad Nigh: it seems like you should know that
[00:28:09] Evan Francen: he might, but I didn’t want to call it out, you know, in the first meeting with him. But how many agencies do you actually need to be responsible for? And then is that like uh business units in a corpse in a company? In a big corporation? Is that how it works? Because these agencies have agency commissioners and heads anyway. It was really fascinating discussion and I maybe I’ll get him to come on the podcast at some point. You know, I don’t know what he can say politically and you know, whatever. But it was good conversation.
[00:28:42] Brad Nigh: I can see where if if he maybe doesn’t even have control over some of those agencies that they’re just reporting up, where you wouldn’t know that. Look what a mess.
[00:28:51] Evan Francen: Well, right, because the theory is, and I think it’s it’s a sound theory, is I can’t secure what I don’t know I have. Right? And so I don’t know how many agencies I have. I don’t know how many applications I have. I don’t, you know, all these things I don’t know. Yeah everything else is just kind of a crapshoot,
[00:29:10] Brad Nigh: especially if each agency is acting on its own doing its own thing, trying to wrangle that.
[00:29:17] Evan Francen: Right. So anyway I think uh I think there’s a good opportunity would be working together more but it was it was a good conversation. That was probably the highlight of last week profession. Anyway
[00:29:30] Brad Nigh: that’s very cool. Trying to think. I had a story or uh I was gonna and I’m just completely went blank on it. Um We we talked no oh you know what this was we talked about this but not on the podcast that happened last week. We had the a potential incident that we were talking um and where the ah and yeah they got they got compromised. The attackers
[00:30:03] Evan Francen: you had me look at last week.
[00:30:05] Brad Nigh: No this is a different one. Okay so they got compromised. The attackers set up rules to intercept email between the CFO and certain individuals. Mhm. CFO sent an email saying I need you to wire transfer this amount to this account. They called the CFO to verify it. The CFO said yep that’s the amount. So they sent the transfer and a couple days later they came back and were like where’s the money? Well that’s when they found the rule and they went and checked and they the attackers had changed the bank information in the email. Oh boy. So
[00:30:46] Evan Francen: so when they that’s what they called? The validate with the C. C. The CFO it was actually the CFO,
[00:30:52] Brad Nigh: yeah it was they called it was the right amount. They validated it they followed that protocol to to actually call and verify the amount but didn’t validate the account information just called and said hey did you send a wire transfer for this amount and CFO said yep that that was me
[00:31:11] Evan Francen: wow. So that’s a different twist.
[00:31:13] Brad Nigh: Yeah. So well see there they’ve engaged legal and law enforcement and stop self. That’s a that’s about all I know on that one. But I was an interesting I was like wow that I think that’s the first time I’ve seen that twist on it. Right
[00:31:32] Evan Francen: Church today I got my buddy came up to me you know when when somebody hears that you’re the security already you know security stuff. I mean I just I don’t know they ask you to fix the Vcrs and stuff like that but um you’ve got a call from you know that robocall. You’ve probably gotten it yourself where they’re going to call the cops on you if you don’t pay up and whatever. Have you gotten that one? It sounds like it’s a bill collection.
[00:32:00] Brad Nigh: I hang up as soon as I know it’s a robocall.
[00:32:05] Evan Francen: He went to voicemail. They left a voicemail and his wife got the same call. Right? And so I said well what’s your what’s your number? What’s her number? Well it’s it’s the last digit and the phone number is just is one. Right? So it’s just calling through the phone, the phone, you know the robocaller. Ah And I’ve got the recording I was going to, I won’t play it here. But I wonder how many people actually know because I mean he’s a friend of mine, he knows I’m in security and he’s asking me, hey was this is this is this real like, come on man. Really? I mean that we’ve had these talks before anyway. Fixed my, fixed my father-in-law’s printer today too. So I did work.
[00:32:54] Brad Nigh: But that’s exciting. No, it’s not. My sister actually asked me about the Disney Circle Home, which I hadn’t seen. And so I told her we would do some studying on that for a future podcast. But it’s a device that you plug into your wifi that basically does like an ARP poisoning to monitor your kids’ traffic and set some rules and stuff. But shockingly vulnerabilities around it. My wife are what the
[00:33:30] Evan Francen: heck yeah. When you put it on your network and it will attack your network by doing ARP poisoning attacks. So that forwards all the traffic to it as well as the router. They
[00:33:40] Brad Nigh: are basically there
[00:33:44] Evan Francen: isn’t there a better way to do this.
[00:33:46] Brad Nigh: We’ll talk about that one. I haven’t really looked, I only saw, showing texted me about it a couple of hours ago. So I haven’t really had a chance to look into it, but that’s fun. At least people are thinking about it.
[00:34:01] Evan Francen: Yeah, I think awareness is higher than it’s ever been, but not high enough. No, not even close.
[00:34:09] Brad Nigh: How well.
[00:34:10] Evan Francen: All right. So Wade, what about you, in security stuff, did you do any cool security stuff this week?
[00:34:16] Wade: Uh No, cool stuff this week. And it’s funny listening to you about to think that happened and the things you should know better about. I think this week I got one of those, hey, it’s an email that comes in says hello about a conference. Um send me, can you send me like 15 $100 iTunes gift cards and a picture of them. It was uh, you know, I should know better. Right? So I get this email and it comes in from somebody who I know and I looked at him like, okay, it’s a legit email and I’m responding like one or two in before they asked me for iTunes cards. I’m like, how you know, even if you know, and you know, you should know, it’s so easy to, you know, to not pay attention to it for 30 seconds and all of a sudden you’re having a conversation with somebody who’s trying to stand there.
[00:35:04] Evan Francen: Yeah. Our own our own HR person. I’m not going to mention his name. Peter Vinci, but
[00:35:12] Brad Nigh: hell no, if he listens or not.
[00:35:15] Evan Francen: Well you will and he deserves it, right? Uh sort of, I mean he’s a good guy thankfully he didn’t fall for it. But it was the same thing. He got emails from me asking back and forth and he was legitimate talking. And then he happened to see me in the hallway and he goes, yeah, where did you want those gift cards sent again? I’m like, what are you talking
[00:35:34] Wade: about? What are you
[00:35:35] Brad Nigh: talking about? So mad at himself to for falling for that?
[00:35:39] Evan Francen: Right. And I’m like, Peter, have I ever ever asked you about anything about money? Everybody and everybody in our company knows that I suck with money. So I’m not, I don’t touch money. I don’t, yeah, you ask for money. I mean if I do, it’s going to be in person. So if you ever get anything from me and has anything to do with money at all, it’s not me, definitely
[00:36:03] Wade: speaks, definitely speak to the problem though, that if you know people who know what they’re doing this fog is a tiny bit parade to, you know, the business of life and then answering things like that. If you’re not paying attention, it’s so usually easily your scam, yep.
[00:36:21] Evan Francen: That’s it too. I mean, I think social engineers, uh, one of their favorite things is, well, it’s lack of awareness and then I think the other is um, kind of related to that. It’s thinking that’s not going to happen to you thinking that you’re above that, right? Because you let your defenses down?
[00:36:39] Brad Nigh: Yeah. Start to become complacent and that’s that’s a bad time.
[00:36:44] Evan Francen: Well and truly every, every one of us as a human being just because I’m an information security and I’ve been doing this for a long time, doesn’t mean that I’m not susceptible to the same thing. I mean I’m human mistakes. So I think it’s when people admit that and try to learn from it makes it better. Uh huh wow. What else we got brad? I
[00:37:08] Brad Nigh: don’t know. I think we should go back to Wade because this is this is uh yeah, I want to talk with him
[00:37:15] Evan Francen: well kind of a segue to in
[00:37:16] Brad Nigh: your do so that first so first news article that I brought up there is from information, their Infosecurity Magazine was the out of the Black Hat Europe um discussion of updating cybersec education to develop more security experts. And you know, talks about the Malcolm Gladwell’s rule of the 10,000 hour rule is basically you have to practice it for 10,000 hours to be an expert. Um and that you know, we need to start adding practical cybersecurity to schools as early as possible, which I think you know we’ve talked quite a bit about the Compass and the cybersecurity. I think that’s a really good start um you know getting more girls in into cybersecurity um has there been any talk, do you think down the road you might start looking more towards that middle school age to to start putting more, you know, technical cybersecurity practical into place or do you think you’re gonna leave it more at that higher junior senior level?
[00:38:29] Wade: Yeah, that’s a good question.
[00:38:30] Evan Francen: I think
[00:38:32] Wade: it’s hard to predict, you know, where we’re going to go um in the future I think in the, you know, in the middle school level and then even in the lower high school level, you know, unfortunately things are still, you know, prescriptive around core classes and you know, you have your math and language arts in Spanish and those pieces. So while we have, I think, you know, we have of course offerings like Cody and um you know different programs around around that, you know, where cybersecurity would fall in at a lower level, not quite sure. Um So it hasn’t been much talk on that yet, like I said, we’re only about a year and 2nd year into the high school model and you do need a level I think of maturity um to begin to really work on it from that side. But yeah, I’ve had my share of middle school and even elementary hacker wannabes, which it would be great if we can get them on the right side of,
[00:39:37] Brad Nigh: you know, the
[00:39:38] Wade: playing field, it really as opposed to trying to come at them from a okay, you did the wrong thing. How do we turn this thing around?
[00:39:44] Brad Nigh: Yeah, I think one of the interesting points in the article was, you’ve got, you know, teenagers building web apps like the tools are out there. They’re so prolific for games and different apps, you know, but there’s no uh teaching about, you know, how to do secure coding, how to look for vulnerabilities, you know, any of those kind of core functions of, you know, the secure development life cycle that we would look at. So, you know, maybe building into the coding, how you can do some code checks or something, I don’t know.
[00:40:21] Wade: All right. All right. I mean, it’s it’s it’s awesome that, you know, we have kids out there who can program and build an app and working like, you know, in those languages and do that stuff, but you’re right, you know, to we then how to do it correctly and how to do it securely and how to do it. No way. That’s like enterprise ready and just not something your rollout for your friends to see if. Again it’s the middle school level, it’s probably hard for them to to think about that. Um Yeah, but it has a good conversation have at some point,
[00:40:54] Brad Nigh: you know, I know, I do the (ISC)² Safe and Secure Online um for kind of around, you know, just being safe online and and kind of that higher level conversation around how to keep yourself safe and passwords. So, you know, doing, I think maybe more of those and having the right people come in and teach that, answer those questions is, you know, it’s a good start at least.
[00:41:20] Wade: Yeah, I think those are good programs for having kids be aware of what their role is, you know, on the internet with their devices, with the use of technology and yeah, these days and aid, you know, kids have access to technology on the phone, school shoot ipads, Chromebooks, what have you? I think we’ve we’ve probably been better about that and trying to teach digital citizenship and being responsible online those types of things.
[00:41:53] Brad Nigh: But you know, I think that really plays into that next level. So as long as you’re getting them that that’s a good start. So I will say the last one on there, I’m hopeful. I’m not the only one pedagogical concepts. I had to look that up because I don’t deal with that meant
[00:42:12] Evan Francen: we like to use big words and security makes us seem smart. I was
[00:42:16] Brad Nigh: like, what
[00:42:18] Evan Francen: do you
[00:42:20] Brad Nigh: mean like teaching? Okay.
[00:42:25] Evan Francen: Well, and I think the article is I mean the article is good and I think the talk is good. Uh and it’s not so, you know, our mission Brad is to fix a broken industry. And one of the things that’s certainly broken is this lack of talent uh in our industry and we’ve done the mentor program ourselves our own FRSecure mentor program for I don’t know where we’re going on year nine now. Uh And then, you know, supporting school districts as they’re trying to uh you know kind of mature their educational process because really it’s three things that are really really important. And we’ve said it before to making information awesome, information security people, you know, one is uh the intangibles, the things that we can’t teach people uh being dependable, being honest, being having integrity. I loved hearing, you know? Um Wade, how you you mentioned the net, you know the internet citizen piece? Right. Uh huh. That is super important because we can’t teach those things very well. I mean you kind of have to teach them at, I think the K through 12, right? You have to kind of grow them up in that because by the time they get to where we usually work with them, they’ve already chosen kind of their path. Right?
[00:43:46] Brad Nigh: Uh Right.
[00:43:48] Evan Francen: And then the other two ingredients, are education and you can get education in lots of different ways you can do it. You know, there’s all kinds of online and free courses everywhere. There’s books, you can you can go to a degree program if you want to, you can, you know, take certifications and no one I think is better than the other. I mean we’re just such an immature industry that just gets knowledge, get understanding. Um And then the third thing is experience and that just comes with time because I’ve seen a lot of younger students get into this industry or they typically take the tech path first, which is that’s legit. Um, but then they kind of lack this patience with their own sort of growth. Um, But the experience just comes with time. So I like the fact that they mentioned, you know, the 10,000 hour rule, that would be five plus years because the thing they said in there too was it’s not just 10,000 hours. All right. It’s 10,000 of the right hours, you know, focusing expertise on a skill. Um so I love what I love what you’re doing there. It’s those three things, those intangibles, uh education and experience. Then they rock everything. Then you get a Megan.
[00:45:13] Brad Nigh: Yeah, absolutely. So now now I want to go to the next story. This is where I get Evan all riled up. So this is your entertainment for coming out here Wade. Yeah, I can’t wait to hear it. So we’re talking about Australia’s new encryption law, the Assistance and Access Act, which basically empowers Australian police to force companies that are operating in Australia to help the government hack into systems and plant malware or insert backdoors. So TechCrunch, Ars Technica, the BBC, Threatpost, all of it. I mean it’s all over the place on this. But um, I can’t imagine this is gonna go poorly when they force somebody to put in a back door hold a master key that the government can have because that will never be misused.
[00:46:06] Evan Francen: No government come on.
[00:46:09] Brad Nigh: I mean
[00:46:10] Evan Francen: they have the best security ever
[00:46:12] Brad Nigh: anywhere. I mean even even if they did Good Lord I can’t imagine even, well
[00:46:20] Evan Francen: the tech giants are bad. The tech giants are up in arms you know which is good. It’s good. I mean this is one thing I’m not much of a tech giant kind of guy but this is you know one where I’m really cheering them on uh you know backdoors there should never be back doors. Especially we’re talking about encryption because then I have to trust what happens then if those encryption keys are lost or stolen. What happens if the who has access to those encryption keys? Um There are so many flaws and problems with purposely putting in weaknesses in a security program without really really really strict uh controls around how you’re going to protect that. It would be mitigating controls. And I have yet to see the government in any real play. And this is the Australian government. So I’ve never worked with the Australian government but I know the U.S. Government enough on how they do their own security. Yeah it’s not good.
[00:47:31] Brad Nigh: Well and there was one shooter can’t find it. Now one of the articles was you know Apple basically said we’ve helped you in you know whatever 20,000 cases. So why do you need this? What’s the point? What is the value of this? And of course, you know, all the pro back door, you know, inserting it in or like oh well you can allow terrorists and pedophiles to communicated via encrypted means. All right. All that’s going to do is have them go somewhere else that you can’t get a backdoor into,
[00:48:09] Evan Francen: right? I think their heart is in the right place. You know what they’re trying to do? Uh But where they’re going about it is yeah, it’s crazy because yeah, if I was going to do those types of things, what are you gonna um you can track the more for tour, right? You know, you’re gonna create a back door for my own implementation of AES. Or I mean, Yeah, it’s a cluster.
[00:48:38] Brad Nigh: Well, and then, you know, there’s yeah, the NSA’s External blue guy that got leaked ones that last year, was that? That was last year? Right. Two years ago.
[00:48:49] Evan Francen: Eternal Blue.
[00:48:50] Brad Nigh: So gosh, that was from the CIA’s hacking tools or NSA’s hacking tools got leaked. That’s one of the more secure organizations out there with some I’m going to guess I don’t have personal knowledge but pretty good controls in place and they still got out. So what happens when Yeah, that master key gets out and how was that handled? There’s just not Yeah. Have a lot around it.
[00:49:18] Evan Francen: Well I can’t imagine that this is gonna, you know, the one thing is, you know, I did read in the article is they’re open to modifications, learning as they go. But you know, I hope it fails.
[00:49:35] Brad Nigh: You feel like it was really push through last minute with with the yeah we’ll fix it later. Let’s just get it in place and we’ll fix it later because again that that happens and works so well.
[00:49:49] Evan Francen: Well there are other ways to accomplish the same thing. I mean law enforcement is able to intercept communications and you know who you know, who’s communicating with who and I mean there’s lots of things that they can do today without having the secret key.
[00:50:04] Brad Nigh: Well, one of the other ones that I thought was interesting was um one of the experts was saying that there’s no way to implement this and be compliant with GDPR. So now you’re okay. So do you go against the EU for GDPR? Do you go against Australia for this rule? Like what is going to happen here? So
[00:50:24] Evan Francen: When the US tried to do this in the 90s? Right. Yeah. Right. In that that failed miserably. So I don’t know, I think this is one of those things where uh cooler heads will probably prevail uh you know, we talked last year last week to uh you know to uh Jim Nash, you know about sort of the technical expertise or the security expertise in government. You know the people that are making the laws, the people that are, you know, writing these things and you know, they’ll leverage industry experts a lot of times to write these laws but the people that are sponsoring them at the end of the day, I really have no idea what they’re talking
[00:51:04] Brad Nigh: about. So I was watching one of the hearings last week and one of the senators held up. It was always the Google when he was
[00:51:13] Wade: Google the Google where they’re kind of, you, he tracked me from this seat to that seat over
[00:51:18] Brad Nigh: there. Well, I like the part I thought was funny was like he was like, well how come on this device and he’s like the guy from Google was like that’s an Apple device, we don’t make that like
[00:51:30] Evan Francen: Yeah, that’s another company.
[00:51:32] Brad Nigh: Yeah, it’s like oh yeah. Anyway that that made me feel good. I was laughing at that when I saw it.
[00:51:40] Evan Francen: Yeah, so I don’t think the encryption, I don’t think it’s I think it’s bound to fail.
[00:51:46] Brad Nigh: Yeah, again, I think the problem is they tried to rush it through and then there so we’ll fix it later. It’s too big. It doesn’t have any controls in place around uh it being abused. So
[00:52:00] Evan Francen: yeah and you’ve got you’ve got lots and lots and lots of money fighting it. Mhm. I mean you’re talking, Yahoo, you know, Amazon, Microsoft, I
[00:52:12] Brad Nigh: mean yeah, Apple probably combine be are coming up with close to what Australia’s GDP GDP is.
[00:52:23] Evan Francen: Yeah. Well I’m interested I mean I’m kind of curious on how this got through so fast. It appears from the article that it was kind of fast tracked a little bit because I think it had this been more transparent if people if it would have been debated more I don’t think it would have passed.
[00:52:39] Brad Nigh: Yeah it feels kind of yeah it’s kind of snuck.
[00:52:45] Evan Francen: It’s Australia has nothing to do with me. I’m in I’m in Minnesota.
[00:52:49] Brad Nigh: Yeah until their their backdoor keys are leaked and everybody’s worldwide data’s toast. Right.
[00:52:57] Evan Francen: Right. Well that global travel company that I yeah um that I work with they’re headquartered in Melbourne. So uh oh fact down
[00:53:10] Brad Nigh: your problem. We’ll see what happens. Um So I
[00:53:14] Evan Francen: didn’t get that fired up man. No
[00:53:17] Brad Nigh: I’ll try harder here or anything. The last one I think might get you. Um All right. So next one was off of Naked Security from Sophos, nakedsecurity.sophos.com, unencrypted medical data leads to 12 state litigation. So 12 states are suing an EHR provider who lost 3.9 million records in 2015. It was Medical Informatics Engineering and the subsidiary NoMoreClipboard basically the in May of 2015 they were stealing personal information. Also the health data social security number all the all the sensitive stuff that should be protected. Um But basically they failed to encrypt the sensitive information even though they said they were and they were using test accounts sharing the passwords of tester and testing. Um So that a client employees didn’t have to log in with a unique user ID. Mhm. Uh There’s I could go on on this one. It was Yeah I would guess that once. Yeah this comes out through the OCR this could be a willful negligence because they got alerted from like 10 testers. They don’t have any data exfiltration alarms in place. He only had a draft incident response plan when the breach was discovered. Yeah, I mean there’s just so many things that went wrong.
[00:54:52] Evan Francen: Yeah so I’m still trying to get past the naked security, I call it that. But uh yeah so negligence. Right? So these are 12 states, these are state uh these are attorneys general from Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, our home state Minnesota, Nebraska, North Carolina, Wisconsin. It’s rare I think for, you know, all these attorneys general to get together and sue a company. Uh I haven’t seen the lawsuit so I don’t know you know specifically what’s in it. Um But yeah I would think that this is going to be, you know, in a civil suit like this, it’s a preponderance of evidence right? It’s tipping ill one way versus the other, I don’t know how, you know, I don’t know the details and you know we don’t know the details but if you’re this company, nmC or, and our Medical Informatics Engineering, it’s going to be really hard to pile enough defensible stuff on my side of the scale. Mm hmm. Could not be found negligent here.
[00:56:08] Brad Nigh: Uh, did you see it in their, how they detected it?
[00:56:14] Evan Francen: Yeah. Because it was taken up so much bandwidth like. Yeah, anymore.
[00:56:20] Brad Nigh: Yeah. Oh my gosh.
[00:56:24] Evan Francen: Why is this database server, you know, send up everything gigabytes of data out of the network? Well, Yeah. So 3.9 million. So you try to put it back to 2015, you know, in 2015 and our own practice because we’ve, we’ve seen tons of companies you and I brad the um, In 2015. So try to back up three years. Was it all that uncommon for us to find stuff like this? So do not have the database encrypted to have test accounts still be active tester and testing to have a draft incident response plan as opposed to one that’s fully approved and implemented. Um, Is it uncommon three years ago too, have a database or have the code right piece of people injection attacks, You know, I don’t know today. Certainly this wouldn’t fly Right. I, I say all the time. I think it should be. Well, I’m a security guy, but I think it should be indefensible for you not to have an incident response plan. Yeah. Because logic would tell you, no matter what you, no matter what you do, you will not be able to prevent a breach from happening, right.
[00:57:54] Brad Nigh: Uh And I mean, you see it as much as I do, it’s still incredibly common that they they don’t have anything
[00:58:06] Evan Francen: right. So maybe I could weasel their
[00:58:08] Brad Nigh: way. I don’t know. I think, I think what they’re going to get stuck on is the fact that they said they were encrypting the data and they weren’t. That’s going to be where they get.
[00:58:18] Evan Francen: And I think that they say they were there
[00:58:19] Brad Nigh: not. It says the lawsuit says that they failed to encrypt sensitive information even though they said it did. Uh So
[00:58:29] Evan Francen: yeah. Well, the part that really talk to me about this is because is uh you know, you have these breaches like this where people, you know negligence is that tipping the scale thing, but it doesn’t make it right. Yeah. I mean, so if you look at these things through a different lens, is it right or wrong? Well, the things that they were doing is absolutely wrong, Right? You could make a case for that. But the part that talks me is that you have these calls for stricter federal regulations, stricter data protection laws that have that are going to affect me over here and I am doing the right things right. I am protecting security, but I’m gonna have to pay additional fees to have audits done against this new protection law. You know what I mean? So it ends up affecting that’s the part that torture because compliance is just doing what you’ve been told. It doesn’t mean you have good security or not. So, if you create a law and people are living by the letter of the law, that’s different than the intent of the law. You know what I mean? And that’s where we uh because I’m not a big fan of compliance driven security. And I think this is if things like this continue to happen, and if the federal government or the state government gets their way, they’re going to create more laws and they’re not going to be
[00:59:50] Brad Nigh: followed. All right. That’s why the PCI Council went and did their thing, right. It’s better to you don’t do it. Then the government will so do it right or do something. Uh
[01:00:02] Evan Francen: So, I’m not happy about this is going to get a lot of attention to. I mean, if you have 12, you know, attorneys general, uh and and the OCR hasn’t weighed in yet on this, that will be a separate action. If the OCR weighs in to see what happens. I don’t it would be interesting to see if this company can even survive.
[01:00:20] Brad Nigh: Yeah. Yeah, that’s gonna be a tough one. Alright, so, last story. This one will ensure you get fired up as uh the Equifax breach was entirely preventable had it used basic security measures, out of the House report. So high level on this one basically they said, yeah, you if you’ve done any sort of like basic security like patch your systems, it would have prevented the data breach. Um The patch was a disclosed vulnerability in Apache Struts that there was a warning about months before. And the unpatched Apache Struts server was powering its five decade old web facing system. Yeah. That’s nuts.
[01:01:09] Evan Francen: I’m torn about this stuff because they make it sound like it’s so simple, right? I mean basics and basic Yeah. But yeah, they are basics, but it’s a big organization. It’s difficult to do that stuff, right? It’s not just you don’t just flip a switch and it happens.
[01:01:25] Brad Nigh: But that’s I mean to me that’s endemic of a poor security buying from the start. How do you have a system that’s been out that long with like you built this up and built a an attitude within the organization that security isn’t important, right? That’s what that’s showing me.
[01:01:45] Evan Francen: Well, the one thing that talks me about the Equifax breach beyond whatever their security was like was just the crappy business it is, you’re collecting information about me that I never really gave you permission to collect or if I did it was spared in some kind of things somewhere. If I wanted to buy my house, I’m going to have to sign it, you know, it’s stuff like that and they collect this information and they sell it uh without my knowledge, I don’t know who has access to my information. I don’t know how my information is secured. And then when there’s a failure in your security to protect my information, it’s my responsibility to put it back. So he steals my identity. I have to do the credit monitoring. I they have to do the credit freeze.
[01:02:29] Brad Nigh: You get to do the credit monitoring that they offer you through their service that just got
[01:02:33] Evan Francen: hacked. Right? And then and then if there’s inaccuracies on that on my credit report, I have to go through all the hoops to get that fixed. So Equifax isn’t even responsible for making sure that the data they collect is is accurate. It’s just a crock of crap. And then the fact, I mean, oh my God, get me going right, son of a gun,
[01:02:54] Brad Nigh: nailed it
[01:02:56] Evan Francen: right? When the system is broken, right? I mean a much larger scale. We’re using a social Security number one number that I share everywhere. Yeah, authentication and identification, which is a violation of just basic security principles. So,
[01:03:15] Brad Nigh: which by the way we’re seeing with biometrics to
[01:03:18] Evan Francen: right? At least a scary thing with biometrics. I can’t like you and I can’t change it. Right? So a lot of those biometric solutions are actually, you know, they’re starting the menu. Sha not the actual image, but at least that’s what they say. It’s all that implementation
[01:03:39] Brad Nigh: though. Well, I think on this. The Equifax one if you, so one of the articles was from TechCrunch and there was a link in there that where the former uh CEO what was the name? Richard Smith basically said it was one guy who didn’t do his job. That’s how this happened. So there’s a link there were, well, and what was interesting though is in that linked article from October of 2017, he said when he started with Equifax, 12 years ago, there was no one in cybersecurity, So 12 years ago they had nothing. And then now he’s saying, Oh well we poured a quarter of a billion dollars in the cybersecurity the last three years and have 225 person team. And I think to me that goes back to what we talked about it. How are you spending the money? Is it the right way? Clearly, what were they doing? Because it didn’t get caught? You know, just bragging, you’re spending, You know, $100,000 a year on cybersecurity or whatever. $100 million, whatever it is. Who if you you have the largest breach that’s been recorded and it was because one person didn’t do his job, like he just doesn’t doesn’t add up,
[01:04:59] Evan Francen: right, and a lot of time and see a lot of the stuff is in the book to I
[01:05:04] Brad Nigh: know Yeah.
[01:05:05] Evan Francen: Uh I’ve been, I’ve been told that so many times. Well we spend x hundreds of thousands or millions of dollars on information security is like, so show me, show me, give me some evidence. Show me something that uh thank you. Makes me feel like you spent that money. Well yes, I’d rather I’d rather you save your $100 million dollars and not spend on security at all than say than spend your $100 million on Crap. Yeah, because then you’d at least have $100 million. Still
[01:05:41] Brad Nigh: Wade, you spend your money. Right, correct.
[01:05:44] Wade: Well we don’t spend 100 million especially that we do, we do try to pare that down and yeah, I make good investments and I agree with what you guys are saying. I think it’s laughable that one person’s, you know the fall guys for for such a breach when it is complicated and our organization is complicated and even small businesses, small organizations is complicated and try to do like you said the simple things well and then you try to figure out what you need to like forecast and and the things you don’t even know that you need to know about and try to figure out how you’re on top of those things.
[01:06:24] Evan Francen: Right, Well and they come up with these reports a lot that say, you know this breach or that breach was entirely preventable. It’s like every breach is preventable, assuming I knew all the avenue, you know what I
[01:06:36] Brad Nigh: mean? Yeah,
[01:06:38] Wade: I knew anything at a
[01:06:39] Evan Francen: time. Right? I mean afterwards. Yeah, I could have prevented this by just applying patches. Simple. They’re easy. Yeah. Right. I mean, how many, how many servers did they actually have to secure? Ah so that part didn’t really tick me off as much as the fact that the way they handled it. I mean I’ve never seen a company handle a breach more poorly. Yeah. Yeah. Equifax did, I think they have a crappy business in general? Um Yeah, I don’t know, there’s a lot of things about this breach that
[01:07:12] Brad Nigh: They said, you know, some of the reports, they had over 300 security certificates that were expired including 79 for monitoring business critical domains. It seems like there’s just a lack of any sort of Direction uh in that security program. It’s like, oh well we’re spending, you know, $250 million dollars though and we have the staff here so we must be doing it right. That that clearly is not the case.
[01:07:41] Evan Francen: No, no, I agree. I agree. Yeah. Susan Mauldin, she was the CSO at the time, didn’t she just get like, oh, just raked over the coals and I mean, you don’t know what I mean. I know that she came from Sun uh was a big son crap son bank. You know, big big bank. Uh $10 billion dollar bank. I mean something big before she went to Equifax and she was there for a long time. So she had a good experience. Um but you don’t know that her day to day. I mean you don’t know the interactions that she had to deal with, you know with this Richard Smith or um But you know she was raked over the coals because she had a music degree. Like well there’s lots of us, I have a geology degree. So
[01:08:29] Brad Nigh: yeah, I don’t have a degree. I’m totally I neither off scot free or I’m totally screwed. I don’t know yet.
[01:08:36] Evan Francen: Right? But that was that point. That was that second ingredient, right? Education. There’s so many ways to get education in this industry that I’ve seen a lot of the degree programs and I know people that teach at the University of Minnesota Master’s program and don’t be so impressed with a master’s degree. I mean it’s a good program but it’s not the end. All be all, there’s lots of different ways to learn.
[01:09:01] Brad Nigh: Yeah. No I just started working way early.
[01:09:05] Evan Francen: Right? Yeah. We were before they don’t even know what they didn’t really call it security.
[01:09:10] Brad Nigh: No, no I’ve said this, one of my first jobs was going room to room with a clipboard applying Y2K patches at a higher education. That
[01:09:24] Wade: was one of my first ones, to apply Y2K patches. Yeah.
[01:09:28] Brad Nigh: Yeah. Yeah watch this with Y2K patches and write down, I was told write down the room you’re in, the serial number of the computer when you patched it and then that was also there. Their audit asset inventory. So that that’s how we did it, wow.
[01:09:45] Evan Francen: Mine was my first security. Security was a networking guy is, you know, from a Cisco, It was a Cisco guy. But the uh first security gig was cleaning boot sector viruses off of Windows 3.1 machines. Thousands of them.
[01:10:00] Brad Nigh: Yeah. You got, you got us beat what I think.
[01:10:04] Evan Francen: Yeah. Well that wasn’t fun. So one of the no. Yeah. So I knew dr geometry really well. I’m not geometry uh, whatever Anyway, I don’t do anything anymore. No. Yeah. No. All right. So
[01:10:23] Brad Nigh: that was it.
[01:10:23] Evan Francen: I did get fired up, man. That’s that’s
[01:10:26] Brad Nigh: gonna be fired up. I know that one of them would,
[01:10:30] Evan Francen: Yeah. So Wade, I want to, I wanted to get your advice on like, let’s say I wanted to go to Laconia and they don’t offer this kind of program. Can you give me some advice as a parent? Uh, do I talk to the principal and say, hey, there’s this compass thing. Can, can any school, you know, sort of in Minnesota get involved with this and start their own cybersecurity program, like you’ve done in your school district?
[01:10:59] Wade: Yeah, I think so. So you have to remember that I’m the tech director for the district. So some of the curricular pieces that are probably not my forte. But my advice if you, if you wanna, you know, get something going. Um, it’s probably always best to start, yeah, likely again at the high school, so start at the high school level, connect with the principal or an AP or dean. Somebody who has a little bit of understanding about the enrollment. The course offerings may be something that are already there already in place. Um, that take it, I mean, there’s every district has a curriculum director who’s got to be part of the conversation. Um, you know, sometimes superintendent, you know, depending on, you know, their connection on the side will be a good angle as well. Just just have a conversation with and point them at surrounding districts who are doing things like this as maybe a model that they could, you know, maybe partner up and share some information with. Cool.
[01:12:04] Evan Francen: Yeah, it looks like mm encompass, it looks like a good resource to the m encompass dot org website.
[01:12:11] Brad Nigh: So based on what you just say, I’m a little surprised that there doesn’t seem to be a more collaborative approach to, you know, I hear info sec across the different districts. It seems like there’s some stuff out there, but I know we work with a lot of districts around and we get questions all the time. I bounced questions off of you from other districts and I’ve taken, you know, uh, questions that, that they’ve had gone around. But uh, I don’t know, is is there not a more formal newsletter or anything that is out there?
[01:12:49] Wade: Well, I think, I mean, I think districts get connected. A lot of different topics is naturally, and there’s, there’s professional associations from superintendents to trick them principals. They all have their, their different, you know, professional organizations. Um, I.T. does as well. And I think we kind of, we kind of ebb and flow between structured and unstructured. Um, there’s a couple of groups that we belong to and I know of. So we do, I mean we talk, we’ve had a meeting about a month back just around, actually, this topic had come up and multiple districts were on and in the room having a conversation just about what they’re doing, what the programs are. Uh, you mentioned before. Kind of where, where there were the good investments are in the limited, you know, infrastructure dollar, um, budget line item that you might have. And then, I mean, we share war stories and postmortems and things like policy development and stuff like that. So it happens, uh, probably has only begun to pick up in the last couple of years to surround. You see more and more districts and public sectors get compromised as well. I think people are beginning to pay attention and saying, hey, we’ve got to, we have, we have critical important systems and information that were charged Jack and secure and yeah, it’s our duty, a duty of care.
[01:14:25] Brad Nigh: That’s cool. That’s good to hear. Yeah, absolutely. All right. Well, I think Evan, do you have anything else you wanna grill Wade about?
[01:14:35] Evan Francen: No, no, I’ve learned a ton. This is really a fascinating, uh, I’m glad to hear that we’re involved in it again, you know, next year, you know, we, we, we need to stay committed to this and get more organizations involved because it’s, it’s a problem that, and as I think has much larger implications than people realize, you know, the next battles will be fought online. So I mean getting us in a better position. It’s our, it’s our, it’s our job. It’s, it’s our duty.
[01:15:09] Wade: Yeah, I appreciate you guys being involved too. And I think, you know, kids today. Yeah, I like hearing the fact that you may not have gone the traditional route of school. And I think there’s a lot of kids who are just saying, hey, you know, four-year college degree might not be my path and to know that there is, there’s other opportunities out there that, you know, have a, have a promising future and have a huge demand now and into the future and just get connected to that kind of thinking it, it’s awesome. So keep it up. Stay connected, appreciate the mentorship and you guys work in partnership with the district.
[01:15:48] Evan Francen: Thank you. Thank you. Let us know if there’s anything else we can do to, to help out.
[01:15:53] Brad Nigh: Yeah, we’ll see about beautiful.
[01:15:55] Wade: Yeah, it can be the fall guy if we get great palaces. So you guys your fault.
[01:16:00] Brad Nigh: Thanks. Now. I’m not bringing the lock ticket. Uh Yeah, we’ll have to get that. And and uh what’s that? Something up and bring that out for for one of those classes? Once that gets going?
[01:16:17] Wade: Okay?
[01:16:18] Brad Nigh: All right, well, thank you very much for uh you know, one way. This is a lot of fun.
[01:16:23] Evan Francen: Yeah, yeah.
[01:16:26] Brad Nigh: Yeah. And it wasn’t until next week and we’ll be back in a week and I’m gonna ramble because I’m tired. It’s been a long week.
[01:16:34] Evan Francen: Alright? In december. We’ll see you next week. All right. See you.
[01:16:38] Brad Nigh: Bye.