Creating a Cybersecurity Team Mission Statement

Unsecurity Podcast

Evan is back in the U.S. and joins Brad and Ryan in-studio for a discussion about his recent writing getaway, an update to the US/Iran conflict, and creating a cybersecurity team mission statement. Give episode 63 a listen and let us know what you think at

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:23] Evan Francen: Hey Unsecurity podcast listeners. This is episode 63. Even though my show notes the episode 62 the date is january 2020 20 that’s all twenties. I’m Evan francine. It’s good to be back most in today’s show And joining me in the studio is my friendly co host Brad Nigh and my left hand man, Ryan Cloudier, get right close

[00:00:48] Brad Nigh: here, cola cola cola clue ta

[00:00:52] Ryan Cloutier: you know that’s gonna be coming ongoing.

[00:00:56] Evan Francen: Told me on saturday. That’s french. So I think cloudy cloudy, cloudy a

[00:01:01] Brad Nigh: I’m gonna call you a different name every time

[00:01:02] Ryan Cloutier: I love you guys.

[00:01:06] Brad Nigh: I like every pronunciation is different.

[00:01:08] Evan Francen: Yeah, but you guys catch and call them left hand man. You know why I did that?

[00:01:12] Ryan Cloutier: Why’d you do that?

[00:01:13] Evan Francen: Because I called you my right hand man. I can’t have two right hands. That would be super weird that it would be very weird. So I have a right hand and left hand. I’m right handed. So I throw I write with this. Someone have to become ambidextrous. So they call that, that is what they call. Okay, so Ryan’s left hand, your right hand. So I have no more hands. So this is it. So I’ve got all right. So you guys didn’t catch that stumped. Maybe probably not. Uh, stumped. You were stumped. Well this is early for monday morning, right? I’m

[00:01:47] Brad Nigh: I’m still waking up. I’m

[00:01:48] Ryan Cloutier: I’m just thrown by you being in studio.

[00:01:51] Brad Nigh: I’m throwing my

[00:01:53] Evan Francen: Just the first time we’ve actually all been together the crap.

[00:01:54] Brad Nigh: It is okay. So I need you to go stand in the corner and talk directly into the corders.

[00:01:57] Ryan Cloutier: You want me to go?

[00:02:02] Evan Francen: Yeah, we got to go back in my office and I’m calling All right, we have a time to cover today. So we can start with catching up quick like doing that, especially being that I have been out for a while. Uh, so you guys are cool with that? Yeah, absolutely. All right. So back home holiday party. So I got home on saturday I left. Did you see the picture? I didn’t show you the picture. I tweeted it. The picture of the sunrise the morning. Yeah, I love to see that. It was like amazing. And it was 79 degrees when I left. It was not

[00:02:39] Ryan Cloutier: 79 degrees

[00:02:40] Evan Francen: clock in the afternoon. I step off the airplane and it’s,

[00:02:44] Ryan Cloutier: I was like to, yeah, I say it’s about 4° or something and the windshield was like 15 or 20 below and it was snowing and it was ice.

[00:02:50] Evan Francen: The roads were icy. I was even thinking like, I wonder if they’re gonna cancel or cancel postpone the christmas party because the roads were that bad.

[00:03:02] Brad Nigh: They were pretty slick. I, we had a little bit of a fish tale as we were driving over there.

[00:03:07] Evan Francen:  Oh yeah, so I got home, went home, you know, airport home, wife had the shower, I don’t do that, I don’t shower, you guys know that. Uh, and then after the holiday party and that was awesome. So Ryan, this is your first, if our secure slash security studio holiday party, what do you think?

[00:03:26] Brad Nigh: I thought it was really good. You guys, you know, did a good job on the, on the spread, there was decent food deed drinks were flowing. Um, nice venue I think, you know, everybody was having fun. Huh? Did you get to meet everybody? Oh no, not even close. I did get a chance to meet a few new faces and you know, start to have some early discussions. I’ll be a little less shocked as I walk around the office when I see people, I’ll at least be able to, like I saw you at the party, but I still got a lot of folks here to, to really get to know. So that was cool

[00:04:01] Ryan Cloutier: It’s getting harder and harder to like actually get around and talk to everyone so many feet. It’s amazing.

[00:04:09] Evan Francen: I spent two hours I think at that party just going from person to person giving hugs, you know, people, people were, I think shocked. I think some, some of the people that have never met me before or maybe some of the people there are spouses who had never met me because I was talking spouses too. I was like, whatever. It was fun, it was really cool to see everybody there. Yeah, there was that whole place. I mean, we had like, some people were bowling. Yeah, some people, we had to karaoke rooms. People were in there. Did you see that?

[00:04:40] Brad Nigh: I, I saw something on social media. I was trying to drag my wife into the a karaoke room, but she wasn’t, she wasn’t having it. So, so I skipped that now.

[00:04:51] Evan Francen: She’s singing.

[00:04:52] Brad Nigh: Uh, no, no, well she, she sings, but when no one’s around

[00:04:57] Evan Francen: Okay, how about you? Did you go in the copy room?

[00:05:01] Ryan Cloutier: I watched from the outside as we walked by a singer?

[00:05:04] Evan Francen: No, I’m not a singer either. Only one.

[00:05:07] Brad Nigh: Harvard in there at some point.

[00:05:08] Ryan Cloutier: Harmon is a singer.

[00:05:10] Evan Francen: He’s a singer. He’s really good at singing. But then we had people, we had a pool, the pool table, ping bombing palm the bar. We had two spreads of food. Yeah. Did you have both

[00:05:23] Brad Nigh: lines? I didn’t, I thought the second line was a duplicate of the first and then, right at the very end, I was like, do you know, they have mac and cheese over there? And I’m like, what? Oh man.

[00:05:33] Ryan Cloutier: Yeah, it was a fun time.

[00:05:34] Evan Francen: Yeah. Did your wife enjoy yourself?

[00:05:36] Ryan Cloutier: She likes it. Yeah,

[00:05:39] Evan Francen: I finally got to tell her face to face, thank you for the t shirt, t shirts awesome. I’ll wear in one of these days. It’s, but it’s got a big beard and I can’t remember exactly what it says. I

[00:05:49] Ryan Cloutier: have a beard and I know things.

[00:05:50] Brad Nigh: It’s what I do.

[00:05:53] Evan Francen: But so the holiday party was cool that, and that reminded me why I come back. You know what I mean? It’s, if it was, it’s not for the weather helm. Oh no, it’s for the people. You know, I don’t get to see everybody. It was perfect comeback made for a long day.

[00:06:08] Ryan Cloutier: It’s amazing how so many different personalities and people like just get along. Like people are just mingling and

[00:06:18] Evan Francen: you’re not saying here right? No tickets. Yeah, very true. We don’t have any, I haven’t met one yet. And we did have, I was, I don’t want to call Medicare, but the last time I remember, I mean we redid him out or that team waited him out with him.

[00:06:36] Ryan Cloutier: What? Yeah, yeah. They police themselves. Yeah. They let us know. It’s like, hey, there’s a culture issue. You’re, somebody’s not pulling their weight or

[00:06:46] Evan Francen: whatever. That’s cool. So today we have The all company meeting. Yeah. Q 1 2020 first time. We’ve all been together this year. Uh, have you looked at the side deck?

[00:07:00] Ryan Cloutier: You put together a lot of it.

[00:07:02] Evan Francen: I have one slide. It’s just, my name

[00:07:06] Ryan Cloutier: has been so much work.

[00:07:07] Brad Nigh: Just an intro slide.

[00:07:10] Ryan Cloutier: No, he’s like at the end.

[00:07:11] Evan Francen: They sent me to the end because

[00:07:14] Ryan Cloutier: I eat too much and then we have a hard stop. Keep him in check.

[00:07:18] Evan Francen: Yeah, I can see where, that’s usually where they sitting up in the front, you know the front row and she’ll be like, she’s giving me the time thing and I’m just getting started just warming up.

[00:07:27] Brad Nigh:  What do you mean? I gotta stop.

[00:07:30] Evan Francen: Yeah, that’ll be fun to see everybody in the same room. I love that part. You look out in the room and because you know, how many years have you been here now? 3.5. 3.5. So you have grown a lot july 16 double trouble.

[00:07:46] Ryan Cloutier: So actually kevin and I were talking about this on saturday. I want to say when I started always active employee number 16, 15 or 16. Oh gosh. And then, yeah, I actually like employee number whatever was 26 overall. Okay. So obviously just turned over over years, but yeah, 16 to like 70 something. I can’t even keep

[00:08:12] Evan Francen: track, wow. Yeah. And you’re scared studio, but you straddle both lines. I mean you do some are secure work too, so, but I wonder a number you would be because you’re one of the newest hires.

[00:08:26] Brad Nigh: Yeah, I think so. I don’t think we’ve hired anybody since I came on board two weeks ago

[00:08:31] Evan Francen: but I’ve heard we’ve got like three more serious

[00:08:34] Ryan Cloutier: because people starting today. Nice.

[00:08:36] Brad Nigh: That’s crazy. That’s exciting though. It’s good to be in growth mode, right? That’s how, that’s how we’re going to be able to get out there and get the hard work of fixing things done right.

[00:08:46] Ryan Cloutier: We’re going to people, it will blows people away is when we talk, I tell them that and that and then, and then you say, yeah, and it’s all organic is no like investor and seed money. It’s all just organic growth and

[00:08:58] Evan Francen: blows people’s minds.

[00:08:59] Ryan Cloutier:  We have some plans for this year too.

[00:09:01] Evan Francen: I think uh Denver, it sounds like we might be opening an office if we haven’t already in Denver and then I think john got back from Dallas last week and I heard rumors that

[00:09:18] Ryan Cloutier: well, I think it’s because he’s a were there too. He’s a weird cowboys fan.

[00:09:22] Evan Francen: Alright, weird. You know, Dallas gets cold too. So I’m not,

[00:09:27] Ryan Cloutier: there’s another, yeah, several different areas that we’re looking at.

[00:09:31] Evan Francen: What do you guys think about a Cancun office, can either of you speak spanish

[00:09:35] Ryan Cloutier: my daughters can. So I’m in, I’ve got translators at home, so

[00:09:40] Brad Nigh: I got the google app,

[00:09:41] Evan Francen: don’t worry about it.

[00:09:42] Ryan Cloutier: I’ll figure it out the first day.

[00:09:43] Evan Francen:  I sat down, there’s a place I like to write, you know? Um and uh it’s called like, it’s a, it’s a mom outdoor mall and there’s a uh Starbucks there, right? So I sat down, opened my laptop and I’m like, I wonder how many wifi hotspots they’re around here. So I open up nets tumbler and I’m like holy balls there’s like 40 some odd 45 maybe. I don’t know I saved it off but most of them were insecure there were handful that we’re running wep yeah we could open an office here. We should.

[00:10:23] Brad Nigh: Well and you know that’s interesting, you bring that up, you know the international side of things. Right before we started this morning we were chatting a little bit about our friends over in Australia. You know they’re very far behind the curve. I would say that region that asia pacific region as a whole just getting started on their journey. And then we’ve got our friends in the UK who are also a little bit further ahead but still kind of behind the curve. And so live as well as we solve challenges here in the States. You know I think they can leverage a lot of the work we’re going to be doing over the next year internationally since the U. S. Is really seen as a leader in the information cybersecurity space and this is kind of seen as the dominant framework if you will. Um So I think there’s gonna be some some growth potential and opportunity not just in Cancun but other warmer destinations in the

[00:11:18] Evan Francen: world. That’s a long flight, have you ever been Australia? Either one of you,

[00:11:22] Brad Nigh: I’ve been the furthest over that side I’ve been is Malaysia and that was a hall that was that was a serious flight. I went Minneapolis, Tokyo, Tokyo to Seoul solo. The Kuala Lumpur.

[00:11:35] Evan Francen: What’s Happiness? Bulgaria? Shout out to our Bulgarian friends. Hey guys, hey you have a team of developers over there, Alex stars. Pretty awesome. They may need sheep face. Okay. Yeah.

[00:11:49] Brad Nigh: Right. Yeah, I’ve had a similar experience. Was face latin friend of mine made sheep in a trash can. So when an old school metal trash cans, right, remember the classic galvanized metal stuck it on a giant, you know, propane burner filled it up with water, started throwing hunks of sheep in it. And then we had, that was the day I tried blood salsa. That was interesting. Well culture

[00:12:19] Ryan Cloutier: can’t Yeah, I mean it was a good, that’s the important

[00:12:23] Brad Nigh: part. Were different air right now. Right? It was different, was different.

[00:12:28] Ryan Cloutier: You tried it, that’s the important part.

[00:12:30] Evan Francen: They didn’t tell me. She plays

[00:12:32] Ryan Cloutier: you like it. You didn’t like it.

[00:12:34] Evan Francen: I was like what is this? Like they’re laughing the hell

[00:12:38] Brad Nigh: like

[00:12:39] Ryan Cloutier: the best part of that.

[00:12:40] Evan Francen: It’s a market and then see if you can figure it out like okay, but I still don’t like it man, what is this thing? Oh it’s cheap face. Like shut up. What is

[00:12:48] Ryan Cloutier: that? How did that guy thing is, you know like international? Yeah, it’s totally just like you got to

[00:12:57] Brad Nigh: try this Right. Well at least he got, you know the front end of the sheep instead of the back end of the sheep.

[00:13:03] Evan Francen: Right? We all got, well, that’s what they told me, right, there was sheep face. It might have been the back end of the sheep. You

[00:13:10] Brad Nigh: ever had? Rocky Mountain oysters? Yeah, that’s somebody and somebody pulled that one on me. Oh no, it’s good. Ryan, you’ll love

[00:13:17] Ryan Cloutier: it. I am I allergic to shellfish? Sorry, can’t help

[00:13:23] Brad Nigh: you. I

[00:13:27] Ryan Cloutier: know what they are saying. That’s my excuse hell fish. Sorry can’t have it.

[00:13:32] Evan Francen: All right. So, you guys, uh, you know, I went down there, so I originally went down to Cancun too right, I ended up doing a lot more work work than I think writing, but you saw the outline, that’s the first time you guys have actually seen it, you know, and I put it kind of at the beginning of this, of the show notes where its introduction, talking about information security operating system, I was going to call the security operating system, but that’s S. O. S. Right? So what we’re using is sort of the entrepreneur operating system. Gina Whitman wrote awesome book called traction. You know, and it’s become really, really popular, I think for SMB? S uh, in how they run their business. So I wanted to follow kind of that same, uh, you know, framework and create a information security operating system. We have so many good standards, so many, so many good best practices, but I think what people struggle is really operationalize ng it, making it part of their business being part of the day to day. Uh Angina Whitman did that awesomely in the E. O. S. So let’s do it with the security operating system. So it starts with, you know, if you’ve seen that book and you look at the chapter tail, you know, table of contents similar. So we’ve got the information security operating system security America where we talk about small business, local government, education and home. We all have experience there. I think where we really specialize is, you know, small business really, really well and you also have a good overlap into education, some of the work that you’ve done brad, You’re the guy that I would rely on 100% for education but then you also have a nice spillover with local government I think really well. Um, and then I kind of just a jack of all trades kind of, I don’t think I’m super expert in any of those but just good in all of them. Um but the good thing about security is security is security. Right? The basics of the basics, the fundamentals are the fundamentals. It doesn’t matter if your government doesn’t matter if your government or a school, we use different languages, maybe different dialects.

[00:15:39] Brad Nigh: Yeah, it’s a, it’s a dialect thing. Um it’s the biggest differentiator that I see across all the verticals is risk and how that risk is described. Quantified measured and remediated what a local municipality considers to be risks and risk they need to address or not equal to what a K 12 shared systems, shared components, shared security framework and language in need. But as we work with those partners, I think the bigger conversation differentiator is risk, the same thing with our home users, right? Depending on the culture and community that you come from, you could have a different viewpoint on what is or is not a risk, you know?

[00:16:23] Ryan Cloutier: Yeah, I mean they had this exactly it. Everybody would, yeah, I was going to go on it, you know, you know what, he’s pretty well now

[00:16:35] Evan Francen: I was waiting for some more wisdom, you have me on the edge of my seat so I

[00:16:39] Brad Nigh: agree that’s the one for today. I got nothing left,

[00:16:42] Evan Francen: not bad for certain week off with that but you know, securing America so he’s describing really the problems in those, you know those horizontal vertical. So we’re going to call him then in Gina wittman’s book, he has six components that make up the os the entrepreneur operating system. I call out five components so far, you know, in writing this book, the people component, the asset component right at the end of the day, you know, it’s about protecting our assets and assets are tangible and intangible and you know, kind of going through all that, the control components. So you don’t add controls until you understand your assets, right? I can’t secure the things I don’t know, I have. So that component builds on it, the process, component, measurement, component, you know, so on and so forth. But I think the book will be really fun. I’m going to start so I’ve got the outline, I’m starting to fill in the blanks, but then it’s gonna be real soon when they, you know, asking you guys to give me input and take your own.

[00:17:42] Brad Nigh: Yeah, looking forward to a man that is going to be a lot of fun. I’m excited to try my hand at authorship. See how that

[00:17:51] Evan Francen: goes well, the good thing about being an author is you can suck it writing and they have ghostwriters

[00:17:58] Ryan Cloutier: as long as you’re concepts and the like thoughts are there, they can make it look pretty

[00:18:04] Evan Francen: Yeah. And I’m thinking, you know, one of the things that might be fun is how we go straight for each other. So we write, I raised my piece Sure with you guys, you guys are like, oh I communicated this way, you guys end up ghostwriting for me and I will you be

[00:18:18] Ryan Cloutier: cool. Really interesting because everybody has just a slight different take on it. And so look, he said, words have meanings, right, so everybody has just a slight different way.

[00:18:30] Brad Nigh: It’s gonna be fun. I’m looking forward to collaborating with you guys because I think we’re all gonna learn a little bit more about each other and our viewpoints mindsets and how we approach the problem. And I think that’s going to be probably for me, that’s probably the coolest part of this is I love being able to get inside other people’s minds and look at things from a different angle. It’s part of the social engineering work. It’s part of the security work too, is how do you relate to your humans so to get and your guys minds and let you into mine for as much as you can handle. It’ll be it’ll be fun.

[00:19:06] Evan Francen: Yeah, I agree. I think it’d be really cool and it’s a, it’s a good, um, you know, because you can always go off and write it yourself, but then you don’t share in it, you know, the whole experience, that’s my computer. Again, it always does that because it’ll turn off my trap the uh, but this will help get your name out there, you know, establish yourself as an expert in the industry because I know you guys, I know you guys really well, you know, and I would trust my security program with either one of you in a heartbeat. The thing is how many people know brad and I how many people know Ryan

[00:19:43] Brad Nigh: cola cola coca cola. Not enough. That’s my answer,

[00:19:47] Evan Francen: right? But you guys have such good advice to share a good, good perspectives. That’s the second thing I’m looking for it in the book, is it’s not just my name on it. It’s our names on it, right? We did it together. And I think it’ll be really, really cool because I also don’t like being the center of attention, believe it or not. So like when we had the book release party here, it’s like everybody was here and hey, I was like, you are so uncomfortable. Yeah. Right. At least here I can share the stage is like two of my buddies and be like, yeah, yeah, these guys. So that’s critical. All right. So that’s the book. That’s what I’m supposed to be working on. I got some of it done. Um, you know, for people, for listeners who think, you know, or maybe wondering when the book is going to be available, I’m shooting for third quarter. I would love to have it done. You know, that means we got to get kind of going on it, but maybe june will have, you know, draft and go through the process. Maybe september, we’ll have this thing ready. So very cool. Right. So that’s that, what else did we, uh, did I miss anything? What anything exciting with you guys in the last couple of weeks? Can you remember

[00:21:00] Brad Nigh: last couple weeks? It’s easy, busy. Yeah, it’s been a blur. Lots of good stuff. I think I have some notes that we can go over later to,

[00:21:08] Evan Francen: Yeah, you’re going to spend some time with me

[00:21:09] Brad Nigh: to catch up on a few things, a couple new opportunities that are on the horizon that we need to decide how we want to or if we want to approach. But yeah, I don’t, I don’t know that you missed a whole lot. I think it was more just things are things are moving fast so there’s some catching up to do and yeah, I got to spend some time with laura. You miss that? You missed. That was fantastic. Lorries awesome, isn’t she? She’s great. She she did a really good job on articulating the higher level risk question student need to dive into all the details. She was able to kind of frame that out at a single question.

[00:21:51] Evan Francen: See that’s what’s like an

[00:21:52] Ryan Cloutier: artist. Yeah. To watch her work. That’s one of the things I think we do and they always do so well, it’s not going through and asking every question right? It’s let’s talk about this and okay, so tell me about and just that conversation, being able to parse and being able to answer this. The assessment questions out of what people are saying?

[00:22:15] Brad Nigh: Yeah,

[00:22:17] Ryan Cloutier: it’s definitely a skill and I think our team is I feel really good at doing that and not just do you do this? Do you do this that you would see like in an audit? Right.

[00:22:28] Brad Nigh: Well the customer who shall remain unnamed, very cool stuff they do over there. So I got to geek out. I’ve been working in schools for the last few years and I forgot you know that there were other industries out there and so getting to tour the facility do the physical side of the assessment which is something I always enjoy. Um was really cool and getting to help out Lori was just you know the icing on the cake.

[00:22:53] Evan Francen: One of the things I think it makes our analysts so good other than the fact that they’re just super good quality people is what they did last friday. I know they had a we had a consulting incident response tech ops lunch and learn that they did. I wasn’t able to be in those. I love participating in that, you know, just to listen. But I looked at the slides and what was covered. It sounds like it was just an awesome day.

[00:23:19] Ryan Cloutier: It was really good. I think a lot of good discussion. Um it was we had some non operations or non analysts that sat in just to kind of understand more what we do and it’s funny I think we all take for granted, but it’s just a second language to us, right? It’s just native and I got feedback that it’s like it blew my mind like I didn’t understand half of what was being said, you guys are just like bantering around like it’s this is just normal stuff and so yeah it was really good. It was, it was fun to see, you know, the more consulting with the governance and the assessments and BC. So and then in text services and you know, it’s always good to get those guys, both teams really, you know tied together working together and there’s so much good that both can give to each other,

[00:24:19] Evan Francen: you know the collaboration, it’s like my favorite. Yeah. Were you

[00:24:22] Brad Nigh: in on that? I was not but I will definitely the next one that comes up,

[00:24:29] Ryan Cloutier: we’re so we’re going to start doing this quarterly okay when everybody’s in we’re gonna do much and learn and

[00:24:36] Evan Francen: just get people, there’s leftovers in the fridge too by the way.

[00:24:39] Brad Nigh: Well I think friday friday, we were down at uh no thursday, we were down at the Minnesota school board association conference uh that was really great, you got to take Justin with you were speaking there. Yes, yeah, yep. Uh did a series for the folks on cybersecurity is a life skill and really talk to the school board about what they need to do to empower their I. T. Folk um to bring in services and outside expert help trainings, you know that type of stuff. So a lot of fun, I love, I love preaching, you know that would be a stage and I’ll

[00:25:14] Evan Francen: distract and Justin Justin was like Jack because I saw him at christmas party Uh and he was saying how, I mean you were there for another 40, minutes afterwards answering questions. People were cutting, there’s a line of people coming up to talk to you.

[00:25:30] Brad Nigh: Yeah the Q. And a piece is probably my favorite piece. Well, I like to give the presentation at much rather just hear from the individual. What are you concerned about? How can I help you get over it?

[00:25:41] Ryan Cloutier: So we had to really bad storm friday into saturday friday night. They were, that’s what it

[00:25:48] Evan Francen: was. It was great. Yeah.

[00:25:51] Ryan Cloutier: So they, my son’s elementary school is going to show the documentary like, Uh, have you heard of this? It’s like social media and kids and stuff. So it’s gonna show up to the parents 45 minutes and I see you’ve met with the principal. Um, and she emailed me on monday, is it? I’d really like it if you could make it just as a building answer questions and interact and bake up canceled but never schedule that here. I think in a couple of weeks. So I’ll be able to do that. That would be fun to answer questions for parents who are now like completely freaked out after watching the

[00:26:30] Brad Nigh: give them the old digital birds and bees talk.

[00:26:33] Ryan Cloutier: Right? It’s pretty, pretty much what it is.

[00:26:36] Evan Francen: So another thing that happened last week was that we announced we opened the registration in house, the CIA SSP metro program. Now I don’t want to talk too much about it. It’s part coming up later too. But We had over 400 registrations in the 1st 24 hours

[00:26:55] Ryan Cloutier: The on site filled up in under two hours.

[00:26:58] Brad Nigh: That’s awesome.

[00:26:59] Ryan Cloutier: That’s unreal. We doubled the amount we could have, we had from last year?

[00:27:03] Evan Francen: That’s cool. We’re gonna talk more about that. All right. Well, lots of things, man. I mean, we’re all, You talk about going 100 mph when we’re all doing that all the time, which is kind of cool. But it also gets tiring. Um, lots to look forward to. Love being back. Love you guys. It’s awesome being here. It’s uh, means a lot to me. Last week I had to run halfway through the show. I had to take off because I had another meeting. We were talking about the tensions between the United States and Iran and how it affects us all. Uh, there’s this talk of the cyber war between us and uh, but I just want to close the loop. I don’t know what I missed in the last half of that show. There are some new kind of developments, but not really nothing earth shattering. It’s still the same old, same old. Right. Don’t be collateral damage in your own self up. I think you’ll be okay. Did I miss anything in the last part of that show? No, I don’t listen to the shows. You know, you know that. Right? I can’t stand listening to myself. I hate it. Yeah, I’m with you. What, listening to myself. Watching myself stick needles in my eyes.

[00:28:13] Brad Nigh: It’s not so

[00:28:14] Evan Francen: bad for the last half of the show. Things were, Do we discuss anything else about the,

[00:28:20] Ryan Cloutier: I think it’s. Yeah, pretty much uh

[00:28:25] Brad Nigh: I think what we what we talked more about and you know, well well I do listen to the show. Memory is not always my bestest friend. Um One of the yeah I’m so excited. I think it’s more about the end user now, the end consumer small business home user, they’re going to have more actions and activities so as well as ECE and C. I. S. A. And those organizations continue to put out these urgent releases, the Citrix flaw for example. Right? Uh We don’t know the whole story behind that. What we do know is that a hacker gained access to a machine or as I like to refer to them cybercriminals uh and then set up persistence and then patched so that others could not use the same flaw to access the machine. And I think it’s just the rate at which the patches are going to come out

[00:29:21] Evan Francen: what they call that. Not Robin, not robert, I think that’s what you have a name that uh fire I gave it was not Robin this this attack.

[00:29:29] Brad Nigh: Yeah. So you know that’s I think that we’re going to see more patching happening and I think the activities with Iran are going to help raise awareness at the lower levels of business and and just the the end consumer

[00:29:43] Ryan Cloutier: really it’s an opportunity for the small businesses that maybe we’re having trouble getting buy in to now say, hey, right, well, here’s why we need to do this, right? We we may make this one widget for this one piece, but guess what? We’re part of that supply chain, we are now a target. Mhm.

[00:30:04] Brad Nigh: Yeah. And I think the local government is going to be a little more urgent this year to address some of the stuff that hasn’t been addressed just with the wave of ransomware. And you know, I think even you had mentioned on the last podcast about the nuisance attack aspect of it, where, you know, we’re not going to go toe to toe, it isn’t gonna be an outright at battleground. It’s going to be that subversive guerilla style and it’s going to be tipping over cities and tipping over public institutions, business disruption.

[00:30:36] Evan Francen: Yeah. I wonder, um, I just wonder if there’s something in it for Iran to partner with some of the criminal organizations, you know, to, because strategically its strategic and there’s also a monetary gain for them, especially with the sanctions and everything else. And I know it would take it would take a pretty big effort for them to raise the billions of dollars they need, but that’s a trillion dollar industry anyway.

[00:31:06] Brad Nigh: We’ve seen that pattern already in north Korea and Russia china, we’ve seen state sponsored hackers outsourced for financial gain. Yeah,

[00:31:17] Evan Francen: I believe very

[00:31:19] Brad Nigh: much that that could happen.

[00:31:20] Evan Francen: I it’s

[00:31:21] Brad Nigh: already happening,

[00:31:22] Evan Francen: right? And it’s a way around the sanctions, right? I mean, their their economy is in tatters right now. And I know that people get really creative when they’re forced, you know, to solve the problem. Yeah.

[00:31:38] Ryan Cloutier: Yeah. It’ll be interesting to see. I think it’s gonna be a while before we actually truly understand it too. It’s not like next week we’re gonna be like, oh, well now we know months years.

[00:31:48] Brad Nigh: Right. Well, you and I have talked about that Brad as well is that we think are prediction for 2020 is more set up and and persistent watch a lot of monitor a lot of foot hole, you know, getting getting footholds in the in the environment and then waiting and saving that access for something maybe bigger later.

[00:32:07] Ryan Cloutier: Or they can just find open buckets on well on amazon you can

[00:32:11] Brad Nigh: Always do that when looking check S three.

[00:32:15] Evan Francen: All right, well, good. So the I did I did just highlight, you know, four News Articles in the Show Notes. Nothing, nothing Earth shattering, nothing. All that new. Just reiterating a lot of the same things we really talked about. So remember, as of the world will not likely end today. And I say likely there’s always a chance, I suppose that it could So get right, I suppose, but we need we do need to stay vigilant, complacency, ignorance, but those will come with consequences. They they always do. It may not be immediate, but it happens. It’s going to happen. So if you’re sitting on your hands, not taking care of the basics, not taking care of information street and not taking the time to learn it, it’s gonna catch up guaranteed switching gears. Hey, one other thing I want to talk about two, you have a new podcast that you’re going to be kicking off. You got any news for us on that

[00:33:13] Brad Nigh: soon? Uh yeah, I’m gonna be doing a K 12 focused cybersecurity podcast. So it’s gonna be a little bit different from this one. Um, it is going to be more geared towards The K- 12, you know, audience, um, technical and non technical and really going to focus on actions and deliverables of the day. So for example, I’m still toying with what the first episode is going to be, but it’ll be things like how do you do asset management? What are the tools, what are the techniques, what does that look like? So very similar to, I think some of the work we’re going to be doing in the book, but in more of a conversational format with different guests from across the security as well as the K 12 and government industries getting their first hand take on what are the challenges? What are their struggles, you know, what can we do as security professionals to change how we’re approaching the problem and what we’re bringing to the table to make it more accessible, more palatable. So that’s uh, someone really stoked about and more to come as I finish forming my thoughts but ideally that’ll be starting up here in just a couple of weeks. You say it’s

[00:34:23] Ryan Cloutier: gonna be more short form

[00:34:24] Brad Nigh: short hits. Yeah, you’re thinking probably around a half an hour mark, you know, just something sweet short to the point that they can get on their lunch break or on the drive in kind of jack them up for the day and get him get him to

[00:34:39] Ryan Cloutier: finish this one.

[00:34:40] Evan Francen: Yeah, exactly. Excuse me. All right, So good. I look forward tomorrow on that. It’ll be fun. You’ll be the host, it’ll be K. through 12 focused, awesome. We have a name yet you’re thinking?

[00:34:53] Brad Nigh: I don’t yet, I’ve got some on a short list but maybe I’ll bounce that around with you this afternoon. Cool cool.

[00:35:01] Evan Francen: All right. So switching gears again because that’s what we do around here. I want to talk about our mission. You know we talk about it we we refer to it often and I’m not sure listeners may not even know what our mission is. So it’s something for us to talk about here and then we can talk about the C. I. S. T. Mentor program and how that fits into the mission. So open discussion. Uh what is the mission and what does it mean to you guys? So when you hear about the mission it’s to fix the broken security industry right? The information security industry, what does that mean to you guys?

[00:35:40] Ryan Cloutier: I think Well you say just talking the same language, right? Getting the fundamentals in place and kind of helping fix some of this money grab that we’re seeing where everybody’s just going out and spending money on blinky lights and they don’t know what they should be protecting or where their things are, where they should be installing, you know, the latest machine learning ai next Gin solution. All right. So I think it’s getting people to understand the fundamentals and just be able to to talk to each other and understand what everyone what the other people are saying.

[00:36:19] Brad Nigh: Uh for me it is everything that brad said, but it’s also helping the people to understand the digital life component here. That’s why you’ll hear me really push the whole life skills angle, I believe that we have adopted technology into our most intimate parts of life yet we’ve done so without any structure or any uh boundaries of what is good and healthy use of this technology, you know, what’s appropriate, what’s inappropriate. We’ve barely scratched the surface on that. And so for me, part of fixing the broken industry is helping the community at large to become more security aware, to help put pressure on the security industry to nothing motivates like commerce. And so if they start using their vote in their wallet. So the end consumer to demand cleaner, easier to understand, simpler to use solutions. Um, and and that they can start to know the right questions to ask, to hold the vendors they do business with accountable. Um That’s a that’s a big part of it for me, you know, being involved with it.

[00:37:31] Evan Francen: Yeah, and I yes, sir, I mean, in my opinion, because they’re all 100% uh and I just like to think of it as it’s always doing the right thing

[00:37:41] Brad Nigh: for the right reason

[00:37:43] Evan Francen: with people well, and just and that’s just the right thing, right? I mean, people, the right reason that fits into doing the right thing if it’s not. And so the right thing is, you know, it is about people, it’s always about people. Information security is about people. And so one of the things that makes us such a personal thing for me is there’s the thing that I hate in this world is people taking advantage of other people and there are so many ways that that happens, and it’s not just the information security industry could apply this to just about any industry, but when an attacker steals money from somebody that pisses me off, when a vendor sells something to somebody that they don’t need, that pisses me off, it’s taking advantage of people. And so from that perspective, and that’s why I have rules, right. The one rule, if you ever sell a customer something, they don’t need a running over with my truck. I’m serious. That pisses me, I do not want to take advantage of people. You know, we’re here to help people here to care about people to love people to, you know, give them foundational components, things that they can build on. And if you already got the foundation, then let’s go talk blinky lights. If you’ve got asset management figured out, you’ve got governance figured, I got roles and responsibilities figured I got access control, figured out. You got all these fundamental things figured out. Well then, yeah, let’s do something. Let’s cool funky stuff, you know? But you’re going out and buying the blinky lights when you have no idea what you’re even protecting. That’s insane. Right? And so I get pissed off because I wonder who’s worse some days if it’s the Attackers or if it’s the vendors take advantage of. Hard to tell the difference. Sometimes it is taking money is taking money, right? Because every dollar you take from a company is a daughter. They can’t spend the

[00:39:29] Ryan Cloutier: weird heard of uh, a MSP. That was one of our clients that were The defender didn’t have their own 365 and didn’t have methane installed. And so they were working with their vendor and they’re like, oh, well we can upgrade you to the this version to get um, F a wait a minute. Didn’t dug in and there, you had it, but there MSP or whoever was selling on their licensing was going to upgrade under the next here just to get M. F. A. Like you know you have it already, you’re going to turn it on. You need to like there’s just check box what

[00:40:09] Brad Nigh: you want to do is click on it.

[00:40:11] Ryan Cloutier: But those types of things that’s infuriating like that.

[00:40:16] Brad Nigh: Well that greatly it’s gross. The word that comes to my mind is gross. It’s just pick

[00:40:21] Evan Francen: totally. And so yeah because I’ve had people argue with me. Well the information security industry is not broken and I say how So they said well the industry is thriving. There’s millions and millions and billions and whatever dollars being made. But that’s the reason. Yeah. You know we still talk about the same things over and over and over again. You still read everywhere. People are using poor passwords. People aren’t turning on multifactor authentication, people aren’t doing this stuff

[00:40:46] Ryan Cloutier: right. Yeah. The buckets are not being open to the public driver’s

[00:40:51] Brad Nigh: licenses, Personal

[00:40:53] Ryan Cloutier: information, simple things that are not sexy, right? It’s

[00:40:58] Brad Nigh: well what’s sad is, you know, there was just a couple more that happened over the weekend. Right? If you don’t have reach fatigue going google and check them out and if you do have breached fatigue, I’m sorry. Um just don’t get breached complacency. Exactly right. But I think there’s there’s just so much of it is so prevalent and people don’t know what to do. They don’t know what deter even though we’ve told them a million times about MFA. I was trying to teach my father and his sister over the weekend how to use their smartphones and another relative of ours who’s an I. T. Guy tried and failed because he said just go to the settings and then just do this and just do that. Then they glazed over and they went, what’s the settings? Right? I don’t want to what it doesn’t say settings. It’s pictures. That’s

[00:41:50] Evan Francen: why that’s why I love what we’re doing to about meeting people where they’re at right? We’re working right now on the level zero. Uh you know, as to school right? It’s an assessment for schools that level zero, it’s the basic of the basics. And if you can’t answer those questions, you know, will help you get there. But There’s no sense of going with the full S. two or big Asked assessment with 687 questions When you don’t do these 74, right?

[00:42:20] Ryan Cloutier: Yeah. Well I think that’s a big issue with the industry is I think a lot of people in security and it talked over the normal people

[00:42:32] Brad Nigh: well it’s just all or nothing approach, you know like risk elimination has to be. Exactly. And we know that’s not feasible and I’ve run into many a security hole who firmly believes that it’s you know, well they’re not doing this and this and this and this then if something happens is their fault. Well wait a second. What did you do to help get them to what I like to call the start line and that’s what that level zero is all about. It’s about are you you know, we’re going to run this marathon. Are you at the start line or are you still half a mile away from the start line of the marathon? Doesn’t start until you get to the start line?

[00:43:10] Evan Francen: Yeah, that’s what I love about our approach. I love the fact that these people sitting in this room right now doing this podcast are all bought in on this mission because at the end of the day we do love people and we do understand it’s all about people and we won’t take advantage of people. We will meet them where there at we’ll do whatever it takes and that’s what the mission is, Right? That’s why it’s so damn important because I don’t give a crap about your blinky lights. If you keep clicking on links, right? Yeah. You know, I don’t just don’t care if you’re not backing up your

[00:43:41] Ryan Cloutier: data. I have the latest tool that if they click on the link, it’s okay because it’s sandboxes it so that it doesn’t matter. It will back

[00:43:49] Brad Nigh: us all the all the storage solutions being sold right now. It’s being ransomware proof. This

[00:43:55] Evan Francen: is the reason why I left. That’s a big reason why I left, you know the hacking piece of things, right? Because that wasn’t the problem. Yes, that is a problem. But the bigger problem is people, right? And so I spend all my time today, like you do like you do working on the people part of security. What? It’s a new angle. What’s a new way I can communicate this. So it’s a new way that I can figure out how to meet people where they’re at what and it’s not sexy. Right? Your your tweets about policy or whatever the hell you’re writing about are not going to get retweeted a billion times because it’s not sexy, right? You know, a lot of times people don’t even care. But the thing is what these guys do every day and I’m pointing to their technical services team, they find an exploit, you go fix it. It’s broken 66 weeks from now because you don’t have the process of the people right? To keep it the way it’s supposed to be. So, it’s just, it’s just that’s the thing. Anyway, I get kind of fired up about that because well, I mean, damn. So what we do want our lives to Right?

[00:45:01] Ryan Cloutier: Right? Yeah, I’m with you.

[00:45:04] Evan Francen: All right. So, uh, on that point, the CSP mentor program registration we mentioned it’s open what it is. Uh, We started in 2010. We had six students and it was and we had three employees. So we have more students. We’re about ready to have more students than we had employees than now to last year. But we have three employees and we wanted to start this thing because one of the things is broken in our industries, we don’t have enough people practicing the fundamentals, we don’t have enough people to fill the open seats, You know that we have in the industry. So we started with six students in 2010. It’s grown, grown, grown, you’ve been helping me with it the last what, three years this

[00:45:46] Ryan Cloutier: will be your for.

[00:45:47] Evan Francen: Yeah. And I think pretty soon I’ll just hand it off to you know now because Ryan is going to help this year too.

[00:45:53] Brad Nigh: I’m looking forward to it. But uhh I just dusted off the CBK the other day

[00:45:58] Evan Francen: because uh it

[00:46:01] Ryan Cloutier: is exotic. It’s a good, good check of uh yeah, I haven’t thought of that since such a task to

[00:46:06] Evan Francen: build up Angela right, we’re gonna read that again. But you know last year we had 530 students this year we had over 400 sign

[00:46:15] Ryan Cloutier: already. I don’t even know what the latest number is.

[00:46:18] Evan Francen: We only announced it once. Right? We haven’t done any marketing around it, which is super, super cool. Right? Because it’s 100% free. It will always be free. I can’t even tell you how many times people have wanted me to charge for it. You know, our own sales team, you know, vice presidents that work here, We just heard $500 apiece for it. I mean there’s still no, we will never charge for this. Not as long as I’m in charge.

[00:46:45] Ryan Cloutier: Yeah it’s definitely upset some people and not here but that do charge,

[00:46:51] Evan Francen: right? I love it. I do too because it serves a need and it’s a way of giving back. I know this industry has been very very good to me. You know I’ve made a good living being a security person, I will retire being a security person. Um And it goes back to our belief to that if I focus on the mission you’ll make money, be focused on the money. You’re never gonna make the mission. Yeah. Right. And so we don’t need to make money here. We have made if you somehow able to take what we’ve done with the CSP metro program and track that back to the money we’ve made from it. That’s not the think of the people that have come through that program that have become friends of ours that have become advocates of ours that have become employees of ours. I mean you look at like Megan as one example who leads are you know leads, R. B. C. S. And P. C. Self practice. Yeah she’s freaking not awesome. Well I mean it’s like okay I would I would have done 10 years of CSP mental program for that.

[00:47:55] Ryan Cloutier: And yeah for me it’s it’s exactly that is being able to be a you know a resource and a mentor for those people trying to get in that, you know, honestly I didn’t have, I would have loved to have had somebody like you Evan or something as I was trying to break in and it just, it wasn’t a thing, right, it was just tough to do that. It was either, you know, your military or a hacker and that’s kind of, you know, where you got that in and it’s not the case anymore, so just being able to help other people get into it and learn from my experience is that they don’t, it doesn’t take them as long and you know, kind of not having to go through some of the the issues are struggles that we all had to go through to get in. Okay,

[00:48:43] Evan Francen: well there must be a big demand for it. I mean the fact that’s that many people have signed up that quickly, they must be looking for free training. Well, I mean you’re looking for free mentorship.

[00:48:53] Brad Nigh: Absolutely. It’s growing, it’s it’s uh I know I sent the link onto my partnership in alexandria Technical College actually, this friday, I’ll be up there giving three separate talks, I’m gonna be talking to the high school intranet working class, which is a feeder program to the college, I’m talking to the college and I’m talking to the alexandria area. Sure, the human resources association about what does it mean to onboard these kids that come out of college as security professionals was that, you know, and I know a couple of those kids signed up to take the mentorship

[00:49:30] Ryan Cloutier: program. You know, actually had a, I spoke last year at my local high schools and the teacher reached out and said, um, hey, I, two students that I think would be interested, is this gonna be too much for him? Like, well yes, but no do it right. There’s gonna be a lot of stuff that they’re going to be like, I don’t understand what this is

[00:49:52] Brad Nigh: to learn to swim. You got to get in the pool and get by the way Evan

[00:49:55] Ryan Cloutier: uh, as a 15 seconds ago we are ahead of last year’s registration where 541 ft already

[00:50:01] Brad Nigh: awesome. Less than a week

[00:50:03] Evan Francen: hasn’t been a week and

[00:50:04] Ryan Cloutier: no anyway. But yeah, you’re starting to see, you know, more and more people understand, Hey, I can, yeah. And I’ve had people ask, well I don’t want to get into security is it? I just want to understand it like business from a business perspective. Yeah. Do it. Do you have to read the book and take the test now if you guys, it will, it will change how you think, just listening and hearing the concepts and all that. Um, I think the other thing that people get maybe get a little bit confused of, it’s not, hey just do this and you’re ready to go, right. This is a part of it. We’re going to give you the high level here that here’s where you need to focus but it’s it’s not like oh I took the class and so I’m ready to take the test. You know? And I think any of those boot camps or anything that promise you that are

[00:50:59] Brad Nigh: 100% guarantee that

[00:51:02] Ryan Cloutier: pass, you still have to do the work, you still have to understand and study and memorize stuff.

[00:51:11] Evan Francen: one passing and passing the test. So passing the test isn’t the point. The point is and the C. I. S. S. P. And information. Uh The thing I like about the C. S. Sp is it gives you the broad spectrum of what security looks like so you can fit it in its proper perspective. I think that one of the easiest ways to tell a it’s not very good. See so uh is but by their inability to put risk into context so they may get myopic on one specific risk. And this is like the most important thing, we gotta fix this from put all our resources to fix this. But then when you put it in perspective with the rest of the security program, it’s not that big a deal. You know? And I’ve seen this happen over and over and over again, like Most recent one was uh people had the name of the company and a picture of the person on their access patch, right? And somehow this became the biggest risk of all time in this company. And so I sat down with the sea. So, and I said, well let’s, let’s talk about this, right? What’s risk? He’s like, well, it’s, you know what it is, this define it, likelihood and impact. So what would be the threat? Right? The threat would be that somebody would find my card and come and take it break into my building with this card. Right, okay. What’s the likelihood of that happening? You know? Well I live in a low crime area. It’s an, it can speak of him, you know what, when you really talk through it, you find out that the likelihood of this happening is next to nothing. Right? And what would the impact be? Because everything you have is in a data center. It’s not here anyway. Right? So somebody have to roam around and really have to surveil and you know, and you have to be really, really targeted for this to become a real thing and you’re about ready to spend a couple $100,000 to re badge everybody in your company for this. Right. Well, and I think maybe there’s going to spend

[00:53:06] Ryan Cloutier: some go back to people fishing training factor asset

[00:53:11] Brad Nigh: management, get some duo token sweated on that.

[00:53:14] Ryan Cloutier: But if you train your staff, hey, my car got stolen. Exactly. You said it, it goes back to the people and training and like those fundamentals, hey, you know what house got broken into and I can’t find my card when

[00:53:28] Evan Francen: you fit that disabled exactly. And you fit that into the likelihood to write, even if even if I’m not trained to report it, I’m going to go to work on monday. It’s not gonna work and I can’t get into the building. Right? So I’m gonna have to get a new badge. Why are you getting a new badge?

[00:53:42] Brad Nigh: Right well and yeah, I think the theme there is invest in processing over, um, you know, swat swapping the badges, right? What’s that really to your point? What’s really going to accomplish? And if they just spent, I don’t know, just even a couple of grand of that spent on some process improvement around how they track those batches and how they can activate those badges.

[00:54:07] Evan Francen: You find that that’s not, but that’s the thing I love about the CSP mentor program is the fact that you can talk about security the way it’s actually built right? It’s like putting together big jigsaw puzzle. Every puzzle piece fits together with another puzzle piece. And once you understand how it works, it’s really easy to identify when you got the wrong puzzle piece. You got a broken puzzle piece, you’re missing a puzzle piece altogether. So it’s a great, it’s been a lot of fun for me uh, in it as a, as an instructor, uh, with you and excited about this year with you, Ryan, the, uh, the people you get to meet and then you get those emails from people that say, hey, I took my exam when I passed it or can you endorse me stuff like that? Makes it all super worth it. Plus plus whenever we teach the basics, the fundamentals, makes it more part of my own practice. Yeah, I mean I’ve become a better security person every time.

[00:55:08] Ryan Cloutier: Absolutely. Because yeah, there’s parts that you just don’t do on a daily basis that you like. Yeah, you know,

[00:55:18] Evan Francen: I forgot about that.

[00:55:19] Ryan Cloutier: Right? It’s so good.

[00:55:22] Evan Francen: You haven’t something I did for a while and every time I get to that CBK do some nothing again next month due to the expense to

[00:55:31] Brad Nigh: osc. Osc layers. That was, that was the kicker for me.

[00:55:34] Evan Francen: Yeah,

[00:55:36] Ryan Cloutier: yeah, yeah. I did encryption

[00:55:38] Evan Francen: when I never learned to see through the, where they call it. Uh, we make the letters mean something like the sausage pizza

[00:55:47] Brad Nigh: thing. Yeah,

[00:55:49] Evan Francen: What do they call that Pneumonic.

[00:55:51] Brad Nigh: Okay.

[00:55:53] Evan Francen: I never learned it that way. I learned it the hard way because I wasn’t that creative back then. So I’ve always remembered application presentation, session, transport network. Do you link physical? I just know it the hard way, but whatever it is what it is. All right. So things are also about the CSB open to anybody. I don’t care how you have zero experience. You can’t, you don’t even have to know how to spell security.

[00:56:18] Ryan Cloutier: Right. Well income. What’s great is, yeah, buying the book if you’re going to take the test. Yeah absolutely. You should get the book and really study if you’re just starting and wondering is this worth it? Is this something I want to get into? There’s no investment for you? You’re gonna get enough understanding out of the material in the slides and the classes that okay. Yeah. This is something I want to do now. Go by the book.

[00:56:45] Evan Francen: Yeah we’ll teach you everything you need to know to pass the C. I. S. P. Will also teach you all the things that you can forget about afterwards. Right? There’s a lot of traffic much the theory is good but there’s a lot of you know Bella Padula orange book, read

[00:56:59] Ryan Cloutier: book and it’s a lot of you don’t need to talk

[00:57:01] Brad Nigh: about that right? We don’t use

[00:57:05] Evan Francen: that. That theory was honestly. Yeah

[00:57:08] Ryan Cloutier: that’s how we got to where we’re at.

[00:57:09] Evan Francen: Yeah. So if you don’t know where to find it uh you can just google fr secure C. I. S. S. P. Mentor program. You will find it, registration is open. We’re gonna close it at 1000 and I guess we’re already over 5 40 hasn’t been a week yet. The class starts in april We’ll run seven weeks 14 classes maybe eight weeks

[00:57:30] Ryan Cloutier: something like that

[00:57:31] Evan Francen: with a couple of breaks in there. If you get tired of listening to me talk brad will also fill in and I’m tired of listening to me and brad talk Ryan is going to be there this year. And science

[00:57:41] Ryan Cloutier: can we make Ryan to encryption because that’s the worst.

[00:57:44] Brad Nigh: No, you should wait no, no no

[00:57:47] Ryan Cloutier: security state. He’s going to do the Yeah. Yeah. Yeah.

[00:57:52] Brad Nigh: Alright.

[00:57:52] Evan Francen: Alright.

[00:57:54] Ryan Cloutier: Yeah. Yeah.

[00:57:56] Evan Francen: Yeah.

[00:57:58] Ryan Cloutier: Yeah. Alright. Yeah. We’re doing

[00:58:00] Brad Nigh: okay. You guys give me the ones you don’t want today. Well I will try to make it a little bit.

[00:58:06] Ryan Cloutier: That’s the one I think last year I was like, I’m so sorry. Two hours a day of classes like

[00:58:12] Brad Nigh: welcome to the pain session.

[00:58:14] Evan Francen: All right. So we got some news but we’re coming up towards the end of the show the news articles. If you want to see them are on Evan You can check out the show notes for episode 63 and find those. I have four things. One is hacker leaks, passwords and more than 500,000 servers, routers and IOT devices. Yeah hacker yeah, insecurity uh, Windows server vulnerabilities disclosed by NSA. Don’t wait the patch this that was all the news last week. Always patch right. And

[00:58:47] Ryan Cloutier: Patch 99% sure. This is what we’re seeing in that IRQ three last year where we were seeing signed processes from Windows

[00:58:58] Brad Nigh: with

[00:59:00] Ryan Cloutier: weird dates doing things they shouldn’t.

[00:59:02] Evan Francen: Yes, that’s a crypt 32 Dll. We saw that first ourselves in the

[00:59:06] Ryan Cloutier: wild in august september and we could not figure out what in the world was going on

[00:59:13] Evan Francen: in an incident response and it got so bad that the client was calling us out like you’re just making stuff up because nobody ever seen it before. Right? And our team was like, no, we’re not, we can’t

[00:59:26] Ryan Cloutier: see should not be doing launching power shell that makes calls to a no malicious ip right? We don’t know how it’s doing. It cannot track and can’t catch it in the act. But

[00:59:37] Evan Francen: yeah, we recorded that too, didn’t we?

[00:59:39] Ryan Cloutier: We had multiple first in multiple artifacts that had never been seen that we reported and then she started showing up

[00:59:48] Evan Francen: because it got expensive because they’re trying to fight a fire that we haven’t seen before and they weren’t being very longer right? It’s easier reading and google something say, oh that’s what it is and you know, take remediation steps and mitigation, whatever. But here it was stuff you know, so it took longer deeper forensics and he got to the planning,

[01:00:08] Ryan Cloutier: customer memory

[01:00:09] Evan Francen: analysis and the customers like no, this this is all you’re just trying to make more money

[01:00:16] Ryan Cloutier: off. It didn’t help that they had not had a rule in place is basically in any any that didn’t log what was actually happening so fantastic. And their guest wifi was open to their internal

[01:00:25] Evan Francen: oh well, I mean

[01:00:27] Ryan Cloutier: that was open and held up unencrypted was open to the internet, you

[01:00:30] Evan Francen: know that

[01:00:32] Brad Nigh: uh maybe they just want to make it convenient for

[01:00:35] Evan Francen: folks.

[01:00:37] Ryan Cloutier: So

[01:00:38] Evan Francen: in this article it’s network world. The title of the article is Windows server vulnerability disclosed by NSA don’t wait to patch. So just because it was disclosed by the N. S. A. Last week does not mean it’s new uh S. A. Does sit on things and they did sit on this one. They sat on it gave Microsoft plenty of time to issue a patch, which you know, it’s the right thing to do. I think. Um I’m wondering it’s been around for a long time. It has to be some

[01:01:04] Ryan Cloutier: 20. It has to be, you know, because we were seeing artifacts of uh we looked like where ultra polls are too. So, so it had to have been part of the N. S. A toolkit that had been leaked. And that’s

[01:01:15] Evan Francen: I

[01:01:16] Brad Nigh: bet that’s what it was. A little turtle blue still floating around out

[01:01:20] Evan Francen: there. Yeah. All right. So patch that’s the that’s the key and that you should always be patching. If you don’t have a patch management program, well, start with asset management, know that you have systems that need to be patched and then you should go ahead and pass them and that’s not vulnerability management either vulnerability management also has to take into account configurations. So correct. Just basic stuff again, Citric. Citric. Yeah. Abc vulnerability like what what would the name they gave it? Some of the Attackers give it shit tricks.

[01:01:56] Brad Nigh: Yes, I saw that hashtag

[01:01:58] Evan Francen: alright. So critical abc vulnerability exploited in the wild there are exploits it is happening

[01:02:05] Ryan Cloutier: with the I. R. S. Active that were this

[01:02:08] Evan Francen: to I. R. S. Active right now dealing with this exploit. So if you’re if you’re running Citrix um yeah

[01:02:18] Brad Nigh: you

[01:02:20] Ryan Cloutier: can’t the patches haven’t been released yet. I thought they just

[01:02:23] Brad Nigh: they just dropped it. Well

[01:02:25] Ryan Cloutier: Not for everything you’re right. So there’s some today some next week and now they’re saying some on the 31st depending on the model. So it’s it’s almost if you can patch patch there’s some manual remediation. However there’s questions on how effective the manual remediation is for all the models affected. So good

[01:02:43] Evan Francen: luck. Yeah so that’s the shit

[01:02:46] Ryan Cloutier: tricks. Yeah somebody was saying that they basically so I can’t remember who it was what the government would say basically if you’re if you had these shut them down until it’s patched. Like and that was on the 13th two weeks up to two weeks with just your down. You cannot have it open.

[01:03:05] Evan Francen: So this is impacting the Citrix application delivery controller formerly known as the nets killer. NBC. Uh Citrix Gateway.

[01:03:15] Ryan Cloutier: Yeah it’s nuts. You can you can inject code into the U. R. L. For the Xml file and it will execute the code in the file name. So you just make the code in the bombing and it will execute it

[01:03:29] Evan Francen: so on on the on the on the blog, on the show notes. We’ve got nuts the news and we’ve also got uh you know, sands has been you know, the internet storm center has been tracking exploitation, I think at least they’re handled handlers diary, blog post from today, earlier this morning. Has some good information about where attacks are coming from. Mhm. Yeah. So maybe turn it off if you can’t remediated I guess.

[01:04:00] Ryan Cloutier: And the C. S. A. Does have a tool out there to check. So if you do the manual remediation, there’s a lot of steps, you should absolutely um run that tool and actually verify that it is effective.

[01:04:17] Evan Francen: And since then um and one of the other news articles is from Graham Cluley, where he’s the one that, well, he has in his title shit tricks um has quotes from fireeye fire, has evidence allegedly that Attackers are exploiting the vulnerability, closing the vulnerability, planting a back door so they can come back themselves but like everybody else out. And they’re calling that not Robin. Oh, my word, if you want to be about that too. So never ends. It’s good stuff. Uh huh. Last thing in the news, the N. I. S. T. Released National Institute of Standards and Technology released a new privacy framework 1.0. Uh And there’s more to read on that too, privacy is upset of security. So if you treat them as separate issues, you saw your old pearl,

[01:05:15] Brad Nigh: You can’t have one without the other.