Understanding the FISASCORE® Risk Assessment

Unsecurity Podcast

Brad and Evan discuss Evan’s writing trip, the next release of the FISASCORE® risk assessment, and current news topics like the American military, a flaw in Cisco routers, and Apple’s privacy evangelism.


Podcast Transcription:

[00:00:22] Evan Francen: Okay, here we go. Today is Monday, 21 January 2019, and this is episode 11 of the Unsecurity Podcast. My name is Evan Francen and joining me as always is Mr. Brad Nigh. Good morning, Brad.

[00:00:34] Brad Nigh: Good morning. How are you, in person?

[00:00:37] Evan Francen: I know, it’s our first time doing it in person. We’ll see how it works out. So it’s great to be back. Great to be back in balmy

[00:00:45] Brad Nigh: Minnesota, if by balmy you mean it is currently one degree with a wind chill of 17 below. God.

[00:00:51] Evan Francen: Alright. I’d rather be back in Cancun. Surprise. Yeah, but actually, no, it is good to be back. I’m excited to see you and see everybody else here. Um, yeah, it was good. It was a good two weeks away, but it’s good to be back. Today is my day to lead the show. Uh, how you doing this morning? It’s

[00:01:12] Brad Nigh: early. It is early, but you know, we’ll see how it goes and how much coffee has kicked in by the end of the show versus the beginning.

[00:01:20] Evan Francen: Yeah, I just filled up before

[00:01:22] Brad Nigh: we got started. Yeah.

[00:01:24] Evan Francen: So what’s new? What’s been going on since the last time we

[00:01:27] Brad Nigh: talked? Uh, I mentioned it briefly. I had very important stuff that happened this weekend. I cleared an ice rink on the little small lake behind the house so the kids could go ice skating. So I’ve officially adopted the Minnesota approach to things here, but it was fun. It was like 6° and I was clearing it and shoveling. So

[00:01:49] Evan Francen: yeah, that’s cool. And then you were saying earlier that a big crack went through the middle of the night after you cleared it all

[00:01:56] Brad Nigh: off. Yeah, we cleared it Saturday and went skating for like an hour, hour and a half, and then Sunday came out. It wasn’t huge, just maybe a quarter inch. It was big enough that your skate blade could totally get caught in it and it’s like, there goes an ankle. Yeah. So we just kind of took it a little bit easy, but oh well, it was fun.

[00:02:16] Evan Francen: I got back on, as you know, Saturday. Sunday I went out to go start the truck I park outside and yeah, it didn’t want to start. It finally did. But you know, two below compared to where I came from, where it was 72 or 80°, something like that. Uh, but whatever.

[00:02:35] Brad Nigh: The best part, you know what I’m looking forward to? Internally, it’s our quarterly all-hands meetings. We bring everyone in, and project manager Tyler, who lives down in Florida, is coming up. So he’ll be here all week and the highs are not supposed to get out of like the low teens. So just listening to him complain all week totally makes it worth it.

[00:02:54] Evan Francen: Yeah, it’ll be cool because I think this quarter, or this meeting, we’re gonna be talking about what 2018 looked like for FRSecure and SecurityStudio. So everybody’s here. It’ll be fun. I did look at the presentation that Renee and John and James put together and then we’ll be talking about, I think, pretty exciting, a lot of cool stuff.

[00:03:19] Brad Nigh: Yeah. It was fun to constantly be bombarded with requests. We wanted to look at this. Can you find that for us? Oh, right.

[00:03:29] Evan Francen: Well, so you’re always, like, super busy and I’ve been gone for a couple of weeks. I haven’t had a chance to really sit down and, you know, feel you out. But how have things been, really?

[00:03:41] Brad Nigh: It’s been good, recovering from it. When you do those trips, especially for work, it’s always very, it wears on you a little bit, right? Drive down, work all day and then drive back and then right back to it. You don’t really get a lot of downtime.

[00:03:57] Evan Francen: What you did last week? Did you have to go

[00:03:58] Brad Nigh: somewhere? Yeah, not last week. The 10th, the ninth and 10th, I drove down to Iowa for a, yeah, they said. But last week was recovering from, yeah, from that one. But you know, I don’t mind it because once you get in front of people and you’re talking and you get some interaction, it’s totally worth it. That’s cool.

[00:04:21] Evan Francen: Yeah, I know over the course of the last week we’ve sold a number of Unsecurity books, which is kind of cool. Yeah, I’m a little nervous to see what the feedback will be. You know, once people actually read them, you know, if they read them. I don’t know how many people actually read the books they buy. I know I’ve got up to 20 books on my bookshelf that I haven’t read yet, that I want to read. Maybe someday when I retire I’ll actually do that. Right. It was cool though. I sort of had a routine that I was getting into down in Cancun. There’s a mall called La Isla Mall. Okay. And there’s a Starbucks, right? And there’s a couple of chairs outside, it’s just really nice, you know, and it’s about 3/4 of a mile away. So I walk there in the morning. Uh, by the time they opened at 7:30 I was there, I was ready to start writing and I spent three, four or five hours writing and then walked back and that was kind of my routine, and then I’d do a little bit of work at night. Uh huh. So I got exercise too, for

[00:05:30] Brad Nigh: security. Yeah, that’s pretty impressive. I still think, who was telling me about it? Maybe somebody with your fancy ring, and like the first day you’re like halfway through the day, like, I have 800 steps, maybe I should wait on this.

[00:05:47] Evan Francen: Yeah, it was fun. But so here we are. It’s Monday morning and uh, you know, we’re starting the week off with the podcast. I mean, it’s 6:45 this morning and we’re recording this. We’re used to, this is episode 11 and already, so the first 10 episodes we did in evenings. Yeah, all of them except for one were Sunday evenings, right? So this is a whole change

[00:06:14] Brad Nigh: is totally changing at

[00:06:15] Evan Francen: all. And couple that with the fact that I was out the last two weeks. It’s like, I don’t even know where I’m at right now, but I don’t know, life as a security guy. Did you have a good weekend?

[00:06:28] Brad Nigh: Just kind of taking it easy.

[00:06:30] Evan Francen: Yeah. That’s good, you have to have some downtime. And that was one of the reasons we wanted to change from Sunday night recording, is it took away from family. You know, security people, there’s no shortage of work to do. No, I mean, I could easily work. I remember who I was talking to, but somebody was saying they worked 65 hours a week. Oh no, no, it was, all right, so I was taking the taxi back from the hotel to the airport in Cancun and this Mexican guy was telling me how much they make down there, you know, as a Mexican, not tourists. So it’s so segmented, you have the tourist area, which is called the hotel zone, and then you have like the rest of Cancun and they’re happy. A lot of those people down there that work down there are happy to make five bucks a day. That’s like minimum wage, it’s like five, six bucks a day. And so he was talking about how important tips are because a tourist might give a 5, 10, $20 tip for the taxi. Right? Right. And then, that like, if you make $50 a day, he said you’ve got everything taken care of well. And he has to work 65 hours a week to do that. We work, you know, and I was thinking, well, I work, as security people, we work a lot of hours, but I probably, you know, even me, I probably don’t average 65 hours.

[00:08:08] Brad Nigh: Yeah, it’s a lot. You feel it at that point.

[00:08:13] Evan Francen: Yeah. But it’s really important, I think, especially when you’re passionate about something, to keep yourself in check, you know, to ask your wife, am I working too many hours, and to back off a little bit.

[00:08:26] Brad Nigh: Yeah. Well, you know, when your kids give you a present and it’s addressed to the workaholic, maybe that’s why. Did you really? Yes, you

[00:08:34] Evan Francen: got a present addressed to the work

[00:08:36] Brad Nigh: ...aholic. They were totally giving me, they were giving me grief about it. But yeah, I was like, all right, well, I’m going to take some weekends and spend some time, so I went and did the ice rink and made sure we spent some time doing that. But they were giving me grief because Wednesdays are the one day I can come in early, because I have to take the kids to school the other days of the week, and so

[00:09:00] Evan Francen: yeah, that’s a stinger. I get that.

[00:09:02] Brad Nigh: I was like, okay, alright, wake-up

[00:09:05] Evan Francen: call. I was talking to somebody else too about how important it is in life to kind of keep things in balance, to really establish what your boundaries are. One of my boundaries is on Saturdays I don’t work. It’s just a day where I’m not gonna open my laptop unless there’s some emergency, some incident. I typically don’t work from like 6:30 until 8:30 every night. I’m gonna crack open the laptop at 8:30 for a little bit. Mhm. That is trying to find that work-life balance. Yeah, so my wife joined me down in Cancun the second week I was down there and, kind of what you’re saying, one of the things that she had said to me was sometimes I feel like a single mom. I was like, oh, that’s totally something I need to work on

[00:09:54] Brad Nigh: too. Yeah, it’s tough. Yeah, same way, like from the time I get home till the time the kids get in bed, I don’t, unless there’s an emergency or something. I might check my phone if there’s an email and make sure I hear it come through. But it’s not, right, that’s time for the kids, and when they go to bed then I’ll open it back up and yeah, it’s tough, you have to be careful because, you know, I get deep into something and it’s like midnight. I’m like, oh, shoot.

[00:10:21] Evan Francen: Right. Yeah, that’s a bummer. All right. So, uh, I was in Cancun. I made good progress on the second book.

[00:10:30] Brad Nigh: Good. Yeah. So we talked about it when you first got there, maybe those first couple of days. Was it easier this time after you kind of got into that rhythm?

[00:10:39] Evan Francen: Yeah, well, we started off right. You know, the first time I went down without

[00:10:43] Brad Nigh: power? You’re right.

[00:10:45] Evan Francen: So this time I had that part. Okay, uh, yeah, this one I think is a little bit easier for a couple of reasons. One, I’ve already written a book, and two, there’s a lot of inspiration behind this one. You know, I never showed you, I’ll show you a picture of my coffee club. Okay. That’s one group we talked about, Tom, a couple episodes ago. When I think about what would I tell them if I was sitting face to face with them about security, it makes it a lot easier to,

[00:11:20] Brad Nigh: I think so. If you can just, yeah, be passionate about it versus "this is what we need to do" and kind of what’s broken with the first one. This is more of a, it feels like more of a passion project from you.

[00:11:33] Evan Francen: Yeah, it is for sure. And then another thing is I think this is going to be, um, not controversial, but

[00:11:47] Brad Nigh: it’s gonna make some waves. It

[00:11:49] Evan Francen: is, because I think security people don’t see what normal people see as much, you know, obviously, so you have to think from a different perspective. I’ll give you an example. One of the things I wrote about in the book is just this cyber warfare, right, which I don’t want to be an alarmist and I don’t want to cause unnecessary fear, but you also have to be real. There is a war being fought and it’s not being fought with, like, your traditional tanks and people dying, right? Maybe there are people dying, but not that way. But you know, I think right now there’s positioning happening, there’s a lot of intelligence gathering that’s happening, there’s a lot of asset gathering that’s happening. And so, you know, one of the parts in the book I wrote about the importance of, you know, maybe civil defense. You know, we’ve had civil defense over the years and that’s why I go through kind of the history of what civil defense looks like in the United States, and how I think, if you were to predict what’s going to happen in the future, people will become victims, either collateral damage or their systems will become assets in this cyber war

[00:13:09] Brad Nigh: against the US.

[00:13:12] Evan Francen: And so, because what I’m trying to do there is just kind of paint a picture of reality, right? Every time you plug your computer into the internet, it’s become part of this war that’s happening, right? Or can easily become part of the war. Well, so I was writing that and I had seen a post from Tony Cole, who’s a person I really admire. He’s actually an endorser of the first book too, um, about cyberwar or something and how people will be targeted. Um, and then you saw comments from security people, like, in what way? Nobody’s going to be, you know, you’re just fear mongering and all this other stuff. And I’m like, yeah, it’s how you say it too,

[00:14:02] Brad Nigh: right? Right? Yeah, man. Yeah. Yeah. Because there is a very fine line there, avoiding that FUD, fear, uncertainty and doubt, versus, hey, this is something you just really need to be aware of.

[00:14:15] Evan Francen: Well, if I’ve got nothing to sell you. Yeah. You know, if I’m just trying to help you, yeah, maybe people should be a little bit more fearful. Maybe you do need to be a little bit more paranoid. Maybe you do need to think twice before you click on a link. I mean, it’s, yeah, I don’t know. So those are things that are challenges I’m kind of fighting through in the book. But it’s fun. Just

[00:14:45] Brad Nigh: maybe. I’ll be interested to see how the first one is received and then especially how the second one is after.

[00:14:51] Evan Francen: Yeah, yeah, I agree. I think the first one on Amazon, it was, I mean, I think the books have just now arrived at Amazon, so the site was already there to buy it, right? But then it said it’s like out of stock,

[00:15:08] Brad Nigh: currently unavailable, right? We’re sold out already.

[00:15:12] Evan Francen: So that’s changed. I don’t know, 5000 books are somewhere. Mhm. But I’ve got 47 days to finish this draft. Okay, that’s my own personally imposed deadline for this. With the first book I learned a lot from other authors, like one author said, you know, your first draft is crap. Just expect it to be crap. That’s what it’s supposed to be.

[00:15:41] Brad Nigh: It’s kind of, because I was talking to our marketing and it’s like, you know, the hardest part for me is I’ve got all these great ideas. I think you’re the same way, I could sit and talk for hours, I spent seven hours talking about security policies, right? Translating that into what somebody wants to read, that’s not my strength. It’s kind of this word vomit, just, well, here it is, just a stream of consciousness

[00:16:11] Evan Francen: and I think that’s where you start to put it on paper and then massage it later. I wrote a blog post yesterday for vendor risk management policy. So, what you’re saying, it’s not the most exciting topic to write about. Oh, but it was on my writing calendar. So yeah, I need this marketing

[00:16:32] Brad Nigh: people. I know, I know, look, they had one for me and I had time on my calendar last week to do it. And uh, I went and I was like, all right, what am I writing about? And I missed the deadline by like a week and a half, totally. I put the wrong date on the calendar. I looked at the calendar, at the thing, wrong. Oops, apologies. Maybe

[00:16:52] Evan Francen: whoever puts out those, who is it? Is it, um, Mackenzie? McKenzie now? Maybe if she just put them on the calendar

[00:17:00] Brad Nigh: for you? Yeah, yeah, I just totally looked at that wrong because I had multiple things to write and I just looked at it wrong. Okay. I was trying to be, I had time. Yeah, bad. I hate that.

[00:17:17] Evan Francen: Alright, so I got back in the office today and caught up on email. That’s kind of good. Today’s a busy day. Anything you’re jacked about? Just excited about? No,

[00:17:27] Brad Nigh: it’s been fun. I’ve been working on, you mentioned vendor risk management and kind of formalizing some of those processes around that, getting in. And I’ll be honest, having been working with the Vendefense stuff from, what’s that, September of ’17, October ’17, when we really got rolling on it, to where it’s at now, it’s really exciting. It really is. It’s fun to see and get in there and yeah, there’s still a lot of learning to do on everyone’s side, right? Because you and I have all these ideas, it’s like, oh, well, you just get rid of spreadsheets, you don’t have to remember to email people, you can do it, and the security people that have dealt with it are so excited. But then the non-security people that haven’t had to manage the back end, so we’ll have to classify, and "the vendors aren’t gonna answer this," like, no, no, the vendors are gonna be so happy to not be getting a 300-question spreadsheet that they have to try and decipher. It’s fun to kind of figure that out. And the questions that we’re getting from the customers are just really good,

[00:18:46] Evan Francen: challenging. While I was out, I was just catching up on email this morning, two questions from our support, from SecurityStudio support, about questions that customers had, and they were both classification or inherent risk questions. The first one was based on company size. So one of the things we built into the algorithm for classification is larger companies have a slightly higher risk than smaller companies if they’re a vendor, and they were asking why, what’s the logic behind that? And the logic is, ah, bigger companies, you know, bigger target, more known. Chances are more likely that a bigger vendor has more customers, so that also increases the exposure. It’s also more likely that a breach of a larger company will become more known in the marketplace, which then has a reputational risk impact. So it was cool to kind of explain the logic behind that. And then the second question was, uh, the industry. Okay, so the algorithm around classifying, around inherent risk, does take into account the industry. So one was in the finance industry, so NAICS code 52, which is top of mind right now

[00:20:14] Brad Nigh: because that’s a little, I saw, I just saw it. I couldn’t have a spreadsheet to keep track. I don’t like our own. Well

[00:20:21] Evan Francen: the other one was just classified as other, and they had the same answers to the inherent risk questions. Uh, but the finance one was a high impact or high risk and the other one was moderate. So the question was why, if they answered the same things? And so, great question. And the reason why is, you know, in the finance industry, typically you have either direct access to or indirect access to the thing that people

[00:20:56] Brad Nigh: want, right? So

[00:20:58] Evan Francen: that’s going to make the likelihood maybe slightly higher. It’s also such a heavily regulated industry that there’s this checkbox mentality in the financial services industry that will also sometimes detract from

[00:21:14] Brad Nigh: security. Yeah, yeah. We’ve seen that a lot. It’s like, well, just do it so we can say it’s done.

[00:21:20] Evan Francen: Yeah. So it was cool to have those questions because you want to be challenged when you’re, you know, when we’re designing a new solution, we want people to vet it. We don’t want people just to take our word for it, "they’re experts, they must know." No, no, no, no. Ask us, so you understand it better, and maybe we’re wrong.

[00:21:39] Brad Nigh: I had a really good one from a customer that integrated another third party through their software portal. Right? So, so what is it, physical or logical? Or is it a third party, you know, who should they be sending the questionnaires to, and who do they understand? It was good. And it’s like, I don’t know, that third party that you’re integrating, that’s, you need to send them a questionnaire even if your customers log into your portal but then interact directly with that third party. Because by you saying "here’s who you can interact with," you’re implicitly telling them, we’ve done our due diligence and we’re putting your information in this company, right? You need to know and make sure, and we need to tell your customers that, because your customers’ data is in that, even if they’re basically interacting directly with it. You don’t get in the middle too much. But it’s really, yeah, it’s been good. I’ve been really impressed with the questions that have come back from the customers.

[00:22:47] Evan Francen: Yeah, I agree. And so, yeah, last week we also put together, uh, a couple of FAQs. One I wrote, that I sent to you, which was around the FISASCORE R1 vs. R2, and then the other was, I think, some Vendefense stuff. But on both of those, you know, we make it really prominent: contact support. You know, if you have questions, let us know. We almost beg for it. It makes us better.

[00:23:17] Brad Nigh: Right? Right. It’s always been my approach, ask a question, right? Especially from, you know, coming up in IT or wherever, I’ve said it to my bosses: if I don’t know the answer or don’t know where to go to get the answer, then I’m not doing my job right. Ask, please challenge this. Yeah.

[00:23:39] Evan Francen: Yeah, so that’s cool. That’s a lot of fun. Uh, and I do want to take a minute before we get into news or other stuff, um, to thank everybody who’s been listening to the Unsecurity Podcast.

[00:23:51] Brad Nigh: That blows my mind to see those

[00:23:53] Evan Francen: numbers. Yeah, so it’s really fun. It’s grown from, I mean, this is episode 11 and, uh, episode one, you’re already even seeing people listening to episode one that maybe just found the

[00:24:05] Brad Nigh: podcast. Initial numbers are certainly, yeah,

[00:24:09] Evan Francen: yeah. So the trend has definitely been pretty steep. I mean, I think, and for us we don’t have huge expectations. I told you that I originally wanted to do this podcast just because it was an hour a week where you and I could sit and talk, you know, because I do admire your take on things and, you know, it’s important. But I want to thank everybody who’s been listening and hopefully you’re getting, you know, good, uh, stuff. It’s not a waste of your time. It’s an hour every week. Obviously you can click stop or pause if you don’t want to listen to the whole thing. So we’re very grateful for that. If you do have thoughts or suggestions about the podcast, if you want to, you know, eventually we’re going to have a segment where we’re going to start fielding questions. I think now maybe it’s a little early, but if you do have questions, send them to unsecurity@protonmail.com. Ah, we chose ProtonMail because, one, the unsecurity.com domain is already taken and I think it’s like $11,000. So we’re probably

[00:25:22] Brad Nigh: not doing that. No, no, no. So

[00:25:26] Evan Francen: we could have marketing at unsecurity or podcast at unsecurity.com, but we’re not going that route. And we really wanted to keep this, even though both of us work for FRSecure and SecurityStudio, we want to keep this, this is not really married to that. Right. Right. This is Brad and I. This is Brad and I, not Brad. And I, this is our opportunity just to talk security. Right? We’re not here to sell you anything. Um, we’ll talk about the things that we do and talk about the projects and talk about products that we use. But we’re not selling anything here. No. All right. Anything to add, Brad, before we get into some news, some topics?

[00:26:12] Brad Nigh: No, I think we got it.

[00:26:16] Evan Francen: All right. Well, we already talked about the Unsecurity book. It’s on sale now. It’s not officially launched. I think the official launch happens February seventh or something.

[00:26:26] Brad Nigh: I heard rumors. Yeah. The book signing and all kinds of stuff. Have you

[00:26:31] Evan Francen: ever signed a book before? No. Okay. So I had my wife, when she came down, because the book was not physically available when I left, so she brought like five copies down. And the people down there that I had started a relationship with, just getting to know them, uh, they were just geeked about getting a copy of the book. So I’m like, all right, here, I’ve got a copy for you, and I’ll sign it for you. And I thought signing books is weird. You know, I don’t know if you’re supposed to write a personal little note to them, "thank you for being you" or something. And then do you sign it? Just like, because if you’ve seen my signature before, you can’t read it. I have a chicken scratch signature. So, like, am I supposed to sign it, like just spell out the word Evan, or am I supposed to sign it with my normal signature?

[00:27:26] Brad Nigh: I would just sign it like normal.

[00:27:29] Evan Francen: Am I just overthinking this? I don’t know, but it was cool. Do you have a copy? Did you get one? Did everybody here get a copy?

[00:27:36] Brad Nigh: I don’t know. Have you seen it? I’ve seen it. It actually looks really good. Yeah, I like it. I have not gotten a copy yet. What the

[00:27:44] Evan Francen: hell? You guys don’t work here? I should give you copies. Uh, I’ll get

[00:27:48] Brad Nigh: your car. Oh, that’s the benefit of knowing the author. Yeah.

[00:27:52] Evan Francen: Right. And then you can give me feedback. I can trust

[00:27:56] Brad Nigh: you. Well, I mean, I haven’t seen the final one, but we’re doing those hangouts, so I’ve seen a lot of what’s in there. So I figured I’d let the people that hadn’t seen it yet get a copy first. That’s what I’ll go with. Cool.

[00:28:10] Evan Francen: I want to. And also, you know, I’m not a self-promoter guy, and they set up a website, evanfrancen.com. Hey,

[00:28:20] Brad Nigh: I did go out and grab bradnigh.com after the podcast because I was like, wait, it’s not done yet. So I was able to get it.

[00:28:28] Evan Francen: That’s cool. That’s cool. So you’ll have a book on there by the end of the year, so fast we can write that third book. All right. So FISASCORE R2 is getting pretty close to being released. R2 is a release, and then the FAQs that I had written last week were about the difference between a FISASCORE version and a FISASCORE release. I mean, so it’s a limited release right now. I think, I don’t think all the partners have R2, I don’t know. It sounded like, from when I was talking to Terry last week, that’s

[00:29:04] Brad Nigh: probably not. It’s probably, you’ve done the one, we’ve done one other on this side and we’re working through some back-end stuff about, you know, just with some of the changes and how that affects some of the other processes we do. Okay.

[00:29:19] Evan Francen: Yeah, I’ve seen Ryan’s email. Ryan, someone emailed you and I about how, really? I think he really liked R2. Yes.

[00:29:26] Brad Nigh: That’s good. That’s good to hear. The downside was it totally broke our roadmap. Oh, functionality. So, but it’s, I mean, that’s to be expected. Right? Like we knew that was coming. But

[00:29:40] Evan Francen: yeah, we’ll get, I think, the roadmap. So R2 is in limited release for SecurityStudio partners and clients, mm. We’ve also started talking about releasing SecurityStudio directly to clients. Is that a potential, so that they can do their own assessments themselves, and then if you want the validation of a security expert or professional

[00:30:10] Brad Nigh: kind of by engages for that. I mean it makes sense. You could, we’ve done that with the score is turned that into it and use that as the basis for internal audit. Yeah, it’s kind of the same thing. It is a different approach and we do a lot of coaching around. Okay? So if you’re looking at this, what evidence would you collect and look at it to verify? So it is a little different. But it covers everything that you know from a security standpoint. That would be worthwhile. Yeah, that’s pretty cool.

[00:30:43] Evan Francen: Once I think so our two fr secure customers if they’re engaging in new assessments, are they all getting our Tuesday?

[00:30:51] Brad Nigh: Okay. Now, you know, we want to sit down and kind of go through it and train everybody. And so that’s, that’s been what Ryan has been tasked with is all right. You’ve done one. So right up your stuff and you get to present and tell people to problem. Thanks

[00:31:07] Evan Francen: for volunteering. Volunteer told told Yeah,

[00:31:11] Brad Nigh: he’s awesome. He was, he was excited. Yeah.

[00:31:14] Evan Francen: He’s one of the things that’s going to happen today is, and I don’t know if you know this, but there are awards given out

[00:31:21] Brad Nigh: today. Yeah,

[00:31:24] Evan Francen: picks. Did you? You got to nominate folks for that And I’m excited. Yeah, I’m excited for that. That’s always fun to recognize people in front

[00:31:33] Brad Nigh: of everybody. Especially because everybody here is it really is so humble that they all get all it’s all awkward and they’re embarrassed to come up and it’s kind of fun to do.

[00:31:45] Evan Francen: Yeah, we’re none of us. We don’t carry a lot of he goes

[00:31:48] Brad Nigh: wrong. No, it’s put in check very quickly when you realize that Yeah, this is probably the best collection of as a whole people I’ve worked with a lot.

[00:32:01] Evan Francen: All right, let’s dive in some recent news. So one of the biggest things that came across my desk last week or came across the news last week was this collection one. Um do you read anything about this?

[00:32:14] Brad Nigh: Yeah, I think the scary part to me wasn’t Yeah, it’s a lot of records, but they’re mostly, you know, I think it was in the Krebs article and I love reading his articles are so good. But that it was like 2-3 years old. But he’s like, oh well you want one of these other ones that’s not published and it’s like terabytes of data. I know, yeah, that’s the new stuff. You don’t want this old one. This is just old stuff you could use for some, you know social engineering, but it’s not Yeah. This is mostly known, right?

[00:32:48] Evan Francen: That’s the thing. That’s the thing about data, right? It’s got a shelf life. All data has a shelf life. It’s just some of it’s really, really long, some of it’s very short,

[00:32:58] Brad Nigh: right? It was this like 80 something, 86 terabytes or gigabytes of data or 83 gigabytes of data. He’s selling for 40 bucks or $45. And I was like, wow.

[00:33:09] Evan Francen: Well yeah. So for for those who who didn’t catch last week troy Hunt, whose have I been poems dot com and very, very good researcher. Super skilled. It seems like a really good guy announced On January 17. So less than a week ago that uh 773 million uh huh Records were found in collection # one in a data breach. Uh He does a really good right up on troy Hunt dot com. If you’re going out there about kind of what he found and all this other stuff, 1160253228 Unique combinations of email addresses and

[00:34:00] Brad Nigh: passwords. I mean it’s absurd. Yeah. Right.

[00:34:05] Evan Francen: It’s huge. And so when you read his article on his on his website, mm you’d be thinking this is the world is ending, right? I mean it when I first read it, I was like, oh my God, this is a lot of stuff. Then you start thinking once logic starts entering into your brain, you start thinking with logic and less emotion. You realize. All right, well maybe this isn’t as bad as it seems, but man, the news picked

[00:34:35] Brad Nigh: up on a quick, well every got sensational numbers, right?

[00:34:40] Evan Francen: Yeah. And so that’s the bad thing about things like this. The good thing is obviously helping people understand that these things are happening and how to protect yourself. That’s the good thing. The bad thing is this is a great opportunity for people to sell you more stuff. Probably more stuff that you don’t

[00:35:00] Brad Nigh: need. Yeah. Uh you know, I think from my standpoint looking at it, given that this is mostly a couple years old, you know, I’m just like, wow, that’s a lot. My exposure to it is probably pretty minimal. Right? I use a password manager that has the longest password, you know that any of the sites will allow or at least 26 characters that are randomly generated. Change it once or twice a year depending on what the site is. And then I change the master password at least twice a year and have multi factor on it. Uh You know like my my exposure hopefully knock on wood is pretty minimal and you know if you follow some best practices and don’t use the same password everywhere, change it more than once every decade. You know, it really does reduce your risk, right? And don’t just increment the number.

[00:36:02] Evan Francen: Yes. Yeah. Well this breach was interesting too because it was actually a collection of many individual data breaches. There isn’t one company to go yell at and wag a finger at. It’s this came from lots of different places and it’s a collection which also leads to why it might be so old. Right true. You don’t get collected this much information. Yeah he’s usually

[00:36:28] Brad Nigh: In a short period of time. 21 million plus passwords from Collection #1 has been added to Have I Been Pwned. Yeah however you said yeah works for me

[00:36:44] Evan Francen: so lots of breaches, lots of hashes, lots of email addresses, lots of passwords it’s all been added to HIBP, the Have I Been Pwned website, so if you go there you can see if you’re in that data collection, chances are probably pretty good just with so much.

[00:37:03] Brad Nigh: Yeah

[00:37:06] Evan Francen: so um what else, password manager? Good stuff. And then was it the day after or was it two days after when Krebs wrote his article? I always admired Brian Krebs because that guy’s got some cojones. Yeah

[00:37:22] Brad Nigh: you talked about taking risk and putting yourself out there

[00:37:25] Evan Francen: all the time. He gets death threats.

[00:37:27] Brad Nigh: He tried to get swatted and all kinds of gets crazy.

[00:37:31] Evan Francen: Yeah I remember the first time it was the New York Times. I can’t remember what he used to write there, he had just a small blog that that’s kind of where he started, he left there and started his KrebsOnSecurity but he actually reached out to the seller of uh I mean this was originally sort of found I think from Alex Holden from Hold Security. That’s kind of how I think all sort of started and sort of unraveled from there. Um but I thought it was really interesting because he reached out to the actual person selling yeah this data, so the data was originally for sale um on the I don’t even know if it’s for sale on the dark web, Did you catch that? It was just for sale on a web site,

[00:38:32] Brad Nigh: you know, I didn’t notice where remember we pulled that from?

[00:38:36] Evan Francen: No I think it is on the dark web if I don’t think

[00:38:40] Brad Nigh: I think it was on mega.nz or something. So but I’m sure you had to have a specific link to be able to even get to it.

[00:38:50] Evan Francen: So there’s this character called with the username Sanixer, Yeah, who’s selling this data? So I think look at the the last sentence there? So naturally KrebsOnSecurity contacted. Well naturally who the hell does that? Most of us don’t

[00:39:09] Brad Nigh: do that. You don’t bring Yeah expose yourself to that,

[00:39:14] Evan Francen: but we let Brian do that. So thank you for Brian Krebs because that really is a personal sacrifice that he makes to put these things together. Yeah. You know where it’s different, like some of the other personalities in our industry don’t stick their neck out like this, they have the they have an ego, it’s all ego driven where I’ve always felt like Brian Krebs isn’t ego driven. He really does want to help and provide help for people because he puts his life in danger.

[00:39:46] Brad Nigh: Yeah. Yeah like he said his home address has been published on the dark web and he’s been swatted and oh yeah hit when somebody would at one point sent drugs to his house to try and get him framed. It’s like wow. Yeah the

[00:40:02] Evan Francen: It’s interesting. So so Sanixer. So he contacts Sanixer and finds out that Collection #1 is for sale for $45. Yeah

[00:40:18] Brad Nigh: At least 2-3 years old.

[00:40:20] Evan Francen: Yeah and it’s not the only collection right? There’s Collection #1, Collection #2, Collection #3, and so on through Collection #5 and then a couple other

[00:40:28] Brad Nigh: And if you look if you scroll up just a little bit on that we’re looking here at the screen it’s just under a terabyte 993 gig. And if you and he says right there he’s like oh this is 2-3 years old. And the article just below that There’s four terabytes more that’s newer right? So

[00:40:46] Evan Francen: Price insane price for access lifetime $45. So collection one. So it’s not like this is like a huge finding either. I mean this is this is a somebody who’s accumulated all this data however they have accumulated it right? And then is offering it for sale. You know putting it out there. It’s not like you know they’re trying to keep it somewhere so nobody

[00:41:15] Brad Nigh: can find it. Right.

[00:41:17] Evan Francen: Yeah. So if you want the data I suppose you could go out and buy yourself uh in this data. So collection one was at 10.2 cents per password. It’s a good deal. You know they used to figure out how much records were per record right in our web and I can remember when credit cards were 40 50 bucks

[00:41:44] Brad Nigh: I think. Big ones. I always health insurance information is the big health insurance. Yeah. Yeah and I think it’s the big value or a big dollar one.

[00:41:53] Evan Francen: Yeah because they’re monetized Attackers have monetized that for getting insurance, getting treatment on somebody else’s insurance and to to get obtained opioids, obtained drugs or somebody else’s insurance been selling that. So interesting story. I like how. Mhm. I don’t know. Once you dig into it when you first see the numbers you’re like oh my God this is crazy. And then went you dig into your like okay well not surprised.

[00:42:23] Brad Nigh: Yeah

[00:42:26] Evan Francen: it’s years old. So if you haven’t changed your passwords you’ve heard this

[00:42:30] Brad Nigh: before, this is a good time to change your passwords

[00:42:33] Evan Francen: and if you aren’t using different passwords for different sites that still if you haven’t turned on two factor authentication. Even though I think we covered last week or the week before. Not perfect. Nothing is perfect, right? But two factor authentication well will reduce the risk and that’s what it’s about. It’s about managing risk not eliminating it. Right. So good information. Alright. I thought this other articles. The next one is on vice.com, Motherboard, vice.com. So we have to figure out how to get my mouse over here. Uh "American military sucks at cyber security" is the the title of the article and what they’re citing is an internal report. So a new report from the U.S. So if you go to motherboard.vice.com you’ll find "The American military sucks at cyber security" is the title of the article written by Matthew Gault written about a week ago. A new report from the U.S. military watchdog outlines hundreds of cybersecurity vulnerabilities, hundreds doesn’t seem. I mean you and I have been working in security for a long time. We were used to thousands or tens of thousands,

[00:43:51] Brad Nigh: hundreds of thousands and how are they defining it? Right. It’s got hundreds of critical exposures on the outside with known vulnerabilities is different than you know.

[00:44:04] Evan Francen: So the results so that this is based on a Department of Defense uh Inspector General. So the Pentagon’s inspector general. The report that they released, The results weren’t good from their report as well depend, good is subjective, right? As of September 30th 2018. So this is the report itself was released recently. However, its information gathering and data collection was you

[00:44:33] Brad Nigh: know a little bit yeah it is trying to look through the report most of the stuff I was like who that blacked

[00:44:42] Evan Francen: out? I know there’s a lot

[00:44:44] Brad Nigh: of, well that doesn’t help me at all.

[00:44:47] Evan Francen: You got to be careful which released something like that,

[00:44:50] Brad Nigh: which is good, right? At least I got that, right? And you can’t just highlight it and copy it and paste it to get past the redaction

[00:44:57] Evan Francen: right? When the government is such a huge animals, right? Because they’re talking about sensitive but unclassified information and other types of information. So don’t think that this is top secret information or you know Yeah. Isn’t super big deal.

[00:45:18] Brad Nigh: But I mean I’ll be honest, didn’t really surprise me having seen how this works because you have there’s just I mean there’s so much politics at play, right? It’s like you’ve got different factions that want different things and it’s such it’s so big to just the scale of it.

[00:45:40] Evan Francen: Yeah. Oh yeah and trying to figure out so one of the things that I always start with, I’m trying to figure out, you know, as a vCISO um which I don’t do as much anymore. But when I was was what’s the scope of this, what am I responsible for?

[00:45:58] Brad Nigh: What am I dealing with?

[00:45:59] Evan Francen: And I I’ve asked, reminds me of a conversation I had with the CISO of a state uh and I was trying to understand what are you responsible for as the CISO for this state. And he was as well, it’s the administrative arm of the government. And I’m like, okay, what does that mean? Because I’m trying to make this make sense. And he’s like, well It’s about 90 something agencies and I’m like 90 something. I mean, that’s not good enough. It’s like, is it 93, 95, 97? And what agencies are they so that I can get down to the nitty gritty and figure out what assets I’m actually responsible for. I can only imagine in the government who is responsible for what And then like you said the politics.

[00:46:47] Brad Nigh: Yeah, I’m not And there’s I mean, there’s got to be so many, I’ve seen legacy systems that we have to have this to make this work and it’s on, you know, just old old stuff. Right?

[00:47:03] Evan Francen: And so I asked that I also asked him to apply it kind of here. I asked that CISO who ultimately is responsible for the security of this? Uh huh. He’s like, well, it’d be the governor. Like, okay, so then is the person who is ultimately responsible for information security in the government the President?

[00:47:24] Brad Nigh: I mean, I guess that makes sense. Right. Well,

[00:47:27] Evan Francen: I would think so. But I wonder if if if we’ve even right, really figure that out because I know that if you don’t specifically define the responsibility, well, nobody will take the

[00:47:41] Brad Nigh: responsibility

[00:47:43] Evan Francen: in order to fix this, you have to have some serious, serious leadership.

[00:47:48] Brad Nigh: Well, and then you still got the Department of Defense, you’ve got all the different three-letter agencies that all want part of it. And who? Yeah. Yeah. Yeah. I’m not surprised. And I can’t guarantee that we’re not the only government that’s like this or worse,

[00:48:07] Evan Francen: right? But if we’re going to you know what if we’re in a cyber war or the next wars will be fought online. Yeah. We got to figure this stuff out better I think. Yeah. So anyway, as of 30 September 2018 there were 266 open cybersecurity-related recommendations, dating as far back as 2008. So that’s more than 10 years in this report.

[00:48:36] Brad Nigh: Yeah. I mean you said it’s probably not anything that we’ve not seen before. You know, recommended the Pentagon take 159 different steps to improve security. They had only taken 19.

[00:48:51] Evan Francen: Yeah. So I saw 140 steps to

[00:48:53] Brad Nigh: go. But that’s so that’s what we see in the private industry as well. It’s like, okay, here’s all your risk and then nobody does anything with them. Right? So it’s not

[00:49:05] Evan Francen: Which is which so on to your point. It’s not surprising. But it’s also not

[00:49:10] Brad Nigh: acceptable. No, no, no. Not by any means

[00:49:12] Evan Francen: because I mean somehow, and I think what it takes again is somebody who has the authority to lead this will actually lead this. It’s the same thing when we’re in private sector. When you’re working with a company. The CEO is not involved. If the if the board isn’t involved well

[00:49:31] Brad Nigh: Do the best you can. Like the one uh below the only 19 of them uh server site connected to America’s ballistic missile defense, inspectors found an unlocked server rack. Despite a posted sign on the rack stating the server door must be remain must remain locked at all times. I mean that’s exactly what we see all the time. Day to day. Slightly more consequence to that one.

[00:49:55] Evan Francen: Right. Well it’s funny too because you always we also always get the excuses right when we’re making our own recommendations about what’s in the private sector you always get the well but the blah blah blah blah blah. And so you get the same thing in the report. You know the IT security officer says well network operations staff were troubleshooting issues with the server rack we found unlocked and failed to notify the assistant security manager once they completed

[00:50:19] Brad Nigh: maintenance. So why didn’t the assistant security manager follow up on knowing that this was unlocked for maintenance? You always get excuses. What are you gonna do? Say same stuff. Different industry.

[00:50:34] Evan Francen: Right? Humans are humans. So if you want to copy that. If you do want to see the report. Um It is heavily not heavily it’s pretty redacted. Uh it would be the name of the report is "Summary of Reports Issued Regarding Department of Defense Cybersecurity from July 1, 2017 through June 30, 2018." The report was issued on January 9th, 2019 from the Inspector General of the U.S. Department of Defense. Pretty good. Pretty good. Reading, media.defense.gov is where you find a copy of that report? I always find those things interesting much to your point. Not, not not surprising, but still sore. I do have like a little bitter rage sometimes when I read those things like go really?

[00:51:28] Brad Nigh: It’s just yeah, yeah,

[00:51:31] Evan Francen: here’s another one that I thought was interesting. Uh Bulgaria extradites Russian hacker to the United States. Uhh I thought this was interesting for a couple reasons. Um one I like when people get extradited um two, we have Bulgarians work for us, You know, we have what 5, 6, 7, 8 developers over in Bulgaria who are helping us, you know, and doing just great work, they are employees, they’re not contractors and but they’re super fun to work with. Uh that’s why I picked this one. Okay, okay, I get picked anything.

[00:52:14] Brad Nigh: It yeah yeah, it’s fine.

[00:52:18] Evan Francen: So this one is from securityweek.com. "Bulgaria extradites Russian hacker to US" and so on January 18 Aleksandr Zhukov, he’s in jail in Brooklyn and I think he’s already appeared in court. I think one of the supporting news stories. Uh he’s already made his appearance or one of his appearances. He was extradited. He was the, I think alleged ringleader or one of the people involved in Methbot, which is a that ad scam right Back in 2014 and 2015 where they rented computer servers and simulated humans. So they basically automated clicking of ads and what have you Tricking businesses into paying $7 million €616 million for fake views. The second scheme was kind of similar to that except where they used malware infected computers to do the same thing.

[00:53:23] Brad Nigh: Yeah. Yeah. That was, it’s interesting that it takes dollar amounts of that magnitude from of loss for the, for the action to be taken. Yeah.

[00:53:36] Evan Francen: He was earning about $20,000 a month and his alleged, yeah, you know, this is according to the

[00:53:42] Brad Nigh: indictment. I think that was interesting. Uh, yeah, that they said he stood out on the dark web for being selective. You know, he didn’t do credit card theft and didn’t do any child porn. It was only kind of scamming businesses out of

[00:53:57] Evan Francen: ad dollars. Yeah, it was

[00:54:00] Brad Nigh: kind of like a gray hat almost like, right, he’s a little confused about this. He had his limit his life.

[00:54:07] Evan Francen: He was only partially naughty partially

[00:54:10] Brad Nigh: bed. He probably saw himself as a Robin Hood.

[00:54:13] Evan Francen: Yeah, I was kind of thinking

[00:54:14] Brad Nigh: to accept, you know

[00:54:16] Evan Francen: an attacker with morals, everybody’s got some morals. Ah It’s also covered a couple of other different places, CyberScoop picked up the news and whiteops.com gives you some background on Methbot, they’re the ones who I think were originally uh sort of involved in taking down Methbot or whatever, they have a good write-up. It’s at whiteops.com/methbot if you want to read more but that what else we got RICO, a RICO claim. Uh This is the Michael Terpin. Remember the SIM swap we talked about a while back?

[00:54:55] Brad Nigh: Yeah it’s gonna be here. It’ll be interesting to follow a tough argument. I think

[00:55:01] Evan Francen: So. Michael Terpin was the guy who sued his carrier and I think the carrier was AT&T, filed a $224 million dollar lawsuit. You can go to blocktribune.com is one of the stories in the title as "RICO claim civil lawsuit filed by Michael Terpin". It’s T. E. R. P. I. N. SIM swap token theft case, was first lawsuit was against AT&T. But you filed last summer and I don’t think that’s been settled yet because allegedly AT&T, because the way SIM swaps work right as I would social engineer AT&T to convince them that I really am the owner of this phone but I lost my phone or I need a new phone or whatever. So send me a new SIM card, well AT&T then sends a pre programmed new SIM card. I put it in my phone and now I have your phone number so the attackers did that to get the two factor authentication and whatever to get his is a Bitcoin wallet right? And then stole his money. So first he sued AT&T. And then now he thinks or well he thinks he knows who stole his money right? It’s Nicholas Truglia, T. R. U. G. L. A. 21 years old. Who’s also I think I think he’s in jail. Yeah so now he’s suing they’re not really suing him. Uh But there’s a RICO Act allegation. Right? We’ll see what comes with that.

[00:56:41] Brad Nigh: Yeah it’ll be interesting to follow.

[00:56:43] Evan Francen: Right? So yeah Truglia is in jail. He’s incarcerated for a bunch of SIM thefts. So anyway we’ll see what happens from that. I guess the key. I think um carriers are much more in tune with SIM swap theft, SIM card theft. So yeah hopefully they’re not they’re validating the callers much better than they used to right. Certainly they will have, if AT&T loses that case. It’s $224 million. That same story is also covered in The Register and KrebsOnSecurity also has you know I guess he was kind of brought up one of the first yeah about the first case. "Critical unpatched Cisco flaw leaves small business networks wide open." This one kind of got me because one, Cisco. This doesn’t happen much with Cisco and when it does happen Cisco usually defends themselves much more. This one. They just kind of Yeah, it’s a critical flaw and we

[00:57:48] Brad Nigh: need people, you know what? I’ll give him credit for owning up to it, right? Not making excuses. And the pluses on this one, the workaround to eliminate it is really easy. Right?

[00:58:02] Evan Francen: But if you are a small, because I think the big thing is small businesses

[00:58:07] Brad Nigh: don’t

[00:58:08] Evan Francen: pay attention to all this stuff. And so if you are running Cisco, small business switch software and you’re not sure or you’re not sure double check because there is a critical flaw that does allow admin access to those systems or to those switches and that could take it suck. Yeah.

[00:58:31] Brad Nigh: CVSS score of 9.8 right? Yeah. It’s probably pretty bad.

[00:58:36] Evan Francen: Yeah. So, Threatpost is one of the news articles that you can read about it. "Critical unpatched Cisco flaw leaves small business networks wide open" again. If you’re running Cisco small business switch software, make sure that you’re not vulnerable to this one and there’s a workaround and a patch. So that’s that. And then the last one which we’re coming up on time here I thought was interesting because I start I’m starting to one of the parts I wrote I’m right I wrote in this book and at least in the draft is how our government has let people down because there is no privacy law in the United States no single governing overarching privacy law. You’ve got states, I mean there’s 50 plus state laws, I think California alone has like 25 privacy laws, it’s like the hell so Tim Cook uhh Apple’s CEO voiced, he actually wrote an op-ed and says it’s time to stand up for the right of privacy. Mm And so this is a mashable.com. It’s in numerous places, but "Apple CEO Tim Cook to Congress: It’s time to stand up for the right to privacy." And I think Apple, I don’t know man, every big company has so many legal still on the job for said, nobody ever reads, I don’t know, I don’t know if he’s just trying to make a good name for himself or really truly believes that, you know, I don’t know right if you read if you take what he says and his write-up, he really wants us to have a single privacy.

[01:00:22] Brad Nigh: I think, I think part of it also is how much easier would it make for make Apple’s life if there was one thing that they had to try and comply with. So I think it makes sense from a PR perspective for him to come out and push for it because selfishly there is some benefit there, but it does benefit consumers. So it’s a plus,

[01:00:46] Evan Francen: it should be, it should be a plus plus, you know, for everybody, if we had a single

[01:00:51] Brad Nigh: Yeah, Hey, here’s what you have to do and you’ve seen it with like, well Google has it and but Facebook with their biggest their latest breaches and information and just selling stuff without aggregating data and selling it without getting it okay about it. It’s just there needs to be something in place.

[01:01:15] Evan Francen: Yeah. And I think and we could talk a while for this because when I was doing research, so that the op-ed actually originally appeared in Time magazine, but there’s a lot of movement going on here. I mean as I was doing research for the book on kind of the state of privacy in the United States. Uh huh. There’s a lot of things we can spend a lot of time talking about this particular. So maybe I’ll either make that part of my show or you can make it part of yours to talk about what’s happening in relation to privacy. Yeah, but I think at this point it’s sort of cool that you know, somebody powerful, at least Tim Cook, is saying

[01:01:56] Brad Nigh: something about at least something is happening. Right?

[01:01:59] Evan Francen: So maybe in short order we’ll have something. Yeah, well that’s all I’ve got for this week. You got anything to add before we close this thing out?

[01:02:07] Brad Nigh: We made it through, awake.

[01:02:09] Evan Francen: I did make it through awake on a Monday, early morning after two weeks out

[01:02:15] Brad Nigh: It’s good. It is good.

[01:02:16] Evan Francen: Alright, well that’s it. We’ll talk we’ll talk next week sir

[01:02:21] Brad Nigh: That sounds good. Yeah.