How to Create a Strong Password

This week, they’re joined by special guest, Christophe Foulon, a senior cyber risk management consultant for ConQuest Federal shares how to create a strong password and end with information security news story discussion (per usual).

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:23] Evan Francen: All right. It’s another monday morning and here at fr security security studio world headquarters in uh where we minnetonka Minnesota for anybody ever makes it out this way. He wants to come and visit. Uh, but you know what that means. It’s time for another episode of the insecurity podcast. This is episode number 25 25. It’s like almost a half a year. We haven’t missed a single week yet. It’s crazy. All right. Well, I’m pretty good. If they switch that up at some point it’s monday april 29th 2019. And like I said, this is episode 29. I’m Evan Francen. Uh, I’m your host for this week, Brad is with me. As always say hi Brad. Hello. I like to mix it up. Yeah, 20 years. Why?

[00:01:12] Brad Nigh: Hello because I got a full eight hours of sleep last night because we didn’t come in.

[00:01:17] Evan Francen: I said say Hi Bradley says Hello. You get eight hours of sleep. What is that like? It’s this actually got nine on saturday friday and saturday and then last night I didn’t sleep well, but such as the life. All right. But I’m I’m actually pretty excited that today we have our first dial and guest. And you know, I don’t know if you’ve ever done podcasting before, meaning listeners uh trying to figure out how to do. Dylan is a new thing for us. So we got a little messed up, but I think we got it now if there’s quality issues, you know, cut us a little bit of slack maybe, and give us some tips as opposed to just maybe ripping us. But I am pumped today because today is our first island guest. Uh, we have with us. Today is Christopher Nolan. Welcome Christophe.

[00:02:04] Christophe Foulon: Hello everyone.

[00:02:05] Evan Francen: How are you, sir? I’m good. Did I say your last name? Right?

[00:02:08] Christophe Foulon: Yes. It’s the president.

[00:02:10] Evan Francen: People butcher that

[00:02:13] Christophe Foulon: one.

[00:02:14] Evan Francen: Well, I’m glad that you’re here. We uh, we met on linkedin. Uh, and there was somebody who texted me or messaged me this weekend and said that he was the one that introduced you to us. Do you remember who that is?

[00:02:30] Christophe Foulon: Um, yes, I do recall it. I’m

[00:02:35] Evan Francen: sure she’ll give him a shout out. I can’t remember his name though. Son of a gun. All right, hold on. I have a computer.

[00:02:42] Christophe Foulon: It is, Jason dance.

[00:02:43] Evan Francen: Yes, Jason dance. He’s given some good input to us, you know, since uh, since we started the podcast, just kind of giving us actually, it was his idea to do um, one of our shows on, uh, what the heck was it being healthy? I think information security give us some good tips on that. So, thank you, Jason for introducing us.

[00:03:07] Christophe Foulon: He always sends me interesting articles and uh, comments on some of the articles that I post. So um yeah we’ve been going back and forth for a while.

[00:03:16] Evan Francen: Well that’s one of the things that I’m very impressed with. You know we were talking just before we started the show with you is your active man. I mean I see stories from you coming all the time and you’re just telling me this weekend you went to B. Sides and D. C. One of the one of the ones

[00:03:34] Christophe Foulon: uh they say the sides charm and it’s in Baltimore. Um But there’s three around the D. C. Area there’s uh besides D. C. N. D. C. Uh besides charm in Baltimore and then decides nova in northern Virginia. But um since the area so small you could probably get all of them within like an hour and a half drive so not too bad wow.

[00:03:56] Evan Francen: Yeah like I thought I was busy but you got you must be pretty busy.

[00:04:01] Christophe Foulon: Uh Yeah but I I use technology to help me. So for example for my social media postings I use a service called buffer. Which when I find useful articles um throughout the day I just posted to that and then I can set predefined times to have that publish it for me on both my Lincoln and my twitter.

[00:04:24] Evan Francen: Yeah that’s a good tip I use buffer to uh not not as well as you I think you mentioned using technology I think the older I get, the more I get disconnected from technology But buffer I use I mean I don’t know what they agree on 22 of the 100 days of truth. Uh so I just gave you those up on Sundays. So like every morning at eight a.m. It’s another truth that goes out on my linkedin and twitter. Are you pretty active on twitter too?

[00:04:56] Christophe Foulon: Yeah I mean I I posted both and then I respond on both. Um Lincoln’s more the professional side and then a little more personal personality comes out on twitter. Um but still on the professional side

[00:05:12] Evan Francen: and brad. You’re you’re not as social media. No

[00:05:16] Brad Nigh: because I need I

[00:05:17] Evan Francen: work you too hard. I think

[00:05:18] Brad Nigh: that’s a get home and I’m done. I need to get do something with buffer or something where because I see the articles and then I just don’t think to post it.

[00:05:29] Evan Francen: Yeah I think you have to get into a habit. Yeah. Well that one so that episode 16 when you your wife among me and my wife were here. You know 1 1 of the comments my wife gave to me was brad really seems like he’s got his life in balance hint. Okay.

[00:05:48] Brad Nigh: Although I will say I’m glad you mentioned that I’ve shared a picture of uh your wife posted of the flowers and I was like

[00:05:56] Evan Francen: oh my wife posted pictures I sent her flowers, flowers.

[00:06:00] Brad Nigh: I got grief that you were ahead of me on that one back at you. Yes.

[00:06:06] Evan Francen: Anyway, sorry Kristoff, we’re just, that’s a little spat.

[00:06:11] Christophe Foulon: Yeah, I mean for example, I was that besides charm and my wife came up for one of the night. Um My son stayed in the hotel and I got to see them overnight during the conference and then I went back the next day and kept going and then left a little bit early on the last day to back home to them. So yeah, try as well to keep everything balanced as much as one can,

[00:06:33] Brad Nigh: good for you. It’s easy to, he’s easy to get sucked in.

[00:06:38] Evan Francen: I’d much rather have a happy, happy marriage and home life and be a little less security than the other way around. You know, be a awesome expert at everything security and not and be alone. So anyway, Christoph, so you have this passion for information security. Uh tell me what, what got you into it. And when

[00:07:04] Christophe Foulon: I would say it started Probably around 2007 formally, um I was in a help desk role and I just started seeing how insecure a lot of people were acting specifically on the jobs. And then I was like, well if you’re doing that here, you’re probably doing that at home. So I started sharing helpful tips here and there and everyone seemed to love it. Um like, wow, this is nice to be able to share this information with other people. And then I started just going down the route um getting My certifications heading down that route staying mostly on the side, fell about 2012. Then I started to interject myself into whatever security thing I could um because I never had a formal title until recently of doing something insecurity but I was always trying to be secure wherever I can share the tips and then have the business. Think about doing things securely because most of the times they were always focused on availability.

[00:08:14] Evan Francen: Yeah, I get that. So you mentioned you know, starting off from the help desk, I think that’s and I think you and I had a conversation last week or the week before. I think that’s such a great place for people to start their information security careers because you learn so much about different technologies and you learn so much about people. So would you would you suggest that’s a great place for people to start if you if you’re not in this industry,

[00:08:38] Christophe Foulon: it’s an amazing place to start. First of all, you got to learn the foundations of computer systems, networking, how users react or interact with systems. And if you know those things uh you can come up with ways to medical what you’re doing, educate them on better ways but or even think of how they would react to something before the system is deployed. So you can deploy controls and mitigations ahead of time to try to limit the effects. Right?

[00:09:13] Evan Francen: So you uh so uh well crap. I had a question. I totally forgot what I was going to say. Help desk. Yeah. I had flashbacks when he said help desk.

[00:09:23] Brad Nigh: I alright. It’s funny how like that that’s similar to how I got into it. I was doing systems admin and it was right around that same time and you know, 2000 and 8, 2009 and realizing, oh, I’ve been doing security this whole time without that title without realizing it. It’s pretty good. It seems like that’s a very common way for for people to get in and yeah, I kind of realized without realizing it,

[00:09:54] Evan Francen: right? And we do our CSS the mentor program and I know one of the things that a lot of students have concerns about is if they pass their exam, do they have the prerequisite experience? And a lot of times we can find it because you’ve been doing it without you even knowing you were doing it?

[00:10:09] Brad Nigh: Yeah. I filled mine and I was like, oh man, I’m not going to have because I don’t, I didn’t have the title and I was like, you’ve got 12 years in this and eight years in this and all right, I’m

[00:10:21] Evan Francen: safe. So uh, is there one of the things you said to christophe that resonates with me is you said that these people, you know that you’re helping on the help desk are the same people that are at home, so they’re using the same habits, good or bad in both places. Right?

[00:10:39] Christophe Foulon: Yeah, definitely. And some of the things that I’ve learned along the way is redder than when I was doing security awareness training rather than teaching them to be secure at work. I said okay let’s take a step away from work, let’s forget that we’re here now. Let’s think about you using your Gmail account. Um think about what’s in your gmail account, what’s connected to your gmail account and if you use the same password for your email account on your facebook account or um for the Baskin Robbins ice cream account that you have and someone hacks into Baskin Robbins now they could possibly hack into your gmail, it’s connected to that, banking your taxes, all these things and then right there the concept of password reuse hits them and you’re like, oh okay. Um and then you can dive into different concepts like using um multi factor for most of them. You start off with just sms notifications or um just using the smS pins that you might get from providers, which is better than nothing. Um We’re not going to get everyone to you beaky straight off the bat, but at least if you could do something, additionally it reduces the attack surface drastically.

[00:11:58] Evan Francen: Yeah, for sure. So one of the things that’s interesting is it’s rare I think to see somebody in information security with credibility, I might add, you know, kind of grow so fast meaning you haven’t been in this industry for like I’ve been in this century for seems like forever. Mhm. And I go, you know, kind of at my pace even though I worked my tail off all the time, but to see somebody, I mean I’m really impressed with somebody who hasn’t been in this industry of her super long period of time. Long enough, right? I mean you have the experience for sure, but to just be so you know, kind of passionate about it and getting out there and getting the word out. What is it that’s driving you? Uh you know, do you have a mission? You know, something that you’re trying to, you know, that gets you up every morning, I guess

[00:12:50] Christophe Foulon: it’s fun, I like helping people. Um I’ve for for example, I love learning. Um so one of the things that I do with my long commute have a closer to our community, listen to podcasts. I on my lengthen page, I have a list with 40 50 different podcasts that um I’ve come across across the years and I listened to most of them surprisingly. Um but uh crime in all that information, I listened to speed. Um So I’m always trying to learn, always trying to keep up with what’s happening, it’s a ever evolving industry and I know that not everyone else can do that. So I try to impart knowledge share what I know with others in the community. Help mentor those that are coming in. Um Sure is to where they fit in this industry and they talked to them about transferable skills and try to find out what they like what drives them and then show them that there’s a very path to coming into this field and it’s still such an obvious field as well that you can create your own path. Um There’s people coming in from the creative side that are helping us with the marketing aspects or on the awareness aspects or educators that need to help teach. And um whether it’s teaching developers or teaching users or teaching business there’s so many different things to do. So I just kind of help show everyone that’s interested. Uh Some of the past that are available to them.

[00:14:29] Evan Francen: That’s cool. It’s admirable.

[00:14:31] Brad Nigh: I will say your commute is why I don’t miss the D. C. Area, why I left.

[00:14:36] Christophe Foulon: That spreads from that. Yeah surprisingly um D. C. Is about the same commute I have had in south florida which was about the same. It was just I guess all the areas I’ve lived and just had a lot of traffic. Um But if I’m used to it I guess

[00:14:55] Evan Francen: yeah we’re sort of spoiled out here in Minnesota. I mean we We complain about a 10 minute delay.

[00:15:02] Brad Nigh: I laugh at the people here complaining about traffic.

[00:15:06] Evan Francen: Well you have a big pickup truck man. I’m wasting a lot of gas and do irritates me.

[00:15:11] Christophe Foulon: Mhm. But you guys get like two ft of snow on the average. Right? Oh god

[00:15:16] Brad Nigh: I think this is 4.5 ft of snow in February.

[00:15:20] Evan Francen: Yeah it was bad winter and it’s still kind of like wants to not let go.

[00:15:26] Brad Nigh: We just went

[00:15:27] Evan Francen: south of us this weekend. Yeah we were supposed to potentially get some slush on sunday.

[00:15:33] Christophe Foulon: Um Yeah a couple of the security people I follow like uh in cold water and um steve Buchanan uh that I’ve worked with in the past lived in that area and just seeing some of the snow reports on. No it’s playing out in D. C. It’s kind of temperate.

[00:15:49] Evan Francen: Yeah. Yeah. Well in south florida you mentioned that I mean in february were, yeah yeah we should open an office. There may be. We mentioned, you mentioned Ian uh that’s another person that just rose you know kind of fast and just and I love that because we need more and I like Ian uh Goldwater. Yeah. Uh because of the there’s no ego you know I just there’s so many people in our industry that have been so ingrained in this industry for so long that I think they just have a you know an ego that sort of surpasses their usefulness you know that makes any sense.

[00:16:36] Christophe Foulon: No it definitely does. But that’s the other thing about this industry, it’s ever changing so um containers in kubernetes, that’s a newish technology within the area. So um you’ll find people that following at the beginning and then they master it quickly and there’s not many of us out there who would be able to master that technology so everyone tends to look up to them and if you’re sharing information and being kind and being nice to the rest of the community um they do tend to rise

[00:17:11] Evan Francen: and I love that. That’s uh I love supporting the information is here to people in their industry who are providing value I think whose heart is in the right place. Uh They do so without being a jerk to you know people who don’t get it and that’s you know that’s you that’s Ian hopefully it’s me, I don’t want to be a jerk but brad you bread.

[00:17:35] Christophe Foulon: I’m really good things about your C. S. Sp mentorship programs. So uh you’re doing good work yourself.

[00:17:44] Evan Francen: Thank you. Thank you very much or a lot of fruit. I had to push my button. I found a new button on our mixer,

[00:17:56] Christophe Foulon: your imposter syndrome kicking in a little bit. There. There you go.

[00:18:01] Brad Nigh: See I’ve heard that we talked about that a little bit. We

[00:18:04] Evan Francen: did a couple weeks ago maybe. Yeah we have to talk about that again. Yeah. All right so one of the things you know you mentioned uh Christoph about um just your your passion for helping people get into the industry and once they get into this industry, you know sort of helping them navigate their way. And 11 of the things that you do uh is the breaking into cybersecurity podcast. Can you tell us a little bit about that?

[00:18:31] Christophe Foulon: Yes. So I started the podcast with a recruiter partner of mine Renee small also in the D. C. Area and we were we were connected on Lincoln um we were just happened to be on the same threads and responding to the same types of questions all the time as to how to break in um advice for what they need to do, how they could get in what they could do. And the two of us just teamed up and said okay well let’s interview individuals that have come into the cybersecurity field within the past five years because we wanted to make it relevant, um nothing against you, Evan, but you joined a long time ago and you joined a different way. So I didn’t want I didn’t want to say the word but I feel it now. So we wanted relevant advice for uh those that had come in and what they did and how they did it and it’s one thing to hear from someone that’s already in for a while and they could go, oh yeah well that’s not relevant anymore but if you hear it straight from the mouth of someone that I just did it and you can reach out to them and ask them more questions, Uh sometimes it’s a little more resounding. So uh that was the premise behind behind creating the podcast and they were on episode 26 now, so about the same same length as you guys,

[00:19:57] Evan Francen: awesome. And and is that a weekly podcast monthly?

[00:20:01] Christophe Foulon: Uh we tried to do it weekly, provided that uh scheduling and guests availability goes, but uh we’ve met a couple weeks, I think we started last august um I missed a couple, but yeah, right now we’re booked out through june four guests. So yeah, we have a couple of blind.

[00:20:23] Evan Francen: That’s awesome. Well, one of the things that, so for the listeners, it’s the breaking into cybersecurity podcast and you can get that on crowd cast. Um and I think it’s one of the, so tonight we have class again for the CSP metro program, which is, I think comprised of, what would you say, maybe three quarters of the people there are trying to break into this industry, would you say?

[00:20:47] Brad Nigh: Yeah, that’s probably pretty

[00:20:48] Evan Francen: accurate. Okay, so I think they could really benefit from, you know, knowing about your podcast. So we’ll make it known to the students tonight.

[00:20:58] Christophe Foulon: Yeah, it’s um thanks to the Chromecast, it’s available via the web or via mobile app for um listening on the go.

[00:21:07] Evan Francen: That’s cool, very cool. All right. Well, and I and I we need more people, you know, in our industry and you know, there’s lots of debate on, you know, how bad the numbers actually are, whether it’s 2.5, or however many million short we are. Uh, the point is there’s plenty of opportunity, right?

[00:21:28] Christophe Foulon: Yeah, there’s definitely plenty of opportunity. And the other part of it that I try to work with businesses as well as um when you’re recruiting individuals to think of how your recruiting, how do your writing the job rex? Do they really need all these certifications on there? Or did someone in HR just on site to put that in there? Um, because especially as you’re trying to recruit um, diverse and inclusive population, if they don’t feel like they meet 100% of the requirements they won’t apply. Whereas, um, some guy who’s with the ego will meet three things on there and go, hey, why not give it a shot?

[00:22:12] Brad Nigh: There’s some people that they have the same letters in their name as the certification, so that’s close enough. Right.

[00:22:19] Christophe Foulon: Well, exactly.

[00:22:20] Evan Francen: One of the recipes that’s really worked well for us here. You know what if our security and security studio is hiring for the intangibles, I mean, they’re the things that we can’t teach, I can teach you to be a good person, I can’t teach you to be honest. And, you know integrity. Yeah,

[00:22:37] Christophe Foulon: because

[00:22:38] Evan Francen: we can teach security stuff. You know, I mean, there, there are books, their classes, there’s plenty of mentorship opportunity. There’s internships. I mean there’s all kinds of ways to teach you security stuff. So we ended up, we end up actually growing a lot of our talent here. It’s worked well for

[00:22:56] Brad Nigh: us to associate level that didn’t have a whole lot of experience and yeah, it’s rewarding to see them like have those aha moments and and start to get it and build that confidence. So,

[00:23:12] Christophe Foulon: and I think when, when you grow your talent, you also gain loyalty that way because they don’t feel like you’re just there to do a particular piece of the workload. Um whereas they know you’re going to grow, they’re going to have different experiences and you know, they’ll let you try different things whereas if you come in meeting the exact requirements um either that’s all you want to do, you’ve done doing that, you’re going to leave or if you’re not doing exactly that because that’s where you specifically want to be, then you’re going to leave as well.

[00:23:48] Evan Francen: Good point. Well, in an episode 21 of the things that we covered on the insecurity podcast was uh you know about being healthy, we touched on it just a little bit when we started our conversation. Um you know, honestly, I work too much. I mean, I think everybody would agree. Uh but you know, you mentioned one of the tools that you use, you leverage technology to get the word out. Uh you know with um crap, I can’t remember the name of the buffer buffer. Uh but then you’re also volunteering a lot. I see. Um you do make it to conferences to spread the word, You do the podcast. Do you have any tips for people in this industry once they get in and things go fast? What tips do you have maybe to share about living healthy?

[00:24:43] Christophe Foulon: I would just say try to try to find, find an area that you’re passionate about because if you’re passionate about, it’s not as much of a grind. I mean it will take a lot of your time, but you won’t be as burned out about it. I know I’ve been in roles where it just been too much and even though I’m only working an eight hour day, I would get home until exhausted and then there’s other roles where I work a lot longer and I’m just as energetic at the end of the day because I feel like I’m contributing positively to the environment and I’m doing good things and I don’t feel as bad um outside of that, like you mentioned, um, ensuring that you can try to spend time with your family and um, I have my wife nagging me making sure I do uh spend time with the family. So, um, I have that reminder here and there as well. So um just try my best to do it, I can good. Yeah,

[00:25:45] Evan Francen: I think for me, you know, it comes down to my support, you know if my, if I didn’t have my wife and my family, uh I’d be collecting dust behind a keyboard somewhere because she does keep me honest, you know, she, she will nag me a little bit and it’s not nagging. It’s, it’s a loving like urging that hey, it’s probably good for your health and good for relationships if you step away for a minute or two and so I give her a minute or two and then I get back to work.

[00:26:18] Brad Nigh: I was getting a little bit with the mentor program where you’re at the office more than you were at home. Okay. So yeah, I ended up being able to take off hour and a half early on friday nights so

[00:26:35] Evan Francen: well and we encourage that here, you know, truly, you know, I think it helps when your employer, I hope it helps when your employer really encouraged that you know, don’t you have to keep it in balance. It’s even part of one of our core values. Work

[00:26:50] Brad Nigh: hard, play hard, right? Yeah. Working for somebody who is a seat watcher is just soul crushing.

[00:26:57] Christophe Foulon: Yeah, I definitely agree. Uh some of the other things that I do is um I try to schedule it extra activities within my lunch time, so that’s why my podcast is at noon um because I started it with an employer that kind of did watch um when I was doing things, so I just got in the habit of um doing extra activities like that around noon. Um so it wasn’t an issue because this was my lunch time, so I was not being productive at the time.

[00:27:32] Evan Francen: Yeah. Yeah, I can see that. Well hopefully, I mean and the thing is with our within our industry being that there is so much opportunity, if there’s an employer you’re working for that, it’s not a healthy work environment or it doesn’t fit with your own balance because I think everybody’s balance is different. My balance is different than brad’s balance doesn’t mean minds better or worse, it’s just different. And you know, if culture, if balance doesn’t fit, then go find another job because there are there are other opportunities out there and having the confidence in yourself to to do that because it’s just not worth it. It’s not worth killing yourself where you’re or your personal life

[00:28:13] Brad Nigh: job,

[00:28:15] Christophe Foulon: that’s actually where I started using buffer because um I was working for an employer at the time and you’re like, oh he’s posting too much on social media and I’m like, but I’m I’m not posting offers posting like and they didn’t believe me, so at one point I adjusted, I adjusted the time to look Harris starting at nine and post during the lunch hour it and the post after work, I’m like that’s the most modification I’m going to do because so certain point like I don’t want them uh my social life um That much sure they can have code of conduct where I’m not going to represent them in a negative manner just by working for them. But I’m still going to share useful information and I’m not going to let them control that aspect of my life. Right?

[00:29:05] Evan Francen: When you mentioned the thing to where they didn’t believe you. I mean it’s so unhealthy when an employer doesn’t trust you. Right? I mean we’re adults most in most cases. I don’t think there’s any child labor for security yet. Is there? We are trying to teach kids young but yeah we have boundaries. All right. We’re gonna say some bread. You look like you want to say something you like breathing. No no no. All right because sometimes I cut bread off too because I talk too much but that’s me. Uh any kind of cool things that that you’re working on now?

[00:29:42] Christophe Foulon: Uh No I just finished up charm. I submitted uh talk for D. C. So seeing if that will come through um It’ll be a similar talk that I did at. Um Besides nova which was based on cyber resiliency and um I learned a couple of things from the last stock learned a couple of things along the way that um I could spice up the talk and make a difference. But um it’s more of a one on one on one type talk to show businesses and I. T. People that um that to really do interact and um just thinking of security for security sake but not taking the business into consideration um Is definitely the wrong approach. So when you when you approach cyber resiliency you have to you have to think of how business resiliency interacts with it.

[00:30:38] Brad Nigh: So I’m actually going to be speaking at uh secure 360 In what two weeks the 15 weeks and it’s on you know, D. R. doesn’t have to be debilitating and it’s it’s almost the same thing. How do we get a night version? How do you get the business by in how do you make a successful DDR program? What’s included in it? Because yeah you can’t do it without the businesses. Buy in and support.

[00:31:06] Evan Francen: Yeah. Are you speaking the day we were both speaking the same day? That, wow are we competing for audience? No

[00:31:14] Brad Nigh: I met 10 and thank your three

[00:31:16] Evan Francen: or four in the afternoon In the afternoon. It will be fun. I don’t know what I’m talking about yet. Well I’ll be in next week in Los Angeles. You

[00:31:28] Brad Nigh: Know it’s the same the same week I sent the 12th or 13th. Then you’re flying back and speaking the 15th they asked me if I could do it and I’m like if you need and then

[00:31:41] Evan Francen: you took the bullet. All right. Yeah. Yeah that’ll be fun. Well I’m talking about so on friday I spoke about to the cloud security alliance. Um fender. No third party information, security risk management. I’m a literal guy. So I used the big words. Many use the whole words like third party information security risk arrangement. That’s what it is. Like vendor, vendor risk management. A lot of people called V. R. M. That’s bigger. Right? Usually third party information security risk management fits within risk management. But anyways friday afternoon three. No, like two o’clock in the afternoon. Who wants to talk about third party information security risk management. Very lively crowd. Yeah. And I was like, God. So I had I had I had to do three dad jokes. Take it to them to keep people awake like All right. Anyway,

[00:32:41] Christophe Foulon: well, that’s one of the cool things about like the besides conferences, is that your audience wants to be there. It’s not like they are being paid by their employer, forced by the employer to go there. Your your audience makes the whole difference. And um, and your energy as well.

[00:33:00] Evan Francen: Yeah, for sure. So you mentioned you didn’t talk at B sides nova. Is there a place where people can get a copy that? Was it recorded or anything?

[00:33:10] Christophe Foulon: Yeah, I can um send you the link for the show notes.

[00:33:12] Evan Francen: Yeah. Yeah. I’ll post it in the show. No, it’s kind of an errata. So what they call that when you add something on to the end. E R A T. But it’s a big word. It is a big word, but I don’t know if you knew this, I’m an author so I’m allowed to use big words you’re expected prior to that. No big words. All right well good. Yeah because I’ll post that because one I’d like to definitely see it and I’ll post the link uh you know some of the links to because I want people to be able to find you because we believe I do and I’m sure brad does too, I believe in your mission. I’d like to see it, you know whatever I can do to help. Mhm. We need more more exactly in our industry, one of the things that you posted last week which caught my eye because anything with password in it catches my eye because it’s like what are we talking about now? Um So Microsoft released uh you know on their security guidance blog, an article titled security baseline and draft uh for Windows 10 version 19 oh three in Windows server version 19 oh three. And in the article written by uh Aaron Margo Sis who I had never heard of until then. Um but he writes how Microsoft is planning to drop the password expiration policies out of their security guidance and maybe even out of Windows altogether so immediately, you know, being I am a kind of more of an old school security person, I knew the reason why we had those things, we had those password policies for a reason it wasn’t just because we like making people’s lives difficult.

[00:34:52] Christophe Foulon: Well actually when you talk to the individual that created the original miss guidance um he admits that it was just because he thought it was the right thing to do but they had no studies to show that it was actually helpful.

[00:35:13] Evan Francen: Oh right that it wasn’t helpful to have the password expiration.

[00:35:17] Christophe Foulon: Exactly because it caused users to do all the same things that we harp them not to do create simple passwords um and sequential numbers on them at predictable symbols on them uh write them down things like that that initially when he created the guidance that they had no um they had no research showing that if you had a password out for a long time um that had some of the issues because back then you didn’t have the breaches that you do today. Um So it might have changed if he created them later in life. But back then he said no I just made it up. Well that

[00:36:05] Evan Francen: and the issue I have with the password removing password expiration policies is because people will still choose, it’s the only reason why we would ever have it is if there was reason to believe or a likelihood had increased that the password has been compromised and so meaning I had given it to somebody, I reused it somewhere else where there was a breach and the password has gotten that way or something without a password expiration then that password is still good and it will remain that way until somebody changes it.

[00:36:38] Christophe Foulon: Yeah. And they still has that guidance that if there is evidence of compromise that it should be changed. But how would you know? Well you could utilize threat intelligence, you can have these monitoring the dark web. Um You can use things uh I’ve been on from troy passion that’s word that you can scan your your passwords against to see if you have passwords within your A. D. That are tied to those. But

[00:37:13] Evan Francen: still human behavior is people still share passwords. I mean people like my wife wants to give me your password all the time to things you know,

[00:37:21] Brad Nigh: I think the other issue is is yes you can do those things but we’re seeing most companies don’t work. Cantor don’t implement them correctly. So it becomes

[00:37:34] Evan Francen: more sophisticated security programs might have that. But even some of the most sophisticated ones we’ve seen are terrible at it. Yeah. Yeah.

[00:37:44] Brad Nigh: Yeah. I think the issue, I’ve I’ve been going for pass phrases. I’ve got Things going back to 2011 at previous jobs where I was like we got to go to this, here’s how you do it. So this is something I’ve been on for a while but it still comes down to how long are you willing to be open to a compromise password if you have multifactor enabled. Sure then absolutely. You can go much longer indefinitely but without those additional controls in place.

[00:38:15] Evan Francen: Yeah I mean I can see where they’re going to mean I think

[00:38:19] Christophe Foulon: it’s and now you have conditional access that you can add as an additional layer to even um restrict it down further. So if you’re not coming from a certain I. P. If you don’t have a factor um then you don’t even get an attempt at it.

[00:38:34] Evan Francen: Well assuming people put that in the. Oh yeah that’s the problem. You know I mean the when at least password expiration policies, you know, I would say, you know, more than half of the organizations, you know have that or some semblance of it probably configured uh organizations. You know, if you think just in our own experience that have any semblance of a threat intelligence capability, At least an actionable 1 uh You know, less than 5% maybe. So I think, you know, this probably works really well for organizations that have a pretty sophisticated information security program where they’ve got threat intelligence capabilities, they’ll know with some amount of certainty whether password has been compromised somewhere. Uh But I think for the vast majority of the other, you know, 80, organizations, they’re going to take this guidance and say, oh we can turn off password right,

[00:39:39] Brad Nigh: that’s my concern is exactly, you’ve got Maybe the Fortune 500 Fortune 1000 that could do this. But what about all the small medium mid sized companies that have you? No one person or have an MSP as their only source of anything around it. And they’re going oh well I don’t have to have password expiration anymore.

[00:40:02] Evan Francen: Well that’s one of the challenges to with just security in general is we for some reason I tend to forget that it’s not a one size fits all right. So you turning out password uh expiration in your environment might make perfect sense in mine. Never. And so if you have this just kind of wholesale guidance that that get that can get dangerous.

[00:40:28] Christophe Foulon: Yeah and that’s where the education comes in and I think just by them setting it as um part of their security baseline, there’s a lot of other insecure things that are in um baseline configurations for windows. Um That as most society men’s turn on their systems they change um but like disabling services that they don’t use, that’s where we come in to help educate the business that there should be something that they should do. Um But in regards to past helping set better password hygiene. Um One of the tools that I use is one password and its description service can be for individuals um for families, for businesses and um when you do get their subscription it does have that monitoring of um Troy Hunts database and it can tell you when you log in to go get your password which hopefully you’re using unique passwords. Draw your web. If not it would say, hey, um these are where all your shared passwords are and they’ll tell you every single site that you’re using the same password on um within that password manager. And then they’ll also tell you, hey, these are uh these sites have been recently breached. Um there’s no evidence that your password has been breached but you might want to change it. And even we have seen that this user name and password combination has been found within breach details. You might want to change it.

[00:42:07] Evan Francen: Sure. Well, and I think um, so you know, I always think, you know, we sort of started, you know, some of this discussion with, you know, studies in science and you know, those things and I wonder what percentage of passwords that have been compromised threat, intelligence services even know about.

[00:42:30] Brad Nigh: It’s yeah, it’s only what’s going to be posted

[00:42:33] Evan Francen: because one of the things I know in our industry just over the years is how data poor we still are because people don’t like to share obviously their, you know, their dirty laundry. Uh so that, you know, but again, I’m not against it. I think in certain environments it makes a lot of sense, you know, to reduce our password requirements. You know, certainly if I’ve got multifactor everywhere, which would be awesome, then, you know, it’s even more of a reason that I don’t need to have this control. But the one of the things that I that I that I fear is, you know, I think there’s probably more than half of the businesses or environments need it still as a control. And they’re going to have a lot of consultants out there are going to be saying, hey, you don’t need password expiration anymore. And then you’re also going to have a lot of clients saying, hey, we just read the guidance from Microsoft or read the guidance from N A S. T. Uh we don’t need password expiration anymore. So we want you to take that away from our audit, finding our assessment, finding it’s just like, well, but you’ve got to have these other controls in place that you don’t

[00:43:52] Brad Nigh: and you know, yeah. One of the, there is some good stuff in there. Right? How to make it longer stronger. Things like that. We’re, it’s funny, I’m doing the ways that compass mentor program with a high school student uh for christoph and one of the things we have to do is a shared teaching. Uh, so and he picked passwords so we put together like a slide deck on, how do you create a strong password? How showing, You know, spring 2018 is compliant with your password policy, but it’s not a secure password which by the way Christoph, you’ll get a kick out of this. I did, we do a training around that with Companies and after one I had somebody actually come up and say, so if my password was on the screen, I should be changing it.

[00:44:43] Christophe Foulon: It’s like, oh, but

[00:44:48] Brad Nigh: it’s, there’s easy ways to make it stronger. People don’t realize using proper grammar. Even if you use spaces and commas and periods or whatever funk chueh shin. That’s a really easy way you can put in, you know, to be or not to be with commas and that’s a, there’s an easy way to remember that stuff and they just don’t get that.

[00:45:15] Christophe Foulon: And then in that if you’re a unique word for each site that you use, even if you don’t change it, um, you limit your tech sector. Yeah. You’re using a unique password only. That one password is unaffected.

[00:45:34] Evan Francen: True. Yeah. Yeah. I think there’s definitely pros and cons and I think it’s definitely so I mean you could, it’s worthy of a much longer debate because I would see it working in some places like here potentially. Well even here, I mean we’re a security consulting company and there’s certain people here that I would never trust to not have your password change and me being me and you being you, I don’t mind that my password expires every so often. Yeah. I mean it’s like okay, you give plus I have a nice warning because Microsoft so nice to me. They say, hey, you got, you know weak now you got to do that

[00:46:17] Christophe Foulon: because you probably have great people that have considered that warning or tested and verified that that warning work. Um I’ve worked in some organizations where that warning doesn’t work or it comes up one day before or it comes up that day and they’re like okay let me x that out. I’m in the middle of preparing a presentation right now and then they lost their machine or in the middle of the presentation. Why why doesn’t this power point want to work? Well it was stored on a network drive and you just got locked out from the network

[00:46:52] Evan Francen: we call that we call that justice.

[00:46:54] Brad Nigh: Uh huh.

[00:46:57] Evan Francen: All right. Well good good stuff. And I think like I said, I think you know, I like the difference. I’m a big fan of different perspectives. You know in different opinions and uh and this is one I think I mean the password debate has gone on since forever since we first had passwords. So yeah, I always appreciate it. Um Well we’ve got some news things and then uh we got about eight minutes left because I don’t know christoph you probably have things to do today. Uh I don’t, I’m kind of kind of the boss so I can do whatever. No, actually

[00:47:35] Christophe Foulon: do you have that liberty? Yeah. Well, but

[00:47:39] Evan Francen: you realize that you know one of the things from, I thought when I became this was before I became this was like asking me so awesome. You have so much freedom. You’re going to call the shots. You know, you’d be the man in charge

[00:47:53] Brad Nigh: just totally different responsibilities

[00:47:56] Evan Francen: buckets. Was I wrong? It’s uh, you were, there is no free? T, I don’t control anything. I don’t control my schedule. I don’t control nothing. Anyway, I’m just, that was a little bit of a complaint. All right. So first news Facebook, you know, this was in the news last week. Big fine, $5 billion. A lot of Zeros.

[00:48:20] Christophe Foulon: I don’t think that there was a fine yet. I think what you’re reporting was that they disclosed in their financial disclosure documents that they were preparing for a fine and they were preparing to put aside up to $5 billion dollars on the side And um, I was listening to, I listened to cyber wire and um, some other security podcast. And then in addition to that they were expecting another $3 million, um, from a separate find possibly from Europe for the Cambridge Analytica. Uh huh Yeah,

[00:49:00] Evan Francen: Yeah. It’s a Yeah, billion. What do they have in cash? Like 25 million.

[00:49:08] Christophe Foulon: It’s a drop in the bucket for them. But um, their, their stocks went up I think because they’re investors at least see them being prepared for it. Um, that they’re not too worried. But when you think of all the privacy things that they’ve done. Um, I would hope that more people have been outraged because they said, oh, we’re going to work on it. We’re going to work on it and they haven’t, I think because they have that all that extra cash that they could just drop on fines and just keep on going.

[00:49:41] Brad Nigh: Yeah I saw something, the five billion was like 5% of their projected profit for the year or something like 5%.

[00:49:50] Evan Francen: Well yeah, I’m skeptical because I’ve I don’t know, I’ve seen so many times when big companies have said they take these things seriously and they’re going to change their ways and they’re gonna, you know, they take privacy real seriously and but they don’t

[00:50:08] Christophe Foulon: when they say they take it seriously. It’s usually when they don’t. Exactly

[00:50:12] Brad Nigh: right. That’s when the regulators are looking at them and scrutinizing everything they

[00:50:17] Evan Francen: say. So I’m not a big, I like facebook for what it does in terms of some things, right? But just like any technology, it’s got a healthy side and a really ugly side. And the ugly sides

[00:50:29] Christophe Foulon: ugly. Yeah. Speaking of the ugly side. Um I saw you posted the article about brian Krebs uh doxing a security researcher. Um

[00:50:41] Evan Francen: Yeah, it cost a drama.

[00:50:44] Christophe Foulon: Yeah, he does a lot of good work. But I think this is where one of the times he’s crossed the line. Yeah,

[00:50:51] Evan Francen: I would agree to but you know you have to take into I think the the full body of work. You know I mean we all make mistakes and I and the fact that brian deleted it afterwards shows that there’s probably some regret for having done it but what was done is done. I think in our industry sometimes we’re sometimes it’s hard to forgive people for making a mistake. I don’t think he would do it again.

[00:51:18] Brad Nigh: He’s done a couple of things in the past where he had posted some like CVS of people that have left really negative nasty reviews of his book or is he really? Yeah I did some digging because I was surprised by this but I mean given how public he is and how many just cheap shots he has to be taken on. I can understand why how you could just be like enough and kind of go off but flip side is your public persona you just can’t do that

[00:51:50] Evan Francen: kind of comes to the territory don’t. Yeah

[00:51:53] Christophe Foulon: and then he also uh forgets that the internet doesn’t forget and you have a web archives then you have services that are taking screenshots of everything that goes online. Um and those are harder to scrub. Yeah.

[00:52:11] Brad Nigh: 11 thing real quick you had a couple of the articles but one thing I wanted to talk about that I saw this weekend was with slack did you see in their I. P. O. Posting that they think their target for organized crime and nation state hacking and they don’t have an encryption

[00:52:30] Evan Francen: right? Yeah. Yeah. Yeah sometimes you just don’t know what to

[00:52:37] Brad Nigh: say how many

[00:52:39] Christophe Foulon: companies use. Yeah how

[00:52:41] Brad Nigh: many confidential conversations. Yeah

[00:52:44] Evan Francen: and you can transfer files and yeah, you name it, poof. Well let’s hope God, I don’t know, I wasn’t prepared, I wasn’t prepared to talk about that one. Right? I know, I just saw it this weekend because I don’t know how in something like that you would not build into end encryption into. Right? Right. And and and the fact that we find out about it now, even even I I feel a little guilty because we use slack, right? And we didn’t vet that we didn’t. I know, so

[00:53:18] Christophe Foulon: I think a lot in the security community you’re going to be reeling from that one, especially when they’re like, oh yeah, we used signal and uh as much as we don’t want to use WhatsApp, at least it’s a good alternative because it does provide that encryption. Um and then they gave Skype a hard time when they weren’t doing it. Um but yeah, yeah,

[00:53:40] Evan Francen: I feel kind of guilty that I didn’t know, yeah, oh wow, can’t know everything uh to other things. Uh and well just so one was just the Nigerian ISP accidentally hijacked the internet. That was interesting. It was, you know, it is what it is, but the other one, I think it’s more relevant to, you know, you christophe to me to us is uh you know, cybersecurity job openings boom. Uh so they’re hiring and the pool of us job seekers is shrinking. So we’ve got the gap is widening uh what were your thoughts on that?

[00:54:19] Christophe Foulon: I think it comes back to that miscommunication that we kind of talked about earlier where um, on one side of the house, you have these long list of job requirements that um, organizations are asking for or you’re expecting to have, um talent that’s 100% able to complete the task that they need to get done. And then you have new individuals that are coming into the field or individuals that have been within their for 3-5 years that haven’t had the opportunity to learn of, learn of the new things that are coming along. So then they became become stagnant within the industry and um it makes it hard to catch back up.

[00:55:05] Evan Francen: Yeah, yeah, I agree with you. And it uh because I’ve heard both sides of this too, I’ve heard from people who are trying to get into this industry who can’t get hired and so they’re like, well there’s no way that there’s a job shortage because I’ve been trying to get in, but I think like you’re saying too, the expectations are unrealistic for the hiring managers. I mean you’re trying to hire somebody who and then you go and then you want to pay them half the time. I mean, if you did actually find a unicorn that looked like that, it’s going to cost you twice as much as what you’re willing to pay because they’re in high demand? Uh

[00:55:42] Christophe Foulon: Exactly? I mean, kind of like see those um you have a they fired from one role or let go from one role because they had a breach which may or may not have been in there throw and they walk across the street and they’ll get a job before the day is done.

[00:55:57] Evan Francen: Yeah, that’s very true. Very true. Mhm. All right, well uh this kind of brings us to the end. I could seriously christoph I could uh we could have doubled the time on this. It really is fun talking to you. I like your perspective. I like your Take on things and I like how we don’t agree 100% on everything. That’s what’s beautiful about our industries, this diversity, this different perspectives. So, I really appreciate you coming on today. Hopefully we don’t run over too late and you’re not going to miss a meeting or anything.

[00:56:29] Christophe Foulon: No, No, I’ve had people coming in the conference room, so I gotta go right now, but thank you so much for having me on. And I’d love to come back sometime in the future.

[00:56:39] Evan Francen: Yes. Yes. Let’s keep it going. Thank you Kristoff. Take care. Have a great week.

[00:56:42] Christophe Foulon: Have a good day. Bye bye.

[00:56:45] Evan Francen: All right. So what do you think?

[00:56:48] Brad Nigh: That’s good.

[00:56:49] Evan Francen: That’s cool guy.

[00:56:50] Brad Nigh: Yeah, definitely. In the same vein is what we’re doing just a little bit of a different perspective and you know, again, that’s what you want. You don’t want all Yes men, You want that the variety to

[00:57:04] Evan Francen: be able to. Yeah. And for a guy with, with uh the number of years of experience that he has. I mean he his his experience far far exceeds the number of years. You know, because I think he’s so passionate. He learned so much and a lot in. Yeah. And what he says is credible. You know, I love it. So that was really cool. All right, well that was a full show and again, special thanks to Christopher for visiting. You gave an hour of his data to sit and talk to a couple of yahoo’s like me and you, Yahoos probably had a big breach. Let’s not call ourselves. Yeah, that’s true to call ourselves something else. Uh Don’t forget you can follow me or brad on twitter. My hand are handle. Do you call it handle? My twitter handle is @EvanFrancen and Brad’s is @BradNigh. Also email us on the show, let us know what you’d like to see more of if you like to having christoph on, let us know. So you get more guests like that. Um, insecurity at proton mail dot com and how you can get a hold of us. Uh and we’ll be posting some things on the show notes page on how to follow christoph and you know, see what he’s got going on. That’s it. Right, All right, have a great week.