Incident Response Planning within Local Government
Evan and Brad are joined in episode 13 by Jim Nash, who is the assistant minority leader for the Minnesota House of Representatives and also a member of the FRSecure family. Naturally, the state of security in local government and in the state of Minnesota were major talking points this week. In addition, the guys chatted about incident response planning and current events like Apple’s FaceTime bug.
[00:00:23] Evan Francen: Okay, here we go. Today is Monday, February 4th, 2019, and this is episode 13 of the UNSECURITY Podcast. My name is Evan Francen and joining me as always is Mr. Brad Nigh. Good morning, Brad, how are you?
[00:00:36] Brad Nigh: Good morning, slippery little icy out.
[00:00:38] Evan Francen: It is icy out. Also joining Brad and I is a special guest, Assistant Minority Leader of the Minnesota House of Representatives and FRSecure’s Chief Storyteller. Welcome, Jim!
[00:00:51] Jim Nash: Good morning everybody.
[00:00:53] Evan Francen: Jim Nash. I should say what Jim works around here.
[00:00:54] Jim Nash: I’m the only one. Okay, but there are Jims elsewhere.
[00:01:00] Evan Francen: There are other Jims. That’s a, that’s a popular name. Yeah, I should have thought about that.
[00:01:06] Jim Nash: Well you weren’t there when my parents were naming me.
[00:01:08] Evan Francen: That’s true, that’s true. Well, as you know, today is my day to lead the show. We had an eventful week last week. I had all sorts of travel issues and you filled in for me and all kinds of different things, Brad. We have the polar vortex. We all survived the polar vortex. It was pretty sporty.
[00:01:26] Brad Nigh: I heard it might be making every turn next week or something. Oh God,
[00:01:30] Evan Francen: I hope not. Maybe not
[00:01:32] Brad Nigh: as cold. I don’t know.
[00:01:33] Evan Francen: I got back from two days in New Jersey. Uh, so my currently truck was parked outside in 27 30 below weather. And my flight got in on Thursday morning at one a.m. Because I don’t want to spend an extra night anyway if I don’t have to. So I got in at one AM and I’m like oh my god it’s my truck gonna start and I go out there and finally that it turned over, thank god. So then I went back into the I don’t know, waiting area or whatever, let my truck warm up a little bit because it’s 27 below and get back in my truck, go to pay to get out, you know and you put your window down, run your card. My damn window wouldn’t come back up. Yeah 27 below with 1:20 AM. I’m not calling my wife. There’s no way that’s happening because you never go back up. Well so I pulled over in like 20 minutes. I was trying to get back up. Still couldn’t get it back up. So then I thought well What’s it like to drive home on the highway at 27 below
[00:02:42] Brad Nigh: 27 below. Somebody was asking me what’s it like with the wind chill of 50, like the air temperatures 30, it’s just stupid cold no matter what, you can’t get any colder at that point. So
[00:02:53] Evan Francen: I’m at terminal two. Yeah, I’m a terminal two and I’m like well I’m gonna I’m gonna I’m gonna give it a run. So I drove from Terminal 2 to the holiday, which is what may be
[00:03:03] Jim Nash: a third of a mile. Yeah,
[00:03:05] Evan Francen: it’s not very far. And just that small drive, my left side of my face went numb. My hand is stinging my son of a gun. So I pull off at the holiday. I’m like, I’m not gonna make it. Yeah. And I’m really mad now. It’s like almost two o’clock in the morning. So I take my keys, throw them on the, throw them on the dash and go into holiday to warm up, Come back out, start my truck window goes
[00:03:31] Brad Nigh: up.
[00:03:32] Jim Nash: Just need a little bit of
[00:03:33] Brad Nigh: heat. Yeah, he’s sitting in the door, broke it for you. The ice first.
[00:03:38] Jim Nash: It was probably the curse
[00:03:39] Evan Francen: words. You said that scared it back
[00:03:40] Jim Nash: up, man.
[00:03:42] Evan Francen: So that was my poor.
[00:03:43] Jim Nash: We had we had a burst pipe at the house. So apparently the previous owners of our home waved a picture of of insulation over the places that the pipe froze or they thought about the word insulation. So we that was exciting in all the worst ways. Yeah,
[00:04:04] Brad Nigh: I will say my basement stayed at 60°. So my insulation. Well, I’m very happy with that.
[00:04:12] Evan Francen: My flights got canceled. So I shut down Chicago. That was just a crazy
[00:04:17] Jim Nash: people. That’s not a bad thing though, Chicago needs all shutting down. I
[00:04:20] Evan Francen: know, but man, I had a really, really important meeting, which will be one of the things we talked about in the podcast today, is the importance of incident response. And so this meeting in, in New Jersey was an incident response team meeting where executives were present. We really had to nail this thing. So I would have walked there. It was really important to get there. Some of my flights were cancelled out. Duh. Anyway, made it through, polar vortex is behind us. Until you said next week you’re gonna get a
[00:04:51] Brad Nigh: potentially with the new employees starting and he was messaging me going, what? I thought it was good. I waited long enough heard he’s coming back so kitten, it’s love, it’s never enough. Right.
[00:05:05] Evan Francen: So what else do we have less? We had some board meetings. Travel stories already went into a little bit of that. You had a panel discussion? Yeah, that went well,
[00:05:13] Brad Nigh: 150 plus lawyers, lawyers. You need to, Chad and myself talk about policy and procedure. And it wasn’t, it was funny. The topic was policy and procedure and it really went to just how do you build a good security program, is ultimately what it came down to. So I got my, got a couple of jokes in. And were they lawyer jokes? I didn’t, no, no. My first one was where’s the safest place to hide a body? Second page of the Google search results. So that was what I led off with after we introduced ourselves and got some chuckles. I gotta loosen them up a little bit, but we got some really good feedback and you know, I think we’ve had, gosh, 10 or 12 people reach out to us afterwards looking for some policy advice and some help around that. So
[00:06:02] Evan Francen: lawyers don’t typically admit that they,
[00:06:05] Brad Nigh: I told him that I was like, we had in our policies, you must do this, you must do that. And we got tired of fighting with lawyers about saying, well, if you’re saying you must do it, then how are you enforcing it and proving that it can be done. So we’ve changed it. You should be doing this should be doing that. It’s it’s still pretty strong. Well and they do it to the lawyer. Speak of, Yeah, you should ambition to do. I’m like, no, no, that’s where I draw the line. I’ll compromise with you on this. But we gotta keep some teeth when
[00:06:37] Evan Francen: I’ve had a lot of discussions with lawyers on this very topic, we could do an entire podcast just on whether my policy should say should because there’s two schools of thought and I don’t think one is I don’t even ones wrong and ones right. It’s just different.
[00:06:55] Jim Nash: That would be a good thing for me to get as well because later this spring I’ll be presenting to a whole wad wad the collection
[00:07:05] Evan Francen: lawyers group. You use the word Matip foolish
[00:07:08] Jim Nash: mellifluous. Yeah. So anyway I’ll be, I’ll be speaking to a room full of lawyers in California that one of our clients called and ask for me to go out and speak. But um one of the things is the bar opinions on certain things as to what you should or should not be doing. So I’ll come pick your brain has as it gets closer. Cool. And ask for some good lawyer jokes.
[00:07:31] Evan Francen: We were working enough with lawyers that we got some good jokes. All right. So we have a lot to cover this week in this week’s episode. So we’ll dig in. We’ll talk about incident response, the importance of incident response. We’re actually gonna get to that really quick, uh, really soon. And then we’re gonna turn it over to Jim because we have Jim here for a reason. I want to talk to him about some of the things that he’s running into or working with, his job is, I guess. I don’t know. Politics is hard, but can be. Yeah. All right. So, the importance of incident response. We have, I have one that I’m working on right now. Did you get one last week
[00:08:14] Brad Nigh: too? We were talking to someone about it. I don’t know if they actually ended up with that. Sadly I was off on Friday. Yeah. He had a day off. Had a day off. Okay. So I have to check on that and see where it’s at.
[00:08:26] Evan Francen: We were talking last week. So one of the incidents that I’m working on is just an employee, uh, misuse we’ll say, you know, it’s bigger than that and it’s a criminal action. But um, you know, and I had a great meeting last week, coffee Friday with Mark Lanterman and
[00:08:45] Brad Nigh: Mark. He spoke on the 2nd day of that conference.
[00:08:49] Evan Francen: Yeah. And I think we should have him because he’s very good at talking about forensics. He’s got some unbelievable stories that he could share with the listeners. Uh, but in the calls, one of the things we talked about last week is in the calls that we get for incident response. We get what, maybe two a week.
[00:09:09] Brad Nigh: Yeah. We’re trying to get 46 a month. Okay,
[00:09:14] Evan Francen: partner. And one of the things we talked about when hanging out on Thursday was how many of those companies that call us with an incident have an incident response plan? Yeah. And I can’t, I
[00:09:28] Brad Nigh: can’t think I still I was thinking about that and I don’t think any of the ones that I’ve dealt with had Had one had a formal plan. Right.
[00:09:37] Evan Francen: And so I was out last, in New Jersey last week working with this company, um, who didn’t have an incident response plan. Uh, they thought they did, right. They had a document that nobody had read that was stored somewhere. Um, well that, that’s not good, but we’ve spent, it’s a larger company. So we’ve spent the greater part of 56 months building a plan the right way. Right? I mean, it does take work. It starts with a policy which, you know, policy really well, then it’s a plan to support that policy. Uh, this plan is a 28, 30 page plan, uh, which is high level guidance on how we’re going to handle these incidents from, you know, initial triage, incident classification. I’m a big fan of classification of an incident, but I know that some incident responders don’t like classifications of incidents for whatever reason. I’ve seen other plans from other companies. I like it because it dictates the first response. Right? What I’m going to do from here. It’s not that I don’t reclassify the incident, it’s an initial, yeah, it’s an initial classification so that I know which teams to assemble, who to notify, how to handle communications, um, all kinds of different things come from that. So you build that out and then you train kind of the tactical incident responders, which is one team, and we did that over the course of two days. We called it an information security summit. It was really a working session, really dug in deep in all kinds of different incidents. And then it culminated with last Wednesday. Now we’re going to get the incident response team, because those people are executives, they’re the ones who need to make the decisions, here’s what we’re doing. Yeah, they need to provide direction to the tactical people. Uh, and it was funny because when I, I get there a day before, I get there on Tuesday and we’re sort of preparing people, you know, they hear that I’m there. So they’re like, when they heard that I was there, I think they wanted to come and bitch to me like, two hours, Evan, really you want to spend two hours with us? Because you’ve got the CFO, the chief legal officer, the CTO, the CIO. They’re all in this meeting and none of them want to spend two hours on this.
[00:12:08] Brad Nigh: Right? Yeah, busy. And it’s yeah, it’s security.
[00:12:13] Evan Francen: Right? And so I said to the CIA, look, this is your incident response plan, it’s not my incident response plan, right? If blank hits the fan, it’s your problem, not mine. Consultant, I’ll come and go. This is your plan, you have to live with it. And I think once you kind of, that reality hit them, it’s like, okay, fine,
[00:12:37] Brad Nigh: great, grudgingly accept your neck. All right. Yeah.
[00:12:43] Evan Francen: So we have this two hour meeting. Went through the plan. I had 37 slides and that was another thing that everybody was bitching about, 37 slides.
[00:12:51] Jim Nash: Well, I would bitch about that myself. Right? But it’s about 15 to many.
[00:12:55] Evan Francen: Well, whatever, your incident response plan, so, you know, so two hours is two hours. We go through the slides and the engagement as you kind of went through this was really, really good, perfect spend of two hours. I think at the end I had a couple of the executives come and say that was really good. Like, good, because it’s your plan. I’m trying to make this really good. So full circle, this is a good sized organization, right? Been in business for many years. They didn’t have an incident response plan. So even big organizations don’t have these plans. So it’s not just small to medium sized companies that don’t have incident response plans. It’s big companies too. Uh
[00:13:39] Brad Nigh: huh. Yeah. Yeah. I think that that was one of the biggest surprises to me when my background is more in that small to mid size too. Sub enterprise under 5000 employees and working with some of the bigger companies now, it’s just still like really, how do you guys, how did you get to be tens of thousands of employees or hundreds of millions in revenue without some of it? Like, wow. Yeah, it’s universal.
[00:14:13] Evan Francen: Well to me, incident response, having an incident response plan is so important. Usually it’s one of that top three top five things that I’ll do with an organization when you start building the security program with formality because I don’t want to dig really deep into any part of your information security program without without having an incident response plan. Because what happens if I find an incident? Right, well and I got no plan because I do intend on digging deep here. I don’t want to be caught with my pants down not being able to have an effective response.
[00:14:51] Brad Nigh: That’s funny you mention that. I just saw this, we have today internally an incident response plan and coaching process review today from 1:30 to 3, with the client or, no, to train our own analysts on how to go around doing that. Very, very topical topic.
[00:15:08] Evan Francen: Well because yeah, I mean just think all of this through, right. We know that no matter what we do, we cannot prevent all bad things. Right. Right. So an incident is imminent, it’s going to happen, guarantee
[00:15:20] Brad Nigh: nothing risk. Right?
[00:15:23] Evan Francen: Yeah. So you manage risk, you try to make it, you know, is as less impactful as possible. Try to reduce the likelihood. So it won’t happen as often, but when it does happen you have to have something.
[00:15:37] Jim Nash: Well, let me ask you a question though, Evan. So you were sharing that somewhere along the way you were asked if our own company had a FISASCORE. Um, two, when did we have an incident response plan?
[00:15:53] Evan Francen: When did that happen? Once it become, once it became impactful enough. So when we were 23 employees didn’t really
[00:16:01] Brad Nigh: spice players ever will fix it. Yeah, he’s got it.
[00:16:06] Evan Francen: But as I think as you know, an organization grows and it becomes more and more complex, you have different people that have to make different decisions. So You know, I would say it was probably 20 fish employees became more and more important and as we grow,
[00:16:23] Brad Nigh: we’re actually due to review and update because we’ve had organizational change over the last year. So yeah.
[00:16:31] Evan Francen: And I think it’s becoming so a lot of the reason why we build security programs to is to provide some defense ability for executives, right? For the people who are ultimately responsible for the security program. You talk about lawyers. Right, right. This is a very litigious world we live in. So if if I haven’t managed risk, well I can be held liable potentially. Right, negligent maybe um in my opinion, knowing that I can’t prevent all bad things from happening. And I mean logically that leads me to I have to have an incident response plan. So I don’t even know if I have a breach and I don’t have an incident response plan. That would be difficult, a lot more difficult to defend. Yeah, I mean I would love, I’m not a lawyer but in that sort of case. Yeah, exactly. But in that sort of case I would love to be a lawyer
[00:17:28] Brad Nigh: on the other side. Right. Yeah. That’s why would you
[00:17:31] Evan Francen: not evidence in response plan? How could that did you actually believe that you were going to prevent all bad things from happening in your organization? No, I guess I never thought about it. So you didn’t give it thought. I mean this doesn’t lead you in a good place. Yeah. So for anybody who’s listening who doesn’t have an incident response plan. Call us. Well, you could call us for sure, get one right? And we don’t and I always have the same two. We don’t work like lawyers, meaning if you call us, we’re not going to send you a bill, right? There’s a lawyer joke, sort of.
[00:18:04] Jim Nash: Yeah. Well, as a recovering sales guy would say, call us. Yeah. So I’m just
[00:18:09] Evan Francen: saying, I’m just saying when we can talk about incident after incident after incident, you know, I have in my notes for today’s show, uh, to talk about an incident or two. And where an incident response plan would have helped. I mean, every one of them,
[00:18:24] Brad Nigh: Right? Yeah, Yeah. I mean, yeah. The most common one we see, I think is we’ve seen a lot of is where the email has been compromised and just having some sort of playing around what, how do we check for this? What do we do if this happens? And it’s getting caught months later, Right?
[00:18:44] Evan Francen: Yeah. And I think the incident response plans to they help if you’re doing it. Well, the last step in the incident response plan would be, uh, we used to call it post mortem. But then people don’t like that word call it what post incident analysis or whatever we call it.
[00:18:59] Brad Nigh: Now, the lessons which
[00:19:01] Evan Francen: would feed back into this loop, right? So, you know, coming out of the gate, you’re not going to have a good plan. Maybe I’ll have a good one, but it won’t be a great, it’ll
[00:19:10] Brad Nigh: be, it’ll be a workable plan.
[00:19:11] Evan Francen: Right? And it’ll be somewhat defensible because at least it shows that you had some forethought here. Um, but one of the things we find often in an incident response is that there’s not good evidence, there’s no good evidence or they notify, you know, they didn’t even become aware of the incident until maybe months past or they tried to do it themselves for a month destroyed evidence. So that plan really helps you get off on the right foot. I think the first four steps of any incident response, anybody can do it when you get to it. Okay. Now I know what kind of incident is. Now I need to call somebody for some expertise.
[00:19:48] Brad Nigh: Yeah, I think that’s kind of a bizarre approach to is do that incident response readiness words, the plan, the architectural review. So looking at your logging alerting standards, what do you have in place around policy? All that stuff are the right things there and then a tabletop which feeds back into the plan.
[00:20:07] Evan Francen: Yeah, I think people get paralyzed to around, you know, we see it with policy where it’s not perfect, keep finding it cheaper finding it cheaper finding and then never actually gets approved.
[00:20:18] Brad Nigh: Just, just start with something right? It’s better than what you had and just improve it as
[00:20:24] Evan Francen: you learn. Even start with like a, a one page document, incident response plan title and that’s it. At least now you got a framework and you start adding stuff to it. Geez, do something. Alright, so that’s my rant on incident response. It’s really frustrating that people just leave them, so leave themselves exposed without any plan. All right. So Jim, what’s happening at the state? Hello, we have a state of Minnesota. I know that Tim Walz, correct, Governor. Yeah, I was looking, for was having issues or trouble finding a CIO. Yes,
[00:21:05] Jim Nash: he was. And I was, I was honored that he asked for me to consider applying for that job, but because my mom didn’t raise stupid children, well maybe one, I declined. But it’s going to be a very difficult job for whomever takes that on for a couple of reasons. One, there have just been a lot of very high profile failures in the last number of years. There have been breaches that shouldn’t have happened. There have been massive software projects that have impacted everybody that’s gone toes up, meddlers, and it’s a beleaguered organization that is not able to get the respect of the legislature, is not able to get funding easily because of these high profile problems, because sort of the natural response at the legislature is when something screws up to deprive them of funding, which has some merit. But then other parts, it’s a really bad idea. I know your least favorite word is cyber security. But when we had a bill to provide more funds to do that with, many of my colleagues made it political. So they were punishing one part of the organization for a massive failure on the other end of the organization because in their eyes, um, all IT is literally in the same office. They’re all doing the same thing, when in reality, you know, there’s the storage folks and the network folks and the database folks and the information security folks. Um, so it’s, it’s a mess and they have an interim CTO right now and they are going to hopefully make that work. Um, again, it’s gonna be really hard. One of the other reasons is who wants that job to make what they were offering, which is not a lot. Um, to do a really crappy job. It’s a big, big role to take on. Well,
[00:23:20] Evan Francen: money’s not everything either, right? I mean you’re walking into a real significant mess.
[00:23:27] Jim Nash: Yeah. My favorite term is a goat rodeo. It is a it is a goat rodeo and I think that it would take almost six years to fully turn the thing around to get your arms around it is probably a two year duration. And by that time folks want things fixed. But I don’t think you can fix it in two years. So by the time you get in and you begin to get your arms around it and you begin looking at what are some of the problems that we can fix early on. People have run out of patience with you and you get fired.
[00:24:00] Brad Nigh: Yeah, that’s, that’s part a 5, 6 years. Oh yeah, long
[00:24:06] Jim Nash: term. Well, so from an information security perspective, they still have 20 something data centers. So in the pre consolidation world, there were 71 different organizations at the state of Minnesota that had their own data centers. They have collapsed them and collapsed them and collapsed them. But some of the most recent numbers were like 26 data centers. Some of them are about as secure as your office. You can break in with a coat hanger and you’re accessing that data center. Um, so the state of Minnesota, and this is not a secret, but the state of Minnesota can’t even get a cyber insurance policy because the exposure is too big. The insurance company doesn’t want to write that because they know it’s going to be, um, they’re gonna be writing checks left and right. Um, so it, it’s a, it’s a, it’s not a good situation. But I also take a little bit of solace in knowing, after I got back from a conference of other legislators, that we’re not alone in this, but we may be close, we may be close, we may be close to the bottom of this. So a lot of other legislators were, uh, they had gotten wind that I had been asked to be the, the commissioner and they said, well, we are not in a good situation, but at least we’re not, you
[00:25:26] Evan Francen: know, isn’t that great? It makes me feel so good
[00:25:29] Jim Nash: on the inside. It’s
[00:25:30] Evan Francen: that herd mentality.
[00:25:32] Jim Nash: Yeah,
[00:25:33] Evan Francen: at least I’m not,
[00:25:33] Jim Nash: you just have to run faster than the slowest guy. So
[00:25:38] Evan Francen: when I talked to people at the state in information security, you know, and I’m one of those guys where I can’t I can’t figure out how to protect something unless I understand what it is I’m trying to protect. And so one of the questions I had asked is, what are you responsible for like around security here? Yeah. And he said, you know, he said yeah. And he said, well everything in the administrative, All right of of this the government. I’m like, well what’s that goes? Well, it’s 90 something agencies and I’m like, maybe something like If you were gonna protect it, I would want to know it’s 92 agencies. These are the agency heads. And this is how, you know that way I could figure out where the
[00:26:22] Jim Nash: boundary is. And I think you were talking to Aaron Call. Yeah, he was a pretty good guy. Yeah, he is very good. What I will say in his defense is that MNIT is, is truly designed to provide services to the executive branch and all of the subordinate organizations that fall underneath that, but MNIT also provides by contract and chargeback the same service to other agencies that were mandated by law. So when he says 90 something, um, it could literally change a couple here and there.
[00:26:55] Evan Francen: So he’s responsible for securing something that changes correctly, which what could go wrong with that, right? That’s an impossible
[00:27:04] Jim Nash: job. It is. And he’s, and I will say that the failures of MNIT in general are casting a larger shadow on the InfoSec people. The InfoSec people do a pretty good job. There have been breaches, but point to me somewhere that doesn’t have one. Um, and they are taking it more seriously than ever before. Um, you know, we’ve seen, I would say a maturation of the, of the information security awareness issue in the general public in the last number of years. Um, but yeah, it’s, it’s a mess. And how do you fix it? I don’t, well, start over. I think that the solution for them is to find somebody like a 60 something former CTO, CISO, whoever, who’s made their money, who has made their name, could give two craps less about whether they make money or not, but they’ve got a sense of civic duty and they’re gonna go in and try to turn the thing around. Um, but it’s gonna be a political nightmare. The first question that I asked when I was reached out to is will I have the ability to make wholesale personnel changes without question, because it’s a unionized shop. And there was this long pause on the other end of the line, and I was speaking to the lieutenant governor at the time, and I said, well, Peggy, if you’re not going to back me up and allow me to make these changes, then I think I know my answer, right? Because some people aren’t adding value to the organization, and to become more nimble and to get through some of that this is how we’ve always done things mentality, you have to let some folks go. Plus some of those people are folks who are supporting applications that are programmed in COBOL from back in the dinosaur ages. And we wanted to talk about standing it down, uh, as a legislator. We want to pull some of that down and move it into a different platform that’s more nimble and securable, and, uh, they put up a fight so crazy.
[00:29:18] Evan Francen: I mean, if you were to equate disks that we do most of our work, we do have government work, obviously. But most of our work is, most of my work is in the private sector where you have a CEO. It’s, I think it’s easier for me to have a, I’m just trying to think, it would be easier for me to have a candid conversation with the CEO explaining that you’re ultimately responsible for this, because his job is different than like the governor, who would be like the CEO of the state, right? Because the governor’s job, just like, I think most, if not all elected politicians, their job is really to get re elected, right? I mean often is that what leads to a lot of the whole
[00:30:02] Jim Nash: of stuff? Yeah.
[00:30:04] Evan Francen: Because I think if you were a bold leader and I don’t give a crap about being re elected, I’m going to do what’s best for the state. I’m gonna do what’s best for the constituents. And I don’t care about the politics. I don’t care about the optics of it. All right.
[00:30:16] Jim Nash: I think you would find that most of us who have been elected are not necessarily worried about the next election that we want to go in and do things that are good for the state, but we get often mislabeled as being protectionist to your next election. I think a lot of them are. I’m sure they are. I me I could give two craps less about getting reelected. I’m gonna try to go and do the right thing. We’ve
[00:30:42] Evan Francen: got private sector skills. Well, if you say so, no, you Yeah. Yeah, Well, that’s good. So, you you have some
[00:30:51] Brad Nigh: No. You know, I think we’ve talked with a lot of, not some states outside of this, sort of a lot of counties and cities, and it’s even at the lower levels. It’s the same thing where it’s just you have a turnover. They can’t compete with the private sector. It’s a small, right, work pool that has these skills, you know, and that one article says the CIO making 150,000 a year for, whether, 40 something billion dollars. It’s like what it says in the article, Target or 3M. The Target at 3M is not paying $150,000 a year for the CIO.
[00:31:35] Jim Nash: I got, I got a couple of calls from people who were in the private sector and they said don’t take that job. And then they read off this litany of things and they say, plus the money sucks. They said, you know, the last time we went out and hired a CIO, a couple folks up here in the Twin Cities are making seven figures. Um, so yeah. Plus I couldn’t work with you guys if I did that. So. Well, I’m staying put.
[00:32:05] Evan Francen: I like you’re here. Yeah, you’re Chief Storyteller and you do a great job. I appreciate that. So you were also, Jim, you’re also, that there was a state cybersecurity conference. You kind of alluded to it just a little bit. That’s the National Convention of State Legislators. They have a cyber security task force and you’re on that. I am. Tell us about
[00:32:25] Jim Nash: that. So the National Convention of State Legislatures, or we call it NCSL, draws on legislators who have private sector experience or an interest level and puts them on various task forces, and I’m on the cyber security task force with just a small handful of other folks from around the country. And we were in Louisiana talking about different issues, and some of the issues I think that are very, very interesting, uh, Brad, you and I talked about this and you and I have talked about this, but the American version of GDPR is a thing and California has really dipped their toe into that water. Along with that, California wrote a bill on IoT policy, which again, you know, California, and the legislator who authored both of those bills said that she did it because she realized that if they did it first, everybody else would kind of have to follow because California being California, they’re the prettiest girl at the dance, or at least that’s what they think, and they’re going to set the tone for the conversation nationwide. Uh, in my opinion, I think yours as well, IoT scares the living crap out of me. I mean there’s, there’s some stuff that you can, you can hack and I know our little team of hackers could probably have a field day, let alone with a larger enterprise that wanted to really make a mess out of things. But um, so those were things that we were talking about. But some too, we’re talking about having as the first part of the conversation was, um, what is your incident response plan and how do you respond to that? Some of the insurance companies that were there were saying, you know, why do we not insure some states? Because one, they really suck at this, but two, um, they’re just really bad at it overall. And the thing is so fractured and that’s where people are making Minnesota jokes. At least we’re not Minnesota. Yeah, so, but yeah,
[00:34:39] Evan Francen: that sucks, to be the butt of every other state’s jokes. Yeah.
[00:34:43] Jim Nash: And you know, and that’s the sad thing, is Minnesota does so many great things in the information security world and the world and the innovation world. Um, it’s, it’s sad when your very beleaguered IT organization has made the news for well over a year and a half on a weekly basis. Yeah,
[00:35:06] Evan Francen: So there’s 22 legislators from various states. Minnesota has
[00:35:13] Jim Nash: two, correct: Representative Garafalo
[00:35:15] Evan Francen: and myself. That’s cool. Um, and how often do you
[00:35:18] Jim Nash: meet? We will be meeting roughly once a quarter, and then there’s email communications going back and forth. And that’s cool. Um, you know, we plug into other organizations like, uh, it’s called NASCIO, the National Association of State CIOs. So their president was there and um, he was trying to get me to take the job, but you know, they offer insight so that other states’ CIOs can use them sort of as a clearinghouse of what’s going on in different states. It’s a really neat organization, but states are, states are really at the whim of funding by the Legislature. So the executive branch doesn’t get to initiate spending bills; that always has to happen in the House of Representatives. So if the executive branch, in the previous case Governor Dayton and now Governor Walz, wants to make a change and you have a group of legislators that want to be punitive, well, you’re already off to a bad start, and I will tell you that there are things afoot that will probably slow things down on the funding front.
[00:36:25] Evan Francen: It’s kind of like what we’re seeing in the federal level too. Right?
[00:36:28] Jim Nash: Yeah. And in the state of Minnesota, it comes down to no one wants to take responsibility for this issue. And I think much like, you know, withholding your kid’s allowance until they clean their room. It’s a lot the same because we just want someone to take responsibility and then go get this thing fixed.
[00:36:48] Evan Francen: That’s good. So IoT security, California passed a law and it looks like, so I think if you wanted, if you’re a security person like me and Brad and others, um, we would want to read that, right? Because it’s probably going to be something like that, or some flavor of that, that’s going to affect us in other states. Right?
[00:37:10] Jim Nash: Right. And the American version of GDPR is going to be, uh, it’s gonna be a mess. You know, so you’ve got 50 states, each of which are going to add their own little flavor to it, or you have a bold federal legislature that lays down the law. But as a guy who has written law, it’s not a quick thing. You don’t just wake up on Monday and have it done by Friday. This is months, sometimes years, to get something done.
[00:37:40] Brad Nigh: That’s easy: secure your stuff. Yeah. What’s so hard about
[00:37:45] Evan Francen: that? It goes to the same belief and principle, which is if you manage security well, you’ll be compliant with a lot of these laws and regulations. I mean, it starts with the foundation of the security program, right? You manage risk well? Inventory, asset management, right, hardware, software, data assets. If I have that asset inventory figured out pretty well, GDPR is a lot easier. So will any law that comes from, uh, California or anything else.
[00:38:16] Brad Nigh: Right. Right. Yeah. Because what you’re seeing in the laws, it’s not prescriptive, so to speak. It’s not saying here’s how you have to do it; take reasonable measures. What’s reasonable? Using Triple DES? Are you using AES? Are you, how are you encrypting everything all the time, or is it all open?
[00:38:36] Jim Nash: Well, I think for, for businesses around the country, having 50 individual policies that they have to comply with, it’s going to be, again my favorite term, a goat rodeo. So if you’re a large retailer and you’ve got, you’ve got clients literally in every state of the union, you’ve now got to manage to 50 different GDPR-like policies? Um, that’s a, that’s an inflation of your internal staff alone. How many people are you going to have to add just to maintain what’s going on, staying up to date and then enforcing the requirements? To me that sounds like a pain in the butt.
[00:39:15] Evan Francen: Well, I think, and I see a lot of people trying to separate out these things. Right. I mean these things really, compliance fits within security and so does privacy, right? When you take our definition of what security is, right, managing risk to information, confidentiality, integrity and availability using administrative, physical, technical controls. That definition, privacy fits inside of that. It’s the confidentiality of one type of information, that would be personally identifiable information. So if you, my suggestion is don’t wait for laws to come and tell you how to do this. You already know how to do this; get off your rear and do it, get ahead of the curve. You know it’s coming. It’s so much, it’s so much less painful to do something because you want to versus doing something because you have to.
[00:40:08] Brad Nigh: Right, well, especially around software and services and all that. You know it’s coming. So now is the time to start building these into your, the life cycle. You can see the tsunami coming, right? At the end of the day, you look at GDPR, use that as a high level guide. At the end of the day, it covers most of what you’re going to look for.
[00:40:33] Evan Francen: Right, so start to do security well and you’ll automatically be compliant and
[00:40:36] Brad Nigh: stuff. Do you know where your data is and who can access it? Can you run reports and tell people where they’re at or what you have about them?
[00:40:43] Evan Francen: Which would all be Security 101. Right,
[00:40:45] Brad Nigh: right. Are you encrypting it? Are you protect
[00:40:48] Evan Francen: Grumble, grumble. All right. So we got some news to get to. Thank you, Jim, and chime in too when we’re talking about the news. So, and I also want to remind people, if you have thoughts or suggestions, we’ve been receiving some of those, which is just awesome, about the podcast, email us, let us know at unsecurity at protonmail dot com. We also take your questions; if there’s something you’d like to hear us address in a podcast, absolutely let us know. All right. So we had some news last week. The biggest of the big news was the whole Apple FaceTime privacy bug issue thing. Man, that was interesting to follow. Right when news first broke the early part of last week about this privacy bug where you can eavesdrop on people’s audio and video calls without them ever even having answered on the other side. Right from that to how it was discovered, which was discovered by a Fortnite player, a teenager. Yeah, that was sort of interesting.
[00:41:50] Brad Nigh: That was really interesting to read how that worked.
[00:41:53] Evan Francen: And I wonder if he gets a bug bounty. Haven’t seen anything,
[00:41:56] Brad Nigh: You know, it had in the news, in the article, that his mom was struggling to try and get the bug bounty. She reported it, so she wants the bug bounty. Yeah. Well, why not? But she did not have the technical knowledge to be able to, I guess, as he does. Yeah. Hopefully. I
[00:42:14] Evan Francen: wonder if, I mean, I didn’t read every one because there were so many things about this. I mean once the news broke, I think on Monday night-ish, Tuesday, something like that, the news just blew up and you had so many different stories written about this, or trying to follow along with all the different things that were happening. It would have been a full time job last week just to do
[00:42:38] Brad Nigh: that. Yeah, I’m written
[00:42:40] Jim Nash: by people who literally have no idea what they’re talking about,
[00:42:42] Brad Nigh: right. Yeah, yeah, discerning the from the noise. It
[00:42:47] Evan Francen: was crazy. So first the bug was reported; the first place I saw it reported was betanews dot com, but that may not have been the first place to report it. NBC News picked it up. You know, uh, these, if you want the links to all that stuff, it’s in our show notes. I post the show notes now on Fridays, did you see that?
[00:43:07] Brad Nigh: I did see that you’re, you sent that out. Yeah,
[00:43:10] Evan Francen: yeah. So evanfrancen dot com is where you can find the show notes. Uh, hopefully we can get those up there every Friday just to give people kind of a heads up on what we’re going to talk about. But all the links are there, the links that are actually, you know, that we’re going to talk about a little bit. The bug was reported. Fortnite player found it. Apple then disabled group FaceTime, because they didn’t have a, didn’t have a patch, they didn’t have a fix for it. I know there was a whole bunch of debate about Apple didn’t respond to this well, they waited a week before they actually did and everything, whatever. There’s a certain population in any breach that want somebody’s head. Right, right. They’re always looking for somebody to blame
[00:43:53] Jim Nash: except when it happens to them as well. No, no, I have to stay here. I’m important to the organization.
[00:43:58] Evan Francen: Yeah. So whatever, you can take that wherever you want with how Apple responded to it. Because now the New York attorney general, they’re investigating. You’ve already got a lawsuit. You know, there’s a Texas, there’s a lawyer in Texas who, you know, is alleging that the glitch or this bug allowed people to listen to his depositions. Um, just a cluster.
[00:44:23] Brad Nigh: Yeah. There’s stuff that’s gonna be a mess.
[00:44:26] Evan Francen: So what do you, what do you, what would you uh, as I look at all this stuff, I’m trying to figure out what, what’s the lesson, what would I learn
[00:44:33] Brad Nigh: and I’ll be reading through it, and how, so basically you call somebody on FaceTime and while it’s ringing, you call somebody else and it connects the first person. Really? Like I’m stunned they didn’t catch that. Like that to me is the first thing: what is their testing process? Because that seems like a pretty, well,
[00:44:53] Evan Francen: you know, Apple’s testing process has got to be super. How
[00:44:56] Brad Nigh: did that happen? So that’s my question. How did that get missed? Because overall they seem to be pretty good on this stuff. Yeah. You don’t hear a lot about Apple breaches. I think that’s why it’s probably one of the bigger things that, you know, did somebody just not follow a process? Like to me, that’s what’s really, that’s what I want to know, is how did this slip through? Because this is a pretty fundamental flaw. And like I’m not a developer, and the first thing I thought was, yeah, how did they not test that?
[00:45:27] Evan Francen: Well, this lends credibility to our assertion that no matter what you do, no matter how much testing you do on an application, no matter how well it’s programmed, no matter what, you can’t stop everything. There’s always something, there’s always some tweak, some corner, right. You know, there’s always something. Um, so I, you know, I guess I’m in the boat where I don’t really blame Apple. No, they generally make pretty good products, I think. And I think pretty secure products. I mean, as secure as any other. So you know.
[00:46:03] Brad Nigh: Yeah. Yeah. Be interested to see what comes out of their internal investigation and like the, what their lessons learned are, you know? Yeah, I’m just, I was surprised how basic it was. Like I heard a FaceTime bug, I’m like, oh man, that must be, what, that’s it? Really?
[00:46:23] Evan Francen: But how many, how many hacks are like that?
[00:46:26] Brad Nigh: Yeah,
[00:46:26] Evan Francen: I mean it’s just, it doesn’t take a lot of super sophisticated anything
[00:46:31] Jim Nash: well, but how, how true is that for anything you’ve seen in history, not just technology? What’s the most acute achilles heel of any tech? Um, it’s probably the most simple thing. It
[00:46:44] Evan Francen: is because a lot of times to what do they say the easiest place to hide something that’s right in front of your face.
[00:46:50] Brad Nigh: Yeah.
[00:46:52] Evan Francen: So but in the midst of all this too, the Apple and Facebook privacy battle war thing. So I wonder if that was an attempt to sort of distract people, and there’s something I don’t know, because that whole thing blew up too and I don’t know where that’s gonna go. But I guess Facebook violated Apple’s,
[00:47:13] Brad Nigh: they were paying teenagers to use their VPN so they could see the traffic or something. Yeah, that may get ugly too.
[00:47:23] Evan Francen: And that’s, and this is a whole other topic that we could really spend a couple of shows on, right, just digging into all the things that happened at Apple. I don’t know if it’s worth, it’s worth our time to dig that deep into it. But certainly the news stories, if you want to read them, the ones that we, you know, kind of looked at, evanfrancen dot com. You can go to, I can buy a book there too. Right? You can buy a book. There’s a book, yep, on security. Yeah, it’s about what’s broken in our industry.
[00:47:51] Jim Nash: Again, just like a sales guy always pitching something. There
[00:47:54] Evan Francen: you go. There you go, awesome. Alright, so another thing, we have 2.2 billion hacked user details. We knew this was coming. Right. This was all part of the collections thing. Troy Hunt, I think, you know, had the first collection, collection one, and now collections two through five are out, you know. Is this a surprise to anybody? No, no, no, no. We knew this was coming. But if you want to read about it and you missed collection one, somehow.
[00:48:23] Jim Nash: Is it like a book of the month club thing?
[00:48:25] Brad Nigh: Yeah, that’s the first book of the month.
[00:48:30] Evan Francen: Yeah. And one of the news articles that we have is, uh, SC Magazine’s got a pretty good write-up about it. “2.2 billion emails found in new collection data dumps” is the title. Uh, and again, you can check that out on my website. And speaking of websites, you’re working, are we working on yours yet? I know we have a domain.
[00:48:52] Brad Nigh: about the domain. I just got to work with Andy and Okay, that’s set up. We’ll just do basically the same as yours. Yeah. Just mirror make their lives easier because
[00:49:01] Evan Francen: because we’ll be writing a book together towards the end of this year and yeah, you’ll want that. That’s good
[00:49:07] Jim Nash: doing banjos.
[00:49:08] Evan Francen: Hmm. Yeah, that’ll be the challenge will
[00:49:11] Brad Nigh: be final show first because of alphabetical order.
[00:49:14] Evan Francen: Yeah, that’s fine. The challenge will be like reading a book by yourself is one thing I think I’ve never written anything with somebody.
[00:49:23] Brad Nigh: It’ll be like the college, you know, essays or the college projects. So one person does all, everyone takes credit. I think it will be interesting because yeah, you know, we do see a lot very similar, but from a different angle. So it’s gonna be, yeah. How do, how do we get those two things to
[00:49:46] Evan Francen: that to work? Yeah, that’s one of the things I’ve always appreciated about working with you, is we do see things, uh, we have the same principles, right? From those principles, you know, we have different approaches and solutions to problems, but it’s those principles that we both buy into so much. Another article from Motherboard, vice dot com. You know, it’s funny, this one came out on January 31st and I didn’t see anything about it for a couple of days. Now I’m starting to see a bunch of news about the SS7 attacks, but at motherboard dot vice dot com, Motherboard, the title of the article is “Criminals are tapping into phone network backbone to empty bank accounts,” and what they’re using is so called SS7 attacks. SS7 is a signaling standard for the way phones work and work with the towers and all that other good stuff. Um, so they’ve been exploiting flaws, I guess, in SS7 for a while. I don’t do a lot of SS7 stuff, but it’s an interesting article. Um, how they’re routing texts and calls around the world with SS7, attackers are tapping into that to intercept text messages and phone calls.
[00:51:05] Brad Nigh: It’s interesting. I, I didn’t know a lot about SS7. It’s interesting to see, yeah, the new kind of approach, attacking some of those non-traditional, I guess, yeah, um, infrastructure or, you know, whatever you wanna
[00:51:25] Evan Francen: call this. Yeah. Well, yeah, because I mean this is just another way where attackers can get at your two factor authentication potentially. Um, proxying is kind of, I think, probably the easiest way to do it, but this is just another way. Um, and I don’t know how rampant it is. It’s obviously got to be somewhat rampant if we’ve got people draining bank accounts through it. Yeah, but I would expect more news on this, and I don’t know how much I can really do as a security professional responsible for protecting organizations. I don’t know how much I can do about this.
[00:52:01] Brad Nigh: It just goes back to multi factor. Sure. Outside of SMS, make
[00:52:06] Evan Francen: a little harder. Yeah. For Attackers just
[00:52:09] Brad Nigh: And that’s what we keep talking about too, is people keep saying why do we want to do these things if it’s not perfect? Attackers are, unless they are targeting you, it’s path of least resistance. If they run into walls, they’re, they’re just gonna move on, because there’s enough people out there that don’t have anything up. At least have something there. Yeah, if you’re getting targeted by a nation state or whatever group, they’re gonna get in, like it doesn’t matter how good it is. You’re just trying to prevent the easy stuff.
[00:52:41] Evan Francen: So, there’s such a diminishing, there’s a diminishing return on that last 5-10% of risk. All right, so, you’ll never be perfect, and trying to chase that down, you’re just spending a ton of money and getting a little benefit. So, yeah, this SS7 thing is interesting. I’ve seen other news articles about it, you know, since then. Mhm. The, who, Roger Grimes, Roger Grimes. I’ll be in at our PSA for one day. I’m just going to see him talk, basically. So, I’m flying out on Thursday. He talks on Friday, but his talk is, you know, 12 ways to hack MFA or two factor authentication, so I’m excited to hear
[00:53:28] Brad Nigh: that. Yeah.
[00:53:34] Evan Francen: Well, yeah, yell at people know because the attack,
[00:53:37] Brad Nigh: Yeah,
[00:53:41] Evan Francen: that’s one of the biggest challenges for us as the good guys. We play by the rules, the bad
[00:53:47] Brad Nigh: guys, They’re already using it. If if he knows about it, it’s no secret. Right? Yeah, that’s not a shot at him. He plays by the rules.
[00:53:59] Evan Francen: Yeah, yeah, totally. Yeah, he’s
[00:54:01] Brad Nigh: releasing it. It’s already in
[00:54:03] Evan Francen: Iran. I was introduced to him. He’s written 11
[00:54:07] Brad Nigh: books. I think. You better catch up quick.
[00:54:10] Evan Francen: So I have his last book, data driven information security. I started reading it, very, very good. I think it’s his most popular book today, but I’ll share it with you, and I’m doing it, don’t tell him, because I’m probably supposed to buy another copy, but like, like he’ll listen to the podcast.
[00:54:30] Brad Nigh: I was able to connect with him on LinkedIn. You connected because he kept sharing, it’s good stuff. Yeah, he’s had a lot of really good stuff.
[00:54:41] Evan Francen: So this one is, uh, towards the end of last, so this is from Sunday the 27th, so this is a week ago yesterday. Um, and I thought it was interesting: Microsoft 365 had a two day outage, Outlook and Exchange were down. I had no idea. I must not have been working that weekend.
[00:55:00] Brad Nigh: I was having all kinds of problems with mail on my phone, on the app, like yeah, I can see a preview come through, but the app itself wouldn’t load it couldn’t
[00:55:09] Jim Nash: get a kickback for un deliverables. And
[00:55:12] Evan Francen: you guys were working that day. I work every day,
[00:55:15] Jim Nash: every day, every day except the days that ended. Why? But you know,
[00:55:20] Evan Francen: so I wonder what I just didn’t know what she was down.
[00:55:26] Brad Nigh: I would have noticed if I hadn’t, I was having issues just getting anything. And then I was like, what is going on? Is it, is it my phone? And I looked up the Office 365 status, and I was like, oh. That was even on the 29th. It was still having, they’re still having issues. So
[00:55:48] Evan Francen: yeah, having issues, receiving and sending emails delayed more than three hours. The first I saw of it was on E Hacking News: Microsoft 365 underwent two day outage, Outlook and Exchange down. But you say they’re still having stability
[00:56:04] Brad Nigh: on the 29th. They were having authentication errors. So I don’t know if it was directly related to this but that’s when I was having issues.
[00:56:13] Jim Nash: I think I even got a credential notification on my phone that my credentials were
[00:56:18] Brad Nigh: not. I
[00:56:20] Jim Nash: had to reset them or re doomed or enter them. So it’s
[00:56:24] Brad Nigh: it was good. I got that I tried to open it and it’s like oh I have to redo it killed I restarted my phone and like all right, more client. Yeah that’s when I started looking like okay they’re having issues. My
[00:56:36] Evan Francen: passwords are complex. I hate typing them all the time now. He’s passive
[00:56:40] Brad Nigh: man. Yeah. Like I don’t even know what it is. Right? That God is a hassle for a
[00:56:45] Jim Nash: couple of the ones. I
[00:56:46] Brad Nigh: thought
[00:56:47] Jim Nash: you’d share that link where you can go test your password. I’m gonna figure out the longest thing I possibly can and still remember. But you can’t type it fast for got sick
[00:56:59] Brad Nigh: like typing
[00:57:01] Evan Francen: Yourself to limit you to 11
[00:57:03] Brad Nigh: 16 1516 Characters 16.
[00:57:07] Evan Francen: Yeah. I bumped into that tube. Uh
[00:57:10] Brad Nigh: So I wrote it
[00:57:11] Jim Nash: down and put it on a sticky in my cube.
[00:57:13] Evan Francen: Yeah. Yeah. No, no one will ever know right. I keep my
[00:57:16] Brad Nigh: just don’t label it.
[00:57:18] Evan Francen: Yeah keep on my website.
[00:57:19] Jim Nash: It’s a good thing no one if you’ve got nothing to hide, you know. Yeah, I can ask him. Don’t worry
[00:57:25] Brad Nigh: about it.
[00:57:26] Evan Francen: The thing is, Microsoft too is very open about this. I mean they tweeted about it, I think on the 24th, and they, so it’s not like Microsoft was trying to hide anything, right? I just, I just, I guess it just goes to show, with all the things that go on all the time, that you can’t keep up with everything, because it surprised the crap out of me.
[00:57:45] Brad Nigh: Yeah, I think, well, I think what you’re starting to see is, you know, some of these companies are trying to get ahead of it. All right. It’s better to be like, hey, we’re having an issue, here’s what’s going on, being open and transparent about this stuff, because when they’re not, like Google around Google Plus and all that, they got beat up. So
[00:58:05] Evan Francen: Well, that’s it. I mean, you can control the message, right? Going back to where we started here with incident response. One of the things that was really, really important, and this is one part of the incident response training that was very explicit at our team meeting last week, is the control of internal and external communications. All internal communications outside of this group have to go through, in this case, the CEO. That’s it. Right. And then his backup is the Chief Legal Officer. But that’s it. You can’t even talk to another employee about an incident that we’re working without explicit approval. And then external communications, all those have to go through PR and the Chief Legal Officer, period. Don’t you talk to your wife about an incident. I mean, that’s really hard to control. But you know, once you lose control of the message, God knows where it’s going to go.
[00:58:57] Brad Nigh: Yeah, yeah. That’s one of the ones, that’s the part about incident response that I know in the past that I struggled with, right, in it, is we could have really good procedures around this stuff. But you don’t get the buy-in from, you know, the organization to have all that. There is no formal anything. And I think that’s probably one of the more common things we see, people like.
[00:59:24] Jim Nash: Oh, so that brings a question to mind. So, I have a good friend of mine that works in crisis communications. Is part of your incident response, um, coaching to have a crisis communications team, to say, hey, when this bad thing happens, not only are we supposed to do all these other things to figure out who, what, where, when, why, ways to mitigate it, but also have the public facing part of the organization address this issue? Because I’ve not seen
[00:59:55] Evan Francen: the community, for us, it’s an integrated plan. So, the PR team has the crisis communications,
[01:00:01] Brad Nigh: okay, so they are called out as, here is who is on that team, because all external communications have to go through PR, period.
[01:00:05] Evan Francen: They own the crisis communications plan. So they’re responsible for training their team, because we don’t need to train all the incident response team members on those specific details. But yeah, definitely an integrated plan. Same with the business continuity plan and disaster recovery plan. Those are all also integrated, separate plans. But all right, well, that about does it for this week. This is episode 13. Next week, Brad, you’ve got episode 14. Uh, if you want to follow us on Twitter, @EvanFrancen is me, at brad, and Jim is @JimNashMN
[01:00:50] Jim Nash: That is me and thanks for having me on again.
[01:00:52] Evan Francen: Absolutely. Until next week.