Unsecurity Podcast

As information security professionals, we’re responsible for protecting sensitive business information involving financials, customer info, employee data, and more. But, those protections don’t always feel directly connected to us personally—more of our personal data lives in our home environment. So, from the perspective of security professionals, what should we do for information security at home to protect ourselves and our family? Evan and Brad provide some tips in this week’s episode of the UNSECURITY podcast.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: hey there, thank you for tuning into this episode of the Unsecurity podcast. This episode 106. The date is november 17th 2020 and I’m your host. Evan Francen joining me as usual is my good friend and coworker Brad Nigh. Good morning Brad.

[00:00:38] Brad Nigh: Good morning Evan

[00:00:40] Evan Francen: Man. I just noticed all kinds of things so I stumbled twice getting out of the gate on the podcast and then noticed in the show. No, still says November 11.

[00:00:50] Brad Nigh: Yeah, I noticed in my show notes last week that I had that uh it was, that’s it. My twitter is Evan francine

[00:00:59] Evan Francen: dot Yeah. Well, and for for listeners we should, we recorded these shows at seven o’clock in the morning on Tuesday and I wrapped up my show notes this morning at 6 58 AM. So two minutes to go Brad. You set your alarm wrong. So we’re about 10 minutes late and getting recorded.

[00:01:25] Brad Nigh: it’s gonna be one of those days a link.

[00:01:27] Evan Francen: Well, yeah, and I gave a talk last week and had my slide deck done about five minutes before the talk. It’s always, I don’t know why we do it. Uh stressful as hell because it’s like, oh and you’re just slamming stuff, you know, do you do that? You do it too or you’re probably more prepared than I am.

[00:01:45] Brad Nigh: I try to be more prepared. Um but there’s a lot of there’s a lot of things that we like, we do and it’s what, you know, helps us a lot of winging it right, where people asked at the last second or last minute to, hey, can you do this or can you talk to these people? And you’re like, sure, what are we talking about? Just go with it? Right. If it’s something that’s planned, I do try to have it done ahead of time and

[00:02:14] Evan Francen: right, yeah, I like show notes, I should’ve had that done, I should have that done yesterday or the day before,

[00:02:20] Brad Nigh: but typically I do it the day before, like at the last minute in the afternoon, but I do try to get it done.

[00:02:27] Evan Francen: Mhm. So I haven’t talked to you since last week in the podcast. I mean, I think we’re both on these separate paths doing all kinds of stuff. Uh what’s up, what’s new?

[00:02:40] Brad Nigh: How much I’ve been doing a lot of uh actually client work just trying to help out Because, you know, the team is just so booked with, I mean basically over 95% through the end of the year. So, you know, just trying to pick up stuff and help out. So it’s been a little chaotic.

[00:03:01] Evan Francen: Yeah. Yeah, I totally get that. We have uh a problem on the security studio side. Think Wallace, you know, vulnerability scan files and the lead for helping us develop the original sort of spec was mike. No one. So we went back to mike and like, hey, you know, you got any time, it’s like, nope, all right close to figure it out ourselves.

[00:03:31] Brad Nigh: He actually had to move back. He was gonna do some my our stuff with us and had to move back to pin testing because it was they were so busy. Yeah.

[00:03:41] Evan Francen: Yeah, I guess, you know, I was talking to somebody yesterday, I can’t remember who I talked to anymore. I had eight meetings before 1 30 yesterday after noon, so I can’t remember who exactly I was talking to. But I was saying for me, it’s better to be too busy than not have anything to do. So I’m kind of happy about it, but it’s stressful as hell, man. And it leads to sometimes like today I woke up this morning and I just have a cruddy attitude.

[00:04:13] Brad Nigh: Mhm. It happens. Well, I think also it doesn’t help that it’s like getting dark, you know, it’s dark now, or it’s just starting to get light and then it’s getting dark by the time we’re done with work. And yeah, be honest, the pandemic is it’s wearing on people. It’s hard to isolate for this song.

[00:04:35] Evan Francen: The pandemic. And social media is to me off. I mean just about everywhere I go around social media, there was uh let’s see if I can find it while we’re having our talk, but there was a, a graphic that a friend of mine sent yesterday about um just how many social network media things there are in the world and I was like, oh my God, most of them had never even heard of before. Here we go. I’ll show you.

[00:05:05] Brad Nigh: I literally, I do twitter for kind of like muse aggregation. I’m very selective on um who I follow. Try to Good Lord. Yeah, that’s a lot.

[00:05:20] Evan Francen: Alright. Youtube, vimeo vevo text. Yeah, I guess whiskey, a funnier die GoPro. Daily motion spout, video, watch it twitch lasso face cast rumbled. That’s just video sharing. If you talk about podcasting, you’ve got Soundcloud Itunes stitcher, pot, pocket casts, overcast, Spotify, the podcast. Our lives and bus sprout pod bean, blueberry, automatic speaker, blog, talk, radio, Casto, fireside, simple cast, audio boom, Bush car Portuguese or apology. Pine cast podcasts refer omni studio and anchor

[00:06:12] Brad Nigh: that’s just like hosting Good Lord.

[00:06:15] Evan Francen: That’s insane. That’s just podcast. Yeah. And then you go to like, I mean, he said this to me. Yes, I was like, I hadn’t even heard of, Oh my God and the world is Gonda popped. Yeah. What you got?

[00:06:31] Brad Nigh: Okay, so I just, I’m very, very good about like curating, we’ll follow, there’s not a lot of things outside of, you know, in for a second, right? But people

[00:06:48] Evan Francen: have this homo right there we have this fear of missing out, you know. Yeah, I mean I kind of don’t get it. I have twitter facebook, I use facebook, nothing I would use for facebook is I belong to to Harley Davidson groups. Once in a while I’ll see, you know, families, it’s up to. And then uh, there’s, they’ve got some really awesome funny videos on facebook. So I’ll just lay on the couch and watch funny videos. My wife was watching tv and just laugh my ass off. It’s, it’s hilarious. That’s it. Damn, I spoke,

[00:07:29] Brad Nigh: I read something, it’s weird. Uh, you know, I don’t remember where I saw it, but you know, and you know, we try to avoid politics, but it was around how joe biden and his campaign and that, you know, he didn’t do a lot of the online type of thing. And it was basically came out to say like, you know, only a small fraction of the population actually is online and doing those, you know, actively involved in whatever. So you’re almost speaking to like we’ve talked about your, you’re speaking to your uh huh. Yeah. Yeah. Oh my gosh, you can think, Yeah, the

[00:08:20] Evan Francen: constituents

[00:08:21] Brad Nigh: well know that the uh echo chamber, right? People that are like already super, you know, one way or the other. So you’re not going to be hitting the vast majority of people. And I think that’s probably true from them for not just politics, but in general. It was really, uh, to see if I can find it because it was, it’s pretty interesting read around online behavior and you know, who’s actually online and things like that. It was just directly political in any way.

[00:08:59] Evan Francen: No, no in politics is just so dirty. I saw a post but you’re right man on the echo chamber thing. It’s like, yeah, I mean you put something out there and you know, for your followers or you know, or your some of your following and you think like, oh this is funny, people are gonna love this and nothing. Sometimes you post something else and it will be like, it’s just a dumb thought and then it like goes viral and you’re like, what the hell, I cannot figure people out at all. Yeah. But yeah, social media’s kind of dangerous, what else, what else has been up to?

[00:09:45] Brad Nigh: Uh, you know, just like you said. And then you know, it just Q. Four. It’s just like everybody woke up, it was like, oh crap, I have to get all the security stuff done by the end of the year for compliance reasons and go,

[00:10:01] Evan Francen: right, yeah, it’s crazy. So for listeners who aren’t in information security consult. And it’s a lot the same. I think in if you, you know, if you’re not in consulting. But for us, fourth quarter has always always been crazy. Like some quarters has been beyond crazy. Like you get to the point where you’re like at a breaking point. Uh Yeah, I mean both all sides of the house are busy technical services, whether it be penetration testing, incident response I was talking to to Oscar So for listeners, Oscar mix was our special guests. And last episode I was talking to Oscar yesterday, so monday he and I check in and uh talking about the stuff flowed certain things about incident response because they were at a point where if they would have gotten one more incident response call, they would have to turn it down.

[00:10:58] Brad Nigh: Mhm. Oh yeah, it

[00:11:00] Evan Francen: was just inundated.

[00:11:03] Brad Nigh: That’s yeah, that’s why I covered that weekend in just a couple weeks back because these guys are just so busy.

[00:11:12] Evan Francen: Well, if you got me involved, you know, you’re desperate. All right. You know what I mean? The uh what we were talking about, some cool things about it. So one of my frustrations and it’s a big, big initiative. It’s a big effort, but I think I’ve got some people with me on it um right, is just the United States, our capabilities in the private sector around instant response are laughable. Oh yeah, And it really ticked me off. It came from that 427 hospital thing, the whole rigmarole with uh brian Krebs and you know, all that stuff, the we gotta do better. We don’t share information. Well, we’ve got too many people I think are unqualified to do incident response, trying to do instant response. We’re not sharing information. Um Yeah, we can do a hell of a lot better. So I think I’ve got some proposals to make, we’ll see where it goes. You know, um, we’ll follow proper channels will go, you know, or actually will go down, all channels will go, you know, the legislative route, the legal route we have, you know, strings we can pull there, we will go. The seas are out. Yeah, Because if it had had actually been a 27 hospitals getting hit at closely the same time, even within a week or so we would have, we would have screwed.

[00:12:37] Brad Nigh: So yeah, it would have been a nightmare. Not, I’m not, I’m not talking about just from an instant response perspective on time for healthcare perspective, it would have been just absolutely devastated.

[00:12:50] Evan Francen: Yeah. And people would have died I believe. And so knowing what we, and it, and then really the solution is fairly simple, simple and easier to different things, but we have to do better. And so one of the things that Oscar is working on kind of along the same lines as how do we influence or change some of the things that happened in the cyber insurance industry. Uh, you know, that’s enough. I don’t think, I don’t know how much you get in bed with them. I think it’s a two pronged approach, you have to get in bed with them to understand them and build those relationships that I think you also have to no, maybe stab him in the back a little bit.

[00:13:33] Brad Nigh: Well it’s, yeah, I’ve been not nearly as involved as he has with a bit, you know, staying up to date with where what he’s been doing and yeah, you know, it is that there’s a little bit of, you know, I think he would agree. There’s a little bit of like stickiness factor, you know, a lot

[00:13:52] Evan Francen: of Ickiness

[00:13:54] Brad Nigh: even if you’re going to do things the right way, you stopped if you want to get yeah, those incidents and actually help people, you still have to kind of do things their way and right. You know, it’s, yeah, it’s unfortunate. But at the end of the day it’s like, well if we want to help people and, and do this, we don’t really have a choice because most people are going through cyber insurance at this point.

[00:14:23] Evan Francen: Yeah. Well, and it’s cool to be, I think us sometimes the cool thing is do you get to look at it from different perspectives and not have any vested interest in, like, I don’t know any cyber insurance company, anything. You know, you don’t have any relationships with any of them that are so tight where you did something for me now, I need to do something for you. We don’t have that. What we do then is this is the right way to do things and I don’t care if it’s if it, if maybe you lose a few bucks in revenue. People are suffering because we’re not doing this right.

[00:15:02] Brad Nigh: Yeah. And you know, to be clear, yeah, it’s not gonna be sacrificing any of our, you know, mission or who we are, but you still have to have the customer get you on as the preferred vendor. You have to do all these different things. You know, that just to ensure we’ve had several words, you know, customers called us, We’ve gotten in there and stop what’s going to happen and then injured said, yeah, that’s great. We’re bringing in our own people.

[00:15:30] Evan Francen: Well, that stuff doesn’t bother me as much as, you know, some of the things you hear about like, Well we can rebuild this entire environment for, you know, let’s say $150,000 and have it done in a week if you know all hands on deck and then the insurance company says, you know that, mm you know what I mean? Yeah, We’ll cover paying the ransom. Well that’s $750,000. We’ve got a $500,000 deductible.

[00:16:04] Brad Nigh: Right? Yeah, that’s that part of it. Yeah. I don’t like, and we don’t get involved with.

[00:16:12] Evan Francen: No, but I think that’s where Oscar is like really, you’ve got a fire under his belly on that one.

[00:16:17] Brad Nigh: Yeah. Oh yeah. He’s very much, he’s fighting. It’s tough I don’t, I don’t envy him in that one.

[00:16:26] Evan Francen: No, but I like the fact that this stuff is corridor mission, but sometimes it does feel like an echo chamber back to that, you know, you’re like, hey, not the right way to do this, let’s fix it. And then it falls on deaf ears. And, and then what usually happens is, you know, some time later, six months later, a year later, then people are like, oh, this is the thing to do it. And you’re like, yeah, we were saying that like a year ago, just just saying. So I told uh who was I talking to this time, Ryan Cloutier, I know one of the things you got to get comfortable with in this industry is other people taking credit for your work.

[00:17:17] Brad Nigh: Mhm.

[00:17:19] Evan Francen: Right. Often does that happen? It’s like you got this thing and then like nobody gives a crap and then somebody takes your makes it saying, and then when and I like that because I mean, I’m not in this for me anyway, but I like it because at least it got done right, you know what I mean? You can use other people to get well done.

[00:17:46] Brad Nigh: I mean, there is the right way to do it, but even with that, it’s like, there’s a limited set of kind of core things, correct. You know, it’s, it’s everything is based off of, you know, see us not for 853 or isil or you know that it’s kind of it, it’s how you interpret it and actually implement those things.

[00:18:13] Evan Francen: Yeah. Well yeah and that’s that’s where the real seal comes in drawing up a standard is um piece of cake. I mean we don’t more damn standards. What we need is somebody who can actually take a standard and apply it. Make it make sense, align it with the business.

[00:18:29] Brad Nigh: Okay. Speaking of standards, you, I don’t think you know this, we just got the email yesterday that we were approved for the R P. O. For C. Mfc. I just have to stay in there. Good for you.

[00:18:43] Evan Francen: Good. So

[00:18:45] Brad Nigh: We applied in July, they said 2-3 weeks. It’s been uh you know, four months.

[00:18:52] Evan Francen: So does that mean that we can do uh see MMC certifications or

[00:18:56] Brad Nigh: we can do the pre work. We’re not gonna do this how you have to do that. That’s going to be probably just to get the ISO certifications and everything that’s going to be like your shell mons and whoever does. So, certification. Now, that’s pretty much is going to be able to do that. See MMC certifications, it’s gonna the requirements for being a three power for them. It’s pretty, pretty intense.

[00:19:29] Evan Francen: Yeah, I have a lot of respect for people who do the Schellman type work. But yeah, not my not my, not my gig man.

[00:19:38] Brad Nigh: Yeah. You know down the road maybe. But yeah, that’s that’ll mean we can registered provider organization which means we can say yes, we are certified to help you get to the point of certification. And the better thing where you can’t be you can’t do the free work and do the certification. Even like even sub subsidiaries.

[00:20:03] Evan Francen: I like that. That’s a good idea. You have to

[00:20:07] Brad Nigh: Yeah you can either do one or the other for a company. You can’t do both. And honestly we’re so I think we’re playing to our strengths and helping people get ready. Right, let’s do this correctly. And in the process get to where you need to be

[00:20:24] Evan Francen: nice. Well it’s good to I mean the work that you did and uh that we did too maps MMC to you know, security studio and S. Two or it will help. I’m really excited to work on the revision force right now. We’re on our three uh work on revision for that content because uh yesterday I was in a call with C. I. S. Uh center for internet security. They do that. You know, most I’m saying it mostly for the listeners. They do that the top 20. And we’re talking about you know what their first it looks like because they’re in version 7.1 and they’re going to be you know, incorporating cloud more in diversion eight. And I want to be in alignment with what we’re doing with our four great conversations man. See I asked people are the bomb. I love those people.

[00:21:16] Brad Nigh: You know for I really like the CIA’s clients a really solid start starting point. Um But I think the one issue I do that is when people take that and say yes we’re gonna build our program off the C. I. S. But you’re missing out on so much because that’s not their focus and to their credit they they’re not claiming it is but you know they have a very specific focus and they are very good at it. But I think some people just don’t, they’re like our programs built on sending it for internet security. Um Okay what about everything else?

[00:21:59] Evan Francen: Exactly? Yeah so that’s maybe we’ll do that at some point you know in our future podcast just dig into this G. I. S. Top 20. I think a lot of people May not understand how it actually works and that the top 20 isn’t actually just 20. I know a lot of stuff.

[00:22:20] Brad Nigh: 20 high level concepts I think more than like hey just these do these 20 things, it’s your 20 concepts you need to to do to be secure.

[00:22:30] Evan Francen: Exactly yeah totally. So lots of good stuff there. Uh not to add more but you know the security shit show was good last week. We can’t remember what exactly we talked about oh fire talk about fire burn out stuff like that. And also talking about you know the doorbell, did you see that that they had to recall 300,000 of them or something like that because we’re starting fires.

[00:23:01] Brad Nigh: No I didn’t see that.

[00:23:05] Evan Francen: Uh So it was not an electric, well it’s an electronic thing but not config thing or anything like that. It was if you use the wrong screws you can essentially hit the battery then.

[00:23:24] Brad Nigh: Yeah I

[00:23:25] Evan Francen: know but I’m glad they handle that that, you know because so many times organizations will, you know, just put a label on something right? Or you know put another warning sticker yeah in the box. It’s like nobody reads that crap. So that’s not what’s gonna take to fix this. You need to do a recall. And so like the next day or the day after you saw the record, I was like awesome. I mean that’s what you that’s what you need to do. So we talked about that and then we’re doing the pocky challenge. Have you ever done that?

[00:24:02] Brad Nigh: No. What’s up? What’s up?

[00:24:05] Evan Francen: Oh yeah uh my chips were way up there. It’s juan chip, it’s uh P. A. Q. U. I. One chip challenge. And it’s supposed to be the hottest, you know, tortilla chip ever.

[00:24:22] Brad Nigh: Oh jeans. No I’m good with not doing that.

[00:24:29] Evan Francen: Yeah. Well chris lost a bet. So chris roberts lost a bet to Ryan um made on the show. So when chris has to eat one of these chips, Well chris is an englishman, you know? And I think I think like ketchup is like salsa to

[00:24:46] Brad Nigh: him

[00:24:49] Evan Francen: so he’s gonna suffer so but he did fool us last week on the show where he actually uh uh you know, took a part of the adhesives so you couldn’t tell and everything and took the chip and made another chip that looked exactly like it. So that we all thought that the chip he had was the paki chip challenge, which actually it was just a tortilla chip that he put a bunch of crap on it. So, so he ate it on the show and we’re like watching them like this, you know, you’re dying. Why is he not dying? Well? And then he came clean and told us what he did. And so partially he was like, yeah, I get jerk. That part was all right. That’s cool. So he’s still gonna do at me. Uh I’m just doing it because I don’t, I hate to see a brother suffer, you know, without

[00:25:40] Brad Nigh: that’s crazy that it’s literally they send you a package with one chip in I the other day or a couple weeks ago actually made some uh so my family isn’t big on spicy stuff and I do enjoy it. But I kind of went a little overboard and made some uh basically we were having like chicken nuggets for dinner and and they sauce to toss my name to big hot wings. And it was so hot that I actually had like skin and like feeling like I got through like eight of them and all of a sudden I was like, oh God, I made a mistake.

[00:26:23] Evan Francen: Yeah. It’s funny when you see people with that look on their face like where that’s exactly what their face has is. Oh God, what did I do? Yeah

[00:26:32] Brad Nigh: and you’re pretty good at that. Like this is good, it’s spicy, but I’m enjoying it, you know, there’s a certain enjoyment too to that and then all of a sudden like yeah, built up and caught up to me and they were all thinking it was hilarious and I was overreacting the next day. I was like, hey look, here’s a

[00:26:50] Evan Francen: yeah, it’s too late at that point. Yeah, so that will be this thursday night at 10 p.m. Will do that episode where uh we’ll take the chip online and I’m excited to see chris suffer. Uh Ryan to Ryan thinks, you know, I don’t he’s probably gonna listen to this, but you know, he comes off like he’s really tough and I’m still in my, you know, I don’t know, jury’s still out a little bit. So I want to see him, he chips too. Yeah. Um the other other stuff this week, uh the book on security, which is kind of what the podcast named after and all that stuff uh is now on the cybersecurity cannon, which I thought, damn that’s cool. I mean

[00:27:37] Brad Nigh: I haven’t read through all of it, but I’m looking forward to reading that review.

[00:27:43] Evan Francen: Yeah. Well it’s like, I don’t feel comfortable being on a list of other books made by authors that are really, really, really smart. So I don’t know how to feel about that yet. That’s cool. If it helps the mission, then that’s what it’s all about.

[00:28:03] Brad Nigh: I think part of it is, well, you’re not self promoting somebody found it and wrote this review. So, you know, it’s not and honestly

[00:28:13] Evan Francen: should be comfortable with that. Mhm. Yeah. Yeah. Don’t be better for my name wasn’t on it if you just put it out there, you know what I mean? But maybe that’s how we’ll do the next book. Just put a damn name on it, written by or maybe it goes, that’s why those other authors, they do ghost riding. Yeah, smart. Uh maybe I’ll do that. But the uh Warner wrote that uh review and he’s a really cool dude. I like him.

[00:28:46] Brad Nigh: And so say yeah, the one we write together if it’s it’s not even I or brad fancy and it’s that’s totally not us,

[00:28:54] Evan Francen: Heaven nine Brad friends and I like that. Well, and so now you’re on this topic. I am going to start another book. So, Covid to us all messed up. We were planning on writing a book this year. You and me and then we invited Ryan in later to come contribute. Uh it never got done. I had outlined stuff ish done the book was going to be about information security for normal people or, you know, people at home not security people. It would have been nice to have that book done because I think it could help a lot of people but what we’re going to write I think and you know you and I haven’t talked about it yet is uh like the V. C. So handbook this is how you do virtual chief information security officer work. If you’re not doing it this way with these things in the program you’re not doing it right basically Good. I’m looking forward to that. Yeah so I’ll get started on that. I’ve already got I mean that’s that would be really I think a pretty easy right for us bread because it’s something that you and I have been doing for so long and it’s just so second nature.

[00:30:08] Brad Nigh: Well yeah exactly it’s what we do day in and day out

[00:30:13] Evan Francen: now. That’ll be fun. So this weekend uh and kind of the one of the things I wanted to talk about in today’s podcast and all that other good stuff. I mean there’s just so many good things going on and well it’s a security stuff so if you want to keep along or even participate in all any of the stuff that brad and I just talked about get in touch with us. You know I’ve got on the U. S. Incident response capabilities. I’ve got maybe three or four people that are already sort of helping with that. Um So you know if you want to make that information, uh you can email us. But then this other thing, you know, information security home. So this weekend I was sort of, I don’t know if I was bored or just 80 HD set in again, but you know, I’ve monkeyed around with raspberry pi Many times and I was like, you know what, I’m gonna go get the version four. Yeah, just play with it. So I went to Micro center, got myself raspberry pi and on my car and I want nothing to do with it. You know, I mean there’s a billion things you can do with these, but you know what I want to build like a home information security like device like a like a nerve center for information security at home interesting. Right. Yeah. So you can plug this thing in because one of the things I think people don’t even realize this, what do I even have on my network. And so this, you plug this thing in, it would compile your network inventory stored in a database and then maybe crawl the internet looking for vulnerabilities that affect that, you know, those devices. I think creating vulnerability scanner that is looking at ports and things like that. I think that’s more advanced than most people are, you know, know how to deal with. And I don’t think it’s gonna be very accurate.

[00:32:06] Brad Nigh: Yeah. So it’s really funny that you that you pulled this up or you brought this up because my one of the things for Innovation Committee that we came up with it that I really was kind of a yeah really core thing for us. See what is that? Oh it was the white was just it was the background was getting it but was home user and personal security resources. So like how to use for the most common life, how do you set security for the wifi and change default passwords and securing some of the more common IOT things and more resources for kids. And and then the big one was like privacy and security resources when uh when you’re leaving an abusive relationship. So how do you digitally sever that peace and secure protect yourself if you if you’re leaving relationship. So that’s kind of interesting that you brought that this up with. Yeah. Not being a big focus. We not talk about that at all. So

[00:33:15] Evan Francen: No, that’s awesome man. Because I’ll need help on this too. Right. I mean I can code some things and make make this thing do some things but having, you know, their sets of eyes, you know, having you know, other perspectives, collaboration. Yeah. Because if you if you look for how to build your own home information, security device or internet security device, you’ll find some good guidance but you’ll find it all over the place and you won’t find anything really solid

[00:33:49] Brad Nigh: and that’s what we’ll and and it’s not geared towards normal people. It’s right. Typically extremely technical and you know, it’s going to turn the vast majority of people off and that’s not helping. And that’s, that’s exactly why we were doing this is hey, how do you, how, what are the most common wifi routers or internet routers for at home? There’s, there’s only a limited number in reality. Right? If you look at the SPS and so let’s put together a guide for normal people that they can do that and it’s kind of two fold for us is, hey, here’s your, our customers, here’s how you can send this to your employees to the, you know, company employees on how to secure their self because everyone’s remote. And then also one of the biggest things that I get from doing this parent uh, security sessions is how do we do this? There’s nothing out there. I can’t find anything. So that’s, that’s right in line with where we’re going. It’s kind of funny.

[00:35:01] Evan Francen: Well it’s cool man because in these devices, you know, they’re inexpensive and they don’t need to be very powerful. Uh huh. I think we can set it up fairly easily where it can report up to and be calculated within the s to me as well. So we start automating some of your security scoring so people can put it into context because we don’t, I’m not sure what resonates with people in terms of, hey, you know, you’re using a default username and password on your router. That’s bad. Well, okay, how bad.

[00:35:40] Brad Nigh: Right. Did it

[00:35:42] Evan Francen: Take my score from a 700 to 400. Okay. You know? Yeah, so I think, you know, and so I started building this device and uh really what’s on it now is you know, raspberry pie recipe ins on here. Um Kismet is on here, uh pihole is on here. Uh and it was, you know, I’m I’m I’m actually a pretty light uh device user at home, right? I don’t like complexity at home, so I don’t have a lot of devices. I don’t have, you know, Alexa, I don’t have google home. I don’t there’s a lot of things I don’t have. Uh So I started uh oh and map is on here too. Um so I started building my inventory. Right? So let’s just do it and map scan of what’s on my network 13 devices and I was like 13. What the hell do I have on here? And so you know, they started to go track down, you know, what are these systems? Uh iphones, ipad laptops, tv direct tv is our tv provider. Each one of those boxes has an I. P. Addresses on the network, my router raku um what else do I have there? I think there might be. I think that’s about it. Shower, love what’s that

[00:37:16] Brad Nigh: are low.

[00:37:19] Evan Francen: Hello. Hello? I trashed that. It’s obvious. Shoot of batteries all the time. I was like whatever. I don’t want you anymore if you’re going to be more expensive to maintain than what you’re worth. Well that’s

[00:37:33] Brad Nigh: interesting I think the batteries.

[00:37:39] Evan Francen: Yeah well I’m probably not using it right. I don’t have time to figure it out either. So uh so anyway now I want to talk like on on your work because I still have two devices I haven’t even been able to hunt down yet.

[00:37:55] Brad Nigh: Oh wow. Yeah so I use I flashed my so I have the internet or the cable company router and don’t use the wifi on that except being integrated. I have another one that I flashed with DD WRT and configured for I have separate wifi for work and none of them can talk to each other uh work have an IOT one that is just for kind of like well for like the Arlo and things like that. And then I have one for my wife to use for her work a wifi and then one for the kids on their ipads and then one for my ipad so everything is kind of really segmented out and it’s all set so you know in theory they shouldn’t you can’t see across uh S. I. D. S right and you know having secure passwords and just really kind of locking it down and monitoring it. So I feel like I have a pretty good idea of what’s actually going on. Mhm.

[00:39:08] Evan Francen: So in order for this device that I’m building to work on your network as designed so far, I would need to have a separate wireless dongle, basically.

[00:39:22] Brad Nigh: Yeah, it wouldn’t work on them, but I mean, how many people do that? You’re probably looking at fractions of a percentage,

[00:39:30] Evan Francen: Right, And that’s probably and you’re probably not a target market anyway because you already know, You know how to do this stuff, you know, it’s uh 99% of the people out there who don’t know

[00:39:44] Brad Nigh: what to do, yep. Yeah,

[00:39:47] Evan Francen: I was talking with Kevin yesterday uh about building this and he’s like, yeah, I scanned my network like a year ago and there were like six devices, I had no idea what they were, but I was like, well, screw it. You know, I’m like, all right, well, we got to go further than that. One of these devices, like these uh these direct tv set top boxes, they came off a weird ass signature. Like they’ve got um couple RpC ports open. Well, I

[00:40:24] Brad Nigh: didn’t connect any of my dark tv to the internet.

[00:40:28] Evan Francen: Well, these aren’t connected to the internet, but they are on the network because they have to talk, that’s how they talk. That’s how This one talks with the Master one in the in the living room. They don’t go out to the internet, but they all talk to each other on this local network, so that that’s how the signals shared Gotcha. Yeah, it’s weird, but I, you know, the cool thing is I didn’t know how that stuff really works because I didn’t have time to actually do it. Um and now I know how to identify that box, I know what the signature is so that we can put that into the database map was totally useless on that. It just showed me. Yeah, you got these three ports open and looks like something’s there. Yeah, but it couldn’t identify

[00:41:15] Brad Nigh: the one thing that I really like pie hole, but I know that they’ve got some you got to keep up to date on on patching it, there’s been a lot of vulnerabilities around it. Uh

[00:41:30] Evan Francen: huh. Well that’s why I want this device to be able to call home because if it calls home we can script that stuff, we can update your pie hole for you.

[00:41:43] Brad Nigh: Well, you know, interesting, you know, we talk about IOT that that would be that’s something that the majority of IOT devices are severely lacking is any sort of update mechanism or infrastructure backbone or method people just get it out as quickly as possible and Security Is, You Know, 2nd?

[00:42:09] Evan Francen: Yeah and you know, here’s a new place that uh so I think it was last week I uh we became controller members to I O X T alliance, have you ever heard of that? Yeah, I’ll put it in the chat so its I O X T alliance O X T alliance dot com? I told Renee about it at f are secure. Um Yes. Yeah. So what 60 alliances is trying to standardize these things around IOT security now. The cool thing about 60 alliance is some of the names that are involved. You’ve got google amazon, you know, essentially all the big players are keep your Yeah. Uh

[00:43:03] Brad Nigh: And it is to drink this.

[00:43:05] Evan Francen: Yeah. And it is to define Mhm. I like the fact doing this because it’s the industry’s IBMS there. Motorola, it’s um oh it’s the industry’s attempt to self regulate itself as a versus what ends up happening is the government gets involved in messes it all up, Right? Not, you know like pc I did this and it’s not like Pizza is perfect, right? There’s no there’s no such thing as perfect in our industry just so you know nothing, it’s perfect. You mean there’s. Yeah. Right. Duh talk about echo chamber but uh they’re defining the global standard for IOT security, you can become a member and it’s not a money grab fr secure, can go sign up today and become a contributor member, participate in the working groups. Uh They also do a certification program for IOT devices so I’m hoping that all IOT devices at some point must have a specification associated with it, you know, very straightforward, It’s certified for this use. Um So that’s that’s very encouraging because I agree with you man, he’s all over the damn place. I mean I’m scanning my network you here. And I’m like, what the hell? None of this stuff is standard. Yeah. So I’m pumped up. That’s very cool. So at home that’s where I started. I started with taking inventory. So I think for home users, if you want to secure your home network, that’s where it’s gonna start, how are you going to secure stuff if you don’t even know you have it, right? This is uh

[00:45:03] Brad Nigh: and I mean, it goes to what we talked about, the business is day in and day out is asset inventory. But how do we get that to the home user for them to understand? Right?

[00:45:16] Evan Francen: Yeah. And so I think if if home users are comfortable using tools like end map or if you like a graphical user interface, you can use zen map. Uh that’s one place that you can start in your network and see what, what replies now, all the things that aren’t identified when you see an I. P. Address and it doesn’t have any association with the operating system or the host name. That’s when you get to go on an investigative journey, which I treated as a game. I think it’s fun. It’s like where could that be? You know? So you go from room to room in your house. You know, like nothing in here. This thing here plug you know, plugged in. Oh damn. Yeah, but that’s a great place to start. You know, just uh and maybe that’s where we can maybe next week brad you and I can even share the video. Let’s get zen map run up and let’s scan, we can scan my network, I don’t really care. Yeah. Just tell people how actually easy it is. It’ll take you 15 minutes tops in five minutes probably because plus you guys, you know, most home users are running themselves as ad anyway. So you don’t even have to, here’s to install and go.

[00:46:35] Brad Nigh: Yeah. Yeah. Yeah.

[00:46:39] Evan Francen: Right. So where would you suggest like a home user get started,

[00:46:48] Brad Nigh: you know? Well that’s the problem is is there not a line out there? I would say for now, probably the best resource to for for normal people and it doesn’t have a lot of how to use or things, but just more general information is the iC squared, I am, I am cyber aware. Hang on. They changed the yeah, I am cyber safe dot org.

[00:47:16] Evan Francen: Now, do they give you any advice on how to create an inventory of your, of your network or secure your network or is it more good user behavior stuff?

[00:47:27] Brad Nigh: It’s more like, so we’ve got, so I am cyber safe dot org. It’s got like some safety pdf tip sheets, some video tips. Um some of the research and things like that. So if you’re looking for a, I don’t even know what I should be looking for. It’s a good starting point. But there’s not, that’s the problem. And that’s why we identified this as a big need that we need to create, there’s just not a good repository or location for people to go out there and say, what should I be doing at home? It just isn’t done, because I think the problem has been for the most part, from a business perspective, it’s not a lucrative market, right? What do you what are you going to get from this? People are going to pay for it. So you have to do it for free, but it’s such a critical thing. So that’s I think that’s a big, there’s a huge gap right now for that and, you know, hopefully will become That location here. We’re going to start that this quarter, hopefully depending on how insane it gets, but uh really start focusing on that and a Q1 of having starting to build out this personal and home security resource to become that be trusted place where hey, I don’t know what to do. Okay, let’s go to fr secure. They can.

[00:49:00] Evan Francen: Right? Yeah, I like that. Yeah. Well uh maybe, you know, next week, uh and it’s your show next week, but maybe next week, uh we could start with except in mind sharing, you know, we do these things on video and we can always talk through what it is for sharing on video if we wanted to, but I’ll log into my, you know, I I used the firewall that’s built into uh my DSL Yeah, it’s sufficient, it works fine, but you know, in the next week I could log in share the screen and you know, show places to kind of navigate and work around. I think the biggest thing is, you know, defaults, change defaults, you know, change default user names and passwords on everything. Um patching obviously is really important to a lot of your home. At least my DSL modem automatically except for automatic patches. So, you know, the firmware is up to date and I hadn’t been in there and months, it had updated itself bottom a week ago. Mm Which is not a big deal because I don’t need the same kind of up time at home that I need at, you know, in an office where I’ve got 10,000 workers reliant on this Internet connection. Um but maybe that and uh and so the way the only way you would know what things are running default user names and passwords is one to know what you got, right, because I’ve got, I had like I said, I had a number of devices on my own, I’m a security guard that I had no idea, I had on my network and I got to go down this path of investigating those things. I’m doing it for another reason, I want to, I want to create signatures so that I can automatically populate that stuff too, but you know, I could have come easily come across something that was very vulnerable. Uh huh You know, monitoring the ingress and egress, which you can do on the firewall pihole plays a good role in that too. And even the updating pile, it’s not that difficult

[00:51:26] Brad Nigh: now and you know, honestly one of the things that I recommend is so forth makes there uh you tm firewall is completely free for home users. It’s the exact same as their corporate one. It’s just limited to like devices and some things for home. But hey, I mean if that that doesn’t take a huge amount of resources, I haven’t running on a uh like a Dell that I got in. Gosh, it would have been probably 2009, I mean it doesn’t take many, you can write on very low power things, it really is just looking for, you know, you just have to have to mix that can handle the throughput and how that’s such an easy thing again to do, you can set it up, download the installer onto a USB and boot from that and it installs

[00:52:27] Evan Francen: right, I want to stay, do they allow, I’m trying to think firewall, it makes a nice firewall to it that one costs money, you know, for home and it’s got all kinds of crazy cool features which I don’t know if people really give a crap about the crazy cool features, they just want a thing that they can plug in and not have to worry about it.

[00:52:50] Brad Nigh: Well, that’s what I like about the cell phones. One is it basically just you download the two against the and it goes, it really does, it’s really easy. Um and yeah, still limitation is 50 M. P. Addresses, so as long as you have less than 50 devices on your internal network, you know, fully firewall,

[00:53:16] Evan Francen: Can I get this unrest three pi

[00:53:18] Brad Nigh: uh you know, I don’t know uh it could run done this here, I don’t know if it runs on pie.

[00:53:28] Evan Francen: Mhm. Because I think, you know, we’ll probably put an open source version of something like this on their two

[00:53:36] Brad Nigh: pf sense or something like that. Right? Yeah,

[00:53:41] Evan Francen: because I really want to create something that’s just like you can just set it and forget it. Right?

[00:53:46] Brad Nigh: Yeah, it does uh dedicated intel compatible PC or in a VM run on any V sphere addition, so. Okay,

[00:53:56] Evan Francen: right, well, not another front. Uh chris roberts and hillbilly hit squad. So these things, it’s funny you mentioned the stuff that fr secure was talking about an innovation front, I’m doing this stuff at home is sort of hobbyist, I mean we’ll make something out of it for sure. And then chris roberts is working on uh some really cool devices that I don’t know, there wouldn’t be so much used for home, I think there’s you can probably slim it down, make it work there, but It’s essentially all in one plug and play network device for small to midsized businesses that will actually do pen testing as well. Yeah, he’s got a pretty cool thing going on there. I think he’s in test right now. Mhm. But these are we can I mean there’s certain things that we can just take care of uh you know, are always the biggest risk. So what are their biggest risks at home they don’t use, you know, I don’t know, there’s a lot of things patch their systems, they, you know, default user names and passwords.

[00:55:06] Brad Nigh: The biggest risk at home is just the lack of knowledge and lack of resources targeted towards the like we call them the normal people. It’s not, there’s not a good place to go and say what should I be doing? How should I be doing it in a way that they can understand. Yeah,

[00:55:29] Evan Francen: well if you’re cool with this, I’d like to keep this this effort going. Uh you know, if you want to do, it’s your show next week an episode one or seven, you know, we kind of laid some foundational stuff to talk about, but let’s keep going on this path of home information security. Thanks. You call that. Yes, I like it. It’s gotten too because, you know, it’s stuff that we can show as well pretty easily. Uh because we’re all working from home now and I don’t mind showing you some of my home stuff. I certainly wouldn’t want to show you, you know, work, fire, wally kind of things.

[00:56:08] Brad Nigh: Yeah, yeah, definitely do that. And, you know, talk about some of the other things you can do.

[00:56:15] Evan Francen: Yeah. And if you hack my home, whatever, it’s just not anything interesting here anymore.

[00:56:22] Brad Nigh: Internet, your work stuff, she will be going through VPN anyway. Right.

[00:56:26] Evan Francen: Exactly. Yeah. And the way uh Jeff set up things now, I have to re log in like five times an hour. It seems like it’s like, damn it, it’s got that time out set to like 14 seconds, but I don’t complain other than, you know, under my breath. And I would never go to Jeff and ask them to change things because it’s the right way to do it. It’s a pain in the ass sometimes, But yeah, I can’t imagine what bigger pain in the ass would be than, you know, to have our network compromised. Yeah. All right. And then as to me, you know, we do have some cool things coming in. Version three, maybe that’ll be part of our discussion at some point. Uh Version three is more along actually, holy crap, I’m not ready for that. I think eventually we want to create with the version three or four, probably five ish is uh an actual friendly guide. Somebody you can talk to, right? Like a tech support person in your home, like uh and walk you through, you know, the good behaviors and the bad behaviors. I think if we can build also, you know, maybe some kind of an intrusion prevention detection system into this, we can monitor what’s going on, you know, the websites you’re visiting. Um the risky behaviors, you know, you can see clicks, you know, things like that. I think we probably have to make this a proxy, you’d have to sit somewhere. But anyway, there’s lots of ideas around version re Version three is really more of a guided tour. Okay, cool. Uh Yeah, because people don’t like Even 15 minutes like ah 15 minutes to secure itself and save my family. It’s too much time my kids safety just isn’t that important. Yeah. Yeah. All right, good discussion. Here’s some news stories. Uh Microsoft 1st 1 is from hack read dot com Microsoft advices ditching they actually spelled it wrong and the headline, do you see that says Microsoft?

[00:58:49] Brad Nigh: That’s funny here.

[00:58:51] Evan Francen: Yeah, Microsoft advises ditching voice sms. Multifactor authentication,

[00:58:57] Brad Nigh: but it wasn’t that already recommended by the government like two years ago.

[00:59:03] Evan Francen: Yes.

[00:59:04] Brad Nigh: Okay. Just wanna make sure I wasn’t good.

[00:59:09] Evan Francen: Yeah, it’s good.

[00:59:10] Brad Nigh: Microsoft is saying that I agree with it. Hey hello. We’ve been saying that for years,

[00:59:18] Evan Francen: right? But I would much rather somebody used if if the the most attainable multifactor authentication option for a user is to use text based sms. Multifactor authentication, I’d rather than use that to not use any.

[00:59:34] Brad Nigh: Oh for sure. But I think with the number of free authenticator apps that are out there and how it easily integrated, those are I don’t know personally, I don’t know anybody that has a phone that cannot do google authenticator or the Microsoft authenticator

[00:59:54] Evan Francen: out. Right? But the reason why they don’t is because it’s another step.

[00:59:59] Brad Nigh: Yeah.

[01:00:01] Evan Francen: You know because it if I’m if no, but it’s it pops right up on my phone. If you make me do the google authenticator app, go open phone. I have to go I actually have it in a folder. It’s called work, I have to go to my work folder, click on the authenticator app. I’ve got multiple authenticators listed here. I got to choose the right one and then take that and go back. I I’m not complaining, I’m a security guy, but you’re normal people. That’s more, it’s hard enough to get them to do the single step of the text.

[01:00:35] Brad Nigh: I again, I fully agree it that’s better than nothing. But come on people.

[01:00:42] Evan Francen: Well, and I just think we need to preface this kind of stuff because what we’re what we end up doing is we end up giving people and out uh were, you know, well SmS is not secure. Well it’s not it’s the thing is it’s not there’s no security is not binary. It’s not you’re not secure or you are secure, it’s how secure are you? It’s some degree security sms multifactor authentication is actually fine for 90% of the stuff you do alright? If there’s if there’s a swim sim swapping attack, you’ll know about it. Yeah, your phone stops working

[01:01:27] Brad Nigh: and it’s better than, like you said, it’s infinitely better than nothing. Absolutely. I think this might be an issue with the headline, right? It’s not they’re not really don’t ditch it advises authenticator over SmS, that’s really what they’re

[01:01:44] Evan Francen: saying. And and just so people know to another thing then nothing will be attacked in successful attacks. I mean it’s just this never ending and it’s always been this way tough for, you know, because I do use a number of I have google authenticator I have uh which I don’t mind using but I also have a lot of things that authenticate with SmS and I don’t feel bad about it.

[01:02:17] Brad Nigh: Yeah, I mean it’s all risk based. As long as you know what the risks are and what the value of what’s authenticating the SmS an authenticator and which authenticator and all that stuff. Hey, you know what again, it’s fine the whole

[01:02:33] Evan Francen: point of well sometimes I wonder too, if if if we’re like security geeks gone wild right? Where it’s like, okay, you know, strong passwords get you just a strong password. Not even with multifactor authentication but strong passwords and some good user behavior. See it gets you 70% of the way there, right? And then you turn on multi factor authentication and it’s SmS based. Well that’s another 12% of the way there. You know what I mean? Yeah. And then uh security geeks sometimes want to get to 100% of the way there, which is

[01:03:16] Brad Nigh: you can’t, it’s that’s like you said, we can’t have a perfect score, right? It’s not truly attainable.

[01:03:26] Evan Francen: I wonder if the normal people look at us and be like, God,

[01:03:29] Brad Nigh: oh I’m sure I

[01:03:33] Evan Francen: just moved to you. I just I just turned on multifactor authentication with SmS and now you sons of bitches tell me that’s not good enough. Okay, great.

[01:03:45] Brad Nigh: Yeah, I definitely get some odd looks when I talk about like, you know friends and neighbors and stuff that I know that I’m insecurity, they ask questions and I go into what I do and they’re like you can just see him go, what is wrong with you? Are you kidding? Whatever. I don’t care. But uh you know, you have to realize that what we do and what we do, how we understand things is not going to translate to most people.

[01:04:17] Evan Francen: Well, right? And I think that’s one of the things that will have to be really careful of as we’re doing more innovation and doing more stuff at security at home is to not be that right? Not be the what is it now? You know, because people will tune out. I don’t want to hear it

[01:04:34] Brad Nigh: anytime I write or do something for targeted towards, you know, normal people outside of, you know, not related to client work. Always bounce it off of, you know, family that is not in the industry and not immediate like my family here, but you know, uh in laws that are not are are the normal people and see what they say, right? Like that’s because exactly that it’s so easy to go down the rabbit hole and they tune out. Wow,

[01:05:12] Evan Francen: Alright, I got another meeting. So we’re gonna skip the last two uh skip the last two news things. I’ll just read the article hein and then people can find these on the show notes. But Cisco reveals a critical bug in Cisco security manager after exploits are posted online. The fix patch, The patch is out patch here. Cisco stuff. Put all your stuff. Mhm. But yeah, that’s a big deal. The last one was Apple’s privacy pledges. Uh this one the registers always got funny article headlines, but Apple last week I think public big sur which is, you know, the latest version of the Mac. Os uh beyond having a bunch of just issues in the deployment and the roll out. Um They also had some privacy issues and other things that were called out. So the register points out those things, Apple actually is pretty good with most of the security stuff that I’ve come across. So I think they have addressed it. They haven’t tried to hide it or anything. I just thought it was interesting that even the biggest companies, the richest companies in the world have troubled troubled this stuff.

[01:06:31] Brad Nigh: Yeah,

[01:06:34] Evan Francen: there you go. Apple in your face. All right, shout outs. Uh, for episode six. Thank you Brad. You got any shout outs for anybody today?

[01:06:45] Brad Nigh: Uh, you know, I shouldn’t come to these more prepared because I know we’re gonna do it every week. I’m drawing a blank. Um, everybody just, everybody are secures just doing so much and helping out where they need to. It’s just so awesome to see, you know, people on the tech team covering for because I was so busy and helping pick up stuff and consulting and everybody on consulting, you know, willing to jump in and do whatever it takes. It’s just so uh, it’s energizing. It’s like, yeah, this is awesome. So I guess just to that everybody on the team. Just a generic love working here.

[01:07:34] Evan Francen: Yeah, yeah man, that’s, I could do the same thing for if I are secure folks. Every single interaction I have everybody I’ve talked to everybody I work with. It’s such a privilege. Um, so for sure that I’m also going to give a shout out to the uh, daily insanity crew every day. I get to talk with those guys and gals and uh, foster some really good relieves. Just really, really good people from across the board. So shout out to all those guys. Uh, they’re awesome. Right. Thank you to all our listeners. Uh, send things to us by email at Unsecurity@protonmail.com. If you’re the social type socialize with us on twitter, I’m @EvanFrancen and brad’s @BradNigh lastly be sure to follow security studio @StudioSecurity and @FRSecure here for more things that we do. We certainly invite people to come and join us with uh stuff. Help us, help us with the mission. The mission at the end of the day is helping people. Uh next week we’re going to dive in deeper with the the home stuff, the home security stuff and I’m kind of excited about them. So we have a great week. Thank you.