The pandemic changing social justice events, economic issues, the election cycle, and more, have all made for a changing information security landscape.In this episode, Evan and Brad discuss these changes and what they mean for the industry.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
[00:00:22] Evan Francen: Good morning listeners. My name is Evan Francen. The date is September 1st and uh, this is episode 95 of the Unsecurity podcast. I’m your host today and joining me is my good friend Brad Nigh. Good morning Brad.
[00:00:37] Brad Nigh: Good morning Evan.
[00:00:40] Evan Francen: So you are a nice guy. I predicted that you’d say hi or something. Yeah, you did this something uh, for our listeners who are expecting our show to come out yesterday on monday. We switched things up. We’re recording the shows on Tuesday mornings now. Do the crazy schedules, kids off ready for school, depending on whether they’re in school physically or um, uh, I guess remote learning for the time being the recording on Tuesday mornings and releasing the podcast around noon. Uh, all right. So same thing each week start by catching up new listeners might not know that. We originally started the Unsecurity podcast so that you and I meaning you Brad and I could find an hour to treat to catch up with each other. So let’s do that. Let’s catch up. What’s what’s new with you.
[00:01:33] Brad Nigh: Uh, you know, not much the weather kind of turned this weekend. So it’s nice and I spent a lot of time outside and just enjoying some really nice weather.
[00:01:46] Evan Francen: Yeah, but that means like winter is coming. I
[00:01:48] Brad Nigh: know. Yeah, I don’t.
[00:01:51] Evan Francen: Does anybody, there’s so few people, we live in Minnesota and there’s so few people, it seems that actually like winter here. I mean there’s a group that does for sure, but I’m in the camp that’s like yeah, I don’t I don’t like it.
[00:02:06] Brad Nigh: Yeah, it makes you appreciate like everything else thing with like summer when it’s, you know, 90 and human like, Gosh, I can’t wait for it to get cool again. And then so
[00:02:19] Evan Francen: yeah, there’s that. All right, so whether it’s changing, what else, what else is new house? The family? I was not on the bike.
[00:02:27] Brad Nigh: Uh I did actually, I didn’t that’s with a little surprising a bunch of like just playing with the kids. Um but now that it’s not 90 and humid I should be able to get out there and write a bunch more. But you know, it’s good. Um My oldest actually made is on the high school, one of the high school soccer teams, and their first game is today, so that’s pretty exciting to see how long you keep going. But
[00:02:59] Evan Francen: do they, do they allow fans
[00:03:01] Brad Nigh: uh immediate family? Only immediate family
[00:03:06] Evan Francen: Only not 6ft apart
[00:03:09] Brad Nigh: now. And I think the varsity team, they can get Like four people, but You have to be six ft apart and all that stuff.
[00:03:22] Evan Francen: Mhm. And they play for, She plays from Minnetonka. Okay to talk school you said? Uh huh. It’s crazy how that school has grown. There’s so much investment and money in that school district, it’s kind of crazy.
[00:03:41] Brad Nigh: I’ll be honest, I’m, you know, I’m a little nervous, at least she’s outside and everything, but uh and they’ve got really good protocols, I was really impressed with what they’re doing for uh preparing to go back to school, you know, they put in Like Merv 13, which is hospital grade Air filters in every classroom, we’ve got like five cloth masks for every student, you know, class sizes are reduced to 50% of normal, you know, they put a lot of things in place to hopefully minimize the risk.
[00:04:21] Evan Francen: Yeah, that’s cool. You know, I went to Minnetonka, so I’m a little, I’m a little, what do you call it, biased? Yeah, that’s cool, man. I uh here, I’ll show you a picture. I went to uh I rode my motorcycle on friday, see my face, that’s what wind burn looks like. I rode my motorcycle on friday down to Kansas, uh Lenexa Kansas man, my son, the one on the left there, He’s a police officer for the next police department. Okay, wow. And so it was uh yeah, and then the guy on the right is his future father in law. So I wrote it down there to uh tell mom because he’s, you know, it’s so volatile now uh we’re you know, some believe that all police officers are bad, you know, and that’s not true right? There are some that are very actually most are very very good people that risk their lives every day. So it was good to come down drive down there, see him uh do a little ride with him and then I back on saturday so it was 500 miles on Friday and then almost 500 miles on Saturday, wow.
[00:05:49] Brad Nigh: So on game
[00:05:54] Evan Francen: that’s a lot of time on the bike man. It uhh get your butt, gets a little and then I came back on sunday and I did this, check that out, wow. Yeah yeah so on sunday and I’d already planned this sunday I tore out the wall in her kitchen uh so that It’s all lath and plaster and our house was built in 1872 so it’s old and so ripped out all the lath and plaster ran electrical so I got a couple of new electrical outlets and you know you see the deck outside, put a new uh switch and light on the outside and then uh yeah I think today I’ll now everything’s all cleaned up and today I’ll be buttoning it all up with uh she wants ship lap I guess that’s a thing that women
[00:06:53] Brad Nigh: like nowadays. Uh huh.
[00:06:57] Evan Francen: Yeah and then my kids were over here so I had lisa Tyler Joel uh joe got um joe proposed to his girlfriend’s sunday. Yeah have a new another grandson coming since three because we just had the gender reveal on sunday. So yeah, life is
[00:07:22] Brad Nigh: you had a busy weekend.
[00:07:24] Evan Francen: I know man. And then yeah just a lot of stuff going on. Cool stuff going on at work. You know uh doing some work for the state of Minnesota. That’s going well. Um chubb insurance, you know with the s to me uh it’s going really well redesigning the whole s to me to be more consumer friendly. That’s kind of fun. Yeah. It’s crazy man.
[00:07:47] Brad Nigh: You have been doing some stuff with Minnesota as well around uh the election security. So that’s that’s pretty fun.
[00:07:55] Evan Francen: How’s that going? Our county is taking you up on the offer.
[00:07:59] Brad Nigh: Uh Not yet but uh Caleb was out so okay. He doesn’t scheduled as yet. Should get some stuff started today.
[00:08:10] Evan Francen: So what’s the strategy there? It’s to help the counties with their information security by getting the fundamentals and basic sort of squared away. Is that pretty
[00:08:20] Brad Nigh: much
[00:08:22] Evan Francen: and it’s under the banner of election security because obviously, I mean it’s just crazy the world and that’s kind of part of what we’re gonna talk about today is just how this crazy stuff, you know affects our jobs affects information security in just Yeah and one of those, one of those things is you know the election, It’s coming up. It’s only 60 days away, 60 ISH.
[00:08:49] Brad Nigh: Yeah. That’s crazy.
[00:08:50] Evan Francen: Yeah. And you know there’s all this infighting. The left is fighting the right, the right is fighting the left, nobody believes anybody and other stuff mail in ballot thing and it’s just so much crap going on. So you being in the middle of it and staying objective, like we’re here to just protect Mhm. The integrity, I guess, of the of the of the systems and supporting stuff
[00:09:21] Brad Nigh: And availability, I think, right? Yeah, those are the two
[00:09:25] Evan Francen: and we’re not taking a stance one way or another, you stay focused on the issue at hand, which is information security. The issue at hand is not not that you don’t account for the political strife and all the other crap that’s going on, you just stay out of it. We focus on the objective,
[00:09:46] Brad Nigh: yep, just do the right thing for from a security perspective, regardless. Yeah, quite frankly, I don’t care about which parties and like, right, just do the right thing. You just want to the Yeah, it’s about people like you’ve always said
[00:10:06] Evan Francen: so well and know, and nobody’s nobody’s focus, right? Nobody is like, so if you were to take a side, there’s always a counter and so the fact that you can whatever side you want, which is fine then, I mean, nobody is like, I mean, nobody’s sinless, we all got issues,
[00:10:28] Brad Nigh: right?
[00:10:30] Evan Francen: So, yeah, I have enough trouble just trying to keep myself out of trouble, right? Mhm. Cool. So everybody’s healthy. How’s your how’s your wife doing? Because she works in healthcare, right?
[00:10:45] Brad Nigh: Yeah, she’s a nurse. So um she’s a clinic and she sells to go into the office three days a week. So she wears a mask all day at work.
[00:10:58] Evan Francen: Is she now getting any kind of like, I know that there’s been talk of like acne and all kinds of skin issues and stuff like that. You
[00:11:05] Brad Nigh: know we got some really good cloth masks with like that kona cotton so it’s like a real soft then like fine leave. So she just rotates those and yeah, she hasn’t really had any issues
[00:11:25] Evan Francen: kona cop. Is that like the K. O. N. A. Like uh Okay. Yeah. It’s like all right. That’s why I went on my honeymoon court now. It’s really cool. Yeah. So if you ever get the chance at the time I didn’t have any money. Uh so broke. But my mother had miles because she worked for IBM. So she had all these travels. So her wedding gift to us was century or honeymoon, which she didn’t have to pay a dime for. So I guess I should, I guess I should thank IBM for my honeymoon. And oxy thank all by BMS customers for my honey movie. The cone. Oh my god, it’s so amazing. I don’t know if I could live there. Yeah. If you ever get a chance man. That that that’s the big island. And it’s the biggest of the islands. The Enema island. The cone is on is actually called Hawaii. Okay. Get Maui and all the other island six. And on the one side of that island is kona and there’s two mountains that sort of separate kona from the other side of the island. Which is where hello is. Hello? It’s like tropical rainforests. They get like 120″ of rain a year. It’s beautiful. And then you go to the other side of island, which is the kona side and it’s like the it seems like the surface of mars mm get like 23 year. That’s
[00:13:08] Brad Nigh: crazy. It’s yeah, just off topic. But it’s amazing. Like if you think about it, you can go like snowboarding on the mountain in the morning and surfing after lunch.
[00:13:21] Evan Francen: Yeah. When they got cowboys there, they had cowboys there. That ranch is in the middle. They’ve got some multi best coffee. You know, they’ve got tropical rainforests with like this beautiful waterfalls. And then you’ve got, you’ve got a volcano too right. Spewing lava. Right? It’s crazy. That’s on, you can do all of that in one day. It’s one of the most amazing places on earth. I’ve never I mean I haven’t been everywhere, but it’s crazy. Cool. So for all the listeners go to kona, you ever get the chance, how expensive it is nowadays. Uh You know, like I said, I didn’t pay for it way back when I haven’t been back. But go.
[00:14:08] Brad Nigh: So right now they don’t, they have like a quarantine on visitors coming in. Yeah, probably.
[00:14:15] Evan Francen: Yeah, they probably do all right anyway, so that the world is crazy. Senior uh Mhm. I guess it’s always been crazy now. It’s like overtly like in your face crazy. Yeah. So obviously there’s a lot going on this year. We’re about six months into covid terms of the disruption it caused to our business. I think many others. It was March of this year. And this is now september and so I came up with six months because nine is the number for March three is the number for I’m sorry, three is the number from March nine is the number for september nine minus three equals six have fallen before, yep, logic love it. Uh But Kobe had flipped everything side down, you know, the world on its head at least that’s what it seems like. So for many uh you know, cole is old news if it even though it’s not we’re not out of it yet. And I know that people are tired of talking about it. So I didn’t want to talk about covid as much as I wanted to discuss our reaction to it and how it suspected information security trying to stay as close to like like you’re doing with the elections as close to what it is. I know and what it is. You know, that’s possible. I don’t know. Scientists. Another Well, politicians, thank God. Uh And I’m not a doctor. So but I do know the information security landscape. And I have observed some of the things that have have changed. And so I don’t know if you’re like me Brad. But I remember the day, like it was yesterday, the day was March 16. This is the day that we close our office, our physical office at security studio and at f are secure. Yeah. And it’s just been sort of nuts, you know, ever since.
[00:16:25] Brad Nigh: It was crazy. And I mean, we had that discussion and about what we’re gonna do and we’re like, all right, well, we’ll close it for two weeks and see where we’re at. Uh hopefully is that things will go back to relatively normal and clearly that has not happened.
[00:16:45] Evan Francen: No. And I remember when the president of fr secure, john Herman came into my office and he said, yeah, we’re gonna close the office. I was like, why him? And that’s how I think just naive. I was about what was going on everything. And uh, he said, well, you know, it’s just the prudent thing to do because I’m not a fear person. I don’t I don’t react to fear much. Um So I felt like we were reacting the fear the end of the time. Um which turns out john made the right call, john and you and the senior management team, executive leadership team. Um Yeah, just, just show how unfair fel I am. I mean, I went to Sturgis a few weeks ago I self quarantine when I got back two weeks, I had no symptoms, nothing. And now I’m out of that. So I did that because I don’t want to get other people sick. Right? I think that was, that was the point. So in our own business information. So let’s assume we were always kind of nontraditional the way we did business. But let’s say we were traditional business where we had, you know, centralized, you know, data center or you know, something where we have maybe our active directory server and you know, some of the things maybe a file server and database or whatever and the network and people all in an office working together. Security looks one way and then you blow it out right now everything is decentralized. People are all working from their homes. Um, security is much different, right? It’s just, it looks different functions different. Your risks are in different places And I think some of us haven’t yet adjusted to where are the actual risks now? Where should I be focusing my time and money?
[00:18:55] Brad Nigh: Yeah, I think one of the biggest challenges that we keep hearing is how can I help secure my employees networks at home? How do you address that? And yeah, give them some resources. But yeah, that’s a tough thing to try and handle.
[00:19:18] Evan Francen: Well, it’s weird too because it’s like we started, we knew that this was, I don’t know if we do this, what’s going to happen. I mean we didn’t know that Colbert was going to happen obviously. Yeah. But I think we knew that if you really want to be the most effective with information security, you have to address the person. The people. Mm hmm. And you have to do it in a way that they want to do it. Not in a way that they’re told to do it. Not in the way to give them checklists and stuff. In a way that they actually want to they embrace it. They see the value in it. Yeah. And uh, so we knew, you know, we’ve said that people are creatures of habit. So the same good or bad habits they have at home with the same good or bad habits are going to bring into the workplace. Now that line is blurred where the place and home are basically the same thing. All right, okay. Uh, so in 2017 we develop yes to me for this reason. Not because we saw Covid coming, but because we understood that people, we have to figure out the people part,
[00:20:31] Brad Nigh: right? There’s not a lot of good, easy to understand for the quote unquote normal people resources. So
[00:20:44] Evan Francen: yeah. Right. And so, You know, an inversion wants us to me was released in 2017 and We didn’t really focus on much on adoption because we knew it was like a version one. It’s like, it’s not, it was basically just a glorified questionnaire with some scoring and recommendations associated with it. The concept was there and then You know, we went down, we went out with version two which introduced badges. People like patches. Yeah, accomplished anything. Yeah, I think for a damn badge
[00:21:22] Brad Nigh: it’s that what’s the same thing like doing like capture the flag for security. Right? It’s that kind of like yeah, I did it
[00:21:32] Evan Francen: right. And so that it becomes like a carrot but it’s not really a carrot yet. I think people want necessarily because it’s like alright it security but you know, I don’t really like her carrot. It sort of feels like kind of which is cool. You know, I get it. Uh So now we’re working on version three and so the hook point is now and then Covid happened, right? Covid happened in between all this. It’s like old crap now everybody is being pushed to home now. The home network actually matters. Yeah, a lot more than it did. And your kids on the same network as you matter. Uh your personal computers. If they’re separate from your work computers in terms of physical systems, they’re on the same networks that matters the firewall at home matters. Your IOT devices at home matter. Your you know, it just it push it push the physical boundary from work to home,
[00:22:44] Brad Nigh: right? Yeah. Instead of defending one parameter, you’re defending hundreds, some thousands.
[00:22:53] Evan Francen: Right? And so think about like schools, I just wrote an article for dark, reading about this and schools had enough trouble securing a few networks now, you’re securing thousands of networks or at least they affect your security well,
[00:23:15] Brad Nigh: and you know, we work with a lot of schools, school districts and I can tell you that they are just basically all focuses on remote learning period, like everything else, unless it’s critical is on hold.
[00:23:34] Evan Francen: Yeah. And so when if you play out where we’ve been, how many organizations do you think just wanted to survive? Mhm. You know, just get it up and running. I don’t give a crap security because security is just going to get in the way right now, get them all VPNS, get them all connected, get the, get the traffic flowing, make sure the applications can handle the, do we have support structure in place, Who are they going to call? You know, just all these things that went into pushing things out because nobody, I don’t think, but not anybody, but very, very, very few people were prepared for this.
[00:24:15] Brad Nigh: Right? Yeah. Well, and now, you know, we’re saying, well, if there’s an incident when nobody’s there or if a server goes down, somebody has to drive in to handle it. Right? Like you’re having a delay in service, you’re having a delay in response, if there was, you know, something suspicious going on, just all these things that yes, people just didn’t think about,
[00:24:41] Evan Francen: right. And so now and so the sad thing about the way security works when you tack on security after a fact, it’s much less effective than building security into it. Mhm. So you deployed a bunch of laptops, whatever, you know, whatever you did, you, I mean you the listeners or you know, companies in general, they pushed it out quickly. A lot of companies were lacking in training and awareness. So not only did you push out the network And so the physical security is drastically different. Typical security is drastically different and the personnel security is drastically different. Your training and awareness, which you were training people on before, I think lacked in a couple of ways. one you were telling people how to protect their company, You weren’t telling people how to protect themselves. And then leveraging that to protect.
[00:25:40] Brad Nigh: Right?
[00:25:41] Evan Francen: Yeah, it’s different.
[00:25:43] Brad Nigh: Oh yeah. You want people buying in and invested in a security program and the way you do that, that is mm hmm. Get them to understand and protect themselves and by extension that they’ll protect the organization because they’re doing the right thing. Yeah.
[00:26:05] Evan Francen: So in terms of our jobs, everything everything changed. Uh the basic concepts are still all the same, right, asset management. I can only protect the things. I know I a house access control, change control configuration management. All those things still apply because I can only secure the things I can control the challenge is now you had yet was almost at a bad word, property asset management before now you have crap your asset management because now, not only do you, Oh my God, it’s crazy because not only did you have not know all the devices, maybe all the applications, maybe all the data and where it was when you were at on prem now that you’re all remote, should you account for the assets on people’s home networks also in your asset inventory, if they affect your ability to secure things and
[00:27:15] Brad Nigh: what’s the liability and the legal repercussions and all that of, you know. All right, do you have your employee, did you give him a device, are they using their home computer and doing a VPN and remote desktop type of situation, You know, there’s just yeah, so many different things you have to now take into account, but what weren’t really, you know, an issue before,
[00:27:42] Evan Francen: right, certainly not as significant, you know. Yeah. So the crazy thing is they say that this is going to become, and we don’t have a crystal ball, but you know, this is going to become kind of the new normal people are enjoying working from home, they’re not going to come back to the office.
[00:28:02] Brad Nigh: Well, if you look at look at the companies that have said, yeah, you can be remote indefinitely. I mean Octa I think was the latest one that just came out and said, you know, the majority of the employees can just stay remote, you know that so many companies that are remote through at least the end of the year now. So yes, I don’t think it’s going to change anytime soon.
[00:28:28] Evan Francen: No. And so the dust, the dust hasn’t settled yet on the information security landscape in this new way of doing business. And the sad thing is you see checklist after checklist after checklist. You see news article after news article after news article on how to protect work from home, how to read, protect remote work. And there’s all kinds of good tidbits of advice out there. But what’s lacking is how do I actually apply it in the most effective way possible. Yeah, I know this stuff. I mean most people you talk to, hey, did you not change too strong passwords? Yes. Well, yeah, you know, I mean, even even my mother knows that sure. You know, I mean and she’s 70, almost eight years old. Yeah. So it’s not that you don’t know a lot of these things, it’s the fact that you don’t know which thing to do next and you don’t fully appreciate what’s in it for you, I think.
[00:29:41] Brad Nigh: Yeah, I can see that. Yeah.
[00:29:44] Evan Francen: You know, if, um, so,
[00:29:47] Brad Nigh: well, you know, we do like these incident responses where, you know everything is down and you know now as an employee that’s maybe not directly working on remediation, getting things back up and functional. The effect on you is still significant. Right? You can’t do your job, you’ve got customers calling you and now you’re unable to do anything because somebody clicked on an email and didn’t report it or just not realizing so many things. So yeah, everybody is impacted when something like that happens
[00:30:31] Evan Francen: right and equipment and so you combine all of this kind of confusion. And I think some companies, I think another, I don’t want to go down this private hold too much, but we’ve got a pride issue in certain places within our industry to where I got it. I got it handled, Yeah. We deployed uh endpoint protection and got everything all buttoned down. No, I worry. It’s like, well, but still you have the human being that is still ill equipped to use the device that you gave them. Still ill equipped to use the email to use the internet to use all these things. They use them. Yes, they get what they need done, but they don’t use them in a safe manner, right? You know, it’s like driving down the road without, you know, understanding the rules of the road that our understanding what all these traffic signs mean without wearing a seat belt, without having an airbag. So we got a lot of work to do. I think, oh, and I think we’re on the right path because one of the things I was thinking about too is, you know, we do a lot of risk assessments because you know, we understand, we understand that information, security is about risk management. So I can’t manage something that I don’t understand, I can’t make decisions uh Something that I don’t understand. So we do a lot of risk assessments. The one that we do today is the S. two orig. Mhm. But how much less valid is a traditional methodology like the S. Two Orig in a new world, in the new A place where at you know,
[00:32:22] Brad Nigh: the biggest part I think is around the physical, you know, we do talk about do you have guidelines and things for remote workers and all that? I think the vast majority of it is still very valid. Um But yeah, what happens with now that there isn’t an offense, right? If you’re completely a cloud based organization, there’s what is there now? I think that to some extent their stuff, but that’s probably the biggest thing. Um because like I said, we talk about everything else is still valid. Um It takes a new but that
[00:33:12] Evan Francen: I just coughed right in the saxophone, thought I muted myself but it
[00:33:16] Brad Nigh: was music. I didn’t hear it. You’re good, good. Um but you know, the internal technical controls take on a new aspect, looking at those a little bit differently. But you know, I really I think the majority of it is still incredibly relevant.
[00:33:39] Evan Francen: I think the content is I think there’s a couple of things that are concerning me that and actually we’re working on redesign, not redesign and refinement, you’re always working on refinement. Right? The world changes. If you have a methodology that isn’t flexible, they can’t change with the world. It’s a man, it becomes obsolete quickly, right? Uh isn’t it one of the things with fine, a lot of the content is still relevant. However, the way scores are calculated, the way weights are assigned, you know, has changed drastically. And so we’re working on trying to figure out, you know, in the algorithm what parts need to be emphasized more and less. And, and even then, even though we’re pretty flexible in our methodology, we can’t deploy till we’ve communicated to all the users who use it because they’re going to see scores go from, you know, one way or the other, they’re not stay the same. They’re going to, you’re going to have a, You know, I guess maybe a 5-10% variability and score plus or minus. Yeah. And we learned from our, we learned our lesson from when we recalculated. You know, internal vulnerability scanning that we’re not just going to like deploy it and be like, Oh crap, you don’t, you don’t know your score just dropped 30
[00:35:05] Brad Nigh: points. You know, I think we communicated there was going to change but not what the impact of that change would be so lesson learned on that.
[00:35:16] Evan Francen: Yeah, yeah, for sure. So we’re trying to prepare that, but then I think a second piece that I really see us work more on is we have the s to me. So we have the ability to measure and you can argue the effectiveness of the measurement. It’s better than nothing and it’s better than I think anything else I’ve seen. And I’ll just keep getting better. But we have the ability to collect information from home users in a way that it’s not, it’s not biased. If I tell you that this assessment is for you to protect you, protect your family, do your company does not see results, your individual results? They don’t um, you know, so if you give false information in data assessment, you’re only help you hurting yourself. Really?
[00:36:14] Brad Nigh: Right? Yeah. And it doesn’t even show like those aggregated results until there’s a large enough sample size that you couldn’t identify or single. Anyone else.
[00:36:26] Evan Francen: Mm Exactly. So if we can leverage the S to me into the S2 team in which we already have, we already figured that one out. Now, the next part is how should the S two team Results affect your overall risk assessment with the S. two or so there’s a very a marrying that has to take place. Yeah. Because then your risk assessment is truly more reflective of the real world.
[00:36:55] Brad Nigh: Yeah. Honestly, if you think about it, it’s probably should be a fairly hefty waiting, right? Because this is what your employees are actually doing, not what you say you’re going to do, not what your policies say you’re doing, what’s actually happening.
[00:37:12] Evan Francen: Right. Well I think there’s always three things in my mind that have to be in place for a metric or a score to be valid and nobody’s really argued with it. So I think it’s valid in the real world too is one that has to be objective. So whatever you’re going to use to score something, it has to be objective. It has to be yes, no, on off one or it also has to be applied consistently. So whatever metric you’re using, it’s the same wherever you put it. And then the third thing is that has to be relevant to whatever it is you’re measuring. So if we’re measuring risk, what are the characteristics Mhm. Of risk at home? Yes. That I can make a an objective. Either you’re doing this, you’re not doing this and then create. So I think the waiting, you will depend on
[00:38:13] Brad Nigh: you you couldn’t even use I don’t think you could use that aggregate score either. You have to do it by by section because yeah, there’s different Mhm. Different weights for you know what the risk to the organization for you know, using one machine for everything is different than do they have a personal incident response plan?
[00:38:38] Evan Francen: Right. Well I think so. The waiting. So the section waiting can be integrated. Weaved into sections of the S. two orig I think and then wait supplied based on how many people you have working remotely, what percentage of your workforce is working remotely and Maybe one or 2 other criteria. But that’s the part I’m we’re putting together now and then we’ll put it out for debate with you, you know, the content committee and our dev team and others because that’s the part that I’m trying to figure out next. Because what I want people to do it won’t ignore the shift. Don’t ignore the shifted risk. The risk is shifted right. Pre covid if you’re using pre covid risk assessments and meeting your risk decisions based on those risk assessments, there’s a certain level of in validity to it. It’s not as valid as it was. No, nothing is completely invalid. It’s just not as valid as it was.
[00:39:56] Brad Nigh: Right. Right. Well that’s why, you know, we constantly say don’t just do an assessment and that’s it. The risks and the threat the information security landscape and everything is constantly changing. Right? So you can’t just keep doing the same thing you’ve always done. You have to take those those changes into account.
[00:40:17] Evan Francen: Yeah. Yeah. So ideally, you know, future and I think we can get this thing to deploy. Mhm Hopefully before fourth quarter because I think it would be a lot of people do the assessments and forth. And then you use the information from those risk assessments to plan for 2021 budget. It would be nice to get this to play earlier that you can account for, you know, should I help my home users maybe with you know antivirus even though I’m secured, I’ve secured the end point for my system. Yeah. Um you know, 80% of my users just hypothetically then it’s probably not true. 80% of my users don’t have antivirus are up to date. Anti virus on their home systems which are on the same network as the system I deployed for you. Yeah. Well that’s true. Why don’t I negotiate a group rate on Mcafee, Symantec or whatever and traverse you want to use and then encouraged all the users hey install this antivirus. It’s 50% off. And the real reason why we’re deploying it to you because we want you to protect your family better. Right? Yeah. Yeah that’s a different story then what we traditionally say now.
[00:41:50] Brad Nigh: Yeah. Yeah I mean even even I think putting together a list of things that people could, you know, hey here’s and a virus that we recommend and having a couple options or no make sure you’re doing patches and give them some tutorials and just yeah some and resources written for the normal person. Not the security or I. T. Focus that we typically see. You gotta be very deliberate and how you write these things out without being condescending and talking down to. Right Because if you’ve done it down too much then people will be like it’s altered and what what happens in that case. Well they’re not going to follow it.
[00:42:40] Evan Francen: Uh huh. That’s why I think we want the content to be relevant to your level of up there and then of information science and technology for one we also want the message to be from the community more so than from a company. Yeah. You know, so then it doesn’t come off as condescending, It comes off as You know, 80% of the community is using a password manager. Mhm. For these reasons to protect their financial accounts or whatever you message you put. Yeah. So then not only do people feel like the company is supporting me and protecting my home, protecting my Children, but I also feel this community push of like yeah everybody’s doing it right that herd mentality is strong.
[00:43:36] Brad Nigh: Yeah.
[00:43:38] Evan Francen: Yeah. So it’s interesting we’ve got because we’ve been getting a lot of feedback from users of the s to me and a lot of the things are in line with what you’re saying to its I think there are four different dialects maybe of normal people speak. Yeah in terms of technology. So we’ve called them technology dependent technology and naval technology actually dependent tech enabled, tech aware and tech challenged. I can see that Yeah in the text dependent are primarily people under the age of 35 And uh you know there’s a couple of the criteria that go into that. The reason why 35 became like a really interesting age was because 13 years ago the iPhone became the first iPhone was released. So these people were 20, these people were 22 years old. Yeah the 35 year olds today And yeah, so 35 and younger, that’s not just 35 year olds And then it was 2003, it was 17 years ago gee was released. Mhm. What it’s led to the,
[00:45:05] Brad Nigh: What’s that? It garbled. What was released in 2003
[00:45:09] Evan Francen: R. G.
[00:45:11] Brad Nigh: Mhm.
[00:45:13] Evan Francen: Yeah so that what three G brat was data to mobile devices. I think that’s when everybody started doing this a lot more, you know, head down looking at their phone. The iphone just exacerbated that more. So in 2003 The 35 year olds were 18. So I think that’s the top end of what, you know, maybe you might call tech dependent, there’s a couple other criteria there but those are tech dependent people,
[00:45:48] Brad Nigh: that makes sense.
[00:45:50] Evan Francen: Yeah. And then the tech enabled people are you know 35 ISH to 60 actually tech dependent really is 20 and below The opposite maybe 35 but so anyway we’re trying to figure this stuff out that we can speak their language. Yeah,
[00:46:05] Brad Nigh: you have to talk differently to different people
[00:46:10] Evan Francen: right? And so not only within do have okay flush stuff going on. Um risk has changed information, security has changed drastically. So trying to figure out all the ways that it changed so you can make your solutions as effective as possible. It’s not about the cool thing about working for us, you and me and everybody else who works here is were so devoted to the mission that it’s like, I just want to solve the same problem. Mhm. If you make money great, I mean, I’d like to keep the lights on, I’d like to keep feeding the kids, they like food. You know, you know what what I end up happening is, I think is we focus on the mission, You’ll make plenty of money if you focus on you miss the mission. And so focusing on the mission, you start coming up with these ideas that I think are multibillion dollar ideas. Yes, so I think they’ll be for people who like money, I just I’m just not a big fan of money because I just wasted, you know, I’m just not a good person with money, so you just don’t want to give me any more. Yeah, so I think a lot of these things are coming together, well, it’s going to be really neat to see by the end of the year how we’ve integrated our existing assessment methodology that we’ve been using for. I don’t know, There’s probably 3, 4000 companies now are S two scores that have been generated Using the S two or Methodology. Yeah, to now marry that with and S two team and an S two main components that you can truly measure, like what is the real risk here? Not. You never and you’ll never get it. Perfect. Right, So don’t try to do
[00:48:00] Brad Nigh: that. Yeah. No, I mean I think it makes sense to do that, you know, to truly take Uh huh what your employees are doing and what they know and account for that risk because I can’t tell you how many times people are like, well this is what the policy says and then you talk to somebody else and you know, independent of that and they have no idea what you’re talking about or they say, oh no, this is what we actually do and it’s completely different and the other person has no idea.
[00:48:37] Evan Francen: Yeah. Yeah. Yeah, that’s a totally that’s a whole nother thing to for us to talk about. I mean it’s it’s a branch off of the same topic is how policies have been misused so much over the years, policies aren’t meant to be rude. Mhm. The reference documents, you know, just see people uh it’s a whole nother thing. All right. Anyway, so that’s those were on my mind when I was writing the show notes for today was just like two, we need to do a better job accounting for this. Your traditional risk assessment methodologies, traditional approach to a centralist or a small number of locations is less and less valid than and maybe even become in X at some point. Yeah, we’re good uh do anything else to add about. Just kind of the new thing with, because you do a lot of the incident response stuff, at least you’re very involved in that. And I know you’re working on a new methodology right now. Yeah. On instant assessment, which will also be married up at some point when it’s mature and ready.
[00:49:46] Brad Nigh: I think the biggest one of the biggest risks that we’re seeing out of this is, you know, unsurprisingly the Attackers are using. Uh huh. And then I, I use this word carefully. Disaster. Right. So any time you have some big event that happens, you’ll see, you know, the fundraising scams or the, you know, whatever you’re seeing a lot of that and a lot of a lot more fishing. Mm hmm.
[00:50:20] Evan Francen: Yeah. Yeah. Hopefully as you develop this methodology, you’ll be accounting for and I’m sure you will. I mean, I’m excited to see it when you guys, you know, have a version to share, but it will be, uh, incorporating, you know, how incorporate where the incidents are actually happening to because, you know, if they’re happening at home a lot more, uh, you mentioned earlier about the personal incident response plan. There’s a couple of reasons why I think that’s very valid for company one is shows that if I have a personal incident response plan that I understand enough about security to be prepared for the bad thing. So there’s a certain awareness that comes with it. And I think the second thing is if my employees are being attacked and they don’t have a method, you know, to respond to it themselves personally. Well, they’re not going to be very productive at work for one because their undoing all the damage that’s done to them, you know, by an attacker or whatever. Uh And number two, I think there’ll be some fear with people and I think people who don’t plan are more fearful because they don’t really understand. I think for a lot of times comes from lack of understanding.
[00:51:45] Brad Nigh: Yeah. Yeah, they’re they’re unprepared and Yes. Yeah. Yeah, it’s not a good combination.
[00:51:54] Evan Francen: No, so I think there’s maybe a tie into but even a tie in or a pass through um you know, it? S to me to an S. Two team to an S. Two are to your incident response, deeper dive assessment that you’re building now. Yeah, it’s cool, it’s cool being it’s cool working with smart people man fun, you know, it really is all right. Um All right. Another thing I had just, you know, the world going back to where we started, you know, the world Has changed much. May 25 and 26. They’re also days I remember. Well from this year, May 25 was memorial day uh started off like in Memorial Day. I I come from a military family. So Memorial Day has a deeper meaning I think for military families Because it’s a holiday to celebrate the people who gave their lives in the service of their country. Right? So I think it’s a super noble thing, right? When somebody else gives their life for you and your freedom, that’s a really big deal. Uh but May 25 was also the day that George Floyd. The whole George Floyd and I’m not gonna must try to stay away as much as possible from controversial around it. The fact is, May 25 was the day that George Floyd. The the events of George Floyd happened. Uh it wasn’t till the 26th that I heard about it because I was kind of disconnected from the news and came back and got reconnected. I was like what? You know? And yeah, crazy all that’s crazy. I mean the events that happened were crazy. The events around it are crazy. The events afterwards are crazy. The reactions are crazy. It’s just like, Yeah, and I haven’t fully, there’s so much emotion in it to that I haven’t fully appreciated or even appreciate it much actually about how this affects information security, but I know there’s an effect there, you know, Do you feel it?
[00:54:17] Brad Nigh: Yeah, I think it goes to both. Again, the more social engineering attacks around it. Um but also what it affects the physical security of organizations we’ve seen unfortunately seen damage. So how are you accounting for your location? Are you in, you know, it was all what happened in downtown Minneapolis and the destruction there. So how are you taking those things into consideration?
[00:54:55] Evan Francen: Yeah. Yeah. And then there’s the Mhm. One of the things I’ve never as much as I see now after May 25th, it’s just the bullying, you know, just uh you can’t say what’s on your mind sometimes because people will used it against you you for it. If I disagree with you, uh you know, we throw out. There’s two things that people do uh almost immediately whenever they can’t defend their position. Well, meaning I’m taking this position. If you do come with a counter position or you come with questions about my position, you may just be curious about my position, right? You may not even be attacking me at all. Right? But if I perceive it as an attack or I can’t defend my position well, and you can’t defend your position while you do one of two things, mostly, you either change the subject or I attack your
[00:56:09] Brad Nigh: character.
[00:56:10] Evan Francen: So if I’m if I’ve got a position and I don’t understand my position well enough to defend it, maybe it’s all emotion, maybe it’s right brain stuff. Uh And then you ask me about my position. Or let’s say you challenge my position. What I’ll probably what we see a lot going on right now is I’m going to attack you. You know, you bigot, you’re racist, you whatever, whatever, whatever which are all detracting from the point, The point is explain your position. So that either I can support it or I can fight it right or I can ignore it. But
[00:56:51] Brad Nigh: we don’t see enough to
[00:56:52] Evan Francen: what? No, we don’t. Yeah. And I don’t know what the information security impacts of this are. You know, as you start to try to figure it out and play it out. I know that there are impacts because it impacts society and society has made it up with people. And I know that information security isn’t about information or security as much as it is about people. So if it’s affecting people it’s affecting security. I just don’t we got to get our hands around it figured out a little bit,
[00:57:20] Brad Nigh: you know, you got to think of it from are these people going on websites and posting from corporate machines now that our remote are they making posts on facebook or wherever that are, you know, inflammatory or whatever it may be. And they say I work for, you know, X Y Z. Corporation now you’ve got that on your hands that you’re having to deal with.
[00:57:48] Evan Francen: Yeah. Yeah. I love to see, I mean truly, man, I would love to see love prevail. You know, I mean it doesn’t have to be yeah, it doesn’t have to be fighting. It doesn’t have to be destruction. It can be let’s sit down, let’s talk about the issues that’s come up with solutions, let’s work together. Let’s make the world a better place. Let’s not tear it down, right? Anyway. I don’t know that, you know, that’s the second kind of big thing in mind, that about this year is, you know, Covid obviously, and then the second is just all the social injustice and we could go into talking about elections and how that affects security too. But maybe that’s just a topic for another day.
[00:58:37] Brad Nigh: Yeah, there was a lot, a lot to impact
[00:58:42] Evan Francen: there is. But I love having these discussions and I talk a lot more sorry during these discussions, because there’s just a lot on my mind and it’s like, man, I want to the saddest, one of the saddest things that happened some social often is, you know, events that shaped the world happen and then we don’t capitalize on it. Yeah. This is a great opportunity for us to make security better too. Cut through the fear and uncertainty and help people become more understanding. And, you know, there’s just so much opportunity to use this for good. I like this. I’d like us to do that. And I think you would too. I mean, everybody fr Security Security Studio feels the same way. Yeah.
[00:59:34] Brad Nigh: How businesses are operating has fundamentally changed. Let’s take this opportunity with all this change going on to improve things based on this new Yeah. Environment new. You know, reality.
[00:59:51] Evan Francen: Yeah, yeah. That’s cool, man, I love working with you. All right? So, this is a year. Like, no other that’s for sure, truly, I’m hoping imprint love will prevail. I think in love will ultimately prevail. It. It always does. But to see people the other is all the jews at the root of the issues for yeah. You know, like take even black lives matter, right? At the root of that. I agree with uh, you know, 100%. Yes. Black lives do matter. So let’s make black lives better,
[01:00:27] Brad Nigh: right? You
[01:00:30] Evan Francen: know, that’s gonna take love. It’s not gonna take hate. It’s going to make it worse.
[01:00:35] Brad Nigh: Yeah. Yeah. No, I fully agree. And you know, I think we talked about it with vendors that fud fear, uncertainty and doubt and that’s what we see. It’s people that have fear, uncertainty and doubt and, but never that’s, it’s never a good thing.
[01:01:01] Evan Francen: No, no. So there there’s always good and evil, Right? I mean, the evil will take advantage of this to take advantage of you period. The good, we’ll do whatever they can to help you to take advantage of it for good, right? To make you stronger, Make you more educated, Make you better. Right? So that’s cool. Right? News. Yeah. Uh, newsy things. Uh, there are some news I thought was interesting. You are related to the news items that I called out. The first one is kind of a follow up to the second one that I’ll talk about, but this comes from security affairs. Uh, it’s Elon musk confirms that Russian hackers tried to Tesla employee to plant a malware.
[01:01:54] Brad Nigh: Yeah, that’s, it is a crazy story.
[01:01:58] Evan Francen: It really is man offering a million bucks to the start employee. They
[01:02:04] Brad Nigh: Started at 500,000 and I was like, that’s not enough. And then immediately went to the FBI so that’s pretty awesome.
[01:02:13] Evan Francen: It’s awesome to tournament, the guy’s name is Igor Igor of vich crude, I you cough 27 years old Rested on August 22 appeared in court on August 24 mhm Russian citizen, you should give that employee like a big raise. Maybe promote them,
[01:02:38] Brad Nigh: yep,
[01:02:39] Evan Francen: maybe adam I don’t know the whole story. Maybe the, I don’t know a million bucks in today’s world if you were ever going to I mean everybody’s, I suppose everybody’s got told that everybody’s got a price, I hope I don’t, but I don’t know, I’m a human being, so I suppose I’d probably do too, you would at least have to be enough to where I could retire comfortably because I’m never gonna be able to work again because somebody’s going to find out, I’m gonna have to fund maybe a new identity
[01:03:13] Brad Nigh: in a country with no extradition,
[01:03:18] Evan Francen: A million bucks ain’t gonna cut it a million bucks nowadays when she threw through. I mean chances are, well, first of all it will be a lump sum so you’ll probably go and buy some party stuff and blow some of it second the rs is gonna wonder where you got the million bucks.
[01:03:36] Brad Nigh: Yeah, you can just drop a million bucks in the bank and they’re like, oh cool,
[01:03:42] Evan Francen: Right, you’re gonna have to pay taxes on it. So that’s going to be 30, 50%. So you’re down about 500,000, You know fish and then uh yeah, you’re not gonna retire on it. No, so $1 million bucks. Yeah, just wouldn’t cut it. But it’s such an interesting story and you know, that’s the second story I have is from the hacker news and this one comes a little bit earlier, it says Russian arrested after offering a million dollars to us company employee for planting malware at this time, we didn’t know the company, it was uh he was sort of sealed in the court documents later. We found out it was Tesla So numerous time they met numerous times between August one and August 21 to discuss the conspiracy. Mhm. I guess Igor originally reached out on july 16th using WhatsApp to contact the employee. It’s a really interesting story. So if you read up on it, the court documents are out there and you know, including the charges and the background. It’s pretty interesting.
[01:05:00] Brad Nigh: It is, yeah.
[01:05:02] Evan Francen: Crazy. And this stuff for listeners. Uh don’t think this is some good incident and it’s not just the Russians, the chinese do the same thing. Uh the Iranians do the same thing. Uh any adversary of the United States is looking for a way to do things and that’s not including the criminal enterprise component, right? I don’t know what he gores I’m guessing it was more money driven wasn’t, but with Russia money and politics are so closely integrated, I can’t separate the two.
[01:05:47] Brad Nigh: Well they said that one of the guys working was a high level employee at a Russian bank, government bank. I mean what was interesting on that, the hacker news one is uh, that Igor had said he listed out previous companies, the gang targeted and revealed each of these targeted companies had a person working at those who installed malware. So it clearly works. And that would be interesting to see if that comes out to see if it’s some of these really big name companies that have been hit and if I’m not, if I’m that employee, I would be sweating pretty heavily. Yeah, because you know, these guys are gonna rat you out in no time.
[01:06:38] Evan Francen: Oh yeah, there’s no loyalty amongst steve’s no on the, and there’s always a trace, right? You follow the money. Even in crypto crime, you know, you’re going to spend that money somewhere, right? Somebody’s going to ask questions and it’s, yeah, crime doesn’t pay, isn’t that what he said when I was a kid. Yeah, I’m just not,
[01:07:05] Brad Nigh: It’s why you never hear about the the things that, you know, got away with it, right? Because they always get caught. That’s how we know it’s it, maybe 20 years, maybe 30 years but at some point it’s going to happen.
[01:07:21] Evan Francen: We’ll catch up. Yeah because that’s the thing too is people talk you know you say one thing and yeah I mean whatever you can’t hide the truth
[01:07:32] Brad Nigh: you tell one person I think you can trust and then have a falling out. That’s all it takes
[01:07:38] Evan Francen: right? Yeah. The best way to keep the secret is to never know the secret. Yeah. All right. Another one uh story from I. T. Pro portal which is a sight I’ve never really been to before but what caught my eye was X. Cisco staffer charged with deliberately deleting 400 plus E. M. S. Mhm. Faces up to five years behind us
[01:08:04] Brad Nigh: I’m gonna assume excusing uh Cisco is gonna go after him for damages as well. Right? five years and a fine of 250,000. Cisco is claiming in 1.4 million and a million two cuts and refund. So another 2.5 million.
[01:08:24] Evan Francen: I know man. And the person’s name is Sue dish. Kasaba Ramesh Left the company in April 2018. Access the firm’s aws environment months later. So there’s a problem. Yeah Cisco you should probably have disabled these accounts or sign on somewhere. I don’t know how you would have you know whatever that I wasn’t able to use.
[01:08:48] Brad Nigh: The shared you know passwords there is you know service account passwords when they are ever anybody with access leaves.
[01:08:58] Evan Francen: It’s the basics right in this, in this case lack of basics here did end up costing Cisco according to their calculation $2.4 million dollars in terms of their them recovering that money. It’s just not gonna happen. They may have filed insurance, they might have been covered there.
[01:09:18] Brad Nigh: I mean yeah, they’re not gonna, who would hire him? That mean
[01:09:25] Evan Francen: Right maybe the Russians But he deleted a total of 456 virtual machines. Which the key which Cisco used to run Webex, The Webex application. Oh my gosh. So anyway he’s released on bond. I don’t know 50 his bail was only set at $50,000. That’s not enough to keep you from running from five years in jail and a fine of $250,000 in zero job afterwards.
[01:10:02] Brad Nigh: Yeah, it’ll be interesting to see what happens.
[01:10:06] Evan Francen: Yeah. And the last 11 that I have cited here before, I don’t think is from the info sec handlers diary. Uh which is from sands. One of my favorite places to kind of keep up to date with some cool things that are going on. This one actually comes uh from there in the title is Centurylink outage caused internet wide problems and I actually remember Mhm. Something because I’m a century link user at home. Well in central link is I mean it propagates everywhere. So you’re gonna have issues if if somebody like central link is having BTP issues, um you’re gonna feel it another place as well. Uh anyway, it’s an interesting story and this one either hardware failure or a um employ a mistake. You didn’t just didn’t didn’t test your config first, something like that. Uh but it was a B G P a routing issue and if you know how B G P works PGP works, uh it routes between autonomous systems. So autonomous systems are, you know, big globs of essentially routers that, you know, control internet traffic and uh their autonomous system was basically knocked off flying for a while. Yeah, wow, the reason why I picked that one is because, you know, the Elon musk thing, the Russian, Elon musk, think that was an internal, there was a personnel issue at least that’s who was targeted and like you said, there are other companies that’s allegedly had fallen for this, you know, so we don’t know the whole fallout of all that stuff. The second one, the X Cisco staffer, that’s also an employee and insider issue and then this one, if it was a config mistake, then this is also an insider issues. So that’s why I picked these, I just thought, you know, we should do an episode at some point on insider threats. You
[01:12:12] Brad Nigh: know, what’s funny is uh working on this Ir assessment, I was on Insider threats and kind of the check boxes around preparation for Insider threats was where I left off yesterday. So before, before I even knew what you were talking about, It just happened to be where I left off. It’s kind of funny, it’s a sign of man, maybe next week the doctor, Insider threat.
[01:12:37] Evan Francen: It’s totally up to you man. I think that you could take that in a lot of, lot of ways. It could be a good topic. All right. Uh well, that’s about it. Uh episode episode 95 is almost in the, can we do our last thing which is shoutouts brad. You have any shoutouts to give,
[01:13:00] Brad Nigh: you know, give a shout out to Renee. Just she’s had a really nice email over the weekend and it’s just still super supportive and it’s always nice to know, you know, that john and Bonnie as well, but I just happened to think of her name because she sent that email, but it’s always so great to know that, you know, the leadership has your back and is there for you and is not just giving you lip service,
[01:13:29] Evan Francen: right? Yeah, Renee, it’s awesome. It’s
[01:13:33] Brad Nigh: the entire lt, it just happened to be Renee that sent that email that I made me think of, that.
[01:13:40] Evan Francen: It’s cool. I’m going to give a shout out to Ryan clark here and I don’t know if I’ve done that already once on our show, but he just continues to impress me. Uh he just, he gets things done, you know, I don’t have to worry about things, which is so cool. If you have a right hand left hand man, I mean you’re kind of that guy in methodology stuff and things that you’re doing over that far secure. He’s that guy at insecure studio and um uh and then you hear things, you know, you hear things like I was in a conversation with somebody else and they had said something that, right? Oh, it’s my own uh crap, was it my son who just had a birthday and Ryan had reached out to him and wished him a happy birthday and somebody else too. But just you hear things about people’s third hand that just can just, that just confirms your original thought of. Yeah, that really is a good dude. Yeah. So because sometimes you, you know, people will just tell you things, you know, two tell you things, but when you hear the third or fourth hand it’s like no, you’re not telling me, you’re not just telling me things. You genuinely are this kind of person,
[01:15:02] Brad Nigh: yep.
[01:15:04] Evan Francen: So that’s cool, right? We’re very grateful for our listeners and we love hearing from you. So send us messages by email uh at firstname.lastname@example.org or check us out on twitter. It’s @UnsecurityP uh all one word. If you want to socialize with me or brad directly, we dare you. We’re not social. Well we’re kind of social. I’m I don’t know, whatever. Uh I’m @EvanFrancen and brad’s @BradNigh uh, we work for people. And if you want to follow those people, security studio is @StudioSecurity and FRSecure is @FRSecure. That’s it. We’ll talk to you next week.