Unsecurity Podcast

Evan and Brad add to last week’s discussion about working from home and the past, present, and future of work from home in relation to COVID-19, information security tips while working remotely, and some tools that can help.

Podcast Transcription:

[00:00:22] Evan Francen: Hey guys and gals. Welcome to the Unsecurity podcast. This is episode 78. The date is May 4th 2020 and I’m Evan Francen. With me today is my co-host Brad Nigh. Good morning, Brad.

[00:00:36] Brad Nigh: Good morning Evan.

[00:00:37] Evan Francen: It is a good morning though, isn’t it?

[00:00:39] Brad Nigh: It is

[00:00:40] Evan Francen: You know, I think it’s supposed to rain today.

[00:00:43] Brad Nigh: Yeah, it was nice this weekend. Although windy

[00:00:47] Evan Francen: Wow. Yeah, it was windy. We’ll talk about that. Uh, we have another good show planned for today, but before we jump in, we are going to do that. We’re going to go ahead and catch up. Just like we normally do. This is Brad and I, Brad and I’s chance to sort of catch up. So tell me about what you did this weekend.

[00:01:06] Brad Nigh: Well I took actually took thursday friday off. Didn’t work at all. It was nice. Just kind of relaxed and friday that my daughter’s head off. So we kind of hung out and did some stuff and then this weekend and I got the chance out as uh, my angus would say I changed out some wood

[00:01:28] Evan Francen: ching soured some wood.

[00:01:30] Brad Nigh: He asked if he could do it like you’re five. No.

[00:01:34] Evan Francen: Yeah, I think you have the beard for it. So that’s good.

[00:01:37] Brad Nigh: Yeah, I had on uh put it on like a fishing hat, you know, the big brim hat and I had my glasses on and he goes, she’s like, you look like somebody you’d see in the woods and run away from.

[00:01:49] Evan Francen: Yeah, no one of those guys.

[00:01:52] Brad Nigh: Okay. I don’t know what that means, but okay. Yeah. You

[00:01:59] Evan Francen: mentioned it was windy this weekend. What do that? Sure,

[00:02:03] Brad Nigh: Saturday we, we didn’t get, you couldn’t really do anything. It was like 30, 35 mile an hour, sustained winds on Saturday. So we were outside playing and doing some stuff, but yesterday was most of it. I didn’t want to be uh trying to mess with bringing down trees and sawdust with that heavy of wind. Yeah,

[00:02:25] Evan Francen: We went on a couple of motorcycle rides on Saturday. We went to a birthday ride, um, and then like some kid was having his birthday. So there were like 30 maybe bikers, yeah, who drove by his house and you know, it all revved up our Harley motors and woke up everybody in the neighborhood.

[00:02:47] Brad Nigh: very cool. And they actually had uh, somebody had a birthday party in our neighborhood and the fire department, the local fire department had two fire trucks and ambulances and the sheriff come through the whole neighborhood.

[00:02:58] Evan Francen: That’s cool.

[00:02:59] Brad Nigh: And uh, yeah, we got the double dose because we live on a dead end. So they went and turned around and came back. So it was cool to see all the kids like losing their minds excited,

[00:03:09] Evan Francen: objective.

[00:03:11] Brad Nigh: Uh He was a little loud for him. He had had the processes. So he missed the first pass and kind of went inside. It freaked him out how loud they were. But you know what do you do? He watched from the window and was okay

[00:03:28] Evan Francen: And it was a tough ride on Saturday because you know, you don’t just go, if you’re a rider, you don’t just ride to, you know, one spot. So we kept riding and my wife didn’t like it because it was too windy for her. It was blowing us all over the road.

[00:03:43] Brad Nigh: Yeah. Even yes. Yeah. Yesterday the winds are still 15, 20 miles an hour with that was we got a kite out and got to do that a little bit.

[00:03:55] Evan Francen: Yeah, yesterday was a much better ride. We probably put 150 miles on yesterday.

[00:04:00] Brad Nigh: Nice

[00:04:01] Evan Francen: Gone to New Ulm. Have you ever been to New Ulm, yep? The town was dead, but we found a place that had take out, got some takeout at a, at a just a picnic table and then rode back home. So it was a lot of riding. I probably got 250 miles in maybe. Mhm.

[00:04:22] Brad Nigh: Yeah, the weather was, I mean the temperature was perfect, that wind just was, that was tough.

[00:04:30] Evan Francen: Yeah, it was tough,

[00:04:32] Brad Nigh: dries you out too.

[00:04:34] Evan Francen: Yeah. And it’s hard, drives you out or drives you out tires you out um a lot of sun two and you did too.

[00:04:44] Brad Nigh: Yeah, it’s good. Yeah. Only only Minnesota can we like get sunburn like 60 degrees out.

[00:04:51] Evan Francen: Right? This is, this is us,

[00:04:54] Brad Nigh: We’re all in shorts and t-shirt. People from Florida are like winter coat.

[00:05:00] Evan Francen: Right? So what was your week like? Like last week? What it uh,

[00:05:05] Brad Nigh: uh, just working on like the CMC mapping, some incident response stuff. So got contained. It looks like I have been seen since Wednesday obviously on a big IR we had, well I got, they got real lucky on that looks like so,

[00:05:25] Evan Francen: so tell me what happened, how did they get lucky?

[00:05:28] Brad Nigh: Uh, well we were seeing the encoded PowerShell running across the environment and when we could, so we were able to decrypt some of it and it was ransomware gain spread. So we’re able to block that PowerShell from running at all. Okay. I mean it was, it’s a, there’s a lot of stuff for clean up for him. I said, I haven’t checked in and since Wednesday afternoon. So you know, as quickly as that stuff changes, who knows where it’s at right now. But

[00:05:59] Evan Francen: What, what kind of ransomware was it, do you know?

[00:06:01] Brad Nigh: Um, I think we saw Emotet. The FBI had said they thought it was Maze, but we’re not last. I thought we hadn’t seen any indication of Maze on there, but we did see Emotet, which obviously would drop typically, uh, yeah, some of the other stuff, so I’m not sure exactly which one it was. Like I said, I hadn’t been super involved in that one for four days, five days. I mean so I said that that changes uh pretty rapidly.

[00:06:36] Evan Francen: Do you ever find it difficult to remember what you were doing last week when you’re, you know, we do these shows on Monday morning and I’m trying to think like holy crap, there was a lot of stuff last week but I can’t remember which, I don’t remember what happened last night.

[00:06:49] Brad Nigh: You know, usually it’s not too bad but with being off and not thinking about it definitely made it worse. I was look at my notes, Cobalt Strike, we got their command and control framework, we found there looks like their main one. So that’s, that’s not usually a good thing to find on your network.

[00:07:11] Evan Francen: Oh, so Cobalt Strike was on their network. So the attacker planted Cobalt Strike or multiple

[00:07:16] Brad Nigh: instances. Yeah,

[00:07:18] Evan Francen: Interesting. Yeah, I guess attackers a lot of times will use the same tools that you and I use.

[00:07:23] Brad Nigh: We’ve we’ve actually seen that this is probably the third or fourth time this year, you know the last four or five months

[00:07:31] Evan Francen: that you’ve seen Cobalt Strike being used in an

[00:07:33] Brad Nigh: attack.

[00:07:35] Evan Francen: Mhm interesting. So not very original.

[00:07:40] Brad Nigh: I mean but it works, it’s true, it’s proven tool.

[00:07:47] Evan Francen: Yeah, why code something yourself if you already got a tool that you, that works just fine.

[00:07:53] Brad Nigh: And if, if the endpoint’s not being protected, whatever they’re using isn’t catching it. I mean, makes it, makes your life easier. Yeah, I know that throw out all the other stuff that they built.

[00:08:08] Evan Francen: Do I look tired today

[00:08:11] Brad Nigh: a little bit? Okay.

[00:08:13] Evan Francen: Right. Just want to make sure, you know, it’s kind of my default. Just wanna make sure I’m keeping up the Yeah. Yeah. Looking the way I’m supposed to look. All right. So, we have a lot of times. Um the last, it’s been a really hot topic and I think last week we talked about it too. We talked a lot about working remote or working from home. Uh and truly, if you were around and paying attention, this was this has been a hot topic for quite a while. But I think since the outbreak of Covid 19, it’s even more of a hot topic. It’s certainly one of the top trending topics in information security. So just another take today on, you know what this looks like. You know, from a future looking perspective. You know, we can use we can do some uh predictions, you know, on this stuff. So what did work from home looked like prior to Covid 19 so much has changed in the last two months. Yeah. How, you know, on the rank of all the things that we deal with in information security, where did work from home kind of fit? If you can remember prior to Covid 19?

[00:09:32] Brad Nigh: I think prior it was much more controlled situation. Right? So you had a small number of people that we’re doing it so you could put a little bit more time into. It may be making sure that they knew what they needed to do. And usually the ones that were working from home just seem to be a little more maybe savvy. Yeah. Um So it wasn’t as big a concern.

[00:10:00] Evan Francen: Yes, it was less people. Right? And a lot of, a lot of times those people it seemed like had a legitimate work from home Need and they were approved and there were some there were some that involved there was more preparation for them. There was more training and awareness stuff for them.

[00:10:21] Brad Nigh: Right? I mean your IT staff, your security staff, you have the ability to, you know, it’s easier to control small numbers, right? You can make sure that you have the controls in place, that they get that training that you’re talking about. They understand what it is versus free-for-all.

[00:10:39] Evan Francen: Right. So before it was much more, and I agree with that. I think before it was much more controlled, you know, as a CISO it was, you know, it was on my list of things to do but it wasn’t, you know, top priority because it was kind of already sort of planned for and taken, you know, taken care of. Um, then COVID-19 comes, all the offices shut down. Now, our office shut down here in, in Minnetonka, Minnesota. We shut down our office on what, March 17th?

[00:11:12] Brad Nigh: Yeah, that was the last day we’ve got, everybody had a chance to uh, they clear out and get what they needed.

[00:11:22] Evan Francen: Okay. The announcement was made what, March 16th, the day before? Yes, okay. So we had, we had about what, 24 hours?

[00:11:33] Brad Nigh: Yeah, I think, yeah, it was, we talked about it the week before, uh smt. So we had already kind of come up with it, agree that we saw it coming and announced it before the governor did.

[00:11:47] Evan Francen: Now when can you recall when we saw it coming? Was it a week before? So what? Nine?

[00:11:52] Brad Nigh: Oh no, we had, I think it has been part of like the conversations for at least, wow. I mean, we kind of talked about it in, in February. I know, and kind of like, interesting, we should take a look at this and see what’s going on and then in March, like the kind of that week of the second or the ninth, for sure, it became a much bigger topic.

[00:12:16] Evan Francen: Okay, so the discussions for us started February.

[00:12:21] Brad Nigh: Yeah, I would say informal. Okay, let’s keep an eye on this and understand what’s what’s happening.

[00:12:27] Evan Francen: Right? So it was a thought, a notion, something to think about, nothing formally being planned, but you know, something that was discussed in February and then what, maybe a week or two before we actually, actually closed the office, it was all right, here’s the plan or let’s develop the plan, put some formalization to it. Um, what are all the considerations that we need to make? You know, one, can people, do people have connectivity, what things do we absolutely, do we rely on so heavily in the office, I mean we didn’t have that stuff much.

[00:13:08] Brad Nigh: Right?

[00:13:08] Evan Francen: Yeah, there’s all considerations. Right.

[00:13:11] Brad Nigh: Oh yeah, absolutely. Have those conversations. It was, it was a lot easier I think because we were set up for doing the remote work, right, with the assessments, you’re remote doing those. By function, we had to be able to work remotely. So it definitely made our jobs easier. Uh, at least from an analyst perspective, both on consulting and tech services. The biggest was more I think sales and you know, the support staff that were used to coming in and how do they handle that stuff?

[00:13:48] Evan Francen: So we, all right, so I’m just trying to think because during this time it was weird for me, I was like the twilight zone, you know, I was on a cruise, you know, from the uh, and we were debating on whether they didn’t have the cruise, we figured if they were going to do the cruise we would still go. Um, so that was March 5th through the 16th. So I came back from the cruise on the 16th, which was the same day that the ELT, the executive leadership team, decided to close the office and, and then the 17th, the office is essentially closed. Which was just really weird for me because I never really came back to an office again, you know, back there.

[00:14:33] Brad Nigh: Yeah, you never got to, you’ve been it’s actually been even two weeks longer than for you basically.

[00:14:40] Evan Francen: So I’ve been here every day uh in the office by myself, which is just weird. Uh Today we have, you know, the governor allowed, you know, set some rules in place for the state of Minnesota on, you know, going back to work, you know what, people can go back to work, what people can’t essentially can’t have any customer interaction. Um limited numbers, things like that. So we have six people coming back to the office today. Mhm. Today is like I said May 4th, so it’s been 49 days, Yesh 48 days, but nobody here except for me and now people are coming, you know, they’ll be coming back today and I wonder how irritated I’m gonna be with that,

[00:15:30] Brad Nigh: You know, you say 49 days and it just is like how is that? It, I saw, it reminded me, just I saw a tweet that was like, you know, it doesn’t matter if I die young, I was highly extra 30 years from March through our February through April of 2020. Yeah, it just feels like this is going for, it feels so much longer. That

[00:15:51] Evan Francen: that was one of the things that was nice this weekend, you know, I was telling my wife because we rode to, like you said, yesterday we rode quite a bit and when we were having lunch in um New Ulm, I mean there was nobody there, but it was kind of the first time in six, seven weeks where it almost felt sort of normal, you know, because when you’re riding a motorcycle, it’s not really a social event anyway, right? With a bunch of people. Um, yeah, it’s weird

[00:16:24] Brad Nigh: funny and I think that that ties into the kind of coming back and working and remote and all that is how do we get back to some sense of normal without a vaccine or treatment or you know, how do we stay safe and and still get normal

[00:16:45] Evan Francen: bon and that’s always been a word for me. That has been hard for me to understand from probably forever. It’s just what normal means, you know, is normal mean? Yeah, I don’t even know I mean because I just do what I do and

[00:17:03] Brad Nigh: I think it’s different for everyone to, right? So that’s what makes it so difficult. What’s normal for you is not normal for me and what I would consider normal, you’d be like, no, that’s not normal. Right? So I think it’s that that makes it a little bit more tricky. So I

[00:17:20] Evan Francen: think that’s beautiful too is your normal is different than my normal, but it’s respecting each other sort of normal, you know what I mean?

[00:17:28] Brad Nigh: Absolutely. Well, I think we’re going to talk about it anymore, but because one of the articles mentions it, but one of the, I think one of the hardest things that getting away from work, which is right, my office at home downstairs is realize that the hardest part has been not, there’s been a lot of interaction, right, with videos and conferences and we’re talking all the time, but it’s different than that face to face interaction, right? That’s really than probably like I had that, I don’t know, epiphany and probably other people have already had that or whatever. But for me it took this long of getting away and actually getting kind of separating again from working home because it does start to blur altogether. And then, uh, yeah, just like the neighbors were out and able to talk across the street and it’s not quite the same, but it was like, oh yeah, that’s, that’s what to me that kind of, that’s normal, like having a space to face in person interactions just right now, you don’t have them. And then you’re wearing a mask to the store, realize like how much harder it is to like interact with people, you have to like communicate with your eyes so much more because they can’t see a smile or whatever.

[00:18:54] Evan Francen: All those nonverbals that you read on people’s faces is really difficult to read now.

[00:19:02] Brad Nigh: And thank for you. You know, both of us done like the social engineering in the past. So that’s something that I’m sure you pick up on. I think more than normal people if you if you haven’t done that type of stuff. I know family for sure has said things along those lines. It’s been difficult when you’re used to reading that and people watching and now it’s like I can’t tell what’s going on.

[00:19:29] Evan Francen: Yeah, it’s definitely confusing. It’s different. Um Yeah, so prior to Covid 19, you know, there’s all sorts of studies, but you know, one of the studies that cited in um you know in the show notes is the one from Forbes, which you know, the title of the article is is Working from Home the future of work. And it was interesting. I was looking for some statistics on how many people were working from home prior to Covid and it looks like about 10 to 15% of the workforce worked from home, so they’re not probably having any, I went very few less for sure, disruptions or abnormal c in their days.

[00:20:20] Brad Nigh: Yeah. You know, it’s been interesting, one of the things that our remote workers have said is a positive out of this is we are using video for these calls now, whereas before we rarely use video to like when we have a quick call and so like they’re actually has seen a benefit from this because now everybody is remote and realizing, Yeah, some of those things so kind of interesting takeaway there.

[00:20:48] Evan Francen: Yeah, I think, you know, there’s pros and cons, you know, and it’s, you know, when you look at, I guess all of it, you weigh them against each other and you know, kind of figure out. I think the biggest thing for me is I like having the option, right? If I want to work from home, then I want to work from home, you know, versus you’re forced to work from home. I don’t I don’t think anybody, a few people I know, I don’t want to be forced to do something. I wonder.

[00:21:19] Brad Nigh: Yeah. And yeah, I agree. I think that’s a that’s been a struggle to write. Nice. I’ve worked from home. It’s nice when, you know, kind of needed to get away from the office that you’re not getting some of those interruptions of people stopping in. Especially like we’re talking about like mapping and things like that, we need to be head down for hours at a time, right? But yeah, it’s a little different when you don’t have that choice.

[00:21:50] Evan Francen: Yeah, because I mean, working from home, teleworking, telecommuting, whatever you wanna call it, isn’t anything that’s new. It’s been around for at least from monkeys.

[00:22:02] Brad Nigh: Oh yeah,

[00:22:03] Evan Francen: Remember, you know, some of the first VPNs I was using, PPTP VPNs with, you know, in the empty you know um dial

[00:22:12] Brad Nigh: up modems. Yeah

[00:22:15] Evan Francen: and things have come a long way since then. Um, and it’s taken us so long. There are lots of reasons why people I think don’t rush more to work from home. One is certainly we’re social creatures, right? Human beings are meant to be social. We’re built to be social, social doesn’t mean video, social means in person together. Alright. We’re clan people. We’ve always been clan people. Um, that’s just the way, you know, it’s in our DNA. And I think so much of this for me feels, that’s the part that feels abnormal is just part of my. Yeah I mean part of what I need, you know, as a human being. I’m not getting, uh, and I’m, and I’m an introvert you know, so like I’m supposed to be more comfortable with this than other people. But

[00:23:12] Brad Nigh: you know I think I think what one of the other things that I’ve realized is yeah I’m more of an introvert but you do from if you have that close knit group even as an introvert you still get I still get like some energy from yeah those close people right? Like seeing them and like you and the other members of the team it’s not getting that it’s like this is different.

[00:23:40] Evan Francen: Yeah something’s missing

[00:23:43] Brad Nigh: actually. I think the opportunity to come out of this on the other side being a better person more aware of yourself and others and there’s just a huge opportunity to grow from this. I just hope we make it to route it to be able to execute on that.

[00:24:00] Evan Francen: Right? Yeah. I hope that these things don’t wing some of the things that I think are unhealthy long term, I hope they don’t linger on, you know, except for things like people will never shake hands again in business. It’s like, yeah I mean we did, we did prior to Covid. Covid isn’t like the first like thing, first sickness that we’ve ever had. And I understand that this is, you know, much more, you know, viral and much more harmful to people. But are we really not going to do certain social norms that we’ve always done just because we’re afraid of another pandemic. You know, in 100 years from now. You know, whatever it happens, uh, you know the Spanish flu is the last kind of big pandemic. I know that there’s been, you know, SARS and you brought other things. But I mean I hope because we human beings have such a short term memory. You know, I don’t know if you remember after 9/11, I really enjoyed the fact that the, the, the America came together. There was so much patriotism. There was so much togetherness. It didn’t matter if you’re a Democrat or Republican. It just, we were together, we were, we were one and then our short term memory, right? It wasn’t long before we’re back bickering and fighting at each other and just being stupid and then you know, this thing happens. I hope we have a short term memory and a lot of the things that we have here and then he just so long term memory and some of the healthy things. But I don’t know, it’s just gonna be weird.

[00:25:41] Brad Nigh: Yeah, like I said, I hope I’m really hopeful that the long term we we as I mean just people in general, it’s not just the US everyone like this realize that yeah, we’re in this together. Yeah, well we benefit from all that bickering.

[00:25:57] Evan Francen: But you know what? We’re right back at it again. I mean right when the pandemic first kind of broke out and I’m not going to get political, we’ll bring it back in here in a minute. But the, you know, the politicians, you know, right when the pandemic started kind of a real thing in the US, you saw the left and the right kind of coming together more and it’s like a couple weeks and then it’s back to like just being,

[00:26:22] Brad Nigh: it’s almost even worse. But yeah,

[00:26:25] Evan Francen: we’re cheating and then yeah, I’m gonna go on

[00:26:28] Brad Nigh: time. Uh Yeah, just

[00:26:31] Evan Francen: yeah, we have another I haven’t told you yet, but there’s another podcast coming. Uh it’s called the security blank show.

[00:26:40] Brad Nigh: You

[00:26:43] Evan Francen: can fill in the blank with the S word and that’s the one that’s coming, it’s gonna be me, um, uh, hello Chris Roberts, you know? And so we both have a tendency that I want to speak more, like there are a lot of things I want to say on this podcast that I can’t, I’m just like

[00:27:05] Brad Nigh: yeah, I’m with you.

[00:27:08] Evan Francen: So this is gonna be one of those ones that’s going to have the explicit logo on it, you know, so

[00:27:13] Brad Nigh: very cool.

[00:27:14] Evan Francen: It’s not going to be raunchy, right? We’re not going to be purposely raunchy and dumb. It’s just we’re going to be able to say what we want to see. You get off our chests and say, you know, and if the swear word comes out and so be it, you know, I’m excited to do that because there’s so many times, man, when you’re, one of the things about being, and you’re, you are too, right. You’re a leader here. You know, you represent the company. So I want to say things but I also don’t want it to reflect poorly on the rest of you guys and what we’re trying to do from a mission.

[00:27:46] Brad Nigh: It’s always in the back of your mind when you’re saying something. What is this? How is this going to reflect? Yeah, it definitely filters what you say.

[00:27:54] Evan Francen: Yeah. So it’s going to be an unfiltered. We’ll have you on as a guest and you can coming be mean with us. Yeah. All right. So what happened because of COVID-19? I think what I saw was a mass exodus from the office to home and a lot of it happened with poor planning. I know that you mentioned, we were starting to talk about this in February. I wonder how many other organizations did that, who had that leadership. Um, and then we are a company that’s a tech company primarily. So it’s not disruptive for us to go from here to there. But what about companies that, one, didn’t prepare well, didn’t see it coming, and two, just aren’t normally set up as part of their business to be able to handle it well? Yeah.

[00:28:47] Brad Nigh: Yeah. I think that’s why we’re seeing an increase in incidents and breaches. Right? I mean, we talked about the BitSight report with malware on home networks 3 to 7 times higher than corporate networks. And you’ve got people, companies that were like, we don’t have computers for you to use your personal one island. Right. You know, so I think they were caught off guard for sure. Take a lot of companies, more of the old school thinking, have fought against it for a long time. I know I’ve worked at places that were like super against telework or remote work, even though it’s like, you know, there’s sometimes where you can be far more productive, right? You know, and so I think it’s going to be interesting to see how those companies adapt to that because there’s gonna be other companies that are like, hey this works, do it, and now you’re going to be competing for employees who maybe want to work from home saying, nope, not gonna do it versus, you know, you can work wherever as long as your work gets done,

[00:30:01] Evan Francen: right? Yeah. So here’s, here’s some statistics, you know, and some things that I found for, you know, write ups about what happened because of Covid and gives us kind of a glimpse into what the experts or what people are thinking the future looks like in terms of remote work, you know, after COVID-19. One, you know, the Forbes, the title of the article is working from home in the future of work. They cite that they did a study, MIT did a study, 25,000 American workers. They found that 34% of them who had been employed four weeks earlier say they are currently working from home. So those are new work at home employees essentially. Uh, and combine that with a 15% who are already working from home pre-Covid, you had about 49, so about half of the workforce right now, uh, are remote workers and two thirds ish, two thirds of those, half are brand new work at home workers. All right, so it’s all new to them. It’s new to the company, it’s, if you didn’t plan well, it’s, you know, so it’s pretty significant. Um, one person from the Brookings Institute, Katherine Guyot and Isabel Sawhill, uh, they wrote that this is a massive experiment in teleworking, telecommuting. Which is weird because telecommuting is not new. Why would we still be experiencing or experimenting, you know, 20, 30 years later?

[00:31:34] Brad Nigh: Well, because it’s that select few versus, can a, or can, can an organization function with a remote workforce versus one or two people or a small percentage.

[00:31:46] Evan Francen: Right? And I think it’s in some respects, it’s, it’s myopic management that you didn’t see the benefits that you could leverage from having remote workers, for one. And two, the big reason why I think a lot of companies didn’t already go here more in bigger numbers. At least there’s a flexibility thing. Right? Give, I mean all the people that we, that we employ here at FRSecure, SecurityStudio are adults.

[00:32:18] Brad Nigh: Yeah, that’s exactly where I was going to go with

[00:32:22] Evan Francen: it. Right? And so as adults, we trust you to make good choices about what’s best for you in terms of work life balance. I think everybody here knows sort of what’s expected of them, what work it they’re supposed to be doing, get your work done. And I could care less where you do it, you can do it on a beach in the Bahamas for all I care.

[00:32:43] Brad Nigh: Yeah. As long as the quality of the work is good. It’s on time, customers are happy, especially like writing or some of that stuff. I don’t if it’s nice out, go play with your kids on a friday afternoon and then do the work right that evening. I don’t care as long as you hit when you get it done in time. Yeah. Quality customers are happy. What more do I need?

[00:33:08] Evan Francen: Well, that’s the frustrating part, right? I mean, trusting your employees and they pick up on that, right? I mean, if I started to not trust you, Brad, I think you’d pick up on it pretty quick before I’d ever have to say anything. Right?

[00:33:20] Brad Nigh: And there’s, yeah. And you know that, that bullet point next with the Gartner, 76% of employee. The top employee complaint is concerns about managers or from managers about productivity or engagement. And I was reading an article about how, uh, the like that nanny software, right? The monitoring software has exploded in this, is people are like, well, if they don’t move their mouse in 15 seconds they’re idle and it automatically turns and I’m like, oh my God, I would never work in that place.

[00:33:53] Evan Francen: So let’s put this. So just this point right here, let’s put a security piece on this. So, you know, and I’m just playing, you know, sort of into this uh storyline if I don’t. Okay, so I don’t trust you. I’m part of the 76% that’s three quarters of their biggest complaint is the fact that management essentially doesn’t trust them. Right? Right. So I don’t trust you and now I’m gonna make you do some mandatory information security training on how you can protect me as your employer. How receptive are you going to be to that?

[00:34:31] Brad Nigh: Maybe like click move my mouse. Okay. Yeah, we’re good. Yeah.

[00:34:37] Evan Francen: I mean, it’s just you set up a really crappy environment for collaborative learning and protection.

[00:34:45] Brad Nigh: There’s no loyalty. No. Like why would I care if I know you don’t trust me? Why would I try? Like what’s the point? What benefit do I get?

[00:34:57] Evan Francen: Yeah. It just compounds my problem as you know, in a company if I were a CISO, it just makes my job that much harder. Yeah. To get you engaged to get you because we all know that people are the big, the biggest risk. Well, that means, you know, I need to work with you to teach you good security habits or at least create an environment, will you, you will want to form good security habits. Yeah, I wouldn’t.

[00:35:24] Brad Nigh: I mean, well, and then you’ve got, if I were there for me, if you help, somebody asked me should we put in this software that turns on the camera automatically if they go idle during work hours? No. Well, and that’s what you’re going to find. Yeah.

[00:35:39] Evan Francen: Yeah. I don’t want you seeing in my house, I’m sorry, employer, whoever you are, right, There’s not enough money you can pay me for you to see the things that my home, you know, I work from home a lot. My home is my safe place, right? It’s the place where I do have privacy. It’s the place where I don’t invite hackers into my living room every day. That’s why I’m not big on IoT. Uh, you know, it’s just where in the world do I have a safe place?

[00:36:15] Brad Nigh: Right. Right. And you know, what’s interesting to me is is like there. So if you haven’t done it right for whatever, we’re going to track the activity, what office environment do people not walk around, shoot y’all talk with each other. Congress fancy football, whatever it is. You know, that they’re not productive eight hours a day every day. Like there’s tons of studies that show that, but then suddenly you’re expecting that when they’re remote

[00:36:48] Evan Francen: Yeah. So it’s just really difficult environment for security for sure. And then so combine this with the anxiety and everything else we have coming from Covid and all the things going on in the world and the political bs that’s going on, combine that with the fact that my employer doesn’t trust me, combine that with the fact that I no longer have social interaction according to another, you know statistic and study 19% of remote workers called loneliness. Their biggest struggle with working from home. Uh, so at least 19% in all of this are also dealing with loneliness and isolation. Uh it’s not a good environment at all. It’s not conducive at all to information security. I could give two craps about, you know, you’ve got this setting set up in that setting set up on your workstation, all this other crap that’s not the concern. The concern is the person sitting behind the keyboard, typing things, clicking things, They’re not thinking their minds, not straight. Uh and it’s because a lot of it is because of Covid. I understand that, but also a lot of it is because of the way employers are treated at home,

[00:37:59] Brad Nigh: right? There’s a huge difference in, you know, forcing, again, forcing somebody to be monitored and checking in with them and say, hey, how are you doing everything okay? Right. Versus we’re going to make sure you’re doing what you’re supposed to do.

[00:38:14] Evan Francen: It’s a terrible, terrible culture for security. Good culture for security is a culture where people are on the same page. People want the right things, people are vested in it. People feel like a family. Uh, this is it’s terrible news for where we’re currently at. And if we’re gonna go here and continue to go here post Covid this is this is a bad thing, man.

[00:38:41] Brad Nigh: Yeah, they’re from uh again, from a security perspective, there is going to have to be major changes and how, you know, the infrastructure is set up for an organization, the training and awareness. You know, just how do we handle this sudden change? Because no, the very few companies were set up for it.

[00:39:06] Evan Francen: Well, even if you’re set up for it, there’s a way to do it and there like you never want to come out, in my opinion, you never want to come off like you don’t trust your employees, you want to come, you trust your employees and not just that, but I love my employees. I love we’ll want to do what’s best for you, what’s best for your family, what’s best for you, you know, Because I know that if I cater to you that you will produce the best word possible, right? Because you want to not because you have to,

[00:39:36] Brad Nigh: well, I think of it the risk for an organization for having to find losing an employee because you didn’t trust them who maybe was, you know, had been brought into the culture and wanted to be part of it. Now, you got to find somebody new and hope that they’re willing to buy in and be part of the security program. When you basically told him from the start, you don’t trust

[00:39:59] Evan Francen: them.

[00:40:00] Brad Nigh: Like uh, that is a risk from a security perspective.

[00:40:05] Evan Francen: Exactly. So I think right now our remote work beyond just the technical things that go into, you know, pushing people out of the office to work from home quickly and preparing all the technology and laptops and whatever you’re using VPNs and all of that and Zoom and whatever. There’s so many things there, but also don’t lose track of the number one risk, which is people you have to create an environment for people to feel comfortable in an environment where people can think clearly an environment where people want to do the right thing. And so according to that Forbes study that I read, we haven’t done that, we’ve totally, totally missed, you know what I’m saying? Not we as in FRSecure, SecurityStudio, I think we’ve done a really good job and I credit you and the rest of the management team for doing that. But according to that, the rest of the business environment is screwed. It’s a terrible place to try to implement security controls and collaboration. Yeah. Another, you know article cited is, you know, some may work from home permanently. So when you start looking forward looking, according to Gartner, 25% of the 317 CFOs who were surveyed expect 10% of their employees will remain remote. 17% of those 317 expect 20% will remain remote. 4% expect 50% will remain remote and 2% expect 50% will be permanently working from home after the pandemic. So a lot of these employees, so we pushed them all home, many of them will not come back to the office. Mhm. And if we’re operating under the previous article, the Forbes article in this manner, you

[00:42:09] Brad Nigh: gotta better figure something out.

[00:42:12] Evan Francen: It’s not cool at all.

[00:42:15] Brad Nigh: Yeah, it’s gonna be it’s gonna be interesting to see what happens over the next couple years,

[00:42:22] Evan Francen: right? Another article, you know, working from home has its troubled history. I think that was an interesting article from The Guardian. Uh we’re just we sort of, it sort of explains a little bit about, you know, teleworking remote work has been something, you know, in our industry for 20 plus 30 years and so, but there’s a reason why we didn’t go there in mass, like we should have. And I think there’s some good stuff in that article about some of the flaws in having people work from home, but I think a lot of it is mental, you know, and management style more so than anything else.

[00:43:05] Brad Nigh: Yeah. Yeah. I think, you know, ultimately you’re going to have more a mix where people work and have that choice, take advantage of it more often. And again, it’s weird when you have happy employees, their productivity goes up weird,

[00:43:21] Evan Francen: they’re more secure. Yeah.

[00:43:24] Brad Nigh: Yeah. But in your well, they have a when if they’re happy and they like where they work, they want to protect it. I mean, it goes hand in hand

[00:43:36] Evan Francen: 100%. Yeah. Culture is so critical to good information security, it just becomes part of how you operate, right? Yeah. I mean, I treat my it’s like, I don’t know if you’ve ever lent out tools before, but I lend tools to some of my friends, some of my friends who just, they don’t protect my tools and I already know this before I give it to him, right? So it’s not like a big surprise, but when I lend a tool to a friend, I don’t expect them to, I almost don’t expect them to protect that tool as much as I would if it were in my garage.

[00:44:15] Brad Nigh: Yeah. Most people don’t do that, right? I mean it’s not their things, same, same exact concept,

[00:44:23] Evan Francen: right? So if I make my garage, your garage, meaning I invite my friend, hey man, these are our tools, you know what I mean? Then it becomes kind of different because they’ll treat my tools better

[00:44:36] Brad Nigh: a stake in it, right? Like the feel ownership of it.

[00:44:42] Evan Francen: That’s so important, man. Alright, so another thing, another article, because I did cite a lot of articles in the in the, you know, in the show notes this morning. Um but all really good. I think we found a really good central theme that we’re keeping in on, which is just how do you motivate employees to want to be more secure, you know, when they’re working from home and how not to do it. I think we already hit pretty hard on how one of the ways not to do it.

[00:45:10] Brad Nigh: Yeah, this last one was really interesting. That last bullet point.

[00:45:15] Evan Francen: Yeah, 60% of people report is either being productive or more productive when they’re working from the office,

[00:45:24] Brad Nigh: but 76% of the other one said, hey managers don’t trust me to be as productive, whereas it’s like okay, there’s clearly that disconnect somewhere.

[00:45:35] Evan Francen: Yeah. Yeah. Very interesting. I think when you get your, you know sort of studies and news from different places because one of the things I’ve noticed over the years in information security is, most of the studies you read from our industry are biased. Mm Study was uh sponsored by somebody who’s trying to sell you something, right? So those results are always going to sort of be slanted and bent towards that point. So I think that’s why it’s really important to get different articles from different, you know and compare them with each other. But I think the central theme here is uh more people, I don’t know how many more people, but more people will work from home after the pandemic. Mhm. And they don’t like being micromanaged. Right? Yeah. It’s going to produce really

[00:46:32] Brad Nigh: trust your employees to treat them like adults and gosh, you know, I’ve had really good success with that for as long as I’ve been in management.

[00:46:44] Evan Francen: Well, if I didn’t trust you, why the hell did I hire

[00:46:46] Brad Nigh: you? Right.

[00:46:48] Evan Francen: I mean what the hell is going on? I had we had a choice on who we hire and who we don’t hire and if we hire somebody, I mean that’s why the number one thing on our core values is we tell the truth. Mhm. I mean whatever. I guess it’s frustrating to know that there are so many companies out there that must have really, really crappy cultures.

[00:47:13] Brad Nigh: Yeah. One and again, regardless of what percentage of people go back or stay home. I mean it’s going to be a significant number that are now remote more. Right. I mean, even if it goes from, what was it 10 or 15% to 25% I get 10% of the workforce. You basically doubled my remote workers. I mean, you better start preparing on how to handle this. Do we give them their own devices? Do we have them set up with VP? How do we do this and start looking now? Don’t, don’t wait because it’s not going to suddenly be like, okay, everybody goes back to be looking at these things now.

[00:47:54] Evan Francen: Yeah. So we got a lot more to go through. So we got to kind of pick it up a little bit too. But the, so the mhm Yeah, I mean culture and you can’t fix culture with technology. Right? So the way I manage people, there’s no technology, there’s no VPN that makes it better, you know, So what about information security? There’s no shortage, certainly in our industry, you know, when you look at and a lot of these things truly are trying to get you, I think at some point to buy stuff like if you look at the remote working security or safety and security firm Kaspersky, the number one locals to get antivirus. Yeah, I wonder why it’s Kaspersky and they uncle Morris. So um but there are lots of different things information, security tips, right? Security tips for working from home WFH. Because we need more acronyms. Malwarebytes has one. Kaspersky has one. ZDNet has one ci dot security has one and all good tips. Right? Uh In general, I wouldn’t say number one for me would be to run. Antivirus would certainly be something I would run. Uh But you know, whatever, there’s all sorts of tips, no shortage of those things that I think makes it’s good to show uh probably makes people confused little bit uh

[00:49:22] Brad Nigh: like it’s it’s almost you already have people that don’t understand and feel intimidated. And now all of a sudden they’re just getting inundated with all these additional things.

[00:49:33] Evan Francen: So no shortage of that. But I think to get at the root of the problem, which is to build better security habits or at least help people want to form better security habits or creatures of habit. So, you know, that’s the approach we took, you know, with S2Me and S2Team and we could um S2Me, so if you want to know what that is, https://s2me.io. We released this in 2019. It was well ahead of Covid and I think the point was and the reason why we created it was to help people build better security habits at home where they’re more motivated to build better security habits. Because at home I have myself to protect, I have my money to protect. I have my privacy to protect. I have my family to protect. So let’s give them, let’s give people a simple it’s not quick. 10 to 15 minutes. A simple information security risk assessment that I can do at home. That will produce a score that I can measure myself and I don’t need to know all the details of what goes into the score. Just know that a low score is a bad thing. My score is a good er thing. So that’s what we built the S2Me for. It’s a personal information security risk assessment. And now it’s built Version one was last year, version two was released last week, Version 2.1 will be coming very soon after that. Every time we have a major release, we like to do limited releases, right? Because there’s a bug fix. Yeah, but that’s what we’re trying to motivate people. Mhm. To work better at home. So if I have a crappy, it was a bad word. I have a crappy culture. So I’m part of that 76%. I’ve already got that culture fixing the culture is going to be difficult. What if I gave them a personal information security risk assessment tool. Not because I want you to protect the company better, but because I want you to protect your family better because I love you protect your family better. Your family is under attack period. It just is that’s the way it works. 
And the more stuff you keep adding at home, the more IoT you keep adding at home, the more cool gadgets, the worse that’s going to get for you. So here take this. S2Me, it’s free. It will always be free. It’s a consumer tool. It’s meant to help you, like I said, assess where you’re at and then what do I do to build good security habits? Now? The way the organization can leverage this to make their security better is through the S2Team tool and what the company sees is I never violate the privacy. I never see Brad’s individual results because Brad’s individual results are for Brad. Yeah.

[00:52:30] Brad Nigh: Yeah. I

[00:52:31] Evan Francen: do see as I see the population’s results so that I can give the population good information, security tips, tricks tools, training so that they can protect their families better. And then I can leverage that to make my company better. Mhm. Right. So that’s why we built the S2Me and the S2Team to get over the hump of all of this remote work stuff. Right?

[00:53:03] Brad Nigh: Yeah. Well, I think what, what I’ve seen and obviously we’re you know, sister company so different is with the team, you get to see where your people like you said, they’re struggling and okay from a security perspective now I know, gosh our people stink at region incident response? They don’t know what to do or they stink at backing up their data. Well if I know that from a security perspective now I know to say, okay, I need to look at our backups, make sure that we’re getting this stuff. Are they saving it where it needs to be saved. So that from a company perspective we’re not losing data because they are saving it locally in their laptop dies or they don’t know how to report an incident or no identify it or they don’t know what to do. You need to focus on that area. So you do get actionable results out of this that you know, our areas, your employees are gonna be like, okay,

[00:54:04] Evan Francen: right. And the difference is this isn’t, this benefits the employee more than it benefits the company.

[00:54:12] Brad Nigh: Yeah,

[00:54:13] Evan Francen: I can’t use this to punish Brad. You know what I mean? Because I don’t see, I don’t see your individual results. Uh Instead I can say, hey, here’s some things that we can do or provide like a password manager for instance. Yeah. Maybe my user population really sucks at password management. Maybe it’s a good idea then for me to buy an enterprise password management tool and deploy it to all my employees and allow them to use it personally or get a separate tool and allow them to have password management at home, whatever it is, there’s so many different things in the S2Me that I think can be really be leveraged by organizations. Two and then just think how much better it is for the culture for me to to me to give you things help you to protect your kids or your family better. And that’s it. No strings, you know?

[00:55:09] Brad Nigh: Yeah. Mhm.

[00:55:11] Evan Francen: So uh you know and I do encourage anybody anytime go out there. Take the S2Me again it’s https://s2me.io, free. Always free if you want. If you want to not give us your registration information, just put dummy data in there. We even give you instructions on how to do that. You know, the point is not to collect your data, not to monetize your data, not to do anything else, not to sell you anything truly. The point is for you to protect yourself at home better and the way I benefit from that one, I sleep better at night knowing that I’m helping people, we’re all connected. You know, there might be 15 hops between my house and yours, but we’re connected somehow. Your crappy security habits do affect me at my house one way or another or they cost me more money in bank fees or whatever else, right? So when you say that we’re all in this together truly we are all in this together, we’re all connected to the same damn internet, yep. When you get ransomed, I pay more for uh pay more for insurance, insurance premiums. Right. I mean, there’s just so many different ways that I pay more because of your bad security habits. If I can help you create better security habits, I sleep better at night knowing that your family is better protected and I benefit from all kinds of different things. Yeah.

[00:56:37] Brad Nigh: Mhm. I agree.

[00:56:38] Evan Francen: Yeah. So we’ve got some other things, you know, still on the show notes. Um maybe we’ll just get to those maybe next week. But real quick, loyal listener. Jason dance. He was one of the people I gave a shout out to last week then uh you know, just I love the stuff he does, you know? So it’s kinda cool watching him and see what he’s doing. But he sent us an article. Um it’s from ConsumerReports.org. And the title of the article is, it’s not just Zoom, Google Meet, Microsoft Teams and Webex have privacy issues too. What? Yeah, Right. That’s what we’ve been saying people.

[00:57:19] Brad Nigh: It’s nice to see that kind of getting put out there in a mainstream kind of publication though.

[00:57:24] Evan Francen: Yes, nana freak. The media. My God, they do not do us any justice at all. So anyway, it’s a good article. Good link there. So, Jason, Thanks for sharing that. Absolutely agree. 100%. It’s no if you’re looking for some ironclad silver bullet kind of web conferencing technology, that’s just never going to have any bugs or privacy issues, not gonna find them. Yeah. Uh and if you want to go with, you know, BlueJeans is one, you know, that’s pretty good. Uh it’s a good product, but so assume the reason why Zoom is getting attacked more than BlueJeans, it’s just like the old Apple Microsoft thing, right? All the, you know, you saw all the attacks and exploits at Microsoft and then Macs started getting really popular. You started seeing a lot of exploits there too. So attackers work off of, you know, um return on investment, right? If there’s a better return on the investment in attacking Zoom, I’m gonna attack Zoom. Mhm. But that doesn’t mean that Zoom’s less secure, it doesn’t mean that Zoom is, you know, a bad product. So there you go. Thank you Jason for sharing that. The link is in evanfrancen.com. If you look at the episode 7 78 show notes, you’ll find the link there. Really good uh read Yeah, on that. Uh I had four news articles to talk about and I think I’ll just mention them. We don’t have to talk about them necessarily. Uh the first is newly discovered Android malware steals banking, passwords and two factor authentication codes that comes from Tripwire. Uh Yeah, Android is more susceptible to malware, I mean that’s just the way it works. So if you’re going to be using Android, just like any technology you’re going to use, learn how to use it, learn how to use it securely. Android is more susceptible to malware because it it has a more open ecosystem for getting malware onto your Android. That doesn’t mean that that’s bad either. It’s just a different architecture that you need to account for. So uh good article there. 
Just be aware of it. If you’re not, you know, most people are probably should be running some kind of anti malware. Antivirus under Android,

[00:59:45] Brad Nigh: please do

[00:59:46] Evan Francen: what

[00:59:47] Brad Nigh: please do.

[00:59:48] Evan Francen: Yeah, please. Uh National Emergency. Next article’s from Infosecurity Magazine. It’s National Emergency as Trump bans foreign power grid kit. So there you go. If it’s made outside of the United States. Uh There are certain risks I guess that are being certainly in today’s political climate. Right? Uh interesting read. I don’t know how much you can really take away for your own benefit there, but uh I just thought it was interesting.

[01:00:20] Brad Nigh: It was yeah,

[01:00:23] Evan Francen: two more fake email campaign demanding ransom in cryptocurrency, surprise, surprise. ehackingnews.com has this article. Uh Yeah, so just because you receive an email that you’re being ransomed or you are ransomed or whatever doesn’t mean you go pay the cryptocurrency, maybe talk to somebody first, you can certainly reach out. Yeah. People have asked them before you just go and rush off to pay something that’s obviously much, much easier for the attacker if all they have to do is send you an email. No kidding. Uh, but that does happen. Be careful. The last one um, which I thought was interesting, I’m sort of, but this one was uh, you know, it’s it’s sort of biased because it is a sponsored study. It’s from helpnetsecurity.com. The title of the article is consumers will opt for competitors after a single ransomware related service disruption. All right, So if you have competitors, it’s probably good to protect yourself from ransomware, um, and you won’t be able to protect yourself 100% from getting infected. Right? But can you get back up and running quick enough to where you don’t have a service disruption that your customers will notice or carry if I’m paying for a service and I can’t get my service? Yeah, I’m probably looking somewhere else, yep. I mean, why am I paying you

[01:01:56] Brad Nigh: exactly?

[01:01:58] Evan Francen: Okay, so, uh that’s it. Okay, so wrap it up lots of things. I really enjoyed the conversation brad. I talked a lot more than because I was trying to kind of keep things moving faster.

[01:02:09] Brad Nigh: No, it’s good.

[01:02:10] Evan Francen: We could have talked for hours on this. I loved it. Um lots of things. Episode 78 is almost in the can Brad. You got any shout outs for anybody

[01:02:19] Brad Nigh: actually, I’m gonna change it up a little bit and give a shout out to my daughters for their hard work with school and helping with Zach and I know it’s been stressful for them and you know, 14 and 12, that’s a it’s a tough time to not be able to see your friends. So they’ve been doing a great job and keeping up. So I’m gonna give them a shout out, but still

[01:02:41] Evan Francen: what you’re doing, that I’m going to give a shout out to my daughter to uh she has really grown up this week, just this week in particular took her out driving yesterday and I’m just proud of her man. She’s she stepped up, she’s working out. She’s yeah, that stuff around the home. I’m like, my God, what happened to my daughter? Yeah. So I get your brother shout outs to our daughters daughters everywhere for crying out loud. Yeah. All right, huge thank you to our listeners. We love your encouragement. Every time we get a message, you know, that just says, hey, I found this thing that was really helpful or whatever. That stuff just encourages us to continue. Everybody needs encouragement. Uh, so we love that. We also love your advice. So, and we don’t take it lightly. Uh all our listeners are great. We appreciate you. Keep the questions and feedback coming, something’s always, if you want you can get us on LinkedIn, you can send us things by email at unsecurity@protonmail.com. Uh if you’re the social type, I’m @EvanFrancen and Brad is @BradNigh on Twitter. Mhm. That’s it. So have yourself a fantastic week.