Unsecurity Podcast

UNSECURITY Episode 27: Ryan Cloutier, InfoSec in K-12, Security News

Episode 27 is packed with meaningful discussion around internet safety for kids and how we can do a better job of teaching our children the importance of information security and internet safety starting at a young age. To do so, Brad and Evan are joined by Ryan Cloutier— a decorated security architect and security education advocate.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Good morning. It’s another monday morning here at the fr secure security studio world headquarters, meaning it’s time for another episode of the insecurity podcast, monday May 13th 2019. And this is episode 27. I’m brad and I’m your host this week. And Evans not physically here today, but he is joining us by phone. Evan. Are you awake this early on the west coast? Yeah, yeah. It sounds like the caffeine is kicked in a little bit for you.

[00:00:49] Evan Francen: 2nd Energy Drink, Man.

[00:00:50] Brad Nigh: Good Lord. It’s like 45 a. m. for um, what time is it there?

[00:00:55] Evan Francen: My one kidney is uh screaming right now.

[00:00:58] Brad Nigh: Okay, so Evan is out in Anaheim to speak at the ice aka C A. C. S conference. And what are you talking about? Uh

[00:01:07] Evan Francen: oh man, seriously? It’s uh, seven o’clock in the morning. Well, that’s when I speak, which is too early to be talking about third party information security risk management.

[00:01:15] Brad Nigh: Hopefully there’s lots of caffeine for those getting audience. I was gonna say. Hopefully there’s lots of caffeine for them.

[00:01:22] Evan Francen: Right? Yeah. And you know, I don’t know if you know this, but it’s a slightly different tribe. Uh, Sacha is uh, you know, the big day in the middle of audit. So there’s a lot of auditors here slightly different tribes than than ours. But it’ll be fun.

[00:01:37] Brad Nigh: That would be, it’s good to get your name out there. I know how much you love getting out and talking in front of people.

[00:01:44] Evan Francen: Yeah man, it’s all about me, you know that.

[00:01:47] Brad Nigh: So because Evans not here today, I am joined in studio by a special guest. Today is Ryan. Oh man, I’m gonna mess it up again. Ryan. Clowe ta here at some point. I’ll get it. Maybe not. Welcome, Ryan,

[00:02:02] Ryan Cloutier: thanks. Glad to be here.

[00:02:05] Evan Francen: The french way. I

[00:02:07] Brad Nigh: know that’s what I kept wanting to do. It is uh,

[00:02:10] Ryan Cloutier: and that’s acceptable as long as you don’t put any Ds in it. I’ve been called cloud Air more than once.

[00:02:17] Brad Nigh: I could see that. So how are you doing today? Right. Oh, would you say Evan

[00:02:23] Evan Francen: did somebody call you Clotaire?

[00:02:25] Ryan Cloutier: Yeah, I actually had a couple of grade school teachers that would call me cloud air when I asked if they were qualified to educate me because clearly they couldn’t read. I might have spent some time in the principal’s office.

[00:02:35] Brad Nigh: That’s funny. It doesn’t typically go over well to, to speak back to the teachers right or

[00:02:40] Ryan Cloutier: wrong fitting for today’s topic. Yeah.

[00:02:44] Brad Nigh: So we are excited to have Ryan joined us today. Very passionate about training and teaching Children around information security. Uh, we met last week and it’s really hit it off in terms of, you know what your passions are kind of, some of the things that and that I work on but let’s get started with what got you into information security.

[00:03:02] Ryan Cloutier: Yeah you know my my journey uh and as I talk about information security always talked about it as a journey. My journey began many too many years ago um obviously it’s podcast can’t see the gray hair but I started out you know building systems building boxes as a kid and you know infrastructure kind of segued into software development you know started coding scripting um you know spend some time doing data systems, spent some time working in business intelligence security was always kind of the common thread that stitch that all together. Um And so I just kind of naturally migrated towards it. It’s also probably the hardest thing in I. T. That you can do because of the most challenges and puzzles and so really it captivated me and had a lot of trajectory of growth for me to work in and there was always a new problem to solve. Um and then you know I discovered the people side of the equation and really that’s where my passion you know today lies is in you know understanding that this is a human based issue more than it’s an I. T. Based issue and you know um for as much as I want to be able to get the blue hairs to change their ways a lot of times older we get the more stuck in our ways we get. And so really I try to focus on the kids because I think that’s where we can make the greatest impact to really change behavior.

[00:04:19] Brad Nigh: I agree. I think you know Evan has a great way of putting it avenue. I thought you know risk decisions and and uh uh that your whole analogy around that,

[00:04:30] Evan Francen: can I say something?

[00:04:32] Brad Nigh: We’ll just, we’re talking about like you know getting kids to change the way of thinking and their risk decisions and you know like driving in the car, I didn’t know if you wanted to tell your story. I thought that was

[00:04:43] Evan Francen: oh yeah yeah yeah get him, get him young.

[00:04:49] Brad Nigh: So I think it was sort of

[00:04:53] Evan Francen: so you call me, I had to move because some ladies out here cleaning out.

[00:04:59] Brad Nigh: Uh

[00:05:01] Ryan Cloutier: she’s

[00:05:03] Evan Francen: clean. Did you hear the door like start to open this big mechanical door?

[00:05:06] Brad Nigh: No, you know this is what makes it exciting.

[00:05:11] Evan Francen: Oh yeah that’s how we do things but

[00:05:13] Brad Nigh: live.

[00:05:15] Evan Francen: I hit the new button as fast as I could because I don’t know you would think would be so hard to find a place that’s quiet at five a.m. In California but it is so I missed probably half of what you just said but it was probably really good and you

[00:05:31] Brad Nigh: know people are happy to hear it so well so where I was going with that I’ll tell it is, you know we talk about with kids. I was going to give you an opportunity.

[00:05:40] Evan Francen: Uh,

[00:05:43] Brad Nigh: so, but with risk decisions, you get in the car right, you put your car your seatbelt on. Why? Because you see your parents doing it right or you’re coming up to the red light or a yellow light, you make those decisions immediately. It’s just something you’ve always done. Information security is not something that people have done. And so they’re not comfortable or not familiar with making those decisions from a young age.

[00:06:05] Ryan Cloutier: Yeah, absolutely. And we see that every day, you know, we, I work with the kids and the parents and the various districts and public sector entities and common thread is a race to adopt the technology, but not really a full understanding of the impact of the technology, right? So to your point about risk based decision making, you know, one of the challenges that that we see daily is in even painting the picture that there is such a risk. One of the analogies I use with people is, you know, if the internet was a real place, you’d never go there, it would be the darkest, seediest alley way in the world and you just, you would never set foot yet. You invite it directly into your living room into the palm of your hand. And I think, you know, it’s, it’s absolutely um, an area where we have to focus is for all the empowerment and awesomeness that technology has given us there really is a pretty vast gap between how we use it versus how we should be using it. Another thing is like if we drove our cars the way we surf the internet, everybody would have a car sticking out of the front of their house, in their living room.

[00:07:15] Brad Nigh: Yeah, that would, yeah, It’s a good way to put look at it, I think. Thank you. Right. You see that I’ve got this device, I’ve got access to everything and don’t think twice about what that actually means.

[00:07:27] Ryan Cloutier: Absolutely. And especially, you know, with the youth, um, it’s getting a little bit better with the over sharing. But you know, I’ve heard horror stories of just even, you know, the previous generation from from the current, you know, one that over sharing is still impacting them in their careers. You know, they’ve they’ve had their identities stolen and they don’t find out until they go to apply for that first car loan, that first apartment and then they find out they own five foreclosed homes in florida.

[00:07:58] Brad Nigh: Right. Right. Well, and you know, I think we’ll we’ll talk about it a little bit later. But one of the things in, in one of the parents story, our parents training sessions, I did was one of the moms said that her daughter was 13 or 14 at the time a couple years ago and was recorded singing along to some rap song that had, you know, inappropriate language and one of her friends who recorded it isolated the N. Word and just distributed out of context. Yeah. And and it was like there was a huge issue around,

[00:08:35] Ryan Cloutier: oh absolutely. And I think with the rise of Deepfakes that’s even becoming more prevalent and relevant. You know, I don’t know if you guys have been kind of keeping up with that technology, but you know, they’re able now to fairly accurately reproduce video with any audio behind it up to. And including full mimic re of the individuals, you know, expressions, emotions. And it’s interesting times.

[00:09:02] Brad Nigh: Yes. Um, so you kind of touched on it. You know, I think the part of information security gets you excited to the people. It’s the kids and the protecting and teaching. It sounds like is that

[00:09:14] Ryan Cloutier: Yeah. You know, it’s it’s it’s the greatest puzzle in the world is how do you convince somebody to do something different? And so for me that is is truly exciting. Um technology has fundamentally changed our lives. And in every other aspect we have a slower pace in which we train our Children in which we we expect them to get good at things right? We wait till they’re 18 to call them an adult. And that has a lot to do with giving them that runway two to make sound decisions before we give them power. And you know, we kind of circumvented that when we gave them an iphone or you know a smartphone, I don’t wanna just pick on apple, but you know we give them a smartphone and we say okay here you go. Well mom and dad don’t know how to use the phone. Yeah the kid does in their running circles and one of the things that that’s starting to cause is a, is a communication barrier between the youth and the adults and that gap is only increasing, you know with each new technological revolution, you know new new smartwatches and what have you now. The kids are talking to their

[00:10:24] Brad Nigh: wrist. It’s uh so my you know having can talk about it, I think your kids are around the same or a little bit older. I think my eldest is 13 Evans youngest is 14 Evan is that correct?

[00:10:40] Evan Francen: Yeah my daughter sports and the youngest.

[00:10:42] Brad Nigh: So my phone um she’s my oldest has a phone now and she got instagram on her 13th birthday, she wouldn’t do it, but her friends have had it for years and it blows my mind. You know what, there’s not even thinking about,

[00:11:00] Ryan Cloutier: Oh you know that’s absolutely true. My my son is a little bit older, he’s 20 just a little bit, but you know what was interesting is is in our household, we came up through this revolution. So what you guys are fighting now was bleeding edge when my son was, was your kids his age and he wanted to be a youtube star and he wanted my dad, can I have a webcam in my bedroom and I’m like, absolutely right. Well, if I was to go in a time machine, I might make a different decision because back then, you know, being on Youtube wasn’t a income street people were making millions of dollars at that time. Right? And when he wanted to, well dad, I want to play video games while I have this webcam on me. Well, the security privacy guy and he’s going nuts, I’m going, no way, no. How does my minor child have an unattended webcam in his bedroom is going to happen? But you know, we we see the longer term impact and how that’s actually created an entirely new economy. And so as parents, I think it’s important, we it’s a delicate balance and that’s why I focus so much on common sense skills, basic life safety skills that they already understand in the physical realm. And I try to map that to the digital realm because that seems to be very relatable and easier to understand. Um but you know, I think as a society until we collectively agree that this technology can also be dangerous today, we don’t think of it that way. We only think of it as helpful. We don’t think of it as harmful. Um and I think that’s that’s a barrier right now to us truly using and leveraging it in safe, safe and sane ways.

[00:12:44] Brad Nigh: Yeah, I agree. It’s uh, with like it’s just coming up into that. It’s, it’s a little scary,

[00:12:54] Ryan Cloutier: Well, you know, in their societal side side of the conversation, right? Um, one of the conversations we had in my house was, hey dad, everybody has it. Do you not want me to participate in my peer group?

[00:13:06] Brad Nigh: That was a big,

[00:13:08] Ryan Cloutier: and that was ultimately what tipped the scale towards getting him a smartphone? Was that I did start to see a little bit of a lag behind in the social structure of his peers and I didn’t, you know, none of us want to see our kid have any less chance of success in this world. And so that was really difficult. So we put a lot of parental controls in place, some physical parental controls, not just relying on the software, you know, it’s time for dinner. Hand the phone over.

[00:13:38] Brad Nigh: Yeah. My daughter doesn’t, her phone doesn’t go up to her room, right. It

[00:13:42] Evan Francen: is a good point. You’re fighting, you know, sort of a tidal wave of influences, you know, outside of the house where everybody else is doing it. And then your child almost becomes have an outcast, you know, in their own little tribes because they can’t participate like everybody else. So it’s, it’s hard, it also seems like technology just continues to move so much faster than then we have the ability to absorb it and secure it. You know, you mentioned kids know more about, you know, the phone than their parents, you know, that’s, and the phone is dangerous. It’s like, yeah, yeah, at some point you’re gonna have to slow down and just going to take it in right.

[00:14:32] Ryan Cloutier: Yeah, absolutely. And you know the big barrier there that, that run into almost constantly is the administration that we asked to really to raise our kids. I mean let’s think of what a school is today and what we really asking these, these folks to do for us and it’s take a leading role in the development of our child. We have not given them the funding, the training, the equipment, the knowledge or even relatable points to the previous point I had made earlier about the conversation barrier that’s starting to form between the youth and the adults. Um, you know, I see kids now that communicated an emoji language and you know, I kind of giggle to myself, I said, well the Egyptians did that, you know, many, many years ago, it’s cyclical and it is and it’s making a resurgence. Well, you know, a lot of us are as good at reading emoji language as we are reading hieroglyphics and there is no Rosetta Stone for that today. You know, there’s no real resource today for a parent to go get that up to the date information on, you know, what is that? What is the trend? What is the app we see, you know, it was all about Snapchat and now we see tick tock and to tax starting to become the front runner if you will um Being being that it’s run by the chinese government. Uh It is actually pretty good at limiting and controlling speech in content but it’s still there and you know there’s a lot of background information. That’s that’s one that I usually get a ha from the audience on when I’m giving talks is if you ever thought about how much data’s behind you in that photo that you just took that selfie you just took in the bathroom, did you know that your name address are on that prescription bottle that can really be red.

[00:16:22] Brad Nigh: It’s funny to hear like any time I see those pictures of people that’s the first thing I look for is alright. What did they give away? It’s kind of you know it changes how we think about things but

[00:16:36] Ryan Cloutier: you know it does and and the you know one of the things I’ll teach folks uh and this is you know across all industries but especially prevalent in education because in education teachers really are local celebrities and they want to share and you know folks want to be excited about sharing. Well they’ll get a new job and the first thing they do is take a picture of their photo ID and their keys. Well okay we know there’s kiosks at them all that we can take a photo of a key, reverse the image for both sides, sent it to the kiosk and print out a physical key and you know scraping a photo I. D. And then Photoshop and a fresh copy is you know pretty simple these days.

[00:17:19] Brad Nigh: Yeah it does pull in my mind I think you know kind of going back to, you know with kids and changing that. One of the things with my daughter is is I do the iC squared safe and secure online and so a fort. Well fortunately for me, unfortunately for them any time there’s a new version, they get to sit through the practice session. So they think they do pretty well. They had a good example. The other last year I guess my oldest was hey they wrote that the user names and passwords for everybody on the on the board for whatever school app or whatever. Like can you change it? No what? Well yeah but she she caught hey this is a, this doesn’t seem right

[00:18:11] Ryan Cloutier: and that’s awesome because you know uh that’s the kind of change we need to get, we need to get them to, you know have that awareness. And a lot of times in a school setting. Child’s digital identity is treated as a matter of convenience without long term thought to the consequence of that identity without realizing that that google account Ultimately follows that child, you know, they go some of the higher ed institutions will accept AK12, you know, you can do a transfer of that account. Um and so long behold everybody has that information and and the kids don’t know it. So it’s it’s great to hear that, you know, your kids are waking up to some of that

[00:18:53] Brad Nigh: stuff, fingers crossed. Yeah, we talk, you know, so we work with a lot of different schools and you know, I was talking to some students and they were all, we’re talking about passwords and how to make strong passwords and using phrases and just trying to get that across to them. And they’re like, yeah, it’s it’s pretty bad to schools. We all know everybody’s password because it’s and they knew exactly what what the convention was, you know, and can you change it, nope.

[00:19:23] Ryan Cloutier: Yeah. You know. Well, and what’s sad is that’s also true for the staff. You know, my son came home one day and he goes, dad I know the staff wifi password and I said, oh I said, so do I. He says, how do you know, is it because you work with the schools? I said no, it’s the buildings address. It’s also the same as the alarm code for the building. And and that’s the reality? And and that has been true uh for multiple years, even after it was brought to the administration’s attention and that the answer given as to why change couldn’t happen was that it would be inconvenient because again, they don’t as a whole that industry struggles to understand the physical impact of the digital decision.

[00:20:12] Brad Nigh: Yeah, we we had talked with somebody and they were talking about uh trying to get multi factor

[00:20:20] Ryan Cloutier: at that school. Yeah, infamous uphill climb

[00:20:24] Brad Nigh: and and yeah, his comment was have people that don’t have a phone or device that could use it

[00:20:32] Ryan Cloutier: well and you have to be careful because believe it or not, that starts to become an equity conversation very quickly. And you know, when we talk about equity and diversity and inclusion, you know, technology still today can be a barrier and a lot of districts and even, you know, public entity cities, counties, you know, small local government, um, hyper sensitive to that. And so any technological solution that’s required without the funding to make sure that everybody has equal access uh, you know, a lot of times be a non start.

[00:21:10] Brad Nigh: Yeah, that was and that was kind of the thing is either we have to make it available and at large cost and give everyone a device or a key or whatever. We can’t do it.

[00:21:23] Ryan Cloutier: Yeah. And you know, we as security practitioners need to and Evans doing great work trying to fix the broken industry, right? We need to start to help secure funding, we need to start working with the lobbyists or become lobbyists ourselves or something to help sway so that getting a key fob isn’t the end of the world right? That it’s like, well we bought him the laptop, right? You know we’re spending untold volumes of money on these chromebooks and you know mac books and I mean I’ve been in schools that have you know state of the art, three D. Printing labs, they’ve got smart lightbulbs, they’ve all this tack but yet getting a simple dollar $52 you know U. S. B. Uh second factor installed. No forget

[00:22:16] Brad Nigh: it can’t do it. Yeah

[00:22:18] Ryan Cloutier: but they’ll build a new football stadium, you know what I mean? So it’s

[00:22:23] Brad Nigh: I think it’s that it’s that common issue we run into right at security or idea. It’s a cost center. That’s that’s how they still very

[00:22:32] Ryan Cloutier: absolutely. You know one of the one of the things that I’ll say um if I’m finding a district is uh resistant to the idea that security matters, I’ll simply ask them how the building is controlled and 90% of the facilities ideal with have some type of electronic door control. So they’re using some type of H. I. D. Proxy card type of system keypad entry, something like that. And then when I asked them where the command and control computers located, the answer is almost always next to the boiler in the maintenance room and I said well desire to take care of that machine will no facilities. It’s facility. Exactly and and there’s a a difficulty at times and separating that in understanding that that computer is responsible for physically securing. And once that ah ha happens I tend to find those districts become front runners for spreading the message and sharing the message and trying to go to their board and tax base and get some kind of funding.

[00:23:40] Brad Nigh: Yeah. All right. So we’ve kind of gone into a lot of the open discussion, but before we go too much further, I do want to talk, we went back in episode 20. So seven weeks ago, um, we talked, talked about, well, we Evan and someone else because I was on vacation, uh, staying healthy and information security. So we’ve talked a lot about, it sounds like you’re doing a lot of volunteering, a lot of speaking, but how do you keep a good balance for personal and work?

[00:24:06] Ryan Cloutier: Well, I, I don’t separate the two. So, uh,

[00:24:11] Brad Nigh: my Evan just perked

[00:24:13] Ryan Cloutier: up. Yeah. So I don’t, I don’t separate life and work. Um, I take my moments when I need them. And I would say, you know, there’s, there’s three types of security. Um, there is compliance based risks base and sleep based and I strive for, for sleep based, right? So it’s, it’s about, you know, just finding that balance. I try to get some exercising in a little bit of yoga. Um, you know, when I’m on the road and, and Evan can relate to this, you know, as a road warrior. Your diet isn’t always the best, Your sleep isn’t always the best. Um, and so you gotta take those moments where you get them? And I think that, you know, for me, it’s just, it’s knowing my limits, Knowing when I’m starting to run myself a little thin or I need to step away for a minute and take a breath and then just doing that and not being shy about if I need a day, I take a day.

[00:25:07] Brad Nigh: That’s good. Yeah, I think, you know, it’s, I think it’s something we all struggle with. You know, when it was an episode Like 15 within our wives are on exercise. Yeah, we’re

[00:25:21] Evan Francen: on the same page. Place and exercise like, no, not this guy.

[00:25:24] Ryan Cloutier: Yeah, exercise is definitely, uh, it’s a key part, Right? It can rejuvenate you, it can, you know, and sometimes it’s the best way to get the stress out because let’s be honest, if you work in information security, you’re gonna, you’re gonna have some stress in your life.

[00:25:41] Evan Francen: And there was one thing to, you know, Ryan, you know, since you, since we were, you guys were sort of talking about it. You mentioned, um, I’m backtracking a little bit here. But uh, what I think you mentioned was There’s no problem getting funding for, you know, this bat and everything else in, in, you know, and keep you 12. But uh, you know, you mentioned security and you know, you can’t get a couple of bucks for, uh, you know, you be okay or something. The, how do you, how do we change that? Is it changeable? I mean the people who make the decisions to do those funds. Is it possible to build security things into the grants? What do you think on that?

[00:26:23] Ryan Cloutier: Yeah, absolutely. And you know, so for example, here in Minnesota, we have the safe school levy. Uh, last year I gave testimony to the Senate in an attempt to expand the definition of that legislation to include cybersecurity controls. We weren’t successful in getting that change implemented. Um, a big part was that the cybersecurity legislation they were looking to pass was so laborious and rigorous that it, it created kind of a non starter. And so I think the way we change that is first, let’s do something. Let’s, let’s if, where we have to start is just getting those door computers secured and that’s how we get that funding door open. That’s how we get those conversations going and support from the community. I think it’s great and we, we go after it. The short answer is, is every taxpaying constituents has to start speaking up that this is a problem and that we need to solve it. And so the more we do things like have a podcast like this and we spread these messages and do the talks that we go out and do, um, we got to get mom and dad and the kids right? I think it’s going to take some time. A big part of why we focus on the kids. is that I don’t have to convince my son this is important. He now gets that he’s not quite yet to an age where he can have the degree of influence needed to get our legislator to open up money, but there is not a lack of awareness on his behalf. If I even go 12 generations up from him, um, what’s the big deal? Right. And it’s no problem. We’ve been posting our lunches to instagram since it was invented. We don’t understand, you know, the issue. So I think I think change is twofold. It’s it’s time that we have to kind of be a little patient, which is hard for us I. T. Guys and implicit guys sometimes. But the second piece is is we have to make this a community issue and really raise that community voice because that’s really the only way we’re going to, we’re going to get the administration to you know, do what we need to have done. It’s similar to the arguments we’ve had to make around active shooting and how have we gotten funding released for that? Um, it took some unfortunate tragedies to get people to wake up, but now that they’re awake, you know, and I hate to say capitalize on it, but I think it is relevant to at least relate to it because I can foresee a day where, you know, a student who is going to commit an act of shooting crime, also uses technology to create disruption to unlock or lock the doors or set off the smoke, I’m sorry, set off the fire alarms and you know, cause chaos, chaos, chaos, exactly. You know, false false alerts. One of the ones that we’ve heard about is, uh, and they’re just doing it for fun right now. But it’s terrifying. Uh, some of the kids are hacking the P. A. Systems and they’re doing it to, to play a song. It’s, it’s all over Tiktok. It’s, it’s a viral thing they’re doing right now and they basically hijack it and play the owl song. Well, the fact they can hijack the P. A. System from their phone because somebody plugged a bluetooth adapter into the P. A. System so they could play Spotify over the school radio is the same tech those kids can exploit to that, you know, cause trouble.

[00:29:46] Brad Nigh: Yeah. Yeah. It’s scary. And I think one of the things that has surprised me the most is, is maybe the reluctance of some of the school systems. So I do that the safe and secure online. It’s a free program. There’s zero cost to the school to come in and speak to the students about security and it’s almost impossible. I found to get in. We’ll know we have a good program. We have somebody who’s in charge of that.

[00:30:14] Ryan Cloutier: Well, so yeah, and that’s the fear piece. Right? So I would say a lot of the districts I interact with and just school in general, they want to control public perception. They want to not show their their warts if you will. Right? Well, there are no different than any other industry. Right? We all any industry, any any human right has some things that are great about them and some things that are not so great about them. But when we get into the school world, they want to control that perception so tightly that they do foolish things like turn down that free training that’s going to actually make the world better.

[00:30:52] Brad Nigh: Yeah, it’s plausible parent, the teacher, I’ll come into P. T. O. To do the teachers on as part of their, you know, they have to do continuing education and training. We come in and talk to them and talk to the kids. No, we’re good. We got it covered

[00:31:08] Ryan Cloutier: well. And you know, and I identified that that issue early on into my, you know, segue into the K 12 vertical. So what uh, I’ve personally done to try to change that is with the organization and with today we’ve actually developed a series called cyber safe schools for educators and it is a uh, see pe backed um security awareness training specifically for teachers specifically in the classroom. And we had to take that approach in order to get adoption. One of the things is a very siloed industry. So what the administration does nose and really is passionate about doesn’t always match what that classroom teachers experiences or that buildings and grounds guy. That facility service guy, right? And so we’ve had pretty good success with breaking the message apart and making it very relevant to the individual. Um, and and also to we’ve been swaying, you know, the school board association, we’ve been working with some of the other professional development org’s to help push down the importance of it to that classroom level so that we’re not dealing necessarily with that local administrator who maybe wants to protect a viewpoint or position or perception, but but really trying to change the tone at the higher level and that speaks to what everyone was asking about earlier. How do we get funding? How do we bring about this change? And it really is that working with some of those higher level national organizations to set a new precedent and then working with the local organizations to to bring that precedent to bear. And and you know, that’s uh I see squares great organization. Um it’s hard for tribe. It is a tribe. It is absolutely a tribe. And the challenge that we have is understanding there. Mhm.

[00:33:07] Evan Francen: All of those things that I’d be really interested in working. You know, I think closer with you Ryan and and I’m sure uh I’m sorry speaking for brad too. But I know where brad’s heart is on a lot of these things because he does that say, you know, they’re safe and squared because you know, I mean, we give a crap, right? We care about people, we care about Children. Uh, security is not about information or security, it’s about people and it’s sort of heartbreaking to know. I think it seems it feels like we’re losing this battle and I know be patient. But um while technology continues to get further and further sort of away from us, we’re making progress, but not keeping up. It feels like the gap is getting longer and so, you know, I don’t know how to really crap the message, you know yet, but I know that if we more people will get working together, maybe we get better. We can craft a message that will resonate because we have to get these kids young too. I mean like super young because now people are giving, I see kids walking around, you know, 7, 8 years old, even younger than a phone in their hand. Yeah. So yeah, anyway, we can get back to the health thing, but I would like to figure out a way well, we can collaborate more on this because we shouldn’t take our eye off this ball.

[00:34:30] Ryan Cloutier: Absolutely. And you know, one area that I’m getting ready to target that I think would be great to partner with you guys on is, you know, coding in kindergarten. Well, that’s cool. I’m all for it. Can we do secure coding in kindergarten? Please don’t make new bug makers.

[00:34:45] Brad Nigh: Let’s teach some fundamentals first before we go to that, wow, that’s crazy. Um So

[00:34:56] Evan Francen: guys, I gotta, I gotta run over here. Uh but you got to take the rest of the show because I got to get ready for this talk thing. Good,

[00:35:02] Brad Nigh: good luck. Break a leg. Right. You know what they say now now. Alright. See

[00:35:08] Ryan Cloutier: Evan. Thanks seven.

[00:35:11] Brad Nigh: Um so have you done anything, have you seen that? K 12 cybersecurity com? Did you, have you seen that link before?

[00:35:18] Ryan Cloutier: Yeah, I’ve definitely check that out and you know, great uh informational resource, the challenge that we face and part of why things like that don’t get as a higher rate of adoption. Um is that it’s still very technology focused and what we find is a lot of the educators working in technology or with technology in the schools didn’t necessarily start out in technology or even have a deep technical background. Lot of times they’re a media fair specialist who kind of upgraded job positions or was asked to help out early in the days of tech in his tech grew in the adoption grew so did their job responsibilities. One of my favorite folks I ever met um was a tech director was getting ready to retire a couple of years ago and you know, and he looked at me and he says, I’m you know, I’m glad to be done. And I said, well why? He says it’s it’s moving too fast, you know, to a point I made earlier. He says, you know, the stuff is changing so quickly and I was a little taken aback by that statement because as a technologist, that’s what we’re wanting, that’s what we’re looking for. So is it purely from a technological viewpoint, the faster it changes, the more awesome the toys get right? And I said, Well, how did you get into technology? And he said, well back in 1980, I think two or something like that, uh, they bought a bunch of apple to ease Right? I was the only one that could figure out how to wire him up. Yeah. I became the Director of technology and I said, oh, did you go to school past that? No, everything was learned on the job in the context of supporting district technology, which left a vast amount of information unlearned. Right? Um, and so in this individual was, you know, the person in charge of making those security and risk decisions for the order, but without any foundational structure behind them to make that decision soundly, wow.

[00:37:27] Brad Nigh: Yeah, it’s a tough position to be in? And and it goes back to the funding, right? You know, was even even if he had wanted the opportunity to do it, would it, would it have been improved? Would he have been able to do,

[00:37:40] Ryan Cloutier: you know, and what’s interesting about that? I sit on a variety of national consortiums committees as part of the volunteer work I do. And I was having a call last week with one of the committees I sit on and we’re talking to the district technologists and we talked about the talent gap and the talent shortage. And that directly relates to funding funding for continuing ed funding for, you know, top tier talent. Uh, you know, our security guys aren’t exactly cheap. So 11 of the solutions that they’re looking to do to get creative and this is very exciting news for us in the K 12 space. Uh, they’re going to their HR department and saying, look, how about, we know we can’t pay for the school, but what if we allowed them one work day a week or three hours a day on payroll to study and to to take their course work um, because they need that talent, they need that knowledge. They can’t afford to be without the human all day. Um, and a lot of cases, you know, tech teams in most districts are one lean. Yeah. You know, it’s very lean, you know, one for sure. One and the biggest teams I’ve seen, I think we’re eight, that’s in one of the largest districts here in town. Um, And so they really can’t afford to be without their people. So they’re in this catch 22 of not enough hours in the day and not enough dollars in the wallet and how do we deal with it. And so so to see them take those creative approaches to say we’ll sacrifice some some hours today or something like that is I think it’s where we have to start until we can really push this through. Um Have you ever heard of the gen cyber program? You’re familiar with the gen cyber? So what that is is a joint collaborative between the National Security Agency and the National Science Foundation and they provide grant money to uh institutions to run a cyber security bootcamp for like it’s a week long camp. Um I’ll be uh honored and humbled to be able to kick off this year’s jen cyber camp that we’re doing in Minnesota in alexandria technical colleges hosting it. And so they applied for and got the grant which allowed them then to put this camp on and for a week the kids are going to come stay there you know they got their sleeping bags and stuff and they’re gonna learn um all about cybersecurity and and they teach it in a in a really powerful way. Obviously the N. S. A. Needs some some new workers themselves but the kids get to learn how to think like an adversary how to evaluate risk, how to how to actually do some ethical hacking. There’s some lab work, there’s you know it’s really an immersive experience and it’s you know spend spend a week in the life of an I. T. Security guy.

[00:40:37] Brad Nigh: Yeah I was I was talking to one of the schools in the metro area and they were saying that that their students were going to be able to participate with something with I thought it was D. O. D. And then Virginia tech. So it sounded very similar where they hack and the same program. Okay okay program you’ll see. I didn’t know it I just didn’t know the name.

[00:40:56] Ryan Cloutier: Yeah and it’s and you know that’s you know to to some points that ever made earlier. You know I think that’s a great place to collaborate as well getting involved and and inserting ourselves as the local you know businesses as the local you know parents I. T. Security parents. I mean we’re probably the biggest thorn to any district technologist is a parent that works in I. T. And having questions that are not properly answered. You know so so the more we can work with the vendors and the parents and everyone to kind of create that common language. I really feel like that’s that’s the place and and so these kids go to this camp they get excited. They come home they start talking to mom and dad about this cyber stuff about the security stuff a lot of times that’s the first mom and dad’s ever going to hear about it.

[00:41:47] Brad Nigh: Yeah I would agree I think you know from doing the parent you know talks there’s that’s supposed to be like a 45 to maybe 60 minute presentation. I haven’t had one that’s been less than 90 minutes from

[00:42:01] Ryan Cloutier: the, from

[00:42:01] Brad Nigh: the, yeah, it’s not like at the end, it’s every slide is like just they want to learn it, they’re seeing their kids doing it, but there’s not those resources out there, you know, to, to teach them. So getting the kids involved in it, having them talk to their parents, having us make things available. You know, there’s a huge, the whole,

[00:42:26] Ryan Cloutier: there is, and, and you know, um, the more we can do to, to fill that void and, and frankly, you know, mom and dad need to work in this industry to, you know, that’s a, that’s a big piece where if I do, so sometimes I’ll do career fairs at the middle schools and high schools and when I go in to do a career fair, I have a little print out that I bring with me and on the front half of the print out, it’s got some, some stuff for the kids and depending on where they are age wise, the younger they are, the more I tell them we’re superheroes, right, right. And the older they are, the more I tell them, we all have nice cars. So, um, but on the back side of the page, I have a salary sheet because there’s so many parents that, that, you know, and you know, this, you don’t have to be a technologist to work in this industry, especially now with the industry exploding in growth and there’s, there’s marketing jobs and sales jobs and um you know, uh even in the technical jobs, some of them are becoming fairly easy to do through the use of tools

[00:43:35] Brad Nigh: well and even looking at governance policy, technical writing, just, you don’t have to to be an expert on it. You just need to be good at one of these supporting skills and

[00:43:49] Ryan Cloutier: jobs are there? Exactly. And so on that back side with that salary sheet is a few job titles and what they make and when I give it to the kids, I say take this home and give it to mom and dad because there’s there’s such an ah ha moment when they, when they turn it over and they go wait. So if I was just had a security plus certification, relatively fairly easy cert to get um I could increase my take home by that much of a margin, wow, maybe I do want to be in a different industry or for example I have some friends of mine who are in industries that are, you know at risk right now of automation elimination And so they’re calling me up seeing the curve come and saying, well I still plan to work for 20 more years, what should I be doing? Where? Yeah, where should I focus? So I think the more we can have that conversation with our community, our friends, our family, you know, I think that’s what we have to do to really get the change to happen.

[00:44:49] Brad Nigh: Yeah and again we’ve we’ve talked about that with with the huge shortfall. You know how do we get more people in? Well my women and minorities are underrepresented. How do we get more in career change or you know the youth.

[00:45:04] Ryan Cloutier: Yeah. And it’s raising awareness to a lot of folks when they find out you know what I do for a job they’re like oh wow, like that’s hard or or you must, how long have you gone to school for? Right. And it isn’t until I break it down to them in non tech terms that they go well that sounds like something I could do and then it’s like that aha moment where it’s like yeah you too can be an I. T. Superhero right?

[00:45:33] Brad Nigh: Yeah. I think that’s the one thing that people don’t get it so they don’t understand it. So there’s this huge mystique around all these things and it’s like this is no just change your thinking just a little bit. It’s really it’s common sense a lot of times it

[00:45:48] Ryan Cloutier: is and I think you know with with uh the work Evans done to try to fix the broken security industry right? And some of the things he makes reference to in his book. Um I think that the challenge that we face there is some of that Mystique is is that tribalism that some in the I. T. World in the in the I. T. Specifically info sec um it’s almost like a better than you. They want to keep it. Do agree. And I think that that’s detrimental to us as a society.

[00:46:21] Brad Nigh: Yeah exactly. I think yeah that’s super hero mentality that you know I’m going to come in and save the day and then fly out and nobody understands exactly what I did. Yeah. Don’t we don’t want that bad and it’s frustrating to work with. Two.

[00:46:38] Ryan Cloutier: Oh it is it is. I mean I think we all have the story of working with that one. You know human who they knew what I knew a novell guy back in the day and he knew novell in and out and up and down and all around thought active Directory was the worst thing in the world. Didn’t want to learn anything about it, didn’t hated it. And but he was so smart with that novell and then the day that the leadership decided the licensing was too high, he was sucking buttermilk, he didn’t know what to do. He had to bring in all these contractors And once they implemented the new system this this hard work he was doing this this difficult job that no one else could do all of a sudden everybody went what have you been doing for the last 10 years? So I think there’s some of that as

[00:47:25] Brad Nigh: well. Yeah you see that a lot wow. All right so we’re running out of time. So let’s talk about the news really quick. I picked a couple of stories here that I thought um well the first one definitely is relevant. Uh Scott county schools out of Kentucky Scammed for $3.7 million. So that was an interesting one where they got in um uh an email from a vendor turned out to be fraudulent saying no we never got paid key please pay us and had the bank info and they just paid it without validating anything. Um luckily on this one. Uh they they did have insurance around it but they ended up not needing it. The bank was able to recover the entire amount against the scammers were in the U. S. So that was a huge saving grace. But as underfunded as some of these school districts are, I can’t even imagine what would have happened if

[00:48:26] Ryan Cloutier: that’s great that, you know, they had insurance. Um I’d be very curious to see if that insurance would have actually paid out or covered uh something I run into all the day every day. All the time with school districts is, well, we’ve got cyber insurance, Ryan and what I’ve come to find out when we look at it is they have a property casualty policy with a writer with a writer and that that rider covers the replacement of the physical technology, but it does not cover the intangible asset of data and there’s very few cyber insurance providers out there that actually pay for the true costs that you’re going to incur and, and the, and the loss of that intangible asset.

[00:49:09] Brad Nigh: Yeah, that’s, we see that a lot too with our incident responses were like, yeah, we’ve got it were covered and then they’re not. Yeah. Or, or the insurance comes in and says, well, we’ll do the investigation if you will get paid out. And of course, what are they looking for? Any reason to not? Yeah. You messed

[00:49:28] Ryan Cloutier: up. You know, that’s, that’s another thing that we’re seeing as a trend in the insurance industry right now. I work very closely with a couple of different insurance providers to create common sense insurance that works in the cyberspace. Uh, but one of the trends we’re starting to see now is insurance companies calling cyberattacks terrorism so that they can refer to the terrorism exclusion clause and not

[00:49:53] Brad Nigh: whether it’s that big one with, uh, was it the parent is a Cadbury or it’s one of the big candy, uh, parent companies and they have the insurance said, nope, it’s an act of war. We’re not paying.

[00:50:05] Ryan Cloutier: Yeah. And we’ve seen that with banks even, I mean, it’s it and that, that is an undefined area yet. So there will be court cases that we’re waiting to see the president gets set on. But it is. And so, you know, anybody listening that has, you don’t think you have insurance, you should probably check what’s actually in the policy,

[00:50:23] Brad Nigh: verify it and yeah read the policy. Don’t go. Yeah, we’re covered. Yeah. Yeah, we’re seeing, you know what we are seeing a couple now that are actually taking the fight to score further underwriting. Oh nice. So you’ve got like no international Lloyd’s of London brokers that are doing it and some others. But yeah, they were like we wouldn’t ensure a building without doing a walkthrough, but we’re issuing tens of millions of dollars on, You know, two or 3 page questionnaire that nobody really understands

[00:50:55] Ryan Cloutier: well. And I found a lot in districts where if even if they have answered the questions a lot of times they unknowingly or unfortunately some cases knowingly falsely misrepresenting the back. Maybe

[00:51:09] Brad Nigh: not stretching the truth just a bit, just a bit. Uh the next story was about a hackable biometric USB. Uh So this USB device uh the I disk which was using an iris scan to unlock. Apparently it’s pretty good from actually developed reading the irish. He couldn’t they couldn’t hack it with someone else’s with his kids i with a picture until he actually put wire shark on and then it was dumping the password in plain text. So it was the software itself I think. And to me the bigger reason around this is this is why I don’t like biometrics authentication, identification. Sure. But authentication and you can’t change it and be it’s the implementation that scares me.

[00:51:57] Ryan Cloutier: Well there’s there’s you know there’s that and I wholeheartedly agree. You also have the legal ramifications. You know it wasn’t until just recently that we finally had a court ruling that says that bio identity can be protected depends on the circumstance passwords are protected by the 4th and 5th amendment. Your fingerprints in your face and your retina, they are not. You put them on public display every time you leave your house. So I think for me there’s also the where did those lines lie And with the redefinition of the internet and it’s now non telecommunications status. It’s now a consumer service. A lot of the protections went away with that. And so you know what happens when your fingerprint or your iris traverse is even if they aren’t dumping clear text password, what happens when it’s intercepted during traversal is that you know how is that treated? We know you can’t tap a phone but now can you tap the internet connection.

[00:52:56] Brad Nigh: Yeah. Yeah it’s uh it’s there’s gonna again going back to technology is so far ahead of in this case the laws just it’s going to be years of trying to get this. But yeah that’s a that’s a mess that’s on threat post. Uh the first one I should have mentioned. Um you know it’s out of Kentucky dot com has the update that they got their money back last one for today is off of information security magazine and it was americans are overconfident in cyber hygiene. So uh I think They’ve published cyber Hygiene Risk Index published that 88% of consumers expressed confidence in their own cyber hygiene. Oh, that’s the, that’s that website. I’m going to close that, wow, that was annoying. Auto play ads. That’s gonna not happen again Anyway. Um, yeah, of of Americans are confident in in their hygiene, which I would guarantee you is not accurate.

[00:54:10] Ryan Cloutier: Well, you know, I think, I think they are confident in their hygiene. I don’t think they’re hygiene is very good. Uh you know, if we think about a similar statistic about, I just heard the other day that I was a little shocked by 4% of Americans change their bed sheets less than four times a year. Let that sit on your per second. That same four don’t wash their hands or we’re guessing right. But um and, and so, but if you were to ask that person if they’re clean, they would tell you they’re clean, right? And so I think we, we have a similar situation where, you know, everybody thinks they’ve got a great password but they don’t realize is I can go to their facebook, anyone can and let’s see, well 88 pictures of Snow Bell the cat in the last 15 minutes, how much you wanna bet your password is. Snow Bell and you know, whatever year you created it implemented by one at whatever the password reset schedule was. You know so I see that kind of stuff a lot. Um I also see um you know they think it’s good because it’s meta complexity requirement. We we failed everybody when we gave them those complexity requirements. And so yeah it’s got a pound sign in a in a one. So therefore it’s a great password. Well if it’s password pound sign one it’s really not that great of a password.

[00:55:36] Brad Nigh: Yeah. Yeah that that’s a that’s that compliant for secure mentality. Yes it’s compliant with the policy the policy it’s not a secure one. Yeah I think you know when we whenever we see these things you’ve got to take it with a grain of salt. Um You know I think they’re saying 5% share the following best practices so they’re backing up data using online and offline systems. Great. That’s actually really good. Um I’m gonna skip the middle one because I don’t agree with it. But the last the third one they use a VPN I. D. Protection or secure password management services. So password managers. Fantastic. Those are great.

[00:56:13] Ryan Cloutier: I highly recommend them

[00:56:15] Brad Nigh: but then they pay for their anti virus software not relying on free options and they keep it up to date. Okay keep it up to date. Yes but paying for the anti virus that doesn’t necessarily mean anything.

[00:56:29] Ryan Cloutier: Well and as we keep the virus is only as good as yesterday.

[00:56:32] Brad Nigh: Yeah. Well did you see the story I just saw it this weekend. I didn’t have a chance to put it in on uh their major antivirus providers in the US that have had their source code hacked.

[00:56:42] Ryan Cloutier: Yes I am.

[00:56:43] Brad Nigh: So that’s that will be in next week. For sure. We’ll talk about that more I’m sure. But you can’t rely on on that.

[00:56:50] Ryan Cloutier: No and actually I um I just purchased a product over the weekend and I’ll let you know when I get done evaluating it what I really think of it. But they’ve made this little tiny I. P. S. I. D. S firewall so called firewall up and it’s made for the home consumer to be able to plug into their router and add sophisticated traffic patterning I. P. S. I. D. S capabilities. It’s got a mobile app with the phone. Um because I haven’t even unboxed it yet but you know if that does prove to be a more effective technology I think it’s it’s going to be through things like that that we can kind of up the game if you will. And then just we we got to retrain the focus on what is a decent password.

[00:57:34] Brad Nigh: Yeah. Yeah that’s a big part of it, tie it all back to beginning, goes back to education at the end of the day. It’s just just educating so well that’s all the time. We have that we could absolutely go longer if we had time but people probably don’t want to listen to us for another hour. So special, thank you Ryan for joining us today. Um, don’t forget you can follow Evan or myself on twitter Evans @EvanFrancen or Brad @BradNigh, and you can email the show at unsecurity@protonmail.com. Ryan. How do you want people to get a hold of you?

[00:58:08] Ryan Cloutier: Uh, easiest way to get a hold of me is through gmail and you can get me @cloutiersec, I’m sorry linkedin is actually the best way to get a hold of me about to give my email and security guy. Oops. Um, it’s too early in the morning.

[00:58:21] Brad Nigh: So, ah, Ryan’s linkedin is in the show notes. So we’ve got the length for that. So you don’t have to trying to remember his email or his email now. You got me doing it. See, All right, well, awesome. Thank you very much. This is that is it for episode 27. Everyone have a great week.