ISC2 – Information Systems Security Certification Consortium

Unsecurity Podcast

There’s a lot of money changing hands in the information security world. Unfortunately, a lot of what’s being sold is just blinky lights that don’t actually make anyone’s security better. Organizations look for quick fixes and easy buttons out of fear of a breach, despite the fact that it takes legitimate, consistent work and buy-in to make their security better. ISC2 can help with this. Evan and Brad break down the money grab.


Podcast Transcription:

[00:00:22] Brad Nigh: All right, good morning everyone. This is Brad and I’m your host for episode 36 of the Unsecurity Podcast. Today is Monday, July 15th, and joining me as always is Evan Francen.

[00:00:32] Evan Francen: This is where I say ebony things.

[00:00:35] Brad Nigh: There are many things I just said it. All right, good. So we were just talking about this before and it says it in the notes. Uh I was trying to write this episode all weekend and I was just struggling and you know, I know what we wanted to talk about. We talk about it all the time, but actually getting it written down. Um yeah, it was it was a struggle. I was just like putting it off because yeah, the show notes that the research and I was like, I don’t know where to start, you know, so that’s where you can some can console for the writer’s block please.

[00:01:11] Evan Francen: Uh No, I had some that today even I sat and looked at my crazy

[00:01:18] Brad Nigh: 15 minutes, like I knew exactly what I wanted to say. It was in my head. Like if we had been talking would have been fine. I could not get figure out what where to start.

[00:01:27] Evan Francen: Yeah, well, and so the topic for today’s podcast is the money grab. Uh and if anybody is a writer and you’re and I you and I are gonna you do, right? But we’re gonna be doing a lot more writing here, hopefully soon. Um You know what writer’s block is? I mean, you just sit there. I looked I stared at the letter Y. Not really. Just the letter Y for like 15 minutes this morning.

[00:01:56] Brad Nigh: Yeah. You just, yeah, I don’t know how to explain it. If you haven’t gone through it, it’s tough to explain. You just sit there. You know what you want to say that nothing happens. So finally, yesterday, I’ll be honest, I told my wife to take the kids and they wouldn’t go went and saw Toy Story four is like, I’ve got to get

[00:02:14] Evan Francen: I can’t four of them

[00:02:15] Brad Nigh: now. Uh

[00:02:16] Evan Francen: Oh my God, I watched the first one like 1000 times with my

[00:02:19] Brad Nigh: kids. It was pretty good apparently. But I thought I was like, you gotta go, I’ve got to I’ve got to get this done. It’s now 3:00 on Sunday and I haven’t I’ve been putting it off. So I’m sitting there just staring and like what am I gonna write about? And then I just had my the moment of, oh wait a minute, Evan’s already done this. There is a total chapter in his book, what am I doing? So I’ve seriously pulled out the book and reread chapter nine and went, okay, here we go and just nailed it out because you just need that like a little crack in the dam and once it happens and you kind of get past that initial it it just really flew. So uh thank you.

[00:03:01] Evan Francen: Absolutely, man. I mean that’s, and that’s what writer’s block is. You just, it’s like breaking a dam. You just got to fight through it.

[00:03:07] Brad Nigh: Yeah, it was just said that initial How do I mean it sounds better moved over a little. Hello? Uh yeah, just getting started it, once you get to get it going it flew. So we’re gonna talk about the money grab as you put last week, the money we steal from each other or spend uh, for more politically correct. So in the book there’s three problems you’ve identified: plenty of snake oil for sale, fear and sex sells a lot of stuff, and money spent poorly is bad money. And then You know, I think good timing. ISC2 just released a study on the, I think it was a 12 um, small businesses need new security solutions but aren’t always sure which ones. So I don’t know if you had a chance to read that because I did send it over pretty late, but it was really interesting that that they say yes, we absolutely need to do something. Um, but you know, if they were asked if there were security tools and solutions they want, but don’t have budget for, 72% said yes. Oh yeah, that’s the biggest problem is A, they don’t have budget, even if they knew what to get, and B, if they have budget they don’t know where to start, what is their biggest risk. Right? So they’re getting constantly bombarded with you know hey this is the easy button this fixes everything uh you know small businesses have a limited budget. Where is the right place to spend their money? So yeah I think we talked about that and then again in the show notes I went and found some information around global security cybersecurity spending. Uh One place is saying $1 trillion between 2017 and 2021. Gartner’s saying over 124 billion in 2019. Um There’s a couple of little graphs in there. State of IT, for, Spiceworks did a survey and you know why are the what are the leading factors uh for um spending? And I think it was interesting. I think number uh just messed up my uh computer. All right, there we go. Uh Number three was 56% said top factor for uh IT budget was increased security concerns. And another 11% said recent security incident. So those two together 67% said that’s the reason that would be the number one ah factor for increased budgets and other ones you know needing to upgrade outdated IT uh infrastructure. Well that kind of goes along with security as well but you know there’s definitely a lot of money being out spread around out there and it seems like it’s pretty universal that they don’t people don’t know where to spend it. They’re just you know, here’s the easy button from whoever the vendor is.

[00:06:01] Evan Francen: Yeah. Well I mean the thing is people don’t like I don’t know, there’s so many things that ticked me off about. Mhm. About this. Uh you have the crooks who who you know, are the obvious bad guys that you know steal money from you. We talked about that last week and then you have these I mean they’re almost crooks too, right? Crooks who sell you stuff and don’t really care if it’s a good spend of your money. Um We know that people don’t like to work. We know that people like sexy stuff, we know that people just like to uh you know, hope that their problems go away. But a lot of things that you need to do in information security can’t be automated. They don’t require you to buy a tool, they require you to understand how security works, they require you to do basic fundamental things and that’s where the cracks in the dam are for most people and you know in their security programs,

[00:07:01] Brad Nigh: right? Yeah. Uh some solution is not the be-all and end-all cure-all, right? You still have to configure, you still have to monitor it, you still have to continuously tune it

[00:07:12] Evan Francen: well and one of the things I mean, I’m working with a large, large company right now and they have they have a global they have a nice expensive SIEM solution. But if you understand the basics of how SIEM works, garbage in, garbage out, if you’ve got crappy configurations in your servers and your applications and you’re not sending good log data, then who cares about your SIEM solution?

[00:07:37] Brad Nigh: But we’ve got one, you know, the box.

[00:07:40] Evan Francen: Right. And so people, I think just uh you know, especially SMBs and companies that that don’t understand the fundamentals um yeah, I wrote a bunch of things last week, you know, and these 100 truth about security and one of them last week was lazy security people suck. Yeah. You know, because it’s it’s true, some of the stuff just takes work. You know, some of these things you might not have a tool for, you might have to break out an Excel spreadsheet and you know, do some work. I mean, that’s just how it is.

[00:08:14] Brad Nigh: I agree. You know, it is, it’s crazy like I know we’ve had kind of along the same lines right, that we’ve had, we’ve gone up against other large, nationally known, well recognized companies for a risk assessment and you know, when we were talking to the company, they’re like, well this other place was three times what you are going to charge. And they said that, you know, for travel, they have to be because of the distance. It was going to have to be first class tickets for their uh analysts and all this other stuff and require you, you know, why are you so much less? Yeah. Well hey, it’s not a money grab for us. Right? If we if you spend, you know, let’s just make round numbers just to make it easy. Right? If you spend $40,000 on an assessment versus you know what, 10,000 or 15,000, well where are you going to do to fix it? You spend your entire budget on finding the problems And I have no idea or no money left to actually do anything. We’d rather do the right thing. Could we probably charge more. Yeah, but that’s not the point.

[00:09:27] Evan Francen: Well nowadays anybody with anybody with a laptop and a website can be an information security expert. Right? And nobody would know the difference. And so I could give you all sorts of advice on all you need to do this. You need to buy that tool, buy this tool. And you know it it’s not those aren’t the things that you need, what you need are the fundamentals still. Uh you know, even reading this, you know, so that you you mentioned a bunch of things, you know, kind of at the top on, you know, some studies those are all posted on on the blog on evanfrancen.com for the show notes. And when you click that link and you look at the ISC2 blog, here’s a right in the middle of that article they have here is a partial list of technologies they could use meaning they small to medium sized businesses and here is the list: third party firewall data encryption. Most SMBs don’t even know what the hell you’re saying, right? What the hell is third party firewall data encryption, more advanced malware detection and anti phishing tools, artificial intelligence machine learning. Every time I see that every time I see that I throw up in my mouth pete. Oh my God I get asked all the time. Hey tell me about you know AI. I’m like well okay let’s talk about AI and let’s talk about so AI requires data, requires lots and lots of data. Where are you getting? We’re data, we’re data poor in this industry. I mean the only data good data we have is maybe network analysis and network traffic and things like that. But in terms of loss data there is none. Whitelisting. I

[00:11:12] Brad Nigh: Mean that one. That’s a good one.

[00:11:14] Evan Francen: Right? But however SMBs struggled with blacklisting.

[00:11:17] Brad Nigh: Yeah. Well I would say I can think of everybody I’ve worked with here from a customer standpoint. I can count on one hand the number of people that have done whitelisting to any extent.

[00:11:30] Evan Francen: Okay. Well yeah because I mean how

[00:11:32] Brad Nigh: it is hard to

[00:11:33] Evan Francen: do. Excuse

[00:11:35] Brad Nigh: me. Usually

[00:11:36] Evan Francen: I’m the one coughing. So uh yeah I mean take whitelisting. Whitelisting requires me to have a very good application and asset inventory because I need to know what I have before I am going to know who it should be communicating to and how it should be communicating. Right? So you have to have a really intimate understanding of your environment unless you’re just going to whitelist onesie-twosie type things but then you have such a backdoor and such a gap on everything else. I mean if you’re going to whitelist, whitelist

[00:12:06] Brad Nigh: right? And it’s again it’s not something you can just be like we’re going to turn on whitelisting this weekend. Right. I mean I guess you could

[00:12:13] Evan Francen: sure

[00:12:15] Brad Nigh: my guess is it’s gonna be uncomfortable come you know the next couple of weeks as you right fix things

[00:12:21] Evan Francen: and then you’ve got round the clock monitoring. So these are the partial list of technologies they could use and it’s funny when you look at these just follow my thinking here third party firewall data encryption, more advanced malware detection and anti phishing tools, artificial intelligence machine learning whitelisting and round the clock monitoring those all played really really well for an MSSP. Yeah I mean you just you

[00:12:45] Brad Nigh: just you know I think you know it says in there right that that they are uncertain and self aware about where they’re at and where are they going to get their information from? Their MSSP. Right. Right. So I think it makes sense.

[00:13:03] Evan Francen: But how many MSSPs today are there that just have a website and a.

[00:13:07] Brad Nigh: Oh right, right, there’s

[00:13:10] Evan Francen: plenty and we’ll sell you all these services for gobs and gobs of money and it’s nice for them because it’s monthly recurring revenue which is like the Nirvana, right? So they get a bunch of MRR and where in here is the basics, you have no asset inventory

[00:13:28] Brad Nigh: and I kind of teased it in the in a reply to ISC2, you know, you’ve talked about it and with what’s coming with FISASCORE and how that’s intended to be, you know, pretty much that’s pretty game changing and disruptive. So you know it and being vendor agnostic is huge for us and I really like that, we do that

[00:13:53] Evan Francen: because as long as I’m here we’ll always be product agnostic.

[00:13:56] Brad Nigh: I’m with you, it adds so much, it adds value and its truth, right? Hey, here’s your order. That’s my nickname dude, I don’t know why I said

[00:14:07] Evan Francen: it, you know it’s

[00:14:09] Brad Nigh: not but you know, at the end of the day they need to know what their biggest risks are. If you don’t have asset management, it doesn’t matter what firewall encryption you have around the clock monitoring because you’re not monitoring the right things. Right, dad?

[00:14:29] Evan Francen: No, no it’s too and that’s one of the reasons why we’ll always be product agnostic is because our, our motives need to be clear. When we give recommendations to somebody, there’s no ulterior motive. When I tell you your firewall sucks. It’s gotten, it’s because I’m not, I mean it’s not because I’m trying to sell you a firewall. Your firewall really sucks. And it’s probably not your firewall that sucks. It’s how you manage your firewall that probably sucks. Or

[00:14:53] Brad Nigh: Your firewall’s like 12 years old and not supported, right?

[00:14:57] Evan Francen: Yeah. So, you know, it’s, it’s those things, uh, you know, everybody wants easy buttons, you know what I mean? There they sell. So that’s what it’s all about. It’s all about revenue.

[00:15:09] Brad Nigh: I mean, you’ve talked about, uh, the log monitoring solution where they bought it and it sat on the shelf because they checked the compliance box. And then he said, yeah, we’ve got one for a couple of years for a couple of years. Right? I’ve seen the same thing. You get these things put in place to check a box, but then nothing is ever actually done with them. Yeah, we have DLP in place. Do you look at it? Do you tune it? Do you make sure that it’s working? Do you check, you know, you have to actually monitor them things. You can’t just, boom, here’s a software solution. We’re all set.

[00:15:48] Evan Francen: Right? Yeah. They have to be tuned. They have to be configured correctly

[00:15:51] Brad Nigh: and it takes, that’s hard work too, very time consuming. I know

[00:15:56] Evan Francen: I remember back in the day, I mean I’m old enough and you probably are too when it took it would take 6 to 8 months for an IDS, oh yeah, device to actually give me good data and there’s so much too much

[00:16:09] Brad Nigh: faster now. But it’s still you can’t just plug and play

[00:16:12] Evan Francen: right? You had to be really careful when you tune something out because you weren’t going to get an alert on it again. Had to really track this communication flow and make sure that it was truly legit.

[00:16:24] Brad Nigh: So you know, DLP right a previous life, put it in place, we put it in monitor mode, you know the business said no we don’t want to do that yet. It’s not we don’t want to turn it on. It’s too much, you know, negative impact for the business if it catches false positives. Alright, compromise, we’re going to put it into just simply into alert mode. It’s not going to block anything, it’s just gonna log the traffic. Reviewed it. One Friday I look in it and there’s like 1500 hits from one computer going to a USB drive for PHI sensitive information. You know, that’s that feeling when your stomach just drops so go and tell the CIO. We go to the head of that department were like, hey here’s what’s going on, turns out it was turned it was completely innocent. Uh The lady had retired and was copying her My Documents. So she would have all her pictures and stuff. Well, she also stored all the uh the employee uh hire data, right? So she had social security numbers. She had a bunch of patient information in there just because that’s where it’s saved by default. So they called her, she came right back in with it. It was, it turned out to be a non issue. Right? That Monday they said turn it on because but I mean we had it in place for six or eight weeks monitoring it, logging it, tuning it on the back end. And then we got had that happen. I mean, imagine if you hadn’t done

[00:18:03] Evan Francen: it well and even, you know, on the surface that may seem like a non issue, but it’s a compliance issue. I

[00:18:10] Brad Nigh: mean, that might be a report. It could have been, it could have been much much worse. Yeah. But you would have never known if you weren’t actually tracking it. Right?

[00:18:23] Evan Francen: So yeah, fear and sex. We’ve oversold fear.

[00:18:27] Brad Nigh: Oh, I hate that the flood

[00:18:29] Evan Francen: Well, and we’ve oversold it. So now it’s no, it’s no, it’s no surprise that when I use logic with somebody about information security that they ignore it because they’ve heard it enough. I mean every time you mentioned statistics to somebody like you mentioned a bunch of statistics, I know my own self. I have trouble not tuning out because we’ve over statistic the crap out of ourselves. You know what I mean? And we’ve oversold fear because most of these statistics and studies anyway, you have to consider the source of these statistics and studies. If I’m right, if I’m commissioning a study, I’m probably commissioning a study for a purpose and it’s probably to sell something to you.

[00:19:15] Brad Nigh: Well and was, you know, you can make the numbers say anything you want

[00:19:19] Evan Francen: depending on who

[00:19:20] Brad Nigh: you’re right. Yeah. What you’re looking at and how you ask the questions, things like that.

[00:19:25] Evan Francen: So now when I, when you legitimately tell somebody something that should invoke some fear based on logic, not just based solely on emotion, like here’s something logical that you should be concerned about. Now. Often times it will fall on deaf ears because we’ve oversold fear as an industry. Yeah, yeah, it happens to me all the time. You know, not all the time. But you know, I’ll talk to somebody and tell them, look not having an incident response plan. Let’s just talk through the logic of not having an incident response plan and how important that is

[00:19:59] Brad Nigh: to you.

[00:20:01] Evan Francen: Let’s just play it out. So there’s a breach. You know that no matter what, no matter what you do, no matter how much money you spend, no matter how blinky your lights are, you’re going to have a breach

[00:20:11] Brad Nigh: because venture what matter when

[00:20:14] Evan Francen: Yeah. And so then what happens, play it out. Just play out the scenario. So and as you do that, you start to realize, yeah crap, I should have an incident response plan. Well then let’s get one, let’s do it,

[00:20:27] Brad Nigh: right? Well, you know, we had uh an IR a couple months ago and we got in there and they didn’t want to pay, we’re pretty sure they had a uh an active breach, they didn’t want to pay for the 24/7, let’s get going, you know, just just during the day, so we started it and their office was closed on Friday because of a remodel or something happened, they’re actively breached and we couldn’t

[00:20:55] Evan Francen: get attacker in your

[00:20:56] Brad Nigh: system in your system. Well, we’ll get back to you on Monday. Monday comes around, we finally get a call set up for Tuesday, that’s what they would move. Get in, yep, you’ve got active hits, like basically 2/3 of your machines have different uh you know, you name it type of situation. Get through the first, you know, block of 20 hours, we’re like, we’re still, you’re still seeing active hits on the threat hunting tool, still here, still here. Well, I got to try and get see if insurance will pay for it or if not if it’s worth it and we decided not to continue.

[00:21:40] Evan Francen: Yeah, well, see, what you’re doing is you’re making a case for where you absolutely should spend money. I mean that should be a no brainer,

[00:21:46] Brad Nigh: but it wasn’t, I don’t see the value of it. And I think part of that is people become so numb to this stuff happening. So they’re actively breached, the tool that we were using to contain it, that trial license expired. It’s not gonna stop anything anymore.

[00:22:09] Evan Francen: Yeah. So we’ve absolutely oversold fear in our industry. I don’t think there’s any way really back from that. But that’s, you know, it does drive. It makes our job more. It makes our job more difficult because we have, but it’s also in a good way. We we have to educate more. We have to spend more time. We have to explain ourselves more ah because people are tired of being sold crap. I mean, people are starting to wake up like, yeah, but

[00:22:34] Brad Nigh: they keep buying crap because they don’t know any better. Right? It’s not. I don’t think the majority of people are buying it just to buy it at this point. I think a lot of them are buying because they think it’s the right thing to do where they’re trying to do the right thing. They just need education on what is what that is.

[00:22:55] Evan Francen: And so I’ll tell you what, what that is, spend your money on your most significant unacceptable risk,

[00:23:03] Brad Nigh: right? And if you don’t know what that is. Yeah, figure it out. Right?

[00:23:08] Evan Francen: Don’t Yes, but risk assessments. They’re not sexy. No,

[00:23:12] Brad Nigh: I mean there are

[00:23:13] Evan Francen: no right. No, they’re not. Well and especially when you’ve done risk assessments before and you’ve done the sort of risk assessment where you do it and then it takes you to the, what we’ve been told is takes you to the edge of the cliff and the cliff and then leaves you hanging. There’s no next steps. So you did your risk assessment, you check the box on the compliance form and then it sat up on your shelf, right. You didn’t use it for the next step, which would, which would be make some decisions on what you’re going to do with the risk roadmap. Um, but you know, that’s one of the big reasons why, you know, so when we talk about sex sells, that’s, that’s one of my peeves about the words cyber security.

[00:23:55] Brad Nigh: Oh,

[00:23:56] Evan Francen: it’s so much sexier than information security but it’s not the same thing.

[00:24:02] Brad Nigh: correct. Right. And I think that there is a right place and usage for for right. Like our incident response is cyber incident response. It is a technical focused incident response program. It’s not, hey you had a chemical spill and we’re going to help with the incident response. No. Right. It’s cyber focused. So it’s used correctly. But most people don’t do that.

[00:24:28] Evan Francen: So one that one of the citations or one of the supporting things for um, this podcast was you cited from Cybersecurity Ventures: global cybersecurity spending predicted to exceed $1 trillion dollars from 2017 to 2021, which is only like a year and a half away now. So I wonder if being that they called it global cybersecurity spending, that must not include anything about information security, training and awareness. It must not include anything about policies, procedures. Risk assessments must not include anything about physical security because all those things are not cybersecurity,

[00:25:05] Brad Nigh: correct? And

[00:25:07] Evan Francen: but it’s that’s not what they’re referring to.

[00:25:09] Brad Nigh: No, I don’t think so. And the Gartner one, I grabbed a their chart. It’s all there, there is nothing about around governance, there’s nothing around, you know, training and awareness. Any of the, well that name maybe security services, but that’s not how I read that.

[00:25:27] Evan Francen: Yeah, look at how big that number is 64. Is that billion dollars million? No, 60

[00:25:32] Brad Nigh: billion billion,

[00:25:34] Evan Francen: wow. Damn. What kind of services are those? That’s where your MSSPs are. Probably probably people like us too

[00:25:41] Brad Nigh: there were in there. Uh, it’s a, you know, the big ones, uh, that’s probably your incident response. So that that’s probably blown up with, you know, the big IR providers.

[00:25:56] Evan Francen: So for listeners who can’t see what it is that we’re looking at, we’re looking at the blog on that. Um, you provided a table there uh, in our, so in our show notes, if you wanted to see what we’re talking about, we’re talking about the um, Gartner provided a study that the spending is going to exceed 124 billion dollars in 2019 and you know the good thing, kudos to Gartner because I point out bad things but I should point out a good thing: global information security spending. So they used the word information security as opposed to cybersecurity. It’s expected to exceed $124 billion. Which I don’t think most of us can mentally

[00:26:43] Brad Nigh: get our head. I mean trouble getting

[00:26:45] Evan Francen: ahead around what that number is if

[00:26:48] Brad Nigh: You look so half of that is security services like half of every year. So I have 2017, ’18 and ’19. 2017 the total spend was 101.5 billion and 52 billion was security services. And they went to 114 billion in 2018 and 58, almost 59 billion, now 124. But in three years it’s saying it went from 101 to $124 billion dollars spent. And you know we just keep hearing it. And people I think you’re right. People throw are just throwing money at the problem not knowing is it the right thing to do.

[00:27:30] Evan Francen: Right? Yeah that’s one of my peeves too is when you see like I was I was talking to I was in Los Angeles and I was talking with a a company that was trying to hire a CISO, so they wanted some of my advice on you know hiring a CISO, so I asked him to tell me a little bit about your information security program. I mean kind of where are you at? You know? And so they started right off with, well last year alone we spent over $10 million dollars on information security. I’m like okay. So on what? So I mean I don’t know what that means, right? On what? Yeah, exactly. What did you spend it on? But it was an education process, not only in helping them find a CISO but also in helping them understand that it’s not a function of how much money you spent. It’s where you spent it. That really matters. You know, governments will talk about that too. Right. Even our own state of Minnesota, we’re gonna spend x number of millions of dollars on information security next year. Great. It’s still a mess. You’re not spending it well.

[00:28:33] Brad Nigh: Yeah. In the Gartner, I was just reading it. They do define services which is subscription and managed. So 50 security software. Uh you’re looking at hybrid deployment. So um deploying specific security technologies such as SIEM in a hybrid deployment model. So in on prem and in the cloud uh and managed services represented about 24% of deployment. So it’s a huge amount of money out there. It is it the right thing or, you know, are you are you spending money on a good here, Right? You can spend money thinking you’re doing the right thing, but it’s a really bad company. That doesn’t what they’re doing. We see so many of those,

[00:29:21] Evan Francen: right? I wouldn’t, I wouldn’t spend, my advice is I wouldn’t spend a dollar unless I knew with some level of certainty that it was a well spent dollar. Right? I mean it’s going to reduce my most significant risk or is it going to at least reduce risk by some function, you know, more than the dollars I’m spending. Yeah. And that requires analysis that requires, you know,

[00:29:47] Brad Nigh: knowing your systems, knowing you’re no one goes back to knowing your risk posture. Where are

[00:29:52] Evan Francen: you at? It really does. That’s, that’s where it’s got to start. Uh, and, and the place not to go, honestly the place not to go for this type of information is a vendor. I mean, unless potentially it’s a product agnostic vendor. But you don’t call up Symantec and ask them, hey, what, what solutions should I consider my environment? They’ll be like, oh, do this. And be careful even asking peers, right. If you ask a peer, hey, you know, what are you doing for this or that? What kinds of solutions? Because they’re going to recommend more often than not the solutions that they’ve purchased because it justifies their purchase. Does that make sense? Yeah. So if I bought Symantec and I’m like, I don’t know if I should have bought Symantec and I can get you to buy Symantec, that’ll make me feel better for buying Symantec and I’m not picking on Symantec. I’m just

[00:30:46] Brad Nigh: saying whoever, right? Yeah. No, I’m with you. I and, and you definitely fall into that. And I think I’ve, you know, people have asked us, what do we use or what have we used in the past. What do we see? And you know, I’ll tell them right. With my last job, I used so focused their total endpoint. Overall, it worked really well. It wasn’t without pain points and it’s not gonna be the right fit for everyone. But it’s rare to hear that that honesty from people because exactly that they want to justify it. I’m like, well, yeah, you know, it added some overhead. It had some problems. So yeah. So it’s funny here, we’re doing our podcast and today’s are all quarter hands. A bunch of people. Everybody’s national, Yeah. Everybody’s not walking in, luckily had my back

[00:31:38] Evan Francen: to them whenever somebody, whenever somebody asks me, hey, Evan, what product are you using? I’m like, dude, I’m a security guy. I’m not telling you a product I use. Yeah,

[00:31:49] Brad Nigh: well, I’m not saying

[00:31:50] Evan Francen: now, I’m not telling you ever for me, I’ll tell you because I trust you,

[00:31:55] Brad Nigh: but I don’t mind because that’s what people want to hear our experience, right? And I’ll like you said, well, tell the truth, Hey, I thought it worked overall worked pretty well. That was, that’s not to say it was perfect by any means. Symantec, I’ve used McAfee, I have used

[00:32:12] Evan Francen: to drive a Ford tracking until you Ford trucks with the best. Okay, Are you a Chevy guy?

[00:32:17] Brad Nigh: Whatever had a Chevy, I’ve had Chevys, I’ve been having affords a Dodge and Chrysler

[00:32:24] Evan Francen: back in the day. So anyway, um, sorry? Yeah, exactly.

[00:32:28] Brad Nigh: For dating ourselves. Um,

[00:32:30] Evan Francen: so plenty of snake oil, what, what, what, what would snake oil be

[00:32:34] Brad Nigh: that’s the, the easy button, right? Hey, put this in place and your security goes, your problems go away, right? You know, I think you see it and we see it even with really good tools that they, they almost over sell the simplicity of it. Right? And I’m not, I don’t know. I think a lot endpoint protection is the biggest area we see that, you know, advanced AI, you know, whatever buzzwords they put in place regardless of if the tool is, you know, it might be a good tool, but there, it feels like they’re, they’re not being, you know, the marketing and buzzing and wording it

[00:33:19] Evan Francen: up. And so to me, a snake oil is something that doesn’t work well, it doesn’t work. Yeah. I mean it’s something that promises to do something that it doesn’t do.

[00:33:28] Brad Nigh: I think. Yeah, I guess so. I’m thinking right there going, oh, just by putting in place and you have to worry and that’s not the case. You still have to write if you just buy a product and throw it in, it’s never going to work, you have to spend the time on it. And I think to me that’s where I’m coming from is them going, yeah, hey, put it in place and all your problems are solved to me that snake oil now put in place and monitor it and tune it and you know, spend some time with it and it’s going to reduce your risk. Okay. That’s not, not snake oil now.

[00:34:04] Evan Francen: Yeah, I agree with that completely. And I think the second on the second point, you know, fear and sex sells a lot of stuff, the importance there is don’t use as much as you can, emotion always plays a role in any purchasing decision. I get that you can’t eliminate emotion, but make logic as much as you can trump emotion in every purchasing decision you make and if you can’t understand or if you don’t understand how the technology works, don’t buy it, learn how the technology works first and then buy it right. So you might have to put off a purchase for six months where you get a little bit of training on how this new thing works, do it, it’s money well spent because I’ve seen so many times to where people bought a product and it’s a great product, but you’re not using it, you’re not doing it right. You know, they in the event and the event and the vendor probably doesn’t give a rat, they made the sale right? And they’re getting the support contract. So you know that’s you know when I say fear and sex sells a lot try as much as you can to use logic to make all of your purchasing decisions and then the money spent poorly is bad money. I don’t know about you Brad. But I have a limited budget. It doesn’t matter how much it doesn’t matter how much money I make. I still have a limited budget. And so in information security we’ve been fighting for dollars ever since I started in this industry trying to get a sufficient budget but every not everybody many many people suck at budgeting for security.

[00:35:42] Brad Nigh: Oh yeah yeah I asked what what the right budget is and it’s got all over the place right percentage of the total I. T. Spend. Well how do you justify that? Right. There’s no yeah

[00:35:56] Evan Francen: so every dollar that you get for information security you better spend it wisely. You better get the most bang for your buck on those dollars. And I I’m one of those guys and I think you are too where I take it even more personal. Um I’ll give you an example. I worked at a company, it was a big pharmaceutical company. I was their CISO, uh, prior to starting FRSecure and we made oncology drugs right which is you know cancer uh to fight cancer and stuff. And so I bought um I I knew I needed some kind of a network access control was a big thing, right? So you know, I went out to market looking for a network access control solution, found one that I just really liked spent like $2 $300,000 on this thing and realized that, oh crap. I just pissed away because I don’t have time to manage it and I have I don’t have time to tune it. And I took that really personally because at the end of the day, I mean if you want to use logic here, That’s $2 $300,000 that I just took from money we could have spent to make our drugs better money that we could have spent to reach more people to make their lives improved

[00:37:18] Brad Nigh: or on on a product that actually did what you needed, right?

[00:37:23] Evan Francen: So, you know every dollar that you spend as well on information security is a dollar you take away from

[00:37:29] Brad Nigh: something else in the business, whatever, whatever that may be.

[00:37:32] Evan Francen: Right? And so that if I can use my dollars and information security to reduce risk and further the organization’s mission. Those are no brainer dollars. Yeah. I mean spend those all day long. Yeah. So it does take work. It does take analysis. It does take education. It does take experience. You just have to go through

[00:37:55] Brad Nigh: this. And then I think part of the issue is as well, we keep seeing the shortage of qualified security talent. So you’re you’ve got people making decisions. We already know that there’s not enough good qualified security people out there. You know it just compounds does yeah. All right. Yeah there you go. So yeah the last one I threw in there. I don’t if you saw it. So they’re in the blog post you know it’s the Cybersecurity Ventures, Gartner one, Spiceworks the State of IT. You know I just thought that was interesting from a spend perspective that yeah we know we need to do this this is where we’re getting money but I think it still goes back to the not knowing and then I kind of threw the last one in there. Um IT security salesman told me the software doesn’t work. So this is on ZDNet.com. Uh You know reading through it it was I don’t know about you if you read as you read through it if you’re just like shaking your head going yeah no no ask Sherlock. Right? Um So basically the the author was playing golf and um just happen to meet up with a guy and you know how often they played blah blah blah talking okay you know there’s he’s in sales and he does IT security sales which is a huge thing. Um And he’s like yeah he worked for a you know a well known company and unprompted goes you know our product doesn’t work right? And it’s like what what do you mean? Um You know like I said quite well known in the field and what he said is almost the hackers are always one step ahead. It doesn’t matter what the security software is. They’ll find a way around it. Yeah. No kidding. We’ve we’ve been saying that for years, what’s the lag time on antivirus signatures catching

[00:39:59] Evan Francen: up but Brad, Brad. I know it’ll fix it. AI

[00:40:03] Brad Nigh: yeah. Right. God. Well and what what kills me is this guy knows it and he’s still going out and selling it. Like how? Yeah so he unburdened himself on a stranger. Probably having no idea that I was a writer and was going to do it. But like how do you

[00:40:21] Evan Francen: sleep at night?

[00:40:22] Brad Nigh: Yeah.

[00:40:23] Evan Francen: Well in my opinion you’re actually something like that. You’re actually worse than the crooks because at least the crooks are honestly crooks. They know they’re not

[00:40:34] Brad Nigh: but it’s this you

[00:40:35] Evan Francen: know they’re crooks. This guy, this guy is a crook and you don’t even

[00:40:38] Brad Nigh: this is the money grab right? This is this is what’s wrong with so much now what he was saying in and he’s not isolated. No this is this is pandemic across the the industry but I think what he actually said his quotes are really good truthful quotes right? Most of them overseas. If you can find even if you can’t find where they are? Even if you know where they’re in the government doesn’t care and won’t do anything. And so there’s nothing anyone can do. No, not really. Well, okay. That’s not entirely true. Right? There are things we can do. We can do our risk assessment. We can know our risk, we can do our assets, we can have logging and alerting in place. We can’t stop everything. The things that we can’t stop. Can we report on them? Can we get alerted about them? There are things we can do.

[00:41:27] Evan Francen: Absolutely. But fundamentals man,

[00:41:30] Brad Nigh: the last quote just just pisses me

[00:41:34] Evan Francen: off. Twisting

[00:41:36] Brad Nigh: our software is pretty good compared to most of the others. So no, I don’t feel bad in any way. I get to play golf three times a week really. It’s all about, you know, but and that’s what’s wrong. Just and you see it all the time. Right

[00:41:54] Evan Francen: one. And that stuff that sort of mentality will never fly here. No, no. Where we work. It’s not, we don’t, it’s not a self serve, self serving culture.

[00:42:05] Brad Nigh: What’s great is I’ve actually had, we had, I had to last week. I didn’t even know it when it was. I lost all track of time couple within the last month. Uh, I had a salesman come. They had somebody reach out to them and it was not going to be a good fit. It just wasn’t what we do. And they said, you know what we talked about it for a couple of minutes and like you know what, I’m just going to go back to and say, you know what, this just isn’t right for us, this isn’t what we do rather than try and shoehorn something in or make something work. They said, you know what, we’re not gonna, we’re not, we’re not the right fit for you, you know, which when you get salespeople doing that, you know, you’ve got them bought like they’re bought into what we’re doing,

[00:42:53] Evan Francen: which is, I love it. It’s awesome. I sleep like a baby. Yeah, and you know, and I may not be able to play golf three times a week, but I didn’t get into this industry to play golf rage, like I got into this industry to help people.

[00:43:07] Brad Nigh: Yeah, it’s not, it’s not about just cashing out, alright, if we needed to, if I wanted to cash out, I would go work somewhere else for a lot more money and I’d be miserable and stressed out all the time and go home and not be happy and we’ve all been in that position for sure. I go home at the end of the day, every day going, I did, I made a positive change. I’ve done good things. I’ve helped someone. Exactly. I mean, even if it’s just on a call and going, you know, you guys can do these two things like on a pre sales caller, just not even a billable engagement, hey, yeah, we can help you, but until we get to that point, do this because if you don’t, you’re gonna be calling us for an incident response and that’s gonna be a lot more expensive and that’s not going to help anyone. Exactly, yeah. I don’t know. I just pissed me off.

[00:44:05] Evan Francen: Well, let’s make more of us out there in the industry. Make more people because I do know, I mean, I follow some of these people on Twitter, you know, uh, run a lot of them are connections on LinkedIn and a lot of them are personal connections. There are groups and pockets of information security people and maybe even most information security people who really do want to make a difference in the world really do want to help people. We have to rid out. We really do have to run out the, the money grabbers and get them out of the industry, they’re hurting us, right?

[00:44:42] Brad Nigh: Yeah. It hurts the entire industry to write. It kills all of our

[00:44:47] Evan Francen: I mean, what do you do with a wolf in sheep’s clothing

[00:44:51] Brad Nigh: expose? You kill the wolf. There you go. I

[00:44:55] Evan Francen: wasn’t sure where you’re going. I mean, but it’s the truth. You can’t,

[00:44:58] Brad Nigh: you gotta get, you got to get rid of them. Yeah.

[00:45:02] Evan Francen: And I’m not saying go out and kill and kill anybody. But what I am saying is, you have to be brutally honest, you have to be harsh. They need to get out of our industry, go sell used cars.

[00:45:15] Brad Nigh: Yeah. Yeah like I said it hurts this guy whatever well known company is at is ruining the reputation of everyone

[00:45:27] Evan Francen: else and it’s too bad in that city in that article. Yeah I mean I understand that he’s got to keep his you know author job and everything but you know it’d be nice if you were outed specifically the company or in the guy’s name.

[00:45:40] Brad Nigh: Yeah I’ve been I would have I would have settled for the actual like solution right? It’s an I. D. S. Or it’s a you know whatever they’re known for just to give us something. But

[00:45:55] Evan Francen: all right man we’re coming up towards the end of the show already because we started talking we can talk about the money grab for a long

[00:46:01] Brad Nigh: time. Yeah. Oh yeah. Well any of these when we get and or ranting on him

[00:46:05] Evan Francen: why you and I both hate seeing people get taken advantage of. I hate it. Yeah I do.

[00:46:10] Brad Nigh: It’s just not the right thing to do. Just do the right thing. Right? Anyway. All right. Yeah so good discussion like I said I even put it in the notes we get heated up about these things. So some news articles real quick. I thought this tied in nicely with what we were talking about: IT pros understaffed, under-resourced and under pressure

[00:46:32] Evan Francen: so under pressure and I get that in my head and

[00:46:37] Brad Nigh: we’ll be out at the all hands meeting. I’m just gonna start singing that right on. Well you’re talking so this was on Naked Security, uh, from Sophos: IT pros understaffed, under-resourced and under pressure. Uh They surveyed 3100 IT managers across 12 countries about cybersecurity experience organizations between 100 and 5000 users. So it’s a pretty good sample size in a very representative business size. Uh two out of three organizations, 68% suffered a cyber attack in 2018. They were unable to prevent from entering the network and nine out of 10 that said there were running up to date cybersecurity protection at the time.

[00:47:19] Evan Francen: Of course they were.

[00:47:20] Brad Nigh: So they’re like well what should we be doing? So you know it’s. Yeah so just a couple more 53% suffered phishing emails. Um but I think the one thing that really stood out and why I included this is uh He said 86% of the respondents said they needed more skills to combat these threats. And the problem is they can’t get them. Eight out of 10 said they struggled to recruit the right people. So it’s the same it’s what we keep hearing and it ties into going back to the money grab. I can’t hire people. I’m going to throw software at it AI because there’s there there’s a shortage, there’s not

[00:48:02] Evan Francen: what I understand. I mean I understand too. I mean you’re sort of stuck right in this catch 22 for SMBs if you can’t afford the talent and and you know, you do know you have to do something, right? So you do try to go out and buy something to do something

[00:48:16] Brad Nigh: and I don’t blame them, right? They are trying at least they’re trying to do something, but Yeah. All right. So that if you’re if you’re feeling the pain, you’re definitely not alone.

[00:48:29] Evan Francen: Well, the way you solve for that, I mean, I think understaffed under source resourced either find somebody in your own organization that you can train up in the way. So go get them some training so that they can become that person for

[00:48:43] Brad Nigh: you. But even if I train them, they’re going to leave for more money, which is

[00:48:47] Evan Francen: OK. Okay. I mean sometimes it’s okay. But um if you have a good culture, they probably won’t leave anyway. And I think another thing is, you know, find a vCISO, so virtual chief information security officer. But find one with, I would say at least two criteria before you, you know, just go out and invest in a vCISO. One they need to be product agnostic. So if you’re going out to, you know to market to try to find a vCISO and they sell products beware and second a vCISO that can you can measure progress, right? So what are they specifically doing for me? And how are they driving down risk or helping me manage risk if you don’t understand that really Well give us a call and wolf, I mean we will not sell you, I promise because that’s not I just that’s not how we roll, but we’re here to help and a lot of times you’ll get free advice so you know, do something about it.

[00:49:48] Brad Nigh: Absolutely. Uh Second article I had was from Threatpost, um, thousands of IoT devices bricked by Silex malware.

[00:49:57] Evan Francen: So you say IoT. It’s not uh

[00:49:59] Brad Nigh: it’s close enough idiot. So this one is nuts. 14 year old hacker used a new strain of malware this week to brick up to 4000 insecure devices before shutting down command and control server abruptly. Which you know, Mom or dad came in and said, what are you doing? Get off of your computer. 14. That’s insane though. Uh He so the comment was so uh it was Larry Cashdollar, who is a senior security intelligence response engineer at Akamai. Um he found it, but he reached the hacker reached out to him and said I was he was trying to take down targets for other script kiddies who might be looking to build botnets and he was just getting sick of it. His sole motivation was to remove the vulnerable IoT devices that botnets are built on to stop other script kiddies from building botnets and it was aggravating him and this is I think the definition of maybe, you know, kind of that gray gray hat, he he had a, it sounds like he had a a good intention and just not a good execution in terms of what he should have done, But it’s crazy. You know, you’ve got a 14 year old kid just shutting down 4000 devices and breaking them. What what’s gonna be interesting is what are these companies going to do for their customers? Because how did they, were they not patching? Like what, how did this happen?

[00:51:36] Evan Francen: I think it’s last name is cool. Cash dollar.

[00:51:38] Brad Nigh: Yeah,

[00:51:39] Evan Francen: let’s give me my change my name to Evan. Cash

[00:51:41] Brad Nigh: dollar. Cash dollar, but it’s a really good um really good thing. So Lindsey O’Donnell uh interviewed him on the, on the Threatpost podcast. But in the transcription there there’s a really interesting read. Uh and then the last article I have was, and we’ve started talking about this, you know, you made the initial uh prediction. Last January I think was you know about there’s gonna be a cybersecurity incident that cost people lives. And I think this is along those lines. I thought of that. So again, this is off of Naked Security by Sophos, cyberattack lands a ship in hot water and um basically a ship was affected by a deep draft vessel. So this is a big boat. Uh, so the malware significantly degraded functionality of onboard computer system, but essential vessel control systems were not impacted. But the, the inter agency response found the vessel was operating without effective cyber security measures in place exposing critical vessel control systems to significant vulnerabilities. Uh, yeah, it was, it’s scary scary. Right, heck, cruise ship, Right. That’s got, you know what, a couple 1000 people on it. And all of a sudden they have no control. It’s a huge catastrophe or, or a container ship with all those uh, containers on it. Right. So, uh, yeah, International Maritime Organization only issued guidelines On Cyber Risk Management in 2016. It’s, I think this is going to be be better. But uh, the one comment was pretty funny, penetration testing firm use default passwords on satellite communications systems to tamper with their electronic chart display systems, which provides electronic navigation charts. So there you go, default passwords. There you go. Super secure. Yeah,

[00:53:55] Evan Francen: well, yeah, well, unfortunately this will fall on deaf ears too.

[00:53:59] Brad Nigh: Well, until, right. I don’t know man people until something happens. That’s what I’m saying. We’re

[00:54:07] Evan Francen: oversold fear. So it’s like,

[00:54:09] Brad Nigh: okay. Uh, it’s scary

[00:54:12] Evan Francen: unless you’re on the cruise ship or you’re on the ship, you know itself, just like that will never happen to me. I mean, that’s that’s that’s our ill logic that always gets in the way of these things.

[00:54:22] Brad Nigh: Yeah.

[00:54:24] Evan Francen: All

[00:54:24] Brad Nigh: right. So that’s a wrap. Thanks again to our listeners. Thank you. Evan uh, have a great week. Don’t forget you can follow Evan or myself on Twitter. I’m at @BradNigh and Evan’s is @EvanFrancen and always email the show at