Marriott Data Breach and Third-Party Risk Management

Unsecurity Podcast

In episode 4 of the Unsecurity Podcast, Evan and Brad break down the massive Marriott data breach that happened this week. They also take some time to discuss Microsoft’s multi-factor authentication, GDPR issues, third-party risk management, and more.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: All right. We’re back with episode four of the insecurity podcast with Brad and Evan. How are you doing today?

[00:00:30] Evan Francen: Good Man. December. 2nd guess. Already a week passed. Thanksgiving time is flying.

[00:00:39] Brad Nigh: It is, yeah. Yeah.

[00:00:43] Evan Francen: It’s hard to believe that. What’s that?

[00:00:45] Brad Nigh: So this last month has just flown by.

[00:00:50] Evan Francen: I know, I know it was, it’s november or whatever where you don’t shave and I’m just starting to like my beard. It’s really grown out quite a bit, but it’s time to shave it. Maybe

[00:01:01] Brad Nigh: you could just go with what I did capsule in the Stanley cup and I’m just keeping the beard now. Just keep it forever. Kiss. Keep it. Why not? Or at least as long as the wife will put up with it.

[00:01:13] Evan Francen: Yeah, I think she’s, I think she’s game. I don’t know. I’m afraid to

[00:01:16] Brad Nigh: ask. So it’s better. Was it asked for forgiveness? Information? Yeah, yeah. Sorry. I thought you liked it.

[00:01:26] Evan Francen: She’s still sleeping in the same bed. So you know,

[00:01:31] Brad Nigh: she’s getting dirty

[00:01:32] Evan Francen: looks. No, no, I think we’re getting along so I’m going to go with it.

[00:01:37] Brad Nigh: There you go. I think I’m in. I think you should.

[00:01:41] Evan Francen: Yeah. So I was like, you know, care 11. I don’t know if you saw the

[00:01:45] Brad Nigh: I have not seen it yet. I saw the, I saw it go out and I have not seen it yet. I’ve been crazy busy.

[00:01:51] Evan Francen: Feel free to skip it

[00:01:53] Brad Nigh: now. I have to watch it. I wish I had watched it ahead of time so I could like give you some grief about it.

[00:02:01] Evan Francen: Well, first of all, it’s a friday, right? Everybody’s broken on Fridays. I’m tired. Uh you know, to a couple of days of traveling you were out to um and then they did like this weird wide angle stuff so you can, you can see my whole body, you know, I mean it’s cool and you just keep it to the face, you

[00:02:21] Brad Nigh: know, got to keep some secrets.

[00:02:25] Evan Francen: Right? I know I need, I know I need, I know I need to lose weight, you know, but don’t put it out there.

[00:02:32] Brad Nigh: Yeah, yeah, we’ll talk more about why you were on care 11 here. Yeah, minute. But yeah, I think uh you know, we’ve gotten some good feedback so far. So I’ve been pretty happy with how things have been going. I feel like we’re getting a little bit better at this and uh yeah, what do you think?

[00:02:53] Evan Francen: Yeah, I agree. I think, you know, it’s it’s only our fourth podcast. Uh some of the feedback we’ve gotten is people like the fact that we talk about talk shop. You know, there’s a lot of podcasts out there that talk news. Um so we’ll talk a little shop and Sprinkle little news. I think

[00:03:11] Brad Nigh: yeah. to me getting that feedback was great because I was always worried, you know, that we’re going too deep into that and getting, like I’ve said it a couple times, we’re getting deep in the weeds and apparently that’s what people are liking the most. So sweet. Right? That’s really easy to do.

[00:03:29] Evan Francen: Yeah, it’s easier to talk first hand experience. So speaking of that, what tell me about your week?

[00:03:37] Brad Nigh: Yeah, it was it was busy. So, um, a couple of customer issues just normal. It’s funny how customers don’t like being told they’re not doing well, right. They think they’re doing a great job or whatever it is. Then you come in with, you know, an assessment or pin test and you compromise them or show a lot of weakness and and they don’t like that. Funny.

[00:04:04] Evan Francen: Well, yeah, there’s certainly an art to telling people bad news in a way that they’re like, right?

[00:04:16] Brad Nigh: Absolutely. And it’s important to listen to their point of view as well on that because, you know, it is easy to misinterpret something. Maybe they misstated it because, you know, they’re doing an assessment. They’re not, it is taxing to be on the receiving end of the assessment when we go through that interview process. So, you know, their brains may have been mush a little bit and there’s been, there’s always, you know, we’re always willing to to listen to him and adjust it if it’s appropriate. So that that usually helps. And I think we’re in good shape with Uh the other ones. But yeah, that was fun to, to deal with. And then the last two days off site doing 2019 strategic planning, so that it’s a whole different type of work and exhausting in a totally different way.

[00:05:06] Evan Francen: Right? Security guys doing strategic planning,

[00:05:09] Brad Nigh: right? That’s not normal.

[00:05:13] Evan Francen: No. Well, it’s great though, man. It sounds like you guys had a great couple of days off site. I’m excited to see what, you know, it comes of it.

[00:05:23] Brad Nigh: Yeah. So am I, it’s um, there’s a lot of of work coming. Mhm. But I’m pretty excited about what it is. It’s gonna be, you know, that new challenge. So I think, I think that’s a really good thing too. You push yourself and make just keep challenging yourself. Don’t, don’t just settle. So I’m excited about what’s coming.

[00:05:50] Evan Francen: Well, you should be, I mean, 2019 or 18 were still there? Um, I mean, we, we grow at 40% a year, at least the last few years and you know, it looks like that will continue and be able to do that as a consulting company with 20% margin is pretty exceptional. So I mean kudos and hats off to you guys for all your good work.

[00:06:16] Brad Nigh: Yeah, it is uh it’s one of those things, I mean, you started as an analyst, you kind of look back and go, which has happened at the end of the beer and you see that the numbers come out and yeah, it is rewarding to see that, hey, well, hey, we’re making a difference, but be that all that hard work is actually quantified somehow.

[00:06:42] Evan Francen: Well speaking of an analyst, ng, I was out on the east coast. Yeah, with our big travel company and this will be a good segue when I think I need to talk about the mirror’s

[00:06:55] Brad Nigh: gonna that. Well that’s how I was gonna say, how are they doing?

[00:06:59] Evan Francen: Well, yeah, so, okay, last week was what we finished the book, I mean like finished, finished, finished. So that’s really exciting because I don’t have any more work to do with that. It’s at the printer, They’re putting a rush on it, 5000 copies I think by Christmas.

[00:07:19] Brad Nigh: So I shouldn’t, it’s too late to tell you about the typo,

[00:07:22] Evan Francen: oh man, I can’t, we could, we could do an entire podcast on the experiences of, of writing a book. Um, I had no idea that it was that how much work goes into writing a book because it’s one thing just to write it. Uh, then you’ve got ghost writer, editor, editor, editor proofreader, I mean on and on and then you got graphic artist, you know, designing the cover, you’ve got to get endorsements. I mean holy buckets.

[00:07:58] Brad Nigh: So would you say if you’re gonna do it again, would you write and just right at a very high level kind of like just outline it and then just fill in details where appropriate. Or would you go and attack it in depth like you did the first time.

[00:08:13] Evan Francen: Uh, so you said if I’m doing it again, I’m

[00:08:18] Brad Nigh: when

[00:08:20] Evan Francen: well the wind is even settled. It’s, I’m starting again in january. Oh my gosh. So this book will be uh information security for normal people.

[00:08:31] Brad Nigh: Okay. Like

[00:08:33] Evan Francen: that. Yeah. And I think what would I do? I think one of the things I learned is I would spread my thoughts across the book as opposed to when I started this one. I spent so much time on the first chapter that my first chapter was a book almost by itself.

[00:08:52] Brad Nigh: Yeah, that’s kind of that, that’s where I was going with that. Just outline it and figure out what the whole high level is going to look at and then dig down and drill down from there.

[00:09:04] Evan Francen: Yeah. Good. But I’d love to see. And I know that, I mean, I’ve talked to uh like jim nash at the office. Um, he wants to write a book. Like dude, you have to do it. I mean anybody who feels the urge or the itch to write a book, I think should do it. It’s a great experience. I almost died. But whatever,

[00:09:29] Brad Nigh: you know, almost

[00:09:32] Evan Francen: right, isn’t isn’t there some wisdom saying that that which doesn’t kill you, makes you stronger. Yes. Yeah. So it must be pretty strong now. All right, so then it was two days in uh in Jersey, which I think uh you know, it was this is a large global company, you know who they are and I can’t I don’t have permission to to say their name,

[00:09:58] Brad Nigh: it’s not Marion,

[00:10:00] Evan Francen: it is not here yet, but as somebody closely very close to Maria, um But it’s it’s funny, you know, it’s a very large organization just in this region, you know, there are 20,000 employees and you think, I think small companies and even analysts, we think that bigger companies have more haven’t more figured out. Mhm. And it’s very not true, we’re just now starting to really get our hands around asset management and we’ve been, you know, we’ve been working for six months, I

[00:10:38] Brad Nigh: Almost feel like there’s a sweet spot, right? So you have the small businesses, so they let’s just say under 50 employees, they don’t just my kind of gut take on it, they don’t seem to always have the resources to handle that stuff, so that is a lot of times lacking, unless they’ve got a partner doing it, Then you get that 52, you know, 500, maybe even 2500 up to that big. That seems to be the sweet spot for the yep, we’ve got the resources to actually hire people and get the right tools in place, but we’re not so big and we don’t have so much in politics that we can actually move forward. And then once you get to that, you know, sub enterprise and enterprise, you start seeing so many different um, business units and you know, mergers acquisitions and nobody is doing the same thing and then there’s politics around everything. And so I’m not really that surprised they struggle. Um, but I would agree that the common perception would be That, yeah, these, you know, Fortune 100, Fortune 500 companies, they’ve got it there locked down and I, I don’t think that’s the case at all.

[00:11:53] Evan Francen: No, no. Well, and these guys, I mean awesome. We had so much fun in the two days, you know, that’s one of our principles, right? Security is fun, yep, So we had a good time. They’ve shown uh 10% increase in their faces score. So yeah, over six months. So that that’s a hell of an improvement for a company that that large, but just wrapping up, you know, incident response planning, which is, you know, good timing for that. Um Yeah, just a lot of things going on out there, a lot of work to do, but it’s fun.

[00:12:30] Brad Nigh: That’s good. Yeah, I can only imagine there was a lot of uh stress and very short fingernails at the end of the week. Last week for them.

[00:12:42] Evan Francen: Yeah, so I get back and I get back from the trip. Uh you know, I’m there once a month. I get back on friday morning, about 1 30 in the morning this is a trip I took, I took my wife with because you know if you’re going to travel right? So she uh in the southwest, lost her, lost her bag. Oh no, yeah, So that delayed us getting home, so I got home about two, Getting bad about two am and then you get up the next morning and then there’s the Marriott breach, it’s like God and then yeah, so it was a hairy day on friday.

[00:13:22] Brad Nigh: Yeah, yeah, I’ll be honest, I was kind of like, you know, I’m gonna have to be careful what I say here because I’ll get yelled at by the other people who run that that off site. But I was kind of watching my email a little bit closer on friday um just to see and I didn’t honestly didn’t see anything from my my customers, you know, and there wasn’t a lot of email, I haven’t talked to the analysts, so that will be tomorrow morning, but I was a little surprised how little chatter there was from, from people about it, maybe it’s because it’s still nobody really knows what happened yet. Mhm.

[00:14:02] Evan Francen: Yeah, well and so for for our listeners and you know, and you know already, but you know the client that I work with um is a global large huge travel company. Um and they the book travel on behalf of corporate clients and they booked travel on behalf of leisure, you know consumers and so with thousands and thousands hundreds of thousands millions of clients probably so some of those bookings that they do, you know obviously our own Marriotts systems so this whole myriad thing when the news broke, it’s like we got to get out ahead of this even though it didn’t the breach wasn’t our client. Yeah the breach affects our clients so much because it’s their core business that it requires us to you know do a response of some states.

[00:15:09] Brad Nigh: Oh yeah they’re gonna get all kinds of questions.

[00:15:12] Evan Francen: Yeah and the breaches, you know when you I mean we could spend a lot of time just talking about this breach but it’s uh It’s amazing to me. 500 million ish clients, I mean how could start what hotels have that many records and a database. My God

[00:15:32] Brad Nigh: no that’s a big database. Um Yeah you know and what’s crazy is if you look at it so you know a little background on it, it was Starwood Hotels. The breach was had taken uh Had happened in 2014 which was before Marriott actually purchased them so they purchased a breach and didn’t catch it which is An issue there. That’s one then the second one is they were encrypting using a S 1 28. That’s great. However they store the encryption keys with the encrypted like documents or files or databases. So uh so close.

[00:16:15] Evan Francen: Well yeah so the uh yeah okay so The Breach I think you know they noticed the breach in or something unusual. They received an alert on September 8th. Um And I think the way they were alerted was because the attacker or there was some attempt at exfiltration of the data and when they do the investigation they find out that there may have been unauthorized or it looks like there was unauthorized access there Since 2014 so four years.

[00:16:52] Brad Nigh: Yeah

[00:16:54] Evan Francen: And I don’t know if there were any exfiltration of data between the 14th between 2014 and 2018 or if the attacker was just kind of accumulating data before attempting to exfiltrate in september. I don’t know but it’s it’s a big one and it affects a lot of people and it’s sensitive information to

[00:17:17] Brad Nigh: write passport information, data, birth. Uh You know basically everything you need to uh steal someone’s identity is right packaged up name, mailing address, phone number, email address, passport number, date of birth, gender, travel information, right? Painting the card information. And

[00:17:44] Evan Francen: I mean when there’s a lot of issues with this too, I mean with the dates so one of the things you know I like I’m a positive guy right? You know me on the positive side I really like the breach disclosure or their disclosure on Kroll’s site. I thought it was you know maybe a little too much detail but anyway good detail um I can ascertain as a as a as a client or a potential client I can ascertain what the risk sort of is to me. I mean I like the the disclosure. Mhm. The bad thing is it september say eighth two november 19th. Um It took a while and uh you know especially when you think of G. D. P. R. And what do I you know how soon I need to notify those authorities.

[00:18:37] Brad Nigh: Well in the way the way I read it was they found it on the age I would have I didn’t see I would assume they closed it down pretty much immediately but it took another two months actually decrypt that packet to figure out what exactly was being taken.

[00:18:56] Evan Francen: Yeah so maybe that will be there.

[00:18:58] Brad Nigh: I I didn’t see anything on there about when it was actually locked down but I would assume once they identified that they locked it down and it didn’t get worse. It took two months to figure out.

[00:19:12] Evan Francen: So you mentioned what about this issue of they bought a breach. Yeah. How many times do we see companies acquiring other companies and securities? Either an afterthought or not a thought at all.

[00:19:24] Brad Nigh: You know I yeah all the time I was thinking back I’ve been doing this but I’ve been here 2.5 years. Almost 2.5 years and one company has hired us to build a or work do a acquisition assessment. Um Despite I was talking to a lot of them um You know I just had another customer that by the company and they were like oh well before we integrate them onto the network or a. D. We do want to do an assessment against them to understand what we just bought. Like well Alright well better than not doing it at all. But you know I guess ideally you’d want to do it before you bottom but better late than never. At least I didn’t integrate them into their you know 80 and on B you know it’s totally separate it’s on its own so at least they’re getting there. But no it’s just you don’t see it very often.

[00:20:26] Evan Francen: It’s funny I mean sometimes just want to record what they say and then play it back. You know we want to we want to do a security assessment before we integrate them so we know what we bought. I mean think about that for a second. Right.

[00:20:41] Brad Nigh: Well and I think part of it could be also is not necessarily I don’t want to say that it’s a shot at at the security of that company right? They they may not have been told or been aware of it and then hey we bought this other company and now it’s already been done so what can we do to to minimize it? I think that goes to you know security not being adopted at the top. It’s not integrated into the culture.

[00:21:14] Evan Francen: Well, it’s treated as an I. T. Issue. It’s not a business issue, right? Which is wrong. Well,

[00:21:19] Brad Nigh: and you know, it was interesting, um, I’m gonna find it uh, Krebs on security who in his talk about the Marriott Bridge, um, you know, he’s got little chart on there from the enterprise strategy group from 2014 about what the categories the basic organization, progressing organization. Advanced organizations, um, about security. So things like, you know, the philosophy being cyber basic cyber security is a necessary evil. Progressing organization says cybersecurity must be integrated into the business and advanced would be cybersecurity as part of the culture. And I think

[00:21:59] Evan Francen: we’ve we’ve been we’ve been screaming that. Yeah, forever, you know.

[00:22:05] Brad Nigh: Yeah. But you know, but what we still are seeing is most places, Gosh, I would say maybe 5% in that advanced if that um, basic cyber security is a necessary evil. Yeah. I don’t know 60%.

[00:22:27] Evan Francen: Well, yeah. I mean, why is it an evil at all.

[00:22:30] Brad Nigh: Right. But that’s the thought process around it, right. It’s still, I would say the majority of places we see it’s we have to do this because regulation, it’s not we want to do is to understand what’s going on. Sure.

[00:22:46] Evan Francen: Well, and so going back to what you said, you know, it’s almost like we want to figure out what we bought after we already bought it. Mm hmm. It’s like that’s the wrong time to figure out what you bought. I mean, I just take that to your own personal purchasing decisions. I mean, do you go and buy things and just now I should figure out what I’ve actually bought. I mean

[00:23:12] Brad Nigh: Uh huh. Right.

[00:23:14] Evan Francen: This doesn’t make any damn sense. Um well in the company that I was talking about two that I was out at, this, you know, this, this last week, they grow through acquisition. And so that was another point. And we address, we started to address this about 34 months ago because they were acquiring another organization. It’s like you better do an assessment of this organization before you purchase. Like, wow, we already purchased. I’m like, all right, well then do an assessment now.

[00:23:41] Brad Nigh: Yeah. Before you integrate

[00:23:43] Evan Francen: and here’s a process to follow in all future purchases. It’s simple. Right. I mean you don’t have to go crazy in your assessment but at least do some due diligence. Right.

[00:23:53] Brad Nigh: Right.

[00:23:55] Evan Francen: Oh boy.

[00:23:57] Brad Nigh: Yeah, yeah, I’ll be interested to see how this. It stayed undetected for four years. That is just that’s crazy.

[00:24:09] Evan Francen: Well, if it’s like most um, enterprise sort of acquisitions, I’m assuming that Starwood sort of ran as its own kind of business unit within Marriott and there was probably some segmentation between the two. Um, so it’s possible even that the security folks from Marriott, I haven’t even had a chance to really dig in and integrate. You know, even after a couple of years after the acquisition. I mean it takes a long time to do this. Right?

[00:24:43] Brad Nigh: Oh absolutely. I just, it just four years is a long time to be compromise.

[00:24:51] Evan Francen: No. Yeah. You know it’s the, you have the ones that get, you know, you identify them and like Days, sometimes minutes and then you have these ones that go four years and I guess It’s no wonder the average dwell time is like what, 200 days ish?

[00:25:07] Brad Nigh: Yes. I’m like right around 6, 7 months someone there eight months.

[00:25:11] Evan Francen: Yeah. Well and so another thing about this, this breach in really every breach, you know, you keep reading them, you keep reading him And you know I was talking to the car 11 reporter on Friday because they came calling which was awesome. I love I played him in ping pong too by the way.

[00:25:30] Brad Nigh: I’m assuming you won,

[00:25:32] Evan Francen: well I wouldn’t have played unless I would have won. But uh, you know, one of the things, you know it uh yeah, it’s like, well what can people do, what can people do? And I’m like, because there’s this, people are frustrated and enraged mike what if you thought about just thought about this differently? Just assume that information is going to be breached because it is, it’s not about risk elimination, it’s about risk management. It’s just like when I drive a car, there’s no guarantee that I’m not going to get in an accident between here and work. Right? But I manage that risk it’s the same thing with data breaches. Its why get off flustered and upset about it when it’s guaranteed to happen.

[00:26:19] Brad Nigh: Right. Yeah.

[00:26:20] Evan Francen: I mean mathematically you can’t not make it happen.

[00:26:23] Brad Nigh: Right. Yeah. Do they freeze your credit? It’s free on all three credit a credit bureaus at least you’re doing something to help mitigate that damage.

[00:26:33] Evan Francen: Right. And then you learn you learn your lessons right. I mean what are the lessons we learned from the Starwood breach or from this Marriott breach 1? Do your due diligence before acquisition ideally

[00:26:44] Brad Nigh: only keep information you absolutely need. Right.

[00:26:48] Evan Francen: Yeah. Yeah. I’m guessing 500 million records. There’s probably some of those records they didn’t need anymore.

[00:26:55] Brad Nigh: Right. Yeah. And and really do they need for their Starwood preferred guest account? You know do they really need all the information that they collected? You need a gender and date of birth for or for that? You got their passport information? Why are we keeping that? I don’t know. It depends on how they’re using it. But what can you do to reduce the amount of information you hold as a company?

[00:27:23] Evan Francen: Right. Because you know less information less risk. Right. I mean the impact would be less. So yeah you’re right. It’s it’s all about risk management not risk elimination. And I think if you have that mentality breaches like this aren’t quite as emotional. They don’t surprise me as much. They’re not a shocking

[00:27:43] Brad Nigh: you know the numbers. I mean that that’s pretty impressive. I was I was a little bit surprised how how big it was but not yeah not overall.

[00:27:55] Evan Francen: Yeah I mean it’s sensational right? Because of the number. It’s like oh my God that’s like the whole U. S. Population and then some but

[00:28:04] Brad Nigh: yeah fine.

[00:28:05] Evan Francen: But as an individual, as a consumer, you know I’d be I’d be thinking to myself what can I do to protect myself because I can’t stop Starwood Marriott, I can’t stop any organization from losing my information. And it’s guaranteed that some will um you know what’s my own personal instant response plan, right? If you think of it that way. Yeah it’s more constructive anyway.

[00:28:32] Brad Nigh: Yeah. Hopefully you don’t feel quite as much despair about, well it happened again, what are you gonna do

[00:28:39] Evan Francen: Or just the are on the other side which I think we’re seeing two. Is this breach fatigue as breach acceptance? Where Oh it’s just another breach and then nobody even pays attention. Well that’s not you went too far,

[00:28:51] Brad Nigh: right? Yeah.

[00:28:54] Evan Francen: Well it’s just in the middle somewhere.

[00:28:56] Brad Nigh: It’s yeah we’re almost to the point where it’s like you see an I. T. Or insecurity, it’s the alert fatigue right? They get so many email alerts that you just miss it because uh well here it is again

[00:29:11] Evan Francen: right. And meanwhile Attackers are getting away with hundreds of millions billion billions and billions of dollars, you know, so it’s it’s not that you don’t do anything, you just got to put it in perspective. Yeah, and have a plan

[00:29:27] Brad Nigh: man, so I’m going to move on, but kind of tied to that, so I will full disclosure these articles that I picked out I had picked before the, before the Marriott breach came out. But it’s really interesting how they do tie together, um or at least I think that we can’t, but the next one was off a dark reading dark greeting dot com about the weakest link in the supply chain And saying 60% of organizations have suffered data breaches resulting from a 3rd party Uh 34% of companies have a comprehensive inventory of all 3rd Party suppliers they work with. This was a 1,038 professionals across multiple industries that were surveyed by ponemon Institute and commissioned by Opus, so said us third party suppliers Since at an average of 583 and I would say this from what we’ve seen with, you know, getting been defense up and running and getting it out. It’s not surprising to me at all that That only 34% 30. The thing that surprised me is 34% have a comprehensive inventory of, of their third party suppliers.

[00:30:45] Evan Francen: Yeah, so I think there’s some, I don’t think that number is that high. I mean if we speak from our own experience and you know our Part of the world with our 1000 or so um clients. It’s not that high.

[00:31:00] Brad Nigh: No,

[00:31:02] Evan Francen: I mean even big companies I was talking to a the sea so of a vascular you can’t say company names but a very large retail operation. Right? You know what I’m talking about, don’t you? Probably. Okay, well they’re one of the first ones that we built then defense for.

[00:31:23] Brad Nigh: Oh yeah, yeah, I do

[00:31:25] Evan Francen: know you do know. So so this this organization um that was I

[00:31:31] Brad Nigh: know where you’re going to. Uh

[00:31:32] Evan Francen: Yeah. So so the the the the author of this article, I love her first line. The first line of her article is do you know how many third parties your organization works with? Mhm. Bingo. Because that’s where you start. Right? That’s phase one of a vendor risk management program and oh my gosh. You know because I also think of like the why like why would even care, what do I care about vendor risk management? Well, it’s Probably so I can put myself into kind of a defensible situation like when a breach does happen because if 60% of organizations are suffering Data breaches from 3rd parties, what do I have in place to defend myself in the very first question that I could just imagine opposing counsel would ask after a breach. Do you even know how many 3rd parties you have?

[00:32:28] Brad Nigh: Mhm.

[00:32:30] Evan Francen: Yeah. And then if the answer is yeah, I do know or I think I know or Yeah, I don’t know,

[00:32:39] Brad Nigh: you know, so we’re working with another customer on that and you know we’re talking about, well let’s get all your list of all your vendors Like well we have this list, I’m going to make up some numbers so it’s not a little bit close but not not exactly got this list of 25 vendors that are part of our ISIS certified scope. So we’re gonna just do them. Oh okay. Is your what’s in scope for your ISO certification completely segmented from the rest of your environment? Well no, mm

[00:33:21] Evan Francen: Well that is that the only place you have risk, I mean we’re not expecting.

[00:33:24] Brad Nigh: Right? So what they had said is and and they were fully uh and I will give them a little bit of defense, they fully were aware that they needed help there um and that’s why they’re going forward with it as they did identify that hey, this is a problem, we know these because we have to we don’t really have a good handle on the rest of the organization and we need to so they’re starting to get to the right place on it but I mean that’s that’s what you would I think we see most is well we know there’s this, you know picking a number around this particular product. Right. It’s our online web portal. So we’ve got these seven vendors around it, that’s great. What about the rest of the organization? Um, right.

[00:34:15] Evan Francen: Well, and, and so it’s one thing, I mean, it starts, it’s like, it’s like an alcoholic, right? I mean, you gotta first, you have to admit you have a problem, you know? And so if you have a problem, which, you know, if if you’re not sure, then I’ll tell you you have a problem. Yeah. It’s just whether or not you’re going to believe it and own it. Um, then it’s, what am I going to do about it? How do I take care of this? And I think many people get confused about how third party or vendor risk management works. You know, when I say risk management too, there’s all kinds of different risk. I’m going to say security risk management?

[00:34:52] Brad Nigh: Yeah, I will say this. I think a lot more organizations have that financial portion of the vendor management under control, you know, is the company financially stable? They’re going to be around for a while. You’re like, oh good. We don’t have to worry about it. And then that’s it. And I think that’s a lot more common. Uh, yeah. The other.

[00:35:18] Evan Francen: Yeah, absolutely. So information security risk management, vendor, third party information security risk management. How do we, you know, how do we handle that? Simple? You know, keep it simple. And it’s easy for me because I’m a simple guy, but you’ve seen me brad. You know. You know how I roll I drive a pickup truck? I wear jeans. I’m simple

[00:35:43] Brad Nigh: if we’re lucky you wear jeans.

[00:35:46] Evan Francen: Oh, jeez, we don’t want to go

[00:35:47] Brad Nigh: there. Oh, right, sure. I mean short.

[00:35:51] Evan Francen: Right.

[00:35:53] Brad Nigh: Um No. Yeah, I agree though. Uh you know what we see is people, we’ll come in and they’ll ask us to help them with, you know, policy procedure and we get to vendor management and it’s this just, you know, we’re using the stig light or stick and and then we have to interpret it and then we do what we we’ve made this custom assessment and then it’s all subjective and why are you making it so comprehend? Like it does. It’s way too complex. How are you classifying your vendors? Well, it’s this. You know, basically you have to be a PhD level to understand how it works by things, right? It’s not, it shouldn’t be hard make it make it to the people. If it’s hard to do. And it’s complex what’s going to happen? We’re just gonna check boxes and they’re not going to pay attention and you’re not gonna get accurate answers exactly what what does the vendor do for us? What do they have access to? Is it physical or virtual? And you know, how much do they have? What type of access do they have?

[00:37:00] Evan Francen: That’s probably it. That’s

[00:37:02] Brad Nigh: probably, Yeah,

[00:37:03] Evan Francen: maybe. Maybe criticality, you know?

[00:37:06] Brad Nigh: Yeah, yeah. What type of Yeah, critical. Yeah, I would say that. So five questions though. Maybe six. Yeah.

[00:37:15] Evan Francen: And then they’re classified, creates create set rules. So you’re not using judgment, subjectivity doesn’t enter into the equation. Right? Yeah. Yeah. So step one inventory, Step two classification based on kind of the stuff that you said. Step three, then you do your assessment and the type of assessment should be based on your classification, yep. And then step for make some decisions, you’re going to mitigate some things. Do they have an acceptable level of risk? You know, whatever? But it’s just so simple. I think people get confused because lot of people did it wrong probably and it’s not fun. Maybe I think it’s fun but I’m a security guy.

[00:37:54] Brad Nigh: Well, you know, I think yeah, I think the problem is that people don’t think it’s fun because it’s been made into this really bad, horrible thing. And I mean honestly we had spreadsheet templates for questions but we had math behind it based on their answers. So it wasn’t subjective at that point. They were still as frenchy people had to deal with. Well, yeah, nobody wants to get a spreadsheet from someone that’s not fun. No,

[00:38:24] Evan Francen: no. Well this is in the book, I mean this is chapter one in the book is this translation of information security between two organizations and that’s sort of why we designed Fyssas score also. Right. Uh huh. So I don’t even have to go through this, Bring them a roll off spreadsheets and all that maintenance stuff. It’s going to I mean, we’re making progress. It’s just gonna take a while to get there. But you know, this is a problem that we’re your dad said on solving so we’ll keep keep going at it.

[00:38:55] Brad Nigh: I’ll be honest. I’m excited to see where we’re at in a year because I think once once it starts to to catch just a little bit, it’s gonna just explode.

[00:39:09] Evan Francen: I agree. I think we’re ahead of the wave. Unfortunately, it be like most things insecurity where compliance will push it, but whatever.

[00:39:16] Brad Nigh: Yeah. Yeah. But again. Mhm. It’s always better to be doing it because you want to do it than to be doing it because you’re told you have to.

[00:39:25] Evan Francen: True, it’s always better, Right? I mean, just think like at home I’m doing stuff around the house that I like to do. Yeah, It’s a lot better than my wife telling me I have to do. So just get up and do it because I would.

[00:39:38] Brad Nigh: And which one are you going to put more effort into and do a better job around right? There could be more quality if you’re like, yeah, let’s do this versus Oh man, I can’t believe I have to do this totally except at home if the wife tells you want to do something, man. That’s the best thing to do.

[00:39:56] Evan Francen: I get excited about that.

[00:39:58] Brad Nigh: I can’t tell us you can hear me or not. All right. So the next one, um, was from info security magazine. Again, this is starting to see some trends on our sources here. We’re gonna get some and get to the point where people are going to have read all the articles before we talk about

[00:40:19] Evan Francen: them.

[00:40:21] Brad Nigh: Um, so it’s interesting. This is about the thought that G D P R could actually lead to greater risk of breaches. Um, and You know, right now, it says 23% of UK and German businesses believe that may have resulted in an increase of greater risk. And, you know, the reason being G D P R led to increased complexity. So what do we have? I mean, it’s in everything we put out there, complexity is the enemy of good security, you know, and now we’re starting to see what we got to do all this stuff in a specific way. And and then people start trying to do it and it’s not good security.

[00:41:11] Evan Francen: Yeah, I I totally agree with this article, complexity is the enemy of security. I mean, we can show evidence of that everywhere. And the second thing that I also like about the article is compliance doesn’t mean better security. You know, if I’m so focused on checking boxes and the boxes may or may not be the most significant risks I face in my organization, then it’s gonna be counter right.

[00:41:39] Brad Nigh: Yeah. I mean, I know we’ve done and you know, this isn’t to call out any particular certification or anything like that, it’s just an example. A little disclaimer there. But we did a pen test against a high trust certified company. Well high trust like Pc IR talked to these are all really scoped down. Okay. They spend a lot of time and money getting hydra certified to hit all these requirements but missed a huge open door because they were so focused on getting the certification because client told them they had to and it was you know, I think they got internal uh full access in under an hour. Yeah. Nothing.

[00:42:22] Evan Francen: Well I love the the intent behind almost every compliance piece GDP are hip G. O. B. A. The intent is right on its it’s how people interpret the intent. They’re not following the intent there following the letter. So you follow the letter of the law versus the intent of the law. If you followed the intent, you don’t automatically be complaint. But that’s not how people think,

[00:42:51] Brad Nigh: you know, I think and I may get skewered for this one. But I think it actually does a fairly good job of saying these are the things you should do. But it’s not very prescriptive. It leaves a lot of interpretation, right? So I think that one does a fairly good job. It’s just that people then don’t know how to interpret it and say and they’re not doing it. Yeah. Yeah. They’re not doing good security. So the thing that’s side

[00:43:17] Evan Francen: though we’ll think that’s challenging with with Hipaa is yeah I mean when you look at like hip the things in it are good components of security programs. So you know I like that part but in a healthcare environment you have to be so much more creative because you cannot get in the way of providing care the patients and I think so it’s it’s just not being interpreted well

[00:43:44] Brad Nigh: where people are doing I think well and this is kind of the flipside is because it is kind of open ended and vague about it. People do the bare minimum because it’s not saying you have to do these things specifically. They’re like oh well I’ve done well I mean you start with oh the anthem the breach. They weren’t doing an enterprise wide risk assessment they were just doing a risk assessment on that specific area. Well that was that satisfied hip but not really.

[00:44:21] Evan Francen: Well I mean we’ve said it a billion times checkbox security just doesn’t work. It’s not about that’s why we have to have that formal inner definition of information security. It’s got to be managing risk right? It’s not about checking boxes it’s about managing risk.

[00:44:37] Brad Nigh: If your focus is checking boxes you’re probably losing. Right. Oh man. Yeah but yeah I thought that was really interesting with the G. D. P. R. And I I hadn’t thought of it that way and when we start looking back at all the customers that have reached out to us and just like well what I don’t understand if we’ve written a lot of it in a regulation that nobody understands how to comply with. I love the intent behind it but man that’s that’s not good. Um Okay well yeah that keeps going.

[00:45:22] Evan Francen: We keep fighting the fight.

[00:45:24] Brad Nigh: Yeah. Um Next one talking about was the again from info security magazine was Microsoft was talking about the causes of its global and if they outage uh we talked briefly about that last week and they came out and said Basically there was a three root causes. The first two were from a code update that ran November 13-16. That caused the latency issue between the front end and the Cache Server. And then because of that it triggered the second condition or the second issue which is a race condition, processing responses. Uh And then the third one came out because of that race condition. But I thought that was interesting to kind of follow up on that. And yeah you know it doesn’t really matter how big you are,

[00:46:22] Evan Francen: how much money you got. I mean

[00:46:25] Brad Nigh: it’s probably I’d like to know what exactly that that code update did but just a simple latency issue during high traffic between the front end and cache server caused just a monster outage. That’s tough to test for two.

[00:46:43] Evan Francen: Oh for sure and I mean and we’re humans humans and I don’t want to get into the whole ai discussion because a I would be created by humans to I mean there’s still people behind everything. Um We make mistakes, right? I mean 14 hours is a hell of a long time.

[00:47:04] Brad Nigh: Well, I mean, I heard I’ve heard stories of people turning off M. F. A. Because you have to work well you’ve now introduced a huge that’s another big risk that you’ve introduced him to the organization. Did everyone get it turned back on who was checking out that it was turned off?

[00:47:23] Evan Francen: Yeah, it was a very expensive 14 hour and it and it will probably have some some lingering effects because some people won’t want to turn it back on because it was so painful in the first place. But you know, it happens it even to the biggest and you know, living to the biggest and most well funded I guess, you know, I was going to be the best, but I don’t know if they’re the best, but

[00:47:51] Brad Nigh: I mean,

[00:47:52] Evan Francen: I like the fact that they told us exactly, they told us sort of what it is. That was good.

[00:47:57] Brad Nigh: I will. Yeah. You’re starting to see uh companies are realizing that they can’t put out these super big disclosures anymore. They get just roasted for not saying what it is and like I do like that and I’ve always been this way, if you make a mistake, you make a mistake, tell me how you learned from it and how we’re gonna avoid it moving forward, Right? So yep, here’s what happened, here’s how it happened and here’s what we’re doing to fix it to make sure it doesn’t happen again. Awesome. At least I can understand that. And they’re taking responsibility for it.

[00:48:35] Evan Francen: Well, and there’s a website uh Azure, it’s https Azure dot Microsoft dot com slash en dash us slash status slash history. We can see the Azure status history. Um So you and you can, it’s a great site to monitor. Um So you can see all kinds of things that are happening, stuff that you may not even know about, right? But it’s a site that I’ve added to my sort of uh alerting list, just keep an eye on. But it’s a it’s a really cool, have you seen that one?

[00:49:10] Brad Nigh: Yes, I looked it up when, when we were having not here, but when you had issues with hosted stuff like what the heck is going on? Uh They’re usually pretty good about getting it updated to pretty quickly,

[00:49:26] Evan Francen: right? Because I know that, I mean I’m we’re not we’re not necessarily an I. T. Anymore, but fry. T. Folks. Um And if you just google as your status history because everybody people might be asking questions and I always hated if somebody else had to tell me about a problem before I knew about a problem. That was embarrassing. So I always like to know before anybody else does.

[00:49:52] Brad Nigh: Yeah, I agree. Yes and the other one, I think. So the other one I would go to is the uh is your status. So that would be, it just gives you that kind of the green check of all their services across all the different ah um regions that they have. Oh yeah that’s a nice 1 uh To have up as well, so if you’re 90 again, not probably not so much anymore for for us, but from the Nike perspective when you had, you know, one of you in the cloud stuff, it’s those two are really good to assuming you’re using it.

[00:50:34] Evan Francen: Yeah, I mean they’re definitely sites that I keep an eye on, you know they’re bookmarked. Um I don’t monitor them necessarily but but you know, as an I. T. Person, I certainly would. Yeah.

[00:50:48] Brad Nigh: Yeah I think well and even from the the status history from a security perspective is probably the more Usees in those two. Mhm. Uh huh. Yeah all kinds of stuff out there

[00:51:02] Evan Francen: were given good tips, man, making the world a better place.

[00:51:06] Brad Nigh: We do what you can. Right,

[00:51:09] Evan Francen: that’s it.

[00:51:11] Brad Nigh: So next one this one, so this is on Krebs on security. Um came out Nov 26/2 of all fishing sites now have the bad block, so This is a bummer to see um 49% of phishing sites in the third quarter of 2018 had the Green Security Padlock next to the site domain name, That’s up from 25% just a year ago. And I was like uh because what’s one of the things? Well, one of the things you hear a lot is we’ll look for the green padlock, that’s why, you know, it’s a safe site and I think we need to be careful with our messaging on that, that it’s not that’s not the case, it just means it’s encrypted, it means the data can’t be captured except for your machine and backend server, but you still got to know where you’re actually at,

[00:52:08] Evan Francen: yep. And uh I’m just wondering why why it took attacker so long to get here. It’s like, get off your butts.

[00:52:18] Brad Nigh: I wonder if and and this would be an interesting thing to look at is, was it that you had to purchase the ssl so they weren’t willing to, that was kind of the barrier. It’s not just not worth that hassle. Versus now there’s, you know, multiple free services around getting ssl s and those free services are fantastic. Don’t get me wrong. But I’m wondering if that’s the case.

[00:52:45] Evan Francen: Well, it’s a big moneymaker. And if people are, I mean if, you know, these are this is a business, you know, for these guys, so I’m sure they know that if I get the padlock, you know, so I go and register certificate and you know, all that um you know, and I’m going to make X more you know X more dollars from it. You know it’s a business for them. And so it you know they’re getting a better return on their investment by during those padlocks on. But that’s just one of many things that we say with fishing. I mean my favorite one that I tell all the time, it’s never click on a link that goes to a log in page and log in period. Yeah.

[00:53:29] Brad Nigh: We just had a an incident where they got the one of their client customers got compromised and sent out Phishing emails look like a one drive log in and it came from the you know, came from that customers email. So they didn’t question it. Which I mean it it makes it hard because that’s you know, you’re starting to see a lot more click here to access your secure download link and you’re seeing that more right With all the just the different methods for encrypted transmission of data and got to be so careful about what you click on and like making sure you read that domain name and not just. Oh okay.

[00:54:23] Evan Francen: Right. And like I said I’ll never enter credentials even if it is a legitimate email. Yeah. I just want enter credentials into a site that I got to from a link.

[00:54:32] Brad Nigh: I think the yeah the one that I struggle with is like the secure mail from our shoot. I can’t think of who it is which can’t really which one which solution is, but you know, if I’m using last pass, I would have created that account the first time and it will auto fill if it’s the correct domain. If it’s not the correct domain is not going to auto fill. And that’s kind of another way to look at how can we reduce risk? Use a password manager that has that plug in.

[00:55:02] Evan Francen: Good idea. That helps.

[00:55:05] Brad Nigh: Yeah. You know, the Krebs one has uh, you know, an example of paypal? Well, if you, if you go there and it doesn’t auto fill, maybe that should be a trigger red flag that there’s something wrong here because last time I was looking at the correct at the domain and you are all information.

[00:55:23] Evan Francen: That’s just it too. It’s just, it’s just that awareness, you know, if something seems a little bit off investigate that, right? There’s only do what we tell them to do. So if something is a little bit off something or somebody told it to do something different than it did before. Right? Uh, so there’s always a reason for it. Uh, so, you know, I think it’s a great advice.

[00:55:47] Brad Nigh: So that’s yeah, it’s tough though. Just comes back to training and awareness and I as it or, or is in a, uh, industry gonna have to change and be a little bit better about that message.

[00:56:05] Evan Francen: Yeah, for sure. We certainly haven’t figured that one out.

[00:56:11] Brad Nigh: All right. Uh, the last article I had just kind of interesting to me, this is more uh, kind of awareness on open source, but it’s off of the naked security blog from so foes. The javascript library is for sneak attack on a copay Bitcoin wallet. And basically they took an open source node, Js utility package called event dash stream that’s used for handling or sending and receiving data In September of 18 that was handed over to a new maintainer. So that new maintainer released an update to the package. And then in early october another update appeared and what happened is in november, someone investigating an error in event stream discovered that it was had Cryptocurrency stealing malware hidden in it. So uh, it turns out it was pretty narrow in scope. Um, it was only for the people that were using the copay, crypto wallet software that it was targeting. But man, I think kind of the, the warning on this is I don’t just trust that software that you’re getting, you actually have to know what you’re implementing and take a look at it.

[00:57:35] Evan Francen: Right. Yeah. Well, so yeah, this is an interesting article because um, you know, you have the Bitcoin piece, right. Bitcoin is already, I mean if someone’s got your wallet

[00:57:46] Brad Nigh: Yeah, they got your stuff.

[00:57:50] Evan Francen: So that’s one interesting part. But I think the other interesting part is that how somebody can just become a new maintainer without. Mm Hmm. Any due diligence. Right. So this right? nine control. That’s his, you know, moniker is able to take over maintenance of this package. You know, make this change. Nobody really knows, right? And it runs from september till november. Yeah. Before somebody knows and they kind of stumble on it.

[00:58:22] Brad Nigh: Right? Yeah, it was it wasn’t it was pretty well hidden. It was just yeah, I had an error message. What am I doing?

[00:58:30] Evan Francen: So one of the things that, you know, we always touted from a security perspective about open sources that, well, it’s more eyes looking at it. You know, there’s more eyes on the code. So, you know, it’s going to be more security would be harder to, you know, insert something malicious. Well, that’s not the case, is it? Because the opposite happened here?

[00:58:52] Brad Nigh: Well. And I kind of wonder if it’s like, you know, the If there’s an emergency you you know, you go and say someone call 911. You point to someone say you call 911. I wonder if it’s that same mentality here. Oh, it’s open source. So other people are looking at it. If there was a problem, somebody would have said something and nobody ends up looking at it.

[00:59:14] Evan Francen: Right. And one of the developers quoted in the article chris Northwood, so, you know, his quote, nothing’s stopping this from happening again. And it’s terrifying. That’s true, man. Because, you know, I don’t know. I don’t know. I don’t have a solution for it, but it could very conceivably happen with any open source, you know, a new maintainer. It takes a lot of time and effort and work to maintain. Um, you know, these packages are maintained code. Yeah, thankfully there’s only two months but there is an exposure here to write for the Copay users from version 5.02 to 5.10. That’s where the malicious code is.

[00:59:59] Brad Nigh: And the one thing that I didn’t see anything on here and I kind of looked a little bit and I didn’t say it was who was affected like how many people did, how much money was compromise or taken and I didn’t really see a whole lot around that.

[01:00:16] Evan Francen: Yeah, yeah, I don’t know either.

[01:00:17] Brad Nigh: So,

[01:00:19] Evan Francen: But if, if there’s like most software there’s gonna be a lot of people that will keep running 5.02-5.1 until they are gone.

[01:00:27] Brad Nigh: right? Yeah. If you have that doughnut run or open the app. Yeah, yeah, yeah. Before you you run it.

[01:00:39] Evan Francen: Right. So any, any users of copay 5.02-5.1 don’t run or open your app period upgrade and move all your funds to a new wallet.

[01:00:50] Brad Nigh: Yeah, yuck. It’s a mess.

[01:00:54] Evan Francen: Yeah. Yeah. So I think two things that are interesting in this article for sure is just the fact that you know, how susceptible all open source could potentially be uh from new maintainers and you know, inserting new instructions that people didn’t see.

[01:01:12] Brad Nigh: And I mean I’ll be honest I know I’ve gotten you know, power shell or whatever off of you know, snippets off if everyone reuses, it’s the smart thing to do and you look through it and I would never run anything that I didn’t look through. But you know when you’re starting to look at hundreds or thousands of lines of code, it’s so easy to miss something.

[01:01:35] Evan Francen: Oh yeah, for sure. This guy says there’s nothing to stop it from happening.

[01:01:41] Brad Nigh: It’s scary, yep man. Fun times.

[01:01:45] Evan Francen: Well that’s why that’s why were employed and that’s why we have our podcast. True.

[01:01:50] Brad Nigh: So that was the last one. But but I do have Exciting news to wrap up. We do have our first guest confirmed. So I beat you on that one. Damn it. I know I’m excited so I can’t announce who it is yet. But uh The 16th. So in two weeks we’ll have our first, well unless you get a guest next week I guess you could still get one. But I saw the first confirmed guest

[01:02:14] Evan Francen: Making my 14 year old daughter in here.

[01:02:16] Brad Nigh: Oh man. No,

[01:02:18] Evan Francen: I wouldn’t do that. Right, but that is exciting. So I’m

[01:02:24] Brad Nigh: really looking forward to this. We can’t really talk about it yet until we get some clearances uh from them. But I I think it’s gonna be really good conversation.

[01:02:35] Evan Francen: Cool. Yeah, I’m looking forward to it to I got to put together a show for next next week.

[01:02:40] Brad Nigh: Yeah. All right. We got to be lack of things to talk about though, so that’s okay. I guess that’s good for this. Bad for the industry as a whole

[01:02:51] Evan Francen: maybe. All right, well, have a good week, man, get some rest.

[01:02:56] Brad Nigh: I will go go finish drywall in my basement after I got it re insulated. So that’s exciting.

[01:03:02] Evan Francen: That is exciting. All right. Until next week. All right, Thanks, man.