Unsecurity Podcast

In an executive order announced on May 12, 2021, President Biden is aiming to improve national cybersecurity practices. Naturally, as security professionals, Brad and Evan want to poke holes in the entire thing—find out what it gets right and where it misses the mark. Section 1. Policy Section 2. Removing Barriers to Sharing Threat Information Section 3. Modernizing Federal Government Cybersecurity Section 4. Enhancing Software Supply Chain Security Section 5. Establishing a Cyber Safety Review Board Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities Section 9. National Security Systems Section 10. Definitions Section 11. General Provisions.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the Unsecurity podcast. This is episode 132. The date is May 18, Joining me is my good friend. Uh, you know, my buddy Brad Nigh. How are you?

[00:00:40] Brad Nigh: Good. How are you?

[00:00:42] Evan Francen: Good. So we’re just talking before the show started. How you’re tired. You’re getting your second shot Moderna tomorrow.

[00:00:50] Brad Nigh: Yeah. I’m excited to be able to like, you know, function normally. It was you had my daughter’s play soccer. We had, they had their first game on saturday and it was weird being outside around people and not wearing a mask.

[00:01:09] Evan Francen: Yeah, Yeah. So here in Minnesota, you know, for our listeners, our governor governor walz rescinded the mask mandate. I think last week, Right?

[00:01:22] Brad Nigh: Yeah, Yeah. For fully vaccinated people or when you can safely, but it’s socially distance. So I mean being outside of the soccer field is pretty easy to, yeah, get away from each other.

[00:01:36] Evan Francen: And I think it’s been Maybe three weeks since our two weeks at least three weeks maybe since I had my second shot. I did the Pfizer.

[00:01:45] Brad Nigh: Yeah. My wife had hers in her second shot in. Like february benefits of being a nurse, but she went into the store without a mask and was like, came back out. She was picking up some food after the game. She was like, that was so weird,

[00:02:01] Evan Francen: right? Yeah, it totally is. No, because I’ve been going to stores to, you know, out here without a mask and uh yeah, that’s weird man because you can see people’s faces now.

[00:02:12] Brad Nigh: I don’t like it. I like

[00:02:14] Evan Francen: eight. Yeah, I don’t like you see in mind, but yeah, 16 years, you know?

[00:02:19] Brad Nigh: Yeah, exactly.

[00:02:21] Evan Francen: Yeah. There’s been a lot of things happening in the last uh you know, weeks. It seems like the world moves, you know, it’s spinning faster than. What? Is that? The 23 hours, 54 minutes? Is that how long it takes for the world to spend? Something like that. It seems like it’s going faster than that in the last what? 12344 episodes. We’ve had roger grimes, episode 1 28 which I thought was just awesome. Unfortunately we had recording issues, but you know, I’m blaming all that on Roger.

[00:02:53] Brad Nigh: We’ll just have to have them on again. Yeah.

[00:02:56] Evan Francen: And then, uh week after that we had Ron Warner, which is, you know, just another awesome dude. And we had john stram. And then last week we had chris roberts and I’ve gotten a ton of really good feedback box, all those podcasts. Yeah. Uh this week we were scheduled to have gave Freelander, but then he went on vacation.

[00:03:17] Brad Nigh: I had,

[00:03:19] Evan Francen: yeah, that’s a nice security goes away. Uh But anyway I took a vacation so we’ll have him on I think next episode. But this is a good opportunity for you and I to talk about a couple of things. You know one thing I want to talk about uh just plenty of you could talk just

[00:03:38] Brad Nigh: a few that.

[00:03:39] Evan Francen: Yeah, but last week uh President and biden. President O biden. Uh Yeah President biden. His name is joe biden issued an executive order. This executive order 140 – eight and it’s labeled improving the nation’s cybersecurity. Uh So we did an analysis of that. A pretty in depth analysis where you read every single word. I actually have a document where I took every date that was mentioned in that executive order and started sorting it by that. Uh huh. Yeah. And then he calls out, you know, specific, you know for instance, you know within 90 days of receipt of the recommendations described in subsection B of this section of the Far council shall blow us. So then I did another pass through where I took, you know, you called out the far cancel and this far council in this particular section of the section. Uh So I also organized by responsibility. Mhm. And then and then I did it again where I actually just took a summary and wrote opinions on executive order and then share that with you and yeah I think Oscar as well. They will be published. I think today did you chance to read any of this stuff?

[00:05:17] Brad Nigh: I’ll be honest. I have not read what you sit over.

[00:05:22] Evan Francen: Yeah, no problem.

[00:05:24] Brad Nigh: Uh, yeah, it’s today I will be able to read it. I actually have some free time. It’s

[00:05:31] Evan Francen: weird. Well posted on the show notes too, because it will be published, will publish it online. Um, it’ll be in the show notes and if you follow security studio or fr secure on social media, you’ll be able to find it there probably and linked in and what have you. But it’s a really important executive order. So a lot of people don’t realize that an executive order is law.

[00:05:57] Brad Nigh: Yeah, basically it’s but so my takeaway from reading it and kind of reading some of the uh, some reason what other people are saying that because it’s always good to get multiple points of view. But yeah, it’s basically saying the federal government get your shit together.

[00:06:19] Evan Francen: All right. But, you know, as you read through the executive order, you know, you have to she I view everything with a grain of salt, right? I mean, it’s the government hasn’t exactly set good precedent in terms of being trustworthy, uh, being considered the stent, I guess consistently untrustworthy maybe. But, uh, but yeah, they do need to do a lot better job, you know, So when you read through the executive order, there are 11 sections to the order. The first section is policy substantially, you know, what you’d expect in policy, you know, high level, you know, I pulled out the policy statement itself, which is, you know, and I quote, it is the policy of my administration that the prevention detection assessment and remediation, a cyber incidents is a top priority and the central to national and economic security.

[00:07:26] Brad Nigh: Yeah. So I was reading msn msn, there’s two pole what’s going on

[00:07:34] Evan Francen: uh what you’re on a podcast.

[00:07:36] Brad Nigh: I know my people just looked out for a second there. Uh uh there’s an article on uh l’affaire blog that I thought was pretty good uh summary of it. And basically their takeaway was, yeah, picks off the low hanging fruit. It’s basics, the fundamentals that we constantly preach and then uh

[00:08:02] Evan Francen: some of that. But then if you read into it, man, there’s there’s some concerning frozen here

[00:08:07] Brad Nigh: such as maybe I missed

[00:08:11] Evan Francen: or with such as Uh you know, the rush to zero trust architecture. Yeah. You know, when, I don’t think, I think it’s premature, you know, zero trust architecture is a nice marketing thing. Uh There’s a lot to be said about zero. And the concept of Zero Trust is awesome. The application of zero trust is nearly impossible for complex organization, especially the government. Mhm.

[00:08:42] Brad Nigh: Yeah, yeah, we’ll see how that plays out. I kind of, I kind of took it is like, hey, we’re gonna go to the cloud. So as you migrate take this, you know, integrate this as there’s the migration to the cloud,

[00:08:58] Evan Francen: there’s somebody reads but could be, I mean it could be, that’s what they meant But they really approached it as two separate things. There is the zero trust architecture. Uh huh And then there’s the club and even the zero trust architecture. So you know, step one, essentially zero trust architecture is yeah, really intimate understanding of what the hell you have right, you know hardware, acid inventory, software, asset inventory applications, um business processes, data flows, you know it you gotta be pretty tight.

[00:09:38] Brad Nigh: Yeah. So the reason that I said that was there’s like they put out the fact sheet which is there, you know the crib notes and you know there’s is an executive order, helps move the federal government to secure cloud services and a zero test architecture, multifactor and whatever. But then ah the government must lead the way to increase its a and increases adoption of security best practices including employment, zero trust security model. Accelerating movement to call out secure card services. So to me I kind of read that is a there they’re saying that those two things are pretty tightly intertwined. I they’re not I

[00:10:27] Evan Francen: mean they’re not in there, not in the actual executive order, you know what I mean? Because in the executive order It’s section three is modernizing federal government cybersecurity And B2 under that is develop a plan to implement zero trust architecture Which shall incorporate as appropriate the migration steps that the National Institute of Standards and Technology. So they’re referring to sp 800-207 that’s all separate in the next section, which is the next subsection is C says as agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the federal government to prevent detect so and so forth. And then it says to facilitate this approach. The migration. Do cloud technology shall adopt serial trust architecture as practicable so they’re separate and then brought together as well,

[00:11:35] Brad Nigh: I

[00:11:36] Evan Francen: Would argue. Why would you do zero trust architecture in the cloud and not? Well, your local infrastructure,

[00:11:43] Brad Nigh: it’s what we’ve talked about it. I mean, once the cat’s out of the bag, is that where it’s almost impossible. So kind of. That’s why I kind of it’s like almost a salad is a practical approach, right? Yeah. We want to go here, but the reality is it’s just not going to happen in existing systems because of how it is, how it’s been done, it’s been there for so long. So as you move to new things, you have to incorporate zero trust.

[00:12:18] Evan Francen: Yeah, it’d be nice if that’s it said,

[00:12:21] Brad Nigh: Well, I mean, it’s a dominant, you can’t have it in that plane of language.

[00:12:28] Evan Francen: Uh huh, Right? But if the executive order is law, you know, you can’t have to go with what it sends, Right? I mean, yes, you could have written it. So I think what would have been more reasonable than calling out zero Trust architecture from the beginning would have been things like, you know have have an asset inventory, you know like have an identity and access management process or system, you know whatever that’s consistent with whatever As opposed to let’s go with the marketing thing of zero trust architecture, call it out specifically by itself and then also sprinkled in with other things because according to this you have to have a plan And how are you going to get to zero trust architecture? Like

[00:13:20] Brad Nigh: do it, you know? So that’s a good question. I don’t know does it say the dates? Yeah, you have to have a plan but does it have wind that will actually be like within X amount of time that you have to be there

[00:13:38] Evan Francen: Within 60 days of the date of this order, the head of each agency shall develop a plan to implement zero trust architecture. So that’s 60 days they have to have their plan to implement zero trust architecture.

[00:13:51] Brad Nigh: They there’s no I think that’s probably the the out as it were right. You have to have a plan but there’s no I mean you’re playing could be 10 years long.

[00:14:05] Evan Francen: Yeah, maybe

[00:14:07] Brad Nigh: there is, I don’t know, laws are weird.

[00:14:12] Evan Francen: Oh yeah. Well yeah. Yeah it will be interesting to see more interpretations of, you know what specifically, you know, we need to do because the the plan has to then be provided. They have to provide a report to the director of O. M. B. Um And then the Secretary of Homeland Security in consultation with the Administrator of General services acting through the federal risk and authorization management program. It’s like all right. You know, you’re gonna have to weave all that.

[00:14:49] Brad Nigh: Yeah well I think that’s the challenges. You’ve got all these things already in place that our law and you can’t just like throw them out the window and so you have to you know integrate and work around the existing stuff for lack of a better word. And you know personally like I had a federal court case way back when and it went to the Supreme Court over the meaning of sub paragraph. So I mean it’s ridiculous how some of the stuff gets you know, where it is so complex and gosh, what’s the how often we said what’s the enemy of security complexity And unfortunately when you’re looking at some of the stuff you can’t avoid it, which just means things are confusing and difficult to understand sometimes.

[00:15:52] Evan Francen: Well that’s it. Right. Yeah, totally agree. Does real trust architecture conceptually isn’t new regardless of whoever wants to take credit for creating it. They didn’t they created the name, they didn’t create the concepts because you know the default deny concepts, you know defense and depth network isolation. None of those things are new. They’ve been around kind of since we Oh yeah,

[00:16:22] Brad Nigh: forever.

[00:16:24] Evan Francen: So the impulse in section one then they also, or biden also calls out, you know, bold changes and significant investments, which is good. I think that’s, that’s legit. We do need to make bold changes. We’ve, we’ve fallen so far behind that. You need to be really bold and you know, like you said, get your shit together.

[00:16:50] Brad Nigh: Yeah.

[00:16:52] Evan Francen: Partnering with the private sector obviously is very important. And then one statement that kinda makes the hair rise on the back of my neck a little bit is we must bring to bear the full scope of its authorities and resources because every time they become, you know, the federal government wants to bring to bear the full scope. It’s like, oh God, is this going to hurt? So let’s see.

[00:17:22] Brad Nigh: Yeah. You know, I think, I mean there’s yeah. Do you think overall it was well intentioned and a positive step just because if nothing else it’s getting people to talk about it. And I think that’s been a huge struggle that we faced is, you know, the general public just kind of ignores this stuff and so well, it’s pretty hard to ignore this.

[00:17:52] Evan Francen: What is, but you know, I also want to be cognizant, you know, you go into this with my eyes wide open that, you know, are there ulterior motives behind some of these requirements or are they truly what’s best for security, you know, take for instance the movement to the cloud? Oh, there’s a huge push in this. Exactly. They have ordered to move to the cloud. Right. It could be good. That could not be good. It kind of depends on, you know, how you’re going to implement. And it’s almost like, uh, you know, Lennox or Microsoft, what’s more secure, you know what I mean? It depends on how you use it. Right. So in and of itself a move to the cloud isn’t a security thing, you know, per se?

[00:18:46] Brad Nigh: Yeah, kind of. Yeah. Well, yeah, I don’t, yeah, I don’t necessarily the cloud, we just, we’ve always had that. It’s just been, whose computers are you running the cloud on. Right. And so I think when we look at this, it’s almost like using the cloud as that movement to the cloud is the excuse or reason, you know, Hey, well, got to go to the cloud. So as you’re doing, it implements Euro trust because, right, how do you, would you ever get there if you’re keeping it all in house?

[00:19:33] Evan Francen: Well, you know, to be honest with you as everybody else is going to the cloud. I’d rather stay home.

[00:19:37] Brad Nigh: I’m not, I love how often how much how cyclical is I t to write, you saw, you know, everything is local, then you had remote, you know, client server with green screens and then everyone went back to work stations that actually processed and then you had outsourced and now brought it back in and go to the cloud and now come back. Yeah so who knows.

[00:20:05] Evan Francen: Well you know so but that’s one of the it’s these little tells that make that sort of like why the big push to the cloud because they’re the big push the cloud is like Really big and and actually I’m a little bit out of myself to let’s go back to section two. So section one is policy, section two is about removing barriers to sharing threat information. That’s the title of section two. and really what section two is all about is uh you know better sharing better reporting um you know between contracted I. T. And O. T. Service providers and the federal government. That’s good stuff. Mhm. Um topics covered in that section. You know review the existing reporting requirements and procedures recommend updates to the federal acquisition regulations. That’s far that’s going to affect you assume. See MMC at some level

[00:21:03] Brad Nigh: yep. Yeah

[00:21:06] Evan Francen: then we have update the far itself enforced I. T. O. T. Provider compliance. That’s probably the crossover and there’s and see MMC itself is called out in the executive order but far and humans here like married. Right.

[00:21:23] Brad Nigh: Oh yeah no and be far yeah which is defense acquisition but you know I think it’s yeah I like that it is kind of addressing that big issue that we talked about where agencies can’t disclose stuff to each other contracts because it’s it’s like, you know, this is bs get rid of that. You can’t, we’ve got to work together here,

[00:21:49] Evan Francen: right? Yeah, for sure. And I think, you know, section two is really favorable, uh, you know, centralized reporting. And then, you know, at the end of that section, that’s, you know, how are we going to pay for it? So there’s no budget provision? Uh well, really it’s, you know, yeah, O M. B. I think reviews, you know, all this and then, you know, makes a budget accommodation for it. Yeah, the deadline on that one, the entire section and this is a little bit concerning to is the aggressiveness, You know, I do know, you know, you know, we need to move fast, but of all the deadlines in section two, the longest one out is october 9th 2021. So all that stuff has to be completed by

[00:22:36] Brad Nigh: Then, basically six months.

[00:22:38] Evan Francen: Yeah, it’s fast.

[00:22:40] Brad Nigh: Well, you know, I kind of feel like regardless, you know, it’s kind of a damned if you do damned if you don’t type of situation where hey, we gotta go fast. Well, it’s too fast. We’ll give them three years. Well, government moves so slow. Right? So I personally, based on what we’ve seen, I’d rather in this case go fast and just be like ripping the band aid off.

[00:23:06] Evan Francen: Right. Well, you have to call out what, what the uh, what the risk is in doing that, right? I mean there’s going to be risks involved no matter which way you go. The risk. I think the primary risk of going that fast to primary risk that come to mind is one you won’t do it, right.

[00:23:22] Brad Nigh: Yeah.

[00:23:23] Evan Francen: And the second is it’s going to be disruptive. Yeah.

[00:23:29] Brad Nigh: I mean maybe that’s what’s needed to get people’s attentions and get it taken are, you know,

[00:23:37] Evan Francen: Right. But it’s still risk.

[00:23:39] Brad Nigh: Oh, absolutely.

[00:23:41] Evan Francen: You know, and when you’ve got significant portions are significant, a significant number of resources dedicated to just section two, uh it takes your eye off the ball of other things that you might be working on as well. Right? So yeah, I assume, well maybe I shouldn’t assume I was gonna say, I assume that people in the federal government aren’t just sitting on their hands with nothing to do. But maybe some of them are. And you’ve got that’s another challenge with a lot of this stuff too. When you’re moving this fast, somebody’s gotta do it. So they have to take them from where there are, you know, doing something else that hopefully they’re providing value put them here or you got to go find them and hire him. And I hear, you know, the rumor is we’ve got a got a shortage of talent. So it’s like, alright, something’s gotta give. Yeah, but I agree. It’s gotta move fast. We’re so far behind. At what point do you just like we gotta go. Sorry.

[00:24:40] Brad Nigh: I mean, yeah, I agree. It will be interesting to see how this plays out over the next six months because there’s, I think there’s a lot of, like I said, a lot of good intention now. Yeah, desire translate into good procedures and everything else and we’ll see. Right,

[00:25:03] Evan Francen: Well, so that section two and section three is modernizing federal government cybersecurity. The main purposes of this section I think really are to force wider adoption of cloud technologies for better or worse. I don’t know. I guess if you’re moving to the cloud, you know, do it right. But it does, you know, begged the question, You know what specifically moving to the cloud security does for security, right? There’s advantages, but there’s also, you know, take disadvantages and you got to kind of weigh those things. But uh, we’ll see. And then zero trust architecture is mentioned in section three as as well as multifactor authentication, which was kind of good to see.

[00:25:49] Brad Nigh: Yes. Yeah, I was really happy to see that

[00:25:52] Evan Francen: also encrypting data at rest and in transit centralizing streamlining access to cybersecurity data and, you know, investments In technology and personnel to enable all that stuff. All that is in section three. Uh, that’s also super aggressive man. Oh my

[00:26:15] Brad Nigh: Gosh. Uh, yeah, 180 day deadline for all federal civilian executive branch entities to adopt multi factor. I

[00:26:26] Evan Francen: mean, okay,

[00:26:27] Brad Nigh: you’re wrong. I’m all for getting them on it. But wow, I’m glad I’m not on that project.

[00:26:34] Evan Francen: No. Right. So you’ve got 16 to which is our, which is aggressive and then you pile on section three. It’s like holy crap. That’s a lot to do. Um, and I think, you know, some of the barriers with zero trust architecture, uh, like I said, I’m pro zero trust architecture absent the name. Yes. I think a theory. Yes, absolutely. 100% behind the theory because it’s logical. It makes all the sense in the world, but I don’t like is the name and I don’t like the way yeah, People suggest that you know how you implement it, right? Because in order to implement zero trust architecture vendors are selling more crap, which makes things more complex, which makes it harder to secure. And it’s just killing yourself.

[00:27:26] Brad Nigh: I mean we we’ve done that concept. I did it to some degree without any of that. It’s not, it’s not like you need this stuff. It’s hey, who has permissions to these folders? Do they need permission? No. Get rid of it? Right. Can you log in here? What’s your reasoning? No, you don’t need, you don’t get it. You have to justify the business need before they get access is not just whoever and things open. Yeah. I think all the technology and things that are being sold, just like you said, make it more complex is at the end of the day it’s really not hard thing to visualize like right hey nobody gets access until you can prove you need the access. I can do that with it without hundreds of thousands of dollars of technology.

[00:28:27] Evan Francen: Right? Well and there’s also the um yeah it’s the complexity is the adding more stuff into the environment which makes it more and more difficult to secure. Uh And you look at the definitions that are provided in our industry about zero trust architecture. So if you look up or google. Mhm. What is zero trust architecture? What is zero Trust? You’ll get the first six or seven things will be all ads. You’ll get one. Okay definition. Then you’ll get a crowdstrike definition. Did you go to um an STS P. 800-2 oh seven? Which is kind of an S. T. Definition. You’ll get another definition. If you go to NSA’s guidance, you’ll get another definition. It’s like why are we all trying to outsmart ourselves? We always do this. We’re like oh this is the definition of zero trust architecture. Well, how about just like two words. Make it simple. It’s a default deny.

[00:29:28] Brad Nigh: Right? Well it’s like

[00:29:30] Evan Francen: and then then when somebody asked me well default tonight or what? Yes, everything. Yeah.

[00:29:38] Brad Nigh: Yeah. It’s like it’s like a thing with chris last week where you know it’s not necessities laziness. We’re going to take something that You know, it takes five minutes to do twice a month and spent eight hours. You know engineering some script and doing all this stuff because we don’t have to remember to do it twice a month. Like it just is yeah,

[00:30:08] Evan Francen: it’s frustrating man because so right, so you’re gonna you’re gonna push an entire very complex environment, many multi very complex environments and tell them zero trust architecture. So then they’re going to go, here’s the problems Most people don’t know what zero trust architecture even is. Even people in our industry, even security, people were talking about Syria Trust architecture, you get all kinds of different sort of things.

[00:30:37] Brad Nigh: It’s like asking them what the definition of information security is. Right? But exponentially worse.

[00:30:44] Evan Francen: Yeah, if you’re going to implement it, you need people, people cost money. People are hard to find, especially people who understand zero Trust architecture, who aren’t from some vendors trying to sell you some crap that actually understand it, will actually implement it properly. Because here’s the thing, if you don’t do it properly, you just pissed away a whole bunch of time and money. You have to redo a lot of work. Just spent a lot of time and money on.

[00:31:10] Brad Nigh: Yeah, probably is very going to be disruptive to the business process in the in the meantime.

[00:31:16] Evan Francen: Oh, 100% man. Yeah, this is not going to go off like yeah, you know, everybody was happy. No, it’s not gonna happen that way. People are not going to be happy because you’re going to be cutting off access to things they thought that they needed but they didn’t actually need that. They liked having but they don’t actually need having. It gets it’s not it’s not what Yeah. Okay. Another thing it adds complexity. So if you look at just you know, look at N. S. P. R. E. S. P E N I S. T. S. P 800 S 207. Look at the things that are required for zero trust architecture. You’ve got policy engine policy administrator policy enforcement points, continuous diagnostics and mitigation system, an industry compliance system and potentially a whole lot more. Right. And there’s a whole bunch of new language there that lot of people don’t never even heard of before. Like policy and what the hell is a policy the policy administrator is that somebody, is that something or is it somebody and something, you know, policy enforcement points, Hell’s a policy enforcement point. You know, I mean it’s like continuous diagnostics and mitigation system. I mean these are things that are like, so wouldn’t it be better just to take access away from everything and then just.

[00:32:39] Brad Nigh: Yeah. Yeah. Well but so here’s where I struggle is yet in theory. Yes. Absolutely. But the reality is right. We talked about it all the time. You have this information security. We have to work with the business, right? We can’t be the no people all the time can’t be, you know causing constant outages. So you know, how do you balance trying to transition to that without, you know, significantly negatively impacting the business?

[00:33:18] Evan Francen: What else did you and when you talk to, you know, I spent a study late last week, the week before that 55% of c level executives see information security as a um are breaches as being over hyped and essentially they don’t care, wow that’s over half. And so then you’re going to tell them, hey, even though you know this isn’t a big deal to you and you don’t care, I’m going to do zero trust architecture and disrupt the business. Uh The federal government’s different. They can disrupt it. They’re not investing true steal it. That’s different.

[00:33:57] Brad Nigh: But yeah, it sucks about that. Is Those, those 55%. Oh my gosh I just, I can’t believe, I don’t see like how they

[00:34:10] Evan Francen: look at it. Why why would they, who holds them accountable? Oh

[00:34:15] Brad Nigh: I mean yes from that standpoint but having uh until they’ve been through it and have seen what that business impact is. Like we have to like

[00:34:27] Evan Francen: take out Equifax for instance. Yeah well there you went right back up and now they’re making more money than they’ve ever made before and not just that, but now they’ve got a flourishing cybersecurity business?

[00:34:39] Brad Nigh: Are they, are these other companies that big? That’s the problem, right? If you’re big enough you can weather the storm, who depends

[00:34:48] Evan Francen: on the, depends on the breach to write, if it’s if it’s ransom where?

[00:34:51] Brad Nigh: Yeah. Well think about the one that we had earlier this year where they got completely ransom and including their backups, they went to pay and the FBI said nope terrorist organization, you can’t pay had to basically start over what’s the impact to that? Are they still in business? I honestly, I don’t know. I haven’t looked but I mean, are you going to survive it?

[00:35:21] Evan Francen: Yeah. Well, so zero trust architecture and there’s a whole bunch more, you know, barriers to implementation and those are covered, you know, in the summary. The thing if you’re going to start, let’s say you want to start down the path of zero trust architecture, which again is a good thing. The concepts if you want to start down the path, the very first thing you need to do and if you’re not going to take my word for it because I preached it forever, go read the N I S T SP 800-7 to step one in the migration requires an organization I’m quoting requires an organization to have detailed knowledge of its assets, physical and virtual subjects which was basically another asset. It’s just people right? Or processes that operate upon other processes that those are subjects and business processes. So with that it means is you need to have an asset inventory. Mhm. Detailed asset inventory. Start there. They put zero trust. Like out of your mind and just do an asset inventory.

[00:36:32] Brad Nigh: Yeah. Yeah.

[00:36:35] Evan Francen: And then map those assets then to business processes. I mean that’s step two,

[00:36:41] Brad Nigh: I can’t argue with you on that. I totally agree. But at the same time, so at the end of the day, as much as we hate to admit it, there is there is political reasoning behind it and you know, it must be honest, Asset inventory isn’t sexy whereas zero trust. Hey, that’s the hot buzzword. So you know, they have to take that and you know, you know that was taken into consideration when they were writing and putting this together.

[00:37:18] Evan Francen: I hope so. I hope so because the thing is with security to is security, there’s no politics. Security risk doesn’t give two craps about whether you’re black or white left or right up and down. I

[00:37:33] Brad Nigh: mean yeah, we’ve seen that for sure.

[00:37:37] Evan Francen: So Number 1, 0 trust or not asset inventory, hardware assets, software assets, not just, you know, servers talking, you know, firewalls, routers, mobile devices, laptops, workstations on and on every single bit of hardware they are responsible for. And it got harder for people because it used to be, we would have things within a boundary and now everything’s exploded. Right? So now you have to account for hardware, let’s say that somebody at home you might have to account for the kids laptop potentially if there’s any interaction between the two that’s an asset that’s on, that interacts with your asset. Right? So it got it got more complicated, you know, as we get more convenient with things and I’ll tell you man in in 30 years, I don’t know how long I’ve been doing this. Uh I’ve seen less than five as an inventory. Is that I’ve been actually, you know, they have actually been impressed with when you talk about hardware, software and data.

[00:38:51] Brad Nigh: Yeah, the data is the that’s the tricky part. I mean I’ll be honest, I had really good software and hardware and I kind of had some idea of data but it’s so hard to do, especially when you’re not starting from scratch but you’re inheriting something that’s already been, you know, out there for so long. It’s tough to to make that change.

[00:39:23] Evan Francen: Yeah. I think the way the way to start with data in Tory is start with your applications. You know, they’re the ones that that store manipulate do things to your data. I would go out to the endpoint probably last right. You’ve got to start with like take your most critical application in your environment. Where does it start its data, Where does it send its data? Where does it get its data? Right. Start there and then Okay. We got a good handle on that. Right and then map those data flows, then go to your next most critical application. All that is progress right? You’re not going to get from not doing anything to like I got an acid in it? Because that’s another thing we do in our industry, we like, were such an instant gratification society that it’s like if I can’t push a button and get that crap, I ain’t doing it. It’s like you’re gonna get screwed.

[00:40:18] Brad Nigh: As I said, the Evan, that’s hard work.

[00:40:21] Evan Francen: And uh, I was telling, I was telling uh, john Herman, you know, for the listeners, john Herman is the president of fr secure. We were down together in florida and I was telling them, it’s hard to believe some days that we actually have paid for this because it’s just logical, you know, just like, mm, how am I going to, you know, what? How am I going to secure my assets? It’s like, what assets do you have? Like, Oh yeah, good question.

[00:40:55] Brad Nigh: All right. Oh my gosh, Yes. You know, you can’t. It’s a lot of times I’ll be honest, I hate having the camera on sometimes because you gotta be like, no reaction when they say that same, right? Because you’re like, what?

[00:41:14] Evan Francen: Right? Yeah.

[00:41:17] Brad Nigh: I mean, I want to be clear. I’m not disparaging or looking down at the, at anyone who says that, that when you’re like, hey, we’re gonna stand six figures on this? Oh, cool solution and you go, okay, so what, what do you have to go and what do you mean? Yeah, but come on

[00:41:42] Evan Francen: or, or you know, one of my favorite questions to ask is when somebody tells you, Yeah we’re gonna go get this thing and I ask why like well what do you mean? Why? Like why?

[00:41:54] Brad Nigh: Yeah.

[00:41:56] Evan Francen: Well because of this that and everything is that is that what you need to be doing? And it’s just something like when you talk to your kids right? And I don’t talk about. I mean you try to educate right? I know this this is what I know you know this stuff like. Yeah. I’m not gonna only imagine like a C. P. A. Talking to me about finances.

[00:42:17] Brad Nigh: That’s exactly what I was about to say. I’m not gonna tell C. P. A. Or accounting how to do finance. I’m gonna listen to their advice thinking here. Yeah that’s funny.

[00:42:28] Evan Francen: So anyway that’s that section three man. Section three is going to be a pain in the butt you know and then pile on. Section four. Section four of the of the executive order is dancing. Software supply chain security. Which I think there’s some really neat things here. Uh you know develop standards tool, those best practices for secure doctor development already have those. So that’s good. We can build on those actually call those out as official um enforced secure software development practice is the key word being enforced. I love that. Then there’s this new thing that pretty intriguing right, define and enforce a software bill of materials.

[00:43:08] Brad Nigh: Mhm.

[00:43:09] Evan Francen: S bomb which is like the ingredients that went into making your software, where did you get these things? What are these things potential? I’d be really cool to see how that comes about.

[00:43:21] Brad Nigh: Yeah. Do you know what libraries you’re pulling from and how do you vet them? And yeah, I’m actually actually before I really overall I really liked, I mean, and then calling out the IOT stuff and like there’s a lot of really good things there.

[00:43:39] Evan Francen: The toy is deck is the next thing. So the S bomb is super cool. Uh could you know, just like anything. It’s a double edged sword. Right? If I start disclosing the all the ingredients in my software, potentially I’m exposing some of my intellectual property and potentially I’m exposing things that an attacker can use against me.

[00:44:01] Brad Nigh: But at this flip side, look at the open source,

[00:44:06] Evan Francen: I mean, I think overall it’s a good thing, but it can be used for bad, just like the internet.

[00:44:11] Brad Nigh: Yeah. Yeah. Well, and it will be interesting to see how this plays out because I know the ingredients of coke, but I don’t know the mixture right point. Just because I’m using these things. It doesn’t doesn’t I don’t know how they are being used. Yeah, I have a general idea, but there’s still a lot behind the scenes.

[00:44:36] Evan Francen: Are we, So that’s in section for there’s also the definition of what critical software is. It’s not defined yet. But that’s one of the things that will be done in the work of Behind section for and there’s this other intriguing thing, the two most intriguing things in section four is a software bill materials and then the consumer labelling programs, Ryota and software. That’s why I

[00:45:00] Brad Nigh: was so happy to see that you know, going back with that critical Software, it will be interesting to see how that plays with some of the existing like high value programs they’re already there. Like how do they do they just adopt some of that? So that will be good to see. But yeah, the IOT oh my gosh, it’s like thank goodness.

[00:45:25] Evan Francen: Well right and you can, you can equate that to like because I know Carnegie Mellon was doing some things here. Uh so hopefully they, you know, there’ll be some I guess some marriage between that because think of the labels on the back of the foods that you eat or the drinks that you drink. It will be something sort of like that for IOT devices that you buy. Software that you buy.

[00:45:52] Brad Nigh: I mean you’re smart tv now is going to have to tell you, hey, we’re gonna put pixels on the screen that record what you’re doing or what you’re watching how many people go whoa! Time out. What?

[00:46:04] Evan Francen: Well that that was the second piece, you know, so I was talking to a friend of mine about this too and I was like, I just hope people read it.

[00:46:11] Brad Nigh: Yeah, I mean, well I think what you’ll see is once it takes effect. I mean, honestly this is a an area where maybe the media is going to have some positive because this is going to get ratings. So you know, that’s going to get some coverage. And you know, we’ve, We’ve kind of railed against the 24/7 news coverage and all that stuff, but maybe we can get some positive out of it because they’re going to be like, oh my gosh, look at all this stuff that’s happening that nobody knew about,

[00:46:45] Evan Francen: right? Yeah. So that section four, Section 4, also aggressive timeline. So, you know, all these timelines are faced.

[00:46:54] Brad Nigh: I’m very happy. I’m not responsible for having to put any of this in place and how it’s happening very happy. I’m not responsible

[00:47:04] Evan Francen: If there is one government agency that I think is on the hook the most and is probably in a huge, you know, I’m talking about hiring hundreds of new people, Maybe, maybe 1000 new people would be Sisa. Oh

[00:47:21] Brad Nigh: yeah. Which honestly

[00:47:23] Evan Francen: they have a lot of work to do in

[00:47:25] Brad Nigh: there. I’m okay with that. We’re going to hire a bunch of people just put them in. That’s a good area to put them in. Yeah.

[00:47:33] Evan Francen: Section five is established a cyber safety review board. Um Yeah, It’s not a lot of meat to section five, but you know, the review board, obviously

[00:47:45] Brad Nigh: one of

[00:47:45] Evan Francen: the things that review board, one of the things the review board has to do once they’re sort of assembled is create their own job description basically.

[00:47:54] Brad Nigh: Yeah, it’s, you know, from what I’ve seen is really kind of think of this is the NTSB for cyber, which is it, I think it’s going to be a good thing because we’ve seen really good things out of that, out of the NTSB, you know, positives from, hey, here’s, here’s what happened for for transportation and we need to do these things to fix it. Uh, so I’m hoping that that is how it plays out.

[00:48:26] Evan Francen: Yeah. Well to see, you know, we know that the, you know, who’s on the board is or what it’s going to be going to be made up of his, you know, federal officials, people from the Department of Defense, Department of Justice, Sista, and NSA, and FBI, and then, uh, as appropriate are private sector entities, uh, appropriate, um, suppliers.

[00:48:52] Brad Nigh: Yeah. So kind of bring in experts based on what happened, right? Like

[00:48:59] Evan Francen: honey and why, what did I hope they don’t do is bring, because here’s the thing with our industry man, everybody’s got a damn bias. You know what I mean? Like you got, like, that’s what’s, so you’ve been bringing Microsoft in, What do you think I mean? No matter how much you think, you know, Oh Microsoft, they just, you know, they just love the world. No, they love profit. They want

[00:49:23] Brad Nigh: money that’s going to be interesting to see how that plays out because ideally you’re going to say, hey, we had a breach in this, you know, topic a or whatever. So I’m going to bring in a specific expert in that area versus I’m going to bring in a Microsoft or a fire I or you know, whoever, and we’ll see what happens. I don’t know,

[00:49:50] Evan Francen: natural either because I think you just need to be really careful about where the pay to play is in this, you know, about, you know, being really clear about what the rules of engagement are in these things because you can easily be used to leverage for their benefit, not necessarily the benefit of, you know, the country. Yeah. So hopefully we’ll keep an eye on that. I don’t, I’m not calling it out and saying that that’s happened or will happen. I’m just saying we better keep our eye on it because if you leave it to just like, you know, chance. If you don’t keep your eye on it, the bad things do happen, right? The bad things, always sneaking them out. You have to watch out. Section six is standardised. The federal government’s playbook for responding to cyber security vulnerabilities and incidents. That’s pretty cool.

[00:50:44] Brad Nigh: Yeah. Bye. It’s interesting. Uh, yeah, I think it’s really, this is a huge positive, right? Like, but like you said, yeah, she’s going to have to hire a lot of people

[00:51:04] Evan Francen: because this is also really aggressive and uh, you know, and everything right? there’s that’s just the way security works right? If it’s used this play it’s awesome. It’s used this way. It’s not awesome. You know, you know something like a playbook where you’ve got all the agencies working off the same playbook, that’s that’s generally really, really positive now where it could be less positive is if the enemy knows what your playbook is, you know, you and I played football right? How beneficial would it be to know the offensive playbook when you’re playing

[00:51:42] Brad Nigh: defense? Yeah. Oh yeah, for sure. You know, and I will say I’m reading an article uh kind of follow me through and it does have a link that DHS is doing a 60 day workforce sprint to hire 200 cyber personnel by july one half of those will be uh for Visa. The other half will be various HS component agencies. So at least they’re not just saying, hey get all this done. They’re actually putting giving some resources to get this going. Which is, I mean it’s encouraging to see

[00:52:22] Evan Francen: When I yeah, I’ve heard the number, I’ve heard numbers from other sources to up to up to even 400.

[00:52:29] Brad Nigh: Yeah. Well I mean I think that’s the 60 day sprint like in the next two months you’ve got to hire 200 people. That’s a that’s a lot. It doesn’t sound like it but that’s a lot of people.

[00:52:42] Evan Francen: Well you’re gonna need uh I mean you’re going to get what you pay for? Two, right? So if you’re going to hire 200 people, I’ll pay them $50,000 a year. Well, that’s the kind of person. People you’re going to get If you’re going to hire 200 people and pay them $150,000 a year, well then you’ll get a different kind of person probably.

[00:53:06] Brad Nigh: So it’ll be interesting to see because it doesn’t state what level that? Because I mean, if you’re just paying someone to monitor like a sock injury level. Yeah, okay, that’s fine. And maybe that’s what’s needed. So that’s the unknown is that’s such a huge range, who knows what they’re looking for.

[00:53:30] Evan Francen: Yeah. And you’re competing with the private sector for those skills, right? So let’s say that you Find your 200 and you pull them all into this and the government, because all of this really only applies to federal government agencies and the people they do business with, you know, basically. So ma pa store, you know down the street, small to mid sized businesses, uh Even education K. 12, you know, you’re taking resources from there and you’re putting them over here. And that’s I’m not saying that’s bad or good, you just need to be aware of that because if you’re if you’re hiring all these people, well then other people on the streets, I may have to pay more.

[00:54:14] Brad Nigh: Yeah. Well, and this is that kind of age old discussion, is it better to have those people in the government or in the private sector if you know, and if the government’s down and ransom, that’s a, that’s a problem because so many people rely on those programs in those departments. But what’s the impact if now you have a business that is down because they couldn’t hire? It’s, yeah,

[00:54:44] Evan Francen: uh, you still have 50 state governments that you have to contend with. And God knows how many, uh, you know, county governments and how many city governments. And you know, it’s, it’s not as simple as just, you know, is this, I’m not saying good or bad, you know, I don’t know enough to judge, but I do know enough that supply and demand, this is the way it works right. If you only have so much supply and you have a huge demand over here that drives prices up. And that also, you know, means less people have

[00:55:20] Brad Nigh: Yeah, Well, I think, you know what, I don’t, I don’t remember seeing it. I would have loved to have seen something really focusing on getting more people into the, into the industry.

[00:55:32] Evan Francen: Yeah, there’s no mention of that anywhere in this,

[00:55:35] Brad Nigh: some around some sort of incentive or, you know, getting, you know, if you get your degree or you go into this, here’s some benefit.

[00:55:45] Evan Francen: Right? Well, that’s what most of this executive order is, it’s not very strategic, it’s very tactical and I think what the government needs is an overall solid strategy long term. What are we gonna do? How are we going to get out in front of these things because we do have a supply demand issue that would have to be part of an overall strategy.

[00:56:09] Brad Nigh: Yeah. Well, and I think kind of reading between the lines a little bit, it doesn’t call it out, but I mean it really does give Sisa that uh, imperative to like get that stuff together.

[00:56:25] Evan Francen: Well, you you it’s almost like this though, it’s like, let’s say that I, you know, I give you a laundry list of things that you need to do like here. You know, you’ve got now got whatever your job is today, we’re going to triple the tasks that need to get done. Now. You may assume that I’m going to give you the resources to get, you know, to hire more people and to get those things done. However, I never promised, you know, I mean, there’s kind of that level of like, yeah, you got to do all these things. But yeah, it’s gonna be it’s gonna it’s not gonna be easy. Yeah. So section seven is, you know, improving Action of did I do 66 was the Playbook seven is improving detection of cybersecurity vulnerabilities and incidents on government networks general not, you know, this section is not all that surprising. There’s two things I think that we’re a little concerning for me. One is this particular section gives Sisa the ability to do threat hunk strain threat hunting on all the federal agency networks and systems without their authorization. So you have this blanket authorization but essentially ceases all in your stuff any time they want to without you knowing and Knowing that you’re out there hiring 400 new season people. It’s like, oh boy, you know, you got a whole bunch of people that are new to this. Maybe not new to security, but new to this game. But I know I’m gonna be,

[00:58:05] Brad Nigh: it’ll be, yeah, this is another one is like,

[00:58:12] Evan Francen: I think you’re froze or did I freeze, did you freeze? Is that you that time? What’s going

[00:58:19] Brad Nigh: on? Peter is like, whoa, okay. My I guess my uh doc is messed up right,

[00:58:30] Evan Francen: right. Hunting you right now.

[00:58:32] Brad Nigh: That was bizarre. Everything. My two extra monitors just turned like reset and everything went to the, my laptop. Anyway. Uh who was I saying? It will be interesting to see how this plays out like a in again, in theory, I like having somebody responsible for looking for this stuff. What does that actually mean? We’ll see, you know, are they going to subcontract that out? Is that allowed or you know, and that at that point, what does that look like or does it have to be done in house personally? I’d rather see it done kept in the government not so contracted because then you get a lot more again that that bias and pay to play, but we’ll see what happens

[00:59:24] Evan Francen: on the flip side of this. I mean that that’s why, you know, a lot of these things have to be really thought out. But you know, there’s such aggressive timelines. I don’t think you have a lot of time to really think about because you now have this mandate were seized is going to be doing the threat hunting and all these government agency networks and these aren’t small, government agencies are not like some small ma pasha. We’re talking like Department of Health and Human services, right? Thousands of employees, thousands of notes that you need to do threat hunting now if you’ve ever done in you. And I’m not saying that’s when I say if you’ve ever done, I’m saying generically if you’ve never done threat hunting, it’s not, you know, cook a few buttons. You know what I mean? It’s totally it

[01:00:09] Brad Nigh: is. Yeah, it’s in what Yeah, I don’t know how to explain it. It’s I mean, even with the best tools, you’re still Kind of like a needle in a haystack with only maybe a 75% of the Haystack vs 100% because you’re, there’s so much noise out there that you have to weed through to determine. I mean, yeah, we see it now with encrypted or encoded power show running in memory. Well, okay, that sounds like it’s an easy thing to look for it is how do you know how many other software, legitimate Softwares use encoded power shell. Oh so it’s just like, okay, let’s figure out what this is this legit? No. Yes. No. Yeah, okay. You know and just trying to figure. Yeah. Yeah

[01:01:05] Evan Francen: it is. And so you’ve got SiSA tests but doing that and again, lots of new people going to be introduced into Cisa, which means some of these people, I mean play the play the rule of numbers. Some of these people are not going to be good actors period. It’s just the way it is. You take a large enough population of media. One of them is going to have some motivator to do something that they shouldn’t do. Whether it be they found they they fell on financial hard times. They depression. Um an addiction of some sort shit happens.

[01:01:43] Brad Nigh: Yeah. Well I mean even if you let’s take the road, you know, put on the rose colored glasses or whatever. Even if there was no, they are, you know, malicious intent, there’s going to be likely somebody who just is not good at the job and messes up, you know, some level of incompetence that, that unfortunately you see, um so what happens when You’ve hired all these people and you make one bad higher out of 400 I could definitely they miss something or they do something wrong. That could be pretty impactful

[01:02:28] Evan Francen: good. Hopefully those things will all be accounted for at some level. But a lot of work for Sisa and then there’s also, you know, a call out in section seven about, you know, the adoption of government wide and government wide end point detection and response, which okay, you know, I’m not anti end point detection response. But what specific need are you what I’d rather see is rather than calling out specific products or specific technologies, college specific things that you’re trying to protect against because there may be other ways too protect against things. So yeah, obviously you’re ready. Our suppliers, you know, they’re going to be fighting all over this contractor these contracts and they’re grinning ear to ear. Well just like any other tool you put any other tool you put into an environment if you don’t run this crap correctly, you’ve made more risk than you had before you put started

[01:03:30] Brad Nigh: kind of going against that. What agencies, where is there not E. D. Are already in place because that’s a little disturbing. Right? I would think that for the most part this is just formalizing that requirement of what’s already in place. I would hope

[01:03:50] Evan Francen: so. Yeah, we’ll do. There’s there’s there are things in this uh executive order where I was like um, okay like tika the government’s playbook for responding to vulnerabilities and incidents. I was like you didn’t that

[01:04:06] Brad Nigh: I think they have it. It just so scott if there’s no central right? Everybody has around it’s chaos.

[01:04:14] Evan Francen: You don’t have it.

[01:04:15] Brad Nigh: Well but each individual agency has one but there’s no like nobody knows what the other person is doing. We saw that with solar winds right? You know Irs didn’t get hit because they didn’t have, it was there was no internet access for the server whereas the others were like there’s no I’m

[01:04:33] Evan Francen: going back to your going back to your point about not having any. Er It’s the same thing was like why wouldn’t you have a government playbook for all of your agencies to follow? I mean it’s not like you’re not integrated

[01:04:43] Brad Nigh: again it comes back to politics right? Everybody wants to be on their own and I think a lot of it is consolidating this and it’s kind of tasking Visa with being like hey you’re responsible for all the agencies. They’re not on their own anymore. You’ve got to have yeah one you know one place to go and that’s what we talked about just for businesses to do you know who you are, what your your I. R. Team do you know who to go to to contact this? Do these people know their responsibilities right now Kind of seems like as a whole. No that’s not the case for the government now maybe within H. Agency it’s well defined. I don’t know please that doesn’t help when you know I. R. S. Can’t tell dhs something because they’ve got a contract.

[01:05:32] Evan Francen: Were arguing the same thing. Yeah it’s

[01:05:36] Brad Nigh: all crazy. Crazy.

[01:05:37] Evan Francen: Yeah, totally, man. So yeah, so that’s section seven. More work for pizza bread haunting on everything. And er section eight is improving the federal government’s investigative and remediation capabilities. So this is about the types of logs that need to be retained. The time trades for longer attention.

[01:05:58] Brad Nigh: It’s just standardized. So much of this is just standardizing the basics, which I love. I love that is calling it out, forcing them to do it right. It’s disturbing that it hasn’t been the case, but you know, hey, let’s get this

[01:06:15] Evan Francen: going down, yep. And again more cisa work to be done there. So as well as other agencies, right? It’s not just this all throughout this, there’s, you know, yeah, women Bs in here, uh justice departments in here. Department defenses in here. There’s a lot of work for a lot of people to do. So that section eight, section nine is uh, you know, mention national security systems essentially. It’s you need the the Secretary of Defense who is responsible for those systems needs to adapt. Um he’s got the same requirements or more. Yeah, scott I hope isn’t a problem,

[01:06:58] Brad Nigh: you know. Yeah, I kind of read this is like, hey, we’ve got to cover this just to make sure but you you better already be doing this.

[01:07:07] Evan Francen: Yeah. Yeah. Yeah. And the nine, that’s 9, 10 definitions, 11 is general provisions and then uh so lots of lots to impact. There is a ton of work, I’m glad I don’t work in the federal government because I don’t want to be responsible for any of this. I would have been, I’d be pulling my hair out like why the hell are, why the hell were you doing this already?

[01:07:32] Brad Nigh: Uh you know, overall, I think, I think this is going to be a positive, it picks off some of that low hanging fruit that we preach about multi factor encryption. Um I think it’s gonna push, she said surprisingly, I think she’s has been kind of Vokey right. A lot of people don’t necessarily know what they’re doing and I think this is going to really push them out into the spotlight, which is I think a good thing uh but you know, if it’s nothing else, maybe this Yeah, yeah, yeah, I think it’s gonna hope, I’m hoping that this is going to be a net positive.

[01:08:17] Evan Francen: It could be

[01:08:18] Brad Nigh: and there’s a lot of good things in there, there’s a lot of things that are like, okay, we’ll have to see how this goes.

[01:08:25] Evan Francen: Yeah. Yeah. Well that’s yeah, I mean it could be good to compete disastrous. It could be somewhere in between, you know, honestly, I don’t know, it’s gonna come down to the implementation. Yeah, I think what is, there’s a lot of pie in the sky kind of thinking here.

[01:08:42] Brad Nigh: Well, I think what we’ll see in that 60, 90 day window when they start publishing plans, that’s when we’ll see and no more, I think overall, I think it’s really a step in the right direction now. Mhm. We’ll see if they, you know, if it’s you two steps forward, one step back type of thing when those plans get published. But again, this is a huge issue that’s been neglected for way too long, so at least for we’re seeing something being done, which is good.

[01:09:19] Evan Francen: Yeah. Yeah. Right. Uh news only have one nearest thing and it’s from Krebs and it’s uh I think it’s sort of funny because it drew a lot of attention on twitter and other places. This was me. The title is try this one weird trick. Try this one weird trick Russian hackers hate, but I think it’s okay. Really what it’s about is changing uh are adding the Russian language set to your operating system because it’s virtual

[01:09:58] Brad Nigh: keyboard. Yeah,

[01:09:59] Evan Francen: because, you know, Russians, they operate with impunity in Russia attack, as long as you don’t attack Russia Attackers in Russia, don’t have to worry about the police coming right, it’s when Attackers attack Russia that the Russians, you know, kill you. Probably, so, you know, one of the fail safe, they put in their malware is that if this is this is a system that we suspect is Russian, we will not attack it. So the keyboard is the cyrillic keyboard. Yeah, that’s installed. Well, okay, but great, fine, probably true, but now it’s probably not. So, you know, don’t expect this to be your fix. It’s not worth my time and effort to do it. I just don’t click on things and I keep things locked down. That’s probably a better approach. But if you want to you can install anyone else. What, 16, 17 different.

[01:11:09] Brad Nigh: Yeah. Yeah. It’ll be it’ll be interesting to see, I mean, we know rushes, like you said, their legal system is basically like don’t do it to us and you’re fine, do it to us and well, enjoy the gulag in Siberia right? Forever. Right. He was disappeared.

[01:11:34] Evan Francen: Yeah. So, but, you know, there are certainly other programmatic ways for software to determine whether this is a Russian system versus a U. S. System. Right? So there’s a limited window and it’s a limited number of attacks that’s actually going to protect you against. So it’s just not for me it’s not worth the effort. Not all that concerned about Russian malware, because my system and I don’t use it for things that put at risk for, I

[01:12:03] Brad Nigh: would say in there that uh batch script that adds it. But if you really wanted to look in that article, there’s a on GIT hub, you can just click it and run and get it done with. I’m

[01:12:18] Evan Francen: still not worth my time now. Trust somebody’s bad spirit. Uh huh. Because Yeah. All right. Uh That’s it. That’s all I got for this. Uh this is a good episode, man, a lot of stuff to talk about and unpack and I liked it. I liked how you had different uh and some you know like your perspective because it’s not the same perspective as mine. It’s not that one perspective as right and wrong. It’s different perspectives and that’s what makes us better. So I appreciate that man.

[01:12:48] Brad Nigh: Yeah. You know like you said at the end of the day were on the same page, right? We have the same goal is just how we approach it, which is what makes it’s still good in from a company perspective, not just the podcast but but so awesome.

[01:13:08] Evan Francen: Yeah man, I feel the same way. Uh any shout outs this week for you.

[01:13:12] Brad Nigh: You know, I’m gonna get a shout out to my wife. She volunteered to give uh the vaccine to middle school yesterday. So she spent, I don’t know, four or 5 hours at the Middle School Uh reconstituting and getting it ready. She didn’t actually do the injections, but it was a nurse kind of cool to see. I think she said they had an estimated 750 kids got it uh at the one middle school and they Think about 750 at the other middle school get it. Uh in the county. So awesome. You know

[01:13:48] Evan Francen: that is awesome. I’m going to give a shout out to the daily uh The daily insanity chicken folks, we’re still going strong. It’s now maybe 18th. We started that, you know that that group and

[01:14:05] Brad Nigh: March, March or late March or april right? Yeah.

[01:14:10] Evan Francen: You know when the pandemic came about, we started this uh this group and it’s just it’s just kind of a support group and it’s just people talking whatever, whatever is the top of mind and what kind of support you need.

[01:14:22] Brad Nigh: You need to start trying to make it back on there. Just so many meetings. It’s it

[01:14:27] Evan Francen: sucks. You know, whenever you get a chance man, I think everybody there be. It’s cool. It’s been cool to see how it people come, people go, people come back, people go again, you know, it’s a bit some good friends

[01:14:41] Brad Nigh: in there.

[01:14:42] Evan Francen: Good people.

[01:14:43] Brad Nigh: Yeah, there was a lot of yeah exactly good people. Yeah,

[01:14:48] Evan Francen: so I’m gonna give a shout out to those guys um Mhm Yeah, that’s it. So you, to our listeners huge thank you uh for to you man for sharing your perspectives and uh you know, talking through all this stuff, you have something you’d like us to know where you want to interact with us, go for email the show and insecurity at proton mail dot com. After the social type socialize with us on twitter. I’m @EvanFrancen Brad’s @BradNigh uh the other twitter twitter handles if you’re interested, you know the places we work @StudioSecurity and @FRSecure and that’s it, we’ll talk to you next week.