NIST Cybersecurity Framework and More Data Breaches

Unsecurity Podcast

In this episode, Brad and Evan discuss “Tom” (the “normal people” who are the reason behind what we do at FRSecure), the very soon-to-be-released UNSECURITY book, the next UNSECURITY book being written now, the next book later this year that Brad and Evan will be writing together, cool vendor risk management and NIST Cybersecurity Framework (NIST CSF) work that Brad is doing, and some current news: “2019’s First Data Breach: It Took Less than 24 Hours”, “2019 security forecast: Cloudy and unsettled, with a chance of gloom”, and “The 21 scariest data breaches of 2018”.

Podcast Transcription:

[00:00:22] Evan Francen: Alright, here we go. Today is not Sunday the 6th, 2019. It’s actually Tuesday now, the 8th. And this is episode nine of the UNSECURITY podcast. My name is Evan Francen, and joining me today, as always, is Mr. Brad Nigh. Brad, how are you?

[00:00:40] Brad Nigh: I’m cold. How are you?

[00:00:43] Evan Francen: Oh, not cold. I’m live from Cancun. We were just talking about this; this is our first ever international podcast.

[00:00:52] Brad Nigh: It’s a momentous occasion.

[00:00:55] Evan Francen: Well, we tried it on Sunday and at the resort the bandwidth was terrible. So I found a Starbucks about three quarters of a mile away, and that’s where I’m at now. So if we have background noise, my apologies, but we’ll make it through.

[00:01:13] Brad Nigh: I mean, it’s just part of writing a book in Cancun. Just gotta deal with it.

[00:01:17] Evan Francen: Right. You know, and that’s exactly why I’m here. Got here on, what’s today? Oh, Tuesday. And as I said, I got here on Saturday, started writing in earnest yesterday, and, uh, just crunching away. So, through the introduction and most of chapter one.

[00:01:41] Brad Nigh: It’s impressive.

[00:01:43] Evan Francen: Well, yeah.

[00:01:44] Brad Nigh: Once you get into a flow it just kinda, it just goes, right?

[00:01:49] Evan Francen: Well, this one, as you know, is more personal. Yeah, the first UNSECURITY book, which is due back from the printer tomorrow. So there’ll be a release, or release party, and signings and whatever the hell else goes on. And so that first book was written to... the audience was people like me and you. This book is written for what I call normal people. Uh huh. So hopefully it’ll resonate with the everyday person on what they should be doing to protect themselves better.

[00:02:26] Brad Nigh: Yeah, I mean, based on some of the feedback you’re seeing on LinkedIn from your post, I think there’s definitely, uh, some passion around it.

[00:02:36] Evan Francen: Yeah, that surprised me. So for those of you who haven’t seen it on LinkedIn, I posted, I took a picture where I, I ran into that... I met somebody, uh, Tom, on the flight down from St. Louis, from St. Louis to Cancun on Saturday, and, uh, just fell in love with the guy. I mean, this is a 68 year old, uh, was a sixth grade teacher, he’s retired. Um, and we had a really good conversation. One of the things he said is, uh, you know, something to the effect that second graders, you know, know more about information security than he does. And so people like Tom really are the inspiration for the second book. Uh, so I posted it on LinkedIn expecting, you know, I mean, normally what? Happy to get 20 likes, maybe a couple thousand views. This one...

[00:03:35] Brad Nigh: I’m happy to get a couple hundred.

[00:03:37] Evan Francen: Man. It surprised me, because I posted it on Sunday, right at the end of the day on Sunday, we almost had, you know, 80,000 views, I think it’s 50,000. Yeah, so people love Tom. That’s good, people should love Tom. And, uh, yeah, let’s help, let’s help Tom, let’s work for Tom, that’s, that’s what we’re doing, yep.

[00:04:03] Brad Nigh: I like it.

[00:04:03] Evan Francen: Yeah, but you know, I was really blown away by the, of the people who commented, a lot of those people were security people, and it seems like we’re motivated because we haven’t done a good job, people like you and me, in reaching out to and really helping, I think, the normal people.

[00:04:25] Brad Nigh: Yeah, I think there has been historically a little bit of that, the blame on the, air quote, normal people, but it really should be back on the infosec community. If we’re not communicating and explaining it and helping them understand, how is that their fault?

[00:04:44] Evan Francen: Right. Exactly. And so I think that’s resonating pretty well. Hopefully, you know, that same message will take it into the book, and, uh, you know, it will make a difference. I mean, after all, our mission is to fix the broken industry. So let’s do our part. Yep, man. Yeah. So what else is new with you?

[00:05:06] Brad Nigh: Uh, not much, you know, we’ve had, you know, this will pull back the curtains a little bit, a little bit of reshuffling internally, and so just trying to figure out, get into the groove of the new role and responsibility. So trying to figure out what that exactly looks like, which is, it’s fine.

[00:05:24] Evan Francen: Yeah. Yeah. Well, new challenges, right? I mean, you have a great group of people that you work with every day to help you navigate these waters. So that’s cool.

[00:05:34] Brad Nigh: Yeah. Yeah. They make it way easier.

[00:05:36] Evan Francen: Now, I just realized that this is also the first, our first podcast of the new year.

[00:05:44] Brad Nigh: Oh yeah, you’re right. It is.

[00:05:46] Evan Francen: So it’s our ninth overall, but our first one of 2019. How was your New Year’s?

[00:05:52] Brad Nigh: It was good. We, uh, didn’t make it till midnight. Um, our daughter, my daughters, they’re in middle school and elementary school, and they wanted to stay up. So my, my mom was visiting and, like, all right, we’ll stay up. We played a bunch of card games and about 10 they were, you could just tell they were fading. Uh, so we watched the ball drop in New York at 11 and they were asleep by like 11:02.

[00:06:19] Evan Francen: Yeah, I was, I was in bed by 11 myself.

[00:06:24] Brad Nigh: Yeah, I was asleep by like 11:30.

[00:06:27] Evan Francen: This is the exciting life of security people, right?

[00:06:31] Brad Nigh: Exactly. I’ve worked a full day. I’m tired.

[00:06:37] Evan Francen: Right? We sort of earned our sleep. I actually fell asleep on the couch before my wife made me go into the, you know, go to bed bed.

[00:06:46] Brad Nigh: Well, funny. Yeah, like, yeah, it’s funny how, uh, how protective our wives can get. It’s like last night I had to get caught up on some stuff and she comes down and it’s like, all right, make sure you set an alarm because I really don’t want to get up at two o’clock and find you’re still working. Because once you get going on this stuff, you know, I had my headphones on and music going and I’m just working and you lose track of time. There’s no interaction, nothing to really track the time. And about midnight I was like, oh, shoot. Well, I’m glad I got thirsty there to realize the time it was, right.

[00:07:23] Evan Francen: Well, so we’ve got a ton of great things, I think, planned for this year, planned for 2019. Anyway, uh, anything in particular you’d like to share, anything in particular you’re excited about?

[00:07:34] Brad Nigh: You know, just, uh, you know, professionally, just continuing to mature our processes here and what our offerings are. There’s a lot of behind the scenes stuff that’s going to make everything better, and I’m really excited about working on some of that stuff. Um, you know, I’m looking forward to the second half of the year and writing a book with you and getting that experience.

[00:08:02] Evan Francen: Wait. What? Boom. Did you just announce something? You just announced that we’re going to do a second book.

[00:08:08] Brad Nigh: I think we mentioned it casually. But yeah, I think we should.

[00:08:12] Evan Francen: All right. It’s done. It’s going to happen. All right. Well, I think, uh, based on the things I learned from the first book, so, and this is encouragement, hopefully, for anybody who listens to that: if you’ve ever felt the urge to write a book, you know, I highly recommend it. It’s a, it’s a hell of an experience, you know, pushes you, I think, to the limit. There’s one book, and I’m going to recommend this to you too, Brad, there’s one book that really helped me get through the struggles, and it was a book by Steven Pressfield. It’s called, it’s called The War of Art. Mm, uh huh. Steven Pressfield’s the author who wrote The Legend of Bagger Vance and, you know, okay, a number of other books. Uh, it gives really great advice. Um, so I learned a lot in writing this first book. I know that books are not written by, you know, just one person, that’s not just an author. You’ve got a ghostwriter, you’ve got an editor and another editor and sometimes another editor, and then you’ve got a proofreader and you’ve got a graphic designer and, oh my God. Uh, but that first book took about a year, you know, like, like I mentioned, you know, it’s going to be officially released here in the next couple of weeks. Uh, but I think really what, knowing what I know, I think, uh, two books in one year is not super crazy. Uh huh. You’ll be...

[00:09:51] Brad Nigh: I’ll take your word for it. I’ll find...

[00:09:52] Evan Francen: Out. And you’ll be helping me on the second one.

[00:09:55] Brad Nigh: Yeah. That hopefully makes it easier, not harder.

[00:10:00] Evan Francen: Well, I think, you know, figuring out how we work best together. Uh, you know, is it, do you take one voice in one chapter and then your voice in the next chapter and get into that kind of rhythm through the book?

[00:10:13] Brad Nigh: Or, there’s a lot of options, right? Yeah. And then you have like, will I pop out for, if you wrote a chapter, if I want to put something in, or how do you do all that? So that would be, that is gonna be exciting.

[00:10:29] Evan Francen: Yeah, and that book is going to be about, I don’t know if people have read Traction. You and I have read Traction before, but it’s a great book by Gino Wickman, and in that book he talks about, uh, the Entrepreneurial Operating System, EOS, and EOS is, uh, really, really popular with small to mid sized businesses. So you and I are going to write a book about an operating system for security for small to medium sized businesses along those same lines. So thank you to Gino Wickman for sort of setting the example for us. Mhm. But being that you and I have, you know, I think, been doing this for as long as we have and worked with as many small to mid sized businesses as we have, I think this book will really, really help.

[00:11:23] Brad Nigh: Yeah, I think so. I think the most common thing we hear is, like, they don’t know what they should be doing and they’re trying to make it way more complex than it needs to be, so hopefully we can simplify it for them.

[00:11:38] Evan Francen: Well, I think one of the biggest challenges too is, uh, you know, actually operationalizing security. It’s one thing to have policies and have some written procedures and whatever, but to truly integrate it and make it part of your business, that’s where you, I mean, I think that that’s where you capitalize on your security investments. It becomes less of a cost center. Uh, so, I mean, it’s, yeah, I mean, it’s gonna be a lot of fun for us to do that together.

[00:12:08] Brad Nigh: Yeah. Thanks. So I would say one other thing I want to mention that I, I just thought about: we’ve got the mentor program coming up again in April, and I had somebody, uh, reach out and send me a text that he went back and was listening to last year. It was like, I did not expect to see you there, which is always like, yeah, great. But, uh, you know, the feedback we were getting is it was better than some of the training he had paid for, for the CISSP, so I think that was really exciting. Makes it, makes me feel like it’s worthwhile.

[00:12:43] Evan Francen: Oh yeah, absolutely. When we, you know, throughout the year, I mean, we occasionally get, or not, I mean regularly, I guess, get requests for endorsement.

[00:12:55] Brad Nigh: Yeah, I think at least 10 this year that I’ve gotten, between the two of us, that I know of, which is pretty good.

[00:13:04] Evan Francen: Well, yeah, I mean, I think just for me, just one, right, there’s a difference, it’s a step. Uh, yeah, so the 2019 CISSP mentor program, which you can find online at frsecure.com/cissp-mentor-program, um, starts on April 8th this year. It’s open to anybody. You don’t have to have any prerequisite experience. Uh, just come and join us, and if you don’t make it through, you don’t make it to every class, that’s, that’s totally fine.

[00:13:41] Brad Nigh: Yep, it’s definitely, we’ve had, you know, C-levels and manager types sit in that will never take it. They have no need or desire to take it, but they said it helps them understand it. It’s just a little bit different way of looking at it.

[00:13:58] Evan Francen: Yeah, and it’s super enjoyable. I don’t know about you, but, you know, it makes me a better security person. Oh yeah, when I have to continually, you know, review and teach the basics.

[00:14:13] Brad Nigh: It keeps you humble, because it helps you realize how much you don’t know.

[00:14:18] Evan Francen: Yeah, I mean, how much you’ve forgotten, right? You know, and, you know, from the CISSP, there’s plenty of things that are okay to forget because you’ll never, ever use them. But there’s always some good nuggets, some good basics that you have to keep, you know, keep aware of. Indeed. So, Mondays and Wednesdays from 6 PM to 8 PM Central. You don’t have to be there physically, because it will also be taught online. Okay, goes from April 8th until May 29th of this year, and we’ll be teaching it, me, you, we have some other people, but we have a...

[00:14:58] Brad Nigh: Couple, I think, that may step in and help out as needed or help moderate online, so we’ll figure that out. Which is always, it’s always good to get more people involved.

[00:15:11] Evan Francen: Yeah. It’s fun to see that mentor program, how it’s sort of grown from six students in 2010 to last year, I don’t, we had like 350 something, it...

[00:15:21] Brad Nigh: Was like 353, right around there.

[00:15:24] Evan Francen: Yeah. So hopefully we can knock it out of the park and beat that number, because what we’re trying to do with this mentor program is offer free training so that we can help, at least make our contribution to fixing the broken industry, where we don’t have enough talent in our industry, right? Yep.

[00:15:43] Brad Nigh: Yeah, the classes that are out there just...

[00:15:46] Evan Francen: You know.

[00:15:47] Brad Nigh: Extremely expensive and hard to get to, and so, yeah.

[00:15:54] Evan Francen: And so far I haven’t heard anything from those paid places that they’re, you know, pissed off at us or anything, so hopefully they’re still making their money too.

[00:16:06] Brad Nigh: Uh, yeah, I would assume so.

[00:16:09] Evan Francen: Yeah, because I don’t think there’s anything wrong with doing paid training, it’s just some people can’t afford it, so let’s give them, give them an alternative. Whatever. Cool. Uh, so again, that’s just, if you just Google FRSecure CISSP mentor program, you’ll find the page. Encourage everybody to sign up. Yeah, what else, what else we got? Anything else you’re excited about? You know, you were working today on some vendor risk management stuff.

[00:16:38] Brad Nigh: Yeah, yeah, just, you know, doing some managed vendor risk management for a customer and doing some, um, hey, yeah, all kinds of geeky fun stuff. Yesterday was not as much fun for me, had 13 meetings yesterday, so, I know, it was insane. But yeah, today much better, a lot more time. We got, you know, a new associate analyst started yesterday, so I got to spend some time this morning coaching her on some stuff and focus on, you know, focus on one thing for, you know, an hour or two at a time. So working on that NIST CSF (NIST Cybersecurity Framework) maturity assessment tool, that’s fun. I really broke it, it was fantastic.

[00:17:30] Evan Francen: I like breaking stuff.

[00:17:32] Brad Nigh: Right? I’m tweaking a bunch of the formulas and adding weighting and then it just totally broke the dashboard. I was like, oh, okay, I know what I have to do, I just haven’t had time.

[00:17:44] Evan Francen: Well, we got some good feedback, I think, over the last couple weeks from listeners of our podcast, and one of those was they thought it would be a better idea for you and I to actually do a podcast, or do podcasts, in the same room. So I think that’s definitely in our future, yep, which will be nice, because you play off of each other so much better when you’re looking at each other. Agreed. So that’ll be fun. And we do encourage, you know, anybody who listens to this podcast to give us feedback, give us, you know, the things you like, the things you don’t like, maybe some things you’d like to see more of out of us. Um, yeah, so there’s no shortage of things going on right now.

[00:18:26] Brad Nigh: Yeah, no, I think the other one that I really like that we talked about, we haven’t really gone into detail yet, but is sort of an ask the experts segment. So, figure out how to make that work, but I really like that, that I do, again, you know, kind of a quick hit, maybe a question of the week or something. Figure that out.

[00:18:46] Evan Francen: Yeah, that’s a good idea. So one of the things we need to do is set up an email address for listeners to email their questions so that, you know, we can address those online.

[00:18:57] Brad Nigh: But, uh, assign someone to actually look at it. If you have a question for us.

[00:19:04] Evan Francen: Absolutely, right. And a lot of times, I don’t know if you’re using Twitter, but I, you know, I’ll tweet a lot of things, especially lately as we’re starting to try to get more kind of traction and get more people working together. Uh, so you can always follow me on Twitter, and that’s just @EvanFrancen, and then you’re, what, @BradNigh, right? Correct. So I’m probably posting, I don’t know, a half dozen or so articles that I’m reading each day.

[00:19:35] Brad Nigh: It’s funny, I’ll put stuff out there. I use it almost exclusively as, like, an aggregator and tracking, like following the people and reading articles. I haven’t been nearly that active on Twitter. I should be more active.

[00:19:55] Evan Francen: Well, you know, I’m starting to learn more about others. I mean, because there’s many influential information security people. Uh, it’s kind of cool to watch and read, you know, what they’re up to. Um, the one thing I don’t like is when a security person thinks that they’re a political wonk, you know, so they have to comment on, you know, Trump or Democrats or, you know, whatever. It’s like, so I don’t post anything political on my, on my Twitter. I just, I keep that stuff in a different type of, I guess, communication.

[00:20:40] Brad Nigh: Yeah, I’m with you. I almost forget it is an extension of my, my work, personally, I guess, you know, identity. So, yeah, we talk about that with clients. I wouldn’t, I wouldn’t talk about it on Twitter.

[00:20:55] Evan Francen: There you go. That’s a good point. You know how I look at it, when some people will put, you know, “the views and things that I’m expressing are mine and not those of my employer.” But still, if you’re working with clients...

[00:21:07] Brad Nigh: Right? Oh, we’ve seen it where, uh, you know, we had one where a, a customer got an email from a potential client about an employee posting, like, some really nasty, bad, you know, insensitive racial type of comments on Facebook, I think, and it said, you know, it said where they work but their views were their own, and it didn’t, it doesn’t matter.

[00:21:36] Evan Francen: Right, because your views are your own doesn’t make it okay.

[00:21:42] Brad Nigh: I work for FRSecure, but these are my views, not the company’s views, and then it’s just spewing nonsense, like, oh, come on.

[00:21:49] Evan Francen: Right. Yeah. Yeah, good point. So that would be maybe something, uh, you know, for companies, maybe you could put that in a social media policy or social networking policy, these types of things, because in most cases, I think, I know Minnesota, where we, you know, where our headquarters is, it’s an at-will state. Uh, so, I mean, I don’t, I haven’t, okay, yeah, this is full transparency now. I don’t think I’ve read our social media policy, and as a CEO of a company, that’s a big no-no for me. So after the, yeah.

[00:22:29] Brad Nigh: Yeah. I’m gonna hold you accountable now.

[00:22:32] Evan Francen: Uh, son of a gun. That’s the same thing I rip on about other CEOs, and here I am doing the same damn thing.

[00:22:40] Brad Nigh: It’s pretty, pretty standard.

[00:22:44] Evan Francen: Yeah. I mean, I’m sure I’m not in violation, but I should at least, uh, I’m going to be more aware.

[00:22:50] Brad Nigh: I’m gonna start stalking you and, uh, calling you out. There you go. That’s my new sport on board. Well, there wasn’t...

[00:22:59] Evan Francen: There was a day, it was probably two weeks ago, and I still don’t know who did it, but who am I to complain. Uh, I left my office open and my computer logged in. Uh huh. So I guess the point is I’m a human being. We all make mistakes. It was a no-no. Security guys certainly should be setting the example for other people. Uh, but I got burned, right? And so my first reaction was, what the hell, man, I’m the CEO, you show me some respect. But then I was like, oh, but...

[00:23:34] Brad Nigh: You’re held to the same standards.

[00:23:37] Evan Francen: I know. So my first reaction was, uh, and then the second reaction was, you know, once that thought creeps in, it’s like, yes, thank you guys. You’re right. I’m not above the law. You know, I need to play by the rules. Awesome, yep, lesson learned.

[00:23:57] Brad Nigh: You know, I do, and I will say this, I like that you, that you do hold yourself accountable to the same. You know, you made a mistake and, all right, well, that’s what we do here and I got busted. So...

[00:24:10] Evan Francen: Yeah. Well, thank you. I always, uh, usually believe, I was gonna say always, but I usually believe that the biggest problem with information security is in the mirror. Mhm. So that’s, that’s one of the parts of this book that makes it sort of exciting for me, is because, you know, I’m trying to reach out to normal people, right? Everyday people who aren’t security people. And as I’m reflecting on the things, and trying to make it resonate, right? Because a lot of times the things that we write, the things that we say, normal people aren’t listening to it.

[00:24:49] Brad Nigh: So, yeah. You know, I just said, we bought a house earlier this year, and out this summer talking with the neighbors, and so, what do you do? And, oh, I was leaving for the mentor program, and where are you going? So I told him, and, oh wait, what do you do? And I started just telling them about, you know, PCI, and you can just see their eyes glaze over. I’m like, oh shoot, I know about it and I still fall into it. All right, okay, let me try this again. And, you know, it’s tricky to not, because it just comes so naturally to us, because this is what we do, and then to flip and, and talk to, again, you know, air quote, normal people in a way that’s not condescending. And that’s tricky, because, uh huh, I worry about that.

[00:25:41] Evan Francen: Right? And so that’s, I mean, that’s a big, big point of the book, is looking at myself in the mirror as I’m writing it and really trying to get points across in a way that, you know, because I started the book off, this one, with, and I even quoted a little bit, Simon Sinek’s book, Start with Why. What is the why for this book? And the why is to teach basic security principles to normal people and inspire them to act. So it’s not just, it’s not just lecturing them, but how do you do it in a way that will actually inspire them to, right? You know, do better for themselves.

[00:26:29] Brad Nigh: Right? Yeah, it’s tough. Especially, like I said, it can be so intimidating.

[00:26:36] Evan Francen: All right. I mean, you’ve been to security conferences before. I mean, sometimes you walk into, like, uh, Black Hat, DEF CON. And, you know, some of these people are serious geniuses, right? And not only are they geniuses, they’re jerks.

[00:26:55] Brad Nigh: Yeah, self-important.

[00:26:58] Evan Francen: Right? So if you have a genius jerk, forget about it. I’m intimidated by that. I’ve been doing security for 25 years. Yeah, I don’t want to be anywhere near a genius jerk.

[00:27:09] Brad Nigh: I mean, well, yeah, I’m gonna say not jerks, but, I mean, some of the guys even on tech services, with what they can do, and I haven’t done a lot of that technical stuff now for, you know, several years, and it’s like, oh wow, okay, yep.

[00:27:27] Evan Francen: But the cool thing about our guys, our guys in technical services at FRSecure, is they’re not jerks. No.

[00:27:33] Brad Nigh: Not at all. But I mean, even just being in the industry and seeing some of that stuff that I haven’t been doing and gotten out of, it’s like, whoa, okay, time out, slow down. I can only imagine, you know, how, how a person who’s already intimidated by, you know, kind of stereotypical, but programming the VCR, right? That’s kind of the joke. But, you know, intimidated by IT, and then you add this other layer of security on top of it. I’m sure it’s overwhelming.

[00:28:04] Evan Francen: Yeah, for sure. And, and so one of the, you know, just an example of, you know, the great work that those guys are doing, uh, Matt Finley, I don’t know if you saw it, created a...

[00:28:13] Brad Nigh: Yeah, I was working with him on that. That is awesome.

[00:28:15] Evan Francen: He has that bash script that pulls, uh, Have I Been Pwned, or, you know, “have I been pwned.” There you go. And, uh, you know, prints out a nice list for you. It’s a simple way to just run a bash script, and thank, thankfully, uh, to Mr. Hunt for exposing his API so people can do that. I mean, he’s done some amazing work.

[00:28:41] Brad Nigh: Yeah, that was when he was showing me, and showing how he’s trying to get it done, and then that’s where I, but any ideas around this? And I was like, uh, well, you’re gonna have to do this. Okay. This is basically writing regex in real time, and I just get, like, PTSD tics about regex. So cool. But he got to figure it out. I was really impressed. That’s a really cool tool. I’m excited to start playing with that a little bit.

[00:29:11] Evan Francen: Yeah, I’ll have to, I think. Can you remember? So next week’s podcast, you lead it, yep. And maybe if you could, uh, grab that, uh, URL and share it with the listeners, uh, in our next podcast.

[00:29:25] Brad Nigh: Yeah, I will get approval from Matt to do that. Already...

[00:29:29] Evan Francen: Made it public. It’s on GitHub.

[00:29:31] Brad Nigh: Oh, is it? Okay. Cool. I didn’t know he published it. Oh, yeah. Well, it was in the dialogue in the email, but it wasn’t done where I said, I’m gonna mumble to myself...

[00:29:40] Evan Francen: Because that’s what security guys do.

[00:29:45] Brad Nigh: Yeah. All right, I’m gonna note to myself right now to do that.

[00:29:49] Evan Francen: Cool. So we’ve got I’ve got some news stories. I think these are a little bit stale because we’re a couple of days late. Uh you know, producing this podcast, but there’ll still be some value in it because we can talk about some of these things. But the first news story I’ve got is from the computer business review. The title is 2019 1st Data Breach. It took less than 24 hours. This was actually published On January seconds or six days ago now. Yeah, you get a chance to read that one.

[00:30:22] Brad Nigh: So yeah I did. And you know, I read it and my first reaction was Oh only 30,000. That’s not too bad. Oh my God, how is it? Only 30,000 isn’t so bad. Right. What what what is going on?

[00:30:42] Evan Francen: Yeah 30,000 and this one was out of Australia. So you know, being a US guy uh on the other side of the world, but still uh you know, things that happened on the other side of the world certainly can and do affect things in this part of the world.

[00:30:59] Brad Nigh: Yeah. Yeah. You know, it sounds like it wasn’t, it’s gonna be more around social engineering data that got compromised work, email, phone number, job titles. So it’s not too bad. But it’s still, oh

[00:31:18] Evan Francen: Yeah, so 30,000 Australian civil servants uh their data was stolen a directory. So this may not even be, you know what we would typically classified as confidential data. This might be something more that we would typically classify as internal use data. So it’s like all right, a directory. Uh Maybe not a big deal. Uh That was downloaded by a third party. This supposedly happened through a phishing email, surprise, surprise. We never see phishing emails. Right?

[00:31:56] Brad Nigh: Yeah. Never.

[00:32:00] Evan Francen: Uh So anyway, that was I think interesting. It was the first breach of the year. So, if you ever are called on a trivia game show, uh And they asked you when was the you know, what was the first breach of 2019? Yeah. Uh in Australia was the and what was the actual name of the organ? Uh What was the name of the actual organization? Just as Australian civil servant victorian government

[00:32:27] Brad Nigh: victoria premier’s Department of the state of victoria.

[00:32:34] Evan Francen: Mhm. All right. So there you go. Yeah, Australians there. The well, that’s like the first part of the world, isn’t it? When the world turns, don’t they get like, okay,

[00:32:47] Brad Nigh: I have no idea If they’re ahead of us. I guess they are right. Yet daylight over the pacific. So, yeah. Yeah. That’s about as fast as you could get.

[00:32:59] Evan Francen: Well, there you go. All right. So, don’t be too hard on the the Aussies. They win the trophy for that next piece of news 2019. Security forecast. Cloudy and unsettled with a chance of gloom. I actually wrote a blog post. I don’t know if it’s going to be posted today? Tomorrow I think tomorrow because tomorrow is Wednesday. Uh And the title of my blog post is I’m done making security predictions. Uh Yeah. And then I explain why I think there’s so many freaking predictions out out there every year. And some of them are just a complete waste of time I think to read. And some of them are actually really well thought out. Uh some of them are confusing and some of them are. No, no, no.

[00:33:53] Brad Nigh: Yeah. I like our uh our idea last uh from last week to uh we’ll pick some and then go back and review them. So we’ll pick some now in this month, review them and the end of the year and see how they did

[00:34:06] Evan Francen: Right now. And in our last podcast, you you had brought up my predictions from 2004, Right? And then I sat down because I’ve written predictions I think every year for long time and I was going to sit down and actually right predictions for this year. And I was like, what is the use? Uh, there’s a lot of research. There’s a lot of things that go underwriting those posts

[00:34:32] Brad Nigh: a lot harder than people think.

[00:34:34] Evan Francen: Right? So I just made an excuse and why I’m not going to write them. Uh and one of the reasons is frankly, I think there’s there are better people that are better at it than I am. So let’s just point everybody over there. Yeah. Anyway, this uh, this article is from silicon angle. I’ve never even heard of them that site before either But the title is 2019 security forecast. Cloudy and unsettled with the chance of gloom. Uh And here you know predictions uh lots of different things anything in this that stuck out to you bread.

[00:35:21] Brad Nigh: Um, not really. I think the, you know, the big one, the first one, was the year of consolidation they had. I’m not surprised by that, but just looking at the amount of money and the number of companies, you know, 3,000 companies that list cybersecurity in their market category out of Crunchbase. A lot of companies.

[00:35:42] Evan Francen: 3,000. And I hate the word cybersecurity.

[00:35:45] Brad Nigh: I know, I know. I’m with you.

[00:35:49] Evan Francen: All right, so 3,000 companies in the investment database that list cybersecurity. Never even looked at that Crunchbase database before. Have you?

[00:35:58] Brad Nigh: A little bit, but not, not to the level that I will be using it moving forward, after kind of digging into it a little bit after that.

[00:36:09] Evan Francen: Yeah, I wonder, is FRSecure even listed in that database?

[00:36:13] Brad Nigh: Um, I can tell you.

[00:36:16] Evan Francen: Boom, you’re doing research on the podcast.

[00:36:20] Brad Nigh: Consulting, information technology and security.

[00:36:24] Evan Francen: There you go. So I guess we are listed. We’re one of the 3,000.

[00:36:29] Brad Nigh: No, not in cybersecurity, though. Just our IT and security. Pretty...

[00:36:34] Evan Francen: Yeah, I suppose that’s all right. So I guess, you know, if we changed it to, I don’t know, you know how you change it, but if we changed it to cybersecurity, the one or two inquiries I get a week about selling would probably triple, right? So I’m okay with it not, because those negotiations, those discussions are just sort of distracting. We’ve got a mission. I think most of us still have some gas in the tank. You know, when the time is right, we’ll do things, and, and I think everybody that works at FRSecure trusts that I’ve got their best interests at heart. So it’s not like having, you know, someone who sells, cuts and runs, right? Right. Um, that’s, yeah, it is interesting how much money is actually floating into and has already been in this industry. The first book, which, you know, you know, there’s a chapter devoted to the money grab, which is partly this stuff, and the money can cloud people’s judgment, I think, really quickly. So we try really hard to stay true to the basics. Stay true to, you know, information security, its definition and risk. Spend your money where you have risk.

[00:37:58] Brad Nigh: Yeah, yeah, yeah. I know. You know, we’ve done it where we’ve gone against other large security firms for assessments, and they’re three or four times the cost. It’s like, what are you getting for that much more?

[00:38:17] Evan Francen: Well, you and I have seen...

[00:38:19] Brad Nigh: What you’re paying for: analysts to fly...

[00:38:21] Evan Francen: Oh yeah, I remember that one. Yeah. First class. Our analysts will probably never fly first class, and I don’t fly first class. If you spend all your money... but yeah, I fly, I usually fly Southwest, which I, I’m...

[00:38:39] Brad Nigh: Fine. I don’t... Yeah, but your risk... Oh, you broke up there just a little bit.

[00:38:46] Evan Francen: Oh, I still hear...

[00:38:48] Brad Nigh: Yep, you’re here. Okay, okay. That’s that Starbucks, that Cancun weather. Um, yeah, if you spend all your money on, on the assessment and you don’t have anything left to actually do anything, have you really helped yourself? I don’t think you have.

[00:39:06] Evan Francen: Right. And there’s a certain thing about fair, you know. I mean, I think every company has a right to a profit, but there’s a certain value where you’re gouging, you’re taking advantage of people. Uh, so it’s always a fine line. You know, you got to keep it, keep it real. Another thing in here was cloud attacks step up. Not surprising. That’s where the data is.

[00:39:40] Brad Nigh: Yeah, I would say it’s more surprising that we haven’t seen more cloud attacks. That’s true.

[00:39:50] Evan Francen: We’ve seen a lot of unsecured containers or configurations, uh, online and data leaking out that way, but not specific targeted attacks, I think.

[00:40:04] Brad Nigh: On cloud computing, like on the providers. I would, I would have expected to see some more on some of these providers, where it affects multiple companies, not just one company misconfiguring something.

[00:40:17] Evan Francen: Yeah. Yeah. So I, I agree. You know, cloud attacks will probably increase this year. Economic and political espionage will rise. What does that mean for us?

[00:40:28] Brad Nigh: Um, uh, you know, well, we just saw the newspaper that went down, right? So I would say probably more of that type of stuff, where hopefully they’re not targeting and taking down power grids or, you know, utilities that negatively impact the population. But yeah, it could absolutely happen.

[00:40:53] Evan Francen: Well, it’s funny, because I was writing, um, in the introduction of this book, uh, I was claiming, or I have claimed in that introduction, that raging all around us is a war. And just because you can’t see it, you know, feel its, you know, physical effects, doesn’t mean it’s not happening. And so before I made that claim, I did a bunch of research, you know, because I don’t, you know, you don’t want to use fear necessarily as a motivator, but you do want to put, you know, put it into context and make it real. Uh, but there is actually, you know, a war happening. I think whether the bad guy is motivated by money, by influence, by power, I mean, you’ve seen nation-state stuff happening. Uh, you know, I think increasingly there’s misinformation campaigns all over the place, whether it be through Facebook or, you know, elections, trying to influence elections. Um, so I think there’s a lot of things there. The espionage piece only makes sense. I mean, it’s there for the taking. Why wouldn’t a bad guy capitalize on that? Right.

[00:42:19] Brad Nigh: All right. I agree.

[00:42:21] Evan Francen: I think I saw an article, I think one of the articles I posted on Twitter that I read, was about a manufacturing company. I think you’ll see a significant increase in manufacturing companies being targeted because they have so much intellectual property. Yeah. And they’re very exposed. A lot of them don’t think they have anything to protect.

[00:42:41] Brad Nigh: Oh my gosh, we see that all the time. They’re like, well, it hasn’t happened to us. We just make this one little part of this other thing. And, you know, we don’t have all of it. But no, no, that’s not how it works. If your one little part is not there, the whole thing doesn’t work. It’s kind of critical.

[00:43:01] Evan Francen: Right? And think about how much money, how much engineering goes into, you know, the customers of those manufacturers, you know, how much they put into these things. And that one little part may not seem very significant to you, but if it clues a competitor in, yep, into the bigger picture, I mean, it’s a big issue, potentially.

[00:43:24] Brad Nigh: Well, and, and we’ve seen that. You know, it’s no secret that China has no issue, you know, not worrying about copyright and intellectual property. They’ll just take whatever and, and copy it, right? So, yeah, especially if you’re a government contractor.

[00:43:43] Evan Francen: That’s the thing. I mean, it seems so obvious, but something’s not connecting for some reason. We’re not, we’re not connecting on this, but we’ll figure it out. Yep. All right, so what else do we have? Uh, also in that post: the year of privacy legislation. So in Europe we have the GDPR in 2018. Uh, we expect more pressure coming from GDPR, but do we also expect privacy legislation here in the United States?

[00:44:17] Brad Nigh: I think it’s, I mean, well, it says that California introduced, there’s, um, one that’s really similar to GDPR. So when you get a state that large, it’s just... it’s what we have been telling people anyway: even if you don’t have, uh, EU resident-specific data, just start doing it. It’s best practices anyway, some of those requirements around it, you know, knowing what you have, data management, all those things. It’s just a matter of time, though, because it’s going to come. Yeah, I wonder...

[00:44:52] Evan Francen: You know, I’ve, uh, I’m thinking of a time, uh, recently when I, I was consulting a very large company, uh, and I’d asked, I posed the question, because I think they were really getting confused between privacy and security and how they, how they work together. And so, uh, as is common for me, you know, what’s our definition of security? What’s our definition of privacy? I think many organizations and many people don’t have, you know, specific answers. They just hear privacy. Yeah. Thinking, well, it’s this. But I mean formally defining those things, because then you can put them into context. So, you know, I’m preaching to the choir here, but for the listeners: information security is about managing risk, right? To information confidentiality, integrity and availability, using administrative, physical and technical controls. That’s our definition of information security. So then what’s our definition of privacy? Privacy is really just about protecting the confidentiality of one type of data, right? Identifiable data. So privacy, given those two definitions, clearly fits within information security, not the other way around. Yeah. And so, but over and over and over again we see privacy dictating what security does, because they’re treating security like it’s a compliance issue,

[00:46:22] Brad Nigh: right? Yeah,

[00:46:23] Evan Francen: not a risk management issue.

[00:46:25] Brad Nigh: Right, right. Yeah, I’m with you. If you do security properly, put the controls in place, you build it correctly, the privacy part is, you know, realistically, pretty easy to do. You’ve already got the fundamentals there.

[00:46:41] Evan Francen: Right? And that’s how you make a cost-effective, flexible, uh, effective, just effective in general, information security program and privacy program, as opposed to running them as two separate things or, uh, getting it backwards.

[00:46:58] Brad Nigh: Right. Well, you can see it repeatedly, you know, with the HIPAA violations that are out there, where they were doing a security risk assessment on the enterprise. They were doing privacy around this specific thing, but bad security elsewhere. Which just means your, your privacy controls are, you know, whatever. Why have them? Right?

[00:47:21] Evan Francen: Yep. Uh huh. So, we’ll have to keep fighting that battle. I think, hopefully, you know, people will define it, I think. And I’ve put those definitions forth I don’t know how many times, and I haven’t gotten pushback. So if somebody’s got a better definition, let’s discuss it. I certainly don’t have all the answers. Right? No. But until that happens, until we start getting together and really, okay, this is what we’re doing... and that’s, this is chapter one, right, of the first book: security people, we need to unite on that, this is what we’re actually doing, rather than just doing stuff. Doing stuff is fun sometimes. Well, we can certainly make a lot of money doing it. Right, right. All right. The last thing that they had in this one article is blockchain. So that, that caught fire in 2018, and it’s not new, right? Blockchain didn’t just emerge last year. Uh, but they said blockchain, wait until next year. What do you think about this?

[00:48:25] Brad Nigh: Yeah, I mean, I thought they were dead on, from my standpoint, in that, you know, I haven’t had a lot of time to look into it. It’s, you know, I think there’s a lot of complexity around it, which, like we talked about, that’s often the opposite of good security: complexity. So it’s got a lot of potential, but I think it needs to be better understood, a little more user friendly, and more people just need to be able to, to dig their teeth into it. There’s a lot of potential there. I...

[00:48:58] Evan Francen: think, I think there’s a ton of potential, at least in theory. But in practicality I haven’t seen it used anywhere other than cryptocurrency.

[00:49:06] Brad Nigh: Right? Yeah, I keep hearing about, we’re gonna do this around blockchain, but you don’t see anything, or it’s, yeah, we’re using blockchain, but it’s not really well defined. I don’t know. I think, yeah, it’ll get there, but I don’t know if 2019 will be the year either.

[00:49:23] Evan Francen: When I think, I think a lot of people will lose a ton of money in it too, because, you know, in this article, blockchain startups have raised billions of dollars in venture capital, and some of that stuff is just smoke and mirrors. Yeah, there are legitimate applications, and I think legitimate uses for blockchain, but I think a lot of those startups, maybe, you know, maybe they’re just not gonna do anything. Yeah, I don’t know. Mm. So if you want to know more about blockchain, I’d say study blockchain. It’s got, like you said, I think it’s got a ton of potential. Uh, it’s certainly around data integrity, more so than probably confidentiality, which is what most people focus on when they think of security. But yeah, it could be a cool thing. Yeah. All right. And the last article I’ve got for us to talk about is from the Business Insider, and this is The 21 Scariest Data Breaches of 2018. Scary. So there’s 21 breaches here, and you did a good idea, you did something good, you emailed me something just before we started. Uh, you want to explain what you put together?

[00:50:39] Brad Nigh: So what I did is I read through all of these, and I was like, huh, I wonder what the average time was that these were actually active. So out of the 21, only eight of them had any sort of start and end date defined, and a lot of those were still, you know, a month that it started and ended. So of the eight, the average time of the breach was 647 days. Shortest was 15 days. Longest was 1,523 days. All right, roughly.

[00:51:15] Evan Francen: All right, so you took the 21 breaches that were, that were defined in this article, and you tried to figure out when the breach actually started and when it was discovered, based on the news, and only eight of them you were able to find that information.

[00:51:33] Brad Nigh: Yeah, yeah, and that Business Insider article had some information on a bunch of them, which was really helpful, but yeah, there was a bunch, yeah, there was some I hadn’t even heard of, and...

[00:51:47] Evan Francen: Uh, okay, so of those eight, you’re saying the average time between the breach occurring and the discovery of the breach was 647 days. Yep. Wow. Two of them were over 1,000 days.

[00:52:04] Brad Nigh: Two of them are over 1,000. One of those, that, that was the SingHealth, Singapore health. It was the names and addresses of the Singapore government’s health database and patients’ history of dispensed medication. It’s a big one.

[00:52:20] Evan Francen: Right? There’s no HIPAA over there, is there?

[00:52:23] Brad Nigh: Uh, another one...

[00:52:25] Evan Francen: ...law they have there.

[00:52:26] Brad Nigh: Another one I was, I was really, um, oh, which one was that? I got to find it again. I think it was, uh, I can’t remember which one it was now. I got to find it again, scrolling through here.

[00:52:44] Evan Francen: Yeah, well, there are some interesting ones here. So Marriott, Marriott took the, took the prize, right?

[00:52:50] Brad Nigh: Yeah, it was, no, the number one, the Aadhaar, the private information on India residents including their 12-digit ID, as well as the database that stored their identity and biometric information.

[00:53:07] Evan Francen: How long was that one?

[00:53:08] Brad Nigh: It didn’t say. It was unclear when it started, when it was first breached, but discovered in March of ’18, and I, I spent probably, I don’t know, 20, 30 minutes trying to find a date, and I could not find a different official release for when it started. I don’t know.

[00:53:30] Evan Francen: Well, in terms of the longest time between breach and detection, it was Marriott, 1,500 days. Yep. And then SingHealth with 1,160. Google, the Google Plus breach. Which, man, they just... I hated the way they handled that, but...

[00:53:51] Brad Nigh: Yeah, they kind of dropped the ball a bit on that one.

[00:53:55] Evan Francen: Well, they were just so nonchalant about it. Like, so we’re Google, what are you going to do?

[00:54:00] Brad Nigh: Right.

[00:54:01] Evan Francen: It’s like, well, seriously, I mean, you deal with it. I mean, is there an organization in the world that has more or holds more data than Google? Arguably? Probably not. No. And to be, like, nonchalant about a breach like that, just crazy. How are they treating the rest of my data? Because, you know, they got oodles and oodles of data. I mean, how do I not? How do they not? Right.

[00:54:28] Brad Nigh: No, I’ll agree. So I did find, I just started digging again, for that Aadhaar, the number one: it was since at least sometime in 2013.

[00:54:39] Evan Francen: Okay, so it would be longer than Marriott, but we just don’t know the exact number of days.

[00:54:44] Brad Nigh: Right. So ballpark it, you’re probably looking, yeah, right around the same time. 1,500, 1,800 days.

[00:54:52] Evan Francen: There’s this company called Chegg. What, what is that one? Maybe you heard of it? Chegg.

[00:54:57] Brad Nigh: I know, gee, I hadn’t heard of some of these. I should have put the number that they were, so I didn’t have to keep scrolling all over the place on there to find it. Um, personal data including names, email addresses, shipping addresses and account names and passwords. It’s like, uh, I don’t know. Oh...

[00:55:24] Evan Francen: Yeah, some company you’ve never heard of lost your information. So...

[00:55:28] Brad Nigh: Textbooks. Education technology company that sells textbooks. All right. So it’s gonna be targeting people that, you know, students that don’t have a lot of extra cash anyway.

[00:55:42] Evan Francen: Right? But someday they will, assuming they graduate, right? All right. So we have, I don’t think we need to beat this one up too much. Uh, it’s good reference. It’s good, kind of entertaining reading, I think. So again, it’s the Business Insider website, businessinsider.com, The 21 Scariest Data Breaches of 2018, if you, you know, if you want to read up on it. All right, well, I don’t really have anything else to talk about today. How about you, Brad? Huh?

[00:56:15] Brad Nigh: No, I’m assuming you want to get back to the nice weather, and I’m gonna go put on some mittens, because it’s, like, just agree that now.

[00:56:24] Evan Francen: I’ve got writing to do, okay? As I look around at the people walking through and around Starbucks, uh, getting inspired to start writing again. So I’m moving back at it.

[00:56:38] Brad Nigh: All right.

[00:56:39] Evan Francen: Have a good one, man. We’ll talk next week. All right.