Password Hygiene and Best Practices

Unsecurity Podcast

Have we lost our ability to reason? Evan is joined for the second week in a row for episode 123 of the UNSECURITY Podcast to discuss reason and how it applies to information security and life. The duo also dives into password hygiene—what the importance of passwords is and how they each tackle passwords. Give this episode a watch or listen and let us know what you think or what questions you have at unsecurity@protonmail.com.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome listeners. Thanks for tuning in to this episode of the un security podcast. This is episode 1 23 123. The date is March 17th 2021. Joining me again this week, Two consecutive weeks is my good friend, Ryan Cloutier. Welcome.

[00:00:43] Ryan Cloutier: Thanks Evan. Glad to be here again.

[00:00:47] Evan Francen: Yeah, man we’re like friends and stuff. So this is like, this is like easy. You know, I can just talk and people listen and if they don’t like it, they just, you can just click the stop button on the according. Right? It’s cool. I dig it. Uh, so anyway, it’s uh, today is uh Wednesday and it is ST Patrick’s day. So for all the ST Patrick’s Day, people that do that ST Patrick’s day thing. Happy ST Patrick’s day. For those of you who don’t take offense to it. Just happy every day. Be happy today. That’s good. That’s

[00:01:25] Ryan Cloutier: good advice all around. I think that’s just sound advice. Try to be happy.

[00:01:29] Evan Francen: Yeah. Right. Trying to make somebody’s life a little bit better. I know that that’s what, regardless of how much we complain or hold people accountable or other stuff. Don’t confuse that with us being unhappy or confuse that with us not caring about people because honestly that’s the whole reason we do this, right? The security work we do after we care about people.

[00:01:51] Ryan Cloutier: It is it’s well can we say it all the time. Right? It’s not about information, it’s not about security, it’s not about technology, it’s about people, it’s about life skills.

[00:02:01] Evan Francen: Yeah. Yeah, totally man. So this past week I’ve had some really good conversation just like every week man, good experiences, awesome conversations, wonderful people. All these things I think, inspire us to do the best, you know, information security work we can. But they also give us things topics for us to talk about uh because there’s themes and all this stuff. So the topics that we have a really good show I think scheduled today we’re gonna start with talking about reason. You know the value in reasoning the value in logic where maybe it’s I don’t know you could almost like the case that in some places in our society we’ve lost that ability to reason. Um but why is it so important to security? Why is it so important to life? We’re gonna draw the parallels between the two. Um And then we’re gonna talk about passwords. That’s a great topic. Everybody likes talking passwords, right? Lambie loves passwords.

[00:03:07] Ryan Cloutier: I like the game show password. Do you remember that?

[00:03:10] Evan Francen: No, I don’t man.

[00:03:11] Ryan Cloutier: That’s fantastic. Yeah. If you ever find free time which we know you won’t but if you do go find it on the Youtube or on the game show network and the whole point of the game was you had to guess the

[00:03:24] Evan Francen: password. Nice. A bunch of, a bunch of little hackers like

[00:03:30] Ryan Cloutier: It. I’m pretty sure I dated myself. No, this is pre computers. This is like back in the 60s.

[00:03:35] Evan Francen: Right. Right. Nice. We’ll talk about passwords to about because I think a lot of times, you know us and security, we harp on these things. We don’t like them either. I don’t like passwords anymore than the people I talked to about passwords but I think we might miss occasionally why we even have passwords, why they’re important. We miss um what makes a good password versus a password using again, back to reason and logic. There’s a reason for it. Our job is not to make your life more difficult. Our job is to protect you as much as we can. Uh you know from some risks. And then I thought we would talk about what you and I do, you know and protecting our passwords. What habits do we follow? And I’ll be transparent man, I’m a transparent kind of guy. I’m not perfect at this Even 30 years of security. I’m not perfect.

[00:04:33] Ryan Cloutier: No, you’re human. And one of the things we’ll talk about when we get to that part is what are some of the human traits that are inherent that uh make passwords so difficult for us.

[00:04:45] Evan Francen: Exactly. Yeah. So we’ll get to reason, we’ll get through passwords and I mean seriously we can talk about any one of these topics for an entire hour or maybe an entire day, but we’ll move through that stuff pretty quickly and then we’ll talk about some mentions. I just want to mention when we get there about again the fr secure CSP mentor programs coming up about a month from now. So we’ll talk a little bit more about that. I want to talk about some developments about the s to me really exciting things happening with the S. To me, some of our listeners may not even know what the hell I’m talking about. When I say yes to me. You will, if you wait to the end, it’s really cool. And you want to know, uh, no. Close out with two news things. I just got to are, you know, two articles to talk about the news. Um, but that’s our show today. What do you think?

[00:05:35] Ryan Cloutier: Hey, it’s gonna be a good show.

[00:05:37] Evan Francen: Yeah, I think so too. Man, Look at, let’s talk about, let’s talk about reason. Um, this came up in a conversation, You know, like I said earlier, you know, the conversations I have with people get me thinking about,

[00:05:54] Ryan Cloutier: uh, you know,

[00:05:55] Evan Francen: what’s wrong? You know, what’s right, What do we need to do to make things better? And so you know, in our own, in my own backyard 11 Carver county Minnesota, right? Um, and the news this week in this neck of the woods is there’s a new variant of, um, coronavirus. And there’s still this sense of panic, Right? And so it got me thinking about, let’s reason through this. Let’s think through this, right? I’m not pro this or anti that. I’m, if I’m pro anything, I’m pro reason. Put the, put the emotions aside for a minute and let’s think through this together. Uh, that conversation led to this whole thing. Other thing, like I’m talking to another security guy about this and then I’m like, holy crap, this applies perfectly to what we do every day for a job.

[00:06:57] Ryan Cloutier: But you know what I find interesting about the word reason is it’s the root of another word reasonable. And so when you’re, when you’re asking yourself what’s my be, whether it’s information security, whether it’s dealing with this covid reason comes down to two major pieces. What’s my motivation and is my reason reasonable? Because if, if I don’t check my motivation, my reason may be out of line with reality. It may be out of line with what’s good or practical. Um, so for me personally, it’s, it’s checking the motivation for the reason and then it’s checking that reason against what I consider to be reasonable and, and just like in our, in our world of information security reasonable is one of those sticky terms that we throw around a lot, but doesn’t have a clean cut definition. Um, but I think generally speaking, we as a people have agreed that reasonable tends to fall within the middle of the scale, right? So whatever the issue is, there’s there’s going to be the extreme ends on either side. And we see this play out with Covid, we see this plan all right. You have extreme camps on either side. Uh, and then most of us fall in that reasonable place in the middle. So yeah, I think, I think one of the questions we posed is have we lost our ability to reason? And I think because we don’t do the two things that I practice, I think it’s because we’re not checking our motivations first. Mhm. And I don’t think we’re checking to see if our reasons are reasonable. And so I feel a little bit like we have as a, as a, as a, as a whole, you know, being a little bit of a blanket statement here obviously. But I think, I think we have started to lose our ability. And part of that is is, you know, the other piece of reason is debate. We’ve lost our ability to debate. We lose our ability to reason,

[00:09:08] Evan Francen: Right? Well, and I think, you know, in I like you, I’d like to defend people to, you know, I’m going to get why we are where we are. Things move so fast, right? You look at your calendar today, you look at all the stuff you need to take care of, right? And then you’ve got bills to pay, you’ve got, you know, if you have kids, your kids to raise, you have, you know, concerns about their health. I mean there’s just there’s a ton of things going on 10 and so we just jump, you know, we go fast, we jump to things assuming so many things and I think we even assume the route. You mentioned the definition of reason, even the definition of reason. So I’ll give you, you know, I have the I have the advantage of having a computer sitting here right in front of me. So if you’re in your car listening to this, you know, you don’t have this advantage. But the definition of reason is the power of the mind to think, understand informed judgments by a process of logic. So the keywords in that logic, logic is beautiful. I love logic and I think that’s what one of the things that makes security people really good is their ability to use logic because that’s how computers operate. That’s how programs operate. They only do what you tell them to do. They arrived at a conclusion only because something or somebody told it to arrive at that conclusion. So logic is beautiful. It follows a series of steps to get to a conclusion. Even we do that right with our A. D. D. You and I have this common diagnosis of A. D. D. I get to places where I get it may seem random to the person on the other side who’s listening. But I got there through logic, believe it or not, there are a series of steps that got me there, yep.

[00:11:07] Ryan Cloutier: Uh Well and it’s part of that is I think for us as those who have A. D. D. A. D. H. D. S, logic helps build structure right? And structures so important to navigating this in a healthy way and then structure is so important to what we do in our work, right? So we have to have that logic, we have to have and you’re right, those of us that are true practitioners of the craft, Not just those that maybe are in the business or sit in and seats of authority in the business, but true practitioners of the craft. We have to be logical because that’s the only way we make sense of all of this. I’ve got 10,000, you know, pieces of telemetry coming in, which one is an indicator of compromises. So I figured that out. What’s the process behind that? So I think it’s it’s very important and I wonder how many people take the time, especially we’re talking about, You know, I’m gonna pick on c cells, I’m gonna pick out cereals for a second, how many of them truly take the time to go through that logic structure. Go through the rationale behind the decision. How many

[00:12:19] Evan Francen: people, how many of them have the time. Sometimes

[00:12:22] Ryan Cloutier: this is true as well, that’s that’s

[00:12:25] Evan Francen: the that’s what’s also that’s why one of the things, you know, I say it it takes in in our industry become a really, really good security person. Three things because I like simple to write when you can boil down the complex logical things in the simple components. three things it takes to be a good security person. The intangibles, right? If you have the gift or you don’t have the gift, either you’re ethical and dependable or you’re not. Uh So one is the intangibles. The second is experienced, and the third is education. So when you talk about having the time, people that have more experience can process through the logic much quicker than those who have right? I’ve been here before, I’ve seen this before, I know where this goes, I know how this works now. And that’s one of the challenges with csos that don’t have the necessary experience. They haven’t been through this before. They can’t think that quickly because they haven’t seen it. It’s not because they’re dumb because efficiency in the way they process information. You just never processed this information before. This is new. That’s understandable again. And so, and you mentioned also, uh, you know, on the topic of logic, there’s a pendulum. I think so, I’ve always thought of this as being two sided, right? You’ve got logic on one side, I’m making decisions based on pure logic. If you make a decision based solely on logic, I think you miss out, potentially on the emotion piece. By logic and emotions seem to be somewhat opposed to each other. Right? So you’re on this pendulum. If you kind of like imagine it visually logic on one side, emotion on the other swing too far to one side or the other. Like I make a completely emotional decision logic. We got no logic, knee jerk. Right?

[00:14:25] Ryan Cloutier: Done.

[00:14:27] Evan Francen: There might have been a little bit of logic sprinkled in there somewhere because your brain is still you know, you can’t just use one or the other solely. You’re always influenced by one or the other because you can also go solely on the logic side because I have been accused I’m very I like logic but my wife has accused me sometimes of being where’s your emotion? Right? You’re too damn logical. Bring it back a little bit.

[00:14:53] Ryan Cloutier: Well that’s nuance for me. That’s nuanced. The emotional piece is the nuanced piece right? Because because you’re right, human beings aren’t just cut and dry. We don’t just fit into this tight neat little box. Um But I think even to your emotions there’s a certain degree of logic that can be applied. I know for myself as one who you know deals with the mental health aspects of of A. D. H. D. You know I have to ask myself sometimes why do I feel, right? So I have to take that emotion that thought I’m having this emotionally driven and in order to properly process in a healthy way, I do have to put that logic filter on top of it say, is this a reasonable way to feel right now? You know,

[00:15:39] Evan Francen: I don’t

[00:15:40] Ryan Cloutier: feel that way in a couple of days. Is that is that still reasonable?

[00:15:43] Evan Francen: Yeah, this is beautiful because if logic is on one side and emotion is on the other and it’s really not possible without I think a disorder of some sort mental disorder of some quotes, some sort I can’t make purely purely emotional decisions. There is some logic sprinkled in. I also can’t make purely purely logical decisions. There is some emotion sprinkled in. So let’s take that too. This thing we call information security, right? We were having a discussion. I’ve had this discussion many times. Are we secure? Well, what the hell do you mean by that? What do you

[00:16:27] Ryan Cloutier: what’s your definition?

[00:16:29] Evan Francen: Right. And so you know, we’ve we’ve had this conversation with you know, business executives. Well, it’s keep me out of the news. Why translate that in my logical brain to be keep me out of the news meaning eliminate risk. That’s the only way I could keep you out of the news. If there if there was zero risk we’re gonna have a breach. Right? So going back to that pendulum, zero risk not possible.

[00:16:57] Ryan Cloutier: Right. Well it’s it’s not right? There is no, I mean what’s the old adage, the only secure computer is one that’s powered off and put in a chipper shredder buried in concrete dumped in the marianas trench. And even that

[00:17:12] Evan Francen: anyway, you can have zero risk is to not exist,

[00:17:18] Ryan Cloutier: right? And even that, that, that then presents the risk of not existing, right? I mean it’s

[00:17:23] Evan Francen: right.

[00:17:24] Ryan Cloutier: And then the others that also often

[00:17:27] Evan Francen: spectrum to the other side of the spectrum would be infinite risk, also not possible. Right? So define, so we define reason, let’s define risk, risk is the likelihood of something bad happening and the impact if it did right? And so you do this balancing act. And the reason why this is so important is because in our craft in information security, the job is not risk elimination, nope, stop chasing that. It will never happen. And also isn’t just putting your hands up and like assuming that everything is going to go to shit because that also isn’t going to happen. It’s somewhere on that pendulum. So when I’ve had, you know, and I was telling you the story about the CFO who, you know, he was a peer of mine before, you know, when I had a real job. No, I don’t, I have a real job, I just do stuff, but the he would ask me every time, not every time, many times he would ask me Evan, are we secure? I don’t know what that means in my logical mind secure is somewhere on the spectrum, right? Somewhere on the spectrum between infinite risk and um no risk. You’re, you’re asking me for something definitive on where we had on that spectrum

[00:18:52] Ryan Cloutier: well. And I think to there’s a there’s a desire to want to eliminate that risk and by doing that, especially with a lot of the blinky light solutions out there, you end up introducing more risk and the risk you were trying to eliminate because to your point you can’t eliminate it, it’s it’s going to always be there. That’s why we have a term for it, residual risk, right? The risk that’s left over after we’ve done literally everything we can possibly do and we still have that residual risk. But I do think because of a lack of reasoning when we’re doing things like selecting solutions, when we’re deciding how to attack these risks, what are we going to do about it? Um I think because we’re not we’re not applying as much reason and logic to those decisions. I think a lot of times those decisions are more emotionally driven, A great sales call. I really feel good about this call about this product. It made me feel like I’m doing my job well, it makes me feel right. I think a lot of times those purchase decisions are rooted in that, not pragmatic, what does this really do for me organizationally, what does this do for me from a risk management mitigation limitation perspective. I see it all the time.

[00:20:19] Evan Francen: Right? And so you keep them on to my biggest beefs that if we could solve these problems, I think we’ll go a long way to solving lots more problems in our industry. One is our misunderstanding or not understanding what the goal is. The goal is risk management. In order for me to understand risk management, I have to first assess risk, make risk decisions. It feels very mechanical the first time you do it. But going back to the reason for that experience thing, once you become experienced in this and you get over the uncomfortableness of it, it’s second nature, right? When you see things around information security, it’s like that’s probably a risk that I’m not willing to take. Right? You make these risk decisions very quickly. You do assessments very quickly in your mind. Now you have to go through the mechanical peppery Yes, no question. Pain in the butt part. First, before you get there, one is my that’s the goal. Risk management. And people don’t do risk management. The second pet peeve a have or frustration in this industry is the inability to put risk in the context. Right? We see CSOs do this all the time. We see other security practitioners do this all the time. You can eliminate a specific risk. Maybe in the whole grand scheme of risks that you need to manage, Right? I eliminate that one. Risk at the expense of what? Right now, let’s take this. So that’s security stuff. Now, let’s take this to life, eliminate the risk of coronavirus potentially, but I locked myself in my house. I put a mask on by totally isolated. That comes with a cost. You write that. You didn’t put all the other risks in the context or maybe you did mental health issues, substance abuse issues, relationship issues, quality of life issues, on and on and on. The same thing happens insecurity. By the way, you focus on this one vulnerability. This one thing you’re now, you’re no longer focusing on training and awareness. You’re no longer focusing on governance. You’re no longer focusing on, uh, you know, logs, whatever.

[00:22:33] Ryan Cloutier: So, so what you’re telling me is if I focus on patching exchange while becoming blind to everything else, you mean the bad guys might still be doing something bad while my attention is elsewhere. Hey man, shocker

[00:22:47] Evan Francen: right? For us and for us it now with the experience that we have to wait. We can we can clearly say that. But obviously to other people in our industry, it’s not obvious because they make this mistake continually. Because I think when we’re confronted with the risk that we don’t understand, we have usually one of two things that we coat men do. One is we go ignorant, not my problem. I just I don’t care. I’m going to ignore it. I got security people who handle that. All right, well, that’s wrong because this is yours to handle. This is your risk. These are your risk decisions. That’s one thing. And I think another thing that we potentially do when we are confronted with a risk, we make ourselves victims because now I’m manipulated, right? I can be manipulated by fear. I can manipulated by somebody who comes and tells me that they can fix something. Uh, that maybe they can’t, but I don’t know any different because I didn’t take the time to understand what it is that I’m trying to protect myself against. You know what I mean?

[00:23:58] Ryan Cloutier: But you know, and this goes back to my analog human digital world and the incompatibility. I have a theory that we don’t process the intangible risk of the digital world, uh, in the same part of the brain that we process physical risks to your point about experience can help with that, right? Because we’ve seen it. We kind of become those creatures of habit. Oh yeah, Okay. The hot thing is hot, hot is not good. We learned these habits when we get into the digital world. We don’t have this, we don’t seem to have the same ability to look at the risk with our natural inherent risk center, right? As a human being. The reason you’re alive today is because there’s a part inside your brain that says risk. For example, if you’re in a car right now in the semi truck gets too close to you. You’re going to feel that there will be a physiological response to that risk, We don’t have that in the digital world. And I wonder,

[00:25:03] Evan Francen: but I do

[00:25:04] Ryan Cloutier: have a wolf,

[00:25:06] Evan Francen: I do have that in the digital world.

[00:25:08] Ryan Cloutier: Well you do, I do chris does like folks that are kind of fired our way. I think we do feel that. But the average person that I’ve interacted with it or yeah, out of dozens doesn’t see it the same way. And it takes it takes that time to explain it. It takes reasoning with that reason to walk them through this to say, hey, here’s a physical life risk. Yeah, I get that, that makes sense. Now let me do an analogy of a corollary to this digital and then they go, oh okay, ah ha I get it now. But I don’t think naturally it’s there. I think it is something that you have to train. So I wonder if part of being a C. So is you know taking some kind of exam to show that you can contextualize risk. Some, you know, there’s got to be some kind of requirement if you will um to demonstrate that ability. I know if I’m a ceo and I’m hiring a C. So if I knew that that C so couldn’t contextualize risk and I understood that the lack of that ability to put my business in danger, I would want to see. So who could protection lies risk. So I wonder how much of this is. We haven’t set the expectation. We haven’t shown the value around that capability. Uh, you know, because if the system started to know, hey, I have to be able to do that in order to be qualified for my job. I think I think that one kind of self solves that on its own right. But it’s setting that, but we can’t, we haven’t done, we haven’t done the necessary groundwork to have those conversations yet. Most ceos go to your point earlier. Well, I’ve got, I’ve got to see. So for that I’ve got a security guard for that. I’ve got, this is not my problem because I don’t understand that. It’s my problem.

[00:27:04] Evan Francen: Right? Yeah. Yeah. Well, and so you know when you mentioned, you know how the brain functions, it assures me the fact that I do know people that can reason through this. The fact that I do know people who have learned this behavior I wasn’t born with, You know, there’s not something magical. There are certain things for sure that are unique and beautiful and magical in people. But that’s not the things that are making me able to do things that other people can’t with security. What makes it, it’s a learned behavior. I didn’t, you know, fall out of my mother’s woman go, oh, that firewall is configured wrong. Right, right. You had to learn this stuff. And just like I had to learn physical risks, right. I had to learn. I had a parent who told me, don’t put your hand on top of the stove,

[00:27:58] Ryan Cloutier: right? And

[00:27:59] Evan Francen: even then, well, I don’t know if I believe you. So I’m gonna try it anyway and damn that hurt,

[00:28:04] Ryan Cloutier: yep. You know, but, and that’s to come.

[00:28:07] Evan Francen: I grew up in a car in the back seat of my parents car watching them drive. I knew yellow, light, green, light, red light, I knew that. Well then that light turns yellow. I could see my father looking both ways that can, you know, should I go stop with my speed? I mean, you can think through those things. It was a learned behavior and I think we can do that here. I just, we need more people to do it.

[00:28:31] Ryan Cloutier: We do. And it’s, and it is, you know, and I go back to, is your reason reasonable. Um, for myself, you know, we’ll talk on this covid thing for a second, right? So for myself, as you well know, uh, this has been a very challenging year for me, uh, to the point of, of, you know, even maybe spider personality change because of the constant at home and just the shutdown nature of, of the way things are bad around here. And so I took a quick little trip somewhere to get a taste of a life. I used to have and it was so good for me. It was so good for my mental health. It was so good now did I make some risk decisions? Yes, I had to reason through this. I’m going to get on an airplane. Oh my God, this is like the scariest thing ever. Right? And what about other people? I care about other people. It is my decision putting them at risk. And so as I thought through this as well, everybody on the plane made the same risk decision I did. So I don’t feel bad

[00:29:35] Evan Francen: or they’re just really ignorant

[00:29:36] Ryan Cloutier: or there is well let me say it differently. Everyone on that plane decided to get on that plane and with that came inherent risks. One of which could be covid, one of which could be the engines starting on fire in the plane going down. Right? So they inherently we all chose either consciously or subconsciously to accept that risk. Uh huh. But by doing so I traded wall one of of true bad places mentally of going to two levels of depression and other things that are, that are unhealthy or I could put a little bit of my physical health at risk potentially to save by mental health from further deterioration and as you also know, because that was so good for me when I got back, I quickly realized I need some more of that. So I will again be going and getting some of that that I need and again, I’m going to be making trade offs here making these risk decisions. But the reality is, is the risk of my physical health right now is less concerning to me then the risk to my mental health to continue to operate in isolation. You continue to

[00:30:49] Evan Francen: see and you have the ability to put risk in the context, right? Because you understand that physical health, mental health and spiritual are not inseparable, nope, just like information security, privacy and safety are not inseparable.

[00:31:02] Ryan Cloutier: They’re the same thing, Different names, slightly different. They’re very close. They’re all, they’re all say, well, I say it this way, they’re all parts of the same hole,

[00:31:12] Evan Francen: Right? And so because I also went through the same thing and um, and that’s why, you know, when Covid first started broke last year, I spent hours and hours and hours and hours hours. I mean, I’m not a medical professional. I’m not a, you know, I’m not a scientist like that. I’m a data guy. So I’m trying to make sense of this. Where is the reason and why we’re doing what we’re doing, what’s the reason behind because some people will just jump and just think it’s well you are a mass because you don’t get other people sick, you do this thing because you just a lot of people just kind of take what’s fed to them as opposed to let’s use some reason to figure out what’s reasonable like to your plan. And so I did all the, all the math I could think of. You know, I’m not, I’m also not a math genius, but so many of the things that we were doing didn’t make logical sense to me not to say that it wasn’t logical sense behind it. I don’t know. It just didn’t make logical sense to me. I couldn’t make those connections in my brain. Yeah, call me you know, because another thing that I learned that it just drove home so consistently and it still happens today and it’s maybe always happened is people who can’t defend their position do one of two things. They either change the subject or you attack my character. So when I tell you, I don’t understand the logic behind whatever, right? And something that’s as touchy and and fear filled and misunderstood as a coronavirus pandemic that none of us have ever been to before. Instead of engaging me in discussions about, let’s go down the path of talking logically reasonably about this. Normally, what happens is I get attacked, Oh, you’re an anti-vaxxer. I never said I’m an anti-Vaxxer. I plan on getting the vaccine. I’m signed up to get the vaccine. I understand the logic behind getting a vaccine to protect myself from a virus. I get that one right. And so you go forward to where we’re at today after a year and I’m still trying to make sense of things. Certain things I play by the rules, right? Because I do live in a society of rules, right? Society says in the state. I live in there’s a mask mandate. Well this is where I live. I will wear my mask, right? We can talk about the logic and all that other stuff trying to figure that stuff out. But another thing that frustrates me that I can’t, I’m trying to figure out right now is, um, you look at the state of California who did diametrically opposed things to the state of florida, right? Take the politics out of it. Take the emotion out of it as much as you can. Use logic. Use data. Why are the, you know, the rates similar in one state versus the other states, Right. And there’s all kinds of hypotheses and I like those too, right? Because you can, you might say, well, you know, you’ve got greater population density in California than you do in florida. Fine. Let’s go down that path. Let’s understand that. Because I want to make sense of all of this as much as I can so that I’m not driven by fear. So I’m not a sheep who just does what somebody told me because believe it or not, there’s lots and lots and lots and lots of people giving you information that don’t have your best interests at heart. I know that.

[00:35:01] Ryan Cloutier: Yeah. And we see that, you know, to bring the fear aspect for a second back to information security and how that plays a role. You know, a lot of folks today are very afraid of ransom where they are very afraid of being in the news, there’s there’s very much an element of fear and just like with the coronavirus, you know, part of that is the way the media is handling certain things. You know, whenever we hear about cyber attacks and events and a lot of times it’s very inflammatory language, it’s it’s very pumped up and puffed up. Um, and so if these leaders, you know, that’s where they’re getting their take on things, you know, now they’re now they’re in the sphere position. So when a vendor comes in and says I got you right, my thing, he does all the magic. It’s got invisible processes and quantum entangled wizards that will will magically fight the hacker story. Okay, I say to myself man, I’m afraid, and this person is the first person that says something that allowed me to start to anchor back to call

[00:36:10] Evan Francen: and they sound incredible,

[00:36:11] Ryan Cloutier: didn’t and they sound incredible. I need me some of that. And that decision again, because of the fear element back to what we said previously? That’s an emotionally driven decision. That is not a logic based decision logic based decision would be how many threats do I see against my network daily? What are the types of threats? Where are they coming from? Our their commonalities now taking that telemetry, that that fact based logic based data and applying that to this solution, I’m being offered that has, you know, to quote chris numpty. It’s in it. Um you know when I do that I go well that doesn’t actually solve my problem well and there’s the there’s already of this stuff that just gives me more stuff to look at in a busier screen that also alerts. So there’s

[00:37:07] Evan Francen: your keyword problem, what’s the problem

[00:37:10] Ryan Cloutier: correct?

[00:37:11] Evan Francen: Right. So logic would leave me one. Is there a problem if there is a problem? What is the problem? Right. And then the next question for me is is it worth solving? I have other problems, believe it or not. I have lots and lots of problems. Is this the one to solve right now or is this one I can differ for later and then? And this is all part of risk management too. Right. You can make those corollary, those correlations between risk management and the same process. Do I have a problem? Uh What problem if so what problem do I have? Where does it fit with all the other problems and then how would I solve it? Yeah. Right. That’s a logical approach to life mythological approach kind of everything? Right. Versus oh, should I have a problem? I better okay I better without going, do I really have a problem because when you’re driven by here, you expose yourself to that right? When you don’t And where does fear come from? Here comes from failure to understand something I’m not afraid of things I understand,

[00:38:21] Ryan Cloutier: right? Because

[00:38:25] Evan Francen: I don’t want to take that risk. So don’t confuse my avoidance with fear. There’s logic behind the reason I avoided it.

[00:38:32] Ryan Cloutier: Well, there’s logic behind your fear. Fear has kept our species alive until now. I mean, it is, it’s also killed us. It has. But traditionally the fear of unknown. If we go back to our biological roots, the fear of unknown is rooted in something in the bushes made some noise and that something might eat me. So I don’t know what that something was. So I’m going to create distance between me and it until I have a chance to properly assess the situation. Even gave reason

[00:39:03] Evan Francen: understanding, right?

[00:39:04] Ryan Cloutier: Yes. Even cavemen reason. They said, whoa, whoa. Bush’s move. Well, is that dinner or are we dinner? I don’t know. Let’s let’s back up a little bit. Let’s let’s assess the landscape. Oh, that’s a buffalo. Buffalo is good. That’s dinner. Let’s get it. We understand it. Ooh, what is that striping thing that I’ve never seen before. So it just ate my friend. Now we know now we know that’s a tiger. We stay away from those, right? But I think in information security, we’re still at a caveman status. We haven’t yet understood the world. We’re standing inside of enough to know that when the, but when the bushes are rustling? Whether it’s dinner or whether we’re going to be dinner. And I think that’s a core part of why we’re not able to effectively reason Is that we don’t truly understand what we’re standing in the middle of right now. We moved so fast and you and I talked about this all the time. We moved so fast and we built up something, take stock for a second and realized 25 years ago, life was very, very, very different. Mhm. The way we conducted ourselves, we went to the bank on a regular basis because oh yeah, you had to, you know, it was I just watched a documentary about blockbuster Last blockbuster, right? That whole part of life is gone now that that experience that we all shared of going and picking out a movie and going and just that whole process vaporised. Well that didn’t just go away with that so many other things went away and now we’re standing in this new world we’ve created and we don’t fully understand what we’ve done. And those seesaws that are responsible for those companies. Well, they’re just humans to who are also standing in this new world, not fully understanding what we’ve done?

[00:40:58] Evan Francen: Right, Well, and so there’s um you know, well as you’re talking, I’m thinking about how do you fight or how do you build better reason? How do you learn better reason? And I, and I think the way you do it is you question everything, why, why why I have, you know, I was just talking to a really experienced see, so with lots and lots of years of experience, I showed you your resume. This was monday. I show you his resume? He’d be like, damn. He knows what the hell he’s doing. Well. He he wants to leave the organization he’s working at and wants to go somewhere else, right? And and so you know, he’s telling me about this and I’m like, so where do you want to go? What are you looking for? Why? You know? And then I had another conversation that same day. So going back to the these conversations with people lead to these types of discussions. I had another person who I said, you know, he was saying what his goal was in this industry. He’s relatively new. He says I want to be a C. So so I said why? Uh huh. Why do you want to be a seashell?

[00:42:12] Ryan Cloutier: Yeah. Seriously? I mean really? Why why would you want to be

[00:42:17] Evan Francen: Right? And so I shared that discussion and that discussion went on for a long time and I shared that same discussion with another c. So friend of mine at a Fortune 100 company awesome guy. And I, you know I said, you know, did you ever think did you ever question yourself? Like why do you want to be a C. So he’s like, oh my God. Yeah, but it wasn’t until I got here right. You know,

[00:42:41] Ryan Cloutier: and he said I was out when I was really standing in, right?

[00:42:46] Evan Francen: So I think the way you reason through things is it’s okay to question. It’s okay to wonder it’s okay to ask why, why, why why are you telling me I need to do this? Why are you telling, you know, why do I, what do I behave this way? Why am I making this recommendation? Why all those wise it’s healthy do that because that provides a logical, reasonable foundation for why you’re doing the things that you’re doing

[00:43:18] Ryan Cloutier: well. You know, what’s interesting is it’s a skill that you have in your youth that we somehow seem to lose the value of as we keep if you’ve ever met a child Of what a five year old take a five year old. That is a basket of why every other word out of the child’s mouth is why why why? Why? What? Right? Because they’re trying to build understanding of their world and we in information security, I think could learn a lot from having that five year old mentality of curiosity and question because I don’t think we truly understand the world we’re in right now. I think we’ve built it up and it’s so complex and it happened so fast that nobody has really taken the time to step back and take stock and go, whoa! We fundamentally changed everything. That means we move the risk from the physical world into the digital, We’ve created a bridge where physical risk can have digital impacts and digital risks and have physical impacts. Great example is the data center that burned down in France and that was a physical event that has long reaching portal impacts to the companies that didn’t have a good day. Our plants.

[00:44:33] Evan Francen: Well, when I grew up, I grew up through this transition like you did. And so I’ve never been able to logically separate physical security from logical security. I’ve never been able to separate them because when we talk about information security, what we’re trying to protect originally and still today is information. Well, information comes in various forms. It’s always come into physical form. It’s always coming up, you know, not always, but become what I actually has always become in a logical form to through storytelling and things that people would exchange in person to person networking. So I was never able to separate them. I’ve never treated them as separate,

[00:45:12] Ryan Cloutier: you know, but many people do because they didn’t, they, you know, they, so many folks don’t understand how it works. I thought I had a conversation the other day with, uh, with a fairly well educated security person who you didn’t really no near as much as the resume would have led you to believe, right? They were asking some questions that were like, wait a second. I thought you had these accreditations. So how could that still be an open question. Um, and again, it’s that whole rush to do it and everything’s become very niche. I mean, how many times have in our career So we run into a network security guy but I wouldn’t let within 1000 miles of an application. I’ve met an application security guy that I wouldn’t let within a million miles in my infrastructure. Mhm. How many times? And and if you were to ask an outside person, you know? Well they’re both the same security person, right? They they work in information security, they work in I. T. That’s that’s the thing. But those two humans have a vastly different understanding of risk, risk profiles, how risk occurs and you know I I know I’ve run into the network guy that’s so laser focused on the network that it’s well the network you know it’s that where the whole perimeter idea of perimeter security came from and then you know the the ap team just needs to do their job better. It’s not me, it’s them. And then you know then we had to create a whole separate industry devops to deal with that

[00:46:41] Evan Francen: when how often do we feel intimidated to? I mean this is another bridge between information security just everyday life. How often do you feel intimidated by asking why? Right you’re in a meeting. I mean you’re in a meeting and you know someone says they want to do something to the infrastructure or whatever whatever the thing is. Right and it’s going to affect you and affect others and so but you’re in this meeting with your peers and everything and you’re like I gotta save face, right? I don’t want to look like, I don’t know what I’m talking about. I

[00:47:13] Ryan Cloutier: don’t know. We shame curiosity. I don’t know why we shame curiosity, but you’re absolutely right. It’s nobody wants. You wanted to go, hey, I don’t know. Even though the smartest person or by the way is the one that asked the most questions or

[00:47:25] Evan Francen: you are you, there’s this lack of respect to write because I may ask you the question why and you’re you and you take it as me challenging your authority, be challenging your um your decision making when really give me the benefit of the doubt. The reason I’m asking why is because I don’t understand and it’s okay to not understand. It’s not okay to continually not understand, right? But the only way I’m gonna get out of this not understanding bucket that I’m stuck in is to ask why is to question right? Take the same thing to life right? I don’t know if you’ve ever had a discussion with, I was talking this morning to Peter. Yeah. And I was talking about twitter right? How comfortable do you feel about stating an opinion or questioning why? Um on twitter, you know, if somebody says, you know, say something about politics for instance. So you got an anti Trumper or you’ve got an anti biting her, it doesn’t matter which way you go And they’re touting whatever, whatever, whatever. And you ask, why do you feel that way? Why are you saying that? Oh my gosh, you will be ostracized. You might even get banned from twitter for why I don’t understand. I’m not, I’m not trying to spread this information or anything else. I don’t get it. Help me right, that’s twitter. The same thing happens when I talked to friends, potentially if there’s not that mutual respect, right? I’m text and ostracized me if you want. I’m traditionally a pretty conservative guy right now.

[00:49:14] Ryan Cloutier: I would say yeah, but not, not wacky concerned. You know, I’ve known you for for some time and I can I can confidently say that yes, you’re conservative, but you’re not you’re not that wacky type. No.

[00:49:28] Evan Francen: Well and so and I say that because I want to be challenged is my world do incorrect? Am I wrong in the way I’m thinking? Because when I engage with people like, like I don’t use Peter, Peter’s more liberal than me. I love Peter right? We’re not going to let this get in the way of our relationship, I will ask him questions about why you feel the way you feel about certain things. He doesn’t attack me for it. He explains it to me. I’m like, okay, good and I’m not trying to change your mind either. I think if anything I want to make sure that you can defend your position. You are using logic to come to the conclusion that you’ve come to. Right? And so um this stuff has to happen, right? We have to have these conversations whether it be in life or over in information security, why? Why are you asking me to do change my password all the time? Why are you telling me I have to VPN all the time? Why are you you know all these things that we’re doing? Why? To what end? For what reason?

[00:50:36] Ryan Cloutier: Well, and to that before we move on to the password piece, Actually, we’re gonna

[00:50:40] Evan Francen: be passwords next week. I decided when we do passwords next week, is this longer than I expected? Okay. All right. I love by the way.

[00:50:48] Ryan Cloutier: So so you know, we asked the why one thing that I have found is when answering someone’s question about why it needs to be meaningful to them if you want them to understand it. If you give them a why that only has meaning to you. Right? So let’s pick on vendors for a second. So why should I buy your product? Well, let me give you all the reasons I think you should buy my product because my product does this cool thing that I care about. This cool thing that I care about, right? And so the why is coming from that perspective of the things I care. But if I want the person to really understand, I have to give an answer that is meaningful to that human. I use this when I talk to parents. Okay. So, so hey mom, Hey dad, you know, you need to do threat monitoring on your kid. Why? Well, let me explain a couple things first. Your kids more likely to use their school email address to sign up for accounts that you don’t know about. This is a great way to check that. Trust you the event. That’s a great way to stay on top of these things. Uh, if your child’s account gets compromised, their future is potentially jeopardize their ability to get credit, their ability to have an identity that is not flagged on the no fly list because it was used by the drug cartel as a false identity to move drugs around, right? You have to take the time to explain it in a way that matters to them. If you don’t, then I just say, Hey mom and dad, you know, you want to monitor your kids know I want to respect their privacy, right? So if I don’t take the time, you know, and if I just give him my wife, hey the boogeyman, right? If I get my wife, Yeah, Well you know what? There’s a lot of boogie man and I don’t have time for boogie men right now. But if I take time to explain potentially their future is jeopardized, whoa, I’m their parent. The last thing I want is their future jeopardized. I’m now going to do everything in my power to gain understanding on this topic so that I can reason because I want to keep my kids

[00:53:12] Evan Francen: safe.

[00:53:14] Ryan Cloutier: And, and the same is true in information security, you know, and if you are a vendor and you’re selling a product and you can’t help your customer understand why it matters to them. You’re, you’re doing it wrong. You’re part of the problem.

[00:53:31] Evan Francen: Well, I think so jay the advice I would give is, you know, is to ask ask yourself why often get comfortable with that. Get comfortable with. Why am I doing this? Why am I giving this advice? Why am I making this decision? Why am I leading in this way? Because that really opens yourself up for improvement. It does, it makes you a better person. It makes you a better leader. It makes you better security person. Um, it also makes me a better educator, right? I can explain to people why we do the things we do the way we do it. Um, so as as somebody who’s out there doing things question yourself. They also don’t beat yourself up. Right? That’s that’s a slippery slope question yourself. Why why? Why all the time? And also as a, as a questioner? Yeah. Get comfortable asking why now the challenge. There’s two things that I want to give for advice on that. Um, if you’re the person receiving the lie. So I’m taking a stand, whether it be in politics, whether it be in security, whether it be in the coronavirus, Whatever I’m taking a stand on something. Somebody asked me why I become an answerer. Here’s my advice to you. It’s a door opener. It’s not an attack. It’s a door opener. It’s an opportunity for me to share with you. The reason I believe the things I believe the reason why. Reason. There’s reason. Again, the reason why I do what I do. It’s an opportunity to make somebody else’s life better, right? It’s not an attack on me asked me why I asked me why all the damn time. Please. Maybe I don’t even know why the hell I’m doing what I’m doing and then I’m just wanting to like endlessly don’t let me do that. Ask me why. Right? So that’s that’s the answer now on the question or side of things. I know how uncomfortable it can feel to ask somebody a question, especially a touchy subject that you might get your ass beat for it, right? But as a question, I want you to feel like this inside that you are on the right path. It’s okay because people who can’t defend their position with reason, that means that they’re wandering right. They can’t defend themselves in terms of why they believe what they believe, why they’re doing what they’re doing. They respond in one of two ways. Either change the subject, right? So I’m gonna ask I want to talk to you about, why I’ll take something touchy that’s in the news right now, why are the death rates and things in California the same are similar to those in florida right now, that’s a touchy thing. People either change the subject or they’ll attack my character. So when you’re asking that question and somebody does that to, you know, that that’s that’s where it’s at. It’s okay.

[00:56:33] Ryan Cloutier: Well, and I’m going to add to that because I think there’s a way to limit that happening. So if you just asked why without some color around your motivations for asking why, I think you do create a more accusatory type of question. I think if you if you say, uh I would love to gain a deeper understanding of why you believe what you believe and how you got there. Like I’m interested in really understanding this and that’s the motivation behind my why. I’m not questioning your authority. I’m not questioning the decisions you make, that’s not what I’m doing here, I’m not I’m not calling into question you or your decision or saying that it’s right or wrong. I may do that later. But right now I’m simply trying to gain understanding so that we can communicate better. And I think you do need those extra words. I do think you need to, especially if you’re dealing with a personality that you know, is going to be more resistant or maybe they’re just a caustic personality and you know, but you should still, you shouldn’t shy away from asking why. But there’s a the answer of solid ground a little bit.

[00:57:45] Evan Francen: Yeah. And on the answer side of things too, if you do get that question that does seem like it’s challenging ask that right? Instead of just firing back some kind of like, you know, escalating the things you get, Hey, why do you feel that way? And you take that as like, are you questioning my authority? Ask that? Are you asking why? Because you really want to understand why? Or or are you asking why? Because you don’t think I you know, you think there’s some deficiency in me or this is some attack on my character. You can have these discussions when you have this basis of respect, right? I respect people enough to be to engage in this way. Right? And I think especially now in the world we live in, we’re going so damn fast. We don’t how you doing. I’m good thanks. And then off they go, right, let’s let’s get a little more going because we have believe it. I mean where we’re heading if you use logic and our experience that we’ve gained over the years in this industry where we’re heading is a very dark bad bad place.

[00:58:55] Ryan Cloutier: Yeah, it is, it’s quite scary actually.

[00:58:58] Evan Francen: It’s going to make the pandemic look like walk in the candy store

[00:59:03] Ryan Cloutier: just if you can stop using Orwell and Black Mirror as your guide posts for the society that we’re building. That’d be great. Just saying

[00:59:12] Evan Francen: please,

[00:59:13] Ryan Cloutier: if you could just five minutes just back away,

[00:59:16] Evan Francen: you know?

[00:59:18] Ryan Cloutier: Um No, I agree.

[00:59:21] Evan Francen: I’m sorry man, I I need to move forward because I need to get this, you gotta closing thing on that.

[00:59:25] Ryan Cloutier: Uh No, just just to say, I think you know again, you know the reason, what’s your motivation behind it is your reason reasonable. Have you asked enough of the questions why in a respectful manner of yourself and of others?

[00:59:40] Evan Francen: Yeah. And and here’s the thing for me, I mean and this is a closing, its okay to ask me why? Please ask me why? Ask me why about my political position? I don’t care, asked me why, I mean be nice if we knew each other a little bit first, you know, ask me why on, you know, why do security the way I do. Security asked me why I need that to if I’m going to become better so um and maybe we can learn learn that together. Alright, so mentions real quick, I want to mention just the fr security I SSP mentor program that is coming. If you don’t know where to find them, that’s on fr secure site, it’s 100% free, will always be free. Ah It’s awesome this year. You know, we’ve got, I don’t know what the latest number is but I think it’s over 4000 people that are signed up for that three training. Uh I’m an instructor there. You are an instructor there and Brad and I is an instructor there. That will be a lot of fun.

[01:00:37] Ryan Cloutier: Yeah, I’m looking forward to it. It’s a, it’s a great program and uh, if you, you know, are looking to get your CSP take it, if you are just even curious to learn more about, you know, security in general, it’s worth your time, you’ll learn something. Um, yeah, I’m excited to be part of it. I think it’s great and I love seeing all the folks whose lives we’ve, we’ve touched. I think that’s that’s the best part about being an instructor.

[01:01:05] Evan Francen: Amen brother. Well, yeah, and that’s why we’re in this industry, we’re here to serve. I’m here to make life better than what the less the less you fight me, you know, the more you align with me probably the better we’re all gonna be because my heart is in the right place. I don’t have all the answers. But man, I want to help. Yeah, for sure.

[01:01:26] Ryan Cloutier: Well, and to that point as to me, right, so we mentioned for, for us, to me, so for those of you that don’t know one of the many things that we do at security studio and fr secure to help the world be a better place is we provide real resources for people at no charge. And one of those is s to me this is a free personal risk assessment. Won’t take you very much time at all to complete it. A couple of things you’re going to get by taking this assessment, you will gain a better understanding of your own personal risk habits, You will learn how to improve upon those and reduce the risk that you and your family are exposed to at home as well as at work. The other thing that you’re going to get is an amazing benefit is a free threat monitoring. So the email that you used to register for us to me, we will then monitor for you going out onto the dark net and public looking for any data breach where your emails showing up And if we find one we push notification to you, this is a $20 a month value that we give away absolutely free. So I do encourage you to check it out. If you’ve never done it before, do it. And if you’re a leader of an organization or a security leader, it’s a great way to start to assess your talent and see just how at risk your employees are. The companies that have a security culture, are the companies that are least likely to be reached?

[01:02:57] Evan Francen: Yeah, exactly, man. And we we built this, you know, well before the pandemic, uh not really knowing the pandemic was coming obviously, but knowing that people are creatures of habit, you

[01:03:08] Ryan Cloutier: know what, I don’t understand them. I was coming up, I would I would have bought stock in johnson and johnson, Right?

[01:03:14] Evan Francen: Yeah, but it’s uh we built this because we knew that people are creatures of habit, The same security habits you have at all the same ones are bringing to work and vice versa. So, and we know that we have this problem of teaching people, reaching people um about information security, risk management, nobody is responsible for your security at home. Yeah. Oh yeah, ultimately it’s yours, right. You can point fingers and blame everybody else that you want. But you’re the one that installed that IOT device, you’re the one who couldn’t live without google home or Alexa or whatever else you plugged into your network. And even if they were responsible and he wanted to hold them responsible, meaning the people that sold you those things, how do you recover the innocence of a child? You’ve got a safety component here at home that you don’t have anywhere else. Uh you know, if your child’s been preyed upon online or whatever else happens, if you can’t get it back, it’s gone. And so that’s the this is just very, very important. Their life skills. It’s free. It will always be free. Always, always, always be free to you. It’s a risk management tool. It is an assessment, but there are recommendations on how to make things better. If we just told you all the things that are wrong, it didn’t give you any tips to make it better than were useless. Uh, so it’s https colon slash slash s to me dot io. That’s the site. Uh, the exciting thing about us to me is it’s really, really, really exploding in terms of popularity. We talked to a really big telco provider, consumer telco provider yesterday. They want to get, you know, provide this as a standard bundle to all people, All their customers, which is like in the 10s and hundreds of thousands. That’s awesome. We have the state of North Dakota made it available to all their citizens. Uh, that’s awesome. We have, you know, uh, other big, big associations, one that’s, uh, association for people my age and older. Um, you know that we’re, you know, working with to get it out to that population. I just got an email this morning about a fairly large bank that wants to make it available to their customers and then also wants to, you know, take it to their banking association and make it available to all those awesome free do it no strings attached. I don’t want anything. Well, co branded your stuff right? At the cost of it is to just co branded, right? We don’t want to do this to be a moneymaker. We want this to be a problem solver. Right? So I’m preaching. I can preach all day about that because damn it. That’s the whole reason I’m here,

[01:06:12] Ryan Cloutier: I’m not you and we are making a difference. And I can say that with all the confidence in the world that we are making a difference and I hope those of you that are listening that, you know, you’re you’re seeing this and taking it as an inspiration to make your own differences as well.

[01:06:29] Evan Francen: Yeah, I mean you and me and and others of us like us, we’re not, I’m not here for any other reason, then I want to fix this. I hate seeing people taking advantage of, I don’t want you to be taken advantage of anymore, whether it’s a business, whether you’re a customer of a business, whether you’re a consumer, whether you’re a parent, I don’t give two craps and I don’t care how much money I make, I don’t care if I make any money, I would do this for free if I could figure out some way to feed this big body of mine,

[01:06:59] Ryan Cloutier: right?

[01:07:00] Evan Francen: You know, But so that’s our motivation. Get on it. It’s yours, not mine, my responsibility. My responsibility is to give you the tools to try to help you solve some of these issues. It’s your responsibility to use them.

[01:07:16] Ryan Cloutier: Absolutely.

[01:07:18] Evan Francen: Alright, so news, I got two quick news things. One is the Microsoft released, this is from G B hackers dot com. I’m not going to go deep into either one of these. I just want you to be aware, Microsoft released a one click exchange mitigation tool to mitigate recently disclosed proxy log on vulnerabilities. So if you’ve patched uh your exchange server, you probably don’t need the mitigation tool, but go in review uh use the mitigation tool. You know, it’s it’s really really really significant uh very much exposed vulnerability because the thing is you have to expose your mail server, Right? It communicates with other mail servers on the Internet. You can’t close port 25 and expect that thing to work. So you need the mitigation get on it if you haven’t already.

[01:08:10] Ryan Cloutier: uh and uh if you’re 365, give it

[01:08:15] Evan Francen: time. Thank God. Because again, no such thing as risk elimination, it doesn’t matter if you’re in the cloud, it doesn’t matter if you’re in your backyard. Uh do you have risk? So you better understand it? The second one is uh this one ticks me off because again, I hate people taking advantage of other people. And you know, there is, there may not be a more vulnerable market in our industry today than the education market. Uh And this one comes from malware bites the FBI warns of increased, I’m sorry of increase in P. Y. S. A ransomware attacks targeting education. No, so education occurs uh reach out to somebody, reach out to us. Well, if you don’t have the resources, uh we’ll find some. I mean if I have to stay up late and help, you know, whatever I don’t want you to be at risk. I want to make sure that, you know, that you’re well protected against ransomware attacks, we’ve got tons of resources, we’ve got a free ransomware readiness assessment, you might find a little uh over the top. Mhm. But that’s okay, you reach out to us and we’ll give you that but and it’s out there and it’s getting worse.

[01:09:43] Ryan Cloutier: Yeah. And all I’d add to that is, you know, if you are uh there are small business or K- 12 limited resources, Air Gap backup, a good old fashioned, believe it or not cheap. Removable hard drive uh back up your data, back up your system images, store it completely off the network, it’s cheap and it’s a dirty solution, but it is highly effective.

[01:10:11] Evan Francen: Right? It’s always funny how the simple solutions often are the most effective.

[01:10:17] Ryan Cloutier: I mean it’s you know, if you can do proper redundancies, that’s great. But if you’ve got nothing today, go to best buy, go to micro center wherever your local retail or ordered online. Get a removable hard drive for series of them however your data footprint is and move that stuff off the network. You’ll thank yourself later when that ransomware event happens,

[01:10:40] Evan Francen: Right? And I’m a silver lining kind of guy too. So look for opportunities to educate educate your students, right, engage your students and things like this. So uh and I’m just as a hypothetical thrown out an example, let’s see. You do do tape backups, but you don’t have the time to switch out, teach, you don’t have time to do this or do that. Maybe this is an education opportunity. Maybe you can uh you know, talk to the school administration figure out a way that maybe you can do kind of a training program with your students and this is how you use tapes. This is why tapes are important. And then let them do the tapes, let them take the tapes out of the tape device and bring it to the vault and put in your tapes. You know what I mean,

[01:11:23] Ryan Cloutier: engage. And there are, there are districts today that do that with their high school students as part of their education program and some of them actually work part time for the district getting paid. So if anybody has any questions about that, feel free to reach out to me more than happy to put you in touch with schools. I know that are doing this, that can help you figure out what you can do to implement a program like that in your own district.

[01:11:47] Evan Francen: Love it. That’s awesome. Alright, let’s wrap this thing up. We did run a little bit late, but nanny, it’s always such a freaking good conversation. You and I could sit here and talk, I swear for a week straight, right? You have to bring my bacon in. You know, I’d have to get my wife to bring the bacon in. I need to eat. I like you bacon. Uh But let’s wrap up. So any shout outs this week and if you want to give a shout out to

[01:12:14] Ryan Cloutier: uh so the whole security studio team, they’ve they’ve done an amazing job this last week. I mean they always do a great job this last week, they really pulled it together, we just there’s so much stuff going on and everybody is doing a great job of keeping all the spinning plates spinning. So uh definitely want to want to recognize just the team and just the whole team,

[01:12:34] Evan Francen: awesome. I’m gonna give to shout outs actually, man, I’m going to give up three uh shout out to you for, you know, taking care of business last week, you know, while I was out, you know, getting some much needed R and R. You know, you kept the business running uh and improved in many, many places. So big shout out to you man and a shout out for stepping in last couple weeks for brad. I’m

[01:12:58] Ryan Cloutier: happy to, happy to it’s it’s all part of being part of the family.

[01:13:02] Evan Francen: Yeah, and I want to give a shout out to brad. I know that he’s reason he’s not here is not because he chose not to be he uh um he’s just got a lot of things going on right now and I want to give a shout out to him in support. Uh you know, I love the guy and uh I always love the guy, so you know, you’ll you’ll be hearing from him again real soon, and the third shot out I want to give is to, to john harmon. I love the way he’s running the fr secure team and the fr secure group. And I know what it’s like to be a leader, sometimes the top of the, you know, organization. Um, it feels lonely to be that person because nobody else can relate. All right, you got all this stuff going on and you’re like, who do I talk to shout out to him? Because not only is he leading that team amazingly well, but he’s also engaged in a can appear president group that I think is just providing amazing support for him, but you have to be aware enough to know that you need that support to go and get that support. So shout out to him. I got three shots. That was cool. I could keep going on shadows too by the way. But is it

[01:14:19] Ryan Cloutier: enough?

[01:14:21] Evan Francen: Alright, so thank you to our listeners, uh, encourage you to send us stuff that you’d like us to read like us to know about. There were things that we talked about in today’s show that maybe you want more information on, you know, we offered help in a number of different ways. Maybe if you missed. Um, you know, some of that reach out to us by email, we will respond. I’ve gotten better at that. So, um, email us at unsecurity@protonmail.com. If you like to socialize uh give shoutouts, man, spread the word, do whatever you need to do or can do or ask those questions with maybe set a good example on how to interact on social media, but reach out to us on twitter. I’m @EvanFrancen, uh, Ryan is @cloutiersec Brad’s @BradNigh, you can find our companies there as well. That’s all I got man. Good show. Thank you. Yeah,

[01:15:18] Ryan Cloutier: absolutely man, do it again soon. All right brother.