In this episode, Evan and Brad focus on the concept of PDEIS (Programmatic Distributed Empowerment of Information Security) and its ability to involve and empower others within the organization; not just CISOs, to make their own risk decisions. They also debate the trend of information security leaders facing legal repercussions in the wake of the recent SolarWinds incident. As always, they close with some industry updates such as the T-Mobile breach, and more.
Protect Your Organization from Cybersecurity Threats
SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and stay legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
[00:00:22] Evan Francen: All right, welcome listeners. This is episode 144 of the Unsecurity Podcast. I’m your host, Evan Francen, and joining me is my good friend Brad Nigh. Hey Brad.
[00:00:34] Brad Nigh: Hello, are you?
[00:00:35] Evan Francen: Not too bad man. Recording on uh Wednesday, started middle the week. I don’t know what happened to Monday and Tuesday, do you uh you know
[00:00:47] Brad Nigh: that’s what I did this morning.
[00:00:49] Evan Francen: I know right when I’m my wife I’m getting all describe I haven’t been groomed uh you know I had my beard or moustache room for a while so she’s making an appointment I think should have made an appointment. So I got to go get
[00:01:04] Brad Nigh: yeah mine’s long enough now that it some waxing and it’s Oh yeah
[00:01:10] Evan Francen: we got it ma’am
[00:01:12] Brad Nigh: Islam. There you go. Yeah
[00:01:15] Evan Francen: Crazy. All right. So last week it was fun. We had a good talk with the team ambush and then we talked a little bit about you know the work that you did uh DEF CON the week before, that was good. Yeah yeah
[00:01:32] Brad Nigh: There’s a good change of pace for me. I mean even for those guys really in CTFs, it changes your thinking, but it’s so valuable from an experience perspective.
[00:01:43] Evan Francen: Yeah yeah totally man. Yeah I think next year I’ll probably jump in you know, maybe help out, see uh I can read pcaps, like I said, I’ll do that.
[00:01:54] Brad Nigh: There’s some cool new tools out there.
[00:01:57] Evan Francen: Right? Yeah, I’m used to the old school pcap tools, so just give me something, know anything, I’ll be fine. All right, so good show today. Uh one come for a couple of things, you know, we talked a little bit about this thing called distributed accountability. I want to bridge off of that a little bit more. Um, I still contend that many of our CISOs, certainly in state, local government, Miniver caesars, private sector, are just in this position where they’re playing a game that they can’t win.
[00:02:34] Brad Nigh: Yeah, yeah. And I think one of the articles are going to talk about kind of proves that point a little bit.
[00:02:40] Evan Francen: Yeah, 100% The frustrating thing is you and I have been in this industry for 20 some odd years, 30 years, whatever and we still cycle through the same crap today that we did back then.
[00:02:56] Brad Nigh: I mean the technology has changed, but the basic premise is still the exact same.
[00:03:03] Evan Francen: Right? Well, and we continue to adopt and uh yeah, we continue to adopt new technologies faster than our ability to secure it and certainly faster than our ability to be responsible with it. And so if anything, the problem has gotten worse and you know, the goal, the objective is further out. Charter.
[00:03:28] Brad Nigh: Yeah, yeah. Well, and I mean a lot of times you’re looking at how many years of different people building on it. So then when you come in, you know, it’s like deciphering six different languages to understand why things were put together the way they were, what the band aids are. I mean we’ve talked about it the only way to to really be confident. It’s just start over and that’s not realistic.
[00:03:58] Evan Francen: Well, yeah. Well it’s either, I mean it will eventually come to the point where I think if you don’t get your stuff together now, the longer you wait, the harder it gets and eventually you’ll be forced to, you know, or you just no longer exist right? I mean it’s like, yeah like health, right? If you don’t take care of your health eventually you’re going to be forced to or you die basically. Yeah. Yeah. Uh We’ll talk about that and then uh you mentioned a news article. So one of the news articles that kind of plays off of that is uh SecureWorld. Uh, I don’t know, the 5th. So almost two weeks ago, I wrote an article, Bruce uh man was the author, the title of the article is “Suing the CISO. SolarWinds fires back.” So in this particular case, uh, a group of shareholders have filed suit against the CISO, so the chief information security officer, Tim Brown, who is also the VP, so VP of security and CISO at SolarWinds, uh alleging certain things. And then you know there’s this, SolarWinds fighting back. So I want to talk about that because you’re barking up the wrong tree. That’s not the place.
[00:05:22] Brad Nigh: Yeah there’s a lot to unpack in that order. Do.
[00:05:25] Evan Francen: Yeah I would love to play uh, it would be fun to be part of that litigation in terms of you know consulting on it. Um It’s kind of bullshit. Anyway people talk about that and then uh this last week you know the news, the big news you know I think worldwide is the fall of Afghanistan again into the hands of the Taliban. What does that mean for us in terms of information security, is it going to mean anything? Uh you know we can speculate a little bit. We’ve seen big news in the past before. What does this one we’re going to do? Uh huh. Yeah. Yeah. Yeah and then a couple news articles. T-Mobile lost all your data. You know
[00:06:12] Brad Nigh: we’ll go into that. But when I right when I saw that I was like okay like all that isn’t already out there.
[00:06:21] Evan Francen: Well there’s that which is
[00:06:24] Brad Nigh: unfortunate right? That’s that reached the T. Yeah.
[00:06:29] Evan Francen: Well then uh in the last piece you know we’ll cover in today’s episode uh is you know the U. S. Government uh lost. Well actually never secured um Some information that their secret terrorist watch list with about two million records was exposed online. And insecure.
[00:06:50] Brad Nigh: Yeah there’s a lot to unpack in that one too a lot of questions.
[00:06:55] Evan Francen: Oh well and it leads to like a whole discussion that we had last week on the shit show where Chris Roberts was playing devil’s advocate about. Uh huh. Well if you can’t secure your stuff then why doesn’t the government do it for you? You know and I’m so against that because the government can’t secure their own crap, why the hell would I have them secure mine and they have no vested interest in actually securing my crap. What they’re actually going to do is steal my crap. I’ll have no privacy at all. I’m gonna already do it right, the NSA and stuff but yeah no I don’t want to go there.
[00:07:34] Brad Nigh: Yeah I agree.
[00:07:37] Evan Francen: Yeah. So anyway first thing I want to talk about was that I give you a name because I think when things have a name they take on a new meaning, the name is programmatic distributed accountability for information security. So if you’re an acronym person, which I think most of us are in this industry whether you like it or not, uh called PDAIS. Programmatic distributed accountability for information security. And where this came from was working with state CISOs, and take the state of Minnesota for instance. Right now we’re doing a proof of concept um in the executive branch of government. In the state of Minnesota by law, centralized, the CIO essentially, the centralized I guess authority, um is responsible for securing the executive branch agencies
[00:08:37] Brad Nigh: makes sense.
[00:08:39] Evan Francen: Yeah. So there are 95 agencies listed in that standard. So when you talk about you know the CISO for the state of Minnesota, who is very good, I think he’s a great person, um capable, all that stuff. But the way they do it today, they can’t win, they can’t play that game because you can’t secure 95 government agencies unless you get the 95 government agencies to play by
[00:09:08] Brad Nigh: and they all work differently enough. Yeah, there is no blanket solution.
[00:09:17] Evan Francen: Exactly. So that’s a yeah. So about that. So the way they do it today, you know, I think the best attempt is to take assessments, you know, distribute assessments in the form of spreadsheets to, you know, the government agencies, have them fill out their assessments and then you compile the results and try to do some reporting and try to enforce some requirements. Um Which on the surface doesn’t seem that bad. The problem is these 95 government agencies are not all the same. Some of those government agencies use policies that come from, you know, central authorities, some of those have their own policies, some of them have their own CISO, some of them have no technology department. Yeah. Mhm. Yes, I think quite like that, it’s error prone,
[00:10:19] Brad Nigh: you know for sure.
[00:10:22] Evan Francen: No. So the challenge then is, you know, how do you define? So it’s actually, it’s funny because this morning I was working on working on a presentation and really I think it’s There’s 1234, was it 12 steps to the process you’re talking about in the state of Minnesota, take any state for instance. So the first one is your inventory of the agency’s right, What who are the agencies now? How many do we have Here? We have 95. I’ve asked other states before, you know, how many government agencies are you responsible for securing? And I get different answers. Um Even within the state of Minnesota, I’ve heard answers from 87 to 92.
[00:11:12] Brad Nigh: Yeah. You know, if I’m just thinking it’s funny how alike you and I think because we’re working with like a, out of venture capital, like the company that owns, an investment firm, and they’re looking at 30 companies to start with and we’re going to use S2Org and have each one of those as a sub entity because then they can see everything and it rolls up and they can see what their risk posture is. And I mean it’s almost exactly what you’re talking about. It’s so funny.
[00:11:47] Evan Francen: Well it is and that’s the reason why we built it that way, to be honest, you know? But the first thing we have to start with is what are we actually trying to secure. Instead of, you know, physical assets or software assets, at this level you’re talking about uh an intangible asset, right? The agencies or the departments or the companies in your instance. So depending on where you’re starting in the process, if you’re starting as an investment organization or a company that owns 30 companies, well then you’re starting at that level. If you’re starting with the state, ideally you would start all the way at the governor. Uh huh. That’s right. Because they are the CEO of the state and then you would deploy through that, right? The government and all the things that they’re responsible for. We’re starting a couple of layers down here right now with the state of Minnesota, it’s not the governor, it’s not the Legislature. We’re talking about the CIO and CISO
[00:12:50] Brad Nigh: of these for a proof of concept. I mean, I don’t I don’t know if you necessarily starting at the very top it is going to, it would be a more representative. Mr
[00:13:04] Evan Francen: Yeah, well, eventually we’ll get there, right. There’s a couple, there’s two states in the country, the National Governors Association, so NGA, called out two states, or nominated two states, to do this thing called whole of state security, right? Which means you’re going to figure out a way to get the entire state secure, right? And so those are different, Washington and Indiana are those two states, um that takes distributed accountability to a whole another level. Right. It scales that way because the first thing is the inventory. The next thing is once you’ve got that inventory, who’s responsible for what in that inventory?
[00:13:49] Brad Nigh: You know it gosh, it sounds like the fundamentals we talk about every week, right? I mean it is it’s a different target, so to speak. Great. We’re not talking about your data in her hardware assets, but it’s the same exact
[00:14:07] Evan Francen: concept. It is, man, I mean that’s that’s the thing that most people don’t realize or maybe many people don’t stop to think about is information security as information security. The same concepts apply at home as they do in a small business as they do it to an entire state to entire country.
[00:14:26] Brad Nigh: Right? I think if mastering the fundamentals isn’t difficult, my understanding them knowing what do not difficult actually gain. Like you said, other people to buy in and doing them. That’s the hard part
[00:14:40] Evan Francen: Well. And that’s the cool thing, man, is we’re making progress. You know, there are some states in this country that are, I think, um ahead of the curve, they are maybe taking a more pragmatic approach and understanding. Minnesota is one of those, New Jersey is another one, I think Hawaii, Washington, Iowa, these are states that I know personally are marching down the right path, right? And you go back to either do it now or do it later. Eventually you have to do it.
[00:15:15] Brad Nigh: Right. Well, I mean how many times have we heard a c suite member go? I wish I had known and done this or during the during the breach dear. And then a ransomware event almost every time they’re like, I wish I had known, I wish I had done something. Yeah. Proactive a lot cheaper in the long run run it
[00:15:39] Evan Francen: and it also helps you make more sense of just the organization itself. Right? When you go through the process. So right now I said step one inventory of the agencies. The next is the responsibilities as part of that inventory of of the agency’s it’s what are the criteria for risk in those agencies when you put them into context with everything else? Right. Maybe it’s the number of employees in that agency. It’s the importance of criticality of that agency to the overall functioning of the state government, right? Some are different than others. So if you take like the board of social work that would be different than, say the veteran affairs administration, right? If there were a breach or something, it was to just being completely obliterated. Right? I mean like when you talk about risk, right? It’s likelihood and impact. So let’s say that the impact, let’s say you just wipe them off the board Department of Transportation calling what does that do to the state. Right. So that’s one criteria that also has to go into this risk equation versus let’s say the zoological board.
[00:16:49] Brad Nigh: Yeah. Think about Minnesota. Yeah, the DOT isn’t here in the winter. Mhm. It’s massively disruptive.
[00:16:58] Evan Francen: Exactly. So in that inventory of your agencies it’s figuring out the criteria for risk, one might be the number of employees, another might be the importance of criticality to the functioning of the body, another would be you know how much sensitive information do they actually collect, process create so on and so forth. Once you define that right now I can put things in the context. And you talk about the state of Minnesota, you talk about the executive branch of the state of Minnesota. Now I’ve got the agencies and I’ve got some equation of which one of these agencies or entities is more critical than not. Right?
[00:17:38] Brad Nigh: Almost like a business impact analysis. You know another fundamental weird I’ve seen a lot of similarities. Right right.
[00:17:48] Evan Francen: And then you go through, okay uh you know those responsibilities, who is responsible for security in each one of these entities. In some of those cases it will be um you know the agency head, some of these agencies have a CISO, some of these agencies... now the cool thing here is, and one of the things we’ve gotten wrong I think when we talked about distributed accountability, is now I can get to distributed accountability. Right now I can go to that person and say, here, let’s have a discussion, and instead of pointing it like I’m making you responsible, therefore you must do these things, instead the approach should be, you get to call the shots, this is your agency.
[00:18:28] Brad Nigh: I’ll present you facts and you decide, Yeah, okay. That makes it was going to say what if the person doesn’t understand security, but now I agree with that approach. Okay.
[00:18:38] Evan Francen: Yeah. Instead of us always telling you what to do, instead what we are as the CISO is we’re consultants. Yeah. Which was the simple approach from the very beginning, CISOs have two jobs. One, consult the business on how to make good risk decisions, and two, implement those risk decisions to the best of your ability. That’s it.
[00:19:00] Brad Nigh: Yeah, Yeah. And you know, I think we talked about this when you first brought it up, but it’s the approach that I it’s similar because I would say, you know, hey, can we do this? Yes, but here are the risks involved. Are you willing to accept them? If not, here’s some alternatives. You tell me which way to go?
[00:19:19] Evan Francen: Absolutely. So at that point then the CISO is accountable for those two things. Right? Ultimately, then now I pull myself out as the CISO, implicit or explicit, I pull myself out as the person who is ultimately responsible for risk in this entity, right? This organization.
[00:19:40] Brad Nigh: Um, and yeah, something we breach the security. Be defining the businesses risk tolerance. No organization should be doing it. That should be at a C level board level at the theme, hey, here’s the level of risk. We’re willing to accept managers or whoever decision makers fall in line
[00:19:59] Evan Francen: with this. What it’s all, and the reason why we suck at that, for many reasons. One is we aren’t communicating it well, you know, I mean if I go to the CEO or the owner of a business and say, hey, tell me about your responsibility for information security, or actually just tell me what information security is to you. Yeah.
[00:20:27] Brad Nigh: Yeah.
[00:20:28] Evan Francen: What we usually get is we have we have an I. T. Guy who handles that for us the same. No, not a good answer.
[00:20:38] Brad Nigh: Yeah. Yeah. You hear some interesting things doing the assessments and yeah right.
[00:20:48] Evan Francen: It’s cool. I think two, three states are going to get off on a really good foot on this. You know Minnesota, Iowa, and New Jersey are the three that I think uh, just these are CISOs that, well, Iowa doesn’t have a CISO, which is interesting. That’s a whole nother thing. Um but I think it’s really cool because I look forward to the day when I can go to, when we can, the CISO can go to the state of Minnesota, go to the legislature, go to the governor and say this is the current state of security today. What with the computers. Yes, yep. And this is the future state based on the risk decisions made by our organization.
[00:21:32] Brad Nigh: You know, again, funny, I was working on an executive presentation this morning, exactly that we started with the estimator. Where were they at? Not good. We’ve kind of done itself on the one. Okay, a little bit better. So the presentation is all right. We started here, what is our plan? Where are we going to be? What’s the goal and what does that look like at a high level? But it gives them something to work off of that. We can track over time.
[00:22:05] Evan Francen: Yeah, yep. And keep it simple. Right. I mean, one of the things that we love to do in our industry, because I think a lot of times we do it as you want to sell more crap or because, you know, my motivation really isn’t what’s best for you. It’s really what’s best for me as we overcomplicate things. So keep it simple. Yeah, yeah. You start with a new criteria and then expand out into others or go deeper. But start with the basics, the fundamentals, get that stuff figured out and then built.
[00:22:37] Brad Nigh: And the way I approached it was, you know, hey, look, we started with this, it had, you know, x number of controls. Our goal is to get moved up annually to that next level. We’ll hopefully have accomplished enough. No, it’s not okay. We know security is fluid, right? It’s a living program, things happen, new threats come up. What is the reality of plans? But at least we have some sort of a goal in in place that we can track our progress towards,
[00:23:12] Evan Francen: Yep, 100% man. So yeah, I’m excited. I think when you think it all through, when you think about logically how information security works, this is the only way to make it work. You can’t have a CISO be accountable. So you take this, you know, again, I’ll use the state of Minnesota for instance, and all this stuff is public except for some of the details of what we’re doing together. But you can’t hold the CISO responsible for risk decisions that are made in the Department of Public Safety or the Department of Transportation.
[00:23:47] Brad Nigh: Yeah. You would hold them responsible if they don’t provide that guidance or a warning of hey, be aware of this. Sure, it’s not the CISO making that decision. Absolutely agree.
[00:23:59] Evan Francen: Yeah. So we’ll see how that plays out. Now that leads to our next discussion. So that’s program, you’ll hear it again and again. So I’ll be repeating it because I’m going to build it out more and more. It’s called programmatic distributed accountability for information security. Right? So how do you programmatically do this, because if you do it manually, it’s error prone, it’s inefficient. So you mentioned, you know, some of the things that are in S2Org on the SecurityStudio platform today? That’s really just the beginning, you know, where does it go from here? How do we build it out more? How do we make it more, um, just standard. Right, this is how you do security.
[00:24:39] Brad Nigh: Yeah, yeah, I like it because this is more prescriptive then red, yellow, green. What does that mean? That leaves things up to interpretation. Right? Let’s take that out. Yeah. With you.
[00:24:57] Evan Francen: One is, as the CISO, I am now playing a game I can win. I can’t play that, I can’t win a game when you expect me to make risk decisions or manage security across all these various pieces of the business and you want me to make the calls and you want me to do the enforcement, you want me to do all these things, because, you know, take for instance, you know, hypothetically the Department of Transportation, the head of that, if they don’t agree with the risk decisions that I make as CISO, what do you think is going to happen?
[00:25:30] Brad Nigh: Non-compliance.
[00:25:32] Evan Francen: Exactly. And then they have a breach and then who gets blamed
[00:25:37] Brad Nigh: that? Was the person who made the decision? Well, not right, not the not the people that didn’t comply with the decision.
[00:25:46] Evan Francen: Exactly, exactly. So it also brings about this community of security where now you can have discussions with these other agency heads on a level that you couldn’t have before, right? There’s a common understanding about what security is, how it works. Uh And instead of pushing it out as, hey, you know, we’re going to make all these mandates, we must do this risk assessment. Instead, it’s, you get to make the calls, you get to be empowered, you know how your business runs better than I do. You make the decisions on how risk works. We’re empowering you, enabling. Yeah, yeah, that’ll work. Uh, so that leads to the next thing. So you talk about CISOs, um, you know, holding them accountable. Uh, like I said, SecureWorld. Um, the title is “Suing the CISO. SolarWinds fires back.” It’s Thursday, August, yeah, was when this was written. So almost two weeks ago, and in this article, essentially there’s a lawsuit, the lawsuit was filed from some investors and the lawsuit claims that inaction around cybersecurity at SolarWinds led to deception for the investors. So they were deceived. Wow. Specifically that SolarWinds “embraced intentional or severely reckless deceit on investors.” That’s the quote. So let’s, let’s, let’s sue the CISO.
[00:27:24] Brad Nigh: yeah, some of the claims that they may seem and
[00:27:30] Evan Francen: This, when I always go back the same thing man, who ultimately is responsible for information security at SolarWinds,
[00:27:42] Brad Nigh: Uh huh. People that should be making the decision, right? Now if, if they say, you know, in the lawsuit, there’s no password policies. Well, I can guarantee you almost any CISO worth anything is going to say, hey, that’s a really bad idea. But if the company says, I don’t care, I mean, what am I gonna do? Document the heck out of the fact that I argued against that. But I mean if you force it, but you’re just gonna lose the company.
[00:28:20] Evan Francen: Right. Well, in the one who, I mean, ultimately at SolarWinds, you know, who’s ultimately responsible for security would be the CEO. Because the CEO is responsible for the performance of the company, responsible for the protection of the assets of the company. Uh they’re responsible for the structure of how things get managed within the company, right? So they’re the ones who make the call, either them or the board or some combination thereof.
[00:28:48] Brad Nigh: The board would probably be the, if they were, this was, the board would be the right target of this lawsuit in my opinion, not the CISO
[00:28:57] Evan Francen: or potentially the CEO, you could make a
[00:29:01] Brad Nigh: final decision, right? Yeah.
[00:29:03] Evan Francen: Because I don’t know how many times we’ve screamed it from the mountaintops and everything else, that information security is not an IT issue. It’s a business issue. So we continue to bury it under the CIO. In many cases, we don’t put it on the same level ground as, say, the CFO, uh as the chief, or the COO, other C-level executives. They have the ear of the CEO much more than the CIO, you know, then much more than the CISO does. Uh you know, I was in a round table uh with a bunch of CIOs and I probably won’t be invited back because they kept saying that, speaking the language of the business, speaking the language of the business, you know, they just kept saying it like it was, the reason is a buzzword. I go, what the hell is the language of the business? What is that? Is that like a manual that I can read or is it a
[00:30:03] Brad Nigh: Well, I mean, I think, yeah, I think I understand the concept. They just speak in a language they can understand, but I don’t think there’s a standard business language
[00:30:17] Evan Francen: Well, and I made this, so I made this case, like many, many of the CIOs were kind of complaining that uh, you know, there’s so many um demands on their time, they’re short staffed, they can’t keep up with the demands of the business. Uh uh and in some cases they’re unrealistic demands. And I said, well then you’re not speaking the language, you’re not, because if you were speaking the language and they understood the language you were speaking, they would understand the weight of some of the decisions that they’re making in terms of the CIO.
[00:30:56] Brad Nigh: Well, and yeah, and the risk that that’s putting organization in.
[00:31:00] Evan Francen: Right? So, and I’m talking specifically CIO. So let’s, let’s, let’s contrast the CIO to the CFO. At any given time when you talk to the CEO, do they not know the financial performance of the organization?
[00:31:18] Brad Nigh: I mean, yes, unless they’re not gonna be there long. Right.
[00:31:21] Evan Francen: They probably know roughly how much cash, roughly. They know whether they’re profitable or not. They know, you know, so they know the financial position or condition of the company to some extent. Probably. Now take that to the CIO. So you can talk about speaking the language of the business. What does the CEO get in terms of the condition of the technology piece of the business?
[00:31:49] Brad Nigh: Hey, this is how much it’s gonna cost.
[00:31:51] Evan Francen: Yeah. I mean, they might have some weird metrics but there’s nothing standardized there.
[00:31:55] Brad Nigh: And I mean, I’ve seen that and what happens is you’ve been kind of perpetuating the cost center. Right. If really because it’s not get the cost center thought, but it’s not right,
[00:32:12] Evan Francen: We’ll take like a CFO. So the CEO says, has this idea, you know what, I want to investigate a merger with another company or an acquisition or do something. The CFO says that’s great Mr. and Mrs. CEO, but we can’t afford it.
[00:32:27] Brad Nigh: Right.
[00:32:29] Evan Francen: Mhm. Then something changes, right. It doesn’t happen. How often do you hear CIOs tell the CEO that you can’t do it?
[00:32:39] Brad Nigh: No. Yeah, I know or you know, they will do their due diligence from a financial standpoint. But I have no idea what they’re you know, inheriting from I. T. Or security issues, You know we’ve seen it with who the Hilton did that. There’s pieces of it. So
[00:33:01] Evan Francen: So I think there’s this upward lack of communication with the CEO, between the CIO and the CEO, or lack of understanding. They’re not speaking the same language like the CFO does, the sound seems like. And then what’s the assets, so he took it, the assets of the CFO, the assets of the CFO are the dollars, right? They know how much they have, an accounting of every single dollar. Yeah
[00:33:24] Brad Nigh: and everybody understands it
[00:33:26] Evan Francen: Right? I take that to the CIO, what are your assets? We have hardware, software, data, is your coming. Yeah, you’re not speaking the same language, you’re not doing things the same way the business is used to doing things, and then let’s bury the CISO under that trap. Yeah
[00:33:50] Brad Nigh: It’s going through, it, you know, a CISO speaking a language that nobody understands. It’s being translated by the CIO, who’s speaking in a language that his audience doesn’t understand, but it’s now gone through two translations, how you know. Yeah, I can’t imagine why we’re in the position we’re in
[00:34:10] Evan Francen: Totally. Yeah, and so that’s a huge challenge, so that you can, holding the CISO responsible for these things. Now the CEO does have the opportunity and does have probably some pull in reorganizing things, setting appropriate expectations of, this is what I expect, I expect you to have a good accounting of your assets because I am responsible at the end of the day. I make decisions as the CEO on asset protection, right, on asset accumulation. We’re trying to accumulate cash, we’re trying to manage cash well, well then we need to do the same thing with our computer assets or other assets, our human assets or physical assets. Seems to make sense. Uh
[00:35:01] Brad Nigh: no, I agree.
[00:35:03] Evan Francen: So anyway, in this uh article, it’s frustrating because until we figure this out, until you truly hold a CEO or a board responsible for information security, this will not change. We’ll still be in the same boat we are 10 years, 20 years from now. The only thing that could potentially happen that would shift the winds would be that the government does step in and does start mandating and does start taking control, and I honestly don’t want to live in that kind of environment man.
[00:35:44] Brad Nigh: You think it’s rough now?
[00:35:47] Evan Francen: Mhm. Yeah, exactly. All right. So in this article, a summary of the investor lawsuit against SolarWinds, here's some of the things they claim, some of the highlights, and this is public, so you can go and download and read it for yourself. But number one, the face of the case is a former SolarWinds employee who was hired nearly two years before the Iranian cyber tech and only stayed with the company a few months. He allegedly raised concerns about poor security while in the role of, quote unquote, global cybersecurity strategist. So I think in that allegation, there was somebody that was there that didn't stay very long, that had raised concerns and nothing was done about it.
[00:36:34] Brad Nigh: Yeah, but it feels like they contradicted themselves in some of the allegations. Yeah, one of them being, hey, there was no security team, but your title was global security. All right, doesn't that imply that they have people in security, right?
[00:36:57] Evan Francen: Yeah. Yeah. The case also says that solarwinds123 was the password on the company's update server and they had been warned about that and didn't do anything. Makes direct claims, like you said: no security team, no password policy, no documentation regarding data protection controls. The company did not limit, these are access controls, exposing the company's crown jewels, quote unquote, to potential cyberattacks.
[00:37:26] Brad Nigh: Here's my thing. I mean, I guarantee you SolarWinds is PCI certified, right? Because they take credit cards for payment. So at some point, if they don't have any of those things there, either their assessor is not doing their job or this is incorrect, right? To me that would be a lot of this.
[00:37:49] Evan Francen: But the racket with PCI, and it is a racket, is you can become PCI compliant, and then there's a breach and you're never PCI compliant.
[00:38:04] Brad Nigh: Oh, I'm not saying that's the case, because there are always gonna be those controls. But I mean, these are the basic things that you have to have to even get to that point, regardless of how well they're implemented, if you have them. Yeah. Right.
[00:38:23] Evan Francen: One. Trustwave was the assessor for Target. Obviously, I speak of that one because I know that one. So, and being the fact that, you know, 25 years, 30 years into this industry, not much has really changed. It's the same crap. Target was PCI compliant. And when you look at the mess that... I don't,
[00:38:45] Brad Nigh: Oh, for sure. I mean, don't get me wrong, yeah, I'm not defending PCI. I'm just saying some of the things that they're claiming fly directly in the face of being able to get compliance.
[00:39:01] Evan Francen: The other thing about PCI, right, is it only applies to the cardholder data, so I might be doing all kinds of crappy-ass stuff everywhere else. Yeah. Yeah. Anyway,
[00:39:14] Brad Nigh: And that's not necessarily like, well, here we go, crossing it out. It just, that struck me as odd.
[00:39:22] Evan Francen: Oh, yeah. This whole thing is odd, man. Uh, many accusations. So in the lawsuit, they say that the accusations made by the shareholders are corroborated by a group of 10 former anonymous employees. Uh, SolarWinds also allegedly made misleading claims about the quality of its cybersecurity, especially on the website, deceiving investors. All right. So SolarWinds fired back. Uh, and in the middle of all of this, by the way, is, you know, the former my office for many more. He smith's Tim Brown, the VP of security and CISO, is in the middle of all this. Uh huh. Right. Um, there was like, who is that, Equifax? The Equifax breach? Susan, I can't remember her name, but she was also dragged through the mud. Oh yeah,
[00:40:27] Brad Nigh: everybody wants somebody to blame.
[00:40:30] Evan Francen: It's crazy. So the company's response is 48 pages long. Uh, the lawsuit itself was, I think, 12, but here's some of the things they say, quote unquote: the complaint does not contain a single actual allegation supporting any inference, much less a cogent and compelling inference, that the SolarWinds defendants intended to deceive investors into believing that SolarWinds was immune to cyberattacks or otherwise smoke with severe recklessness such that investors would draw that conclusion. Which to me,
[00:41:10] Brad Nigh: Oh, go ahead. Sorry.
[00:41:11] Evan Francen: Well, there’s no direct and that,
[00:41:14] Brad Nigh: Yeah, I mean, what we... yeah, if they had said, yeah, you're fully protected from a cyberattack, yeah, that would be, uh, nobody that's good would... I would never say that, right?
[00:41:34] Evan Francen: But, and then the scope and sophistication, they attacked, quote unquote: investigators, government officials and the press have uniformly characterized the cyberattack as the largest and most sophisticated cyberespionage operation the world has ever seen, requiring at least 1,000 very skilled, capable engineers. Um, yeah, not uniformly. I don't think it was the largest and most sophisticated cyberespionage operation the world has ever seen. I think there were oversights.
[00:42:10] Brad Nigh: Well, I think that there are probably others that we don't know about yet. Okay, this is probably the largest disclosed. Mhm.
[00:42:20] Evan Francen: Well, I'm certain it's sophisticated. It caught a lot of people's attention. Yes, but I also don't think that that, in and of itself, is a defense against some of the other allegations that were made. You know,
[00:42:34] Brad Nigh: Isn't that the common one, man? Right. We did what we could; this was something that nobody could have expected. Right.
[00:42:46] Evan Francen: This one was interesting. Here they fired back on a specific point: the allegations about the solarwinds123 password are simply a red herring. Plaintiff does not and cannot plead any facts suggesting that the solarwinds123 password or the update server was used in the cyberattack. So that's almost an admission that the solarwinds123 password was on an update server. However, that update server or this password was not used in this particular attack.
[00:43:18] Brad Nigh: Yeah, it's very much like almost an admission, but there's no, mhm, saying yes, this is the case. They're saying if it were, it doesn't matter. Right.
[00:43:32] Evan Francen: So it’s interesting. I like following these things because at the end of the day, it does set some precedent. Uh The sad thing is you have this back and forth fought by lawyers and um at the end of the day, it just never seems like the person that should have been held accountable was held accountable. Mhm.
[00:43:54] Brad Nigh: Yeah, but that last piece with the group of employees, I thought it was interesting, but SolarWinds is claiming none of them would have had access to anything within the security infrastructure, none of them worked on the Orion software platform. So that's an interesting, that would be interesting. Yeah, I'm with you, this will be a really interesting one to follow.
[00:44:21] Evan Francen: Well, yeah, especially on that point, these are anonymous employees. So how do they know that, you know, I don’t know, I have to read more into it.
[00:44:31] Brad Nigh: My guess is they know, you know the turnover in those departments very well.
[00:44:37] Evan Francen: Yeah, you think so, but you know on the other hand to it, I know enough about, you know big companies and know enough about solar winds to know that their security wasn’t as great as they are claiming it was either, you know what I mean? The truth is somewhere in the middle of all this.
[00:44:59] Brad Nigh: Yeah, no, I would agree.
[00:45:02] Evan Francen: And I would love to see at some point, and maybe this isn't the breach, maybe there is no, uh, you know, nobody to hold liable on this side. Right. Certainly the attackers, if you can ever find them and get them and hold them accountable, you know, ultimately that's where it goes, but where there is negligence? I would love at some point for us to actually hold a CEO accountable for their negligence with respect to information security so that we can set some sort of precedent, get, you know, something to get CEOs' attention that we need to take a lot of this stuff more seriously. I need to put it on the same level playing field as everything else in my business. I understand it's hard, right? There's so many things competing for CEOs' time, but we like what we do, you know, for instance, we provide a number: this is the current state of your security, this is the future state. The same thing the CFO does with money. Right? We currently have X number of dollars; next month we will have Y number of dollars. It's the same kind of thing.
[00:46:12] Brad Nigh: And I think the CEOs need to wake up and pay more attention, because if you have a security event, that's probably going to be one of the most disruptive things that could happen to the company.
[00:46:24] Evan Francen: Right? But until, unless... I think, because I've read other studies, I read a study that more than half of CEOs think that information security is a waste of resources.
[00:46:36] Brad Nigh: until they have a ransomware attack and are suddenly willing to invest
[00:46:41] Evan Francen: Or until they're held personally accountable.
[00:46:45] Brad Nigh: Yeah.
[00:46:46] Evan Francen: I mean, take the, you know, the Colonial Pipeline breach. The CEO gets up and says, I'm extremely sorry. Okay, what does that do?
[00:46:58] Brad Nigh: Nothing
[00:47:00] Evan Francen: At some point, you have to have the first one, right? The first one, it's not going to feel like it's fair. Right? So if you were to hold the, you know, the Colonial Pipeline CEO accountable, right, and fine them or do whatever, criminal, whatever you wanted to do, it's not gonna seem fair. And the reason why it doesn't seem fair is because you've never done it before.
[00:47:21] Brad Nigh: Yeah. You know, I'd say the same thing here. Like, there's got to be due process, obviously, because it could have been a defensible thing and somebody just made a mistake. They could have had all the controls. We say it's not a matter of if, it's a matter of when. So if it's found that they were underfunding security, that requests were being, you know, denied. Yeah, I'm accountable. They had all the things that you would expect in place and were supportive and gave a budget. Oh, well, and at that point, I'm sorry, that's satisfactory.
[00:47:57] Evan Francen: Right. And I think maybe something that would help would be if you had, maybe we do have actually, I think it's just putting it in this context, but we have a set of things that if you're not doing, I would call them negligent. For one, having an asset inventory. If you don't have an asset inventory, and I understand that assets change on a regular basis, well then get your hands around it. Figure out processes, figure out technology to get your hands around your assets. Yeah, I don't have an ad and it's great Three. How could you claim that that's not negligence?
[00:48:36] Brad Nigh: Oh yeah. And it's not difficult stuff. It's like, I would say, what, less than 10 fundamental things that you need to have in place and implemented appropriately. Not just happened, right? Yeah. Is that beautiful and exercise to Mhm.
[00:48:55] Evan Francen: Well, maybe work on that. And the, well, the next thing I want to talk about was what, if anything, do we expect from the Taliban news this week, you know, the things happening in Afghanistan.
[00:49:06] Brad Nigh: But honestly, I think it's going to be the same thing we see after every major disaster, with the increase in phishing emails looking for donations to help the, uh, refugees, that type of thing. I wouldn't expect to see any other types of attacks.
[00:49:24] Evan Francen: Yeah. Yeah. I think I agree with you there. You know, I think in a longer-term sense it's interesting to see how China is positioning themselves. That could work out into something kind of funky. But I agree, it's going to be things that play off the humanitarian aid thing, you know, pull at the heartstrings. It should look like.
[00:49:46] Brad Nigh: Yeah. And people have to be very vigilant right now, because you also have, you know, the earthquake in Haiti, now they're getting hit by the tropical storm. So, you know, we're going to see an innovation of those. So there's a lot going on right now. You've got to be on your toes, right?
[00:50:04] Evan Francen: Yeah. If you want to donate to that stuff, you know, go about it yourself, right? Search for the right places, you know, don't respond to a damn email that you didn't ask for. Yeah, it's news things. We've got three news things. Actually two news things; we'll go through those pretty quick so we can wrap this thing up. The first is T-Mobile. Thanks.
[00:50:31] Brad Nigh: Yeah. Yeah. I think the only thing on that one that really concerned me was the IMEI numbers being taken, because that's probably one of the few things that hadn't, up to this point. Everything else I know for sure: my date of birth, Social Security number, you know? Well, the PIN, the plaintext PIN, which is, oh my god. But, you know, this will be interesting to see again how this was done.
[00:51:03] Evan Francen: Right? No, I agree with that, same thing. The fact that all of this data has probably been leaked in the thousands of breaches that have happened over, you know, the 30 years. Chances are really good that my name, my date of birth, my Social Security number, driver's license number...
[00:51:25] Brad Nigh: And I think I'm at the point of just, I assume that stuff is all known. Yeah, act accordingly.
[00:51:33] Evan Francen: But then, you know, the IMSI and the IMEI data, you're right, that probably hasn't been leaked before.
[00:51:43] Brad Nigh: Yeah, it will be interesting, and I want to see how they didn't notice that 100 gig was downloaded. Like, uh, is that not normal? That's normal. How did this get missed?
[00:51:55] Evan Francen: Well, and again, man, it's the basics, the freaking basics, it's over and over and over again, you know, ingress. And why do I have a firewall in place? Is it just to be a crunchy shell, or should I not be using it the way it was actually designed to be used, which was to limit what goes out as well? Ingress, egress. I mean, the same thing happened, you know, we've already mentioned the Target breach, you know, it all went out to FTP. Why do you have FTP open? Yeah, I don't know.
[00:52:29] Brad Nigh: Yeah, that would be a fun one to follow as well.
[00:52:33] Evan Francen: Right. Well, at least with the IMEI and IMSI, like, for people who don't know, those are used essentially on your SIM card. Right. And they identify your phone on the phone network. If I had that data, I could potentially replicate a SIM card and do a SIM swap without having to call T-Mobile.
[00:52:52] Brad Nigh: Yeah. Yeah. And so I would assume anybody that's affected will be getting a new SIM card.
[00:52:59] Evan Francen: I hope so. But, you know, the thing that doesn't bother me about those is I can change them.
[00:53:08] Brad Nigh: Yeah sure
[00:53:10] Evan Francen: I can't change my name. Well, I can, but I'm probably not going to, because they'll just lose my damn name again. Can't get a new Social Security number. I probably can, but again, it's not trivial. Driver's license number. I mean, the thing that sucks about those things is they are permanently out there and I can't change them. Yeah. Uh huh. All right. So the way the data was exposed, uh, there's write-ups everywhere about this, um, essentially somebody broke in to T-Mobile, found the data and extracted it. Yeah, this is your run-of-the-mill attack. It's not "we just left something hanging out there somewhere." No, somebody infiltrated, exfiltrated it.
[00:54:09] Brad Nigh: Yeah. Yeah. I'll be interested to see the results of the investigation.
[00:54:16] Evan Francen: Yeah, and in this case it's what, 100 million customers?
[00:54:20] Brad Nigh: Uh, they are claiming 100; T-Mobile's claiming 40. Yeah.
[00:54:26] Evan Francen: Yeah.
[00:54:27] Brad Nigh: The other thing was, if you read, I was reading something about it, and the attacker was saying it was like in retaliation for U.S. cyber espionage. They weren't asking for a ransom or anything. This is a retaliation attack, which, you know, what I don't understand is why you'd go after, right, or you know, a company, not the government. But yeah, that could be a significant ramp up of. He was rad.
[00:55:00] Evan Francen: Well, I mean, you know that some government employees probably have personal T-Mobile accounts, or their family members do. So there's a back door there as well.
[00:55:10] Brad Nigh: usually. Absolutely.
[00:55:13] Evan Francen: All right, so speaking of the government, thank you. We just, uh, the FBI has this thing called the Terrorist Screening Center, so TSC for short. If you just Google "FBI TSC" you'll find some information. But their job essentially is to maintain the no-fly list, you know, make sure that terrorists, suspected terrorists, are being tracked. Um, the information on the watch list is shared with the Department of State and Defense, you know, numerous international partners. Staff have access to it, customs officers. Um, part of that TSC, part of that terrorist screening center list is the no-fly list. Uh, so a bigger list, part of that, because most people have heard of the no-fly list. A lot of people haven't heard of TSC before.
[00:56:09] Brad Nigh: Yeah, but the no-fly list is a subset of a bigger watch list.
[00:56:14] Evan Francen: Yep. So this was exposed on an Elasticsearch server, just hanging out there.
[00:56:22] Brad Nigh: You know, the most unusual part is, well, it was on a Bahrain IP. Wasn't a U.S. IP. That way. Okay.
[00:56:35] Evan Francen: No, you're right, so it might have been something that we shared with one of our international partners, and
[00:56:39] Brad Nigh: Yeah, and it was left online without a password or any authentication, and it's on a non-U.S. IP. I don't know what our relationship with Bahrain is, but, you know, could be we shared it with someone, they exposed it. It could be, hey, do we have... was this a leak? So I think there's a lot of what you need to know about this one.
[00:57:09] Evan Francen: Yeah, I agree, man. And the fact that it was Bahrain, it does kind of lend itself to the fact that it was shared with Bahrain or a partner, a partner country, who then exposed it inadvertently. Yeah. So it was discovered on July 19, 2021 by a guy named Bob Dyachenko. Bob Dyachenko, you know, has his own company, a security researcher out there doing a lot of this good stuff. Uh, found on July 19. And I think it was taken down. When was the date? We have that?
[00:57:48] Brad Nigh: This is three weeks later.
[00:57:50] Evan Francen: Okay. So it is gone now. The data that was exposed: 1.9 million records. Full name, gender, date of birth, citizenship, passport number, TSC watch list ID. Uh
[00:58:04] Brad Nigh: And the no-fly indicator, yep. Yeah. You know, in the three weeks, they keep harping like there's no, nobody knows why. Are you kidding me? I'm not shocked at all by that, because it was probably reported to some very low level and it took that long to get to somebody who could make that decision, right? No.
[00:58:33] Evan Francen: Yeah, I agree. Now this doesn't affect me personally, because I don't think I was on this list, but 1.9 million people were. Now the actual list, I mean, you gotta point out there are people on that list that probably shouldn't be on that list, people not on that list that should be.
[00:58:52] Brad Nigh: and we don’t know. Is it even a legitimate list?
[00:58:59] Evan Francen: Yeah. He’s got some screen, he’s got a screenshot that shows some of it. And yeah, I don’t know.
[00:59:04] Brad Nigh: I mean, that’s another thing we, we have to take into account.
[00:59:09] Evan Francen: Yeah, totally, man. So I think the, and maybe I'm reading more, but just for listeners who think that the government is so good at security: they're not, they're just not. There are parts of the government that are good at information security, but most of them aren't. The same chapter we talked about with states. You know, think about the complexity in just any state, when you talk about all the things. Take that and multiply that, you know, take that to a factor of 100. That's your federal government.
[00:59:46] Brad Nigh: Yeah. They can't compete salary-wise with the private sector, right? I know, anybody historically, right, that people would go there, get experience and then go get hired, and so there was a lot of turnover in some of those positions.
[01:00:04] Evan Francen: Yeah. Yeah. It's a mess, man. And I've got buddies in CISA, and I was talking to one of them about some of the things that we're trying to do. He's like, oh, that's a good idea. I'm like, you're the one, you're the damn government. You've got all the resources in the world. I'm like a dude in my guest bedroom. Yeah. Come on. I'll give you the methodology. You can do it, please fix these problems. That's the thing about CISA too: not only is CISA, you know, the Department of Homeland Security, trying to fix government things, but now CISA, the way they're set up, it's let's go out and help everybody else, let's go out and help states, help, you know, counties and cities and everybody. It's like, why don't you get your own house in order first?
[01:00:54] Brad Nigh: Yeah. Yeah. And, you know, honestly it probably would be easier to start small. You'll see more tangible results faster. It would be a lot easier for a county to implement some of these changes than the Department of Transportation for the U.S. government.
[01:01:13] Evan Francen: Yeah, but what's going to have the most impact, man?
[01:01:17] Brad Nigh: Yeah. And this is a business, this is where that business needs to make a decision, right? The organization to say, hey, look, we can pick off these 15 things introduced. There is my ex and take this long, or we can do this one thing that is more, it's gonna take twice as long and cost twice as much. Yeah, what do you want to do?
[01:01:39] Evan Francen: Yeah, good point, man. All right, well, good episode. Uh, you got any shout-outs?
[01:01:47] Brad Nigh: Yes. I'll give a shout-out to our ah 15. I think you've been very supportive and encouraging, just on a personal level, but also, like, to the organization.
[01:02:02] Evan Francen: Yeah. That's cool, man. I'm gonna give a shout-out to my mom because she's here visiting me from wherever she comes from, and she birthed me. So that's kind of good. I'm thankful for that. The crazier the world gets, I'm kind of thinking like, yeah, maybe you should have saved your time on that, because it's getting crazy out here. But no, it's my mom. She's a wonderful person who, you know, I think did a good job, mostly. Um, all right, well, that's it. That's the wrap. Episode 145 next week. I'm gonna try to get some state CISOs to maybe join us on some of these.
[01:02:38] Brad Nigh: That would be fine.
[01:02:39] Evan Francen: Yeah. I'd love to hear kind of their perspectives. Obviously they live it and walk in it, and I want to help as much as we can. Uh, if you want to socialize with us, you can email us at firstname.lastname@example.org. We're not very good at actually...
[01:02:59] Brad Nigh: Mhm, following that email, but I don't find anything critical there.
[01:03:01] Evan Francen: No, nothing timely, no way. Where you can follow us online too: I'm @EvanFrancen on Twitter. You're at Brad, and we're also on LinkedIn. You can find us, we're all over the place. We give talks and put out... you'll find us. That's it. Have a good one.