Unsecurity Podcast

CSO Online published an article outlining the “six hard truths that security pros must learn to live with.” Evan and Brad take episode 81 to break down their list and the reality of information security.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Brad Nigh: Welcome back. This is episode 81 of the Unsecurity podcast. I’m your host this week, Brad Nigh. Today is May 26th, and joining me this morning as usual is Evan Francen. Morning, Evan.

[00:00:34] Evan Francen: Good morning Brad.

[00:00:36] Brad Nigh: How are you doing?

[00:00:38] Evan Francen: Good.

[00:00:38] Brad Nigh: You go. And I saw a couple of pictures from your camping, got out over the long weekend and got away a little bit.

[00:00:47] Evan Francen: Are we facebook friends?

[00:00:48] Brad Nigh: No, I don’t have facebook, but our wives are

[00:00:52] Evan Francen: okay. So your wife’s on, you haven’t seen what was posted. Uh, you know, it’s hard enough to figure out what day today is, uh, you know, so then you get another day off, I think. Mhm. And I’m, you know me, I’m an idiot. Right? So, um, we get back from this weekend and then uh, yesterday afternoon we got back and I took a nap and I woke, I slept until five in the afternoon. And I woke up with all this energy. So I get up, I put the camper away, uh, started a campfire, not a campfire, like a whatever you called it treatment. It’s at your house on fire. Yeah. And then killed a whole bunch of ants like a billion ants. That was fun. Uh, then I decided I was going to rip the fascia off of, you know, below uh, bay window because we’re gonna put a sliding door there. Uh and then uh tore out a baseboard heater. This is all like 9:00 at night yesterday.

[00:02:06] Brad Nigh: That’s funny, I’ve done the exact same where you just get this Mhm Random yeah, energy or whatever and go

[00:02:15] Evan Francen: yeah, I mean it’s just it was a great weekend, but man, that was that was dumb yesterday, so my wife is like, you’re not going to bed tonight, are you

[00:02:25] Brad Nigh: get to get out the energy so you could go to bed?

[00:02:28] Evan Francen: Yeah, yeah, I did get a little bit sleep. So you made you made some bad ass ribs? I saw that

[00:02:34] Brad Nigh: I did, I would love to send that out on Twitter and yeah, I got some painting done in the house. Uh it was raining, we put uh yeah lavender for uh why? For Mother’s Day, yep, those are my ribs, they were so good. Yeah. Uh But you know, we’re playing, I play indian we have like a little garden running alongside the house, it’s like three ft wide or whatever. So doing like lavender plants along the whole side of it because she likes it. So why not? So get that done bunch of other, just landscaping and you know the yard and just unplugged.

[00:03:21] Evan Francen: That’s cool. You said you know in your show notes that I always have some sort of stories that was part of it and then uh we went to Wisconsin this weekend, which is much more open than Minnesota, they have their campgrounds open. So he decided to take the RV over there. And I had um, I had dinner in a restaurant. Mom. I know it’s like the first time in like 2 1/2 months. That was weird.

[00:03:56] Brad Nigh: Well yeah, I came by. When did they come by? Is it Friday? It was Friday.

[00:04:02] Evan Francen: Right,

[00:04:03] Brad Nigh: so hitchings go are all blurring together. Yeah, stop by the office. And First time I’ve seen any of the people there in person since 12 months, March 17 basically.

[00:04:19] Evan Francen: Yeah. You had only been in the office like when nobody was here once. Yeah, came

[00:04:23] Brad Nigh: in one time to pick up some stuff and that was it. So it was, it’s cool to see everyone. It’s kind of weird but definitely uh makes you realize how much you miss the energy and you know how good it is to just be able to pop in and collaborate with someone. So it’s just very different

[00:04:45] Evan Francen: online, but

[00:04:49] Brad Nigh: it is what it is.

[00:04:51] Evan Francen: Here’s what it

[00:04:52] Brad Nigh: is. Um, so last week, what did you do, work wise, Anything fun or exciting?

[00:05:01] Evan Francen: It was all fun. It was all exciting. Everything I do is very, very exciting

[00:05:08] Brad Nigh: as you quickly look at your calendar to remember because we have nobody knows what’s afternoon anymore.

[00:05:15] Evan Francen: Go. Yeah, I did that meeting. Yeah, a whole bunch of meetings. It looks like uh huh there’s a great, yeah, it was a great week last week. We um man, there’s a lot of stuff going on. I want to say a bad word. Uh Yeah, the security uh Should show is good on Thursday night. We went an hour and 42 minutes. So that was super long. Uh Yes, men, you know some insurance place or some some information security risks stuff with a new insurance company called cow bell driver. That was really cool. Oh crap. I gave a talk last week to, it’s weird because you know, I’m not much of a a business person I didn’t think, but I’ve been asked the last couple twice the last two weeks to give business leadership talks. That’s weird.

[00:06:11] Brad Nigh: Oh maybe because you’re not, but quote unquote traditional. Yeah, CEO. Right. It’s a different take on things,

[00:06:20] Evan Francen: definitely not the traditional CEO, that is 100% true. They do not look like this.

[00:06:28] Brad Nigh: Yeah. Yeah,

[00:06:32] Evan Francen: no, it was a good week though, man. A lot of stuff got done. This week is gonna be a short week. I’m taking off on Friday afternoon on a motorcycle ride with my wife. Uh my buddy and his wife and we’ll go go right from, we’re spending the weekend in a town called Lanesboro. Mm.

[00:06:53] Brad Nigh: I have no idea where that is.

[00:06:54] Evan Francen: It’s a small town south east Minnesota.

[00:06:58] Brad Nigh: Okay, we’ll be good. So let’s be gorgeous on Friday. So it would be good.

[00:07:03] Evan Francen: Yeah. And I need some riding, so that would be awesome. How about you? How was your week?

[00:07:08] Brad Nigh: It’s good. We started our internal uh annual risk assessment of ourselves. It’s always fun because we try to have, it’s an opportunity to have maybe a new person or in this, you know, last year had Pinky do it, it was just like third week here and we’re like let’s just see how it goes. But it’s great training for them this year. We have one of our associates Victoria doing it. So she passed her CSP earlier this year. I don’t even remember when um but it’s always fun because it’s a, you know, it’s a little bit of pressure to see how they perform doing the assessment on the people that are, you know, training it and all that, but it’s it’s a really good opportunity for them to also be like, alright, time out, take off his sister hat, I’m not sure how to ask this or what am I looking for here. And so just being able to kind of give them some advice on, you know, what what to do, how to do this correctly. And it’s kind of cool to see how people, how they think about it and do it, you know, approach it sure.

[00:08:24] Evan Francen: Um What is our S2Score? Can we say it?

[00:08:28] Brad Nigh: I don’t know yet. We’re not done.

[00:08:29] Evan Francen: What was it last?

[00:08:33] Brad Nigh: Um

[00:08:35] Evan Francen: That puts them a spot right there.

[00:08:37] Brad Nigh: I don’t remember. 686 85 right in their range I think.

[00:08:42] Evan Francen: Right. And we’re probably I’m guessing we probably score ourselves harder than most. You know what I mean?

[00:08:50] Brad Nigh: There’s a lot of yeah no we don’t have that documented that we know what to do because that’s what we do. Um I think our score this year will be much higher. We had just hired her for our first full time IT person in like February last year and did the assessment in March. So like a lot of the formal documentation around some of that stuff from the IT perspective wasn’t there that we now have. Right. Um Mhm. So you know it’s one of the things there’s different expectations that they Kind of a 50 person company or a 40 person company than a 70 or 100 person company. Right? And I think we’ll see those Mature and move forward with. Your score will be over 700 this year. Are three pretty close to it.

[00:09:44] Evan Francen: When is it supposed to be done?

[00:09:45] Brad Nigh: Um I think or we should be about done with interviews I think this week. Um And then I’ll just be the scanning. Okay. Which is another interesting thing with yeah everyone being remote for internal standing. Right.

[00:10:07] Evan Francen: Mhm. Uh huh. And then when we’ll get the results shortly after that I’m guessing Exactly

[00:10:16] Brad Nigh: okay. Today’s the 26th, so probably mid-June we’ll have everything buttoned up

[00:10:25] Evan Francen: because you know we we complain a lot about CEOs who aren’t involved in information security. I want to be one of those CEOs who actually wants to know the score. Yeah, yeah, set the example

[00:10:37] Brad Nigh: for sure. Yeah, I think the biggest piece we had was we were I know our biggest areas, we were working on like the business impact analysis for B. B. C. P. S and all that and updating that. And I think we had like two more sessions to go and then coronavirus hit, right? So everybody’s remote that threw everything off so we didn’t get that done before the assessments. I know we’ll get hit on that, but I mean we’ve got probably 85% of that completed, so we’re getting there.

[00:11:10] Evan Francen: Yeah. Well, progress, man. I mean progresses defensible. Right,

[00:11:14] Brad Nigh: yep. Yeah, we know where our weaknesses are. I mean there’s no uh we’re pretty, pretty fair with ourselves and like you said, I think if if some other companies that I assess were where we were at, they would not score themselves as harshly. I guess they’d be happy with what we have and it’s like that’s not quite enough for us, so.

[00:11:39] Evan Francen: Right. Yeah, being a security consulting company, you sort of want to set an example. Right, yep. Yeah,

[00:11:49] Brad Nigh: yeah, that was a big one and then um beside our monthly VTO. So that was really good. It was, you know, just four hours, five hours in the afternoon and getting just planning and talking and understand where we’re at, which is always good. I was bummed. I couldn’t make it into that, but mhm. It worked. Well,

[00:12:12] Evan Francen: it was video stand for

[00:12:14] Brad Nigh: uh visit vision traction organization. There you go. Right. Yeah, that’s what’s gonna get me in trouble. I guarantee you Renee is going to yell at me for uh

[00:12:27] Evan Francen: does Renee listen to these.

[00:12:29] Brad Nigh: Uh I think she does

[00:12:31] Evan Francen: All right, well you’re in trouble.

[00:12:33] Brad Nigh: No, no, it was good. It’s right. You go through kind of where we’re at planning for, you know, the next segment of time and prioritizing things going through issues and just yeah, it’s good. It’s really good uh to go through it because it’s like, I want to say a safe space, but it’s a you know, there’s definitely some times where there is yeah, contention, but at the end of the day, everybody’s on the same page going for the same goal, so it always works out and they’re fun to do good, good group stop. All right. Yeah. So, I guess we’ll go ahead and

[00:13:20] Evan Francen: talk some security stuff, man. I couldn’t go out.

[00:13:23] Brad Nigh: So I think this is the nose all weekend. I had no idea what doesn’t write about. I just had I was trying to distract myself with like painting and landscaping and doing all these things and just had no idea. I don’t know if it was right. Like I said, the monotony of the quarantine where we’re all just like every day is just kind of blurring together or all the breaches like there’s just no maybe it’s too much going on or yeah maybe it was just the writer’s block side. Um I sat down last night at About 5:00 and it’s like I have no idea where this is going to go but I’ll start with news and maybe something will and sugar and luckily it did. Um So I found that article for the from CSO Online uh six hard truths security pros must learn to live with. And so overall I actually thought it was a pretty good article, there was some definitely some parts that I did that I was like no that’s that’s not the right approach but overall

[00:14:31] Evan Francen: talk about let’s make sure we talk about those two.

[00:14:34] Brad Nigh: Oh yeah I definitely was. That’s kind of where I was like yeah we can let’s talk to that. So I don’t know what did you think of it just at a high level before you kind of go through the six um six truths

[00:14:49] Evan Francen: um You know I I guess I did mm I didn’t I didn’t really like it but um but I think it’s good fodder for us to talk about, you know what I mean?

[00:15:05] Brad Nigh: Is this a good info in it. But yeah

[00:15:09] Evan Francen: yeah I just thought, you know we’ve we’ve read about so many of these things before, I don’t like, you know, well first off, you know CSO Online I think is I remember when you just used to be able to go to the website and like get the article but now you have to stupid

[00:15:26] Brad Nigh: sign in

[00:15:28] Evan Francen: become an insider today crap. I mean why did who thought it would be a good idea to make all our websites as complicated as possible

[00:15:38] Brad Nigh: about

[00:15:38] Evan Francen: ads and pop ups and live streaming crap. I mean it’s just my God, I just want to I just want the damn article, you know what I mean?

[00:15:48] Brad Nigh: I did intentionally agree with that. So

[00:15:53] Evan Francen: yeah, we’re on that when I got past that I was like okay. Yeah,

[00:15:57] Brad Nigh: No I thought it was interesting because a lot of the stuff is is things that we’ve been talking about for 80 episodes of this, right? But it was interesting, I thought it had some good, you know, good points and good data in it. And then there was some some stuff that I was like yeah, so I think we’re on the same page so we’ll go through it. Just talk about it and talk some truth. Uh The first one is that hackers are probably inside your network right now and you know, it says that there are two types of companies, those that have been hacked and those that have been hacked and don’t know it yet. Uh huh. I don’t know if you can necessarily say they’re probably inside your network. But yeah, I mean we do see it up more often than not uh 200 days to identify a breach. That’s not surprising. Uh 70% of CSOs reportedly discovered malware on their networks. That’s Yeah. Well yeah

[00:17:02] Evan Francen: and I think that data is one thing but we’ve we’ve used this same the same statement for years, right? Hackers are probably inside your network right now, you know, and it gives off this like sense of like fear. Mhm. When you know, are they? I mean just because it takes that long to identify an attack and you know all these data points that we have. I I still think that our industry just in general sucks at data, you know, being such a what we’re supposed to be such a data driven and I should premise all this, I’m kind of in a pissy attitude today because because of our you know just some industry things that you know reading and going through but I I just that’s one point where it’s like hackers are probably inside your network right now. Uh huh.

[00:18:05] Brad Nigh: Yes

[00:18:07] Evan Francen: man, I mean I don’t know that. So why would I say that?

[00:18:09] Brad Nigh: It seems a little click-baity right like right like the the and I I get it right, we know it takes the 200 days or whatever and then you found malware. Well I mean that would be interesting to read, I didn’t really click through to see what they define as malware Is that like you know the ASC network or some of these like browser bars are an annoyance but not really actually doing anything.

[00:18:39] Evan Francen: Right. Well and those are two different data points that represent two different things. So the fact that it takes on average companies an astounding 200 days to identify a security breach, doesn’t say anything about the likelihood of a data breach for you or The probability that you’ve already been breached just because it takes on average 200 days

[00:19:04] Brad Nigh: well. And again. And that’s the one where we are stuck with that Ponemon study. Right? That’s where it came from. Which is a it’s the best we have. But is it really how good is it? How representative is it?

[00:19:22] Evan Francen: All right. So I think the fact that it takes people so long and I I sort of agree that it usually does take people quite a while, you know, depending on the type of breach. Obviously. I mean if it’s ransom where you’ll know about it right away. But uh you know, I don’t debate so that it takes people a while but I still disagree with the fact that you know, hackers are probably inside your network right now. I don’t I don’t see the correlation

[00:19:54] Brad Nigh: well and what got me on this first one is that what can you do? Right. So what can you do is consider deploying threat hunting tools that create honey pots and other advanced techniques. Yes. People don’t even have asset inventories don’t have the basics. And you’re saying, oh, do a honeypot, Which has its own huge legal implications. Yeah. Hey, I was just I read through it. I was like, yeah, okay, we’ve seen that and I got to that what can you do? And it’s like, whoa, no, Stop. Please don’t anyone do a honeypot unless you know exactly what you’re doing. It should be like security researchers and that’s about really about it.

[00:20:41] Evan Francen: All right. I mean, if you’re missing the basics who gives a crap about your threat hunting tools and your honeypots. Right. Right. I mean the people that are best at securing their environment or the people who know themselves the best. So if I know myself really well, I know my environment really well. I know what my network looks like really well. I know where my applications are. I know the application data flows, you know, I know what’s normal baseline traffic. I know what’s abnormal. I mean if you know yourself well, that’s the basics, right. I mean start there start researching yourself.

[00:21:17] Brad Nigh: I could say of all the IRs in the last, you know, a year and a half or so, maybe you wouldn’t one two that had a solid enough program in place that you know, and one of them is is, you know, we’re winding down and they have one of the better programs in terms of like their team. And like usually working an IR you get you can get some combativeness from the staff right? Because you’re telling them all the things you’re identifying all these problems all these holes or whatever, right? So they were very protective of their work and he says open wanting to learn more and just like Ben really act all things considered very enjoyable to work with. A very good collaborative thing and you know even then they have good medicine that you know it was separated, their backups are separated, they had all that, they’re doing all the right things and they still got ransomed. They would be one of the few that would even be maybe ready for more of that threat hunting tool. But for the most part people don’t have yeah, they’re not doing the basics. There’s just no way they could manage a threat hunting tool if Right. And it’s just a honeypot I think is sort of on reckless irresponsible.

[00:22:59] Evan Francen: Well it’s irresponsible if you haven’t covered the basics and if you don’t know what the basics are. Well then pick up a book and start learning sometimes. But you know the so I mean what we’ve gotten so far is the first truth, You know I said six hard truths. Security pros must learn to live with. And so your first truth hackers are probably inside your network right now isn’t a truth. Mhm Maybe. I don’t know show me the data and if you’re using the data of, You know, 200 days to identify a security breach, that’s a different thing.

[00:23:36] Brad Nigh: Yeah. Well, and then, yeah, the the malware versus right. There’s that malware covers such a huge range of things. I don’t know if you can validly say, hey, now wears covers everything, like, Right? Yeah.

[00:24:03] Evan Francen: So the first truth is wrong. Let’s go to the 2nd 1.

[00:24:05] Brad Nigh: Yeah. Yeah. This was so I didn’t I didn’t like this truth either or the way it was. I

[00:24:11] Evan Francen: didn’t either. So, so far around the same page,

[00:24:15] Brad Nigh: you can do everything right? And a careless end user can ruin everything. All right. Right. And look, that’s just so I don’t know, it’s just disrespectful to the users. It’s not like I don’t think they’re being careless. I don’t know many what I would consider careless. Now. Maybe they’re uninformed. They your training wasn’t good. They don’t know what they’re doing or they made a mistake, but calling people careless indicates that, I mean, they they don’t care and I don’t think that’s true at all right. They may not know any better. But um and I like the assumption of you conduct extensive end user training on a regular basis. And I know a lot of companies don’t

[00:25:03] Evan Francen: Right? You’ve done everything you can do and still that dumb user clicks on the right?

[00:25:12] Brad Nigh: Uh Yeah, I mean, we know that and the numbers in there, I truly, I think those those look accurate, right? Like Verizon data breach, 32% of all data breaches involved phishing um When they went back and investigated phishing was present in 78% of cases. Yeah, I don’t doubt that, but to blame the end users, I don’t like that well. And you

[00:25:41] Evan Francen: know, I mean if you take, if you take it at its word right, without reading anything, you know, just trying to be as straightforward as possible, you can do everything right? The careless user can ruin everything. That is true, but you’re not doing everything right, I guarantee you. Uh huh. And yeah, users will do what users do. Um

[00:26:11] Brad Nigh: Yeah, I just I agree with it, right. In terms of the majority of the incidents come from what we said, it’s easier to get through the secretary than the firewall. Right? It’s just human nature, but I don’t like how it was. I think this goes to part of the problem in the industry, right? It’s the US versus them mentality. It’s true.

[00:26:35] Evan Francen: Yeah, I mean that’s that’s the part that I take exception with. The truth is true. It’s the way it’s stated. I think that we should take exception to because um you’re right. That us versus them mentality doesn’t help. It’s trying to figure out, you know who these people are, what motivates them understanding that everybody is going to make mistakes and if I’m so egotistical to think that I’m that I can’t make a mistake. I can’t click on a phishing email. I haven’t, but that doesn’t mean I can’t right

[00:27:13] Brad Nigh: or you know what kills you know, how many times do you hear your something along the lines of like, well, it was just those end users, you know, or whatever similar to that thought and you start looking into the organization and their everyday account is their domain admin or Right. So these fundamental things, it’s like, well, you’re doing a bigger risk than some of these other things,

[00:27:38] Evan Francen: right? And if you refer to your users kind of this way or imply that they’re somehow less smart than you or more careless than you or whatever, They’re not going to want to work with you because who wants to work with you to test?

[00:27:52] Brad Nigh: Right. Well, it’s it’s the we’ll say never punish on a phishing attack, right? When we do so, any social engineering uses education, never use it as a a reason to punish or shame your employees. Yeah, just you want them bought in you. If the better the more bought in they are to your program, the better your program is going to be. So if you’re telling them like, well you’re careless and you’re an offender, how is that gonna help have them buy in. I think they’re just gonna be like whatever.

[00:28:25] Evan Francen: Yeah. And then the way you can do on that one. You know, that’s that’s not news to anybody, You know, using a third party anti phishing service.

[00:28:34] Brad Nigh: Yeah. And I mean, those they are where they are they still what stopped maybe 85, Which it helps. But you’re still going to have stuff come through.

[00:28:45] Evan Francen: Well, that’s what you’ve always preached from the very beginning. That information security is risk management. It’s not risk elimination. So you’re always going to have this. So live with it and learn how to manage it, right? You reduce the risk as much as you can, you know, within, you know, within uh, you know, cost and everything else. I mean, you have to run a business,

[00:29:10] Brad Nigh: you know, the way the difference or with that.

[00:29:12] Evan Francen: But things do you have in place, you know, security expert person, you know, to to detect when something bad happens without the user having to warn you. That’s something that happened. You know, maybe there’s some things you can do there. And then what would your response be? You know, you still 70 some odd percent of organizations in the United States still don’t have an incident response plan. Yeah. You know, So, there are some things that you can do plan for it.

[00:29:42] Brad Nigh: Yeah.

[00:29:44] Evan Francen: So plan for it.

[00:29:45] Brad Nigh: The odds that you’re doing everything right? Or probably lower than

[00:29:51] Evan Francen: well, you’re not right. I mean, even if I had a security program with all my, you know, years of experience and all this stuff that and I was able to start from scratch and got every single thing that I asked for and I still wouldn’t get everything right.

[00:30:06] Brad Nigh: No, you can’t Just too many variables. Exactly. So All right. So I would say over two ish.

[00:30:16] Evan Francen: Okay, I’m gonna go uh you know, like I said, if I stay, if I take take it at just what the statement says, uh I’ll give you credit for that. I just think it’s a stupid statement

[00:30:28] Brad Nigh: over 1.5. We’ll give them half credit. There you go. Alright. Uh Third one facing critical staffing and skills shortages, all that.

[00:30:38] Evan Francen: That’s not what it says you face.

[00:30:40] Brad Nigh: Well, you face. Yes,

[00:30:42] Evan Francen: Do you do we do I? Uh huh.

[00:30:48] Brad Nigh: Yeah, I think we keep hearing is a whole and this is the first one that I actually thought there. What can you do is pretty, pretty good. It’s kind of what we’re trying trying to preach and do a little bit more of um you know, but they’re saying, you know, the (ISC)² uh Security Global Security Workforce has reached four million jobs. uh North America they’re saying a summit to run 550,000. Uh huh. So there what can you do is relaxing? Sometimes rigid requirements that applicants have specific certifications or years of experience, recruit and train employees from other parts of the company and cross training uh is important as well. So integrating the security teams with other groups such as DevOps or networking. So security as part of everyone’s job takes some of the burden off of uh, the design security professionals, actually, that’s probably not a bad piece of advice. Right? Got to start looking outside the box, working with others. Getting buy in across teams because yet you can’t you can’t do it all without their help.

[00:32:05] Evan Francen: Well, I think a lot of those falls on the hiring. Yeah, I mean, a lot of it falls on the hiring manager and the hiring practices to, we talked about this in the, you know, with me, well, kind of last week on the, on the like marketing piece, you know, going out and buying tools, Right? Why would you buy a tool first to find why, you know, why do I need a person? I need them specifically to do? So instead of asking for all these credentials and all this stuff that is oftentimes unrealistic ask for somebody who can do the things that you need done, right? And do what we do hire for those intangibles.

[00:32:44] Brad Nigh: I think part of it is people are afraid you keep seeing all this, there’s a shortage and all that. So they don’t want to train somebody up and have them leave, which it just compounds the problem if you train someone to treat them right, They’re gonna stick around all right. Like, you know, our tech services, you know, there there’s not a lot of, there’s there’s not a lot of pentesters out there. Right? Or in terms of demand to staffing levels so find good technical people find people that are good. You have that right mentality of I mean a lot of it’s just the troubleshooting mentality right? Like you look at things differently your whatever hire them and get them trained up there. You know what’s Burt we don’t have very much turnover if you treat people right and hire for like you said those intangibles for the for the position rather than well this person has X, Y. And Z. Certification. You’re going to be better off.

[00:33:52] Evan Francen: Well yeah I mean if you train somebody up and then lose them it’s still going to be less costly than hiring somebody with all this experience and you know dealing with the baggage that they bring usually and then they’ll leave anyway because they’re probably not there for your culture, there are probably more there because it’s another job where you know I can get paid so I don’t know and I hear a lot about this facing you know facing critical staffing shortages and we’ve seen both sides of the coin on this. You know all these studies you know (ISC)² and ISSA and um yeah saying we’ve got these huge shortages of talent yet I talk to people all the time who can’t get a job.

[00:34:41] Brad Nigh: Oh I think I think this is where there what can you do is is right right there’s this talent talent shortage or lack of people but the reason is, is there like, hey, this isn’t, you know, you see it all the time entry level job that requires five years of experience,

[00:34:59] Evan Francen: right? But I even got a guy like talked to you last week, his name is Jeff Hall, so shout out to Jeff, he’s got, you know, a lot of experience in information security, you can’t find a job. I also talked to another guy last week Quentin uh that I met out in San Diego. Uh he’s like, I’ll do anything. You know, I mean he’s got experience too, he goes, I’ll do, you know $40,000 a year and just take those triage phone calls and route them to the right place. I mean whatever it takes, I just need a job. No.

[00:35:35] Brad Nigh: Yeah, I think, I think you’re right. It does to some of the hiring practices where you’re filtering through maybe HR that is missing the boat.

[00:35:45] Evan Francen: Yeah, I mean, I wonder how much of this we shoot ourselves in the foot because we don’t even know what we’re asking for.

[00:35:49] Brad Nigh: Yeah, that’s probably pretty true. All right. Next one IoT creates new and unforeseen security problems. Uh huh. Who I mean it’s not wrong.

[00:36:03] Evan Francen: There is some truth to that.

[00:36:05] Brad Nigh: Um it was, it was interesting on something like the Zscaler analysis where they were saying, you know, 2000 pieces of IoT based malware per month in May of ’19 and by the end of December of ’19, it was up to 14,000 attempts per month. You know, there are some interesting things around that but yeah, um what can you do focus on gaining visibility into the existence of unauthorized IoT devices that are already inside the network? Well, if you’re doing everything right from above, you should already have that. So I’m not sure we’re there’s a there’s your first problem um putting out a on a separate network, yep, I would have that’s good segmentation or stick restricting access to the IoT device from external network. Yeah, changing default credentials, yeah, strong passwords if they allow it and security and firmware updates, which again you’re kind of at the mercy of the IoT vendor which we’ve seen a lot of uh yeah, that’s not their top priority. Mhm.

[00:37:21] Evan Francen: Yeah, I mean it goes back to, you know, inventory management, understanding yourself, you know, um people can start plugging stuff into your network, you’ve got this, you know, if you’ve got unauthorized IoT devices in your network,

[00:37:41] Brad Nigh: the hackers are probably already on your network, Kevin. Right.

[00:37:46] Evan Francen: Yeah. And they’re your users, you know, they’re the people who you’re allowed to just plug stuff into your network. So Yeah, I mean you talk about careless, I mean who’s careless there

[00:37:58] Brad Nigh: anybody

[00:37:59] Evan Francen: to plug stuff into my network without any authorization without any control, I mean user for that or do I blame myself,

[00:38:09] Brad Nigh: well, careless users, they should know that you’ve provided extensive training

[00:38:14] Evan Francen: a lot of times they and I think a lot of times you just wouldn’t even know,

[00:38:18] Brad Nigh: I don’t know

[00:38:19] Evan Francen: they wouldn’t even know that this is an unauthorized IOT device because you know, and who would expect them to I don’t, you know, I don’t understand finance and marketing. So unless somebody taught me what it is.

[00:38:32] Brad Nigh: Right.

[00:38:32] Evan Francen: The same thing with like users, you know, if users are bringing stuff in and you’re allowing them to plug stuff in your network that’s kind of that’s just snobby. Nadia need.

[00:38:43] Brad Nigh: Yeah, that’s a fundamental that should be focused on before worrying about honeypots.

[00:38:48] Evan Francen: Right. And this is IoT or not. Right. So this is under the banner of IoT creates new and unforeseen security problems. That’s a security problem period, IoT or not IoT or a laptop or anything else, you know, and I know it’s easier said than done, you know, to disable ports or do some type of network access control or port access control or something like that. But I mean

[00:39:16] Brad Nigh: I mean it’s got a bigger problem which is, which is harder, you know, disabling ports that aren’t used and only enabling them when they have value, or an incident response recovering from ransomware. Right. Yeah. I would rather manage my ports and not have to deal with the incident.

[00:39:36] Evan Francen: Right. And I know there are new technologies out there like micro-segmentation and things like that, which can help but uh yeah, I mean I agree with the statement for sure, IoT creates new and unforeseen security problems, but that’s not a new problem. No, people are plugging unauthorized things into the network, it’s just

[00:39:57] Brad Nigh: it’s new things not a new problem.

[00:40:01] Evan Francen: And segmenting the network. That’s also not new.

[00:40:03] Brad Nigh: No. Oh goodness. Yeah. Changing the credentials and all that and patching I

[00:40:08] Evan Francen: think restricting access to your IoT device from external networks. That’s not new.

[00:40:12] Brad Nigh: No, those are the fundamental they got the right but if you’re if you’re already if you’re the yeah, hopefully that’s not

[00:40:22] Evan Francen: changing default credentials, not new, requiring, you know, strong passwords, not new. And I agree that these are hard truths but the thing that it said in the hard truth is IoT creates new and unforeseen security problems. These aren’t new.

[00:40:40] Brad Nigh: Yeah, I agree with that. All right, next one. You sometimes feel misunderstood and underappreciated. Well, I think, I mean, yeah, that could go for like literally every employee ever. This is not limited to that but um and yeah, security teams face an uphill battle in a number of key areas: funding, executive support, business unit cooperation and employee resistance. Well I’m gonna say three of those four, and the fourth one being funding, are results of the other three. I think a lot of that comes back to the attitude security people have

[00:41:23] Evan Francen: Right well not like this one. I actually like I don’t necessarily like the, the truth per se, But I think the author is dead on in what you can do, right? As a security professional. It’s on you. If people are misunderstanding you, not appreciating you, that’s your problem, not theirs. So making that concerted effort to reach out to the business building bridges, uh, try to be fun for credible.

[00:41:56] Brad Nigh: Well, I fully agree. And I think that’s where I was kind of sort of trying to go. It’s the people, the security keeping a lot of times, that’s not what happens, right? It’s the my way or the highway approach or I know better. So you guess this is what we’re gonna do, which causes employee resistance, which means business units aren’t cooperating, which means that executives are now going to be, what are they going to hear? Well, securities, I can’t do this or we can’t do this because of security. Right? Instead of being proactive in reaching out and working with a company or with the business, you’re a lot of times we say they’re causing this happen to themselves,

[00:42:36] Evan Francen: right? And it’s a two way street, right? If you go back to the second truth, you can do everything right? And a careless user can ruin everything. Does that make them feel misunderstood and underappreciated. You know, so it’s a two way street. If you, if you take your time to understand people understand the business and make them feel appreciated. It’s crazy how reciprocal that is.

[00:43:01] Brad Nigh: Oh, for sure. Yeah, yeah, I actually did like this, but you know, I think the the key areas and then what can you do? We’re dead on uh like you said, and I felt like maybe that truth was a little vague. They could have tightened that up,

[00:43:19] Evan Francen: Right? And I don’t like that, that one because that’s that’s another buzz worthy thing and what you can do. But I’m just being nitpicky now is, you know, security is everyone’s responsibility. It’s like everybody has a responsibility in security, but security is everyone’s responsibility.

[00:43:38] Brad Nigh: Yeah,

[00:43:40] Evan Francen: but if I’m the CSO it’s my responsibility.

[00:43:44] Brad Nigh: Yeah. That may be rewarded that everyone has a response, has some responsibility for security or something, but it’s not. Yeah, I can see where you can kind of get a little you could have Yeah,

[00:43:57] Evan Francen: I mean, I’m not picking there, but you know, I just, you know, I

[00:44:01] Brad Nigh: think the overall message for that, what can you do, is good, right? Like reach out, work together, right? Alright, last one is stress, anxiety and burnout come with the territory. Add up all the hard truths listed above and you get a profession subject to high levels of stress, anxiety and burnout. I mean, I can’t really argue on that one. Mhm. We see it all the time.

[00:44:32] Evan Francen: Yeah. And again, I think a lot of times we bring this on ourselves, right? Um stresses, you know, if you’re taking things a little too personally, you know, maybe you don’t understand yourself what you’re what really, what your role is now, you take on the responsibility of being the risk decision maker when really that’s the businesses, right? So if you go back up to the next one and the previous one, you understand them and they understand you well, you know, so the others, right? You know, the truth listed above do kind of add to this one um anxiety. I mean, I don’t know what’s there, I mean, I guess I get anxiety, but uh where’s cool? Worst case there’s a breach, you get another job. I mean, it’s or, you know, you have a good incident response and you can defend yourself, right? It’s not like you’re not going to be out of work or anything. Well, unless you’re like some of the people that are trying to get jobs right now, that can’t Yeah, burnout is a big one for me, man. I but I bring that on myself too. I worked too damn much. I don’t have to work as hard as I do, but I do,

[00:45:54] Brad Nigh: yeah, I think it’s I actually like there. What can you do? Um you know, no easy answer, but security practitioners need to open up and talk about stress with their colleagues and make a determined effort to improve work life balance. I I really agree with that. I think there’s a lot of um uh self pride or whatever in terms of maybe not talking about it and just working. Mhm. But yeah, you can’t do this alone, you need to have somebody to talk to, right? So, yeah, I

[00:46:34] Evan Francen: think we all have our own ways of dealing with that kind of stuff. But I mean that’s such an individualized kind of thing.

[00:46:42] Brad Nigh: Mhm. You know? Well, but I mean even like what you’re doing with, with the uh daily insanity thing, right? Just being able to be there and make yourself, make it known, hey, if you need to talk we’re available, because I don’t, I don’t know if maybe they don’t want to make that first effort or they don’t know if they can or what, but you do see a lot of it where people just hold it in and just, it doesn’t usually end well. Right? But, but I thought, yeah, they all, they all really do tie together at the end of the day. Or like if you, if you can reach out and work with your end users and your business units and get buy-in from the executive team and, you know, you’re probably gonna have less stress, right? Users are going to be more engaged and have ownership of your program. So you’re probably gonna have fewer, you know, phishing clicks. They know, you know, not to plug anything into the network except for what is given to them, right? So you think, yeah, a lot of it does come down to, you know, being better at communicating with the business units and becoming a team with them versus an adversary. Yeah.

[00:48:04] Evan Francen: Right. Well, it just goes to show too that information security is, I mean our jobs are like puzzle pieces, right? There’s so many pieces that fit together and yeah, you can’t rush your understanding of information security. A lot of that stuff comes with experience, just takes time to get there. Mhm. Well, so don’t be so damn hard on yourself, just take your time, slow down a little bit. Um you know, information security is not going anywhere. Um Nobody’s got all the answers, nobody’s got the silver bullets, that doesn’t exist, you know what I mean? It’s just like, well, but also be skeptical of things, you know, when you hear things like hackers are probably inside your network right now, you know, ask for some data, ask for some, like, proof, what are you talking about?

[00:48:52] Brad Nigh: Well, I would even say with all that, just focus on your fundamentals, right? If you can get your basics in place and have a really firm grasp on, I’m just keep talking about, you know, your asset management, your um identity, you know, and access control. I know there’s kind of two different things, but if you can have those basics covered, a lot of other stuff becomes not nearly as stressful,

[00:49:23] Evan Francen: right? And I think a lot of it even, you know, just like even before that, like just roles and responsibilities, you know, having a candid discussion with the CEO of the company, assuming that that’s somebody who hired you, or maybe it’s the CEO of the company and maybe you ask this even before you get hired: who’s responsible for what?

[00:49:42] Brad Nigh: Yeah.

[00:49:43] Evan Francen: You know, because I like simplifying things and I think the more you can simplify things, I think that also leads to a lot less stress, a lot less anxiety. So in the simplest terms, if I was hired as a CSO I’ve got two jobs. I’ve got one: I consult the business on information security risk, right? My second job is I implement the business’s risk decisions to the best of my ability.

[00:50:10] Brad Nigh: Yeah. Yeah not make the risk decisions.

[00:50:14] Evan Francen: And so if we start off on the right foot, on the right page with the CIO or the CEO, whoever I’m reporting to, in most, most cases unfortunately it’s the CIO, but it’s having those, those candid discussions of who is doing what, who is going to make the risk decisions. Who’s going to back me up when I implement your risk decisions, because the business won’t be happy, business people maybe in other parts of the organization may not be happy about some of the decisions you make, you know, but it’s, it’s just defining those fundamental information security roles and responsibilities right out of the gate and then you can go on to these other things and at least I know that I’ve got that foundation to stand on. Yeah. Then you can start getting into more detailed things like, okay, like asset management. Who’s responsible for the asset inventory? Do we have different people responsible for hardware, software and data asset inventories or is it a single asset inventory? How do we reconcile the assets, and I mean just all kinds of things, right, around assets. But if we don’t, if we’re not clear about who is responsible for it, it will just never get done.

[00:51:29] Brad Nigh: It’s a really good point. Yeah. Okay. All right. I like those good, good discussion.

[00:51:38] Evan Francen: It was a good discussion and they’re always good discussions with you. That’s why I dig doing this. Good. All right. We’ve got people that listen in on this stuff. But you know, if if nobody listened and I just got to sit here and talk with you for an hour. That’s I dig it brother.

[00:51:54] Brad Nigh: Any time. All right. So a couple of news stories. First one is ransomware that attacks you from inside a virtual machine. I thought this was really interesting and slightly terrifying. That’s off of Naked Security by Sophos. Um, it is the Ragnar Locker ransomware. So basically there’s a, it’s a, it runs within a Windows XP virtual machine. They get on the network. They download a copy of Oracle VirtualBox. Run the Windows XP VM and run their ransomware inside of it. And what, what’s scary is that basically it bypasses your whatever endpoint protection. If you’re not blocking, you know, hypervisors, VirtualBox or others, then you may not know that this is ever running because it’s running in a VM that’s sheltered from your host machine’s protections. This is where application whitelisting would be the way to go

[00:53:09] Evan Francen: 49 kilobyte ransomware. Yeah,

[00:53:15] Brad Nigh: it’s not yeah I well it doesn’t take much

[00:53:19] Evan Francen: simple man. Right. Simple is best.

[00:53:22] Brad Nigh: Yeah. So I thought that was really interesting and uh we haven’t seen that yet, knock on wood, but it’d be a tough one to, to track down I guess. Right. Uh next one is off of Threatpost: people know reusing passwords is dumb but still do it. Okay.

[00:53:46] Evan Francen: What happened? Who did what?

[00:53:48] Brad Nigh: Sure. So more than half of people haven’t changed their password in the last year even after they’ve heard about a data breach in the news, per the survey called Psychology of Passwords: The Online Behavior That’s Putting You at Risk. Um Yeah. Yeah it was uh, I mean obviously I think it was LastPass that did this. So yeah, there is that, it’s like, you know, take it with a grain of salt, but honestly it’s really not surprising to see that people are not using strong passwords and don’t change them. Right. So I did think it was interesting to read kind of some of the, the statistics around, you know, what are people saying and doing and things like

[00:54:40] Evan Francen: that, and you know it isn’t surprising, uh, you know, people know that reusing passwords is dumb but still do it. So why?

[00:54:51] Brad Nigh: Yeah. Well so the one thing that the one part in there is is a 42% of respondents they said they think their accounts aren’t valuable enough to be worth a hacker’s time. So I think again a communication and education issue here, they don’t think that it’s worth it. Um 60% said they are afraid of forgetting their login information. Mhm And 52% said they want to quote be in control and know all their passwords. Well. Uh huh. I think it that goes back to like the education and piece of this and communicating what the risks truly are. Right.

[00:55:36] Evan Francen: Well yeah I mean they’re when they’re telling us what they’re telling us wise and I wonder how much we listen to it either. You know what I mean? It’s uh so they don’t think that they have accounts that hackers would want. Yeah I mean it’s interesting that they see that I wonder if they don’t think that their accounts are what they want. You know what I mean? I wonder if there’s a like a personal piece to that like I don’t think this account is important enough for me to protect. Is that another way to say that

[00:56:15] Brad Nigh: I think well I don’t I don’t think they realize what data they may have access to. Right? So they don’t know how valuable the account is.

[00:56:26] Evan Francen: Right because this is an age old problem. Right? You know you talk about the psychology of passwords you know it’s not so much the same. I don’t know how much psychology there is here per se because we’re not I’m not hitting on the right answer. Yeah. You know you know the password behaviors passion behaviors have been studied forever. But like how do you change, how do you change it?

[00:57:00] Brad Nigh: Yeah. Yeah. I don’t know. I think that seeing some of the reasons, the whys. Yeah, there’s more that you could dig into. But I think that, that was, that’s the first time I’ve seen some of that info. Right? So I think there’s now like, okay, what does that mean? Right. Why, what do you mean you want to be in control and know all your passwords? Let’s understand that. Right. So I think it may have uncovered other areas that we can now look at and understand why this is, like you say, why it’s going on. It’s not, you know, it’s not the be-all end-all by any means. But I think it’s a good, maybe a good first step to, to understanding that and moving forward. Yeah, gaining deeper. Alright. Um Next one, Infosecurity Magazine: North Dakota’s contact tracing app sends user data to third parties. And we, I don’t know if you’re going to have a lot of buy-in, and we need to have contact tracing when these things happen. Um Yeah, yeah. So Jumbo Privacy said that the Care19 app was sending user data to Foursquare and other third-party services. Uh Yeah, that’s not good.

[00:58:34] Evan Francen: And anything for the, anything in the name of money. Right. Yeah. I thought, whoever thought that that would be a good idea. I guess somebody within ProudCrowd LLC

[00:58:49] Brad Nigh: Yeah. And Foursquare confirmed that they receive it, but they probably discard the information and don’t use it for anything.

[00:58:56] Evan Francen: Of course they do.

[00:58:58] Brad Nigh: Right, okay. Even if you take them at their word and say, okay, that’s true. Why are they even getting it? What, how is this set up in a way like this? This is not gonna, we’re not gonna get good buy-in for contact tracing if this is what’s happening, it’s a privacy issue. It’s just

[00:59:17] Evan Francen: not. And you know, it’s, it’s just, it’s gonna be, there’s going to be so many instances of this because the only way that this would ever work is if you could actually trust people, and I don’t trust anybody. I don’t, I mean I don’t trust anybody. I don’t trust a company called ProudCrowd. I mean just by the name of the company, I’m like, I don’t know if I want.

[00:59:45] Brad Nigh: Yeah, No.

[00:59:47] Evan Francen: Yeah. And the government, I mean when when did we start trusting them with data, you know?

[00:59:55] Brad Nigh: Yeah, yeah. It’s gonna have to be some sort of an open source fully vetted solution. It’s gonna be a while. It’s not gonna it’s just gonna suck.

[01:00:05] Evan Francen: Right? And I’m not gonna rip on North Dakota because you know, we have friends there, but you know, they’re they’re this probably should have been vetted before we went into production.

[01:00:19] Brad Nigh: Yeah. Yeah. And we are we don’t know right what their process was and they’re, they’re saying that it’s not being sent anywhere and then they do it outside of the contract, you know, we’ll see that. I just thought that was unfortunate.

[01:00:37] Evan Francen: Yes, it’s super unfortunate.

[01:00:41] Brad Nigh: So uh and the last one was off of Threatpost: clever phishing attack bypasses MFA to nab Microsoft Office 365 credentials. So not, not great. But basically, you know, there, it’s kind of like the, uh okay, uh, like not the time attack, right? But it was interesting. It’s the OAuth one, and it’s a little bit more technical in terms of, you know, how this, how this happens. Not, it’s not new, but I don’t know. Pretty interesting. I think the lesson from this is MFA doesn’t mean you can relax and assume you’re safe. Still gotta be aware and vigilant.

[01:01:45] Evan Francen: Right? All it means is you have two factors, right factors. Both need to be protected. Right? If you expose both factors will then your two factor or multi factor authentication is useless, right?

[01:01:58] Brad Nigh: Yeah. We’ve had IRs where people clicked the notification on their phone. Right. I mean users will, you know, it’s that they were logging in and they kept popping up. They didn’t know, like, why is this not, whatever, and I say it’s not foolproof. Oh

[01:02:19] Evan Francen: right. So in this particular attack, uh, yeah. Anyway, a lot of these attacks I’ve seen, you know, where, uh, you convince the user to change settings or give certain permissions to applications once they’ve already been authenticated and then you can, you know, usually use that as a, as a way in. Uh Yeah, I mean that’s the thing, it’s like you get this false sense of security, like, well, I’ve got multifactor authentication so I’m good. There’s always, I mean you’re just never good. Right? I mean if good, if good means you’re never going to be compromised, you’re never going to be breached, you’re never going to be good. Right? So define a different good. A different good might be, yeah, you know, one of my accounts or multiple, many of my accounts might become compromised. What would I do? Yeah. Instead of panicking and being like, oh my god, my accounts, do you have any kind of a personal incident response plan? Do you have anything to deal with it when it does happen? Because then you live a much less stressful life. Yeah. You know, I’m not looking for silver bullets because I know they don’t exist. So I live with risk.

[01:03:40] Brad Nigh: Yeah, we’re planning ahead and being prepared takes a lot of the stress away. Weird,

[01:03:47] Evan Francen: right? Yeah.

[01:03:50] Brad Nigh: So Yeah. All right, well, that’s it. That’s it. Episode 81 is a wrap. Evan, any shout outs?

[01:03:59] Evan Francen: I do have one shout out for Shelly Grove. Uh just a great person who’s on our daily insanity check ins, you know, fairly often works up in northern Minnesota. Um Yeah, in our mentor program, just busting her tail to make a difference. So

[01:04:21] Brad Nigh: I think mine would be the non-security people at FRSecure. They are going through the mentor program and have made it through this far already. You know, we’ve got multiple of our sales team and, you know, like Renee, our CEO, and just, it’s tough even for people that are, you know, security focused, so shout out to them for toughing it out. And we got what? Three classes left, so that’s cool. Huge thanks to

[01:04:56] Evan Francen: our

[01:04:57] Brad Nigh: Yes, tomorrow. Yes,

[01:05:00] Evan Francen: crap. What am I teaching to another class left of? Like

[01:05:03] Brad Nigh: Yeah, there’s one class left of material and then I think maybe a half class next Monday and then we’ll do, uh, practice tests.

[01:05:17] Evan Francen: Actually have to teach teach then what you’re saying.

[01:05:20] Brad Nigh: Mhm. Yeah, we have to figure out the, the practice ones because I am not doing, uh, those alone again. That was, that was so stressful. I was like, my palms are all sweaty, on this question I was like no, well, it’s uh, you know, put yourself out there. Yeah. Alright, huge thank you to our listeners. Keep the questions and feedback coming. Send us things by email at unsecurity@protonmail.com. And if you’re a social type, socialize with us on Twitter, I’m @BradNigh and Evan is @EvanFrancen and you can also follow @StudioSecurity and @FRSecure for more goodies. That’s it. And talk to everyone next week.

[01:06:07] Evan Francen: All right, have a good week.
