Security Principles and Incident Response Handling

Unsecurity Podcast

Evan and Brad walk through the security principles FRSecure has in place for the organization. Principles are vital parts of every information security program as they serve as guidelines and reminders. The two of them will give an inside look at the FRSecure security principles (and why they exist) so that you can get a better understanding of how you can apply similar principles to your business.

Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and remain legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Good morning. This is the Unsecurity Podcast again. Uh, this podcast is by yours truly. That’s me, Evan. Say hi, Brad. So hi, Brad. Awkward.

[00:00:34] Brad Nigh: No, no. I’d say how high, Evan. It’s early. Those are my witty things that I was working on.

[00:00:39] Evan Francen: You were working on that, you know, okay. It is early and it’s cold, 10 below today when I got up, 17 below yesterday. Yes.

[00:00:51] Brad Nigh: Yeah. I’m about done.

[00:00:54] Evan Francen: Winter can just die. All right. We hope that the listeners are noticing some of our improvements. We’re trying to improve sound quality all the time. We started our first, the first podcast not knowing anything about podcasting. Do they have classes for podcasting training?

[00:01:13] Brad Nigh: Probably some like broadcasting training you could take,

[00:01:17] Evan Francen: Yeah, we should have probably done that. Yeah. Either way, we’re learning. We’re doing our own Podcasting 101. Yes. All right. So sound quality is getting better, uh, and you and I think are also getting better. More comfortable talking into the, this is not like I’m talking to the microphone now. I’m talking to you. We look at each other now, which is weird. So we’re learning that, and we were recovering last week. We did the podcast with our wives. How do you think that went?

[00:01:48] Brad Nigh: Thank you actually went pretty well. I did too. It was it was a little risky thing. But yeah, turned out, turned out good and

[00:01:56] Evan Francen: it was really cool just having them sit here with us, give them you know, have them, give us their perspective. Do you feel like your wife told the truth the whole time?

[00:02:06] Brad Nigh: Yeah. I think she was maybe issues a little nicer than maybe. I think that was probably both sides to you though.

[00:02:13] Evan Francen: Yeah. Did your wife listen to the podcast?

[00:02:17] Brad Nigh: She actually started playing at the other night in the living room on her phone. Like, I was like, oh, I don’t want to

[00:02:24] Evan Francen: listen to myself. But she she doesn’t mind listening to herself.

[00:02:28] Brad Nigh: She hated it. But she, we got to listen to it together. Okay, suffer

[00:02:33] Evan Francen: together. So through our podcast, you might have improved your marriage because it was something you could do together. Yeah,

[00:02:39] Brad Nigh: yeah. Yeah. I think this weekend I didn’t pull out my laptop at all based on some of that what came out of the podcast, which felt weird and not not normal.

[00:02:56] Evan Francen: Right? So, you, and it’s weird because I was, as we were talking before the podcast, my wife is out of town this last weekend with my daughter. So I had an empty house. It was me and three dogs and all I did was work. I went totally on the other side. I don’t know, 20 some odd hours. I had 190 GB of emails to get through for an investigation.

[00:03:23] Brad Nigh: That’s, yeah, that’s a lot of it’s a lot. That’s a lot.

[00:03:27] Evan Francen: Well, I have, I think I have like 12 terabytes coming in the form of VTB files, but we’ll figure it out later. All right. So, I was, yeah, I think we’re both grateful for our wives. We’re grateful for the support that they give us. And uh, yeah, I mean, I think there’s multiple ways to tell the truth, right? I mean, you can tell the truth, like, you know, the cold hard truth or the truth with love. And I think I felt the truth with love.

[00:03:57] Brad Nigh: I think that’s a good way of putting it.

[00:03:59] Evan Francen: If she wanted to make her case about other things, she certainly has that, right? And, and I think she should be right in doing it too. All right. Well, this series we’re gonna dig into. Uh, so this is kind of a more relaxed episode today. I didn’t want us to get into anything too deep. You know, last week was cool. I just wanted to kind of ease into it. So, and I haven’t, it dawned on me this week that every year I go and just review our information security principles, and for those who don’t know, we have 10 principles that we defined back when we started FRSecure, and every year I review them to see if they’re still relevant, and I figured why not review them with you and the listeners? So that’s what we’re gonna do this week. Uh, this is episode 17 of the Unsecurity Podcast, 17 consecutive weeks. We have not missed a week yet. It’s pretty impressive. It is pretty impressive, especially for somebody, I don’t know if you are like this, but I’m very inconsistent. Are you consistent?

[00:05:10] Brad Nigh: What’s? Yeah, that’s more like spontaneous. We’ll go, we’ll go with spontaneous. Not inconsistent.

[00:05:18] Evan Francen: I think I’m both because I can’t, like, no two days for me are ever the same. Yeah, it’s very true. I get up, I even get up at different times. Some people can get up at the same time every morning. Some mornings I get up at six, other mornings I get up at three. Yeah, it’s just weird. So, uh, the fact that we’ve been able to stay consistent for 17 consecutive weeks is good. Good job, man. Uh, and I am the host today, so I’m not. That’s why, well, I probably do most of the talking anyway. It seems like I talk more than you do. Do I talk more than you do just in general?

[00:05:54] Brad Nigh: I’m okay with it because I do. I think I talked more during the day during the regular, of course, a business, so that’s okay

[00:06:02] Evan Francen: you’re saving it up for later? All right. So, what, what else have you mentioned that you didn’t you didn’t open your laptop at all this last weekend. Anything else exciting this weekend? We’ll get to the week recap here in a second.

[00:06:15] Brad Nigh: Just super exciting stuff. We got our new uh get some exercise equipment. So at home exercise, you know that was the other thing that that was from my wife. So

[00:06:27] Evan Francen: Google that. I know. How do you spell that? H, E, X, is it? It’s

[00:06:31] Brad Nigh: something okay. But yeah, so that was it was actually kind of find this guy like a tablet built into it so you can watch trainers and they like run on the beach or through the alps, but then you can do stuff and I pretended not be

[00:06:49] Evan Francen: like a politician thing or something.

[00:06:51] Brad Nigh: Yes, it’s from NordicTrack.

[00:06:54] Evan Francen: Yeah. I just looked at exercise. I don’t think I want to do that.

[00:06:57] Brad Nigh: No, I was, I did it yesterday, well, Saturday and yesterday, and I got done yesterday. I came up to my wife and was like, I remember why I hate trainers. They’re just so excited all the time to be miserable running. But you know, you got to do

[00:07:15] Evan Francen: it. That’s cool. Yeah. I just worked. It’s so weird having a house. I realized this weekend I only need four rooms and I think you could fit all four functions in a room and all. I would need this one room because I was in the kitchen, the bathroom, my bedroom and my den place where I do all my work. Yeah, that was it.

[00:07:41] Brad Nigh: Thank you. On a separate office and bedroom though.

[00:07:44] Evan Francen: I don’t really care though. I don’t think. I don’t know. I mean, why wouldn’t I? Then I then I could just work and then sleep, just fall asleep.

[00:07:50] Brad Nigh: You associate your bedroom with sleep or with work and you don’t sleep well. There’s all kinds of studies around that. Uh, all right, so that’s cool. 3, 4 arrows. Thank you. Wanna go with four. You probably want the bathroom in there too.

[00:08:06] Evan Francen: Well, you know, I just need a bucket in the corner. I’m very low maintenance. Really? Alright. Well, so that was, that was our weekend and it was cold last week’s show. We talked a little bit about that. Any closing thoughts on that last

[00:08:22] Brad Nigh: week feedback I’ve gotten is it was a lot more entertaining than people thought it would be.

[00:08:28] Evan Francen: Yeah. Well, they picked up on things that I didn’t even pick up on when we recorded it. They were laughing at, like, they thought, like I said, have you had Brad’s meat? And I thought that was like, no, no, no, no, no. He makes really good, like, barbecue

[00:08:45] Brad Nigh: meat, ribs and why

[00:08:47] Evan Francen: do people’s minds go

[00:08:48] Brad Nigh: there all the time? You know,

[00:08:50] Evan Francen: whatever? Because my wife risk, you know, laughing. You didn’t pick up on the sexual innuendo. And I was like, sexual innuendo? What? What are you talking about? And she’s like, well, you

[00:09:02] Brad Nigh: know, we’re security guys. Yeah. Barbecue insecurity.

[00:09:07] Evan Francen: I said, oh, okay, you gotta have a thought there for a second, right? And yeah, so the feedback we got from the listeners was good. Uh, tell me about your week, Brad.

[00:09:19] Brad Nigh: Mine? IRs.

[00:09:21] Evan Francen: All right.

[00:09:22] Brad Nigh: Incident responses, um, closed. Mhm. Three out and started another one. And when we started it was pretty, pretty bad.

[00:09:32] Evan Francen: I was at that when you were talking

[00:09:33] Brad Nigh: about pretty much six or seven trojans. And yeah, it’s a lost cause. Yeah, at least eight months of compromise before they found an issue. So not that those are, yeah, those are really uncomfortable to deliver the news about. Yeah. Yeah. You just don’t want to tell someone. Guess what?

[00:10:00] Evan Francen: That’s your, it’s depressing any any indication Where the ground zero was and

[00:10:06] Brad Nigh: that no logs didn’t go back. I’m sure nearly that

[00:10:10] Evan Francen: far. It seems like you walked into just a complete disaster.

[00:10:14] Brad Nigh: Yeah. And yeah, it’s tough, you know?

[00:10:19] Evan Francen: Yeah. Occasionally you get those. Yeah, I know. And you see you, you’re like me, we take this stuff personally.

[00:10:24] Brad Nigh: Yeah. Well, and just hearing, you know, the people in charge like Going through, it’s almost like, what is it? The 7th. Yeah. And then, and then realizing

[00:10:39] Evan Francen: like, oh crap, they’re just lost everything.

[00:10:41] Brad Nigh: We oh yeah, yeah. They’re angry. And then denial and I need time to adjust. Figure this out. It’s really tough. Are you?

[00:10:53] Evan Francen: Uh Yeah, there’s such an emotional side to information. Security. I think a lot of times we don’t notice, you know, people’s lives are affected by these things, you know, this, this company, you know, sounds like they may not survive. Which

[00:11:09] Brad Nigh: Yeah, we’ll find out. Hopefully, they think they had some, um, some cyber insurance. So hopefully that’ll help. But we’ll see.

[00:11:20] Evan Francen: Yeah, it sucks. That’s for sure. You know, I think a lot of times you don’t, they don’t realize it until

[00:11:29] Brad Nigh: yeah, right? And then hearing them realize that while you’re delivering the news is

[00:11:35] Evan Francen: God. So it’s like watching, oh

[00:11:38] Brad Nigh: yeah, it’s like you can just, yeah, you can feel the, you can just feel they’re, they’re the stomach drop out. Right? That feeling of just, oh, the gut punch. You can hear it in their voice

[00:11:53] Evan Francen: When, if there’s a need for, like, security grief counselors. I mean seriously, to get people to walk, talk people through that stuff, because it is, I mean it’s bad, right? It’s just your whole life is kind of shaken, turned upside down by what seemed like an innocent thing, right? Maybe I have a virus, my computer is not working correctly. And the next thing, you know, nothing is working correctly. Nothing is recoverable. Everything is gone. Yeah. It’s like, uh, this week we had the book signing event and one of the people that I had worked on the incident response for another company was here, right? He’s from another company that we partner with in a lot of our incident response work when we’re overloaded, and this was the last one we worked on, was the riot ransomware. It ran rampant through this organization and that was a dead, I mean, I was already starting to prepare them for, like, look. Mhm. Uh, you know, you start over, that’s coming, right? If we can’t, if these next couple of things won’t work, we’re gonna have to start over. Yeah. And there’s a miracle. The work that our friends did, the work that we did, and the work that CrowdStrike came in and did, some really good work with us, uh, was able to get that company back up on their feet. Only a few days of outage. Yeah, that was a happy ending, and that’s good. But you do have the sad endings. And then sometimes, like I had, I got an incident response, and not really an incident response, uh, investigation. Uh, companies being sued by another company, it’s a class action lawsuit, and so we need to look through emails for evidence, and I had like 190 gigs of email this weekend to look through. Uh, and then probably, like I said, a couple of, 10-ish, 12 terabytes coming. These were just big fat PSTs. I thought I was done too, so remember I told you, a screenshot I texted you on Saturday, and I thought, okay, well, I got through it.
I actually got through it much faster than I thought I would, right. And then, uh, I noticed last night as I was uploading my results, uh, there was another file there and it was another 36 gig zipped PST. I was like, where the hell did this one come from? And so it turns out inside of that is a 49 gig PST. So I still have one more.

[00:14:44] Brad Nigh: Like the worst part about doing those, like the e-discovery searches, is it just takes so long, right? You know, it’s a lot of test, test. Okay, I’ve got it right, run, and wait, and you know,

[00:14:59] Evan Francen: Yeah, and, uh, PSTs, you know, they’re not supposed to be 50 gigs, you know, you’re not supposed to let them get that big, but sometimes now people will take emails off of an Exchange server, put them into a PST so they can port them, move them places, so they export them that way. Uh, sometimes with just an ADP file itself, there are utilities that you can use to extract some PSTs out of it. Um, but what I was having trouble with was finding software to load it.

[00:15:35] Brad Nigh: Yeah, yeah, at that size,

[00:15:37] Evan Francen: yeah, because there’s tons of tools out there and, you know, we could have used even some of some of our forensics tools, but none of those were loading. So

[00:15:48] Brad Nigh: Yeah, you have to have a pretty beefy machine to, right, to handle

[00:15:52] Evan Francen: that. So I’d even put out feelers, like, somebody know how, do you know how, what’s the most efficient way to run eight search strings on this 49 gig PST? I didn’t get much, but, uh, so I found a tool called PST Walker. Have you heard of that? I haven’t heard of that one. Yeah, I’ve never heard of it either. I tested probably 67 of them on Saturday morning and then found this one, loaded it up. It just sucked it in, and it was like, you know, when a tool works too well, you question, like, uh, maybe it’s not working like I think it is. So I ended up on Saturday running, like, I’d do a search string, you know, and it would come back with some results, and extract those results, and then, uh, I went through some more PSTs. And I was like, it just seemed like maybe it was too easy. So I went back and researched it, you know, researched it again. Yeah, it was legit. So PST Walker, if you have huge PST files that you want to get through, PST Walker, it’s good to know. Yeah, 80 bucks. That’s what it costs for the business license. So there was that. Uh, pen testing, what did I have from my notes about pen testing? Political capital. Oh yeah, it’s funny how our weeks get so busy. I couldn’t remember on Saturday, I couldn’t remember if it was last week that I went to New Jersey or the week before. I couldn’t remember which week it was. And, uh, so it turns out it was last week. It was Monday, Tuesday, and on Monday, so I had a set agenda that I was going to work through, okay, with the team, and get there on Monday, start our day 8:00 in the morning, and they get this email about their pen test results. Right? So I’m like, okay, well, let’s go through the pen test results together. So we opened them up and I’m reviewing it. The first ones are critical. And I’m like, okay, we’re gonna have to remediate that. So I started reading, and it turns out this domain is a 2003 domain. It’s a big company, right?
But anyway, long story short, instead of going with the agenda, we have a huge remediation

[00:18:24] Brad Nigh: issue. That’s not an easy quick fix.

[00:18:27] Evan Francen: Right? So essentially the domain is compromised. Or you have to assume that domain is compromised, right? There’s no malicious activity that we’ve detected in the domain. But the fact that, through a pen test, here’s the avenue to compromise the domain. So just to close the door and then assume that nobody ever got through that door, I can’t say that’s true. You’re talking about the domain? You’re not talking about a file share.

[00:18:56] Brad Nigh: Yeah. Well observers, this is, this is the

[00:18:59] Evan Francen: kingdom, right? So it’s like, okay, well we need, we’re gonna need to communicate something to management. We’re gonna need some significant resources, what have you. So, uh, spent that morning instead writing a report on this pen test, along with, this is what we need to do, sort of step by step. There were seven steps that were in the remediation plan. And then, uh, nobody was happy that I was giving this to, you know, that, okay guys, and they’re all sitting around with nothing to do. But, uh, it was really cool though because, and this is the political capital piece, um, they took that remediation plan and within 24 hours it was a P1 priority project. And it was already, you know, scheduled, it went through all the proper authorization channels and everything. Cool. Yeah. And the cool, and so this brings me to the, you know, so I thought about what, you know, in big companies things don’t go this smoothly all the time. And so I was trying to kind of play it out, you know, what I learned in this, and, uh, I think a lot of it comes down to political capital. I don’t know if you

[00:20:12] Brad Nigh: it yeah, I’m burning political capital in the past, right? For security things. Yes. Absolutely.

[00:20:18] Evan Francen: If this project goes to crap, I’ll lose some political capital. But the fact of the matter is I had enough political capital in my account that I didn’t get pushback. I think that’s kind of the point. I think sometimes as security people, we don’t recognize how much actual capital we have to spend on things. If I’m sitting there bitching and complaining all the time, I’m not supposed to be bitching, by the way, because I think that’s not politically correct. But if I’m sitting there just complaining all the time, uh, and I’m the no guy, no guy, no guy. Those are,

[00:20:51] Brad Nigh: yeah, you are.

[00:20:53] Evan Francen: Next thing I go, I got no political capital. So then I actually do need something. Nobody’s gonna listen to me because they’re gonna

[00:20:59] Brad Nigh: Yeah, exactly. It’s one of the things I think a lot of, I’ve seen a lot of people struggle with, security people, where it’s, we have to lock it down. We have to do. And then we have an issue and everybody, like, tunes you out right now. It’s that balancing the seesaw that we talk about all the time. Super secure, but nobody can do any work. Everybody can do what they want, but we’re not secure. What’s the right balance? You know, every organization is a little bit different too.

[00:21:29] Evan Francen: When I felt like what’s really helped in this particular company, because it is a big company, a lot of times in meetings, you know, I’ll be invited to meetings and I won’t say anything. I don’t have to be the guy, I don’t have to, you know, take control. I can sit and just listen and I can even follow up after the meeting. I mean, you have to be careful because, you know, you want to make sure that people know you’re there, that you’re paying attention, but they know that because I usually follow up after the meeting. Yeah, I know, and I don’t get involved in politics, right? I think every time you get involved in politics, I’m spending capital. I’d rather just stay out of it. Follow up, get things done, stay focused on what we’re trying to do. But anyway, it was cool to see that political capital must have been there because, yeah, we’re done. We had the book signing event on Thursday. What did you think of that? That was fun? Yeah, it was a Thursday night too, so all of us were probably just getting tired too. It was

[00:22:27] Brad Nigh: good though. It’s nice to see that turn out for your book and

[00:22:30] Evan Francen: yeah, it was cool. It was really a humbling kind of experience because I’m not I’m not comfortable with that

[00:22:37] Brad Nigh: stuff. Yeah, your little speech was you could tell you’re not not comfortable with

[00:22:44] Evan Francen: that, and I didn’t prepare anything for that. Mhm. So yeah, and so the Unsecurity book, if you haven’t gotten it, get it because it’s about our mission, and yeah, we’re going to fix stuff. But it was a good book signing event. I think we probably had, I don’t know, 80-ish people. Yeah.

[00:23:02] Brad Nigh: I don’t know. I felt like so

[00:23:03] Evan Francen: many right? And then All right, what else? Anything else last week dig into some some principle stuff? No, I

[00:23:11] Brad Nigh: think we we covered most of it. We can dig into principles.

[00:23:14] Evan Francen: Yeah. I can’t remember the rest of the week too. Monday and Tuesday we were in Jersey.

[00:23:19] Brad Nigh: Yeah, like the biggest thing for me, I just ended up blocking off like three hours on Friday and closing my email and putting Skype and everything on do not disturb and just getting caught up on a couple of pretty

[00:23:34] Evan Francen: big. That’s right. You had a good chunk of time where you can work on some research.

[00:23:38] Brad Nigh: Yeah. I was with the NIST CSF 1.1, the one that just came out last year, and updating a lot of our tools and things. So I was just falling behind and I was like, no, I just have to do it.

[00:23:51] Evan Francen: Speaking of falling behind, that last week, I had, the week before last we had the Anita B. thing, and somebody, one of the ladies, was really having trouble getting into security. Did I tell you about this? Okay, well, it’s a, it’s a black lady and she, uh, you know, raised her hand. There were a bunch of people there. She raised her hand, she said, I’ve got IT experience, solidarity experience, I have a degree in, uh, whatever, and I can’t break in. And you could just sense kind of the frustration. I was like, you know, once you send me your resume, you know, I’ll look it over. Maybe there’s something I can do, you know, in your resume. So she sent it. But she sent it on, like, Monday, right? And I finally got to answering it on Sunday, yesterday, and I thought, oh crap. You know, I made sure that she knew, don’t take the delay in response as meaning less importance here. So the week must have been super busy. Uh, Wednesday, I think I gave a talk somewhere. L. A. Men. Yeah. It was a crazy week. Most weeks are crazy weeks. Yeah. Right. Uh, we always go through this. Um, if you want to get a hold of us, give us some input, give us, you know, if you want to be a guest on the show or if you know of a guest. You’re going to have a guest next week? You think you will wind up

[00:25:21] Brad Nigh: week after would be yours? Right? I think that was

[00:25:24] Evan Francen: Our schedule, me, then I get the next one. You get the next one. Okay, thanks for, me one.

[00:25:29] Brad Nigh: two weeks often. And a guest every 3rd week.

[00:25:32] Evan Francen: All right. Yeah. Yeah. You’re right. Yeah. See, you got a better memory, right? So, if you wanna get ahold of us, get ahold of us at unsecurity@protonmail.com. Jump us an email. Let us know what you think, what you’d like to see different, if you like, if you have a topic you’d like us to cover. Both Brad and I are very much, uh, you know, we’ve been around a long time. What, combined, probably 50 years maybe, in security. It’s crazy. I’m old. I know, but I guess what that means is

[00:26:03] Brad Nigh: wise.

[00:26:05] Evan Francen: Wise? Well, and we’ve, uh, I think today we’re at a level where I’m not necessarily a specialist in anything, uh, I used to be. But now, you know, you kind of raise up and then you’re kind of a generalist in a lot of things. So

[00:26:24] Brad Nigh: yeah, that’s a good way to put

[00:26:25] Evan Francen: it. Yeah. So I can speak in general on just about anything in security with some

[00:26:31] Brad Nigh: authority. But you’ve got experience in the past, but it’s not in the weeds

[00:26:36] Evan Francen: anymore. I’m not the guy that’s gonna be pen testing for you anymore, right? I mean, yeah, I’ll break it. Okay. And then, uh, get us on Twitter too. Brad is @bradnigh, B-R-A-D-N-I-G-H, and I’m @evanfrancen. That’s good. Let’s move to FRSecure information security principles. You know these, I do, good, because that would be awkward if we would have, hey, you know, these principles, like, what? I’m sorry.

[00:27:03] Brad Nigh: You know, so I was like, I almost wanted to come in and be like, I didn’t, I didn’t even read the notes until this morning. So what are we doing? Yeah,

[00:27:14] Evan Francen: So we started with these principles, so my background, um I did information security, a lot of big companies and I got frustrated a lot because I felt like we couldn’t do things the right way. We took a lot, we shortcut it a lot of things. We spent a lot of money on things that weren’t the biggest risks. A lot of politics. I mean, there are people that would be on our team that didn’t do anything and you couldn’t get rid of them because they’ve been there too long. It was just so frustrating.

[00:27:42] Brad Nigh: Yeah, that’s interesting kind of contrast so well, because most of mine has been in more like mid size, uh and it’s a different struggle where you don’t have enough people to do the things that need to be done and you’re kind of just making do. So it’s, it’s an interesting, uh no difference in coming up, but having the same

[00:28:09] Evan Francen: approach, I think in big companies, you know, it seems like we almost make things more complex on purpose just so they can get more resources to

[00:28:20] Brad Nigh: do it. Yeah, I think, you know, one of my first jobs was contracting for a large international company and it was like an eight or 12 month contract and when it was done, I was like, no, nope, I’m gonna work small to midsize, like stay where I can actually feel like I’m making a difference and doing things rather than just Yeah,

[00:28:45] Evan Francen: It was, yeah, and I like simple. Yeah. Big companies can do things, I mean oftentimes they can do things so much more simply, simple or whatever the word is, than they do, right? You know, I don’t know, is Six Sigma still, I think it was really super duper popular, like, you know, as far as I know it is, okay, so it seems like all the big companies were doing Six Sigma, something, something to try to simplify processes and I don’t know how many of them actually were successful.

[00:29:20] Brad Nigh: Just add another layer of complexity because now you have Six Sigma on top of other things that didn’t actually ever go away.

[00:29:27] Evan Francen: Yeah, yeah, so yeah, exactly. So we started FRSecure in 2008, and, uh, the last big company I had worked for was a pharmaceutical company, and then we came here and decided, uh, let’s establish our principles, what, how we’re going to do our work, what we believe in, so that we can check ourselves off. Like, every project I do, everything I do, should be checked off against these principles. Did I meet them, or did I, you know, go against them? So they’re guiding, you know? Like I think all principles are supposed to be. It’s funny because after the last, I mean in the last 11 years, it’s been 11 years, they haven’t changed much, which is good. Yeah. He sort of wanted to. Yeah, hopefully. But it doesn’t mean that I don’t review, so, you know, I still review them every year. I want to make sure that, uh, they’re still relevant, that we can still, you know, enforce them and run our business this way. So what I figured we’d do today is we’d cover our principles and kind of go through these four questions about each principle. So first is, what does the principle mean to you? Or to me? Do you think it still applies to the work we do today and every day? How well do you think it aligns with our mission? So our mission is to fix a broken industry. Does it align with that, or is it counter? So one of the principles, to make it, if it was, we’re in business to make a ton of money, that’s different than the first principle, which is a business is in business to make money. That would be counter to our mission. It’s not that we don’t want to make a ton of money, but not at the expense

[00:31:09] Brad Nigh: of ambition. Especially the this is the result of Yeah.

[00:31:14] Evan Francen: Then, would you change it? If you could, if so, how? So the first principle: a business is in business to make money. What this means is information security must align with business objectives. To some people that seems obvious, to others, not so much.

[00:31:29] Brad Nigh: Well, I mean, yeah, I wasn’t playing, but yeah, that’s the seesaw analogy I just talked about, and finding that balance and understanding, yes, we need to. There’s no point in having information security if the business isn’t successful, right? So it’s gonna

[00:31:47] Evan Francen: Yeah, totally. Well, the way I always check off on this thing is, uh, a lot of times when I am just quiet in a meeting and I’m thinking through things, I’m trying to figure out how, one, to assess risks, because I always feel like I have two jobs, just two primary jobs. One is to give executive management really good decision-making material around risk, right? So I can advise them: here’s the risk, this is what it means. And that’s one of my jobs. The other job is to implement their risk decisions to the best of my ability. So if they say, yes, we want that mitigated, then I mitigate it. What I’m saying is I try not to be the risk decision maker, right? Which then takes me out of the business flow, right? I don’t, yeah, I’m not fighting the business. I’m with the business, right?

[00:32:43] Brad Nigh: Yeah, that’s a good point.

[00:32:45] Evan Francen: So that’s how I always apply number one, and I always look at controls. If we put a control in place or something that’s complex, uh, and it restricts our ability, restricts the company’s ability to make money, it’s the wrong control, right? Probably, unless the risk outweighs it.

[00:33:02] Brad Nigh: And that’s a yeah. Yeah, it’s easy.

[00:33:06] Evan Francen: Yeah. But I don’t make that decision. Only security people think that,

[00:33:12] Brad Nigh: no, I think

[00:33:13] Evan Francen: a lot of security people making risk decisions.

[00:33:15] Brad Nigh: Also, one of the things that’s interesting is with um you know, with our roadmap process, we’ll all items get asked, can you make the recommendations for for this? So we’ll do a lot of kind of like, hey, here’s what we think, but I would say it’s ultimately it’s your call. You can override us on the evening of these decisions were just telling that these are the ones I think you need to address. These are the ones you can except, but and then people, they’re like, oh you’re wait, we decide that you’re not telling us it’s your call, it’s your business, right?

[00:33:54] Evan Francen: Yeah. So one has served as well. I think the second principle information security is a business issue. And the reason why that’s there is it’s not an issue, right? And that was that that that that’s probably been one principle where I’ve gotten push back more than any of the others. Uh And I’m not sure

[00:34:19] Brad Nigh: why, I think it depends on who you’re talking to. So if we’re talking with the IT people because they’ve been cast growth information security. They love that. Right? But I mean the business should be telling me how what’s the RTOs, RPOs of the for backups? Not I’m just backing it up once a day because nobody told me anything else like getting that support is huge. But then the business side of it there like but that’s a security thing. Just let them deal with it.

[00:34:48] Evan Francen: Yeah and you’re right. It’s it’s it’s been IT. Uh I think it is we actually push back mark sort of like well no it’s an IT issue like well maybe maybe it is in your company but it’s not supposed to be right. You know what I mean? Because we need to go back to just what our definition of risk is or I’m sorry information security you’ve got the administrative and physical controls there. How does it traditionally doesn’t do a very good job anyway with people.

[00:35:19] Brad Nigh: Right. So I don’t know maybe it’s just about how it’s framed.

[00:35:24] Evan Francen: Right Well just because that’s the way it is in your company doesn’t make it the way it’s supposed to be true. And so a lot of times when we go and talk to you know work with a company and if they are treating it like an IT issue. You can almost notice that right away and then you account for that in your strategy. I need time with

[00:35:43] Brad Nigh: going for the assessment. The only people there are IT people there’s no business functions for the entire time.

[00:35:51] Evan Francen: Yeah. That’ll tell you it’s a red flag. Number three. Information Security is fun. Yeah. Do you have fun and try to have fun? That’s all I do is have fun. That’s why I worked all weekend. I think it’s fun.

[00:36:07] Brad Nigh: You know when people scoff at that one all the time they do and uh every time uh especially with like talking with new customers or you know, explaining it to them and how we approach him, I guarantee you it doesn’t matter how bad and painful you think it’s going to be you at the end of this. If you don’t have fun, let me know and we’ll figure something out to make it right and haven’t had anybody come back and be like, yeah, I know it was no fun. Right? Gotten feedback specifically around it. They said this wasn’t nearly as painful as I thought it was gonna be. Isn’t really really helpful. Yeah.

[00:36:47] Evan Francen: Yeah. And then every I’ve done the same thing, you know, gone and started a project and said or a lot of times in our proposals, We’ll have these 10 principles and we’ll say information security is fun and you’ll hear them. Yeah, whatever. No, no try me. We’ll have a good time doing this. We don’t have to trudge through it and a lot of its frame of mind.

[00:37:08] Brad Nigh: Right. Right. Yeah.

[00:37:10] Evan Francen: I mean if I’m like this is gonna suck. Well, yeah, it’s probably gonna suck then, but if you go into it like no man, this is cool, This is fun. You’ll have fun. Right? So yeah, Excuse me. So that was that’s number three so far. These top three, I think we’re solid. I think so. People are the biggest risk, not technology. Yeah. We suck at people, not we, but the industry. Well, I

[00:37:40] Brad Nigh: mean, in general, technology is easy to configure and then it just does what you tell it to do, right? Right. It’s not want to see a set it and forget it. But yeah, once it it’s like it’s changing and as unpredictable.

[00:37:56] Evan Francen: Right? Yeah. I mean, my favorite saying there is it’s easier to go through your secretary than your firewall, you know, because that’s consistently true. And I think most security people must come through the technology, you know, way most of them were it first technology focused and then whatever. And I think it’s sort of overall does us a disservice because if the biggest risk is not technology, the biggest risk is not digital. It’s analog. If it’s people we really have to insert more of the psychology security into this. I mentioned the political capital thing, you know, that’s just one trick that I use all the time is maybe it’s just an inside thing when, you know, okay, I’ve got some political capital left or I don’t have, you know.

[00:38:52] Brad Nigh: Yeah, it’s just weird. I think the one thing on that one, we as an industry, we have to be careful about those shaming. Right? Right. It’s not like people are doing this intentionally or maliciously most the time. Right. It’s I just don’t know better. We haven’t done a good job in training. We haven’t done a good job in setting them up for success. Right.

[00:39:16] Evan Francen: Yeah. It’s about motivating people. Right. Not. Yeah. So anyway, four is one that I like because it just keeps me focused on what really is the issue here? Uh five, compliant and secure are different. We shouldn’t confuse the two. That’s the fifth principle.

[00:39:37] Brad Nigh: How many, how many credit card breaches was the company compliant?

[00:39:44] Evan Francen: Well, yeah. Well, after the investigation, you find out that actually none of them because it’s a racket. Well, that’s the way PCI works. But anyway. Yes.

[00:39:52] Brad Nigh: But it’s just checking a box? It’s not, it doesn’t look at the whole thing is any of these. Yeah.

[00:40:01] Evan Francen: Well, if you just look at the fundamental definitions between those two words, different ones about managing risk. One is about doing what you’ve been told to do. Right.

[00:40:09] Brad Nigh: Well, that’s what, you know what I tell people when we’re doing it. Yeah. If you want just a checkbox compliance approach, we’re not right. We’re gonna do is try and do this securely do this correctly. And in the process, you’ll become compliant. Yeah, that’s a big difference.

[00:40:28] Evan Francen: Well, let me let me ask you this, your gut because we don’t have any data to support it specifically. But your gut. What percentage of all information security investments do you think are driven by compliance versus versus security,

[00:40:45] Brad Nigh: man? You know, immediately. I don’t I think Price 60, 70%. Mm.

[00:40:53] Evan Francen: Yeah. Yeah. I think I maybe I maybe a little more pessimistic on this point. I was thinking more like

[00:40:59] Brad Nigh: 80. Yeah. Well, you know, because Yeah. Is that is that enough? Right.

[00:41:08] Evan Francen: Yeah. I mean, some of these projects and so many of these things that happen in our industry, people wouldn’t do it unless they were told they had to,

[00:41:16] Brad Nigh: You know, actually. So I was just thinking immediately like the PCI, the HITRUST, but all the regulatory requirements, we have to be compliant. Yeah. It’s got to be closer by 85, Thinking about

[00:41:29] Evan Francen: which is sad. Access the wrong motivation. Right? Because then what they do is they do what’s because I’ve heard it billion billions many, many times. Uh just get me over the bar, just do what do I need to do that I need to do to get compliant. It’s like, but that’s not how security works. But I think over the years, things have changed for the positive. I think it there are more companies today who want to do security Because they want to do security then there was 10 years ago. Yeah. When we first wrote this one. But GMM what else? Uh I had a thought, I forgot what it was compliant and secure. Uh Oh why people spend money on information security? This would be a good study. I wonder how we would get this done because we could we could poll our own folks. I wish you get a research company to get out there and be here for us. Because I’m guessing if I were to guess, you know 80%, maybe are spending money because they’ve been told they had to. I think if you split what’s left over half of it is probably you got breached something bad happened. So now you’re spending money on security, right? And usually you overspend then.

[00:42:53] Brad Nigh: Yeah. Right. Yeah.

[00:42:54] Evan Francen: But now I’m desperate. I’m just gonna put all kinds of crap in here over reaction yet. And then you have the last bucket which you know based on these kinds of guesses is maybe 7.5% of the six million companies in the United States are doing security because they want to do security. Right? Yeah. It’s crazy. Huh? We’ll keep fighting that one.

[00:43:17] Brad Nigh: We got a ways to

[00:43:17] Evan Francen: go. Yeah. Number six. There is no common sense in information security. If there were we’d have better information security. What do you think on that 1? Yeah.

[00:43:31] Brad Nigh: Yeah. You know, I agree with that. But it’s weird because it’s just what we do. But then I realized we’re not normal and that’s that’s the problem or take that however you want, right?

[00:43:50] Evan Francen: Well, you know, I was doing some stuff this weekend and I made a circle that represented the United States, the population of the United States. And then on that circle I’ve plotted us security, people, people do security for a living. And the, the red circle for the United States is like 9.7 inches, Okay, The circle for us is .012 in so then you put that in there, you can hardly even see it. So the one circles read our circles blue and I wanted to just get this visual perspective of There’s one little teeny circle, we’re making this one little teenage circle responsible for securing this big that Yeah, right, Because everybody, you know, it really sunk in like, holy crap. Yeah, we really have to get people on board here.

[00:44:46] Brad Nigh: Yeah, I guess yeah, looking at it that way. I know. Mhm Mhm. Yeah, that’s weird. It is weird because

[00:44:55] Evan Francen: all the graphic,

[00:44:56] Brad Nigh: there’s been many times, like, especially speaking engagements where I’m like, am I what is there? And I really do anything, this is kind of basic and people come up and they’re like, I never thought of this this way, and it just uh I don’t know, it’s just how I do it. Yeah, it’s normal, so that’s weird.

[00:45:20] Evan Francen: Well, I mean, you’ve got people on all different parts of the spectrum, right, in terms of skill levels experience levels and everything else. And you know I think a lot of times people that are more experienced think that what they’re saying, people just know right? Like it was on the way in today and they were talking about bohemian rhapsody, the movie. And the guy who was reviewing it said he didn’t like it was like, really? I haven’t seen it yet. Have you seen it? Uh Because I’ve heard like everybody loves this movie, it was up for like an Academy Award or something to write. And the reason he didn’t like it is because if you didn’t already know who Queen was he wouldn’t they went too fast. The movie pace went too fast. They didn’t lay out like these are the characters. Well so for like a generation who doesn’t never heard of Queen, they’d be completely lost. I think it’s kind of the same thing with with us. We just assume that people know

[00:46:21] Brad Nigh: the basics definitely have fallen into that trap.

[00:46:26] Evan Francen: And then you look at him like the hell and they’re like looking at you like what the hell? And there’s there’s such a disconnect

[00:46:32] Brad Nigh: that’s closed back to everyone speaking the same language and when you do it. Yeah.

[00:46:38] Evan Francen: It’s weird. I was with a global CIO, lots and lots of experience and we were talking about, you know information security and I had said something along the way on the importance of asset management. And I said, we really need to get our hands around and figure out asset management because I can’t secure what I don’t know I have. Like a light bulb went off in his head. He’s like, that’s brilliant. I’m like, dude,

[00:47:04] Brad Nigh: seriously? Yeah,

[00:47:07] Evan Francen: That’s it. This is the CIO and who’s probably like 30 years experience.

[00:47:11] Brad Nigh: He’s pretty on top of smart. Yeah. Yeah. Yeah. That one I mean I agree with it, but it’s still just seems weird. It seems weird, but it’s

[00:47:23] Evan Francen: correct. Yeah. And it reminds me they try to meet people where they’re at trying to understand. So I ask a lot of questions, you know, I’ll ask, you mean, how many times have you heard me asking your definition of information security? I mean I’ve said it so many times. I hate hearing myself say it now, but it’s got to have that consistency. I have to understand where we’re at.

[00:47:45] Brad Nigh: Yeah. I’ve started with I’m not trying to be, you know, I don’t want to make any assumptions. What do you know about this? Where are like, it’s kind of the same thing because I’ve gone into a topic and then about five minutes in I see them the glaze of I am so lost because I’m like the wrong level, right? So I’ve tried to start getting better about starting the conversation with where basically where are you? Right? Am I talking to my mom or am I talking to somebody who knows what they’re, you know, something about

[00:48:21] Evan Francen: this? And have you ever gotten like weeks into a project before? You figured that out? Yeah. So I have to I was like, like, what the hell? Yeah. Oh, God.

[00:48:31] Brad Nigh: Yeah.

[00:48:32] Evan Francen: Like the wrong foot at the

[00:48:33] Brad Nigh: beginning, the policy projects are where those were ones. Yeah. You like, All right. And then they make a comment and you’re like, oh, no.

[00:48:43] Evan Francen: Well, yeah. And I think sometimes people think it’s like, uh, you know, security people have to talk down to people. That’s not true. Because I’ll tell you there’s been lots of times, it’s gone the other way where I’ve interviewed somebody either as part of an assessment or in a meeting and I have no idea what the hell they’re talking about. You know, especially like when you start talking some of the new technical things that are happening in environments, I’ve had people IT guys come in and WMD development and I’m like, I don’t know what the hell any of that is, man, Let’s bring that. Yeah. Yeah. It’s okay to admit, you don’t know.

[00:49:21] Brad Nigh: Right? Well, I’d rather admit it and figure it out and get it right then. Yeah. Make that assumption.

[00:49:26] Evan Francen: There have been times. So when you’re in this environment or in a meeting where uh the the the culture or the feeling in the room isn’t doesn’t permit me to admit that? I don’t know. Have you ever had that, where, where it’s it’s almost like a bunch of experts using a bunch of big words blah blah blah blah blah. And I just sit there and I’m like, okay, there are certain things that are happening in this room right now that I don’t know what they’re saying. So what I do is I end up taking notes and then I google the crap at all this stuff afterwards. Like okay, that’s what that

[00:50:01] Brad Nigh: is. Yeah, definitely. Yeah. When the taking notes for sure, like nodding along,

[00:50:09] Evan Francen: Yeah. Great. Absolutely. Jim. That’s exactly what I

[00:50:12] Brad Nigh: do. Great idea. Yeah. Oh no, I just told him to open

[00:50:16] Evan Francen: up stupid. All right. So that one works. Six is good. Seven secure is relative one of many reasons for ongoing measurements and comparisons. So you’re never actually secure if you mean eliminated risk, right? You’re always at some point in the spectrum,

[00:50:34] Brad Nigh: your comment that I’ve totally taken is you want to be totally secure? Shut down. Shut her down. That’s it. It’s the only way

[00:50:44] Evan Francen: like it was going to say something. Say something about your bad taste though. Your IR. Yeah, you’re secure now. Yeah. There’s nothing left. That

[00:50:55] Brad Nigh: sucks. Yeah. But yeah, it is relative. It’s it’s a sliding scale. It’s always moving right? You can’t you know, we’ve had, you know, companies have done the assessment been done fairly well and then they come and come back and they get a lower score because they didn’t continue improving their just status quo like, oh we’re at a score, we’re happy with, we’re just going to keep doing this. Why did we drop? Because you just kept doing what you were doing two years ago? You haven’t adopted adapted to right to the new things out there.

[00:51:36] Evan Francen: Yeah, that’s very true, Secure is always. And that one came from that one was personal for me, a lot of all these are personal for me actually. But seven uh I used to get asked from, I worked at a big pharmaceutical company before I was my last real job

[00:51:55] Brad Nigh: and I think I would keep saying real jobs like I do the same thing. Yeah.

[00:52:00] Evan Francen: For me it was like this isn’t like a job. I know, you know, but the then he would ask me all the time before executive meetings. So Evan we secure. I’d be like, look, let me tell you again, that’s relative. You know, we’re on a scale. Yes, we’re more secure or less secure. I can understand that because that’s also relative, right? Yeah. So secure is always relative. You’re not going to get there if getting there means no risk,

[00:52:31] Brad Nigh: depends on what you’re

[00:52:32] Evan Francen: asking about. Alright, so eight information security should drive business. And the point here was ah look for areas where you can actually not be a cost center. Can I streamline processes, save the company money and make us more secure win. Right? And that’s more money in my in my political capital account to that I can use later for other stuff.

[00:52:59] Brad Nigh: Yeah. Yeah that that cost center I mean that’s just such a hard hard thing to break or mentality of IT and security is just sunk costs and I only want to put as little into it as I can because I’m losing money and you know. Yeah. I’m talking about the IRs. You know, you’re looking at hundreds of thousands of dollars in damages and lost weight. I don’t just overall few had spent what $20 a year on some tools and some logging you could have prevented. Yeah

[00:53:41] Evan Francen: at least on an assessment. So you know where the you know where the gaps are you know so that you can watch those gaps or me, you know, walk them up. Yeah. Yeah. Well you said it prevention is worth uh a pound of prevention is worth two pounds of cure to bones, whatever. Yeah. Just prevent it if you can. Yeah.

[00:54:03] Brad Nigh: Yeah planned outages way better than an unplanned

[00:54:05] Evan Francen: outage. I’ve tried to get that point across before with utilities before because so many of their utility systems, they didn’t build their old they didn’t build redundancies in them. So you can’t patch things because you patch them, you’re gonna take everything down. I’m like well but that’s better than the alternative. I mean at some point you’re gonna have to do this I think. I don’t know or it’s going to be done for you. And we used to run into that actually in pharma too because FDA validated systems, you weren’t permitted to make changes to them. And back then that meant you also couldn’t patch them, wow. So it was like, I would rather patch them knowing that I’m making legitimate changes versus not patching them leaving holes in them so that attackers can change the crap out of which. All right, information security is not one size fits all. So no two businesses are exactly alike, that makes sense

[00:54:59] Brad Nigh: sort of way. It’s fun doing this. It

[00:55:01] Evan Francen: is totally fun. Always a challenge. I mean, there’s so many different dynamics in building a good security program for a company. I mean, culture is huge, right? I can’t, I have to go along with the culture. Right. But this is a cool part two is this culture might be really insecure. It’s just an insecure sort of mentality mindset here in this company. I don’t know if you’ve ever thought of it this way, but sometimes I go, I’ve gone into companies and go, my job is to socially engineer the entire company. Mm, you know, take them from here and influence them over to here.

[00:55:38] Brad Nigh: We had one customer who we were talking, you know, did the assessment and they scored very poorly on administrative controls and like, well, yeah, but as a company, we just don’t do policies, it’s just not what we do, we don’t want it written down, they want to be flexible and uh they didn’t there was no changing. Yeah, that mindset is

[00:55:59] Evan Francen: like,

[00:56:02] Brad Nigh: okay,

[00:56:03] Evan Francen: yeah, so you do the best you can with what you’re given, right? I mean if exactly if the business makes those types of decisions, you know, we that’s just one more or one less thing we have to work with. Yeah, but it’s what makes it fun, you know? There’s, I don’t know, ever hundreds of companies, maybe 1000 companies over the years and No two of them are the same. Alright, and 10, there’s no easy button, so stop looking for one that’s for sure. I know it’s so crazy though, because

[00:56:38] Brad Nigh: but you mean advanced AI deep learning technology with next gen we just keep looking. Doesn’t solve it.

[00:56:47] Evan Francen: Right? Yeah. Well, like, so this is kind of relevant right now with uh you know, MFA, two factor authentication and stuff, you know, people thought, well I put it in so I can click that, click links as much as I want, you know, you can’t and then sure enough, you know now, and that’s where I’m going on Friday by the way it is to see Roger Grimes talk about 12 ways to hack MFA. Well, yeah, you still have to do the work, it’s just not gonna get away from that, you know, you still have to take the garbage out, you still have to clean the toilet.

[00:57:22] Brad Nigh: Right? Yeah there’s not a quick fix

[00:57:27] Evan Francen: and they’re never there never will be right. You know it just

[00:57:31] Brad Nigh: goes back up to I gotta go back up make sure I get it right. # four.

[00:57:36] Evan Francen: Right. Right. I mean that’s when that’s the thing too. So people are like well AI, right, AI. That will get people out of the equation more. It’s like well who built AI. Right. There’s still somebody

[00:57:48] Brad Nigh: there’s still biases built into the AI

[00:57:50] Evan Francen: that almost scares me more because you know how you know how many bugs there are in software. Right? How many errors there are in software development? Yeah I mean what happens when you make significant errors in AI

[00:58:04] Brad Nigh: and then it starts snowballing.

[00:58:06] Evan Francen: They’ve got people people say well then the AI can fix the AI well what if that AI has bugs in it? You know I mean it’s just somewhere there’s a ground zero issue which is the human being. But anyway it’s sort of fun to watch other bonus wisdom, if something is insecure at the core then it will always be insecure at the perimeter that one came from my days with anti for anti for had an insecure kernel and no matter what we did we couldn’t get it right. Getting an intimate understanding of information security and risk all of security and compliance flows from these two definitions. That’s why you hear me preach it all the time. Yeah, I mean all the time and

[00:58:46] Brad Nigh: Yeah,

[00:58:48] Evan Francen: it’s just the way it is, yep can’t prevent all breaches so you better be able to detect them and respond to them.

[00:58:55] Brad Nigh: Yeah, every one of these IRs nobody’s had a plan. I

[00:58:59] Evan Francen: know it’s sad and you just wish you could turn back the clock a little bit and be there before this had happened Because we were here, we’ve been in business now since 2008. You could I mean we were here open arms, give us a call and you know how we work. I mean, yes, we are like most security people, we are expensive because our talent, you know, I mean buildings and everything costs money. But uh man, it’s a lot less expensive than the alternative every time.

[00:59:29] Brad Nigh: Yeah, without a doubt. And yeah,

[00:59:33] Evan Francen: yeah, and this is, this is also a quote I use all the time. A wise man once said complexity is the enemy of security. That was Bruce Schneier was the first time I ran into that, I don’t know if he was the person who gets credit for that saying, but I love that saying. So I’m always looking for like, like if I sit down and you’re going to explain something to me and if you can’t get it out and like five minutes at least an elevator pitch, 30 seconds. That either tells me you don’t know what is your response? You know this thing you’re trying to explain to me or it’s too complex, Right? Right? Either way we got

[01:00:12] Brad Nigh: an issue.

[01:00:14] Evan Francen: Yeah. Be able to get these things out quick because it shows that you master, you’ve mastered whatever this thing is enough to talk, to communicate it and hopefully, you know, it’s gonna be simple,

[01:00:25] Brad Nigh: right? Yeah. The more difficult you make it, the more uh opportunity that errors get introduced.

[01:00:32] Evan Francen: I hope I like that one. Yeah. Bruce Schneier is a smart dude. Uh, I used to read a lot of his stuff, but some of this stuff is just kinda out there because he’s so smart. I think sometimes it’s like, I don’t even understand what he’s saying here. I don’t know how to apply what he’s saying.

[01:00:49] Brad Nigh: Yeah, I think that’s a good yeah, that’s a good point. I have no idea how that’s I don’t want to irrelevant, but right? To what we yeah,

[01:01:00] Evan Francen: How can I do that? Right. All right. We got some, let’s wrap this thing up. We went through our principles. I think we’re good. Right? Let me know if you think of anything else you’d like to add her and

[01:01:12] Brad Nigh: thank you for let me be part of this. Oh, I didn’t realize it was the first time you had someone else help out Until I read the

[01:01:19] Evan Francen: notes. Yeah. No, no, just, just me. Well, I knew then you put it out there and nobody, you know people or like dude, I don’t like that one, I never get that. But

[01:01:30] Brad Nigh: because we’re all a Freddy, I’m afraid of me why

[01:01:33] Evan Francen: I’m just a pussy cat. Alright, so here’s some news uh ICANN uh urges adopting DNSSEC. DNSSEC has been out for a while. Yeah it’s not new but it’s also not easy to get everybody on the same page because DNS is an interconnected interconnected. It’s a hierarchy. It’s uh of name resolution. Right? So everything in DNS sort of has to play with each other. Yeah, publicly available. Yeah it’s tough. Well the reason why is because the Iranians supposedly are attacking DNS they’re manipulating records so pointing. Yeah

[01:02:22] Brad Nigh: we’ve talked about that a couple of times with uh was a Google being redirected through Nigeria to China and Yeah.

[01:02:31] Evan Francen: Oh yeah that one was what was that? Was that was that the BGP?

[01:02:36] Brad Nigh: That was BGP. Oh yeah it was BGP. Yeah.

[01:02:39] Evan Francen: Yeah. Which is that that’s that’s another one. That’s yeah

[01:02:44] Brad Nigh: it’s another problem.

[01:02:45] Evan Francen: But if you’re responsible, you know. Yeah if you’re responsible for DNS uh it’s time it’s time to implement DNSSEC. I think there’s a and actually I looked at our own and we need to get this set up. Our DNS is uh managed in the cloud, Cloudflare. Uh So yeah it’s time to get it set up. So what DNSSEC does is it implements cryptography, public key cryptography I believe to uh yeah you know to validate records to sign records so that you know, you can’t have these unauthorized changes in DNS uh which then would stop a lot of the attacks, have stopped these Iranian attackers. They’re doing now. The next one is and there’s lots of different news sources for that. So I’m not going to cite one news source for the ICANN wanting people to do DNSSEC just look up ICANN and DNSSEC and you’ll find plenty of picking the resources. They’re really trying to get the word out there. The next one is uh which goes along with our principles this one’s from Dark Reading and uh it’s security experts, not users are the weakest link. And the point in the author’s article is we don’t manage people well. People are part of this system. People are part of our definition of information security. And so if you don’t treat that treat the system like that, it’s you. Yeah, well you’re not doing a good job, not them.

[01:04:21] Brad Nigh: Yeah, I agree. And we’ve talked about that right multiple times.

[01:04:27] Evan Francen: And so the traditional like well we did awareness training right? That’s where it stops, that’s lazy, right? Yeah. It’s so much more than that. You have to establish this culture of information security. It’s ongoing constant and it’s not mandatory stuff. You don’t make it mandatory you want people to block.

[01:04:46] Brad Nigh: Yeah. Yeah.

[01:04:48] Evan Francen: So I really like that article, I think it uh made a lot of sense. Uh, the next one is from Help Net Security. Half of business leaders say a breach could end their business, others remain unaware. Unfortunately, you’re, you’re living this one out with a client right

[01:05:03] Brad Nigh: now. Yeah. I’m surprised at half or it is half that are aware of it. Right. I would have expected that to be a much lower number. That would be cognizant of the fact that yeah, a breach could be the end of us.

[01:05:21] Evan Francen: Yeah. Well, and I mean it’s you don’t really, I think a lot of times because we maybe we evolve oversold fear to sometimes to get people to do things. But, uh, I mean it’s the truth, right? And unfortunately you won’t know it if you don’t know it, you won’t know until it’s too late. Right? Yeah. So yeah, a majority of 58% of executives at SMBS are more concerned about suffering a major data breach than a flood, a fire, a transit strike or even a physical break in at their office.

[01:05:55] Brad Nigh: So maybe it goes to show that I thought the process is changing.

[01:06:00] Evan Francen: So it’s good. Yeah, I hope so. Uh, the last news which I won’t cover, it’s in the, in the notes, uh, posted on my website at evanfrancen.com is security pros agree cloud adoption outpaces security. And this is just how things are getting away from us. You know, in a traditional security model and people keep moving things out to the cloud? We’re losing control. We’re losing visibility, all that kind of stuff. So it’s, it’s a pretty good article. And I think that’s about that Brad. What do you think

[01:06:33] Brad Nigh: I stayed the whole time? You did say those things get kicked. This

[01:06:35] Evan Francen: was a great show. That’s right. Oh, crab. Yeah. I didn’t even go to that. My notes. I got humorous. Was it funny? I thought

[01:06:42] Brad Nigh: I thought it was funny. All right,

[01:06:44] Evan Francen: So Brad is yes, Brad is still here. It was a good show. We went through our principles. Not the most exciting stuff for some people. We didn’t get all techy and geeky, but these are really important things. If you don’t like our principles get your own have principles, have something to guide, you know, all this stuff that we do all the time. So I would really advise people to get principles. You can use ours. We’d love it. The more people marching down the same path with us the better. All right. That was episode 17. Again, I want to remind people that give us suggestions. That’s unsecurity at protonmail dot com. Uh, next week. Oh yeah, I’m going to RSA on Friday. I forgot to mention that just one day. I can’t handle the sales stuff man. I’m going to see you buddy give us talk, have lunch with him and then I’m out. It’s not the worst. No. And I already found. So, I mean, somebody on LinkedIn was already like, hey, are you gonna be at RSA? I mean, they get a lot of that. But then I was like, I’m just going on Friday. You know, I figured I’d reply because this guy seemed like he knew right. He’s like, oh, well, let’s get together for drinks after your lunch, you know? Yeah, I don’t want to be sold to anything. Right? Mhm.

[01:08:02] Brad Nigh: Yeah.

[01:08:03] Evan Francen: Well, that’s that. Next week. It’s yours.

[01:08:06] Brad Nigh: Yeah.

[01:08:07] Evan Francen: Uh talk IRs, you know, okay, IR planning and let’s do it in response. I love it’s

[01:08:13] Brad Nigh: gotten yeah, we got it’s been rampant. So

[01:08:19] Evan Francen: yeah, yeah, I got a lot of we both have a lot of experience in IR,

[01:08:25] Brad Nigh: I think both both focus on that. Get a little more geeky as it were.

[01:08:29] Evan Francen: Good. I like that. All right. So next week Brad’s got it. We’ll see you then. Thanks
