If you’re a loyal follower of the UNSECURITY Podcast, you know that from time to time Evan takes trips down to Mexico to get away from everything so he can write. Well, he’s back. This time, he’s co-authoring a vCISO Handbook with Brad. In this week’s episode, the co-hosts (and soon-to-be co-authors) talk about what readers can expect in their upcoming book, which they hope to finish before fall of this year.
[00:00:22] Evan Francen: Hey there, thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 113. The date is January 5th, 2021, I believe. Happy New Year. I’m your host, Evan Francen. Joining me as usual is my good friend and coworker, Mr. Brad Nigh. Good morning, Brad.
[00:00:41] Brad Nigh: Good morning, Evan. I’m jealous. It’s sunny there. It’s still dark and cold here.
[00:00:47] Evan Francen: Yeah.
[00:00:52] Brad Nigh: But you know, before the show we were talking about, kind of, you know, a beautiful weekend.
[00:00:54] Evan Francen: Yeah, I swear, man, sometimes this stuff just follows me around. You know, you have a plan for a trip, this is how it’s gonna go, and it never goes that way. So eventually you just get to the point where, like, I’m not planning anymore. I’m just going to go with the flow.
[00:01:13] Brad Nigh: Yeah, yeah. You got to be able to kind of wing it.
[00:01:17] Evan Francen: Right? So for the listeners, I’m down here in Cancun, Mexico, writing a book again. Getting started on the book that Brad and I are gonna co-write together. We’ll talk about that in this episode. So I think it’s going to be a really, really good book. I wouldn’t, yeah, I’d spend my time on something different, I think. Um, so on the way down, though, to Mexico. So Saturday morning, we were flying down here, me and my wife and my 16-year-old daughter. We get to the check-in counter and my wife realizes she’s lost her passport. Yeah. Right. She also had, like, dental surgery planned down here, a six-day dental procedure. Because down here in Mexico it’s the same quality. Uh, it’s $5,600 for her procedure here, $35,000 in Minnesota. Yeah.
[00:02:09] Brad Nigh: Yeah. Yeah. That’s crazy.
[00:02:12] Evan Francen: Right? So all that stuff happened, and I was telling Brad about the whole episode. I lost my cell phone in a taxi cab after I didn’t tip the taxi driver because he was a jerk about it. Yeah, we got my phone back. That was an adventure. And then, mhm, it looks like my wife might be able to get her passport yet today, which then brings her down here in enough time to get her procedure done. So at the end of the day it might not work out, but man, what a shit show.
[00:02:49] Brad Nigh: Not, not the relaxing start to, uh, your trip that you were hoping for.
[00:02:54] Evan Francen: No, man. And it’s like, 2021. You know, you start out this year, excuse me, with these great hopes, and then it’s like the first week we’ve already been through this. Are you kidding me? It’s 2020 still going.
[00:03:08] Brad Nigh: Yeah, I mean, you can’t help but, you just have to laugh about it. It’s just, it’s just crazy.
[00:03:18] Evan Francen: So anyway, in today’s episode, we’re going to talk about the book. We’ll talk about, you know, what people can expect in that book. Like I said, I think it’s gonna be a lot of fun. It’s really useful for people who still read. Mhm. I mean, we’ll do the audio version too for people who don’t read, because it seems like that’s a lost art, or a losing art. Yeah. Uh, we’ll talk about the book and then we’ll spend another part of the show talking about our predictions for 2021. Uh, I’m a real positive guy, Brad, but I’m kind of a Debbie Downer on security in 2021, man.
[00:03:56] Brad Nigh: You know, I’m with you. I always try to be pretty optimistic. And I mean, yeah, we’ll see what we’ll see. Right?
[00:04:08] Evan Francen: So, having said all that too, I mean, I am in Cancun. I’m at, uh, a Starbucks coffee shop. You can’t go inside, so I’m sitting outside. So there might be a lot of background noise. I might drop internet. If I do, Brad, you can just keep talking. You’re good at talking.
[00:04:24] Brad Nigh: I’ll just make stuff up about you.
[00:04:27] Evan Francen: Yeah, I would. All right. So, the book, man. Uh, we had a, do you remember? I think it was maybe last year at this time, or maybe it was a little bit before that, I wanted to write a book with you. Yeah. Uh, and the reason why I want to write a book with you is, one, I think it’s a really cool experience, and getting you involved in that would be cool. I also want, I would love to see you get out there a little bit more, in terms of, you have so much value. I was telling Oscar this on Monday. You’re a smart dude, man. And you’ve got really good security chops. And I want more people to know that, because they’d benefit from it.
[00:05:06] Brad Nigh: Thank you.
[00:05:07] Evan Francen: Well, it’s the truth, man. And so, you know, us writing a book together just adds more credibility to the Brad and I name, uh, but I also wanted to write a book about something that would really help people. So last year we were going to write this book, Information Security for Normal People, right? And then COVID happened and everything happened. So that’s what got put on hold. And so then the latter part of this year I was thinking, let’s write a book, because I see another thing happening in our industry. I see a lot of people practicing information security that aren’t good at it.
[00:05:52] Brad Nigh: Yeah. Yeah. And not that they, they’re not doing it on purpose, right? They don’t know.
[00:06:02] Evan Francen: Yeah, exactly. And I think it’s on both sides of the fence. It’s people that are hired and working for a company as an employee. And it’s also these consultants. I think there’s just a lot of, you know, not great advice, well, bad advice, I guess. Uh, that’s right.
[00:06:23] Brad Nigh: A lot of security around, like, blinky lights, not really doing things the right way,
[00:06:30] Evan Francen: right? Or there’s a lot of people who know the fundamentals but don’t practice them. Knowing them and doing them are two totally different things. I could give two craps about what you know. What do you actually do, right? There’s a translation, there’s a thing that has to happen between what you read in the book, you know, the NIST CSF or CIS Top 20, and actually applying those things in a way that benefits the company or the organization. That’s an art, right? Some people, a lot of people, struggle with it. And like you said, it’s not because they’re bad people. A lot of this stuff comes with experience and, you know, trial and error, man,
[00:07:16] Brad Nigh: well, and like you said, it’s an art to, how do you do security and balance the business and their need to function, and implement something in a way that benefits the company and secures them at the same time. Hey, the balancing act,
[00:07:40] Evan Francen: it really is. One of the things we see over and over and over again with information security is alignment with the organization’s mission. What is the mission? What does the organization exist for, right? Your job then is to align with that mission and provide value to the company or the organization in achieving that mission with what you do, which is security stuff.
[00:08:04] Brad Nigh: Right? Yeah, and so many times, I mean, how often do we see security being the “no” guy, right? Or the enemy. You know, the employees see security and they’re like, ugh, that guy,
[00:08:23] Evan Francen: right? And this goes way beyond firewalls. We’re talking about, an organization is marching down this path. Your job is to march down that path. If you’re not providing value, why are you here? Right? And so, and some people say, you know, and actually I’ve gone a little bit different. You know, I’ve always said businesses are in business to make money, so if you’re not helping them make money, you know, you’re counter, right? It’s even beyond that, because when you think about, you know, it’s the same thing we say, that if you serve the mission you will make money. If you serve the money, you lose the mission, right? And then I started reading a bunch of Simon Sinek stuff. If you never, you know, that dude speaks in a way that gets me.
[00:09:08] Brad Nigh: Yeah, I agree.
[00:09:11] Evan Francen: So, Rene actually just sent me an article or a video from Simon Sinek this morning, actually, as I was, you know, thinking about the book and things, and I haven’t had a chance to see it yet, but it’s
[00:09:32] Brad Nigh: oh yeah, yep, as a business, you do not exist to make money.
[00:09:38] Evan Francen: Yes, I was like, yes, businesses are in business to serve a mission, a purpose. So what’s the mission? What’s the purpose? And I think we skip over that so often in information security, where we don’t know why this organization exists, so that as I’m figuring out our security strategy, I’m not going to steal from or take away from that mission, right? Instead I’m going to enable it.
[00:10:06] Brad Nigh: Yeah. Yeah. You don’t want to be the enemy of the business. Yeah.
[00:10:14] Evan Francen: We’ve got enough enemies. Right?
[00:10:17] Brad Nigh: So yeah
[00:10:18] Evan Francen: So this is gonna be the vCISO Handbook, but I think it’s written, I think certainly vCISOs as well, we mean virtual chief information security officers, will benefit from it. But it’s also written for the business. If you’re going to hire a vCISO, for God’s sake, make sure they do these things.
[00:10:37] Brad Nigh: what should you be looking for?
[00:10:40] Evan Francen: Yeah. If they’re not doing these things, then they’re not providing this service to you. If they’re not measurable, if you don’t know exactly where you’re at, where you’re going, when you’re going to get there, how much it’s gonna cost, you don’t know all these things, you don’t know what the vCISO is doing to align with your business. If there’s a disconnect in any of those things, you’re not doing it right. Right. Yeah. So I keep dropping my mask, sorry, because people come by and I have to put it on. But, so I think it benefits the business. It’s good. It will be a good business read. I’m not a technical jargon guy. So I’m not going to kill you with a bunch of, no, I’m going to go, like, I don’t know what you’re saying.
[00:11:20] Brad Nigh: Well, that doesn’t fulfill the mission either, right? If we write it in a way that people don’t understand it, what’s the benefit of it?
[00:11:30] Evan Francen: Exactly. And I think the third audience, you know, that it’s for is other, just even employed, you know, chief information security officers or
[00:11:42] Brad Nigh: or security professionals at any
[00:11:45] Evan Francen: level. Right? So I’ve been in a lot of, I know when we were earlier on at FRSecure, ah, people would hire me as their vCISO. They would pay, you know, five, $10,000 a month. And honestly I was doing it, I mean, I was doing some things, but nothing structural, nothing that I could communicate that was actually providing value. And so a couple of those customers, I would say, hey look, why are you paying me? Right. You know, I don’t feel good about taking the money, feeling like I’m not driving real value. And they, there’s still, I think they’re all still customers today, uh, you know, 5, 10 years later, but they said, well, we like just having you around and we need you. I’m like, you don’t have to pay for that. Yes.
[00:12:47] Brad Nigh: Right?
[00:12:48] Evan Francen: You can call me anytime you want. I’m not going to charge you for calling me. If I’m actually going to do something, well then, yeah. Right.
[00:12:57] Brad Nigh: Yeah. I’ve got one that kind of feels similar to that, in that they’ve got a really solid program and it’s very low touch point, and kind of like, am I providing value? But they say, yeah, absolutely. Okay, let me know how I can help you. What do you need me to do? Because honestly, they, you know, they had some internal vulnerability issues, but they’re scoring kind of in that 720 range on the S2. I mean, once you get to that point, it’s more upkeep and maintenance. It’s not a lot of things that you can fundamentally change. Right?
[00:13:43] Evan Francen: A lot of tweaking
[00:13:44] Brad Nigh: Yeah. Working on things like trying to get a tabletop exercise scheduled, do some of those more mature things. Looking at, is an internal audit program something that you want to pursue? Because that’s kind of weird. That’s it. No, not really. Okay. We don’t do that then. Right.
[00:14:07] Evan Francen: Right. Yeah. I’m excited for the book because we’re going to show people how to do it systematically, objectively, in a way that you can measure it. Uh, yeah, it’s gonna be a lot of fun. You know, when you get the business involved in this decision-making process, as opposed to you just going it alone and feeling out on an island, you know, justifying budget. Everybody struggles with budget because they don’t understand what the hell they’re buying, right? If they understood what they were buying, you wouldn’t have a problem getting money for it.
[00:14:42] Brad Nigh: right. When it goes back to the art of what we’re talking about, it’s really communication, right? How do you translate tech-speak into normal? Right. And I think that that’s probably one of the biggest areas that security professionals struggle with, that I’ve seen, is they don’t relate, or they just don’t know how to, not that they can’t, they don’t know how to translate or relate to the business. Too often security doesn’t focus on understanding the
[00:15:18] Evan Francen: business. Right now, sorry, what’s the question? Yeah, I don’t, I want coffee too. And the coffee place is open. Yeah. Uh, yeah. So the name of the book right now is The vCISO Handbook. Um, I think it’s gonna be a lot of fun. We’ve already talked a little bit about it on the side. Uh, FRSecure has been doing this thing called the FACTS system for a while. I think it’s been really, really successful. It’s one of those things that continues to mature. Yep, there’s no perfect system. So if you’re looking for something perfect, you’re not going to find it.
[00:16:04] Brad Nigh: You know, we actually just rolled out, kind of halfway through the year last year, the next iteration of what this is going to look like. So we’re gonna start seeing what has happened here, you know, as it starts, I guess, to roll out. But yeah, it’s an ongoing, I like to always say it’s like we give our consultants a framework, the tools; how they use them is gonna vary per customer, right? So it’s like, hey, we’re gonna put you in the playground, and how you use the monkey bars or the slide, everybody could be using it just slightly differently, but they’re all using the same framework, the same tools to get to that point, but just kind of being flexible with meeting the businesses where they’re at.
[00:16:56] Evan Francen: Yeah. Well, and it’s, uh, it’s that measurement too, getting everybody on the same playground, as opposed to, yeah, sure, playground, you get your playground. Can we translate between playgrounds? No, because they’re different things. But when you get people playing on the same playground, but then you give them the flexibility, you know, on the playground to be themselves, right? Every organization has their own nuance. There are things that they do. But can we create a construct, a playground that you can play in, that will let you be you while this other person can still be them, and we can still translate together?
[00:17:33] Brad Nigh: Exactly. Absolutely.
[00:17:35] Evan Francen: Yeah. That’s the way we started it, man, and that’s the way it’s moving. And last week, the FACTS system was originally named FRSecure
[00:17:47] Brad Nigh: and dance construct for trust.
[00:17:49] Evan Francen: Right. And see, that’s what happens when you have a security person do marketing, all right? They come up with, you know, dumb names, but nobody changed it. So, you know, whatever. But we discussed last week we are going to change it. I think if we want to help more people, even outside of the FRSecure ecosystem, we’re going to have to make things available. Mm hmm, yep. There’s lots and lots and lots and lots of businesses out there. I think, you know, I’m guessing there’s a few million companies that haven’t been touched.
[00:18:25] Brad Nigh: Yeah, I’m sure.
[00:18:27] Evan Francen: Oh, so we’re gonna rename it the Functional, Accurate and Comprehensive Trust System.
[00:18:34] Brad Nigh: Yeah, I think that’s a good description. And when you see that, you understand exactly what it is right away, yep,
[00:18:45] Evan Francen: yep. It’s functional. It’s accurate because it does have measurement built in, and throughout all of it. It’s functional because it’s the same guidance that applies for really everybody. It’s almost like step by step.
[00:18:59] Brad Nigh: Right? Yes. The basics. We’re not going to give you pie-in-the-sky, you know, things. It’s how can we implement this in a functional manner.
[00:19:13] Evan Francen: Right. Exactly. And comprehensive, because one of our big beefs over the years is all the people who treat information security like it’s an IT issue. It’s not and never will be. It’s got integrations all over the place. Nowadays you can’t even separate information security from personal safety, right? So it’s got to be comprehensive. It’s got to be very broad. Uh huh. And trust, you know, it’s a system that’s objective. It’s hard to not trust something that’s truly objective, right? My interpretation doesn’t really matter. Are you doing this or not? Black or white, one or zero, true or false, right? In a minute, this is how it works. So yeah, it’s gonna be a lot of fun, man. I’m excited. Are you excited for the book?
[00:20:06] Brad Nigh: Oh yeah, very much so.
[00:20:09] Evan Francen: Yeah. So I should have some stuff to send to you, hopefully in the next day or two, just to get your thoughts. I’ve got an outline sort of built out. Yeah, sure.
[00:20:23] Brad Nigh: Yeah. I mean, I am looking forward to it, and I think, you know, we’ve talked about it and both have kind of some ideas that, we look at things so closely, or similarly, I guess, but from slightly different angles. So it’s gonna be, I think it will be good, because, you know, from the fundamental piece of that, we agree.
[00:20:48] Evan Francen: Exactly. Well, that’s the beauty of logic and reason. If you use logic and reason, you end up in the same spot. Yeah, you may have started in different places, but, you know, meaning that different perspective, the logic and reason leads you to the simple version almost always. Mhm. Yeah. Weird. Yeah, and I think sadly, you know, one of the things, and just in the world today, and it’s not just information security, is a lot of people can’t reason, or they choose not to reason.
[00:21:23] Brad Nigh: Yeah. Yeah. Well, yeah, there’s a lot of lack of critical thinking,
[00:21:29] Evan Francen: right? And they just kind of take their spoon-fed ideas and thoughts. So this is what we’re going with. It’s like, no, no, no, you’re so much more beautiful than that. You’ve got more in there. I promise, use it.
[00:21:41] Brad Nigh: Yeah, I agree.
[00:21:44] Evan Francen: Good stuff, man. Uh, as far as catching up, how are you doing? How was your New Year’s?
[00:21:50] Brad Nigh: Good. Quiet, which was nice. Kind of took some quiet time, not like you can really go do anything. Um, you know, more than that, we had our 18th anniversary.
[00:22:04] Evan Francen: Ah, the anniversary. What was, when was that?
[00:22:06] Brad Nigh: The 2nd, January 2nd.
[00:22:09] Evan Francen: Congratulations man.
[00:22:10] Brad Nigh: Oh yeah, we were talking about that. I think we’ve known each other 27 years. We didn’t start dating until, you know, we met in high school, but didn’t start dating until college.
[00:22:22] Evan Francen: Oh wow, that’s cool.
[00:22:24] Brad Nigh: Yeah. Long time.
[00:22:27] Evan Francen: When was her last show? Who’s
[00:22:32] Brad Nigh: going home, was that? Yeah, you were your home? It was last Tuesday. Hi night
[00:22:38] Evan Francen: and I’ve already done the wedding thing with my son, right. Yeah. Yeah, they’re still married, so it’s been two weeks almost. Well, they’re doing great. Uh, it was a quiet week last week, we didn’t do anything for New Year’s. I did stay up until midnight. But that’s because I was playing a game on my phone, because I was paying
[00:23:05] Brad Nigh: attention. Jane, my
[00:23:09] Evan Francen: wife was in bed at 10:30.
[00:23:11] Brad Nigh: That’s about, yes, it’s about when we’re getting into bed. Yeah.
[00:23:16] Evan Francen: Man, we’re getting old. Uh, yeah, yeah, I’m 50 now, so that hurts.
[00:23:23] Brad Nigh: Yeah. Yeah, yeah, we’ve been working, you know, luckily, finally, you know, the IRs with the SolarWinds thing for the most part seemed to be pretty benign. Found a couple of suspicious things that, like, we need to look into this, but no smoking guns or anything at this point. So that’s good.
[00:23:49] Evan Francen: Yeah, it sounds like just the city out west, pretty good-sized city, that had a confirmed, uh, there’s some command and control traffic, right?
[00:24:00] Brad Nigh: Yeah, it was, uh, to whatever the domain. It was confirmed, I think we saw that August, September. Okay.
[00:24:12] Evan Francen: And then there was, I talked to Oscar yesterday, we have our check-in on Mondays, and he said, yeah, just a lot of threat hunting exercises. There was the one organization that left, uh, IP any-any open to a database.
[00:24:28] Brad Nigh: It was a misconfiguration, a change that went bad.
[00:24:33] Evan Francen: You think so? Yeah, any-any, if somebody actually approved it without, you know. Yes.
[00:24:42] Brad Nigh: Which
[00:24:45] Evan Francen: But what was amazing to me was how quickly the attackers found it. How quickly they had gotten in, already executed. I mean, they already had full compromise.
[00:24:57] Brad Nigh: Oh yeah, and within
[00:24:58] Evan Francen: like 40 minutes
[00:24:59] Brad Nigh: and I think, yeah, it was like really fast from the time the change happened to when they got compromised.
[00:25:07] Evan Francen: right? So you can assume, I mean, when you see that type of efficiency, that they already have a script set for when you find 1433 open, or when you find whatever, do that, get this, execute, get sa, blah blah blah blah blah. Because that was very efficient. 40 minutes means that’s an expert, that’s something that’s automated. That’s not
[00:25:32] Brad Nigh: yeah, that’s not script kiddie.
[00:25:34] Evan Francen: No, but you know, the good thing is that this company is, uh, you know, they’re smart, they had backups, they had all that stuff, and they were able to restore. Really, it sounds like no disruption of the business, really.
[00:25:51] Brad Nigh: Yeah, I think, I haven’t been as up to date on that one, but it sounds like they were, you know, doing things right. Like, they realized it was an accident, it was a mistake, this wasn’t negligence or, you know, they didn’t know, it was an honest mistake, as it were. Yeah, and they were doing things correctly. So it is always good to see. Yeah.
[00:26:20] Evan Francen: So, uh, yeah, I’m down here in Cancun, and hopefully my wife will get down here, and hopefully I’ll be able to concentrate on my writing.
[00:26:28] Brad Nigh: Yeah, and the other thing I did last week is I finished up the CMMC, oh yeah, practitioner. So I got my official word yesterday that I’m certified for CMMC, the Registered Practitioner, and FRSecure did the RPO. So we can help companies prepare for CMMC certification.
[00:26:50] Evan Francen: Yeah, because you have to do one or the other. You can’t do prepare and audit.
[00:26:54] Brad Nigh: Right? Yeah. The one thing they said is if you’re the C3PAO, um, you can do a readiness assessment, but you cannot offer any consulting advice during it. It would simply be a pre-audit, and hey, here’s our findings, and then that company cannot, nobody from them can assist with anything on remediation.
[00:27:20] Evan Francen: And so we are much better built at helping people than we are at auditing people. So I think it fits perfectly with us.
[00:27:27] Brad Nigh: Yeah, and you know, it was interesting, uh, you know, how they were saying, you know, we will need to collect two pieces of evidence. You have to have two or three different types of evidence, um, to satisfy it. There is no, uh, POA&M, the plan of action and milestones. It’s pass/fail. It’s not like the FARs where you can say, yeah, we’re deficient in these areas but here’s our plan. There is none of that. It’s you better have it, and you have to have, I think the words they used were “significant time,” I think is how they said it. But basically you have to show that these things are ingrained in the company’s culture and practice. So if, you know, they come in to audit and you’ve got policies and procedures and evidence that’s, you know, a month old, you’re probably not going to pass.
[00:28:17] Evan Francen: Mhm. Well, that’s good. Let’s take next week. You lead, you lead the show next week. Do you want to talk about CMMC, give some good folks? Okay. It’ll be a good show. I’ll learn a bunch, because I didn’t go through the CMMC stuff. I know what I’ve read, but you can expect to learn some stuff.
[00:28:36] Brad Nigh: I’ll say this, it was good training. There were a lot of good things that I got out of it, but oh man, is it dry. It was tough.
[00:28:46] Evan Francen: Yeah, I can imagine. Oh, that reminds me too. We’ve got a meeting this week for the 2021 CISSP Mentor Program class. Yeah, they’re planning for that on Friday.
[00:29:03] Brad Nigh: Yeah, I mean, it’s crazy to be that time again already.
[00:29:07] Evan Francen: No, right? And we have to do something. Do we need to update our training materials and stuff like that, you know? And it will be good. Uh, but yeah, I don’t know how many people we have. I just had another request for endorsement come through yesterday.
[00:29:21] Brad Nigh: Yeah. Okay. And I have lost track in terms of how many, uh huh, how many people have asked for it.
[00:29:32] Evan Francen: And so cool, man. You know, when you think about that, being able to affect that many lives? Ah, I love it. It’s so cool. It’s so core to our mission. Yeah. Yeah. I still remember the first day, man. I mean, we had six students. I still talk, actually, to one of them. He sent me an email last week, Ryan Kalu. He was in that very first class.
[00:30:02] Brad Nigh: That’s cool. That’s very cool.
[00:30:04] Evan Francen: All right. So, uh, all right. Let’s get to predictions, man. What, 2021? I think a lot of people are like, you know, we’re looking forward to the new year, and I don’t think they actually believed that everything was going to change magically overnight. Maybe there are some people who feel like that. But one of the things I heard a lot was, yeah, I’m so excited for 2021, 2020’s over. It’s like, it’s not
[00:30:30] Brad Nigh: now. I think it was, well, it’s almost, I think, a mental health thing, right? Like, we’re starting over. It’s not gonna be good, but hopefully we get to start over fresh and start climbing out of all the crap we had to deal with over the last year.
[00:30:47] Evan Francen: Right? So what about, you know, from the information security perspective? We had a lot of things happen in 2020, we ended out on a sour note with, you know, the SolarWinds SUNBURST attack.
[00:31:06] Brad Nigh: Yeah, I think you’re just going to see more fallout from that. Uh huh. Yeah. How many companies, yeah, aren’t going to do the right things out of it and get compromised because they still, you know, have this out there?
[00:31:24] Evan Francen: and I don’t like to sensationalize things, you know, but when you see this many organizations across the industry not doing the fundamentals, just relying on, you know, a program or series of programs to do the work that you should be doing, you know, you’re just not ready for that yet. Obviously you want to automate, because there are efficiencies in automating. But if you’re automating because you’re lazy, or automating because, um, I mean, sometimes you’re just not ready to use the technology. You don’t know how to use it, you don’t know what it does.
[00:32:04] Brad Nigh: Well, yeah, exactly. If you’re putting a blinky light in place, you know, and don’t take the time to configure it properly and harden it, then you’re not really helping.
[00:32:14] Evan Francen: No, you’re making it worse, man, because complexity is the enemy, right? The more shit you add to your environment, the harder it gets to secure it. There you go. There’s logic and reason again. There you go. You know, it’s not like, oh really? Oh, you must be really smart. The whole, it beats me. Yeah. You know, I’m not a Debbie Downer, man. But 2021 is not going to be a good year for security. It’s just, you can’t keep adding more and more blinky lights, keep adding more and more stuff into people’s homes, keep adding more and more technology. We have this just insatiable lust for new features and new blinky lights and things, and it’s going to come, the chickens are going to come home to roost.
[00:33:05] Brad Nigh: Yeah. Well, we’re already seeing, you know, the IoT devices being used for DDoS attacks, and you know, the more you add, the more that are out there. It’s not like they’re hard to find.
[00:33:22] Evan Francen: and it’s hard, it’s just, it’s baffling to me how far behind we are from a legal and regulatory perspective on addressing any of these issues. Right? You don’t have, you don’t have a federal data breach law. We don’t have a federal privacy law. We don’t have a federal, uh, breach notification law. We don’t have a federal anything, any kind of crap like that. The primary law that we use for prosecuting computer crimes, federal
[00:33:53] Brad Nigh: was 2000
[00:33:55] Evan Francen: offended. Yeah. Okay, man. We just have a lot of work to do. And I think people are still struggling with, they don’t see it physically.
[00:34:08] Brad Nigh: It’s hard to visualize.
[00:34:10] Evan Francen: Yeah. When somebody comes up to you with a gun, you’re like, yeah, that’s bad. When I choose this crappy password?
[00:34:19] Brad Nigh: It’s, yeah, it’s kind of this intangible, uh, concept that people don’t, I mean, they don’t understand kind of the security to begin with. It goes back to the communication. We haven’t done a good job educating them. And so they’re like, I don’t get it. What’s the point? And then people talk over them and they tune out. It’s kind of like a self-serving, you know, feeding cycle, right?
[00:34:49] Evan Francen: So 2021 will be worse than 2020 because we still haven’t, either we haven’t resonated with people, because I wouldn’t expect, like, you know, like where I live, I was talking to you before the show, you know, one of our US Representatives, Tom Emmer, his office helped my wife get an appointment to get a new passport. I’m so grateful for that. Uh, but you know, when you think about our politicians, Tom Emmer or any other politician there, the reason why they do what they do is to get re-elected, not to actually help things. So yes, people aren’t calling for, the constituents aren’t calling for a computer, a new computer law.
[00:35:38] Brad Nigh: Why would they do it?
[00:35:40] Evan Francen: Right? Why? And so what's it gonna take for people to cry out for action? It is going to take education, which is what we've been dying for, because the other thing that's going to take it is something catastrophic happening, where lots and lots of people get hurt or die. Mhm. And then they'll be all up in arms and now you'll see all kinds of legislation.
[00:36:06] Brad Nigh: It's all so reactive. We're not proactive, which is what we should be doing, right? And that's what we're
[00:36:14] Evan Francen: fighting. I don't want to see people suffer, man. I hate that. But maybe that's what it's going to take, sadly.
[00:36:20] Brad Nigh: Yeah, I mean, you know, talk about Debbie Downer, you know, one of the things that unfortunately I see happening is we're going to see more deaths that we can directly correlate to security incidents, right? Being hacked or ransomed or whatever. I think we'll see more.
[00:36:42] Evan Francen: Yeah, I agree. I think in 2021 we're gonna see more of that. I don't know what the retaliation is going to be on the part of the United States, you know, from the SUNBURST attack, but expect tit for tat. Yeah, something actually, oh, it's diplomatically
[00:36:59] Brad Nigh: Well, it's kind of like we had the Cold War, that mutually assured destruction, and this is a really big, I would say, breach of that, right? This is a huge escalation.
[00:37:16] Evan Francen: It really is. And so you're gonna expect a retaliation by the United States, you think, sometime in 2021. And if nobody gets punished for this, then why wouldn't they just do it again? Why wouldn't they just continue? There's no repercussion. Yeah, in 2021 I think we're going to see more of this on the global scale. The cyber war is going to escalate.
[00:37:43] Brad Nigh: Yeah. And the sad part is, look at all the collateral damage of innocent businesses that were not doing anything wrong. They were, you know, just using a tool that is a good thing to be using.
[00:38:02] Evan Francen: Right? Yeah. My mother, you know, I told you, I think last show, my mom had called and said, what can I do? She had heard about this, and maybe it's because her son does this for a living, so she called me: So what can I do about this? My advice: practice, you know, good information security habits, uh, and just be prepared for being collateral damage. Mhm. Yeah, I think in 2021, you know, I think we're going to see an escalation in the cyber war. We are going to see more people actually die, which just baffles me because there's so many of these things we can do better. Yeah, um, somebody's going by in a cart, so they get us. Yeah. Mhm. I think we're going to see, yeah, you know, one thing that happened last year that was sort of not well covered, not well exposed, was, you know, that potential of 427 hospitals being ransomed within a one-week timeframe. Uh, the potential for that very, very, very much exists, and sadly I think our capabilities as a country to respond to cyber attacks of that nature are
[00:39:35] Brad Nigh: ...I mean, yeah, that many at once. Do we have, that's a lot of incidents to handle all at once.
[00:39:47] Evan Francen: Right. So we need much better... I'm hoping that this year, on a positive side, I'm hoping this year we'll have better coordination among security organizations.
[00:39:59] Brad Nigh: We gotta work... Yeah, well, we've talked about this. We can't do this alone. We have to work together.
[00:40:08] Evan Francen: Right. FireEye can't do it by themselves. CISA, you see now, one of my beefs with CISA, uh, they're a great organization. I think their heart's in the right place. I think they're doing a lot of great things, but you cannot do everything, right? You are going to need to let go of a lot of these things, provide some instruction and framework with how these things must be done in our industry, but don't try to do it. Yeah. Yeah. So like, take incident response. You know, one of the things I'd like to see from our country is you need to be certified, your company needs to be certified, and it can't be a money-grab type certification.
[00:40:51] Brad Nigh: It'll
[00:40:52] Evan Francen: be something that's affordable. You need to be certified to do incident response on all critical infrastructure, all 14 industries. So if you want to do incident response for a hospital, you need to meet these requirements. You better know how to do it, you better follow the rules, and one of those rules is information sharing. Mhm. So, instead of, no, we've been doing a lot of threat intel information sharing, but you have to be a government entity or I have to pay for a lot of that stuff. I'm talking, like, within, so that when a hospital in Florida is getting hit by ransomware and I'm in Minnesota working on a ransomware investigation, I can check this database real quick and say, oh, Florida's getting hit with the same damn thing right now. Yeah.
[00:41:40] Brad Nigh: Yeah, who's working on it? Let's, you know, you're both... Yeah. You know, I think we did see that to some extent, and we have seen it with the SolarWinds, you know, with where FireEye put out all their rules to find their tools and all. You know, we've seen a lot of really good...
[00:42:01] Evan Francen: But thank God FireEye was the one that got hit. It wasn't Joe Blow's incident response shop.
[00:42:08] Brad Nigh: But I think it's a start, right? You have to start somewhere, and well, it's a good model.
[00:42:14] Evan Francen: Yeah, I agree. But I think you have to have something formalized. You have to
[00:42:21] Brad Nigh: Yeah, yeah. If you don't have a... it goes back to the framework, right? If you don't have this fundamental framework in place, we're not going to get consistent data to use. Right? You know, if everybody's throwing, you know, different information out in different formats, how long does it take to, you know, translate that and understand what they're saying? And so, you know, like I said, I think what we're seeing with SolarWinds, with some of this communication, is a good start. Yeah. Yeah, I'm with you. We need to have something. It would be great to have something centralized where, you know, I'm working on the one IR and I found an executable in Windows temp and it's like, well, that looks a little bit, well, that's a little shady. There's some weirdness going on here, and now I'm trying to reverse this and trying to figure out what it is, where did it come from, how did it get there? It would be great if there was a central database, right? You know, we've all got these different tools, but I know somebody's
[00:43:27] Evan Francen: Well, you have to, in order to be certified. So this is the idea: in order for you to be certified to work in critical infrastructure, you must share information regarding these things, in this format, in this location, so it's all consumable by everybody else. You know, most of the IOCs, 90% of the IOCs you share, don't have anything that identifies the victim.
[00:43:50] Brad Nigh: Or, you know, file hashes, behavior.
[00:43:54] Evan Francen: Exactly. Because I've heard that excuse too from other incident response shops, like, we don't share that stuff because, you know, it's confidential information. Like, bullshit. It's not confidential information.
[00:44:06] Brad Nigh: Yeah,
[00:44:07] Evan Francen: There's the database. I'm asking you to share hashes of malware you found.
[00:44:12] Brad Nigh: Right? Uh, the executable I found has nothing in it regarding who I'm working with, right? Like, there's no reason not to be able to go find this, and trust me, I've looked and, you know, Oscar's looked, and there's not much out there. It's all, it's a mess.
[00:44:36] Evan Francen: Right? Well, and so our team, our team truly is very highly skilled. FireEye's team is very highly skilled. There's lots of highly skilled teams. If we can put differences aside, come and agree on this thing, this framework, this information sharing framework, outside of... I don't really want the government to handle it if I can help it, because they like to mix things up. It's political quick.
[00:45:02] Brad Nigh: It's almost like a kind of PCI for incident response.
[00:45:08] Evan Francen: Yes. Yes. 100%. And then when you've got somebody who doesn't have as highly skilled a team as we have, who's working on an incident response in another part of the country, but they've been certified, they're going to follow the rules on how to do this. Uh, they can tap into the database and tap into your brain, tap into FireEye's brain, tap into Dell's brains, tap into, you know? Yeah. Just brains, man. We've already done the research. How much time do you spend on tracking down IOCs, right?
[00:45:41] Brad Nigh: The majority of it.
[00:45:43] Evan Francen: It would be great to tap into work somebody's already done, save yourself a whole bunch of hours and work on remediation.
[00:45:50] Brad Nigh: Uh
[00:45:52] Evan Francen: That's the kind of thing that we're going to need if you get 427 hospitals getting hit at the same time.
[00:45:57] Brad Nigh: Right. Well, I mean, in reality, I spent two or three hours yesterday just trying to figure out what the hell this file does, where did it come from, like, you know? And of course it got dropped in May, and their event logs on that server don't go back, you know, two weeks.
[00:46:18] Evan Francen: Right. You know, chances are you're not the only one who's seen it.
[00:46:24] Brad Nigh: No, no. And you know, there's a lot of kind of fragmented information, but nothing that, you know, you're having to put this together and having to try to determine what the code is doing, and now it's a mess.
[00:46:39] Evan Francen: So our predictions so far, not good.
[00:46:44] Brad Nigh: No. You know, I will say, here's a positive, because we do like to stay a little bit optimistic. I do think that we will start seeing a change in thinking from businesses as a fallout from the SolarWinds. You know, we're already starting to see it a little bit with some of the IRs that come in and some of the questions we're getting from our customers, uh, in terms of being more proactive in understanding what's on the network and, you know, the fundamentals. So I'm hopeful that we're going to start seeing that change in organizations that maybe hadn't taken security seriously.
[00:47:25] Evan Francen: Right? Yeah, I think so too. And I think one of the things, and that, you know, ties into our book too, I think one of the things that's missing in our industry, it's not knowledge, it's the application of the knowledge. And I think maybe this year we focus a lot more on how do we actually do these things, measure these things, communicate these things in a unified manner, our industry working together, as opposed to: I don't like your thing. Don't you like me? Well, because it's not my thing. Well, that's a shitty reason. I feel like my thing, right? Don't you work on my thing with me? Or we can make it our thing.
[00:48:07] Brad Nigh: I mean, well, yeah. Yes, I agree. There's so much ego.
[00:48:16] Evan Francen: Right? And what ticks me off is, like, what gives us the right to have any ego? We suck at this.
[00:48:26] Brad Nigh: Right? Well, and what's to say, you know, if you think you're the smartest person in the room, you're in the wrong room, or whatever. You know, there's so many people that are like, well, because I'm whatever. You know, you can't know everything. Other people have great ideas that you can learn from and improve yourself, right? Work together. I'm with you.
[00:48:52] Evan Francen: Alright, so I've got, yeah, if people want more formal predictions, get in touch. I do think, on the negative side, it's going to get worse before it gets better. On the positive side, it's going to get better. We will see more movement on the federal side, I think, in a number of different things. I do think you'll see better collaboration in our industry. You know, FireEye did a great job. Ah, you know, and they're not the first ones to do a great job in sharing information, uh, but I point them out because I think they're probably the one that most recently comes to mind.
[00:49:27] Brad Nigh: And probably the biggest magnitude of impact, right?
[00:49:31] Evan Francen: So, and chances are, for most of us, I mean, coronavirus will hopefully be well in hand and we'll be past that sometime this year. That's got to be a huge mental relief for so many people. It's one less thing to distract you from other things that you should be doing. Mhm. That's a very positive. I'm so looking forward to
[00:49:53] Brad Nigh: hanging out with friends
[00:49:54] Evan Francen: again, you know?
[00:49:55] Brad Nigh: Yeah. Amen to that.
[00:49:58] Evan Francen: Yeah, so that's going to happen this year. And uh, what's one more positive? I gotta come up with one more positive.
[00:50:06] Brad Nigh: Yeah. You know, I think, well, kind of selfishly, I think FRSecure, we're taking that next step. You know, I think we really got lucky, or not lucky, because you make your own luck, I think, but we're well situated to handle the pandemic and the craziness. You know, I think, from a sales perspective, December was our best December ever, ever. And so I think we're going to continue growing, and it just goes back to the mission before money. When you do things the right way, it works out. So I think we're going to continue seeing that growth and that, yeah, upward trajectory as we continue to mature as an organization.
[00:50:57] Evan Francen: Yeah, I see that too. It's like a diving board. Yeah, 2020 was like this part, and as we recover it's going to, I think, you know, it's going to take
[00:51:07] Brad Nigh: That's it. April through June, July was the below part. Yeah, and it started to bounce back.
[00:51:18] Evan Francen: That's when some of the toughest decisions were made, you know? Uh, yeah, but you know, I think, you know, looking past that, trying to figure out what you're gonna look like on the other side of it, you know, the decisions I make today are going to affect the things that we do in December and January 2021. So, you know, we have to sacrifice now to benefit later. The team just did such a great job.
[00:51:48] Brad Nigh: Man, just, yeah, it's that looking forward, not being week to week, quarter to quarter, month to month, year to year. And it's so cool to be part of growing this organization and doing that. So I think that's really something I'm looking forward to.
[00:52:07] Evan Francen: Me too. I totally, yeah. All right. I've got three news articles. I shot them to your email prior to this. Some of it is, you know, whatever. But the first one is from The Hacker News. The title is "Microsoft says SolarWinds hackers accessed some of its source code."
[00:52:29] Brad Nigh: Yeah, yeah. How
[00:52:32] Evan Francen: do you get to Microsoft's source code? That's got to be, wow.
[00:52:37] Brad Nigh: Yeah, I like that they said that viewing source code isn't tied to elevation of risk and that they weren't able to tamper with the source code, but uh, it just makes me nervous, you know, with Intel and NVIDIA having found the SUNBURST malware on their networks. That's the "it's gonna get worse" part.
[00:53:05] Evan Francen: Here's the quote, you know, one of the quotes in this article: "We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories." It's like, jeez, you're in deep, man, when you're in Microsoft's source code repository.
[00:53:28] Brad Nigh: Yeah, yeah. I would hope that that's not an easy thing to get to, right? So
[00:53:38] Evan Francen: Sure. Yeah. Well, what it means to us, you know, I'm sure Microsoft will continue their investigation, there'll be more patches and things, but you know, eventually you get to a point like you did with NT 4 where you're just gonna have to create a new operating system again. You know, knowing the source, you know exactly what the application is going to do when given these types of things, this type of input. It's valuable. And so, what I mean, yeah, it's a very good intel piece for attackers.
[00:54:14] Brad Nigh: It saved them a lot of work.
[00:54:16] Evan Francen: Right. And it gives them some pretty sweet-ass bragging rights too. Thanks, Michael. But I stole a copy of Windows 95 from a Microsoft bulletin board server before it was released. I'll tell you about that story.
[00:54:31] Brad Nigh: I think so.
[00:54:33] Evan Francen: Right. The statute of limitations has long passed, so I'm okay. But I was such a, I thought I was so cool, man. Found our bulletin board server, which, I don't know, I didn't hack Microsoft or anything, but there was a copy of Windows 95, 26 floppies. Downloaded that thing. Uh, 14.4, it's, you know, 14,400 bits per second. Yeah, yeah. And I had Windows 95 running on my computer before any of my friends did. So I was, like, look at who I am. That's funny. That's what we used to do. Now, nobody does that. It's all money, money, money. Mm. Yeah. All right. Well, the next one is from Hackread, uh, and the title of this one is "Backdoor account found in 100,000 plus Zyxel firewalls, VPN gateways." I picked this one because, do you remember the model of the firewall that I was changing the password on, on my own network, last week?
[00:55:44] Brad Nigh: Well, it was created, it's a hard-coded admin-level account. No, you shouldn't be hard-coding. That's, mm, look...
[00:55:58] Evan Francen: But I wonder if that was put there on purpose, because I know that the central likes to have that control.
[00:56:10] Brad Nigh: Yeah. Uh huh. Mhm. So, I don't know. At least they did release a firmware patch, right?
[00:56:21] Evan Francen: Yeah, you kind of have to. I mean, if it was put there on purpose, you sort of have to release the patch when it becomes public. Uh, here's the deal with software development: don't use backdoors.
[00:56:34] Brad Nigh: But so it had the undocumented account. The password actually wasn't a bad password if you look at it, but it was stored in plain text.
[00:56:44] Evan Francen: Right, so who cares? Yeah, so, and for the listeners, I think last episode, or was it two episodes ago? Look on our list of episodes, but we did a couple of episodes, you know, one of them was changing passwords on your home router. Go do it if you haven't. Um
[00:57:09] Brad Nigh: The patch, that's the other thing. That's the only way you're gonna fix this one.
[00:57:14] Evan Francen: Yep, and patch. So go back and do what I said, log in and you'll find an update, probably in the advanced whatever. Maybe we'll do a show on that. Uh, that's, you know, 100,000, uh huh, Zyxel firewalls are out there. It's probably a lot. Yeah, but uh, your basics, your basics would cover you from that, just saying, after the patch. Pre-patch... Yeah. The last one is also from Hackread, and it's "Hacker selling 368 million user records stolen from 26 companies." Mhm.
[00:58:03] Brad Nigh: Yeah, ShinyHunters. This isn't the first time we've heard of them. Nope.
[00:58:11] Evan Francen: Yeah, so ShinyHunters. Get a dump. Uniform. Of these data breaches, 21 of these websites are already known, seven of them are new ones. So we already knew about some of them, some of them we didn't. So it sucks to find out about these things from somebody else, especially the attacker. Like, hey, just wanted you to know you just got... shit.
[00:58:36] Brad Nigh: Yeah. Well, what's funny is, if you read in there, there was one that was like, you're breached, um, your data is there. Like, right.
[00:58:49] Evan Francen: So these things, you know, in terms of, you know, personal home users and things like that, this will start showing up in, you know, your data breach report things in the next month or two. So you know, if you're not monitoring your accounts, there's so many free services, and most of them are pretty good, to do that. Uh, LastPass, our password manager that we use, has that built in. Yeah, yeah. That's, to me, we'll have that built into the next release. So
[00:59:20] Brad Nigh: I know Firefox as well. If you visit a site that's had a breach, it'll pop up a warning: hey, this site, if you have an account here, like, check here to see if your account was compromised. So there's some good things out there.
[00:59:35] Evan Francen: Yeah. So, like, yeah, it's a lot of users, a lot of accounts. You know, protect what you can to protect yourself. If your account is one of those accounts, you know, go change your passwords. Ideally, you're doing business with companies that store strong hashes of your passwords, and you chose a strong enough password that, you know, they're not going to easily find a collision and get your account. That's why we do things the way we do things. But you know, some of the people we do commerce with online don't follow good security practices. Don't hash passwords, don't hash them well. So it doesn't matter how strong your damn password is. They still got it.
[01:00:16] Brad Nigh: Right. Exactly. You can have a 30-character password; if it's stored in plain text, who cares? Right?
[01:00:22] Evan Francen: So it is important for us, you know, even if you are choosing really strong passwords and confident in that, to still pay attention to these things.
[01:00:31] Brad Nigh: 100%.
[01:00:33] Evan Francen: All right, well, that's, uh, have you got anything else to add before we wrap this sucker up?
[01:00:39] Brad Nigh: No, I’m just jealous of the blue sky behind you.
[01:00:44] Evan Francen: Yeah, well, hopefully I'll be able to enjoy it now, you know. Yeah.
[01:00:49] Brad Nigh: A little less stress to worry about. Yeah.
[01:00:53] Evan Francen: All right, well, thank you to all our listeners. Send us the things you’ve got in there, good for you. Yes way. Yeah. What’s that? I don’t know. I haven’t got any of that song, Michael. Yeah. Well, I’m gonna go there after this. You have a nice day. Thank
[01:01:12] Brad Nigh: you.
[01:01:15] Evan Francen: Alright, so thank you to all our listeners. Send things to us by email at unsecurity at protonmail dot com. If you like to do the social things, Brad's on Twitter. He's @BradNigh. I'm also on Twitter. I'm @EvanFrancen. Uh, listen, you can follow our companies too. We do some cool stuff. Sometimes we announce something or other. FRSecure is @FRSecure and SecurityStudio is @StudioSecurity. That's it. Talk to you again next week.