Unsecurity Podcast

Evan and Brad wondered: what happens when you Google “cybersecurity”? Evan is known for saying that the information security industry lacks a common language, which makes it hard for us to be on the same page. So on this episode they perform a Google search for “cybersecurity” and discuss their findings. Hopefully, this will shed some light on the challenges the industry faces in reducing that confusion.


Podcast Transcription:

[00:00:22] Brad Nigh: Good morning and, well. Well, good morning, good afternoon. Thank you, Zoom, for some issues this morning. Good afternoon and welcome to episode 94 of the Unsecurity podcast. Today is August 24th. My name is Brad Nigh and joining me as always is my co-host, Evan Francen. Good morning, Evan.

[00:00:39] Evan Francen: Good morning Brad or afternoon.

[00:00:41] Brad Nigh: I’m just reading off the, reading the notes off the show notes.

[00:00:45] Evan Francen: Well, and you know, depending on what part of the world you’re in, it is morning somewhere, right? Bulgaria, where all our developers are. It’s morning for them.

[00:00:54] Brad Nigh: There you go. Yeah, I know we tried to get on this morning and had some issues with Zoom, and then it ended up working out well that we couldn’t record, because I’d go pick up my daughter from, uh, soccer because it got cancelled as the thunderstorms early, so it would have sort of had to be sitting. Right.

[00:01:14] Evan Francen: So now with the, yeah, now with the back, back-to-school stuff and, um, sort of everything going on with, you know, schedules, we’re going to start recording on Tuesday mornings, is that right?

[00:01:28] Brad Nigh: That is correct. Yeah. So you’ll see. It started me start next week. Um, well, we put these episodes out on Tuesday mornings, awesome. Yeah, kind of nice. We can be flexible about it.

[00:01:44] Evan Francen: Oh yeah. I mean it’s our show man, we can record whenever we want to do that.

[00:01:50] Brad Nigh: Or travel or other reasons, so.

[00:01:54] Evan Francen: Right. It’s just the 94th consecutive week we’ve done this. It’s like, it’s like a year and three-quarters-ish.

[00:02:04] Brad Nigh: Yeah. I mean, we’re like 10 episodes from two years to be.

[00:02:10] Evan Francen: Or do you still remember the first episode?

[00:02:13] Brad Nigh: I remember doing it, and it was like, it’s definitely awkward and kind of weird to do, but we’ve come a long way. Crazy. I don’t know, I couldn’t listen to it. I don’t listen to any of the ones that I’m on. But, uh, I know, I know we’ve come further just because they just closed better.

[00:02:38] Evan Francen: Right? And it’s 94. So if you figure an hour an episode, that’s 94 hours, that’s like two weeks, 2.5 weeks of straight talking, me and you.

[00:02:51] Brad Nigh: Plus prep time and

[00:02:54] Evan Francen: Oh yeah, I do want to get into that. Probably like, well, I mean, if you take like this morning, it was about 15 minutes of prep time. That’s when I started writing the show notes.

[00:03:02] Brad Nigh: Like Power. Typically.

[00:03:06] Evan Francen: Yeah, it depends on how wordy I want to get. Like sometimes, you know, when I was doing the writing, this, you know, notes for the Women in Security series, it was a little bit longer. Kind of wanted to give them a little more, you know, a little more of the spotlight, because I thought they were just awesome.

[00:03:22] Brad Nigh: Yeah, yeah, yeah, yeah, Tuesdays next week. Uh, it’ll be good. Uh, so what’d you do last week? I do this last week,

[00:03:36] Evan Francen: Man, last week was a good week. I had super busy. You know, sometimes you have those super busy weeks where you just don’t feel like you were very productive. Last week was a week where it was super busy, but it felt like I actually got some stuff done. So that was, uh, that was really good, and had some good meetings. Shout out to, uh, Schneider Downs, which was a company that we talked to, really as a partnership potentially with SecurityStudio and FRSecure. Um, did that handoff this morning and then had another good meeting with VIP Cyber Defense, another company that I think might be a good, uh, partner with Studio. Just stop with the State of Minnesota on their third-party information security risk management stuff.

[00:04:24] Brad Nigh: Getting into that.

[00:04:26] Evan Francen: Yeah, you’re probably getting roped into the securing-the-elections stuff with the

[00:04:33] Brad Nigh: Yeah, yeah,

[00:04:37] Evan Francen: Yeah. So saying, you know, the state’s such a big thing, I mean, like, left hand sort of knows what the right hand’s doing on that one, but I don’t, I don’t think. Please, uh, and then shout out also to Cowbell Cyber. If you’re, you know, that’s another integration. We did a real integration between SecurityStudio and Cowbell Cyber to really improve the platform, and that’s awesome. You’ll be getting some, probably, training or something on that fairly soon. Uh, I went camping with FRSecure’s president, Mr. John Harmon, this weekend.

[00:05:16] Brad Nigh: It was, uh, was roasty. Uh.

[00:05:21] Evan Francen: Dude, we, I got roped into hiking, and I’m like, yeah, OK, hiking, it sounds cool. You know, how hard can that be? We went up the freaking mountain. It’s like I was dying. I was like, it’s like I just got dipped in the water, man, I was so sweaty.

[00:05:42] Brad Nigh: It was on Sunday. I don’t know the yard, it was the backyard, I’ve been putting it off. It’s been so hot, and backyard was like seven inches. I was like, okay, if I don’t know it, I’m not going to be able to go it more, can’t handle it. Yeah, it was like 90 degrees with like 60% humidity. You just walk outside and you’re damp.

[00:06:03] Evan Francen: Yeah. I mean, actually, you know, I kid, the hike was awesome, man. It felt good to get some exercise and, you know, hang out with John. I really, really dig that dude. So

[00:06:12] Brad Nigh: Very cool.

[00:06:13] Evan Francen: That was fun. Yeah, and then that’s about it. How about you? What was your click?

[00:06:18] Brad Nigh: Uh, it was busy. Um, we had a webinar with countries Oscar myself last Tuesday around some managed service providers and incident response, um, here, that went really well. Yeah, really well attended, and, uh, all the feedback we’ve gotten is really good. There was a lot of questions, like really good, you know, kind of like requests and stuff. Um, so that was cool. I got some attendees to the webinar, got a free fire risk registration. So it was decided to give them that. That was a pretty nice, nice given with $1000 value. So

[00:07:01] Evan Francen: If you wanted to drum up some business, you could have just given, giving out some free Alexas.

[00:07:07] Brad Nigh: No, uh, no, not doing that. Uh, so that’s not,

[00:07:14] Evan Francen: That’s not fixing

[00:07:15] Brad Nigh: the broken industry, not so much. Uh, Wednesday we actually went, we have our dogs at obedience training, they’re doing an eight-week only show off-leash training. So Wednesday, we got to go see them for the first time since August 1st, and, uh, 2.5 weeks, the kids just lost their minds. They were so excited, and the dogs, as soon as they were, like, really well behaved, and then as soon as they saw the kids, they were just like, you could just see them, like, lose it. It was really cool, but that’s going really well. So it was fun to kind of get away. I was basically the whole afternoon. Um, it was actually really nice on Wednesday, so that was not bad. Thursday, we had our monthly VTO, so it’s just kind of, what’s the state of the company and fourth quarter and starting a plan for some of that stuff, and, and then Friday. Uh, you know, it’s funny, I had a really good week, and I woke up Friday, it was just, I had one of those days. It’s just been, you know, I think everybody’s kind of suffered through some of those through the pandemic, and I was just like, I don’t know, I just don’t have it today. Uh, so it, it took it a little easy. I did get a bunch of kind of pet projects, I guess I would call it, versus, you know, maybe some of the other things that I’ve been working on, just to kind of get back into the groove a little bit. So it’s kind of nice, but I feel much better and raring to go. Thanks.

[00:08:51] Evan Francen: Well, that’s cool, man. Yeah, this will be a, well, with, this week is going to be like, I’m trying to train my dog right now so I can’t separate myself from this thing, which is good. I mean, we’re bonding, but it’s like, it’s hard to get work done when they just keep sitting on your

[00:09:06] Brad Nigh: lap. Yeah, it’s really hard when you got like 85 pounds. Well, yeah, that’s one,

[00:09:17] Evan Francen: This one’s like 10, maybe. Yeah. Yeah, but lots of good things going on, man. Where SecurityStudio’s actually kicking some butt, and sales too. So I’m excited. I think, given COVID and everything going on and kids going back to school, this is usually when business picks up in the cybersecurity or information security industry. I’m seeing, I think, healthy signs. I think once the election’s done, no matter which way it goes, I think that also gives us some certainty.

[00:09:49] Brad Nigh: Yeah, uh, this week I’m excited. Is it this week or next week? It might be next week. I’m going to mean that as excited. Yeah, it’s, uh, hi, this week, uh, yeah, this, this week and next week. Yeah, I’m working on creating a, uh, our maturity assessment for our, by our team to be able to use, uh, kind of similar to how we used to work for B. C. So, uh, this will be difficult. It will be much more in depth than the incident response portion of the S. U. R. Yes, and going to support detail there, but by that and work on that, so I’m really excited to start cranking on that. Hopefully get that done here in the next 2 to 3 weeks. So mid-September I should have something, the first draft of that.

[00:10:40] Evan Francen: That’s cool, man, because section eight, there’s 8.1, 8.2 of the S2Org talk about incident management. You know, this could be a really good supplement, so that if you score well enough on 8.1 and 8.2, maybe it’s time to mature or graduate into a more in-depth assessment like the one you’re developing.

[00:11:02] Brad Nigh: And the goal is I want something that can be done in, in a four-hour window, right, a half a day. That should be enough time to really dig into an incident response program and have a good feeling without overwhelming people, because you could definitely make it much longer and warned death. But I think at some point you kind of hit that, we talk about that, point of diminishing returns.

[00:11:26] Evan Francen: You know what I was gonna write, I’m gonna write this week, I’ll send it to you, uh, Incident Response Pro Tips, that, uh, kind of pro tips that nobody really talks about, uh, which might be interesting. I mean, I think it’s, I’m just gonna write it because I feel like writing it. Uh, but things like getting a scribe, whoever thinks of that, but if you have a pretty significant incident, you’ve got the war room going and all that other stuff, having a scribe is really important because people come and go from the incident response, and rather than having to bring people up to speed over and over and over again, it’s like, here, read the, read the notes. When you’re done reading, when you’re done reading and you’ve got yourself up to speed, join the,

[00:12:13] Brad Nigh: you know, the party. Yeah. And you know, Oscar’s got that, our team, they do a phenomenal job with note taking. Mhm.

[00:12:23] Evan Francen: Yeah, that’s another thing. But if you’re going too fast to write down everything, you’re going too fast.

[00:12:28] Brad Nigh: Yeah. Yeah,

[00:12:30] Evan Francen: That’s cool, man. So now, do you ever watch the, do you ever watch the shit show? Have you ever watched one yet?

[00:12:37] Brad Nigh: You know, it’s

[00:12:38] Evan Francen: 10 o’clock at night? It’s 10 o’clock at night. You got kids?

[00:12:42] Brad Nigh: Yeah. And I always, I always forget, I’ll be honest. I’m like, oh, I need to watch it. And then by the time we get through bedtime, I’m like, fried. And I don’t even, I’m like, you know, kind of oblivious to the world at that point. And then I’m like, oh, I forgot to do it again.

[00:12:59] Evan Francen: We always go long. It’s funny because we get just so caught up in the discussion of whatever we’re talking about that we look at the clock, you know, after a while, now, oh, it’s 12:30 AM already.

[00:13:11] Brad Nigh: Yeah. That, it’s easy to do. Especially you’re just talking and kind of be messing with guys you like, and get up now.

[00:13:22] Evan Francen: Yeah, they’re members of your own tribe, right? It’s hard sometimes to, I can’t relate, you know, I can’t share a lot of things with my wife, with my friends, unless they’re in the information security industry

[00:13:36] Brad Nigh: and get that blank look on their face. And I’m like, uh, great,

[00:13:41] Evan Francen: Right? Which doesn’t make me feel any better. Makes me feel like I’m crazy, because, because they look at you like you’re crazy. Like, okay, I’m going to cut the cucumber now.

[00:13:53] Brad Nigh: Yeah. Yeah. Or you get to the, uh, that’s great, and, you know, they’re just completely tuned out.

[00:14:02] Evan Francen: So is that like identity theft? No, it’s not. But okay.

[00:14:09] Brad Nigh: I appreciate you trying.

[00:14:10] Evan Francen: Yes. Yeah, I know. And then you start to feel condescending too, like, I feel like just a jerk. So yeah, at least when I talk with these guys, you know, we can all be jerks to each other. Last week was funny. We did an episode, it’s called They’re Listening. We’re talking about how, you know, all your devices are listening, whether it be, not all, but, you know, your iPhone, your, your Android unless you’re not, I configure it correctly, Alexa, Google Home, just all that crap. And, uh, it was really cool because Chris Roberts played the devil’s advocate. So he played the guy who was for these things, uh huh. And, uh, Ryan and I just, I mean, he, Chris’s, once, Chris is one smart cat. I mean, he held his own better than anybody, because I think both Ryan and I were just

[00:15:07] Brad Nigh: Uh, that’s not an enviable, uh, topic to defend.

[00:15:13] Evan Francen: No, but Chris, if anybody can do it, it would be Chris. Uh, he did a stand-up job. We were checking, which kind of chatting while we were having this conversation, because it’s live, so there’s people watching it on YouTube and people are commenting while we’re talking, and I think sometimes the people on the, on the, on the YouTube channel think that we’re actually arguing. Like, does he really believe that that’s a good idea? So we’re chatting on the, on the Zoom chat, you know, while all this time what’s going on, like, just laughing. It was

[00:15:52] Brad Nigh: cool. That’s funny. That’s awesome. Yeah.

[00:15:57] Evan Francen: So that’s that too. I don’t know what the topic is going to be this Thursday. It’s Chris’s choice, so each week one of us chooses the topic.

[00:16:06] Brad Nigh: It’s easier to go that way.

[00:16:10] Evan Francen: Well, yeah, I mean, it gives people, like, Chris’s, Chris is, mhm, smart, I mean, smart dude, so he, he can talk about AI, you know, kind of fluently. You can talk about hacking planes, obviously. Um, so yeah, it’s good that I talked more about kind of administrative things. Like my, my last topic was, the week before last, it was mental health. You know how I feel about that. So it was a good, that was a good conversation, too. You know, I think we all struggle with something. Right?

[00:16:47] Brad Nigh: All right. Like I said, I had a really bad, tough day Friday. It just, it happens, it hits you, you know, just sitting in the chair going, like, staring at the screen, like, I just don’t want to do this, like, it’s just everything. So yeah, I kind of took a, took a walk and recentered and worked on kind of, like I said, these pet projects, and had a good conversation with Peter and Oscar, and that helps. Yeah, you gotta know how to take care of yourself.

[00:17:16] Evan Francen: Yeah, totally, man, totally, totally. All right. What’s, are still about this week, so we’re kind of transitioning this week.

[00:17:26] Brad Nigh: I know, it’s weird. I was like, wait, no guest, I have to, have to work again. It’s so much cheaper if you just talk to a guest and just kind of like let that flow versus, you know, because a guest kind of brings their own topic, too, Joe. Um, so yeah, what are we gonna do? Uh, so right now we are between series. We finished up the Women in Security series a couple weeks ago, and last week we caught up with Oscar, uh, Minks, with FRSecure on DEF CON. This week we’re going to do something educational. So the idea is we’re just gonna do a Google search of a word. This week, we’re the cyber security, and we’re just going to discuss the first result. We think,

[00:18:15] Evan Francen: Oh, I take it, man. So we don’t know what’s gonna come up in the first page of results when we type in cybersecurity.

[00:18:21] Brad Nigh: Yeah, no, I have it typed up and I legitimately have not looked at it yet, so okay, I’m ready to see what, all right. All right. Oh. Mhm.

[00:18:38] Evan Francen: Is that what you see what we’re gonna say?

[00:18:40] Brad Nigh: Oh, because there’s only about 504 million results.

[00:18:44] Evan Francen: Oh shit. Dog, hold on, this is what happens from home.

[00:18:51] Brad Nigh: I’m starting on, uh, oh, I had cyber space security, not cybersecurity. One word, only 136 million results now, but now I know it all thinks about cyber security. Yeah,

[00:19:06] Evan Francen: Exactly. Well, yeah, I’d put them on mute. Somebody came in the house. He’s, you know, guard dog. You did, you do cybersecurity one word or two

[00:19:13] Brad Nigh: words? I did. I realized I did it two words. Uh, but in the one word. So I did one word. So you can actually reflect the number of results.

[00:19:24] Evan Francen: To what? How many you have?

[00:19:26] Brad Nigh: 136 million.

[00:19:28] Evan Francen: I have 134 million. Yeah, I’m getting cheated. I’m getting cheated out of two million results. Okay, sugar, should I go to Google support?

[00:19:40] Brad Nigh: I wonder if you’re, so I, I always, I know it doesn’t really help a lot, but it just makes me feel better, is I’ll always do Google searches incognito. Oh no, I didn’t do that. They filter and kind of give you curated based on your search history. I always want to see the unfiltered number. So that’s probably the difference there? Yes.

[00:20:09] Evan Francen: You gotta get all geeky on me, don’t you? You know how many of our listeners know how to go into incognito, do you think? It’s really easy. Top right. I mean, you can do to keep our truck up to

[00:20:23] Brad Nigh: I see now my, my little bit of geekiness is coming out. Control Shift P, and Firefox. Control key, right, Chrome.

[00:20:35] Evan Francen: I always just go the long way because I can’t, I forget shortcuts, but if you go, it’s Control Shift N

[00:20:43] Brad Nigh: That’s right. Yeah. And, and Firefox.

[00:20:49] Evan Francen: You’re using Firefox or using Chrome?

[00:20:51] Brad Nigh: Firefox.

[00:20:53] Evan Francen: I’m using Chrome and I’m also in incognito, and I still have about 134,000 results.

[00:21:00] Brad Nigh: Interesting. Yeah, I’m pretty sure that, that we’re not gonna ever know or notice that.

[00:21:10] Evan Francen: No, that’s kind of cool. So you’re incognito, all, you Googled the cybersecurity, one word. What’s the, what’s the, what’s the first thing shows up on your

[00:21:21] Brad Nigh: page? So it’s that featured snippet from searchsecurity.techtarget.com. Definition of cybersecurity: cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyber threats.

[00:21:37] Evan Francen: You don’t have an ad.

[00:21:39] Brad Nigh: Uh, well, I’ve got, I do have, uh, I promise you that you’re wrong. Yeah.

[00:21:47] Evan Francen: You got, dude, you gotta just go straight up on this. Yeah, kinds of blockers and

[00:21:53] Brad Nigh: stuff. Sorry?

[00:21:58] Evan Francen: No, you’re just just too good at this security thing.

[00:22:02] Brad Nigh: All right. I’ll turn it off.

[00:22:05] Evan Francen: Yeah, let’s see what the first ad you got is.

[00:22:09] Brad Nigh: All right. Yeah. What

[00:22:16] Evan Francen: do you got?

[00:22:18] Brad Nigh: I still have that. What, what have I, can’t even

[00:22:23] Evan Francen: You can’t even get ads when you ask for them. I get them.

[00:22:26] Brad Nigh: What bitch. I’ve got. It’s my network. I’m not gonna against.

[00:22:33] Evan Francen: All right. Well, my first one is a, is an ad for Online Cybersecurity Bootcamp from the University of Minnesota. Make it, attend, attend virtual cybersecurity classes taught by industry professionals and learn from home. Jump-start your career and become a cyber network defender. 24 weeks. 24 weeks.

[00:22:58] Brad Nigh: Ok. I was able to get in and see ads. I do go and pass himself. So yes, I see that, you’re right now. And then do you have that ad too? Yep. And then I have one from Frontier for enterprise cybersecurity, and then IBM cybersecurity, manage your cyber defenses.

[00:23:22] Evan Francen: Yeah, I have the IBM one as the second one. Same one, manage your cyber defenses. So if you click on those links, I wonder how much it costs.

[00:23:35] Brad Nigh: I don’t know. I know it’s probably pretty expensive. I know that from our marketing team there’s certain ones where it’s just like, it’s like just insane, like crazy, to pay per click, so you just don’t do it.

[00:23:51] Evan Francen: Six. No. Yeah. Especially where, like, cybersecurity, right? It’s all bid, so that those are

[00:23:56] Brad Nigh: expensive. I think it’s a fruit. Okay. I know you guys. Oh no, I was trying to think of what the, the big ones were for marketing and what they don’t go after. I don’t remember. I was trying to think what they were, though.

[00:24:19] Evan Francen: You know the weird thing about being, uh, this whole COVID thing, everything is half-duplex, like all your discussions, all your discussions, like, I have to say something, wait, and then you say something.

[00:24:34] Brad Nigh: way

[00:24:39] Evan Francen: you can’t really talk at the same time. Yeah.

[00:24:42] Brad Nigh: So I want to know why we’re not on Google’s list of cybersecurity companies?

[00:24:50] Evan Francen: I don’t really want to be in Google’s list of anything to be on the list.

[00:24:55] Brad Nigh: How was I mean I’m sorry.

[00:25:00] Evan Francen: Not that, but, but they’re all product companies. We don’t sell product.

[00:25:04] Brad Nigh: I’m looking, yep. So

[00:25:09] Evan Francen: All right, so your first result, result like non-ad, is which one? What is

[00:25:15] Brad Nigh: it? The search security target dot com, the definition. What is cybersecurity? Everything you need to know?

[00:25:22] Evan Francen: Everything you need to know. Yeah, everything.

[00:25:26] Brad Nigh: Apparently

[00:25:27] Evan Francen: I’m clicking the crap out of that one. Let’s click it.

[00:25:31] Brad Nigh: Let’s see. Oh,

[00:25:34] Evan Francen: All right. Job. It is, it is everything I need to

[00:25:36] Brad Nigh: know. Let’s see.

[00:25:40] Evan Francen: This is absolutely everything. We are done. Why don’t we just refer all our clients to this?

[00:25:47] Brad Nigh: Did you know the goal of implementing cybersecurity is to provide a good security posture?

[00:25:52] Evan Francen: What is a good security posture?

[00:25:56] Brad Nigh: I don’t know that. Cybersecurity is a continuously changing field. That is true. I got this right. I can’t, I can’t use this browser. There’s so many pop-ups and jumping

[00:26:11] Evan Francen: around. I can remember when, when TechTarget actually used to be a nice, just almost text.

[00:26:19] Brad Nigh: I have to go back to my locked-down browser to actually read anything. All right.

[00:26:28] Evan Francen: Risk management, cybersecurity. Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyber threats. What do you think of that?

[00:26:40] Brad Nigh: I mean, technically that is a correct definition, I think.

[00:26:47] Evan Francen: Internet-connected, though. Doesn’t have to be internet-connected.

[00:26:51] Brad Nigh: Yeah.

[00:26:57] Evan Francen: Yeah, because, you know me, I’m a little, I’m a little guy.

[00:27:00] Brad Nigh: Yeah, it should be, yeah, network-connected.

[00:27:03] Evan Francen: Do you remember when, when we were in, uh, like, school and the teacher, the English teacher, would tell you a word and would say it’s made, it’s made up of these two words, or these three words put together? You know what I’m saying? So cybersecurity would be cyber and security put together. So cyber is, according to, if you open up another browser, type in cyber, you’ll get a definition: this is relating to or characteristic of the culture of computers, information technology and virtual reality. Yeah. So cyber itself, cyber itself doesn’t say anything about internet, at least in that definition.

[00:27:47] Brad Nigh: No, that’s a good point. And you know, I think about it, you think of those, like, SCADA systems and things that are air-gapped. Those are still facing cyber threats. So we’re still on a network even though they’re not internet-connected. Mhm. You

[00:28:06] Evan Francen: see, and, you know me, man, I’m a nitpicker and I’m very, I’m very literal when it comes to information security and cybersecurity and these things, because there’s so much confusion. Yeah, we just take, just take this stuff for granted. So if I’m around, if I’m out preaching cybersecurity is the protection of internet-connected systems, then you might think that if something is not internet-connected, then it’s not, it doesn’t relate to cybersecurity at all.

[00:28:36] Brad Nigh: No, that’s a really good point, people.

[00:28:39] Evan Francen: So I mean, I think, I see, and, and, and I’m not even gonna call out who the author is, because that’s not the point. The point isn’t to point fingers. The point is to settle on something that’s actually a true, you know, just, like, definition of these

[00:28:55] Brad Nigh: things. I can absolutely see, because I didn’t, I didn’t click it with me at first either. I can see how you could use that definition without, you know, they get anything of it.

[00:29:09] Evan Francen: Well, and people like us who have been in this industry for a while, we do that a lot. I mean, I, I catch myself doing it all the time, where I’m just like, I read through it quick and, and I don’t pick out those words. But, you know, that somebody, I think probably somebody who is newer to the industry, who would probably be the one most likely to be searching for “what is cybersecurity,” would really dwell on each one of these words, each one of these components, potentially.

[00:29:38] Brad Nigh: Yeah, that’s a very good point.

[00:29:41] Evan Francen: Yeah. So I said the, and then the next sentence is, the practice is used by individuals and enterprises to protect against unauthorized access to data centers and other computerized systems. Don’t like that one either. It’s more than just, it’s more than just unauthorized access.

[00:30:04] Brad Nigh: Yeah, I’m stuck on it as well, because it could be, yeah. I don’t like, I don’t like listing just unauthorized access, the rest of the day, like

[00:30:21] Evan Francen: sons. Yeah, I think, yeah. One

[00:30:24] Brad Nigh: yeah. They probably, to, to bring another, against threats to data centers.

[00:30:32] Evan Francen: When I, I always like to think of information security. Security is all about managing risk, right? It’s not eliminating risk. It’s not, protection to me is kind of a funky word, because protection to me always means, like,

[00:30:47] Brad Nigh: um, it’s an absolute, right? You’re protected from

[00:30:52] Evan Francen: make it. Yeah,

[00:30:54] Brad Nigh: that’s it. Uh huh. To reduce risk from threats to data centers, or to manage risk. Yeah.

[00:31:07] Evan Francen: Yeah. What’s that?

[00:31:13] Brad Nigh: I don’t like that sentence, at least the middle part. I like the first part and the last part. The middle third is the problem.

[00:31:21] Evan Francen: So we both agree, we both agree on that, and it’s okay if we didn’t agree, too. But the, uh, and that was the number one non-ad result. Is that, then you always have that People also ask piece in the middle of that first page? Do you ever, did you, do you have that too?

[00:31:44] Brad Nigh: Hello? They say, hold on, let me get back. Oh yeah, yep.

[00:31:49] Evan Francen: What you’re doing there,

[00:31:51] Brad Nigh: What is cybersecurity with the space?

[00:31:55] Evan Francen: Mhm. Oh, okay. Yeah. So this one comes from Kaspersky.

[00:32:00] Brad Nigh: I would say, yep. Mhm

[00:32:05] Evan Francen: Defending, and they say cyber security, two words, cyber security.

[00:32:12] Brad Nigh: And they do. They, that’s interesting. Their, their blurb is, uh, is definitely written differently than that TechTarget one. So cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks. Yes. Again, I don’t like the practice of defending

[00:32:33] Evan Francen: but I don’t like the words malicious attacks.

[00:32:37] Brad Nigh: but they at least got the, the target better. Yeah. Right, because they’re not calling, they’re calling out the different pieces without saying internet-facing or anything. Yeah. Yeah. It’s also known as information technology security or electric, electronic information security.

[00:33:01] Evan Francen: See, and I do like that, because they make a differentiation between cyber, information technology, electronic. Those are all sort of the same thing, and if you look at the definition of cyber, yep, that sort of fits, because what they’re not saying is that this is information security.

[00:33:19] Brad Nigh: Yeah, I was thinking that, but then it’s electronic information. I’m like, no, I think that there is a different energy here, that, yeah, I think I probably wouldn’t use the electronic information security, because I think it would confuse people, but I like the IT or information technology security.

[00:33:40] Evan Francen: Yeah. And, and the only thing I don’t necessarily like is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks,

[00:33:55] Brad Nigh: because it’s not always malicious.

[00:33:57] Evan Francen: Well, it’s not always malicious, too. And it’s, and if you go by that sentence, it’s exclusive to computers, servers, mobile devices, electronic systems, networks and data. You know, it might be a little narrowly focused. I don’t know, I’m being a nitpicker, because whenever you’re gonna give me a definition, you better get it right.

[00:34:19] Brad Nigh: I don’t know. I would, I’m going to disagree with you on, I don’t like the defending piece, but the list of systems, I think that covers, I can’t think of any other, uh, I think I do like that. They call out and say, like, here’s examples without being, you know, overly, they’re not overly broad. It’s, I think it’s the right level to give people the idea of what that covers.

[00:34:47] Evan Francen: Yeah, I can see that, too, because computers sort of, curious, covers a lot. Right,

[00:34:54] Brad Nigh: servers or electronic system. I mean, I could see maybe, like, SAN, but you could also argue that that’s under your data. Right. True. I think that their, their coverage is good. I just don’t like the defending. Mhm.

[00:35:09] Evan Francen: Or the malicious attacks.

[00:35:11] Brad Nigh: Yeah, the malicious.

[00:35:14] Evan Francen: See, this is cool, man. I like this. This is fun. I’m learning stuff.

[00:35:19] Brad Nigh: Uh All right. What’s your next one on

[00:35:22] Evan Francen: lines? What skills are needed for cybersecurity

[00:35:26] Brad Nigh: and it’s from online.champlain.edu

[00:35:32] Evan Francen: Champlain College Online.

[00:35:34] Brad Nigh: All right. Top skills. Now this surprised me. This is not what I was expecting when I clicked it. I was expecting a list of like certifications and stuff. Right? So the list is problem solving skills, technical aptitude, knowledge of security across various platforms, attention to detail, communication skills, fundamental computer forensic skills, desire to learn, and an understanding of hacking. Hmm, that last one? I mean, yeah, I think understanding it would be helpful, but I don’t think that that’s necessarily required, you know, to be good at this. Uh, but that’s actually a pretty good list, I think.

[00:36:18] Evan Francen: it’s a pretty good list. Yeah I don’t know how much you need for computer forensic skills either and if you’re

[00:36:26] Brad Nigh: not going into mental right like but

[00:36:30] Evan Francen: if you’re not going into the technical side of things like I’m doing you know writing policies I don’t know how much I need that but potentially I mean it’s a good list

[00:36:40] Brad Nigh: even if you’re writing policies you’re going to need to write and and have some guidelines and higher level things around in your IR policy. Right? Yeah

[00:36:51] Evan Francen: potentially don’t

[00:36:52] Brad Nigh: turn off the machines do these basic steps

[00:36:56] Evan Francen: that he’s got the, maybe. Yeah, I think that’s the one that I don’t feel terribly comfortable with, but it’s a better list than I usually see.

[00:37:09] Brad Nigh: I probably would have put it below a desire to learn, or put a desire to learn probably a little bit higher, but I really don’t have any issues with it. It’s definitely not what I was expecting when I clicked the little button.

[00:37:26] Evan Francen: No me neither. I was expecting a lot more like you said certs and things like that. What’s your what’s your next one

[00:37:32] Brad Nigh: is python good for cybersecurity

[00:37:36] Evan Francen: Hell yeah, it is. What do they say? Mhm.

[00:37:41] Brad Nigh: Oh, I was like, I started to figure out what the heck that URL was. It was startacybercareer.com. Like, huh? Didn’t look great. Uh, “Python is an extremely useful language for cybersecurity professionals because it can perform a multitude of cybersecurity functions, including malware analysis, scanning and penetration testing tasks.” True.

[00:38:05] Evan Francen: I concur

[00:38:06] Brad Nigh: All right. I

[00:38:07] Evan Francen: think if you’re gonna learn any programming language, you know, if you don’t know any and you’re in security, Python would be a great one to start

[00:38:16] Brad Nigh: with. I hate programming so much. But I’m definitely, uh, we’ve been doing, I’ve been doing like some capture the flags at lunch just to kind of break up my day, and let’s be honest, it’s fine. And uh, I’ve been having to learn some more of it. Programming is just not my thing, but that’s

[00:38:36] Evan Francen: okay.

[00:38:39] Brad Nigh: All right. Next one I have is what are the types of cyber security? You have the same one from mind-core.com. Yeah. All right. This is gonna be fun. All right. Number one. Critical infrastructure security. “Critical infrastructure security consists of the cyber-physical systems that modern societies rely on.” Oh, okay. I mean, yeah. Critical infrastructure is, I don’t know. All right. I don’t like this. Application security? Network security? Cloud security and IoT security.

[00:39:31] Evan Francen: Well, when I think, why would you have to name main types of cyber security, when, yeah, most don’t even understand what cybersecurity is anyway. Yeah, I don’t know. I just don’t like it. I don’t know, whatever it is.

[00:39:47] Brad Nigh: I don’t know how you break those out. They’re so intertwined. Yes, those are different parts of it. But they’re not like, you can’t have critical infrastructure security without application and network security. You can’t have IoT security without application and network security. Cloud security can’t be done without network security and application security. You can’t do just one piece of that. All right. What’s your next

[00:40:18] Evan Francen: one? What are the four types of cyber attacks? It’s only four.

[00:40:25] Brad Nigh: Well, what’s interesting though, you click it and there are more So it’s a Cisco uh link and they have it listed. It’s common types of cyber attacks.

[00:40:38] Evan Francen: Right? Where do these questions usually come

[00:40:40] Brad Nigh: from? I think it’s uh they have some algorithm that if people look for this, they also look for these things.

[00:40:48] Evan Francen: Okay, so they are common search things that people type related

[00:40:55] Brad Nigh: to cybersecurity, or to cyber.

[00:40:58] Evan Francen: Right. So somebody typed, you know, ask the question of google what are the four types of cyber attacks. Where

[00:41:07] Brad Nigh: did you get that?

[00:41:09] Evan Francen: You know that’s the part I’m a little bit more concerned

[00:41:12] Brad Nigh: about. Let’s see. So I do. I think I found it. So I actually clicked on it. And the third one is four types of cyber attacks. Cyber... Aon insurance out of Australia. So they do. How do we work?

[00:41:35] Evan Francen: It’s Aon, too, right? It’s like serious insurance. Like Aon is one of the biggest insurers in the world.

[00:41:42] Brad Nigh: Do you want to know what the four are according to them? Yeah, email phishing, malware, ransomware and a watering hole attack. Okay, wow, that’s where that came from.

[00:41:58] Evan Francen: No, no there are more types. Trust me.

[00:42:01] Brad Nigh: Well, look at that, that’s just the one. This one is much better than that, and it still doesn’t have everything that you see, but it’s at least more comprehensive: malware, phishing, man in the middle, denial of service, SQL injection, zero-day exploit, DNS tunneling. You know, there’s a lot more than that, but that’s at least a pretty good list to start with.

[00:42:25] Evan Francen: Right. Yeah, so that’s where the question came from. Somebody. Aon has four types of cyber attacks

[00:42:35] Brad Nigh: and I’m sure they paid a lot to get some ads out around it and that’s where that came from. Oh

[00:42:47] Evan Francen: Yeah. Well then the next one is what are the three types of security?

[00:42:51] Brad Nigh: Oh no, really? I have “How difficult is cybersecurity.” Oh, my three is pretty far down.

[00:43:01] Evan Francen: Why am I getting chipped on my search?

[00:43:04] Brad Nigh: I’m telling you, we gotta get rid of all your filtered results. And then I have, “Can I learn cybersecurity on my own,” “What do you need to know for cybersecurity.” Mhm. But you know what? Mhm. Uh, one day,

[00:43:27] Evan Francen: but that LBMC, lbmc.com, is three categories of security controls. LBMC.

[00:43:36] Brad Nigh: So I will say I clicked on my “What do you need to know for cybersecurity?” And it’s from ecpi.edu. And ten things you need to know to study it. Uh, there is a cybersecurity skills shortage. IT security intelligence is underutilized. Employee negligence can compromise network security. Downtime can cripple businesses. Attacks cause loss of customer trust. Most companies avoid encryption. And IoT will represent new security challenges, and 27, so I can actually go there. Um, mobile phones can cause security breaches. Email security poses major threats. Most cyber threats can be prevented. Well, maybe, maybe most. I don’t like the way that’s worded, but. Oh, I just closed my garage. Uh, that’s actually not a bad list. Oh

[00:44:42] Evan Francen: three categories of security controls by LBMC. I don’t like them. What is management security? So it’s management security, operational security and physical security.

[00:44:53] Brad Nigh: I mean they’re just basically saying administrative, physical and

[00:44:58] Evan Francen: Well, sort of, but their management security is the overall design of your controls. Operational security is the effectiveness of your controls. Physical security is the protection of personnel, data, hardware, etcetera from physical threats that could harm, damage or disrupt business operations.

[00:45:15] Brad Nigh: All right, interesting.

[00:45:19] Evan Francen: Uh It is All right. So it’s still it’s still another one. It’s still one more thing

[00:45:29] Brad Nigh: that cyber

[00:45:29] Evan Francen: security. Let me research Still only have 134,000 results. Getting so Egypt.

[00:45:36] Brad Nigh: How does internet security work?

[00:45:40] Evan Francen: You have that one

[00:45:42] Brad Nigh: I have that one. Uh, “Internet browsers and web servers have a secure way of talking to each other called HTTP Secure, or HTTPS. It works by combining certificates and encryption, a communication technique that scrambles the information as it crosses the internet. The S is for secure.” Uh huh. Well, there you go. I know everything about internet security.

[00:46:07] Evan Francen: Uh All the uh do you like simplification but uh

[00:46:18] Brad Nigh: do I need that type of security

[00:46:21] Evan Francen: tomato?

[00:46:22] Brad Nigh: Do any math. Math. Oh here’s one, here’s one. I think we should end on this one. All right. There was a week to cybersecurity work. Yes.

[00:46:33] Evan Francen: Oh my God, is this somebody else there?

[00:46:36] Brad Nigh: Yeah.

[00:46:37] Evan Francen: And how

[00:46:40] Brad Nigh: many hours is how many hours a week do cybersecurity work? Right. That is angry and head off verbatim done.

[00:46:53] Evan Francen: I don’t feel like that’s an english sentence.

[00:46:56] Brad Nigh: It’s the Illinois workNet Center that is the first result here. I’ll throw this in. Uh, I don’t have that one. Yeah. Cat, so you can read the article.

[00:47:09] Evan Francen: Did you do chat? That’s a thing that goes here. All

[00:47:14] Brad Nigh: Hours: work a set schedule. Most work 40 hours a week. May work evenings and weekends to meet deadlines or solve problems. Will work evenings or weekends to solve problems. Mhm. And then they travel. If you’re working as a consultant, that makes sense.

[00:47:36] Evan Francen: It’s the Illinois Career Information System, brought to you by the Illinois Department of Employment Security. Information security analysts, working conditions. In a typical work setting, information security analysts, under interpersonal relationships: have a high level of contact with users, managers, vendors. Communicate daily by telephone, email and in person. They occasionally write letters and memos. Are somewhat responsible for the work done by other workers. Okay. Often work as part of a team of computer professionals. Fair, it is fair. Yeah. Physical work conditions: always work indoors. I know one who doesn’t, at least one.

[00:48:34] Brad Nigh: I don’t know about always. But nearly always. That would probably be more accurate. Often. Mostly. Yeah.

[00:48:44] Evan Francen: Work indoors. Work near others, such as when sharing office space. Not anymore. Performance: must be sure that all details are done and their work is exact. Errors could seriously endanger companies’ data files. Mhm. Regularly make decisions that strongly impact a client company and co-workers. They must make most decisions without consulting a supervisor first. Wow. Set nearly all their daily tasks and goals without talking to a superior first. Oh, must meet strict weekly deadlines. Work in a moderately competitive atmosphere. May repeat the same mental tasks. This is actually not that bad. I mean, I think

[00:49:33] Brad Nigh: it’s pretty, pretty close.

[00:49:36] Evan Francen: Yeah.

[00:49:37] Brad Nigh: Up until the hours and travel. Mhm.

[00:49:40] Evan Francen: Mhm. Yeah, I guess. Yeah, I get it depends, you know, I guess everybody’s got their balance, you know, I mean some people 40 hours, others it’s 80, 90

[00:49:50] Brad Nigh: I guess. It depends on, you know, what you’re doing. If you’re just coming in and clocking in at a SOC, yeah, you’re probably working 40 hours and that’s it. Alright, so I guess we have to look and see what exactly they define. Yeah, the job is safe. Uh, at a glance

[00:50:15] Evan Francen: Wages: information security analysts earn $101,806 per year.

[00:50:23] Brad Nigh: They set up plans to protect companies information and technology from outsiders. Mm That’s not a very good description. Yeah, let’s see.

[00:50:35] Evan Francen: It’s a cool site though. Did a great job

[00:50:39] Brad Nigh: even though I was laughing at the preview, but it’s actually really good. Uh, they’ve got a really good overview: work with companies to build secure computer systems, install software that protects the information, oversee changes to existing software, test systems once changes are made, train staff on how to use it, may build firewalls if the data is available over the internet, write rules and procedures for employees to follow, and put security systems in place. May also be responsible for physically locking down the hardware, buying equipment to do that, and monitoring data logs that report all activity on a system, looking for strange activity in the records. That’s actually a really good overview.

[00:51:28] Evan Francen: No, I’m gonna put a link to this in social media because they do a great job, this Illinois workNet Center. Yeah, because if you go under skills and training they’ve got interests, knowledge, skills and abilities, helpful high school courses, preparation, licensing, certification, training programs. I mean, this is quality. Mhm.

[00:51:54] Brad Nigh: Yeah. Yeah, this is actually I’m really impressed.

[00:51:59] Evan Francen: They even have a video. Uh, you can do the video in English or Spanish. All right, that’s cool. We should put a link to that. Uh, apps dot il dash work dash net dot com.

[00:52:20] Brad Nigh: Yeah. And then you’d probably be able to drill down, but we’ll make sure we get that to Brandon and let him also include that in the blink or something. Mhm.

[00:52:38] Evan Francen: Oh, there’s computer specialists too. They don’t make any more money than computer analysts or security

[00:52:44] Brad Nigh: analysts. I’m gonna send Brandon a message real quick before I forget, as that will happen.

[00:52:56] Evan Francen: Coders, they get chipped, they had $89,000 a year.

[00:53:01] Brad Nigh: It is more of them database

[00:53:04] Evan Francen: administrators. I’ve only met three database administrators that I like.

[00:53:11] Brad Nigh: just got something I’m particularly fond of.

[00:53:16] Evan Francen: Not particularly fond of.

[00:53:20] Brad Nigh: All

[00:53:21] Evan Francen: right, good. That was kind of fun, man. I felt like I was being really critical, and I probably was. But I think if we’re gonna look for cybersecurity, we’re going to be critical. And because, like, I have, uh, I think it’s only fair that I give my definition, and then if people like it, great. If they don’t, that’s great too. So it’s all driven. I always view cybersecurity as being a subset of information security, because information security is more broad. Yeah, because it’s all about protecting information, whether it be in physical form or cyber, meaning, you know, pertaining to computers or whatever else. So it’s managing risk, uh, to, you know, unauthorized disclosure, alteration, destruction of data using administrative, physical and technical controls. That’s my definition of information security. Just slash off administrative controls and slash off physical controls, and that’s my definition of cybersecurity.

[00:54:22] Brad Nigh: Yeah, I agree with you. Yeah, this is definitely fun. It’s gonna be fun. But I’d sure do a couple more of these. We can do some fun ones with like machine learning and AI and next gen

[00:54:36] Evan Francen: for sure, man. Well maybe make this a feature where we just google something and talk about. Yeah,

[00:54:43] Brad Nigh: it was definitely yeah, it’s fun not to look at it beforehand either. So I really didn’t know what was going to show up.

[00:54:53] Evan Francen: Yeah, I didn’t either.

[00:54:55] Brad Nigh: All right, well, hopefully listeners learn something, or more likely sat in their chair disagreeing with what we said. But either way we’ll see what feedback we get, it will be fine. Um, so real quick, some news, uh, to wrap things up. First one is from hackread.com: AI firm exposes 2.5 million sensitive records online. And yeah, that’s not good. Uh

[00:55:29] Evan Francen: huh. No, so this is a New York based AI company called Cense, C-E-N-S-E.

[00:55:35] Brad Nigh: Yeah, and he said, uh, a misconfiguration exposed the information. So he found two folders, one containing 1.58 million records, and the second was 830,000 records. I mean, yeah, not good. See, there was no find it

[00:56:09] Evan Francen: good at all. So it was found by Jeremiah Fowler. I’ve seen his stuff before.

[00:56:14] Brad Nigh: Yeah, actually really good research. He’s got a post on Secure Thoughts, um, where he wrote it up. So I was actually reading that one. Um, let’s see: “The misconfiguration and exposed data was stored directly on the same IP address as Cense’s website. When removing the port from the IP address, anyone with an internet connection could directly access the staging quarrel.”

[00:56:43] Evan Francen: So no control. Yeah. Really, whatsoever.

[00:56:47] Brad Nigh: And verifying the owner of the data set was easy. But it also potentially exposed other areas of their network by keeping their entire cloud infrastructure in one place.

[00:56:57] Evan Francen: Two folders, one containing 1.58 million records and the other containing 830,000 entries.

[00:57:06] Brad Nigh: Now the database was open and visible in any browser, publicly accessible. Anyone could edit, download or delete the data without admin credentials.

[00:57:17] Evan Francen: Oh man, see, write access as well.

[00:57:19] Brad Nigh: Yeah. Or at least edit. Yeah, modify, however you want to look at that. Um

[00:57:26] Evan Francen: patient names, insurance

[00:57:30] Brad Nigh: man, payment and collection amounts and totals, and then IP addresses, ports, pathways and storage info that could lead to exploits deeper into the network. I’m gonna guess that the OCR is going to be talking to them. Uh huh.

[00:57:58] Evan Francen: Yeah. I mean, the sad thing is, I don’t know Cense. But if this is a company that develops AI, I hope to God you don’t develop your AI as sloppy as you configure your servers.

[00:58:13] Brad Nigh: mm You

[00:58:15] Evan Francen: know what I mean? Because AI makes decisions, right, on our behalf. Part of it is artificial intelligence. And so there’s not much, if you build a dumb AI, I don’t know, I’m just saying, this is security 101 stuff.

[00:58:33] Brad Nigh: So July 7 is when he discovered it. And July 8 he sent the second message confirming that public access had been restricted and the data is no longer exposed. But nobody replied to his initial notification or follow-up message. No one from Cense has provided a statement or comments regarding the data incident at time of publication. So yeah, it’s like that. That company has offices in New York City and Mumbai, India. Oh yeah. Oh, that’s, yeah, that sucks.

[00:59:14] Evan Francen: This sucks. They have nothing posted on their blogs.

[00:59:19] Brad Nigh: Well, we’ll get to another one here about what happens if you don’t take, uh, some responsibility and try and cover up. All right, so the second one is from Threatpost: FritzFrog botnet attacks millions of SSH servers. Uh, a peer-to-peer botnet has hopped on the scene and has been actively breaching SSH servers since January. So, mhm, please patch. Mhm. It’s for crypto mining. Who was the, uh, looking at this, I can’t remember where I got it. Oh yeah, weak passwords are the immediate enabler of FritzFrog attacks. Use a strong password and public key authentication and you should be good. Basics. You’re on mute. Um, you know

[01:00:30] Evan Francen: sorry man. Yeah, SSH by itself doesn’t do anything, right? You have to protect the front door, right?

[01:00:36] Brad Nigh: If your password is password

[01:00:40] Evan Francen: or default credentials, right?

[01:00:41] Brad Nigh: Exactly.

[01:00:43] Evan Francen: And I think this is specifically going after a lot of home systems, you know, routers, anti devices, things like that. So

[01:00:51] Brad Nigh: it’s dropping, right? So yeah, they’re going to go for those that don’t need enterprise level systems for that.

[01:00:59] Evan Francen: Right? And crypto mining often goes undetected because it slows things down, but maybe not enough that people will ever notice. So people are using your CPU cycles on these systems to, you know, mine crypto. I mean, if you don’t like criminals using your stuff, probably don’t let them use your stuff.

[01:01:20] Brad Nigh: Yeah yeah, not good. So change passwords, make them strong.

[01:01:30] Evan Francen: There you go. And patch. Patch. Right, basically. 101 stuff, man.

[01:01:35] Brad Nigh: It is. Alright. Third story, The Hacker News: Microsoft issued, uh, emergency security updates for Windows 8.1 and Server 2012 R2. So this was a flaw in, um, the Remote Access service and the way it manages memory and file operations, and could allow remote attackers to gain elevated privileges. So get your patches out for that, CVE-2020-1530 and CVE-2020-1537.

[01:02:09] Evan Francen: patch. And these are high severity vulnerabilities. They’re not like critical severity vulnerabilities. So it’s kind of unique. The reason why Microsoft, you know, did these emergency security updates is just because of the widespread usage, I think, more so than like a you’re-going-to-die kind of thing.

[01:02:28] Brad Nigh: I also wonder how much of it is potentially trying to, okay, get a little credibility back after not patching for two years. Right.

[01:02:39] Evan Francen: That last

[01:02:40] Brad Nigh: one. Yeah,

[01:02:42] Evan Francen: On Windows 8, Windows 8.1 and Windows Server 2012 are no longer supported. Right.

[01:02:50] Brad Nigh: 024 hours to go off already. I don’t remember, I know, I’m pretty sure it was 8 dead, but mm, uh

[01:03:06] Evan Francen: Lifecycle dates have been extended. That was in 2020, I

[01:03:10] Brad Nigh: think that extended is January 10, 2023, so it’s still under the extended, which it will be at the critical

[01:03:18] Evan Francen: extended but you have to or those critical

[01:03:21] Brad Nigh: so you’re not gonna get the normal, or the rest of the stuff. Right. Security

[01:03:29] Evan Francen: Isn’t that crazy. So that’s 11 years. Yeah. Right. It’s an operating system, it’s 11 years old if it’s 2023.

[01:03:40] Brad Nigh: It’ll be 10 years old at expiration. Came out in November of 2013, began mainstream support, or whatever it was, November 25th, 2013.

[01:03:51] Evan Francen: It’s crazy. That’s a long time for an operating system to be run in production,

[01:03:54] Brad Nigh: yep.

[01:03:56] Evan Francen: Typically.

[01:03:57] Brad Nigh: Well, they’ve got their Windows Server 2016, came out in October 2016, and its extended goes to January of 2027. So it seems like about 10 years, for the most part, on some bigger ones.

[01:04:13] Evan Francen: Yeah I suppose

[01:04:16] Brad Nigh: Hey, I’ll patch. You are basics. The next one. Uh, you had GBHackers. I actually was looking at this because we had a mix-up on my notes, didn’t send for the, uh, news articles and stuff. Uh, I don’t know what happened, but, uh, former Uber CISO Joseph Sullivan charged for helping hackers for 2016 Uber hack. Uh, GBHackers is the one you have. And on this one I actually don’t like that title. I don’t think he was charged for helping, he was charged for writing them. Yeah. Right.

[01:05:04] Evan Francen: Words. He was trying to cover it up. Right. Right.

[01:05:08] Brad Nigh: Yeah, but I don’t, he wasn’t charged for helping them, I don’t like that title. But, uh, for covering up the company’s 2016 breach. Uh, he paid them $100,000 and, like, falsely claimed that they had an NDA or something.

[01:05:27] Evan Francen: Well, he’s currently, so are the chief security officer, Cloudflare?

[01:05:34] Brad Nigh: How long it will last?

[01:05:37] Evan Francen: Yeah. No. Yeah. I don’t know what the outcome of this is all gonna be. But, uh, I think, you know, there’s always that, mm hmm, you know, temptation, you know, to maybe sweep it under the rug and maybe hopefully nobody will find out kind of

[01:05:55] Brad Nigh: thing. Yeah,

[01:05:57] Evan Francen: but not a good idea. It’s best to play above board. But also, I mean, we all make mistakes too. That’s right. So I don’t want to come crashing down on somebody and be like, you know, step all over them. But you know, when you’re in information security, integrity, character, you just can’t compromise it. Right. I mean, all we have is trust and credibility and, you know, not being in a church. So mm hmm, if you erode that trust, it’s hard to get it back. They’re just not supposed to make decisions like that. And Joseph, he goes by Joe Sullivan, he’s also a former federal prosecutor himself, way back when. He was Associate General Counsel in 2008 at Facebook. Associate General Counsel up a panel 2006 – 2008. So he’s got some chops. Assistant United States Attorney from 2000 to 2002, computer hacking and IP unit, Northern District of California. Yeah, so usually those people that have been there, you know what I mean? There’s like this brotherhood slash sisterhood, so the fact that they’re prosecuting him, he probably knows some of these people that are prosecuting.

[01:07:25] Brad Nigh: Yeah, so almost friends. Hackread, who had one of the other ones, has a better write-up, I think. So he’s charged with obstruction of justice after covering up the data breach. Um, yeah, he like changed the report. He edited data, like edited to kind of hide what data was taken, and then tried to get an NDA with the attackers.

[01:07:56] Evan Francen: right? Yeah you should have known better.

[01:07:59] Brad Nigh: Yeah it’s uh it’s a bad day.

[01:08:02] Evan Francen: It is a bad thing, one. Mhm. You know, he’s been living with the stress of this since 2016. That’s when that hack happened. So the last four years he’s been under investigation and probably had to answer a lot of questions.

[01:08:21] Brad Nigh: I wouldn’t want, like, and all you had to do, if you just come clean. Why would you hide this stuff? But yeah, everybody gets type, you see it every time it happens.

[01:08:35] Evan Francen: Well, there’s always those pivotal moments, right? When you’re at a crossroads. Go left, go right. Yeah, if you have more time and you really think it through and you think about the consequences and all those things, you know, you might go to the right. But I might be able to get away with it, and you play this little risk game in your mind and say, you know, I’m going to go left. Once you’ve gone left, it’s too late. You can’t go back. You know what I

[01:09:01] Brad Nigh: mean?

[01:09:03] Evan Francen: So he just made a, I mean, I don’t know, you know,

[01:09:06] Brad Nigh: absolutely. It probably didn’t help. He was cooperating with the FTC in an existing investigation about an unrelated 2014 Uber data breach and the data security practices overall when he tried to cover up. We paid 200,000. They probably were pretty pissed when they figured this out. Oh yeah,

[01:09:27] Evan Francen: I’m sure. Yeah, because you put other cases that you may have been working on or supporting at risk when you, like, integrity yourself. So yeah, it’s a bad thing all around. And I feel, again, I don’t know the guy personally, but, uh, he’s been around for a while and, you know, I doubt he’s, you know, I think he just made a bad, serious choice, to be honest. I don’t know.

[01:09:58] Brad Nigh: Yeah,

[01:10:01] Evan Francen: now he’s got himself in a big pickle, you know, it’s just going to have

[01:10:05] Brad Nigh: to, I mean, even if he comes out of it, you know, and doesn’t, you know, wins or whatever, I can’t imagine trying to go through this, just because. Yeah. Anyway. Yeah, not good. Alright, last one, uh, from Infosecurity Magazine: travel site exposed 37 million records before Meow attack. So coming down, what’s that? That’s it. Uh

[01:10:41] Evan Francen: for just 43, just 43 gigabytes of

[01:10:43] Brad Nigh: data. India’s most travel booking sites. So what’s

[01:10:53] Evan Francen: the name of the site?

[01:10:55] Brad Nigh: It’s a government backed travel marketplace, RailYatri. Yeah. You all right

[01:11:04] Evan Francen: on there all the

[01:11:04] Brad Nigh: time. Yeah.

[01:11:07] Evan Francen: This is an Elasticsearch server without password protection or encryption. Mhm

[01:11:15] Brad Nigh: 37 million records, 700,000 unique users. The mobile app had been downloaded over 10 million times off of Google Play. Yeah. Just the

[01:11:28] Evan Francen: basics man. The basic basic basics.

[01:11:31] Brad Nigh: The full names, age, gender, physical and email addresses, mobile phone numbers, booking details, GPS location, and names, first and last four digits of payment cards. That’s, uh, I’m gonna guess there’s gonna be some identity theft.

[01:11:51] Evan Francen: Yeah, that’s a bad spot to be in right there.

[01:11:54] Brad Nigh: Yeah, but then the bot deleted all but one gig of the 43 gigs of data. Hope you have backups.

[01:12:04] Evan Francen: Right. Oh yeah. Alright. So your Elasticsearch servers: password protect them and encrypt them.

[01:12:18] Brad Nigh: Yeah. Please, basics. All right. Well, I think that will do. Episode 94 is a wrap. You didn’t even check out.

[01:12:31] Evan Francen: I wanna give a shout out to, uh, John Harmon, president of FRSecure. Really had a good time with him last weekend, and I know where his heart’s at. He’s a great leader, I love what he’s doing with, uh, the company. Uh, yeah, just keep up the good work. Uh

[01:12:46] Brad Nigh: I’m gonna give a shout out to, uh, Oscar and Peter, just being there without realizing it. Just being good guys and helping me get out of my funk, get back onto it without me directly saying anything. Just always positive, and so fun to talk with them. So

[01:13:05] Evan Francen: that’s cool man, that’s great.

[01:13:07] Brad Nigh: Yeah, look, I left the TV. Yeah. Uh, you too, man. So if you’ve got any questions or suggestions for us and those things, uh, yeah man, I can’t talk anymore. You

[01:13:23] Evan Francen: got like two more minutes, you can make it. I

[01:13:26] Brad Nigh: know, and I totally flubbed it. We have to start over. Uh, send thanks to us by email at unsecurity@protonmail.com. Your social type socializes to, uh

[01:13:41] Evan Francen: on Twitter.

[01:13:42] Brad Nigh: I’m @BradNigh and Evan is @EvanFrancen. Oh, you have it in here again. And if you’re not, uh, lastly, follow the show on Twitter at @UnsecurityP, and follow the companies we work for: SecurityStudio @StudioSecurity and @FRSecure. Talk to everyone again next week.