Unsecurity Podcast

Evan and Brad give an inside look at what a virtual chief information security officer is: what makes a good one, who needs one, and more. Give it a listen and let us know what you think at unsecurity@protonmail.com.


Podcast Transcription:

[00:00:22] Evan Francen: All right. Welcome to the Unsecurity Podcast. This is episode 43. I was going to do some sort of non-standard opening this time. Uh, this is kind of non-standard now that I just said it’s non-standard,

[00:00:35] Brad Nigh: I’ll chime in before it says I’m supposed to. So now, now it’s non-standard.

[00:00:39] Evan Francen: We are, we’re all thrown off now. All right, well, this is episode 43. I’m Evan Francen. The date is sometime in late August because we’re actually recording the Friday before Labor Day because Labor Day is a day when you and I are not going to work. We’re going to put things down. No, you gotta do it, put it down one day. Just do it.

[00:01:02] Brad Nigh: We’ll

[00:01:03] Evan Francen: talk about why that may not be possible for Brad. But I am Evan Francen, and joining me is my partner in crime, Mr. Brad Nigh. Brad’s already said sort of hello.

[00:01:13] Brad Nigh: Yes, I’ll say it again formally. Hello Evan.

[00:01:15] Evan Francen: Well, you’ll notice in the show notes that all throughout you Brad does Brad. So you’re going to have to do Brad. The whole

[00:01:22] Brad Nigh: show. That will be interesting because I think our our whole team is getting a little punchy so this could be fun. I know.

[00:01:29] Evan Francen: Well that’s what happens when you record a podcast, too, on a Friday. I was traveling too, I don’t know, Wednesday, Thursday in New Jersey, come back this morning and you know, six back to back meetings and I’m ready ready to cut bait on this week. All right. But we do have a packed show. The, the show notes were actually put together in about 15 minutes. We didn’t plan as well as we normally do, but I think we’re gonna have a great show anyway, so stick with us

[00:01:56] Brad Nigh: like, hey, you lead people to believe we plan. That’s why I appreciate that.

[00:02:01] Evan Francen: I know right. Well they mean

[00:02:03] Brad Nigh: we’re opening the curtain.

[00:02:05] Evan Francen: Yeah, stop that. Alright. But we do have a packed show. We’re recording like I said, we’re recording the episode on Friday. Monday is Labor Day. I can’t believe we’re at this point where summer is already

[00:02:16] Brad Nigh: over. This year’s been flying by. You know, I’m not crazy.

[00:02:21] Evan Francen: What the hell? My daughter went back to school. I only have one daughter still in school. You have a couple no dot well you do have a couple daughters and a son um who started high school. I know man, I look at pictures of her, You know, 5, 6 years ago. It’s like what the hell happened?

[00:02:39] Brad Nigh: I will say I saw her a couple of weeks ago walking and from behind across keeps like who is, I didn’t record, I thought it was an employee. She’s gotten so tall. I

[00:02:47] Evan Francen: know she is tall. I don’t know where she got her tallness from. You’re tall. I’m not, I’m six feet, I’m kind of above average. Anyway, summer is over. Uh, we are going into Labor Day weekend, Brad. You got any plans this weekend?

[00:03:02] Brad Nigh: Uh, got to cook out with some friends on Sunday, but hopefully hopefully some relaxation. We’ll see.

[00:03:09] Evan Francen: God. I hope so too. All right. Uh, what am I doing this weekend? I’m going to uh loading up the camper and heading to Apple River family campground. Yeah, it will be fun. My wife doesn’t believe that I’m not going to be working as well because when you travel for a couple days on a client site, just everything

[00:03:32] Brad Nigh: stacks up. Everything gets thrown off.

[00:03:34] Evan Francen: My task list right now is at 71 of 71 things on my task list.

[00:03:39] Brad Nigh: I won’t, I was telling somebody how many I clean up my mailbox at the start of each year. Just put it into a folder for previous year. And it’s just how many emails I’ve gotten and how many I currently have that are unread. That I just, it’s like, right, yeah, I’m embarrassed by it, but I think we’re I, and I stay on top of things. It’s nuts how much is just going anyway.

[00:04:04] Evan Francen: Well, I wonder if we’re not a typical of other security people. I mean we’re all swamped if you’re if you’re trying to make a difference in the world as a security person.

[00:04:18] Brad Nigh: You’re swamped. Yeah, I think a lot of it is, of my unread ones are, uh, in chains where I’ve read the last email and they just don’t clean up my mailbox.

[00:04:30] Evan Francen: Mhm. Well, the same thing happens even with our sales people right yesterday, the emails, I mean, I was watching the emails as I was getting off the plane and Alex, one of our sales people on the FRSecure side replies to an email, sorry, I was at a soccer game, and he replies to the client, you’re like, oh, I already replied to the client. He’s like, oh, I guess I got two emails, you know, everybody is it happened, everybody’s busy and we’re not even in fourth quarter yet, for the fourth quarter’s traditionally uh the one quarter where we’re just slammed.

[00:05:03] Brad Nigh: So I’m gonna now spend the weekend crying in the corner. No, I’m kidding, I’m kidding.

[00:05:07] Evan Francen: There’ll be a path at the end of all this. All right, So hopefully our listeners by the time they listen to this, they had an enjoyable Labor Day weekend. Hopefully they got uh you know, they were able to put work away rest, spend some time with their families. Uh we get so wrapped up in our work all the time, you know, I’m guilty of it. I know you are that we forget sometimes what really matters, and what really matters is your spiritual life, your family life, that stuff comes before this work stuff, so yeah,

[00:05:46] Brad Nigh: kids grow so fast.

[00:05:48] Evan Francen: Yeah, I wanna, and that’s one piece of advice, I would give any security person, it’s so easy to get burned out, you know, and if you don’t have some checks and balances in place, you’re going to find yourself in a bad spot. So keep that in check. Hopefully you had a good weekend back to school, back to the grind. And speaking of, back to the grind, we’re gonna talk about a topic that, uh, that always seems to be something we’re talking about. We’re going to talk about incident response again. Ah, because, you know, we have more lessons to learn right now what we do and certainly that our clients do. Um, so let’s share some of that with our, with our listeners, but let’s try to keep it short. We have other things we want to talk about and I think people are probably getting, do you think they’re getting tired of incident response talk?

[00:06:38] Brad Nigh: I think, you know, I don’t know the story, nobody seems to get tired of the stories about what we’re finding. I think if we keep, you know,

[00:06:47] Evan Francen: if we were doing something hypothetical stuff. Yeah, so this is a real story brad. Uh, and, and an and an entire incident response team and I’ve been pulled in a couple times just to kind of keep me in the loop of things.

[00:07:04] Brad Nigh: Uh, you’re a good sanity check because once you start getting deep into it, you’re, I mean so I’ll say we’re from a team perspective since It’s been about two weeks, 15th or so. I think it’s when it started uh we’ve put in over 250 hours as a team. Yeah. Like and that’s just on this one. So your eyes start to cross a little. You you’re like all right, wait and so having you know, you have to pull in and do that. That’s sanity check because you’re fresher and you’re not like I’m not in the weeds in the weeds and it’s really helpful. So I do appreciate you. You’re doing that

[00:07:42] Evan Francen: Well, I appreciate you guys bringing me in. Uh It um It’s good to still keep in touch with sort of reality, with what you guys are going through. Um And it does bring back memories. I mean I shared with the team on Wednesday night we’re going through them. Like the last time I actually went through firewall logs, like, in detail was PIX 520. Uh And it was all text. You know we had flopping. I mean it’s just it’s been a long time. So it’s really cool to see that. But you know the one thing that’s true, the fundamentals are still the same. IP version 4 is still IP version 4

[00:08:16] Brad Nigh: so have the right logging levels turned on regardless of what you’re using. Yeah.

[00:08:20] Evan Francen: And save those logs. My God. All right. So what are some of the recent lessons? So this week has been this one incident response and for people that may not remember? Um This is an incident response that started off with emails being sent from one of their mailboxes and they weren’t sure why they initially suspected

[00:08:43] Brad Nigh: was brute force. That’s what it was. This was the brute force one, right? This wasn’t even know right? That people were having trouble logging in. We thought was they were getting locked out. They were getting DDoS’d basically from a brute force or tens of thousands of failed logins. So it started with that and it’s now moved to that just was something else. That kind of, that they were kind of lucky that that that happened to catch what’s really going on.

[00:09:13] Evan Francen: And so, and I remember because this is a good sized organization and the CIO is a friend of mine. So he had called me and I triaged it in the truck coming back from St. Cloud, Minnesota. And I thought, you know, this happens all the time and we always see scans and attempt

[00:09:35] Brad Nigh: not, not like this. Right? This is a pretty pretty gnarly.

[00:09:40] Evan Francen: So I sort of blew it off. And that was my lesson learned as I made an assumption out of the gate. But thank God, the client wanted more answers and engaged you and the team. Yeah. And now we found ourselves in this complete compromise. I mean, it’s what’s not compromised here.

[00:09:59] Brad Nigh: Um not all the workstations yet, but they could be right. Uh How about this? Everything we have endpoint monitoring on at this point with the tools we’re using, uh we know okay. Unfortunately they don’t know everything that they have, right.

[00:10:14] Evan Francen: And we talked about this last week and one of the one of our listeners had commented on why don’t you just uh white list? It’s like, well we we sort of can’t because this is rooted. Uh huh. And so our white lists and

[00:10:29] Brad Nigh: ineffective. So the other thing we found is that the attackers are using fileless attacks, injecting malicious code into legitimate Windows processes. So even if you whitelist the process, it’s not stopping anything. It’s using like svchost and rep manager, a couple other things. Great. So yeah.

[00:10:55] Evan Francen: Yeah. So what so the latest lessons are we didn’t get the client would wasn’t able to get us firewall logs until just this week. And when we look at the firewall logs, there wasn’t really sufficient information there for

[00:11:11] Brad Nigh: one. Well it was it was, yeah, we’re still trying to comb through them. Um did you

[00:11:17] Evan Francen: ever get the egress logs?

[00:11:18] Brad Nigh: Are there any they’re supposed to be the same. So we have to go back and look at that. It’s there not a really clean format. Thanks to proprietary logging. Thanks guys. Uh Yeah. Who needs open source for anybody or standardization anyway? Uh Yeah, so from a lessons are the biggest, probably a couple of handful of things I can think of off the top of my head do internal external vulnerability scanning, this could have been stopped are really mitigated if they had done some external scans originally because we found it immediately in the scans, um some of the major points uh PowerShell logging, turn it on, log them to a central location. We would have, if they had had that turned on, we would have found this malicious PowerShell running much faster. Um Yeah, and then just whatever use an open source tool, but aggregate your logs, don’t store them locally on the devices if you can, you know, those three things alone would have made world just a huge amount of difference.

[00:12:28] Evan Francen: And so those are sort of basic things that everybody should be doing. Right,

[00:12:33] Brad Nigh: right. No, it’s it’s not hard stuff, you just have to do it

[00:12:38] Evan Francen: and I’ve and I agree, you know, with all of that, certainly the PowerShell logging, I think a lot of people are running

[00:12:43] Brad Nigh: without, it’s not turned on by default by Microsoft. So nobody thinks to do it.

[00:12:48] Evan Francen: So if you’re listening and you’re running a Microsoft environment, turn that on now, go ahead and pause the podcast and come

[00:12:56] Brad Nigh: back when you can send it to a network location and have it all you have to do. Right.

[00:13:04] Evan Francen: Yeah. And start there before even diving head first into a SIEM

[00:13:09] Brad Nigh: solution. Oh yeah, that’s an easy thing you can do at no cost. Group Policy, done.

[00:13:15] Evan Francen: So other things that I’ve sort of noticed in uh just in my peripheral view of this, one of them sort of came up this morning, uh is, you know, and we stress this at, you know, one of the first ones where you going, Yeah, you know, one of the first time, you know, we we always stress communications and how important internal and external communications are keeping everybody in the loop, that should be in the loop, because this morning I got a text and you you got a text saying our Exchange server is down. It’s like, oh God, what? Well, he comes to find out that um an admin who didn’t tell anybody in the middle of the night last night decided what to expand the database on the Exchange server or expand

[00:14:05] Brad Nigh: the disk, it was running out of the drive, was running out of size of space or something, or he’s getting

[00:14:09] Evan Francen: low, I don’t know, right? And then they couldn’t get it back up for whatever

[00:14:14] Brad Nigh: reason. Well, because we put a block on all files PowerShell, because we identified that as a method of spread. So when Microsoft support tried to run PowerShell, they couldn’t they couldn’t because we were blocking it, thank God, and they were like, they spent, I guess hours trying to figure this out, and we got in, we’re like, well, yeah, no, it’s not gonna work because we’re blocking it.

[00:14:39] Evan Francen: So just the crappy communication. So this admin, who knew that we’re in the middle of this has been involved. Yeah. Uh So that wasted a whole bunch of hours. And when you’re doing an incident response, you really try not to waste hours. Hours are expensive.

[00:14:57] Brad Nigh: And from our side we don’t yeah, we’re very careful about doing that. We don’t want to take advantage of the situation. And when something like this happens, and it sets all of us back, we don’t have a choice, right? It’s not the right use of that time. No, I don’t have a choice. You don’t have a choice.

[00:15:14] Evan Francen: Yeah, we get that. And so we get that text and we’re like, okay, all hands on deck, what’s going on? Right? Okay. What? So yeah, waste of time. Waste of

[00:15:24] Brad Nigh: money. Is that the double face palm? Right?

[00:15:28] Evan Francen: And just because just because an admin who knows the process doesn’t follow process, Right? And if you have admins who just will not follow process, then they’re not. Yeah, they can’t be there.

[00:15:41] Brad Nigh: And I mean, we’re looking at they’ve been they’re still down on their Exchange as far as I know, Really. It’s been over 12 hours at this point. I don’t think it’s back up yet.

[00:15:52] Evan Francen: Okay. And are we? That’s not our

[00:15:54] Brad Nigh: it’s nothing we can do. Okay. We’re just we just put the endpoint agent into a monitor and fingers crossed, nothing hits

[00:16:02] Evan Francen: it. Damn. All right. So there’s some lessons uh be proactive

[00:16:10] Brad Nigh: please.

[00:16:11] Evan Francen: Well, and just basic, right. I mean, if you have change control process, follow change control process. If you uh turn on the PowerShell logging, do vulnerability scans on a regular basis and actually look at the results.

[00:16:24] Brad Nigh: You don’t just do it. Yeah,

[00:16:27] Evan Francen: don’t do it. Check the box. And that’s one thing that I actually busted. Uh didn’t bust them. But I’m the vCISO for a large organization. And that was one of the things that I found her team doing was you need to review these

[00:16:43] Brad Nigh: See, I always did, uh, we just did automated tickets for all that stuff. Any of those routine things that needed to be done. And I actually had it happen where generator check, we needed it and it was there was no gas, no diesel in it. So we went back

[00:17:02] Evan Francen: and without testing it. You wouldn’t have known

[00:17:03] Brad Nigh: until disaster. But no, no, it was like we had like an eighth of a tank of fuel when we needed it. So we went back and looked at the the help, the tickets and someone was filling it out. Check check check. Here’s what the levels were. They didn’t actually do. And apparently they were doing it. Oh boy. So, but it’s accountability to right at that point. That’s you have to do it.

[00:17:32] Evan Francen: Well, I would I would assume that there is going to be some accountability in this incident uh, at

[00:17:38] Brad Nigh: some point. Yeah, I would be stunned. We’re not going to speculate, no, I would be surprised if there was. Yeah. Anyway. Yeah.

[00:17:49] Evan Francen: Well, so, okay, so that’s kind of where we’re at with this current incident, just incident management management in general. Um I was writing a presentation for the Hacks and Hops event coming up on September 19 at the US Bank Stadium. Uh, we’re, I’m getting the opening talk, but then we have this awesome panel,

[00:18:12] Brad Nigh: right? I’m really looking forward to this.

[00:18:16] Evan Francen: I am too. We have and we have a cyber uh, insurance, uh, expert locked in there, Chris Roberts. Uh, and if you don’t know that is just look up Chris Roberts, an airplane, find something. Uh, we have JD Hansen, the CISO for Code42, then we have Mark Landerman who is one of the best, one of my favorite kind of forensic experts on that panel. Uh, but as I was writing this presentation, I realized how uh, really without an incident management process, you’re negligent. Oh yeah, if you follow the logic. Uh, and then I found this, this study by IBM that says 77% of organizations. So, and so I interpret that being the logical kind of guy. I am that 77% of organizations that are negligent in my

[00:19:14] Brad Nigh: opinion. I would not argue that from an incident response perspective in seeing what we’ve seen. Yeah. Right.

[00:19:24] Evan Francen: So

[00:19:25] Brad Nigh: well that’s not true. Most of them say, well we have we have a plan

[00:19:29] Evan Francen: in call insurance. Yeah. Or they or they have a plan where they took the plan, found a template online to change the name

[00:19:37] Brad Nigh: and slapped a logo on it and

[00:19:38] Evan Francen: grid. Yeah. So incident management is not a check box. It’s not about how you plan, it’s about operationalizing the processes for incident response. And I’ll give you an example like uh the vCISO client that I’m working with now, the only one really that I do work with, uh there’s events and incidents. Right? So defining what an event is and what an incident is. And I’d like to keep it simple to me, an incident is just an event with a negative consequence. Right. And so every event that has a negative consequence. What do we do with it? How do we identify it? How do we triage, how do we, because if you look at this incident that we’re talking about today, this major, impactful huge incident is actually a collection of smaller incidents that happened along the way that nobody noticed responded to. So before you get to this catastrophic. Oh my God. And very expensive. Right. I’m talking quarter million half million dollars. Had you operationalized your incident management capabilities. You would have identified other incidents along the way and kept the cost down in the description. Probably eliminated.

[00:20:53] Brad Nigh: I would agree.

[00:20:55] Evan Francen: So it’s not just having an incident you know response plan.

[00:20:59] Brad Nigh: Yeah it’s

[00:21:01] Evan Francen: got to be part of your

[00:21:02] Brad Nigh: operations. Yeah. Yeah you can’t just say we’ve got one it’s it’s over on the shelf. Everybody has to understand what is their role and responsibility in the plan including not just IT staff or your IR team. Everyday employees need to know they have roles and responsibilities and people are don’t don’t think about that. A lot gets get that part gets overlooked and that’s that’s your first line.

[00:21:27] Evan Francen: It is absolutely and you hear companies you know say well yeah we got an incident response plan and you look at it and you can see that it’s completely dysfunctional. This is not a plan that’s gonna work here And then you say well how do you use this plan? And they usually say well we test it once a year because that’s what the checkbox says. Right? Well incident response plans are meant to be tested continuously. Not tested once a year. You may test a high severity critical

[00:21:55] Brad Nigh: through tabletop once a year where you really pull everybody

[00:21:58] Evan Francen: in. Yeah it’s like a critical one. You just simulate that but really you should be testing your incident response plan continuously. It’s part of your business. Yeah

[00:22:08] Brad Nigh: yeah your IR, whoever is responsible, the commander manner or whatever you want to call it anytime. Anything that should have constant lessons learned. A constant update of the plan constantly. Just yeah. Yeah, improving it anyway.

[00:22:23] Evan Francen: Yeah. So lots of lots of lessons learned. I think you’ve covered three or four. I covered a few there. Uh there’s some good nuggets there hopefully for people to improve their own capabilities. Because truly on the one side we don’t we don’t mind the revenue, but on the other side we hate that people suffer

[00:22:40] Brad Nigh: because plan. Well, I’d rather help them be proactive and have that lower revenue than then watch them go through this because yeah, I mean they’re good people working really hard that are just their suffering. Yeah. Yeah. It’s not it’s not fun to watch that now. The actual threat hunting and pulling stuff apart. I won’t lie that that is fun. But but watching the lab, yeah, I’d rather Exactly. I’d rather be able to do that off to the side and not, no, there’s probably going to be some job loss and all the other negative side, you know, consequences to us.

[00:23:20] Evan Francen: So anyway. All right. So moving on, a topic came up this week when I was talking with an investor because you know, I’ve been talking with investors on SecurityStudio. Um, and he asked, you know, the the term vCISO, uh huh. And I think it’s sort of an overused term in our industry. So we asked what is a vCISO, and I thought, you know, we just kind of take things for granted like everybody knows what the vCISO is. Yeah, so I figured we’d talk about that?

[00:23:51] Brad Nigh: It would be interesting. So you know, like he said, I got these notes like 10 minutes before. So this will be good. I didn’t get a chance to prep. So we’ll see how how close we are on our, I’m sure our definition

[00:24:02] Evan Francen: come on. We worked we’ve worked together for a while now. All right. So let’s let’s discuss and and be clear on what a vCISO is, uh, what they do. Uh, and then let’s discuss some things like, you know, what makes a good vCISO, what makes a bad vCISO. Uh, so first, defining what a vCISO is, well, what it stands for, right? Virtual chief information security officer. So what it is is a fractional, right? It’s not a full time employee that works for the company. It’s a consultant that serves as the company’s sort of de facto CISO. Um, that’s what a vCISO is.

[00:24:45] Brad Nigh: do you agree with that? Yeah, like I like to describe it, we’re there to provide strategic guidance, high level strategic forward looking and then tactical response when appropriate. But that tactical should be pretty limited. You wouldn’t be paying a true CISO to look through logs, you’d be telling you no more strategic guidance and so

[00:25:07] Evan Francen: yeah, I think that’s exactly right. Uh, so what another question then is, you know, why do we need, why is there a need for vCISOs? Why is this a thing?

[00:25:18] Brad Nigh: Well there’s a we’ve talked about it. There’s a huge shortage of talent but also when we kind of our sweet spot of company size they can’t justify a full time the salary demanded or needed by those and then they honestly that a lot of times they don’t have the work to justify a full time. You know if you’re looking at anywhere from, excuse me, our smallest is four employees. And then I think the average customer base right now is 250 to 400 range of employees right? In that range. So decent sized companies that have good IT staff, they just don’t need they don’t they can’t justify a CISO and even if they hire one it’s just somebody that’s going to leave for more money as soon as they get the job right? So potentially. Yeah. So I think why do we need them? Because there’s a huge gap out there of companies that need that guidance and that expertise versus who can justify the full time expense associated with it.

[00:26:29] Evan Francen: 1 1 thing I know is wherever there is a gap it gets filled right? So there is a gap and so then it gets filled, it gets filled with companies who provide vCISO services and I don’t want to bad mouth any company because I don’t do that. But what I will bad mouth you know potentially are different ways to approach the vCISO practice right? Because I agree with you a vCISO is what a typical CISO would do which would be strategic direction laying out plans, laying out the structure of the security program, how we’re going to do things and the actual doing things. You might be an IT person, might be some security staff. Um And I can only speak from my own experience recently uh because I only have one client today and that’s a big, You know, I don’t know how many employees, maybe 50,000 ish, I don’t know how large they are. Um And they even if they wanted to hire a CISO at the time we started the engagement about 18 months ago they would they weren’t they weren’t even mature enough to have a,

[00:27:41] Brad Nigh: You know that’s a really good point too. Yeah. Yeah. If we uh yeah yeah I don’t know that structure, having the maturity. That I think that’s a really good, we’re really good at getting people from, you know, 0 to 5, 6, 7. And then that’s when you can justify and say Okay we need a full time person

[00:28:01] Evan Francen: because then at that point you know what you should be holding so accountable for, they know what they should be doing, you can create a job description actually fits the company as opposed to just taking some job description off internet your name on it. Um And and you’re right, we have there is such a good security staff at this company but all they need is some strategic direction right there. I don’t need to do much

[00:28:26] Brad Nigh: some accountability. Hey you said these tasks we’re going to get done. I got it right down. It’s not done when the board asked her whoever asked, I’m telling them the truth.

[00:28:37] Evan Francen: Exactly. So we try to do our vCISO service to scale down but then also to scale up and different I think experience levels of the of the consultants fit with that too. Right? You wouldn’t want to throw a junior, it’s my first time being a CISO kind of person, you know at a 10,000 employee company.

[00:29:02] Brad Nigh: Oh I’m just kidding. Right. Really? No I’m kidding

[00:29:05] Evan Francen: now you told me. Uh Yeah. And so one of the things that you know we did this vCISO service, we identified this as an issue probably, I don’t know six now I’m probably more than that but maybe nine years ago. And so we had a service to fill this gap. Like I said whenever there’s a gap somebody’s gonna fill it, something is going always going to fill the gap. So we had this vCISO service and the way we did it was you just pay us a monthly fee and we would serve as your vCISO. So what ended up happening is people would just pay five grand a month just and you weren’t doing anything. Yeah so it was only a couple of years into that where we were like this is not fixing the broken industry which is our mission. Let’s roll back let’s and so you go back you go to clients and say you know look Stop paying us five grand a month because you’re not getting anything and then they would still pay you five grand a month because

[00:30:00] Brad Nigh: yeah it’s a security blanket.

[00:30:03] Evan Francen: Yeah so we rolled it back and then we we redefined what a vCISO was for us because what we needed in our vCISO program was something that the client could hold us accountable to as as the CISO and something that we could hold the client accountable to as the client or as the company. Um So we developed this fact system which it seems I love what you guys have done with it since it was kind of originally released a couple of

[00:30:33] Brad Nigh: Years ago. It was funny so you know I started in July of 16. And the fact as it is that came out in like October 16 and then what it was from October till most of 17 was still figuring it out where it is now is yeah I’m pretty proud of what we do.

[00:30:57] Evan Francen: Well I am too

[00:30:58] Brad Nigh: I guess I’m just watching that growth and taking taking an idea and then every single analyst they are invested in are constantly hey I think we should do this or here’s what I’m doing to make things better and like that constant sharing that constant improvement. Yeah it’s pretty awesome to that’s

[00:31:18] Evan Francen: that and that’s what’s far exceeded my expectations because what I did is I just created a framework, you know, because I was sitting like, I’ll never forget, I was sitting on the uh take a chair that we have in our living room on a Saturday and I was like uh we got to figure this thing out now because it had been a couple of years since we rolled back the vCISO and we just needed to provide something here. So it was a weekend, threw something together. You guys took it, made it so much better than what it was, but it was just kind of kick starting it, right? And so now the way the vCISO service works is it? And it’s the same way you would do it if you hired me off the street as your CISO. The very first thing that I would do would be to do an assessment

[00:32:00] Brad Nigh: honestly though that approach is what makes it so successful. I agree every single one is we’re like okay, we are with, we’re invested in the company, so let’s do this the right way, here’s what we’re gonna do

[00:32:13] Evan Francen: because that would be the first thing I would do right? I gotta I gotta know what I’m working with and you see that, CIOs do the same thing, COOs do the same thing, CTOs do the same thing. So it’s like okay let’s do an assessment. Well let’s use our flagship assessment that we’ve been using for ever. It’s evolved into so many, it’s evolved into something so awesome. So we use that S2Score, used to be called FISASCORE.

[00:32:38] Brad Nigh: Has that been announced for you? Just break breaking news? I don’t know if you

[00:32:42] Evan Francen: know me. I don’t

[00:32:43] Brad Nigh: know. I don’t know if they’ve done like the full marketing fanfare now now it’s done well. No it’s on the it’s on the website. So yeah your uh

[00:32:53] Evan Francen: but so you start with the assessment and then from the assessment you build a road map and from the road map. I mean this is how simple it is from the road map you’re assigning some things for the vCISO to do and you’re going to do some things.

[00:33:03] Brad Nigh: Yeah we’ll help you identify. Is it internal staff? Is it a MSP is it another partner? Uh

[00:33:10] Evan Francen: So then everybody knows who’s responsible for what and now we’ve got this accountability piece back and forth because you can hold the CISO, the vCISO, accountable for his or her tasks but then the vCISO can also hold you as a client accountable for your tasks

[00:33:27] Brad Nigh: and I think what you know kind of differentiates us is we do it at a base level to start. Right? So a lot of I’ve seen it, they’re going to charge you x amount a month, regardless of what they’re gonna end up doing were like, no, no, we’re going to start with, we know we’re going to do these things regardless of what we find in the assessment, regardless, you’re going to get these services. Now, if you need additional, let us know what you want us to help with and we’ll work that out. But they’re not going to we’re not charging people for, like you said, not doing anything. I know. Yeah.

[00:34:00] Evan Francen: Yeah. So it’s been really successful and I love what you guys have done with it. I think, you know, as we go on the SecurityStudio roadshow and start getting more people, you know, sort of understanding how a vCISO program is supposed to work. It gets everybody on the same page, right? Uh We’re looking forward to because we have to somehow defeat this fragmentation in the security industry where you’ve got a billion different ways of doing something without any kind of common ground.

[00:34:32] Brad Nigh: Yeah. Yeah. And you know what’s funny is you even you’ll hear that we’ve had customers that are now are in fact subscribers that are coming from other vCISO services and, you know, we had one, they were subscribed, they were with them for two years and had four or five different vCISOs in two years, how do you have any continuity, Right. And they said every time they came in, they’d have to basically start over because everybody was just a little different. Right? When

[00:35:06] Evan Francen: you got a system in a construct, you know, in place, then you can switch out personnel and not have to redo

[00:35:13] Brad Nigh: things. And obviously everybody’s kind of slightly different takes on things. But your experience as the customer is going to be the same. It’s gonna be the same medium format. It’s going to be the same approach. You’re just gonna get maybe a slightly different, but, you know, background based on their experience.

[00:35:29] Evan Francen: Exactly. Yeah. So I think that’s what makes a good vCISO. A good vCISO will treat the client like they are the actual CISO

[00:35:39] Brad Nigh: And every one of our analysts absolutely does. Sometimes it’s a little where they cook slow down like calm, calm yourself.

[00:35:49] Evan Francen: Yeah. Being a little too ambitious here.

[00:35:52] Brad Nigh: Which is about what I love having that problem. I’d rather have that than rather

[00:35:57] Evan Francen: reel them back a little bit. Yeah, try to motivate them. It’s like, dude,

[00:36:01] Brad Nigh: you’re going to Yeah, Yeah. Move it.

[00:36:05] Evan Francen: Uh So if you’re looking for a vCISO uh and I’m going to ask you as objectively as possible because we do do vCISOs but if you were a client, put yourself into the client shoes, what would you demand from a vCISO?

[00:36:19] Brad Nigh: Is that like that accountability? Not just for for yourself, but what am I getting out of this? Right. Um And I’ll be honest. That is a hard thing to to convey exactly what we’re gonna provide. But we were honest and transparent and try to do that. So that’s what I would look for is you know, do they do you feel like you understand you’re what you’re going to get? Is it going to be consistent? Um Do they have a methodology or is it just you know hey they slap some marketing on, you know this IT provider is now your security vCISO because they sell endpoint protection, right? Or is it do they have you know qualifications and certifications and the experience? Uh

[00:37:05] Evan Francen: Yeah. Well I think that’s that those two things that I would look for if I was uh CISO again, you know in the real job because we also have CSOs who hire the CSOs because vCISO can make a CISO look good. Right? It’s not doesn’t have to be a

[00:37:25] Brad Nigh: and honestly that’s a I like those too because I’ve been in that position to or you’re the only one there like yeah we’re here on your behalf. We’re going to support you and it’s a sanity check. It’s a sounding board to bounce things off. Am I looking at this right? And what am I missing here for sure

[00:37:45] Evan Francen: that when we all need that. Right. I mean

[00:37:47] Brad Nigh: all the time I asked gary and all this all the time. That stuff

[00:37:50] Evan Francen: that was the call on

[00:37:51] Brad Nigh: Wednesday. Yeah. Yeah I initiated that. What’s going on. What am I looking at? Right.

[00:37:57] Evan Francen: Well so what I would look for for a CISO or a vCISO uh would be um yes definitely the accountability because I want to know what I’m getting for my money that’s me. I want to know what I’m getting for my money because I have to tell that to the board or

[00:38:16] Brad Nigh: how do I justify this expense? Yeah here’s what we’re getting for it.

[00:38:21] Evan Francen: Yeah and I’d want um as much objectivity as possible. Yeah. Uh And I’d want like you said somebody with experience because and I’d want somebody with consulting experience. And the reason why I’d want somebody with consulting experiences because um a good consultant steals good ideas from all their clients.

[00:38:43] Brad Nigh: Well that’s the benefit for two to go with a good consulting. You’re going to get the best of everything we’ve seen.

[00:38:50] Evan Francen: Yeah I mean I learned so much from, oh yeah other clients like oh my God that’s it’s awesome. Well not not only I’m now making that mine.

[00:38:57] Brad Nigh: Yeah. Well not only that you also learn what to look out for right? Which is one of the biggest struggles I think is is people tend to get tunnel vision. You know your environment and no it works but that doesn’t. I mean that’s the best way we may have seen something right somewhere else. So we’re like, wait, no, no, you shouldn’t be doing that this way. You need to tweak these things, Right?

[00:39:21] Evan Francen: Absolutely. And so what I and for listeners, um, if you want, because if you’re a security person who wants to know how to become a vCISO because I think it’s, it’s a great job because you get to go from place to place. You don’t carry the stress of being in it all day every day, the same company.

[00:39:40] Brad Nigh: But there are some, some, it does. It’s not for everyone. No, no. The consulting thing that we’ve had, people that don’t work out who need to have, you know, the corner office with the windows.

[00:39:55] Evan Francen: That’s probably not going to be

[00:39:56] Brad Nigh: right. But we’ve seen it. And then, yeah, they don’t, they don’t last. It’s a very different, yeah, different things, but absolutely rewarding.

[00:40:06] Evan Francen: Yeah. Well, the one thing I like the one client that I have, I’ve reminded them numerous times, You know, that look in about, um, two hours I’m going to get on an airplane and I’m just being completely honest with you, I’m not going to think about you again until about an hour before our next meeting when I’m preparing for it. And what I’m trying to stress there is not that I don’t care about you, but that this is your security

[00:40:31] Brad Nigh: program and I’m here to support you. But ultimately, if something happens and you’re not doing what we recommend. It’s not my neck on the

[00:40:40] Evan Francen: line. Well, that’s also true, right? Here are my recommendations. If you choose not to accept those recommendations, I have no problem with that.

[00:40:47] Brad Nigh: You just need to know because I wouldn’t let me.

[00:40:50] Evan Francen: All right. And I wouldn’t have any problem with that if I was your CISO either these are business decisions. If the CEO or the business decides not to take my recommendations as their full-time CISO, don’t take it personal. Document it, move on. You’ve got other rather risks that are that are still there. All right. Anyway. Uh So, if you want to become a vCISO what I would say uh in whether it’s working at FRSecure working at some other company. Um Give us a ring. I’d love to because if you’re looking at starting off in your own consulting practice or uh you know, whatever you want to do if vCISO is something that you’re interested in. I think both you and I would help them build.

[00:41:36] Brad Nigh: I just learned from. There’s so much to learn from our mistakes. Oh yeah. There’s no shortage of of uh

[00:41:43] Evan Francen: Yeah, I’d rather collaborate, collaborate than and get people doing it in a similar way because the customers benefit from that rather than let’s all decide on our own methodology and confused the crap that everybody

[00:41:56] Brad Nigh: every time they, you know, switch. Yeah. New start all over.

[00:42:02] Evan Francen: All right. So, last topic for today. The show before we get into some news. Uh, something came up in a recent vCISO engagement. So this is the one customer that I was talking about. But it demonstrates gaps between what good guys can do in testing and what the bad guys can do in their actual compromises. There’s always a gap and the reason why there is a gap is because we have the good guys have rules, right? There are boundaries. There, there’s a line that we won’t cross in terms of like testing. So take like a pen test. For instance, pen test has a scope, it has an objective, it has whatever. And even in red teaming exercises, there’s certain things that we won’t do right, that a bad guy doesn’t

[00:42:46] Brad Nigh: care. No, I don’t

[00:42:48] Evan Francen: hesitate. I don’t care what your boundaries and your objectives are and everything else in testing. I’m gonna find whatever way and I can find and do whatever I’m gonna do. So, uh, and there was one email that I got, uh, that demonstrates this and I didn’t get this email personally. Client got this email, but it demonstrates a line that, that we won’t cross. But a bad guy minded. So the email says the subject is respond to escape. And there’s nothing wrong with the uh, the subject line there in terms of, you know, it’s not misspelled or anything. Uh, then it goes into the body of the email says, someone asked me to kill you for your information. I am not sending this message with my email address and internet service provider. Just in case you want to prove.

[00:43:39] Brad Nigh: I know it’s

[00:43:41] Evan Francen: hard to read just in case. Just in case you want to prove. Smart and stubborn. Excuse me. Anyways, I like someone like that because I will be so happy to put a bullet in your skull. My boys have been watching your steps for a few days. I’m giving you a chance to live simply because my oracle show me that you don’t have a hand in what you’re accused of. You are to pay me $10,000 and I shall terminate the operation after that. I will give you the info of the person that wants you dead, You could call the authority and have them do patrol in your area 24/7. That didn’t stop me from hunting you and your loved ones down. We are invisible reply to this email address and then there’s an email address, trinity something. Gmail dot com. So you would not see a test phishing email come from uh secure that said

[00:44:41] Brad Nigh: that. Not not so much.

[00:44:43] Evan Francen: And so this email was sent to uh the CFO. And so the CFO forwarded this email and actually asked uh is this, should I be concerned exactly now. We’re security people. We speak a different language. If I receive this email would be like whatever. Delete it. I wouldn’t even give it a second thought. Not everybody speaks our language. A CFO forwarded this, asking if this was legitimate and wanted to know how we should handle it. Whether we should call the FBI, call the police. Uh, so we assume that tell us it seems ludicrous. But uh, some portion of the population out there, this is a legitimate email and they’re scared, right?

[00:45:30] Brad Nigh: Yeah. And, and uh yeah, part of it is also the that it was that company that it came from. You know, look and see, uh, you guys got to compromise. And did you know, you’re sitting this stuff out,

[00:45:44] Evan Francen: Right? So that’s um, and and and I just want to cover that quick. You know, the fact that there’s a gap because we can’t test this. And so how do we we have to communicate it somehow to let people know that these things are not legit, but it doesn’t stop them from using some other tactic. That is

[00:46:04] Brad Nigh: Yeah, that’s a good point. Yeah. That’s tough because yeah, we can’t. You mean that’s against our moral code and everything we can we do. You can’t threaten someone. And during the test,

[00:46:18] Evan Francen: one of the things that Chris Hadnagy, when I took his social engineering class out at Black Hat a few years ago. That was one thing that resonated with me, he said always leave somebody better off for having met you. That was the rule. And so when you’re doing your social engineering attack that keeps you honest and not doing things like this, they won’t feel better off for having met you when you go this into these

[00:46:41] Brad Nigh: extremes. Yeah.

[00:46:43] Evan Francen: And I guess the point here is if you’re a CISO, if you’re a security manager, somebody who’s responsible for information security, just understand that no matter how much testing you do, you’re always going to have this gap and so it goes back to risk elimination versus risk management.

[00:46:59] Brad Nigh: You know, so good point on this. You get this, use it for training for your staff. You can sanitise like the emails and who is to and all that. But I would absolutely use it as hey, this is what they’re doing. Just be aware of these are the tactics where we are seeing

[00:47:17] Evan Francen: and this will be in the show notes too, you know, I will sanitize or anonymize this and then put it into the show notes. All right. So on the news, we’ve got just four news things to cover today. The first one, Uh, we’re still talking Capital One. Still talking about. I think the reason being, is it’s so sort of unique how one person who appeared to be a legitimate user that’s me again, uh, kind of kind of turned rogue if they weren’t already rogue, but caused all this damage, not just for Capital One, but for 30 other customers or 30 other companies. So this comes from SiliconANGLE, uh, the title is alleged Capital One hacker indicted For hacking 30 other companies. So this is that Paige A. Thompson who uh was a man became a woman and she is the alleged hacker behind The theft of more than 100 million customer records from Capital One. And they’ve been, she’s been indicted wow. With additional charges of 30 other companies. So this story will continue to sort of evolve. I haven’t seen any Uh notifications or breach notifications or announcements from these 30 other companies. I don’t I haven’t seen I haven’t actually read the indictment. Don’t know is it unsealed? It’s got to be if they’re talking about, I don’t know if those companies are mentioned in the indictment or not, but

[00:48:52] Brad Nigh: research, it says in there. It hasn’t they haven’t been identified. Okay, I’m just, here’s the joy. I’m reading it right now as we go. Oh yeah. So am I. I thought I saw something Justice Department did not reveal the companies act state agency out of the state of Washington telecom conglomerate outside the US and a public research university outside of the state of Washington. Uh huh. So it does line up with companies speculated. Unicredit Vodafone food mode. Yeah, I can’t talk. Ford Motor, Michigan State and Ohio Department of Transportation are speculated.

[00:49:34] Evan Francen: Yeah, keep your eye out on this one. There’s much more to come on this on this story. All right, well that’s really all I had to cover on that particular one. I thought it was interesting just because it’s not dying out. Ransomware gang, breached data backup software used by hundreds of US dental offices. I don’t go to a dentist. Do you go to the dentist? Yeah. You got nice teeth. Okay. I still have most of my teeth. All right. So there’s a gang of ransomware attackers. Uh we’re going after PerCSoft. This story comes from TNW, which is thenextweb.com. The title is ransomware gang uh breached data backup software used by hundreds of US dental offices. I think it’s interesting because they’re targeting specific software

[00:50:31] Brad Nigh: now identified a weakness and are targeting it,

[00:50:36] Evan Francen: yep. And so taking down then the software itself, which would then essentially render the the dentist’s office inoperable because they won’t be able to get to the dentist records and process, you know, payments and everything else. Uh So two Wisconsin-based software companies have been targeted. One is PerCSoft and the other is Digital Dental Record DDR, they provide a solution called DDS Safe that delivers triple layer protection. Yes. Triple layer. So that sounds really sophisticated. So if you’ve got AI and blockchain, probably

[00:51:14] Brad Nigh: if you if you look at it um if done right, that’s actually what you should be doing. I guess that was poor implementation. So the triple layer is sensitive records to the cloud, to an offline workstation and an in-office hard drive. So it’s got three levels, but if they’re able to encrypt all three then yeah. Something wasn’t done

[00:51:41] Evan Francen: right when they’re going through, I think the DDS Safe solution itself.

[00:51:45] Brad Nigh: Right. So yeah,

[00:51:47] Evan Francen: So they’re going to

[00:51:47] Brad Nigh: actually, I can see where those companies would be. Uh I mean if you just saw that. Yeah, Yes, that’s a good solution. Right, poorly implemented.

[00:52:00] Evan Francen: Yeah. So I would assume did they close the vulnerability? I don’t think they have yet. Um I don’t see anything.

[00:52:06] Brad Nigh: It just says that the alert immediate, I’m sorry. And remediation efforts continue.

[00:52:11] Evan Francen: Yeah, roughly. 400 dental practices across the country are affected by the vulnerability and the DDS Safe uh and they’ve had their files locked out by ransomware. The ransomware itself is REvil. Uh Yeah.

[00:52:26] Brad Nigh: So they do say they have a decryption tool for it.

[00:52:32] Evan Francen: That’s

[00:52:34] Brad Nigh: good. But man. Yeah.

[00:52:37] Evan Francen: Well, it’s it’s the method I think that is you’re sort of

[00:52:43] Brad Nigh: newsworthy. I will say this there. There’s one thing in their uh mentions a link to ProPublica investigation how insurance companies are fueling rise of ransomware threats by covering the cost. You know, that story. I’m so glad to see that being called out though.

[00:52:58] Evan Francen: Absolutely. So yeah, I’m not happy about that actually at axon hops when we have, I forgot his name. Uh I apologize that, but the uh, the locked in several options. That’s a good question to ask him in the panel. Yeah. All right. Uh next one. Top reasons businesses make a cyber insurance claim. What do you think it is? What’s the top reason you’re looking at a thing? But if you were to guess this before,

[00:53:27] Brad Nigh: I would say ransomware, it’s going to be number one. And then I saw I just looked at it but I would have said probably ransomware or email compromise would be the top two for sure. And they are it was backwards from my Yeah, I thought but absolutely that would be the top two without question.

[00:53:45] Evan Francen: Yeah. So from Bitdefender uh the title is the top reason businesses make a cyber insurance claim. Uh and number one is business and email compromise. 23% of all cyber insurance claims received by AIG, which is a big insurer, are business email compromise.

[00:54:06] Brad Nigh: Thinking about it it makes sense. It’s a really easy thing to compromise and it’s not cheap to validate and clean. So we had one earlier this year and they’re being about 75 hours to fully understand the breadth of what happened and do the full investigation and all the resets and all that and you have users click on stuff all the time.

[00:54:33] Evan Francen: Oh yeah, no it’s not surprising at all. Uh Number two is ransomware. Number three data breach by hackers. Number four data breach and number three and four are tied data breach by due to employee negligence and see that. Yeah, it’s interesting how they I mean I wonder you know, and I guess I’ll have to read the study more specifically how you define these.

[00:54:56] Brad Nigh: Yeah, they do have the city data the wrong person, so they’re going to have to file a claim for covering fines or whatever.

[00:55:05] Evan Francen: But interesting article uh on the insurance front, interesting stuff. Alright, the last news article I have is this Google Play apps ticking malware time bomb just exploded, leaving 100 million people at risk. This comes from HotHardware. I’ve never been to this site before. It’s probably probably just been phished.

[00:55:29] Brad Nigh: Thanks actually

[00:55:31] Evan Francen: funny look malicious ad. Oh there you go. I just went to the website on this on my iPad,

[00:55:37] Brad Nigh: see have Firefox with a bunch of plug-ins so I didn’t get it.

[00:55:41] Evan Francen: No, no, it’s whatever. It’s just a malicious ad, like I don’t get those. Yeah, I just block them. All right, so the uh

[00:55:51] Brad Nigh: I’m telling you, it’s been a long couple weeks in a little punchy.

[00:55:56] Evan Francen: So this is the uh so trouble in the Google Play store, surprise surprise. Uh and this is just because of the open source nature or the open access nature of the Google Play store. Right? It’s not like the Apple store where things have to be vetted so much ah but a threat comes called CamScanner uh which is a popular app I suppose I don’t I don’t use, I’ve

[00:56:23] Brad Nigh: enjoyed. Yeah, well I do, but I don’t have that one thankfully.

[00:56:26] Evan Francen: But allows you to create PDF documents using OCR technology, optical character recognition developed by a Chinese firm called CC Intelligence. I would not trust the Chinese firm called CC Intelligence.

[00:56:39] Brad Nigh: I’m reading that and I’m going, well, I guess I’m, yeah, just not normal because I’m really careful about what I actually install. Right? Yeah. Okay. Anyway, yeah. Your security guy. Yeah, I don’t think normal.

[00:56:57] Evan Francen: So anyway, this compromises the system or the Android device, whatever Android device installs it. It’s been downloaded a total of 100 million times since it was initially released. Um, yeah, Trojan-Dropper.AndroidOS.Necro,

[00:57:18] Brad Nigh: by the way, I can’t wait for for one of the team to listen to this and isolate my comment of I don’t think normal. And and use that against me. I know that’s coming.

[00:57:27] Evan Francen: Of course. Right. So anyway, how do you how do you stop yourself from this? Well, one only use apps that you’ve vetted, Right. Don’t just download things.

[00:57:37] Brad Nigh: And, and there are legitimately good or good being relative, I guess. Uh, protection software, antivirus or, or scanners that you can put on your phone, You know, you know, the big name players use, you know, have them. I have one on mine. And, and uh, I’ve downloaded what I’ll admit what I thought was a legitimate or a good looking app and it it throws up the warning before we it does the install of or was trying to do the install. Did you know? It was trying to do these things and I’m like, whoa, that’s not what it said it was doing, nope. Delete and it’s caught, you know? So there are good ones out there. Uh, we’re not going to name names, but if you got Android put put something like and I mean, like a big name, like don’t just pick some random whatever. There’s some good ones out there,

[00:58:32] Evan Francen: and that should be a basic protection for any Android device, you know, just to have malware malware. Those are all the

[00:58:37] Brad Nigh: first thing I did on my, you know, on this phone, on my daughter’s phone and my wife’s phone.

[00:58:41] Evan Francen: And then also recognize that that will only be a mitigating control, right? You’ll still have to practice good discernment, especially on Android devices, you have to you have to be a little more sophisticated, you have to do a little more research. You have to be a little more careful. iOS is a fairly closed ecosystem. And even that’s not completely

[00:59:03] Brad Nigh: Yeah, yeah, I’m I’m willing to trade that off for the flexibility just because I’m because you’re a geek. I’m yeah, I’m not normal. There you go. It’s good

[00:59:12] Evan Francen: to be a geek, man, I’d wear that badge with honor february. Yeah. All right, Well, that’s uh that’s the end of the show, that’s how it is another episode in the bag brad nice job. Even though for friday with 15 minutes of preparation for the show.

[00:59:27] Brad Nigh: You know, you did. It’s funny, we were just talking with Ben after you did is the one and he’s like, how do you guys do that? What do you mean those notes? Those aren’t showing. No, it’s those are that’s like an outline, like yeah, that’s all we do. We just talk. That’s that’s all we need. This is fun.

[00:59:45] Evan Francen: I like talking with you. All right. Uh So yeah, that leads to my next comment. It is a pleasure. Always a pleasure spending an hour with you talking security man. Special thanks to our listeners. Keep up the good comments. We do appreciate them. Send them to unsecurity@protonmail.com. We do read them and uh I have some ideas on how on some future shows based on what they’ve

[01:00:09] Brad Nigh: I finally marked it on my computer side. Check it more regularly. Not when I just like, oh I should check that. I actually checking out on a regular basis.

[01:00:19] Evan Francen: We do have some great episodes to come in the future. Uh if you are a social type socialize with us on Twitter. Uh I’m @EvanFrancen and Brad’s @BradNigh. It’s not just an I. R. N. Y. R. N. Y. E. S N. I G H, B-R-A-D-N-I-G-H. And I’m not going to spell my name for you,

[01:00:40] Brad Nigh: you’re not there. You don’t have to.

[01:00:41] Evan Francen: That’s right. I’m super important. Okay, talk to you next week.