After getting a ton of questions about it, and realizing just what kinds of search volume it’s getting online, Evan and Brad decided to take episode 80 and clear the air on Zero Trust. What is Zero Trust? Is it really new? Is Zero Trust security even possible? If I want Zero Trust, what do I need to do? What common mistakes should I look out for?
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
[00:00:22] Evan Francen: everyone. Welcome to the Unsecurity podcast. This is episode 80. The date is May 18th 2020 and I’m Evan Francen with me. Today is my co-host, Brad Nigh. Good morning Brad.
[00:00:34] Brad Nigh: morning Evan.
[00:00:47] Evan Francen: it seems like, you know, we were just talking Microsoft. Uh It seems like Microsoft. We’re almost back to having to reboot once a day.
[00:00:58] Brad Nigh: Yeah. Great. Everything sick with all right.
[00:01:03] Evan Francen: Just fat fat applications everywhere.
[00:01:06] Brad Nigh: Yeah,
[00:01:08] Evan Francen: Pdf used to be speaking of that. Remember when PdF used to be just a document format? Mhm. Now, if you want to get pdf reader it’s how big is it?
[00:01:19] Brad Nigh: Oh gosh, I wouldn’t even know.
[00:01:22] Evan Francen: I don’t either. Hundreds of megabytes, I’m sure.
[00:01:27] Brad Nigh: And you have to download like three other things and uncheck the box that you don’t want it to install.
[00:01:32] Evan Francen: Right? Yeah, I don’t want the ask toolbar please.
[00:01:36] Brad Nigh: Right, I can’t tell you how many incidents we’ve seen that have uh ask toolbar, making suspicious calls. There’s a big
[00:01:48] Evan Francen: well adobe writes really, really good secure software. That’s what I’m
[00:01:52] Brad Nigh: told. Yeah.
[00:01:57] Evan Francen: Uh we got a good show planned today. Uh there’s this thing called Zero Trust that people are talking about. You know, it’s it’s pretty popular and I thought would be good for you and I to discuss it uh personally I think I’ve received quite a few questions about it. Um I’m sure you do. You have to. Yeah but like always, you know before we get to that, you know, let’s before we dig in, let’s let’s catch up man, I love catching up with you and seeing how you’re doing or some highlights you have from last week and maybe this weekend.
[00:02:31] Brad Nigh: Yeah, last week work. You know it was it was good. Uh Just a bunch of stuff going on. We had it was insane. I think we had six ir triage like so she’s come in like the last Wednesday afternoon through friday. It was just like, are you, wait, which one? Year and a
[00:02:56] Evan Francen: Half days? You had 6?
[00:02:58] Brad Nigh: Yeah. Well the initial triage right, the initial request for we think something’s going on, we’ll see how many of those actually turn into uh the mind to actually to do something. But they were it was not good. Many of them were really really bad, like
[00:03:19] Evan Francen: wow, what’s the new guy’s name?
[00:03:21] Brad Nigh: Uh Cory Corey fire.
[00:03:26] Evan Francen: Yeah. Was he on the friday? Mhm. We’re on the friday um Online Happy hour.
[00:03:33] Brad Nigh: No. Okay
[00:03:36] Evan Francen: because I think I saw him but I jumped in for like five minutes. I was on my way. Uh My daughter and I were going to go on a motorcycle ride, so just like, oh crap, that’s right, we got the happy hour, so I jumped in. Hey, you know, and there was only like four people left. All right, got to go.
[00:03:54] Brad Nigh: That’s funny now. Yeah, I don’t, haven’t done those. I don’t know, I have enough new meeting, come on, I’m so frightened by the, by friday afternoon uh
[00:04:08] Evan Francen: whiskey, sit down and write
[00:04:12] Brad Nigh: now. Uh but yeah, that was good with a bunch of CMC stuff um working on that and then this weekend did some, it was raining, it was insane. So I did some painting around the house, but the most exciting thing was bought a bicycle. I used to do a bunch of biking like long, you know, the 150 miles today things. Yeah, and I haven’t done it for a while, and I told my bike when we moved up here and I was like, all right now that I’m not getting out of the house and like exercising or at least you know, doing that, I’m buying a bike again. So pretty excited about that. That got that on saturday morning. I didn’t want to what’s that? Got a new bike? Yeah, so my daughters are excited because they’ve been doing just rides around the neighborhood between classes and stuff. I know you have been bugging me to get one too because like we should go. So, so I’m excited. That will be fun.
[00:05:16] Evan Francen: That’s cool. So remember surge? Mhm Yeah, he was on our podcast a few podcasts ago. He’s a biker guy too.
[00:05:27] Brad Nigh: Yeah, yeah, yeah, we’ll say it’s like I said, it’s been it’s been a while since I did that, but it’s
[00:05:33] Evan Francen: fairly shorts and stuff too.
[00:05:36] Brad Nigh: Uh So I have,
[00:05:39] Evan Francen: okay, if you do, I’m not going to give you
[00:05:40] Brad Nigh: crap. I have one. However, what I wear is the like basically regular looking shorts that have the padding built in so they’re not like super tight, but they just look like normal shorts, but the shirt for sure with the pockets in the back for all your stuff and
[00:06:00] Evan Francen: That’s cool, man. The there’s a lot of bikers out on County Road 10. Do you see those guys all the time?
[00:06:07] Brad Nigh: Mm I’ve seen a bunch on five and 11.
[00:06:14] Evan Francen: Oh yeah, Okay.
[00:06:16] Brad Nigh: So I’ve seen packs of them, so yeah, we’ll see a bunch of trails and stuff out here too. So it’s got like a hybrid, a nice hybrid. So I can do like the gravel trails or road bike and
[00:06:29] Evan Francen: cool, eric’s the bike, eric eric’s bike shop to get it.
[00:06:33] Brad Nigh: No, actually it was valley bike and ski over an apple valley. Cool. Yeah. I was surprised like how hard it was to find a bike and I talked to the guys and they’re like, yeah, supply chain is completely disrupted if they don’t have it. They’re saying, you know, they’re getting a small triple, but it’s basically what’s in stock is what they’re expecting for the next two or three months. Anything that comes in is just a bonus, wow. I was like, oh, I’m gonna go ahead and get that right now then. I was looking for herself.
[00:07:06] Evan Francen: Well, that’s cool. What else is new? Mm
[00:07:08] Brad Nigh: hmm. You know, just Doing stuff and dealing with COVID-19 and yeah,
[00:07:17] Evan Francen: when stopping things.
[00:07:18] Brad Nigh: Yeah, I was gonna smoke ribs this weekend and you know, we got like 3.5 inches of rain over the weekend. I didn’t that didn’t happen
[00:07:26] Evan Francen: right? Yeah. Last week for me was kind of crazy. We uh, had a bunch of a bunch of stuff going on in the, some stuff for the state with the state of Minnesota, some stuff with the State of New Mexico. That’s pretty cool. Natgeo, the National Association of State C I O. S
[00:07:47] Brad Nigh: Home, we talked to New Mexico last year and they just didn’t have budget for doing some projects and stuff kind of fluttered out. But they seemed like to get it. That’s good. Not surprising that they’re engaging again.
[00:08:08] Evan Francen: Yeah. And I think we’re going to work on a proof of concept with them for a third party information, Security, risk management. Nice. Yes, it will be fun. We did the security? S show this is not an explicit show. So I don’t say, we don’t say swear words usually, but It’s the security, four letter word starts the mass ends in the tea. The security, that word show we did thursday night.
[00:08:34] Brad Nigh: Yeah. How’d that go?
[00:08:35] Evan Francen: It was pretty cool man. It was, it’s just good to get stuff off your chest. You know, one of the viewers pointed something out to me, you know, I want to do that show. Like not as fr secures our secure ceo and I made that known on the video, but I was wearing my fr secure
[00:08:59] Brad Nigh: sweatshirt, you know?
[00:09:02] Evan Francen: No hoops,
[00:09:05] Brad Nigh: it happens.
[00:09:07] Evan Francen: Yeah, it didn’t get too out of hand. I mean, I think the topics for this week is the ones I proposed to the guys, you know, um, or maybe a little more controversial so I’ll need to make sure I don’t wear.
[00:09:22] Brad Nigh: That’s yeah, yeah, we don’t need you to go like fully Elon musk and like kicked from the no, although
[00:09:33] Evan Francen: you know, I do have some respect for that guy. I like how he marches to the beat of his own drum. Whether you agree with him or not, you know, crazy people are crazy, but I don’t know, I think I’m crazy, you know, some days so
[00:09:50] Brad Nigh: sure. Yeah.
[00:09:53] Evan Francen: Um, what else would, you know, went on a bike ride, motorcycle, motorcycle, I ride bikes with motors.
[00:09:59] Brad Nigh: Yeah, it does go a little faster.
[00:10:02] Evan Francen: Well and yeah, probably not good for you, you know, physically as you know yours that was good, went out to a place, you know, Glencoe, you know, or Glencoe is went out there and found a little cafe that um was doing, you know, take out only okay. It was kind of cool to go to a small town, you know, drop some money and help help out a little bit. Yeah. Uh what else saturday joe came over. I did a bunch of work on that garage.
[00:10:37] Brad Nigh: This is his payback for you helping them with electrical.
[00:10:40] Evan Francen: Yeah, but it’s cool to work with your son, you know, do stuff like, so you have those days coming up, you know? Yeah, that could be that too long. Will you probably have kids that already helping you out? But when they leave the house and then come back to help out. It’s kind of special.
[00:10:57] Brad Nigh: Yeah, they they want to help out. Yeah. A little different though for uh the age range I’m gonna get. So it’s probably a little bit more helpful. Benzak when it comes to like painting or something.
[00:11:13] Evan Francen: Yeah. Yeah. My garage is very organized now. Um So I made the first pass. So what I do is start at one end of the garage and kind of worked my way around uh kind of the first pass. Everything is organized and cleaned up and you know, looking really nice. Now I’m not go back and uh probably insulate and sheetrock the walls.
[00:11:40] Brad Nigh: I did all that in the basement, sheet rocking stocks. I
[00:11:46] Evan Francen: think it sucks more in the basement. It’s easy in the garage because right I backed my truck up uh it off and throw him right you know throw them right up man. It’s not gonna be hard at all.
[00:11:55] Brad Nigh: Yeah still keeping your muddying and
[00:12:00] Evan Francen: lining it all. That’s another thing. I mean in your basement you wanted to look really nice in the garage. You may I may not even tape it. Let me just you know, we’ll see.
[00:12:10] Brad Nigh: You just go there for the the installation benefits.
[00:12:15] Evan Francen: Yeah it does look a little a little more clean little more finished. But yeah we’ll see. Maybe that’ll be the third pass around the garages will be taping and muddying and painting. I don’t know. Uh huh. Mhm. Yeah. So that was the weekend and you write it man. It was is rainy.
[00:12:35] Brad Nigh: Wendy is raw
[00:12:39] Evan Francen: supposed to be nice this week. I heard I heard Wednesday maybe 83 I think 84.
[00:12:45] Brad Nigh: Yeah like upper seventies low eighties towards the end of the week. It could be you
[00:12:51] Evan Francen: Know what it means when it gets above 80.
[00:12:53] Brad Nigh: No work, no pants, no pants
[00:12:56] Evan Francen: so close so
[00:12:58] Brad Nigh: close up.
[00:13:01] Evan Francen: All right well good. Uh What else we talked about last uh Oh no now last week was crazy. The un security or no. The daily insanity check ins are still going strong. You should drop in once in a while. I know
[00:13:17] Brad Nigh: I’ve had like meetings every day like it’s like
[00:13:22] Evan Francen: I’m giving partially giving you crap partially because I think that they
[00:13:27] Brad Nigh: actually should be able to knock on wood join tomorrow. Well maybe the rest of the week. Not today, but as of right now I don’t have anything else on my calendar by the end of the day. That is likely to change,
[00:13:42] Evan Francen: right? Yeah. You get slammed with six I. R. S. Today?
[00:13:46] Brad Nigh: Well we have uh one of them they had global admin for their 03 65 and the attacker set up M. F. A. Locked him out. Uh No, but they didn’t know. Yes you can’t get it back. So it’s like I don’t know what’s going to happen with that one. But
[00:14:12] Evan Francen: the basics, the basics,
[00:14:14] Brad Nigh: the attacker had the basics to put in the taking place. Right?
[00:14:18] Evan Francen: Good job. Yeah. All right. Well, speaking of basics uh zero trust thing, you know, begin. I want to get your perspective on that. I know I have mine, I know you and I I don’t think you and I’ve ever talked about zero trust security together.
[00:14:35] Brad Nigh: Mhm. Not maybe in passing
[00:14:38] Evan Francen: right under you know hash it out a little bit. Uh So you know, a simple google search, right? If you’re just your browser google, you know, google search. Zero trust Turns up about 691 million results, narrow that down a little bit. Put quotes around zero trust and You get 1.94 million results. Um so clearly a lot of people seem to know what zero trust means. Uh and some of the returns I thought were sort of interesting. Page one. Top # one a VM ware link and you know, it’s always adds now remember when google didn’t have ads at the top, it was like
[00:15:23] Brad Nigh: yeah,
[00:15:24] Evan Francen: like you get real results. Yeah, a symbol pisses me off man. Yeah, because you know, if I’m Googling something and I just want research, I just want to do some, I don’t want to buy anything. Damn it. You know, every time I googled something doesn’t mean I want to buy something. Mhm.
[00:15:45] Brad Nigh: I definitely. I can’t believe that.
[00:15:48] Evan Francen: Right. Frustrating though because I do remember those days, I think, you know, some of the younger generation probably doesn’t remember.
[00:15:56] Brad Nigh: Yeah, yeah. Back when it was a just the search engine. Yeah. Game changing at the
[00:16:03] Evan Francen: time. Right. Number one VM ware links capsule list, enables and this is the title enable Zero Trust security moved to a new security model. Uh you click the link, it’s gated content which means you have to register for something um register for a white paper that’s titled to enable Zero Trust. Rethink your firewall strategy. Okay. Yeah. Alrighty then. Good. So we’re already getting off on that kind of foot sounds good. The next one down was an ad from Octa. Uh and I didn’t spell Octa correctly in my show notes, but that’s kind of cool. Anyway, so the title is getting started with Zero Trust colon. Never trust. Always verify. That’s also gated content a white paper titled Getting started with zero trust security. Never trust always verify.
[00:17:06] Brad Nigh: Okay that pretty well sums up what what it is
[00:17:13] Evan Francen: now. I I unless I really really really want something. I never sign up for those white papers.
[00:17:22] Brad Nigh: 10 minute email
[00:17:25] Evan Francen: right? Might be urged because what happens? You know obviously that’s that gated content you’re gonna now be on the middle list and being marketed to. So that was the second one. The third one was from a company called Garda core which I never heard of before. You guarded car. Well I guess there’s a company called garlic or uh The title of this search result is zero Trust what it means. How to get there. So I never heard of those guys before. Click the link. More gated content. So the top three results are all gated white paper titled Zero Trust what it means and how to get there faster.
[00:18:09] Brad Nigh: Oh boy
[00:18:10] Evan Francen: Give me my easy button. It almost sounds like it doesn’t it. Yeah. And then the fourth one also an ad from Applegate. A P T. G A. T. E. The quote are the title for this for that search result is become a zero trust security hero. Oh right. Who doesn’t want to be a hero? Do you get a Cape?
[00:18:34] Brad Nigh: Mhm No, never a Cape when you watch the Incredibles. Never get it. No, no, never get a
[00:18:39] Evan Francen: Cape. I would give them my give them my name, email address, phone number and mailing address If they gave me a Cape.
[00:18:49] Brad Nigh: Mhm.
[00:18:50] Evan Francen: But they didn’t. Alright so become a zero trust hero. Invisibility, strength and speed.
[00:18:57] Brad Nigh: Well there you go.
[00:18:59] Evan Francen: Right. So is your top four results in Google search when you get you know, a bunch of normal search results And the titles are all fairly similar at least first page. What is Zero trust a model for more effective security. What is Zero trust? Zero trust Security. What’s zero trust network etc etc. Uh The fact that there are so many what is zero trust search returns. Give me a hint that people are confused. Yeah.
[00:19:31] Brad Nigh: Yeah I would agree with that based on the questions and comments that I’ve gotten.
[00:19:38] Evan Francen: So I think it’s a good topic for us to to dig in a little bit uh tackle it. So you know what is zero trust? You know what’s in your opinion? What what is it you know like I’m guessing it’s real similar to mine.
[00:19:54] Brad Nigh: Yeah. So it’s the way I understand it and see it is basically it’s uh authenticate before anything is given any at any time right? You can’t get any anywhere on your network. You can’t do anything without some form of that authentication occurring.
[00:20:14] Evan Francen: Yeah. and I always like zero trust is I’d like to sum it up with its default deny. Yeah. Everything. Everything default tonight. So I don’t trust anything. I’m, I’m a, I’m a man on an island by himself. I’m not letting anybody. I’m not gonna talk to anybody. I’m not going to share anything with anybody. I’m not gonna probably even look at you right until till there’s some level of trust established, right? Yeah. You and I have done the trust thing enough in applications and teaching right authentication is paramount to trust right? Identify as one thing followed by authentication. So there’s my trust small I mean do you agree with that? Do you think trust is default and I default and I on traffic default and I are both an eye on everything.
[00:21:17] Brad Nigh: Oh, degree that yeah, default deny until you’ve got ballot authentication. Yeah.
[00:21:23] Evan Francen: In one of the things I read an article last week kind of a small segue about people now are sort of claiming and they’ve done this for a while. That whitelist blacklist, we used to use those words that those are racist terms now.
[00:21:37] Brad Nigh: Yeah, I saw that.
[00:21:40] Evan Francen: When does intent on the use of the term come into play on racism? You know what I mean? If I just use the word, I know there’s no intent behind it at all. I don’t even think
[00:21:51] Brad Nigh: race at all. Uh huh Yeah, topic, isn’t it? I know Yes it is.
[00:22:00] Evan Francen: There’s all kinds of words that I use all the time and I never, never, I don’t consider myself at all to be. Well, I mean if true, if you want to be like honest, honest, everybody is racist to some extent. Yeah, I would agree. It’s how you leverage it in it and that’s just, you know, we’re hurting people, right?
[00:22:21] Brad Nigh: Yeah. Yeah. That’s a whole, that’s a, that’s a totally different like rabbit hole. We could go down.
[00:22:28] Evan Francen: People will say that for the security s show on thursday. Yeah. So you can’t use whitelist and blacklist anymore, at least without not, you know, people,
[00:22:40] Brad Nigh: you know? Yeah. And until we get what’s the new, there is no universal accepted replacement. And so that’s kind of the problem. We’re stuck in right now. But yeah, I don’t know your trust. Like get the question all the time. Should we go and do this? We should be by this. And, and it’s like, well, do you have, do you know what your assets are? Do you have, have you been able to do application whitelisting? No. Do you have ingress? Egress filtering in place and like you said, deny by default on your firewall? No. Why the hell are you going to spend money if you’re not doing those things that are like, you could do without purchasing anything like start with basics. I’m not and I like zero Trust, I think it’s a good concept. I just don’t think most companies are anywhere close to being in a situation where they’re going to be able to actually use it.
[00:23:44] Evan Francen: Well, in some brings up another thing, right? Um, zero Trust is new. We just slapped a new name, a new marketing name onto something that’s always been in existence. We’ve always been default deny is more secure than, you know, right. The traditional, I guess, you know, blacklist or default
[00:24:06] Brad Nigh: open to everything. But
[00:24:09] Evan Francen: hi people, we’ve always been more prone to availability. Right? So availability, as long as it works, right Then management is going to be happy when they click, does it actually work great? But default denies not anything new. It’s just like just like the cloud, you know, a few years ago, cloud came out right? Cloud this cloud that and most of us who are networking people are like, what the hell? We’ve been doing cloud the cloud forever.
[00:24:39] Brad Nigh: Right.
[00:24:40] Evan Francen: Anything
[00:24:41] Brad Nigh: new? We’ve had a private cloud with her own storage and VM Farm. It’s basically what we’re doing.
[00:24:48] Evan Francen: Exactly. So, and I think of zero Trust the same way. It’s a, it is a good thing. It’s always been a good thing. It’s always been mostly unattainable for most organizations because they didn’t start this way if you really wanted to do Zero Trust. Right. You’d have to start With the zero trust model, Right? Existing open networks like an open flat network or even a network that’s segmented at Layer three. Try to take that to a zero trust model.
[00:25:20] Brad Nigh: Oh, it’s, I mean we, I know I’ve, I’ve worked on, we didn’t call it zero trust. Right? It was it was probably around you
[00:25:30] Evan Francen: were trying to sell anything.
[00:25:31] Brad Nigh: Well it was it was right, probably right around the time that this was became a thing so it hadn’t really pushed. But yeah, we would like monitor for six months and if it didn’t get hit, we turned it off and then, gosh, guess what, three months later that one activity they do once a year that needs that specific port comes up. And you know, it’s almost impossible to do after the fact even when like it’s a push to actually do it and you have support from the organization to do it. Right.
[00:26:09] Evan Francen: Well that’s and that’s the frustrating part because, you know, you like here C C S O magazine, um It’s today’s top story. This is written in January of 2018, so it is a couple years old. But The subtitle is the technologies that support zero trust are moving into the mainstream. It’s like you always had the damn technologies to do zero trust, right? You have an access control list. Did you have a firewall? Right? Did you have, you know, and we had this, you know, kind of sort of gets under my skin sometimes because I’m reminded of my work on the target breach now central to that was were the pc complaint, you know, back then, I think that was version three maybe of the P C I D S S 3.3 dot one somewhere in there. Okay. And in the standard was network segmentation, That’s the word they used. Network segmentation. And so what people read this to be was, well, if I put in a V land that segments the network.
[00:27:25] Brad Nigh: Yeah, I mean technically.
[00:27:28] Evan Francen: Right, correct. And so they would get signed off from some Q S A. S, you know, on their pcs compliance because they had put layer three in the letter and this is classic letter of the law versus intent of the law. Right. What are the law said, segmentation? Well, I’ve got later three segmentation. The intent of that law. The intent was actually isolation, which means, you know, that you default, deny. Right?
[00:27:57] Brad Nigh: Right. Yeah.
[00:27:59] Evan Francen: So we’ve always had these technologies, we’ve always had these things and I’m not saying we haven’t progressed, we don’t have new cooler technologies, we don’t have micro segmentation is cool. Multifactor authentication things are cool. Um, or some of the orchestration stuff is cool. But if I don’t understand the basics, I don’t even understand what I’m trying to do with this stuff who gives a crap they’ll sell it to you, but,
[00:28:27] Brad Nigh: and I’m sure it’s real cheap. Right? And the problem is if you don’t have those basics mastered, you’re gonna put zero trust in. It’s not going to be done properly. And then you’re gonna have this false sense of security and then be like how this happened.
[00:28:40] Evan Francen: Right. Right. Oh my gosh,
[00:28:43] Brad Nigh: Right.
[00:28:44] Evan Francen: Yeah I mean that’s well that’s what management and you can’t blame management because that’s what they’re told. Right? I’m justifying budget because of these reasons right? I need this zero trust thing for these reasons and this imagine it’s like okay that seems reasonable. We should have that for those reasons. Put it in its not doing those reasons or some of the reasons that you didn’t even think of our exist you know they you know maybe you should have you know and so yeah so then when it does happen in management we’ve seen it happen so many times an incident response management. Like I thought we were protected against this right? You could have been if it was configured correctly you know maybe
[00:29:28] Brad Nigh: you know and and the like as you say that like those people that that thought they were doing the right thing. Hey we gave as a ceo I gave budget, I gave authority. I gave the financial support for security and we were completely open. How do you feel bad for them because they want those are the people that seem to want to be doing the right thing and that’s you know does that reflect on their I. T. Team? Did you know with a poor was it the whatever software that was sold to them with this big promise should that company get named right Like those things piss you off because there’s so many companies that don’t get that support. And then when they get get it and it still happens because it’s not put in properly, they don’t have the basics in place. Right? That job but bugs me.
[00:30:27] Evan Francen: Well, I’m just thinking of the terms. So the term came from It was a forester and most who originally came up with the term zero trust and There’s a number of things I don’t like about the word one. I don’t think it’s every ever fully 100% attainable.
[00:30:50] Brad Nigh: Yeah. Unless you’re starting completely from scratch
[00:30:53] Evan Francen: and even then, man, I mean, zero trust that means. Yeah. Anyway. Yeah. But it also any time you use the definitive words in our industry like zero. Yeah, we’re guaranteed or you know, eliminated or you know, things like that. It almost implies like if I put in zero trust, there’s no risk. Right? I’ve closed it up. Yeah. More or less. I don’t like that. No. For anybody who reads that into it, you know?
[00:31:27] Brad Nigh: Yeah. And I mean, yeah, it does. It sounds it feels marketing gimmicky like the concept is good, but it’s not like you said, this is what we’ve been trying to get to forever.
[00:31:50] Evan Francen: What we didn’t need was another word for it. Right. Right. What we needed was better applications of it. And so if I buy like if I go get some, you know, paul Altos micro segmentation and put it into my network by now implemented zero Trust, the answer is no. There’s still more things. Right? All right. Um So, you know, that’s the part that frustrates me to about zero Trust is there’s just so much more to it than I think people realize because you know, you have hardware, software data, right? Take something, you know, like data. If I’m never gonna be able to implement Zero Trust, I’m going to need to know where all my data is, where all my data goes. Who is authorized to have my data, who is not authorized to have my
[00:32:37] Brad Nigh: data classification,
[00:32:39] Evan Francen: right? Nobody had their data flow diagrams. You know, Zoo And those data flow diagrams are gonna look like spaghetti. I mean they’re gonna look terrible if I haven’t done proper network segmentation and isolation, so I haven’t put them in proper containers and places on the network. So if that hasn’t happened, making sense of your data flow diagram. Spaghetti is
[00:33:05] Brad Nigh: Yeah. I don’t uh I don’t know how people based on what I’ve seen the last oh well, work. And then just uh doing the consulting side of it. I mean, I don’t know if I even to count this could count five. That would be at a point of I think they would be successful at doing this.
[00:33:33] Evan Francen: Well, yeah, especially, you know, if you didn’t start there, there’s been times, you know, I was working with one large organization and another, you know, I guess related word that you know for zero Trust is um, you know, adversary obstruction where zero trust kind of came from was the traditional, they said the traditional and it’s never been traditional unless you never took security seriously. The crunchy shell gooey center sort of approach to security, right? Some people call that the traditional approach, which I traditional maybe for somebody who’s dumb it security. I mean that’s, that should have never been a traditional approach. We should have always taken the approach that assume that somebody is in the network already. What can they get to? Can we make it difficult enough as they transition or pivot through the network to No, that will be loud enough that we can identify them earlier, detect them earlier, you know, stop them
[00:34:37] Brad Nigh: like so I was just talking to a company last week on their vulnerability scan results. Um, because with the new version and all that day questions on their score and stuff and they had a couple of older boxes that they could not turn off. They had business critical applications that there was not a replacement for and they were working towards fuck to your net out. But until then right, you got to be in business and I was like, well those are gonna still hit you. There’s nothing we can do, right. There’s known exploits. It’s a but what can you do segment it isolated only the people that absolutely need access to it can hit it and only on the ports that are absolutely required. Right? With additional logging in place. Do these things. It, those don’t cost anything extra to do when they’ve always concept.
[00:35:37] Evan Francen: Right. And they’ve always been good security concepts. Right? We’ve called that defense and depth. Yeah. Well that need to know, I mean these are all concepts that are not new. We bundle them, you know, some of them together into this word or this term called zero trust. And I think in some cases it causes confusion. Uh, it certainly improves sales, but that’s not good for you. The one who’s buying, if you don’t know what it is. Right.
[00:36:08] Brad Nigh: Again, I’m gonna go back to, it’s actually probably worse for many companies that buy zero trust solutions and they’re going to have this false sense of security that hey, we’ve got zero trust we’re safe. Right? And quick doing some of maybe the other things or being as vigilant because observe.
[00:36:29] Evan Francen: All right. And, and zero trust isn’t, it’s not an easy button. It almost that’s another thing about, you know, the term zero trust. It almost seems like, Oh yeah, I need, I need a zero trust solution. Right? Just plug that in. And I’m good. Uh, your to your point about, you know, being a false sense of security. There’s a lot of work that goes into zero trust. If you truly want to do it the right way. Right. You were with me that week when I was out in the Northeast and you know, this is a company, a pretty large company, um lots of applications, uh lots of users and they wanted to get to this thing called, you know, it’s more adversary obstruction, right, mom. You know, it’s part of trust, right? And you know, something as simple as seemingly simple where your data flow diagrams, what what data is going, where, what applications are in scope, what applications are not. Mhm. And that took months. Yeah,
[00:37:42] Brad Nigh: just for that and that and that is not a company that’s a like they’re on top of things. They’ve got a really good security and I. T team over there. They really do. And yeah, data for diary of suck. Right? But nobody has it because you have to first you have to map your data
[00:38:05] Evan Francen: afterwards. It’s much more afterwards than it does if you did it at the beginning.
[00:38:11] Brad Nigh: Oh yeah. Well nobody, but I don’t know if I’ve ever, I’m trying to think if I’ve ever gone in and had that opportunity to Uh huh. Yes, maybe some new systems where that would be the case, but usually at night or in security you’re inheriting something that’s been around forever. Right? It just doesn’t happen for the most part.
[00:38:36] Evan Francen: Well that’s what it comes down to. So it comes down to the, you know, eventually it was. And I kind of warned them that this was probably going to be the thing. At what point is it easier just to start over? Okay starting over oh my God that’s a lot of work. Well so is what we’re about to
[00:38:54] Brad Nigh: view.
[00:38:56] Evan Francen: Maybe maybe it makes sense to build a parallel environment where he actually started with security at the core at the foundation where you’ve implemented proper network segmentation isolation, you understand data flows, you understand where your applications are, I mean Yeah and then people over,
[00:39:16] Brad Nigh: well here’s the problem with that. I’ve got personal experience in that we’ve had a domain that was just badly broken. He didn’t just poorly managed like they just turned off exchange servers when they were done, they just turned off domain controllers when it was they’re done, they didn’t demote them or uninstalled like you were supposed to. So like trying to upgrade Exchange to an inversion took nine months because every time we would run it would run into another thing, we had to go to manually clean. It was a nightmare. So he said look we’re going to spend years trying to get this clean or we can do it correctly side by side. And we stood up, the new domain had proper sub domain set up for each of the different areas that needed it. We had I. T. All moved over and then the C. I. A. Left the newborn came in and said that’s not on the it’s a it’s no longer a priority. And so we’re I didn’t stay much longer beyond after that um But for yeah, multiple reasons but oh now you’re stuck with a half and half situation. Mhm. Yeah, which is even worse because
[00:40:32] Evan Francen: it’s a house of cards man.
[00:40:34] Brad Nigh: Yeah, but it’s like we’ll just do it the right way. Change of leadership, we’re not doing that anymore now you’re what? Well I’m managing to
[00:40:43] Evan Francen: well but in that case you did the right thing. If you excuse me, I was going to use a bad word if you have crappy leadership leave, why would I subject myself to that? Why would I, you know, ever, there’s so many good job opportunities for people who do things right and do things right? The first time, one of the things that I’m really thankful for my own father when he raised me and I was, I mean I’m I’m a Marine Corps son right? And one thing that’s drilled into over and over and over again is if you’re going to do something, do it right. Yeah, yeah, from the start, don’t
[00:41:21] Brad Nigh: take the time to do it right? The first time I’m, my grandfather was a marine, I’m assuming there’s a little bit of that I got told to. So
[00:41:30] Evan Francen: Yeah, so I mean if you really want to do zero trust and you have the opportunity to do it from the beginning to do it right from the start we implement things that are concepts that we’ve always understood things like you know defense and depth, you know, like um you know, segmentation, isolation, things like asset inventory. Yeah. Why the hell would I ever plug something? I mean whatever, I’m not going to get there. What frustrated?
[00:42:00] Brad Nigh: Yeah. Disabling ports that aren’t in use. All right. Doing Yeah, there’s so many things you can do that are just Easy. There are all part of that, you know, zero trust, right? I like the concept, but uh it just feels like, I don’t know, there’s so many things that we could do that are that you are, we’re lumped in there that people just don’t have the fundamental things that anybody could do with basically anything they currently have. You don’t have to buy anything to do asset inventory.
[00:42:41] Evan Francen: Right? So On the point of zero trust, you and I are both in agreement That it’s absolutely wonderful. I mean zero Trust is a good thing, right? Just like a lot of good things that can be used for good and it can be used for bad if it’s being used for bad meaning selling you something that you don’t understand telling you something as a silver bullet or as an easy button, just implement this thing and it’s gonna make your security problems go away. That’s when it’s a bad thing. Yeah. So my advice would be to do some research on Zero Trust. If you have, it’s not as easy as you think it is, but it can be done. I think if you plan properly, if you approach it strategically, certainly if you have if you have the opportunity to build a brand new environment uh building in right at the beginning. But if you’re retrofitting an environment that already exists that wasn’t built with security at the core, you’re in for a ride man.
[00:43:44] Brad Nigh: Yeah, yeah and
[00:43:48] Evan Francen: yeah, well it can be done and I think it should be done. I think I think you should plan for it. You know, you don’t what I don’t want people to do is just like say yeah, you know, environment to begin with, we can’t get there no plan for it, but plan properly. Right?
[00:44:05] Brad Nigh: Yeah, yeah. We keep preaching it. Just start taking little chunks, right? Do your asset inventory, do your segmentation, put in review firewall rules, can you do better ingress, egress, traffic filtering, understand where your data is. Start mapping just all these things that are tough, a lot of work but are Yeah, I don’t want to say simple but there they are. They’re just they’re just the basics of what you should be doing
[00:44:40] Evan Francen: when they are simple. I think a lot of times people get the words simple and easy. Yeah,
[00:44:46] Brad Nigh: that’s that’s really
[00:44:46] Evan Francen: not easy. No, but it is simple and you only have to do it once and get into the process right once once you get your hands around it the first time, then change control comes into play right? Then you start implementing, you know, those things that keep your hands around it. But I think the best people, the people that are the best at security are the people that understand what it is. They are trying to secure the best. Mhm. So if I’m if I’m responsible for securing a network, if I really, really know that that network intimately, I’m going to be better at securing it than you will as somebody who doesn’t right? So you’re gonna have to do it eventually anyway. Right? So you don’t do zero trust and say, well I don’t have to worry about S and M is right now
[00:45:32] Brad Nigh: wrong right now you spend a bunch of money and you have to do this thing that before you can use it.
[00:45:40] Evan Francen: Right? And there are some zero Trust technologies that will help you build your acid inventory. But it’s these steps that you need to take before you get into the kind of the full model of things. Right? Right. So if I want zero trust, what do I need to do? That was one of my questions in the show notes, I think we covered that. It’s master the fundamentals. Master the basics. Mhm. And and you know, and I know that some people don’t like it. I actually do, I enjoy doing those things because I understand what it is. I’m working with.
[00:46:16] Brad Nigh: Thank you said it’s it’s simple to do. There’s a like and you get something like a lot of I think information security very uh intangible. Like you don’t have a firm result, right? It’s hey, we’ve got good security and we can tell this because nothing’s happening. That’s a hard concept. But hey, I now have an asset list. I can tell you what’s installed on every on any machine in the entire, on the, on the network. I know if there’s a vulnerability that comes out that affects something specifically, I can do a query that says here’s where that is and where I need to go to patch. Like you, you have a result in front of you, right?
[00:47:01] Evan Francen: Yeah, totally. Hey, did you ever see that? It just reminded me, did you ever see my PDR burger? Yes. Do you like my PDR burger? I do. Okay. Because you got, you brought up another concept as you were kind of talking about that, about, you know, prevention, detection response and how those kind of that you have to work together. Well, all right, well, good stuff. Um, good talk man. Seriously? I could tell that you and I were both getting a little bit juiced up and we could seriously, we could talk and it’s, it’s not coincidental that this is also something if you want to tune in on thursday, one of the next six or seven thursday nights we’re going to cover the same thing that’s not going to be put as politically correct as you and I have to be,
[00:47:45] Brad Nigh: Yeah, you definitely want to, he gets you fired out,
[00:47:50] Evan Francen: right. And so there’ll be some, some curse words being slung around, I’m sure, uh, and Wolf to invite you on. Sometimes you can work to, if you don’t want your kids to watch
[00:48:01] Brad Nigh: and will be, that’s, they watched me watch the Stanley cup playoffs. I’m sure there’s nothing.
[00:48:11] Evan Francen: All right. Well, thanks for your insight. I think you and I see things, you know, the same way, which is cool. Makes it fun to work with you. But then there’s also, you know, slight disagreements, but they’re all within the same boundary of like we understand security really well.
[00:48:25] Brad Nigh: Well then I think the nice thing ultimately want the same goal. Now. It’s just how we’re getting, how we think we should get there is going to differ slightly and you don’t want to agree with some 100% of the time. That would be boring.
[00:48:36] Evan Francen: Yeah, that would be boring. All right. So, uh, I think people, hopefully the listeners have a better clear view of what zero Trust is and what it means to them. Uh, if they have additional questions or comments reach out right. Don’t person you don’t want to reach out to is somebody who’s trying to sell you something. One of the things that I like about us is that we’re product agnostic asked me about what zero Trust is. I’m not gonna try to sell you a firewall. No. And I will try to figure out. And if you disagree with what my Interpretation of zero Trust is, then you know, to our point about disagreement, that’s a great opportunity for us both to learn. Yeah. So good stuff. Reach out to us, contact us, we’ll get to how to do that at the end, essentially email us at un security at proton mail dot com and we’ll hook you up. Alright. Some new stuff. I have four news articles that caught my attention last week. I’m not sure where we’re at on time right now.
[00:49:36] Brad Nigh: I was just I’m glad you had that first one. I was gonna mention that to you. I was talking with some of the I. R. Guys on that one over the weekend.
[00:49:45] Evan Francen: Oh yeah
[00:49:45] Brad Nigh: they are evil or yeah,
[00:49:47] Evan Francen: depending on how you want to pronounce that,
[00:49:49] Brad Nigh: I don’t know how that law firm survives this.
[00:49:53] Evan Francen: Their lawyers,
[00:49:54] Brad Nigh: I don’t know who would use them.
[00:49:56] Evan Francen: I was gonna say where’s her? Like some lawyers, not all but lawyers are like cockroaches, they survived nuclear disasters. Somehow
[00:50:08] Brad Nigh: they’ll come back as something as a different name.
[00:50:10] Evan Francen: Right? Right. And more resistant to this kind of thing.
[00:50:15] Brad Nigh: Yeah. That’s a crazy story.
[00:50:17] Evan Francen: Yeah. So the first one on our news list is uh from hack read and it’s all over the internet so you can find it in numerous places. But basically it’s These are evil hackers that attacked a law firm uh gathered out 756 GB of data.
[00:50:36] Brad Nigh: How do you, how do you not notice almost a terabyte of data going off your network?
[00:50:43] Evan Francen: Well, you know, I mean, I don’t know,
[00:50:45] Brad Nigh: I guess you don’t know how long it’s been right. I guess they could be very slowly doing this over a long period of time
[00:50:50] Evan Francen: and do it over a weekend.
[00:50:53] Brad Nigh: Uh But you’re not monitoring for like unusual traffic patterns?
[00:50:59] Evan Francen: No, Obviously not. No. I mean talk about Lack of zero Trust. Right?
[00:51:08] Brad Nigh: Oh, I think I thought it was hilarious. Was Did you see the their initial ransom demand was $21 million. They doubled it and they came the law firm offered to pay like 350,000. The article was basically like a few $42 million dollars and I’m gonna start leaking stuff.
[00:51:30] Evan Francen: Yeah. Yeah, so the title for this article from hackery it is are evil hackers leaks email conversation on trump amid ransomware demand. Uh Another word or another. They’re also known as so then shouldn’t no. Key B which we’ve tried to say before,
[00:51:53] Brad Nigh: I like are evil.
[00:51:54] Evan Francen: Yeah, it’s easier to say. Uh So the law firm is grubman shire mice, ellis and Saks 756 GB worth of data on nine May. Yeah. They originally had the first high profile personalities like robert de Niro lady gaga Madonna.
[00:52:16] Brad Nigh: And they were like reading contracts and stuff.
[00:52:20] Evan Francen: Yeah, it’s crazy. I’m not sure how yeah, I don’t know what the trip with the trove of data actually includes. I mean some of that stuff may not be all that sensitive
[00:52:31] Brad Nigh: but that’s the thing anybody if I’m a client of theirs and I’ve had any sort of sensitive legal, I am freaking out right now. Right,
[00:52:41] Evan Francen: right. Certainly if it’s an active case to right Oh yeah.
[00:52:45] Brad Nigh: More so yeah mm well I’m just the, what would the embarrassment, what would it be? What would be the impact? Yeah, good career.
[00:52:55] Evan Francen: Yeah, I don’t know man, So Friday is when they up their demands to 42 million.
[00:52:59] Brad Nigh: Yeah, I think that’s when I saw it was when that came out
[00:53:06] Evan Francen: uh Yeah if there’s text now they donald trump isn’t a client of theirs, that doesn’t mean that they didn’t have conversations and that their clients didn’t have conversations or dealings with donald trump. So that’s the around about you know how trump is kind of pulled into this conversation. Uh Yeah so the data of the firm’s clients will be auctioned off every week on an information exchange available for any uh the firm will not be able to get back its data as the Attackers control the decryption keys. So this was you know a ransomware and the data exfiltration?
[00:53:53] Brad Nigh: No. Yeah Why would I don’t know maybe I guess the only way you would pay it is if you don’t have backups of your data because they’ve already said you’re not getting him back and $42 million dollars is absurd. Uh huh.
[00:54:11] Evan Francen: Yeah. Well and so this is going to lead to a whole bunch of drama to because there’s gonna be things that are leaked out of this thing that people are just going to assume is real and legit. Because what would stop me as an attacker from dumping some propaganda or some of my own things intermingled with this data to make somebody look bad.
[00:54:36] Brad Nigh: Yeah. That forced the law for me to come out and say that that’s not real
[00:54:41] Evan Francen: Mohamed. Who’s going to believe who? Right.
[00:54:43] Brad Nigh: Right. I know I’m like yeah
[00:54:45] Evan Francen: so this is just a whole bunch of I mean talk about a show here.
[00:54:50] Brad Nigh: I’m so glad uh we’re not working that I hard.
[00:54:54] Evan Francen: Well yeah well that’s that’s what pissed off the Attackers right? Because they did engage uh somebody to help them recover data and whatever else. And that pissed the actors off. You know that was another contributing factor from doubling the ransom. Yeah. So I mean if you’re stuck in this kind of place, there’s really nothing much you can do. Uh I guess try to put as much of a positive pr spin on it as you can but the data is gone. I wouldn’t pay the ransom either because yeah That doesn’t guarantee you anything other than now you’re out 21 or $42 million dollars and they still have the data. So I guess you know retire maybe. Yeah hopefully you’ve been doing a good job saving money and you can just all in somewhere where nobody will find you and change your name.
[00:55:54] Brad Nigh: You call it resume generating event.
[00:55:57] Evan Francen: Yeah. I mean if you have a last name of Grubman share this else or sacks maybe you know, change your name to something else. Yeah that’s a really bad spot to be in. So there’s that uh the next one I’ve got is experts reported the heck of several supercomputers across europe. So this is security affairs dot c. O. You know, always a good source of pretty good information. The title is experts reported the heck of several supercomputers across europe allegedly these computers are being hacked for their you know their ability to uh for crypto mining. Right so monday. The german D W. H. P. C. Organization announced that five of its supercomputers had to be shut down due to a crypto minor infection. How does a crypto minor infection get onto a supercomputer?
[00:56:54] Brad Nigh: I don’t know but it must be really effective at crypto mine.
[00:57:00] Evan Francen: All right. Yeah. Yeah. Oh boy. So the message that they published the organization published dear users due to an I. T security incident, the statewide HPC. The HPC systems there’s five of them listed. Uh Yeah but
[00:57:20] Brad Nigh: what was interesting on this one was the, did you see the C. B. E. Home that they think they were Uh kind of speculating was exploited. It was only a 44.4 on CBS right so you know it’s like,
[00:57:39] Evan Francen: yeah Yeah CB 2019 15666.
[00:57:47] Brad Nigh: Yeah just because it’s not a 10 or critical or whatever doesn’t mean it can’t be taking advantage of us. Patch everything.
[00:57:57] Evan Francen: Yeah it’s interesting. I mean I’ve never, the first time I’ve heard of a supercomputer getting hacked for crypto mining I’m sure I wouldn’t be surprised if if it’s happened before but the first time I’ve seen it in the news. Yeah good point. Take away from that is just because you know it’s not ACBS of 10 or a nine doesn’t mean it doesn’t need to be attended to potentially.
[00:58:23] Brad Nigh: Yeah
[00:58:25] Evan Francen: next one is also from security Affairs and and we’ve seen this with these before. I like these um sort of regular updates. It’s coronavirus. It’s the title is coronavirus themed attacks. May 10 through 16 May 2020 just gives a pretty good synopsis. It’s not going to be all inclusive because such a thing doesn’t won’t exist. But I think a very comprehensive good list of kind of what types of attacks are certain are currently happening. Um Yeah it’s good stuff. Zeus Sphinx continues to be used in Covid themed attacks. Crooks continue to use Covid 19 lures. Microsoft warrants. Just some really good articles if you’re interested in kind of what is new or what’s being seen I guess uh the guy puts it together as Pierluigi paige paige paige genie back on me a Djaniny
[00:59:25] Brad Nigh: Gonna Let you you try that one.
[00:59:27] Evan Francen: Some guy from Italy probably but good, good stuff. So you know, keep your eyes open I guess the point the reason why I picked that one is I like to see kind of what’s new if there’s anything surprising that stands out there really wasn’t anything for me but we work in this industry all the time so I know
[00:59:44] Brad Nigh: it’s a great resource just to kind of stay up and yeah, I understand what’s going on.
[00:59:50] Evan Francen: Yes, so keep your eyes open, you know, we knew that this was going to happen from the beginning. Uh huh And then the last one which I liked maybe this is why I was having my issue
[01:00:03] Brad Nigh: potentially.
[01:00:04] Evan Francen: And so this is from Ars Technica the title is chrome will soon block resource training ads, here’s how to turn it on now fed up with crypto jacking ads, google developments have you covered? Yeah it’s good to good article about you know how you can uh you know reconfigure um or configure google chrome two, you know, not steal your resources. Do you have any more than like just a few tabs open. It seems like memory just gets way out of whack and then you start seeing processors step up and
[01:00:45] Brad Nigh: yeah, I’m definitely going to be uh turning that feature on.
[01:00:49] Evan Francen: Right. Yeah. So if you’re a Chrome user, which I think chrome is by far the most popular, you know, browser in use, read this article and uh yeah, turn on. Firefox already had that mechanism allegedly in place to bring
[01:01:07] Brad Nigh: something to mara
[01:01:09] Evan Francen: block, crypto jacking, but it’s a flag, chrome colon slash slash flags slash pound, enable dash, heavy dash add, dash intervention. This is the future, but you can turn on done easy, yep, easy peasy. So go do that if you’re Chrome user uh unless you like helping crypto miners. All right, that’s it. So never a shortage of things to talk about. For sure. I mean we could seriously talk hours, we could just do this and not even work. Work. Oh,
[01:01:48] Brad Nigh: I mean somebody would probably complain at some point, but it would be really fun.
[01:01:53] Evan Francen: Right, I need to help a lot more coffee.
[01:01:56] Brad Nigh: Yeah.
[01:01:58] Evan Francen: All right, well that’s episode 80 advance security podcast. It’s just about a rap brad. Do you have any shout outs?
[01:02:04] Brad Nigh: Yeah. You know, I was thinking about this and I’m going to give a shout out to the to the team, just how well everybody seems to be handling and just taking in stride all suddenly remote and continuing to work and be productive and you know, taking some initiative when we had customers that we’re not in that position. Um, so we had some open time that seems kind of got moved around of like, okay, I’ve got some time I’m going to make improvements. I’m gonna do this these things. So it’s just so much fun to work with everybody.
[01:02:39] Evan Francen: Cool. Yeah, I agree. I want to get a shout out to the, the daily and sanity checking crew. Uh, just a bunch of really cool people that I, I really look forward to seeing every day. Um, you know, it’s, it’s just water cooler talk right half hour. We just getting around the virtual water cooler and just shooting the breeze and sometimes somebody’s got something more substantial but shout out to that whole crew. One person that stands out in particular in that crew for some reason. Right now my top of my mind is Richie. Mm Rich is pretty sweet man. He’s a cool guy, teaches yoga and all this other stuff and he’s a hacker to just doesn’t just doesn’t come off that way maybe initially, but he is all right. I can’t say enough thanks to our listeners. Crazy. You know how, um, I guess we run into you all over the place and emails sometimes on social media sometimes in person. Even
[01:03:38] Brad Nigh: that’s so weird to have people come up and be like, I love listening to you guys. I was like, really okay, thank
[01:03:45] Evan Francen: you. It is cool. Um, stay safe please. You know this week, let us know how we can help you. We are both brad and I do this because we do love helping people. So send things to us by email at Unsecurity@protonmail.com. If you’re the social type socialize with us on twitter, I’m @EvanFrancen and brad’s @BradNigh uh thinking about coming to the hangout for the daily insanity check in if you need some support or just want to talk or just want to meet new people whatever you want to do, you can always follow them on twitter is twitter as well. That’s at insanity in so I am sanity. I am. Uh there you go. Have a great week.