The SolarWinds Cyber Attack

In light of the SolarWinds cyber attack the US Senate met about the events surrounding the attack and what can be done to prevent it in the future.

In light of the SolarWinds cyber attack (which you’ve more than likely heard of by now), the US Senate met about the events surrounding the attack and what can be done to prevent (or at least reduce the likelihood of) similar events in the future. There were some very interesting witness testimonials, but not all good. If policymakers draft policy based solely on what these witnesses said, we might be in some serious trouble! Evan and Brad recount the hearing and discuss their thoughts on the attacks, the witnesses, the hearing itself, and more.


Podcast Transcription:

[00:00:22] Evan Francen: Welcome, listeners. Thanks for tuning in to this episode of the UNSECURITY Podcast. This is episode 121; today’s date is March 2nd, 2021. Uh, joining me as usual is my good friend Brad. Good morning, Brad.

[00:00:37] Brad Nigh: Morning, Evan.

[00:00:38] Evan Francen: How you doing, man?

[00:00:40] Brad Nigh: Not bad. I’m excited. It’s going to warm up. I saw that we might not have snow, uh, cover by this time next week.

[00:00:52] Evan Francen: That’s cool, man.

[00:00:53] Brad Nigh: I did. Yeah,

[00:00:57] Evan Francen: I, uh, you know, I’m heading for Daytona Bike Week on the third, Thursday, Friday,

[00:01:04] Brad Nigh: Whatever.

[00:01:06] Evan Francen: Yeah. Uh, so down in Daytona Beach, and I booked my Airbnb back in December and got a notice from the owner yesterday morning that she canceled my reservation. Well, I know. So I’m like, what the hell? How could... And there’s no recourse, you can’t do anything. They give, you know, you get your money back. But yeah, but there’s a reason why I booked in December, because now it’s all going to be booked up.

[00:01:43] Brad Nigh: Right, and anything else is gonna be more expensive. Right? Report that, that it seems shady.

[00:01:51] Evan Francen: Well, I am going to report that. I’m actually gonna send her a bill too, for... I got basically the same resort. Um, but I, it took me, I spent $5 trying to find a new place to stay, because, you know, there’s like 500,000 to a million people that go to this thing. And so I’m trying to figure out, you know, I’m checking everything and I finally found a place. It’s going to cost me like $3,300. And the one that I had had before, it was like 2,500.

[00:02:25] Brad Nigh: Wow.

[00:02:27] Evan Francen: Right? And so it’s like, crap, man. I mean, that’s 800 bucks. And, uh, and it takes like five days for them to reverse, you know, for them to replace you. So I’m not, like, you know, it’s like, because I don’t take, like, I don’t take, like, big-time money out of the company. You know what I mean? I try to live on a, on a salary like everybody else. Right? Yeah. Yeah, that makes things tight.

[00:03:00] Brad Nigh: That’s real money.

[00:03:02] Evan Francen: Yeah. So I was yesterday, but, you know, it’s going to be like 70-something down there, so, and I guess I’m not gonna complain.

[00:03:09] Brad Nigh: No, wow. That’s, that’s... We had a better experience last year. We were going to go down to the Fort Myers area for spring break and COVID hit, everything got shut down, and so we reached out and the owner refunded the money and turned it around, like, within 24 hours.

[00:03:32] Evan Francen: Nice.

[00:03:32] Brad Nigh: So definitely, we had that bookmarked. Next time we get to go, we’re gonna use them again. I mean, that’s good customer service.

[00:03:41] Evan Francen: Yeah, for sure, man. The cost... this cost 800 bucks. And, you know, we got like seven people going and I’m not going to, I’m not going to church that more. I’m gonna tell him. Yeah. They only distress it. So my thoughts. Yeah. I pissed away five hours this day and, you know, I don’t really have five hours to piss away.

[00:04:06] Brad Nigh: No. No, I’ve seen your calendar.

[00:04:10] Evan Francen: Yeah, I was. Yeah. You should see the messages I was sending back and forth, because, anyway, I’m not going to get you too much about it. So we’re working on a bunch of stuff here. You know, I know you are. I am. One of the things I’ve been working on is, I still have been working on the book and I finally put it on my calendar. So now we’re gonna get, we’re gonna see some acceleration, good, um, on the vCISO handbook. Blocked three hours every morning. The flower. Well, you have to get this up on amount of, if any of the listeners have written a book before. But, um, if you just kind of, like, do it when you have free time, you never have free time,

[00:04:54] Brad Nigh: Right? Yeah, you do. Well, I think that’s with a lot of this stuff we work on. It’s, I know if I don’t block it on my calendar, things happen, things come up, I forget about it because other stuff is happening. So.

[00:05:10] Evan Francen: Yeah, so we’ll see some acceleration on that. I’ve been working on S2Org R3 using the new CIS Controls version 8. I’m hoping they don’t, like, totally change, because they’re not, like, released released yet; they’re in the workbench. So if you go to CIS, any listeners want to participate, anybody can go to the CIS, you know, go to their website and sign up for the workbench, and there you can see kind of the discussions that are ongoing about the latest version. It used to, way back when, it used to be the SANS Top 20 and then it became the CIS Top 20, then it became the CIS Controls. So it’s going to be, looks like, 18 controls this year, but I’m breaking it down, you know, for consumption, right, in the S2Org tool. So this will be revision three of our content, and I think I’m like 140 controls in and I think I just finished, uh, number eight.

[00:06:22] Brad Nigh: Yeah, I’ve got, whatever, 300-something for the CMMC.

[00:06:31] Evan Francen: Uh, so I thought the hardest part was going to be doing this first part where we take the core, you know, control frameworks and sort of, uh... it’s gonna be harder to push them together, isn’t it?

[00:06:43] Brad Nigh: Yeah, I totally... I was looking at the notes that I. R. S husband is 300-something. The CMMC is like 175, 176, something like that. But yeah, it’s gonna be interesting, because, well, I mean, CIS is not holistic. Look, it’s good, don’t get me wrong, but it’s focused very much on the technology, really outward facing, right? Um

[00:07:14] Evan Francen: Well, the new, the new controls in 8, it, uh, it gets, it gets tougher for him.

[00:07:21] Brad Nigh: That’s good. And again, I like the CIS. I don’t, I don’t want to sound like I’m being negative, but it’s not, the current version is not holistic, but I don’t think it ever claimed to be. Uh, but then you’ve got, you know, CMMC, that has a completely different set of requirements to pass. It’s not really true/false. It’s “do you have two of these three things”; the different levels have different requirements around it. So it’s gonna be really interesting to see how this turns up. It turns out okay. And see the different people’s take on it. I’ll say I was really happy; I’ve been working with the consulting team, the vCISO team, and they sent over there kind of their wish list and contribution to it. So I stayed out of the process with them. So I didn’t have anything, like, I didn’t have any influence; this is all of them. But I was helping, like, kind of guide Megan and tell them in terms of, you know, what to do and things. So I was really happy to see that come over.

[00:08:32] Evan Francen: I was happy to see that come over too, until I realized it’s more work for me to do.

[00:08:37] Brad Nigh: Well, there is a

[00:08:38] Evan Francen: Mhm. I did like it too, though. It was really cool. It’s, uh, what I got, I got it open here, maybe six pages of just, you know, suggestions and ordering of controls and such like that.

[00:08:53] Brad Nigh: Well, and what’s nice is it kind of... but it’s like suggestions by the people that by far have done the most of these. Right? It’s right.

[00:09:04] Evan Francen: Yeah, it’s good. It’s definitely good advice. These are things, you know, you, you only wish you had, you know, until you have them. Doesn’t, kind of like, wish you didn’t, because it does make more work, but it makes it, it makes it, it makes it so much better, man. I mean, and certainly the end result, people receiving the assessments, it’s night and day. So I’m excited to work through that. That’s good. You’ve been working on an IR assessment, an incident response assessment,

[00:09:35] Brad Nigh: Maturity assessment. So it’s pretty much done except for that final scoring piece, to make it into the S2 score. Uh, and then some, like, figuring out math around retention times and how that factors into the score, but for the most part it’s true/false, with, like, hey, how long do you keep your backups? Are there three months, 3 to 6, 6 to 12, 12-plus? And so, yeah, 12-plus gets full credit and then you get progressively less as it goes down. But it’s, for the moment, I mean, it’s completely functional. Just you don’t have that final score at this point, but. Mhm.

[00:10:20] Evan Francen: Very cool, man. I’m excited to see that. And, uh, now, you, if you guys, has the team already taken that and applied it or used it a couple of times, at least the content, right?

[00:10:29] Brad Nigh: Yeah. Yeah. So the first time we did it on ourselves, so the IR team interviewed me, uh, as a FRSecure representative, which was interesting considering I helped create it. But it was in that that we realized that how we had things worded and kind of the ordering was, it needed some tweaking. So it’s, that’s always good. You never know those things until you’ve done it. Yeah. And then we’ve done it, with those changes done, on two customers. Hustle.

[00:11:06] Evan Francen: Yeah, awesome, awesome. Did I tell you anything about the Great Matter Society?

[00:11:10] Brad Nigh: You know, I was like, what is that?

[00:11:12] Evan Francen: What is that? It’s another one of Evan’s harebrained ideas. It, uh, so you know, on the, on the Shoot Show that we do every Thursday night, we talk about kind of some deep stuff sometimes, and one of the questions I have posed, we might even have talked about it here briefly, was, you know, what’s at the root of all information security industry problems? Right? So that’s a good question, you know, to drive a whole bunch of conversation, and through all that conversation we had a bunch of really good ideas. Like, first of all, we just assume that there is a problem. Well, depending on what perspective you look at it from, it may not be a problem at all. Right. If you’re, if you’re a vendor who is selling security stuff, I mean, acrimonious was just, I think, valued at $1.2 billion yesterday; it’s like, well, nothing broken here, brother. You know, we’re doing fine.

[00:12:06] Brad Nigh: Yeah.

[00:12:08] Evan Francen: You know, so, but anyway, that, that whole discussion, and then we realized that we had some really good ideas on how to fix things, certain things. Yeah. But what we don’t have is a good place, a good forum where we can talk about solutions to difficult problems and then vote on those things and really have a voice together. Um, you know, because I’m one voice, man. You’re one voice. You know, you get 1,000 of our voices, then maybe we can effect some change, instead of maybe the Senate hearing, which we’re going to talk about today. Uh, you can go to this place and say, well, this is how we should do policy, you know, what have you. So really a think tank, I think.

[00:13:00] Brad Nigh: Okay. Yeah, I know you’ve, we’ve talked about that before. I didn’t, I didn’t know what, when I thought at the buddhist. Yeah, really, there’s definitely room for something like that.

[00:13:17] Evan Francen: Yeah. And we, and we’re gonna stick to, you know, just like we do at, you know, the companies you and I work for, where you stick to the mission, and we’re gonna have strong core values and we’re not going to deviate from those core values. So if you can’t, if you’re coming to participate in this think tank because, you know, you want to make a big name for yourself and make a bunch of money or influence decisions on behalf of some certain technology that your company sells, no, that’s not gonna work.

[00:13:46] Brad Nigh: Yeah. Oh, and, uh, people, based on our experience, uh, it was kind of self-policing, self-moderating, uh, to a good extent, because so many people are just tired of constantly being sold to. Right? Just, that’s not, that’s not the point.

[00:14:09] Evan Francen: No. Exactly. And, and oftentimes you’re either being sold a bill of goods, you know, uh, we joke about it, you know, AI, everybody’s got AI but nobody’s got AI, you know. So either being sold a bill of goods, being sold products that can’t do what they promise that they will do, or the products that you can’t use anyway because you don’t know how to or you don’t have the manpower for it.

[00:14:38] Brad Nigh: I think that’s probably the bigger, more common issue. Buy something that, in theory, would be great, but it’s not configured properly. I mean, how many times in an IR have we heard, wow, I thought we, we spent all this money and we have all this technology. How did this happen? How did we not know? Right, because it wasn’t properly, not catching everything.

[00:15:03] Evan Francen: Well. Right. And what people don’t realize is, when you do those things, you actually make things more vulnerable, because now you’ve got another product in your product stack or you’ve got another set of applications that you need to patch, and you don’t even know how, you know, you don’t know how to configure it. Well, vulnerabilities typically come in two flavors, right? It’s missing updates and patches, or, meaning that there’s a software flaw, or you didn’t configure it well.

[00:15:29] Brad Nigh: Well, and I think, yes, there is that security piece, but also the bigger issue to me is it gives people a false sense of security and they stop paying attention. They’re like, well, we’ve got this in place, I don’t have to be as vigilant, it will alert me, and that’s not the case.

[00:15:48] Evan Francen: Yeah. Very true. Good point, man. Yeah. All right. Anything... Oh, it’s your week next week, if you can think of a guest. I don’t know, guests are kind of fun because it mixes things up a little bit, just a little bit different.

[00:16:03] Brad Nigh: I’ll think about that. Yeah, I like having the guests because, exactly, it does give a different voice and perspective.

[00:16:11] Evan Francen: Yeah. So do that? Anything, anything else? Do that. FRSecure, SecurityStudio, I think, exciting.

[00:16:20] Brad Nigh: Just, I mean, it’s crazy busy, good. Um, so yeah, I’m working on the S2Org CMMC stuff. The IR assessment is pretty much wrapped up, and then, uh, doing a NIST maturity update, uh, kind of re-, redoing that based on some new guidance that we’ve seen come out on how it should be done. So, um, kind of combining the, uh, uh, I saw a five-step people, process and technology with the NIST four levels of maturity. Okay. Writing controls and scoring and all that fun stuff.

[00:17:07] Evan Francen: Nice. That’s the one, that’s the one for Bluegrass. Yeah

[00:17:11] Brad Nigh: That’s what’s driving it, but I’m doing it in a way it’ll be useful for anyone. We’ve had, you know, multiple larger clients say, I want a maturity assessment, not the risk assessment, which is, like, whatever. I don’t necessarily always agree with it, but, you know, if, if that’s what they want, it is a valid thing. It’s just, you know, we always, the fun part is we always map that back to the S2, give them the score, and, and whatever that happens, they’re always like, I love this. Yeah, you’re not just doing this. Yeah

[00:17:47] Evan Francen: Exactly. Yeah, that’s correct.

[00:17:51] Brad Nigh: You know, if they’re being required to do it in a certain way. All right

[00:17:57] Evan Francen: But that’s kind of the point, right? I mean, in our industry anyway, we’re so just shoveled in the way we talk about security, the way we talk, the way we quantify risk, the way we do assessments, the way we, I mean, we talked about CMMC, we talked about CIS, you think, talking about NIST, you know, whether it’s one of the special publications, SP 800-53, or the CSF. You talk about COBIT, you talk about, so, I mean, it’s like, my God, you know, let’s just figure out a way, perfect, because it will never be perfect. Right?

[00:18:33] Brad Nigh: But at the end of the day, I mean, if you look at all of those, they’ve got to be 90, at the end of the day, the same.

[00:18:43] Evan Francen: I know, right.

[00:18:44] Brad Nigh: But it’s just different approaches to how they’re looking at the exact same controls, and what the, you know, recommendations are, are different. Right.

[00:18:56] Evan Francen: Right. And I think we get wrapped around the axle a lot. Just certain... I mean, I’m finding myself do it every time I work with controls. You know, I’m finding myself do it with the CIS, you know, controls. You take the CIS wording and then you make essentially refined controls, because their wording sometimes is somewhat... they lump, like, a whole bunch of, like, three or four controls into one statement. It’s like, that should be three, four statements right there.

[00:19:24] Brad Nigh: Yeah. I will say the nice thing with CMMC is, is it is pretty clear, um, and they have good guidance on those. So it’s just a lot of work kind of pulling all this stuff together and clarifying, and, you know, hey, here’s, they have this recommendation that doesn’t necessarily... Yeah, you’re just rewording stuff. So yeah.

[00:19:50] Evan Francen: Uh, reminds me, one more thing. I’m reaching out to, uh, I’m gonna reach out to some colleges here; it’s not like number one priority, but reach out to some colleges to put together that, you know, I talked about, you know, how we secure critical infrastructure. You know, I take, like, water, you know, treatment facilities, for instance. Just give them two things: identify your externally exposed systems, IP addresses, and either close them down or secure them with multifactor authentication. If we just did those two things, say, in the next 12 months across the entire country, how much better off would we be? And so I’m reaching out to the University of Minnesota, their Technology Institute, their master’s program for security, and a few others, to try to get some... what a great project it could be, you know, to work with other students from other universities and colleges and get to work on this, go solve this thing.

[00:20:56] Brad Nigh: Yeah, that would be cool.

[00:21:00] Evan Francen: Yeah, so that’s coming too. But it was just too much stuff. I gotta stop being that. I wish I, sometimes, you know, uh, ADD is like a superpower. Sure, sometimes ADD will put you into an early grave, man. I’m kind of like, I’m on the edge right now, so I gotta get back to be like, hey, I’m just gonna focus on something now.

[00:21:20] Brad Nigh: Yeah.

[00:21:22] Evan Francen: Funny. Mhm. All right. So let’s talk about last week. Yes. You know, I’m not sure how many people realized, you know, even in our industry, that there was an open hearing on Capitol Hill; the Senate held an open hearing, and the hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary.” And really this was about, or came about from, you know, the SolarWinds attacks of, you know, late last year, and, you know, still on, still ongoing, uh, today. And part of this was, so you have this committee, the Intelligence Committee, and then you had, and the link, if you want to find it, is, you know, in the show notes, the website. They had four witnesses. They had invited five, but one declined. So Kevin Mandia, the CEO of FireEye, was one. Mhm. Sudhakar Ramakrishna, the CEO of SolarWinds, Brad Smith, the president of Microsoft, and George Kurtz, the president and CEO of CrowdStrike. So you got some pretty heavy hitters, you know, in this committee. Uh, the one who declined, which I thought was really interesting, I don’t know why you would make this decision, because they were called out at least, what, five, six, seven times? Maybe 10 times.

[00:23:03] Brad Nigh: Yeah, it was like one person started it and then everyone else was like, I’d like to add my support, wondering why this didn’t happen. So pretty much every, I think almost every senator on that committee called them out.

[00:23:16] Evan Francen: Yeah, so Amazon Web Services didn’t show up. They were invited, they didn’t show up. Uh, it didn’t seem like any of the committee members knew why; it was just declined, which is really kind of crappy, because AWS was used in carrying out the attack. AWS, um, Amazon has not been forthcoming. So there’s some articles that are linked to also that, that sort of cover what Amazon’s role is in any of this, but it’s a really, really important role. Their infrastructure played a huge role in this.

[00:23:55] Brad Nigh: Yeah, I get it. It’s a tough spot for them, because how would they have known this? Right, nobody else. So I get them going, what do you want us to do? Nobody else knew about it. But at the same time, you typically don’t want to piss off senators.

[00:24:14] Evan Francen: Well, and this was, this was a committee hearing; it wasn’t, you know, a hearing to put blame, so Amazon not showing up almost makes them exposed for blame.

[00:24:26] Brad Nigh: Oh, it’s, like, like I said, they definitely did not put themselves in a good light. Well

[00:24:34] Evan Francen: No, so, for our listeners, if you wanted to go, uh, watch or listen to, um, the committee hearing, it was about 2.5 hours long.

[00:24:46] Brad Nigh: It was, it was long. There was really a lot of interesting stuff said and a lot of things that I did agree with, especially from the, the witnesses, which probably isn’t surprising, but since it kind of validated our thought process and how we do things, to hear, hey, this is what you should be doing, we were like, yes, we’ve been preaching that for years,

[00:25:10] Evan Francen: Right? Well, one of the things that’s good about being on, you know, us working together, not just, you know, here on the podcast, but, you know, in other work, it’s just the different perspectives, because I think I was disappointed in a lot of what they said. I was also, also, you know, there was, there were valid points for sure. But the one part that, in the middle of the, the hearing, or about, now, or 22 minutes in, is that exchange with Senator Wyden. Yeah, he’s a Democrat out of Oregon, I think. Thanks. So where essentially he’s like, okay, first of all, Orion doesn’t need internet connectivity to operate. He picked up on that, or somebody advised him on that, which was like, there you go. So we validated the least privilege principle for sure, because, you know, people weren’t... the IRS of all places, believe it or not, was blocking, uh, internet access, you know, from the Orion system, and they didn’t have any issues.

[00:26:24] Brad Nigh: Right. Well, you know, so one of the interesting things, I think, that kind of ties into that is I didn’t realize that there was that information-sharing block in place between the different agencies, right? Like, uh, what? Yeah, it feels like everyone should have been doing, like, the same thing, and not, they’re not, each agency is doing it their own way, which really surprised me, but it probably shouldn’t have, but

[00:26:55] Evan Francen: It’s crazy, man. Well, the government has become so big, so complex, you know, I think that was a big reason around, you know, maybe FISMA and some of the other types of things they’re trying to do at the federal level, to try to get them to play by the same rules. Yeah, we’re not doing that for the most part,

[00:27:16] Brad Nigh: But yeah, going back there, Wyden definitely had a good point and said, you know, the IRS had it where it wasn’t connected, or it was blocked so it couldn’t communicate, so they didn’t get reached. Right? Why didn’t everyone do that?

[00:27:31] Evan Francen: Yeah, well, and that’s the thing, man. I mean, you have a tool, right? No matter what tools you’re using, right, take, like, construction, you have a saw, right? You use the saw correctly. Hey, there’s, you know, what materials you can go through, cut through, you know, you wear your safety stuff, and, I mean, you use it correctly, right? In the digital world, you have a firewall; the firewall that’s used correctly is a really effective tool at what it’s designed for. So his question was essentially, you know, Orion doesn’t need any internet connectivity, period, to operate. Uh, so if it was isolated, there would have been no communication back to, uh, you know, the perpetrators in this attack. Mhm. So there would be no command and control, because there would be no communication. So that point was really well taken, and then he went down the path, and so he confirmed that first with, you know, Mr. Ramakrishna of SolarWinds. And then the second thing he said was, you know, we have these things, these standards; basically NSA recommends that organizations only allow traffic that’s necessary for operation. And NIST, you know, that’s the same sort of thing. So we’ve got, you know, going back to all this crap that we, we were talking about, you’ve got all these standards, right? Here is definitely a place where there’s overlap. You only allow, so, with default deny. Now, the old way we used to say it, for people who speak the old language, blacklist, right? We’re blacklist and whitelist, so you whitelist, meaning you only permit the traffic that’s authorized, right? It’s zero trust, but, like, the real zero trust, not some crap I’m trying to sell you

[00:29:26] Brad Nigh: Right? Yeah. You know, I liked... Yeah, well, I like, uh, and his answer in that, you’re

[00:29:40] Evan Francen: not gonna, just, that’s cool,

[00:29:41] Brad Nigh: But it comes, it brings about a bigger issue, right? So his answer was “depends,” right? In theory it’s the sound thing, but it’s academic, and in practice it’s operationally cumbersome, which means the businesses aren’t willing to do what’s right, because they’re like, well, that’s just too much work and it might cause slowdown, so we’re not going to do the right thing. And that’s, to me, the bigger issue. And I agree. I think, you know, reading it, I kind of think he was agreeing but saying, yeah, yeah, that’s great, but nobody actually does it. It’s not practical, and that’s the problem. Right?

[00:30:24] Evan Francen: Well, the thing that, so, you know, Senator Wyden had asked, you know, basically, you have these standards and you do the default deny, would that have essentially mitigated the attack? And he asked the question, and he used a lot, a lot more words than that, but that’s what his question was. And then he asked each one of the, uh, witnesses to give a yes-or-no answer, right? And, and so then, you know, Kevin Mandia is the first one to answer. And first, you know, I get where he’s coming from, for sure, but he says, it depends. Well, that, that wasn’t one of your options; first of all, yes, yes or no. And, and one of the things that irritates me, just about people in general, man, and maybe I’m just getting old and, you know, grumpy and it’s time to put me out to pasture, but, mhm, follow instructions. You were given the instruction, yes or no; give the answer, yes or no. So if it depends, well, then it’s a no. Yeah, because what the question was is: a properly configured firewall, one that’s set up with default deny, only permitting traffic that’s required for operation and authorized, would that, would that have mitigated the attack? Yeah. So Kevin, so Kevin inserted the subjectivity by saying it depends; that wasn’t the question. What you’re saying “depends” for is because you’re, you’re, you’re interpreting this question as a firewall, a firewall, not a properly configured firewall, because the answer is absolutely 100% yes.

[00:32:10] Brad Nigh: Well, right, I agree. But I can, I can see, based on experience, going, yeah, I would, but nobody does it. So it’s

[00:32:23] Evan Francen: That’s another question. Right? It’s not a question,

[00:32:27] Brad Nigh: But it gets a, it was a good point to bring up.

[00:32:31] Evan Francen: I agree. And if you, if you want, if you would have said so... the question was, would a properly configured firewall have mitigated this attack? The answer is yes. But

[00:32:43] Brad Nigh: Yeah, I think maybe, uh, Mr. Kurtz’s answer was, reading through it, uh, may have been a better response. Uh, and he had the benefit of not going first, right? So you got to hear what the other people said and the senators’ reaction, but, you know, he said, yes, and I would say firewalls help but are insufficient. There isn’t a breach we’ve investigated where the company didn’t have a firewall or antivirus.

[00:33:07] Evan Francen: But again, he didn’t answer the question. The question wasn’t a firewall. The question was a properly configured firewall,

[00:33:15] Brad Nigh: But I think, well, how

[00:33:17] Evan Francen: often have you gone into a properly configured firewall?

[00:33:20] Brad Nigh: The problem, right,

[00:33:22] Evan Francen: Bingo. That’s where, but that’s where we should have focused. That’s where it would have been nice to take this: why don’t people have properly configured firewalls?

[00:33:32] Brad Nigh: Oh, 100%. I’m like, we

[00:33:35] Evan Francen: have the technology. What we don’t need is more damn technology,

[00:33:39] Brad Nigh: Right?

[00:33:40] Evan Francen: You already have the tool. Learn how to use the tool.

[00:33:43] Brad Nigh: And I think that’s the point that Mandia and Kurtz were making, is they’re there, but nobody’s using them properly? I

[00:33:52] Evan Francen: don’t even, I don’t even think that’s the point they were making, because if that was the point you were making, you would have said yes, but, rather than it depends and then go on to say the bottom line is this: we do over 600 red teams a year; firewalls have never stopped one of them.

[00:34:08] Brad Nigh: Well, and, and that, that was, uh, yeah, I didn’t think he went, he missed the point on that one for sure, because it wasn’t about getting in. He was saying, hey, if they had egress traffic filtering enabled, would that have stopped it? And that wouldn’t necessarily stop somebody from getting in, but it would stop it from communicating back out and continuing. So I agree. I think he missed the point on that statement for sure.

[00:34:38] Evan Francen: I didn’t like his analogy about a gate guard outside the New York City apartment building, blah blah blah, because what you did is you distracted from the root of the problem. You finally got to it, sort of, at the end, but not in a clear enough manner that anybody... I think most people probably didn’t catch it. Yeah.

[00:34:55] Brad Nigh: Yeah, I can, I can see that. I don’t, yeah. I don’t know.

[00:35:00] Evan Francen: I don’t want another damn tool. I know the tool that works.

[00:35:05] Brad Nigh: Yeah. Like I said, the way I took both his and, and Kurtz’s was, was to say that, yeah, the technology is there, but it’s not being used properly. No, they didn’t, they didn’t say it. If they had said that specifically, yes, it would have helped, but nobody does it, that would have been the right answer.

[00:35:24] Evan Francen: Well, knowing, knowing CEOs of very large multibillion-dollar companies that just love the money, there’s a reason why they didn’t answer as clearly as you and I would have answered it, because the answer to the question, yes or no? Yes, absolutely. A properly configured firewall, according to what the NSA and the NIST put out as guidance, meaning a default deny, would have mitigated this particular attack. Could you have potentially gotten around it? It would be a lot more difficult.

[00:35:56] Brad Nigh: You know this is what I love doing this because it does make you look at things in a different way. And it’s interesting. Now looking at it and having some time to chew through it. The only one of the four witnesses that, you know was very straightforward is the non security company.

[00:36:16] Evan Francen: Exactly. Ramakrishna was like, yeah, the

[00:36:21] Brad Nigh: standard help. Yes.

[00:36:23] Evan Francen: Yeah. Thank you.

[00:36:26] Brad Nigh: Where is? Yeah, I get that.

[00:36:30] Evan Francen: Yeah. I grew up in a military family where my father gave me that you have an option to options Evan yes or no. I answered yes or no.

[00:36:41] Brad Nigh: Right.

[00:36:44] Evan Francen: Yeah. That’s a, that’s a very simple binary. Uh, you know,

[00:36:48] Brad Nigh: and you know, the one that I didn’t like was Brad Smith’s answer. God, he’s like, yeah, it depends because what he said, he didn’t even add any justification, right? Yeah. At least Mandia and, and Kurtz gave, you know, some justification for their thought process. Why did they say this? So, I mean, I give them credit for that. Even if they answered it wrong, at least they, you know, put something out there. Right?

[00:37:22] Evan Francen: Right. Yeah. So I would have, I mean, I, there was a lot of that sort of innuendo sort of stuff in the testimony where when we have the opportunity to hijack a PR thing or a sales pitch almost they took that, it seemed like they, a lot of times they took that opportunity.

[00:37:48] Brad Nigh: Oh yeah. I didn’t think, uh, Brad Smith was the worst that they did that by far the most pushing, well, we’ve said everyone needs to go to the cloud and get rid of their on-prem yeah, because you want to charge a subscription,

[00:38:04] Evan Francen: right? Yeah. Would you tell me how that has anything to do with mitigating attacks? Right? This type of attack

[00:38:15] Brad Nigh: now? I will Yeah, true because they didn’t catch it either. Right? But and I will say this there is a benefit for using cloud hosting because I guarantee you Microsoft has more resources to look for this stuff and be aware of it than most companies but at the same time that’s the that trust transfer, are you willing to put all your trust in them? Because at that point you don’t have a lot of the control anymore. So

[00:38:51] Evan Francen: you and the way in the way that stuff Mhm. Like my stuff in my world is everything to me, my stuff in somebody else’s world is a very insignificant part of their world. So you know, Yeah. You know I’m a you know take a bunch of marbles and put them in a bin. I’m just one of those marbles in my world, that marble is all I am right, this is me this, I’m going to protect this thing as much as I can. At least I care about it. I mean I know how to protect it, but I care about this thing when you put it into a you know a big bucket like Microsoft and one of the one of the marbles falls out of the bucket in that context. It’s like a big deal. They have all these resources and everything but that marble that happened to fall out was my marble.

[00:39:41] Brad Nigh: Well, and you know, how many times have we seen a data breach where it was a misconfigured, you know? Mhm cloud based solution either hosted by Azure or AWS and you know, you’re still responsible, but now you’re putting it somewhere where maybe you don’t have the expertise to make sure that it’s done correctly versus on-prem where Yeah, you can put a firewall in place and isolate it, make sure you can talk to the internet as opposed to we have to have it open to the internet to be able to communicate.

[00:40:20] Evan Francen: Yeah, one of the wisest pieces of advice and I’ll keep living with it, man, this that’s it, it will always hold true, you know, the worst enemy of security is complexity. Mm right, You know, and so the last thing I want to do is add more stuff to it already have tools, if anything I want to remove tools from my environment.

[00:40:44] Brad Nigh: Yeah, yeah, simplify Well, you know, that’s again, not to say that there isn’t a use case for it, like there 100%, but do people truly understand the risks when they’re doing that and I don’t think the majority of people do and you know, that that leads me to one other thing I wanted to say was, uh, it was interesting listening to this, you know, senators talk and some of them, I mean they were clearly well prepped by their staff, but you could tell they didn’t really get some of the answers just by the way they were asking follow ups or, you know, their responses, right. Um, but overall I thought all the witnesses actually did a fairly good job of not talking over them with, you know, super technical speak. It was understandable. Mhm. Which is a pretty impressive thing when you’re talking about something this complex,

[00:41:50] Evan Francen: Right? one of the things that, that’s frustrating too is when you talk about, you know, how, how seriously people take security. One of the first things they go to is how much money they spent. So you know, and Wyden hit on it and they were hitting on it numerous times in the committee and you’ve seen calls all over the place, we need more funding, need more money, need more money, need more money for cybersecurity and they don’t, what you need to do is to need, you need to learn to use the shit that you already have. Well,

[00:42:24] Brad Nigh: yeah,

[00:42:25] Evan Francen: The manual, the one RTFM. RTFM.

[00:42:28] Brad Nigh: Yes, who does that? Um, I would say the one thing that I like I did it and this is obviously another could go down a whole another rabbit hole, but was Brad Smith saying we need more, we need to invest in colleges and technical colleges, getting more security people out there, we’re outnumbered and have to, you know, are constrained, We talked about this. We have to play by the rules. The attackers don’t, they don’t care, you know? And so yeah, we need more people. And I liked that call and getting that kind of, the way it was phrased. I don’t remember how it was, but like investing in college programs to get, get something, get more people, get more access for people to do this,

[00:43:22] Evan Francen: you know? And well, yeah, and I think it’s, I don’t know, man, I’m not a big, I mean, I get that and I am a big fan of, there are so many college programs anyway. Most lot of people can’t afford them. I think you’ve got to go all the way back to, you know, K-12. This is a life skill.

[00:43:39] Brad Nigh: Yeah. Well, and yeah, take it a step further, right? Like let’s get this type of stuff going into school,

[00:43:48] Evan Francen: right? Don’t they say like rising water raises all ships or whatever.

[00:43:53] Brad Nigh: Uh, I don’t know. I don’t like that.

[00:43:57] Evan Francen: Well, so like if you take an entire population and you improve their skill level, it raises

[00:44:03] Brad Nigh: everything that makes sense

[00:44:06] Evan Francen: because right now in, in the general population, there’s so, I mean there’s just so much ignorance. So, you know, and we did something with, uh, well, and obviously I’m telling my own, our, our own idea right with S2Me, but if everybody did just that or do something, I don’t care. It could be ours, it could be whatever. I mean ours is pretty so there’s no motive to it, it’s just whatever. If everybody had an S2Score to just start up, how much would that raise the awareness of security in our country. And let’s say we tied some sort of, you know, because people like their gratification, they like their rewards, they like something sadly too often I like something for nothing. Um But you know, I mean I think it’s something like that that needs to elevate everybody right? Because lot of the things that they’re teaching in colleges, I was I was telling you about University of Minnesota lot of the things are teaching you in like the curriculum is like stuff that a lot of that you probably should have already known before you even got

[00:45:27] Brad Nigh: Yeah. Yeah. Yeah, unfortunately that’s not the case.

[00:45:32] Evan Francen: Yeah. So I think I agree with, you know what Brad Smith said, we do need to invest in more security people in our industry, but I think you’ve got to start like we gotta get everybody

[00:45:43] Brad Nigh: better. Yeah. Well I mean it makes sense because I mean look at all the kids now have an iPad or a Chromebook or something. I mean kindergartners. Uh there needs to be something starting in kindergarten even. Yeah, for sure and then that goes back to, you know, the teachers that maybe don’t understand it. So how do we educate them? So they can provide good content and yeah, it’s a, there’s a lot of work to be done

[00:46:18] Evan Francen: and parents, because parents also don’t know a lot of these things, right? I didn’t grow up with computers, but I was in kindergarten, I didn’t have a computer.

[00:46:26] Brad Nigh: No,

[00:46:27] Evan Francen: she saw, you know, this is all new to me. So I think I understand what my kindergarten is going through when they’re working with a computer, but I didn’t live that, right, You know? And I may not even, I mean I may have a blue collar job, but I don’t work, I don’t work a lot with technology then what, you know, now my kids probably had a disadvantage, you know? Yeah, like you said.

[00:46:53] Brad Nigh: Yeah, So uh, here, here’s my going off on a tangent, but I was looking through it. Uh, one of the things that’s about was what was the process for uh Sudhakar Ramakrishna, like when did he get offered the job? Did he take it knowing that could happen? I was trying to find that and I couldn’t find it, but I mean, he started in January, so that’s a, you’re taking on a lot as stepping into CEO with all that going on,

[00:47:25] Evan Francen: you know what a great opportunity because one, you can point blame it, They, I mean there’s going, even if you don’t point, oh, there’s this, there’s this implied like, yeah, that’s that was he did that I’m here

[00:47:37] Brad Nigh: to fix this, right? Yeah. He definitely has a phenomenal opportunity. But at the same time it’s a, I mean, they had,

[00:47:48] Evan Francen: and I would have negotiated a healthy raise or healthy, you know, bonus structure or something.

[00:47:53] Brad Nigh: Oh, I’m sure Saltman, please,

[00:47:57] Evan Francen: I’ll take the job sure. But you know, whatever we had for a bonus, let’s double that.

[00:48:03] Brad Nigh: Yeah, Yeah. I would assume something that the higher profile was not a last minute thing that had been in the works for a while, right?

[00:48:17] Evan Francen: He hasn’t even updated his LinkedIn profile yet. It still says

[00:48:21] Brad Nigh: Pulse

[00:48:23] Evan Francen: secure.

[00:48:24] Brad Nigh: That’s funny. Yeah. Because that not broken. Broken like December, right? Yeah. So like three weeks before he started the job, there’s no way he knew prior to accepting it. You don’t CEOs don’t take a good gift to his notice. Alright. People a little bit longer of a transition.

[00:48:48] Evan Francen: Yeah. Yeah. But I did like I like this testimony probably the best because he came off as very honest. Um, he took instruction extremely well. I just thought it was, I liked, I didn’t feel like there was another agenda with them,

[00:49:04] Brad Nigh: I think. Yeah, exactly. What I think realistically, I mean, he had the most at stake. It was their company’s product that got breached the rest of those people found it and we’re impacted by it. But it was there things. So yeah, yeah, I think he did a really good job of, okay, here’s some of the things, here’s some of the changes we’ve already made. What,

[00:49:27] Evan Francen: But I think I found it interesting too, that this was in the FireEye environment for a while before they, before they noticed it months. All right. Because I think, you know, I I think FireEye is a great company. I don’t want it to come off this way, but I’m also not enamored by, well, you know, I’m not easily like wowed in a lot of these things. Uh, because I still believe until until there’s kind of something to take us somewhere else. FireEye sort of stumbled on it.

[00:50:03] Brad Nigh: Oh, yeah.

[00:50:04] Evan Francen: Or when they stumbled on it, it I still believe that it was on purpose. The Russians or whoever’s behind it. It’s the Russians, we should just say it. I don’t know why we keep playing that game. I know, but they’re not saying it in the in the federal government, you know, with the Senate hearing and all that stuff. Remember they were like,

[00:50:25] Brad Nigh: no, they said it was the Russians, they were arguing about how to classify it. They didn’t say it was Russia, right. You know? Yeah. Well, I think that this goes to show it could, this is what we talked about, it can happen to anyone. It’s not a matter of if it’s a matter of when if people are really wanting to get in, they’re going to get in, right, and you know, there’s there’s nothing you can do to, you know, you can do as much as you can to push it out and minimize the impact. But if you have a nation state coming after you, it’s just a matter of time,

[00:51:06] Evan Francen: Right? No, for sure, because it may not be technological either. Let’s say you did have that properly configured firewall with and there was no communication vector back to an attacker in Russia. Well then I’ll come physically or they’ll get something uh figure out they’re very crafty. Right? It’s just like the same thing we did with Stuxnet, that was a very difficult environment to get malware into, you know, and if you if you if you watched or read the story about how that happened, I mean they recruited quite a few people, to finagle its way into that environment,

[00:51:45] Brad Nigh: right? Yeah, I mean it that was a really good uh example of being extremely crafty changing the speed without changing the display. How do you catch that? Like you don’t until you go, what is going on? Why does this keep failing?

[00:52:10] Evan Francen: Well, I, I do think that this was certainly a sophisticated attack too, but I don’t think it was super ultra, I mean sophisticated, they had, they had time on their side, they were patient, they were like any really good attacker that was focused on a specific mission and operation, you know, take your time. We’re in no rush.

[00:52:32] Brad Nigh: Well, and I thought, I think it was uh, Kevin Mandia that was saying it because some of the senators were like, well why didn’t they just burn it down and get out or why did they keep staying in? Well, because that wasn’t what they want. They didn’t want to burn it down. They wanted persistence, they wanted to continue siphoning data. So why would they didn’t want, yeah, they didn’t want to make a big stir.

[00:52:59] Evan Francen: Well, I think this is chess playing out on a world stage too. I think, I think the Russians, you know, did play this out? And they, they still have footholds in many, many, many, many, many, many places. So don’t think that they’re like then they’re out right? That that, you know, this was their only attack vector. But the way the right, I mean they’re chess players, man. I mean who in the world is better at playing chess than the Russians? Well, it’s no coincidence that FireEye found this attack and I’m sure the Russians are really taking note of how we’re responding to it, right? Which which person got mobilized? Where how are they doing it? What are they saying? What? You know, I’m sure they had many, many people who watched the Senate of the same center here in you and I watched,

[00:53:49] Brad Nigh: Oh, for sure. Well, I mean I would agree with based on on the complexity and the scope of this, you know, Microsoft saying, Yeah, we figured there’s got to be at least 1000 engineers working on this. I mean, this is not again, if they want to get in, they’re going to get in there, putting the resources to do this stuff. Um, I did like, I couldn’t, I don’t remember who it was. I don’t remember if it was Senator Wyden or Senator Warner, I don’t remember who it was, but they brought up, you know, hey, maybe we need to have rules of engagement, you know, in a war. You don’t bomb the Red Cross, the ambulance to the hospital. Mhm. Do we how do we get some sort of an international agreement that, hey, you don’t do these things because

[00:54:40] Evan Francen: but it won’t work. I mean, they’re attacking hospitals now.

[00:54:48] Brad Nigh: That’s what I’m saying. If you can get, you know, is there a way to do that? Right? Come to us?

[00:54:54] Evan Francen: How how? Because, well, it’s not the Russians, it’s a it’s a it’s a criminal gang that the Russians allowed to operate on their

[00:55:02] Brad Nigh: soil. It’s the government.

[00:55:07] Evan Francen: Well, right, that’s what I’m saying. It’s they allow them to operate on their soil. As long as, you know, the way the Russians approach. It is. Yeah. You can go do criminal activity just don’t attack us. Don’t attack our resources, Otherwise you’ll be in trouble.

[00:55:21] Brad Nigh: Oh, I think there’s definitely a lot of that, but I think this was actually that state sponsored, not

[00:55:29] Evan Francen: what I’m, what I’m saying, what I’m saying is in this battlefield if you’re gonna so can’t attack hospitals. Well, big deal.

[00:55:39] Brad Nigh: Well yeah, there’s gotta there’s gotta be something Uh

[00:55:45] Evan Francen: huh But I think now, so here on this one particular point because there’s many points, but I think on this one particular point where Mr Wyden said properly configured firewall, Mr Mandia said it depends. But then the key point is what he said, you know, towards the end of that Yeah, statement because what he said was um in theory it’s a sound thing but it’s academic; in practice, it’s operationally cumbersome.

[00:56:17] Brad Nigh: Right. Which means like you were found that businesses just aren’t willing to take the time and effort mm to properly configure it because oh well that’s a, you know, it’s a negative or or an impact on the business, they’re like, well it’s not worth it.

[00:56:38] Evan Francen: So it’s operationally cumbersome but that’s that’s I think the point to solve it properly configured firewall yes, would have mitigated this attack. However, nobody or very few people actually configure the firewalls properly.

[00:56:54] Brad Nigh: Mhm

[00:56:56] Evan Francen: And why do they not configure their firewalls properly? Well in many cases it’s operationally cumbersome, which like you can interpret that to be either because I think sometimes who say it’s operationally cumbersome because it’s work. Thank you because I have to work. Well you get paid for it. So I figured out

[00:57:16] Brad Nigh: well, and here’s the thing how many servers and server software need internet access? Very few. Right like or they only need specific ports to, you know, specific cloud hosted, you know, updates, you know, for they think like your your endpoint protection, you know, when to update, sort, patch management, things like that. Good. You don’t need DNS and internet or anything. You don’t need external access for what I would estimate 99% of the software and servers that are out there, right? Or at least yeah, it would be very targeted.

[00:58:08] Evan Francen: And then I love this. I agree completely. Senator Wyden has become uh endearing to me because I’m a network I I grew up a network guy, right? Let’s just go back in the nineties and man, I love networks, I love how they work. Just the beautiful but the hell said this, you know after talking with you know, in the in the statement he goes, yeah, it just seems to me what I’m asking about is Network Security 101. Any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world. And you basically said almost the same thing. So And he that’s strong man because it is this is Network Security 101.

[00:58:54] Brad Nigh: Yeah, he’s he seems to be uh probably the most like aware like knowledgeable I guess of that stuff. I don’t know if it’s the staff that hooked him up or if he’s he went and did the research but he I think he had the most relevant pointed questions. There was a lot of explain this to me, explain this to me. You know how did this happen? But I thought his were were really spot on

[00:59:27] Evan Francen: but I love what we said do it. So it is Network Security 101. He’s right about the firewall and then it’s any responsible organization wouldn’t allow software with this so that I would love to see legislated. Legislate that you need to you know that you need to allow default deny. I don’t care if it’s operationally cumbersome. So is you know sort of 90% of the regulations out there anyway. At least this one would be effective and two, if you have software with certain levels of access nobody who’s responsible would ever allow this connection with the outside world.

[01:00:05] Brad Nigh: Yeah. Yeah. You know let’s see I’m going to try and find this

[01:00:11] Evan Francen: does that. I’d love to see so many I’d love to see I’d love to see companies like cos then release guidance that said this system does not need to communicate with the outside world. You know so you have some accountability on the side of the software maker developer because to get them to write 100% bug free code ain’t gonna happen any time soon but you can have them say that this communicates with the outside world or this doesn’t need communication with the outside world? Please block all traffic And this is how you do it as part of the implementation guide.

[01:00:48] Brad Nigh: Mm. Yeah. Well, and so I was looking for this uh couple, I guess it’s been about three weeks last week. I’m sorry. Um Laurie posted that she heard from a client that their insurance broker is saying that 80% of insurance companies will deny companies coverage if they don’t have MFA.

[01:01:09] Evan Francen: And the other March.

[01:01:10] Brad Nigh: Yeah. Charge enormous amounts if you don’t. And so you’re starting to see that happen and we’ve heard rumblings from other uh insurance companies and brokers that a lot of these companies, insurance companies are considering just getting out splashing Whoa, this is huge. We were going to lose everything on this. I think you’re gonna start, it almost is gonna, I wonder if it becomes almost self regulating to some extent that that we don’t need it. But hey, if you don’t do these things, you’re not going to be able to operate, you’re not going to get insurance, you’re not going to be able to do these things, People are going to work with you. So you got to start doing them

[01:01:56] Evan Francen: well there’s maybe, but doing what, that’s that’s the thing that we keep doing the overwhelmed, we overwhelmed businesses, but here’s a NIST CSF. Here’s so here’s this. So what do they do? They don’t, they don’t have the time. they’re not in business for that. They don’t have time to read through all this stuff and do all this. Give me two things. Give me three things to do.

[01:02:20] Brad Nigh: I thought that was good. Right? MFA and X on remote access. Perfect. Right. Hey, you need to do this and you need to do these other proof that you’re doing these other two things and be specific about it. Right? I think you have to on everything and you have a good centrally managed antivirus and a patch management solution. You don’t do those things we’re not going to insure you

[01:02:45] Evan Francen: well. And even that is, you know, I mean even it’s like I wouldn’t teach a baby how to drive a car. Right? I mean you have to get them there. It’s gonna have to take time we have to back up on a lot of the things that we’re doing in this industry rather than throwing more stuff at it, throwing more stuff at it. Because something insecure at the core will always be insecure. We have to step back and say, all right, Do these two things and then we’re gonna take this as a journey that we’re gonna do these next two or three things and on and on, you know?

[01:03:17] Brad Nigh: Well, but I think that’s where from a consultant’s perspective, that’s where we can help. But I think, right, these insurance companies aren’t information security companies, right, they’re getting the things and say, hey look, we know

[01:03:32] Evan Francen: you’re talking insurance, I thought we were still talking about the fixing the problem thing. Oh

[01:03:36] Brad Nigh: no, I mean it all comes from that industry dictating, hey, you need MFA. They’re they’re listening to the experts saying, hey, this is gonna be the biggest thing you can do to reduce risk. So they’re saying all right, you need to do anything. They’re not agree. They’re not going to be the ones saying how they should do it. But those companies that need to come and find people that can help them do the right thing, right? So I think it’s going to be layered approach, right? Somebody’s got to dictate, hey, you’ve got to start doing these things and then somebody else has to come in and say, ok, here’s how here’s how we can get you to do the things you need to do.

[01:04:19] Evan Francen: Alright? We’re coming up towards the end. Uh yeah, we can talk about this for a while. It’s it’s really good food for thought man. And we can tell that we started getting a little Anthony and animated, animated uh

[01:04:33] Brad Nigh: passionate about what we do. Hell

[01:04:36] Evan Francen: yeah, when it pisses me off because I think these problems are very much solvable the problem, you know, and it’s a because, you know, I was following along in your thought process and I’m trying to figure out, you know what people say and how you attack these types of ideas. So you say MFA. There’s still certain we have a lot to do in this industry because I think a lot of people, you know there’s a certain population I would say. Well yeah but you can hack MFA. OK. But that’s not the point. Stay focused on the point. I think a lot of times we don’t even know what the hell the point is in this industry. You know, the point is not to never have another uh SolarWinds again. Right. Right. Yeah. You’re going to say the same thing man reduce, reduce the likelihood of this stuff happening and make it make it get better at responding to it quicker. Yeah. And you’re not gonna do that if you keep adding more stuff to it because you keep changing the goal posts so you’re not, who knows? Right. It’s just nuts. Yeah, a lot of work, you know. Yeah. So news stories I had and we’re not gonna cover them today. But if you want to see them uh Yeah they’re on my they’re on the show notes. Hackers released a new jailbreak tool for almost every iPhone except for the latest version 14.4. So we running that Chinese businessman plotted with the GE insider to steal transistor secrets. This is not something new either. And I think it’s something that flies under the radar quite a bit is you know the industrial espionage state sponsored industrial espionage. It happens all over the place. And then NSA embraced the zero trust security model. Which awesome. I guess. You know, it’s, it’s not, no man. This is not anything new. Right? Just, we just called it something else and put a pretty sticker on it. And then now people are out there selling crap like CrowdStrike. For instance, their definition of zero trust ain’t nothing like the real definition. Right? What am I gonna do Brad

[01:06:51] Brad Nigh: that’s Keep up in one company at a time.

[01:06:54] Evan Francen: That’s right brother. I love working this will work in this battle with you man. It’s uh, it’s nice to have somebody and I like the fact that we don’t see things exactly the same way, but our hearts are in the right place. We love helping people. We want to solve these problems.

[01:07:11] Brad Nigh: Yeah. The end goal is the same for both of us. It’s just how, how we see getting there is going to be a little different. That’s what makes it fun.

[01:07:20] Evan Francen: It does make it fun because I totally respect your way of getting there. I think when you have this mutual respect, it’s like you have a great point. Can I fit that in with my point or do I need to change my point? You know what I mean? You figure out the solution that if we both do these things right? It makes a little bit of, I

[01:07:38] Brad Nigh: mean you saw it today with uh, me realizing, oh yeah, the only non security company had the best answer. Oh yeah, okay, we have had that realization, if we haven’t had that conversation we did. So I thought them

[01:07:56] Evan Francen: it is awesome, right? And shout out quick this week.

[01:07:59] Brad Nigh: Yeah, yeah, I’m gonna give a shout out to Renee uh working out and having a bad day and she just I don’t think she even knew she had uh what she said made such a positive impact, but it really just completely made my day and just yeah, I took a lot of like, I was like, thank goodness, okay, and relieved all that stress and I didn’t, I realized I was kind of carrying, so that’s her name,

[01:08:30] Evan Francen: that’s cool man. Yeah, there’s always so many people to give shoutouts to, and I’m going to give a shout out actually uh to you Brad. I’ve seen you doing some really cool stuff and they seem to be just kind of, you know, in a in a really good season where you’re creating cool things and I have every interaction I’ve had with you in the last couple of weeks has been cool, really cool. So yeah, I know you’ve been through some Mhm. You know, we’ve uh rough waters, this kind of thing, you know, and uh you’re staying strong man, I’m really proud of you, I’m excited to get this, get back to this book with you. So thank you, Shout out

[01:09:10] Brad Nigh: to appreciate

[01:09:11] Evan Francen: that. Alright, so thank you to all our listeners. Send things to us by email at unsecurity at protonmail dot com. If you’re the social type socialize with us on Twitter, I’m @EvanFrancen Brad’s @BradNigh. Just our names, no spaces. Our Twitter handles, other Twitter handles. You can just follow and find stuff that we’re doing is UNSECURITY is @UnsecurityP. SecurityStudio is @StudioSecurity and FRSecure’s @FRSecure. Get people signed up for that CISSP mentor program.

[01:09:47] Brad Nigh: I think we’re like 3800, 373,800. Right in that range. That’s beautiful. That’s insane.

[01:09:56] Evan Francen: I love it. And it’s awesome. People were helping. All right. So I take we’ll talk to you again next
