Distilled Security Podcast

Join hosts Justin, Rick, and Joe as they cover:
  • Resume Review Insights: Joe offers valuable tips on resume writing, focusing on showcasing accomplishments and using metrics to stand out.
  • Passion Projects and Hobbies: The team discusses how personal projects and volunteer work can make resumes more compelling by demonstrating a passion for the field.
  • Community Engagement at TRISS: The hosts invite listeners to their booth at the upcoming Three Rivers Information Security Symposium (TRISS), where they will be offering resume reviews and engaging with attendees.
  • Counter-Espionage and Pagers: A fascinating look at the use of pagers in recent counter-espionage operations, analyzing their effectiveness and ethical concerns.
  • Supply Chain Security Concerns: A discussion on the risks tied to supply chain vulnerabilities, focusing on hardware inspections.
  • Tabletop Exercises in Cybersecurity: The hosts highlight the importance of tabletop exercises to prepare organizations for security incidents, contrasting them with current trends in incident response training.
  • School Violence Threats: An examination of the rise in school violence threats and the challenges schools face in managing these situations.
Links
Spirits
  • Boone 1833 12-Year-Old, Snyder's Flask (discontinued) - https://boonedistilling.com/

Creators & Guests

Host
Joe Wynn
Founder & CEO @ Seiso | IANS Faculty Member | Co-founder of BSidesPGH
Host
Justin Leapline
Founder of episki | IANS Faculty Member
Host
Rick Yocum
Optimize IT Founder | Managing Director, TrustedSec

What is Distilled Security Podcast?

Join us on Distilled Security as we delve into the fascinating world of cybersecurity. Each episode, we break down intriguing topics, analyze the latest news, and engage in in-depth conversations with our hosts and invited guests. Whether you're a seasoned professional or just curious about cybersecurity, our podcast offers valuable insights and thought-provoking discussions to keep you informed and entertained. Tune in and stay ahead of the curve in the ever-evolving landscape of cybersecurity.

Speaker 1:

Welcome, everybody, to the Distilled Security podcast, episode number 5. I'm Justin Leapline. I'm here with Rick Yocum and Joe Wynn, and we're glad to talk to you today. Today, we got a pretty interesting lineup here. First thing I want to bring up is we're gonna be at TRISS, which is exciting.

Speaker 1:

Got invited by one of the conference organizers, which we're really grateful to do, and really just want to promote a little bit of what we're doing, what we're talking about. Wanna get some community feedback with that and everything. We have our booth, so please come by and talk. It's October 3rd. October 3rd, Thursday

Speaker 2:

Yeah.

Speaker 3:

At the convention center.

Speaker 1:

At the Pittsburgh David L. Lawrence Convention Center. So, yeah, that'll be good. We need to, you know, bring our A game and everything. Are we gonna do any interviews or anything while we're there?

Speaker 3:

Oh, no. We'll find some

Speaker 1:

victims. Yeah.

Speaker 3:

So it'll be interesting. Rick, you brought up earlier, maybe it'd be interesting to have people give us feedback for what topics they wanna hear about.

Speaker 2:

Yeah. I I know we have a little bit of a backlog of topics, so maybe we'll, we'll post, you know, post some or post some. And It

Speaker 1:

keeps building every, every time we do an episode.

Speaker 2:

Yeah. And I

Speaker 1:

think we, what, have, like, 2 dozen topics that we've, like, put in the trash and, like, oh, what's around here? So help help us get some them. Yeah.

Speaker 3:

Yeah. And then the other thing, I was looking at the, lineup today, and, wow, I was, I didn't realize some of the speakers are gonna be there, but there's some pretty impressive talks. Oh, yeah.

Speaker 1:

Yeah. Okay.

Speaker 3:

I saw, well, just some people we know from the community, Ryan Volok and Oh, yeah. He's

Speaker 1:

on a panel discussion. Right? I think a small to midsize business dealing with security. Yeah.

Speaker 3:

There's a couple other things. There's some good CISOs I saw on the list. I think some sort of women in technology and cyber conversations happening. Then they're also doing resume reviews and coaching.

Speaker 1:

Which you're participating in?

Speaker 3:

Yeah. 9 AM, I signed up for the slot where I will, take a look and beat up your resume. And, everybody who I ever looked at their resumes, I'm like, look, I'm not going to be gentle. This is Yeah. Right.

Speaker 3:

Gonna be tough. Are you ready for this?

Speaker 2:

Feedback is good.

Speaker 3:

So, yeah. So it's always fun.

Speaker 1:

Anybody say no and walk away?

Speaker 3:

No. No. That's never happened.

Speaker 1:

How dare

Speaker 2:

you, sir?

Speaker 3:

Yeah. So it's, typically and the main things I look for when I'm

Speaker 1:

doing a resume resume Like Comic Sans? Really?

Speaker 3:

Yeah. Yeah. Comic. If you're not using Comic Sans, forget it. You you want Comic Sans.

Speaker 3:

Yeah.

Speaker 1:

Of course. That's what I was implying. Yeah.

Speaker 3:

Yeah. No. Really, I'm looking for things like if your resume so getting ready for this, if you're showing up, the kind of feedback you'll get is if your resume reads like your job description, I'm going to have a problem with that. And we're going to talk about it, and we're going to figure out how to make it a little bit more about what you actually accomplished, not the job that you had. And then the other piece is metrics.

Speaker 1:

Counter than, to a lot of, recommendations. Well, I I look at everything. Critique critique your resume to apply for the position to highlight the attributes that you're trying to, achieve and everything.

Speaker 3:

100% agree.

Speaker 1:

Okay.

Speaker 3:

But if it just lists that I was responsible for

Speaker 1:

Manage the firewall rules set. Basically twist around the the the yeah.

Speaker 3:

Job set. But instead of manage a firewall rule set, it's what did you do that impacted the organization? Show me a metric. Tell me something. Did you improve the process?

Speaker 3:

Were you able to get 5 times as many firewall rule sets reviewed because you did something? Let's figure that out.

Speaker 2:

Work with executives to drop ticket counts of angry people because or whatever.

Speaker 1:

And it's funny. Like, I've done this on my resume probably over 10 years now. I haven't used my resume in forever. But I had where the job was, I described my responsibility, and then I'd have a highlights, and I'd have a couple of bullet points of what you're talking about with, like, I did this project under this time, you know, this amount of, like, close the project, worth this amount of money, you know, whatever it was, you know, type of thing. So the highlights, like, did accomplishments versus here's I'm in charge of this and this, and we did this.

Speaker 1:

You know?

Speaker 2:

I always like something similar. It's like there's, like, responsibilities and there's, like, accomplishments. Mhmm. Right? Which is a little bit different.

Speaker 2:

I wasn't, like, fully responsible for this thing operationally, but here's this big thing that I did that helped in these ways or whatever and kinda separating those out can be useful. But, anyway

Speaker 3:

That's good. No. And then the other thing I look for is, what do you do outside of your job to make yourself better for the next job you've been doing?

Speaker 1:

So you're looking for a cultural type stuff? Maybe it's podcasting. Yeah. Maybe. Like I'd probably go down on the hiring, you know?

Speaker 3:

Well, you look at it like, well, the 3 of us, we could just end our day and go home. Right? But instead, we keep talking about cybersecurity because we don't just do it for a job. We do it because we like to do it. Right.

Speaker 2:

We talk

Speaker 3:

about this stuff because we want to talk about it.

Speaker 2:

Right.

Speaker 3:

If we weren't here recording a podcast, what do we be doing? We'd be sitting around with a couple drinks talking about cybersecurity.

Speaker 1:

Yeah.

Speaker 3:

So do you do something like that? Find a way to fit into your resume things you do that make you valuable to somebody, but also show you have a passion for this thing you want to do.

Speaker 2:

Yeah. Or a passion for something else that you can transfer. That's what

Speaker 1:

I was thinking. Right?

Speaker 2:

So, yeah, maybe you do all this volunteer work. Okay. How does that translate to your skill set? Oh, you have all this extra empathy and you can interact with people, or you can identify issues more quickly or whatever that is, even if it's something not in cybersecurity. But you do it in your spare time, and it gives you skills that are transferable and unique to you, that's super cool too.

Speaker 3:

And imagine if you were doing that and also applying to a non for profit. Right. Because now you're totally relating this whole idea of giving back and volunteering to the place you wanna get a job Yeah. And help they they need cybersecurity as well.

Speaker 2:

Absolutely. So Yeah.

Speaker 1:

Well, good. I also like, even highlighting stuff of, like, what are your hobbies outside of the career path and everything. Just enter stuff. Like, I met a guy the other day that he walked the entire Appalachian, trail,

Speaker 2:

you

Speaker 1:

know, from spring to fall. You know, it took me, like, 5 ish months or something like that, and it's just, like, that's such a cool story to tell, you know, type of thing. Yeah.

Speaker 2:

Well, and I think that's super important too because, like, the way that you connect with people is through stories and, like, human interactions. It's not like I manage the firewalls. No. Like, it's just not. And so if you're in an interview and you can talk about something you're passionate about or something you've done or whatever, like, you're gonna be more memorable.

Speaker 2:

You're gonna end up more loose in the conversation, hopefully, you know, all that kind of stuff, and and, you know, people are gonna remember you differently.

Speaker 3:

Reminds me of a conversation I had today. I was talking to somebody. I'm like, what you really need and we were discussing, like, what would be the perfect person for this GRC role that, they have open?

Speaker 2:

Mhmm.

Speaker 3:

And I don't know that you actually need somebody who is super technical or super knows everything about GRC. What you really need is somebody who can communicate and go and interact with people because

Speaker 1:

You need an evangelist.

Speaker 3:

Yeah. About half the job is getting people to get the things done that need done so you can start removing the risk from risk register, things like that. You need a people person. Right? Right.

Speaker 1:

From a job. People understand?

Speaker 3:

Yeah. From Office Space. Yep. So, yeah. Absolutely.

Speaker 3:

And then, but back to your story about the guy who hiked the trail.

Speaker 1:

Mhmm.

Speaker 3:

I bet that person's going to complete the projects you give them.

Speaker 1:

Yeah, right?

Speaker 3:

They're going to get all that done.

Speaker 2:

Right. Preparation, all that stuff. I mean again, you can tie all sorts of things to if you think about it a little bit.

Speaker 3:

Yeah. I bet they're a heck of a project planner, and they finish the work.

Speaker 1:

They're actually in recruiting, for a company. Okay. So a dedicated corporate recruiter and everything. So yeah.

Speaker 2:

Yeah. So anyway, come to come see Joe. Let him beat up your resume.

Speaker 3:

Yeah. Come see us all. Stop by the table.

Speaker 1:

We're also gonna have some stuff we're raffling off. So definitely come by, say hi. Enter your name in and everything. We'll might have some spirits to give away, and you have some I got a gift card and anything.

Speaker 2:

Yeah. Yeah.

Speaker 1:

Yeah. That'll be good.

Speaker 3:

Oh, and there's a evening event too, DSP is doing.

Speaker 1:

Yeah. So we are sponsoring happy hour as well. It's at Helltown Brewing, a local brewery. So that will be a a good time.

Speaker 3:

Yeah. But we can't wait.

Speaker 2:

Won't be

Speaker 1:

spirits, but, you know, it's beer. It's close.

Speaker 2:

Yeah. Yeah. So

Speaker 1:

alright. So why don't we enter into our our first kind of meat of the topic here? So, pagers exploding.

Speaker 3:

Oh my goodness.

Speaker 2:

Yeah. Big deal.

Speaker 1:

So it it was really interesting, and I think there was a lot of, obviously, passionate opinions all over the place about this. I think where I kind of wanted to talk about is just utilizing technology and kind of a a a counter espionage type, format. And is this revolutionary or not?

Speaker 2:

Like, I

Speaker 1:

was kinda you know, like, there's been the program, the, a non, a nom I forget what it was. It was basically the FBI basically took over cell phones and then started distributing out to drug dealers, you know, all that stuff, you know, over in Europe a lot of the times, and they utilize that as kind of a a way to get information. Obviously, this is more on the offensive, you know, rather than information gathering and technology. Yeah. But what do you guys think?

Speaker 1:

Is this something revolutionary, or is this just you know? You know? It is what it is.

Speaker 3:

Go for it. I have a couple of thoughts, but, I wanna hear what you think.

Speaker 2:

I mean, I don't think it's revolution. Yeah. I mean, I I think, it's a lot more public and loud in message sending, maybe intentionally, but I don't think it's it's revolutionary. I mean, the reason we go through scanners at airports is because very small amounts of plastic explosive like the Oh, the shoe bomb.

Speaker 1:

Yeah, try to fight it

Speaker 2:

in a shoe, right? And so, very small amounts of plastic explosives can do huge damage, and I think this killed 27 or 37 people.

Speaker 1:

It wasn't huge, but it injured like 25,000?

Speaker 2:

Yeah. Something yeah. In the yeah.

Speaker 3:

So let's talk a little

Speaker 2:

bit. Yeah.

Speaker 3:

So the the meat of the story, if you haven't heard

Speaker 1:

Oh, right.

Speaker 3:

Is really that, looks like Israelis created an attack against Hezbollah. Yeah. And what they did was they set up an Israeli front company to sell pagers and walkie talkies and offered a version that they could distribute to people that they suspected to be

Speaker 2:

Part of that group.

Speaker 3:

Yep. And

Speaker 1:

Mhmm. Do you know the the the root of that actually went a little bit before that? The Israelis are so good at counter espionage and, you know, just cybersecurity in general, and they were basically hacking everything that Hezbollah had. Like, all their technology, like, they were intercepting everything.

Speaker 2:

They were already

Speaker 1:

Their leader came out and said, like, we gotta go old school because we don't trust anybody.

Speaker 3:

I heard the

Speaker 1:

you know? And so they're

Speaker 2:

like, what do we do? Right.

Speaker 1:

Like, maybe we set up a company, and we'll sell old school stuff.

Speaker 3:

Right. Yeah. Yeah. In fact, one of the one of the items from an article I read was that, Israeli talked up their mobile phone surveillance capabilities so well Intentionally. Yeah.

Speaker 3:

Whether they were even doing it or not, they advertised they were doing it

Speaker 2:

To drive people towards buying

Speaker 1:

Yeah. Old school stuff.

Speaker 2:

That they could do stuff too. Yeah.

Speaker 3:

And so is it, what would

Speaker 1:

you say earlier? Revolutionary? Yeah. Novel.

Speaker 3:

Novel. Yeah. It's it's not. It's just a whole bunch of small supply chain hacks Right. Kind of put together in order to get a very high grade plastic explosive inside

Speaker 2:

of these devices. And send a signal.

Speaker 3:

Tiered up with the emergency signal, so you put it up to your face, and then it would go off. Yeah. And so

Speaker 1:

And I'd love to, like, a lot of people are like, you know, it's so indiscriminate of, like, who they're aiming at and everything like that. But if not looking at, I think, the full picture because once those pagers went off, then they went back to radios. But the Israelis had that too.

Speaker 2:

They actually Yeah.

Speaker 1:

So the next day they exploded those. So all of a sudden, they can't trust any communication That's right. Any communication medium whatsoever. So they went to in person, and they found out that a bunch of Hezbollah leaders were meeting in a house and essentially blew them all up. There was, like, 12 to 18 of the top Hezbollah leaders they eliminated in one strike because now they're forcing them to meet together because they can't trust communication.

Speaker 1:

And hand up

Speaker 2:

be conspicuous. Right. Yeah.

Speaker 1:

So it was just interesting, like, you know, again, they're doing it to basically get them to consolidate, you know, and, go into that. It's very interesting, you know, into their

Speaker 3:

Yeah. So here's an interesting quote from Alan Woodward, a cyber expert at England's University of Surrey, said a threat model should always look at the hardware first. So this is like, what can we learn from this? Look at the hardware first. And what's in the hardware?

Speaker 3:

And his question was, was nobody from Hezbollah going to wherever these pagers were being manufactured, at least sampling them, and see what's happening when they get packaged up? Like, did nobody go to these things? So take kinda takeaways. What's that?

Speaker 2:

Do we? Right.

Speaker 1:

You get a new laptop or you're taking it apart?

Speaker 3:

No. You might not be. Yeah. But when, but I know large companies, these $1,000,000,000 companies, they're actually going to the manufacturer and checking out to see what's happening before they sign up to buy certain components that are gonna go into things.

Speaker 2:

That's true, but that's still different than, like, like, things can still be intercepted on route and blah blah blah blah blah blah. So, like, there's so many avenues by which something like this can occur. Right? So, okay, I'm not gonna be able though? What's that?

Speaker 3:

Able to get all of the I don't know how because that was what I

Speaker 1:

was presumed at the start was Israeli who are just intercepting the pagers and then putting the Right.

Speaker 2:

It was actually pry like the

Speaker 1:

yeah. They actually left.

Speaker 3:

Yeah. Yeah. They're actually the ones getting them sent out. So I while I don't disagree that it's a good avenue, at the scale they were doing it, could they have accurately intercepted enough of them going through shipping to stop them versus getting it at the source when they're sending them out.

Speaker 2:

Well and and I definitely agree with that, but this gets into, like, risk profiling. Right? Like, how many bad things need to happen for the bigger bad thing to occur. Right? In their case, they were intentionally simultaneously targeting many, many, many targets.

Speaker 2:

Mhmm. I don't think that's typically how, adversaries try and make their way into organizations. Right? They kinda just need, like, 1 or 2 footholds.

Speaker 3:

Well, what's, related to SolarWinds?

Speaker 2:

Yeah.

Speaker 3:

Do you hacked hacked the source? Absolutely.

Speaker 2:

Yeah. Absolutely right. Let them distribute all the things to everywhere Absolutely right.

Speaker 3:

And put it there. And the things I'm worried about are, well, are any of these pagers getting misrouted? And do they have explosives in them and Right. Actually go to a civilian?

Speaker 1:

Yeah. They could. You know? I mean, they had the contract, so they were delivering it straight to them.

Speaker 2:

I don't know. I've I've worked for for some companies that are heavy in logistics, and that stuff is fraught with challenges. Because because how many people know about this thing? Right? So you have some well meaning people on trucks or in factories that aren't part of the end group, and all of a sudden they go, oh, yeah, this truck's delayed.

Speaker 2:

Yeah. Just it's the same thing. Just swap the boxes or whatever. Like, I'm obviously not saying that happened here, but it's a situation I can absolutely envision given places I've worked in the past where there's, like, high turnover and stuff like that. I suspect they have some fail safes in place to try and prevent that sort of thing, but it's definitely not out of the realm of possibility, especially, like, once you put stuff in the wild.

Speaker 1:

Well and I think it's a little bit different. I mean, we're talking about, like, corporate espionage versus this is all out warfare, you know, typically. And, you know, there's a little bit different from a casualty perspective.

Speaker 3:

Right. Well, in the

Speaker 2:

risk profile.

Speaker 1:

Yeah. Exactly. Yeah. But it is sort of like to your point of inspecting a device, like, you know, the underhandedness of, like, some of the the tactics and everything like that, you would think they cut open some of the devices just to make sure. Like, just one device looking at that, they'd probably discover, hey.

Speaker 1:

What is this stuff inside here? You know, type of thing.

Speaker 2:

Yeah. Maybe. Yeah. It's it's tough. But your point like, do you do do companies really do this from a, like, US supply chain perspective?

Speaker 2:

Like, oh, boy. And then you get into SolarWinds and then you're okay. Now you're talking about SBOM for vendors and stuff like that. I mean, vendor questionnaires aren't getting to this level of scrutiny. That's for sure.

Speaker 2:

And they're painful as they are as they exist today. That's tough.

Speaker 1:

So do you think we'll see more of this stuff here? Or

Speaker 3:

I'm not sure.

Speaker 1:

Nicely in case.

Speaker 3:

I'll I think it's gonna be difficult to replicate this anytime soon because now you have a new threat vector to look for. Everybody who's analyzing this stuff, you know, it comes back to risk. So what there was this wasn't on an on based threat radar before. Right? Like, my pager is gonna explode.

Speaker 2:

Well, maybe. Like, I don't know what I don't know what's on the NSA's threat radar. Like, it's highly likely that the things that, organizations do because, again, they like, they were doing, like, the cell phone thing or whatever. Right? It's highly likely that those tactics, they go, oh, we use this offensively.

Speaker 2:

We need to make sure no one uses it against us. Right? Like, you build the defensive plays for the things that are in your offensive playbook. So I think agencies or or organizations that are that operate sort of in the physical realm, if it wasn't on their radar before it is now Right.

Speaker 3:

Well, that's what I mean. That's why I don't know if it'll happen again because now it might be and if it is, it feels like it's too soon to Yeah. Have somebody else. Also

Speaker 1:

I I was gonna say, also, I think it's a unique situation where you have kind of a a first world country fighting a third world country. You know? And maybe that's not the the exact terms, but you got a very sophisticated actor and somebody that makes crude IEDs, you know, into that. So, you know, to be able to even facilitate this, like, 2 first worlds, are they gonna be sending beepers back and forth in the the countries? You know?

Speaker 1:

Now they're gonna rely on their own stuff.

Speaker 2:

It's fair. It's asymmetric resource.

Speaker 1:

Or 2 third worlds that don't have that technical capability to even set up, you know, something with explosives into the electronics or something along that line. So I'm thinking it's a unique situation where you have basically a very advanced military, you know, with that versus a not so advanced.

Speaker 2:

Yeah. Maybe. But but also, like, I mean, this happened I I'm I wish I remembered the specifics, but this happened to, like, a nuclear center centrifuge, right, where the NSA or the CIA

Speaker 1:

did, like, basically Israeli, Stuxnet?

Speaker 2:

Stuxnet. Yeah. Yeah. So, like, there's that. And then it also dovetails into, like, hey.

Speaker 2:

Is this an isolated thing? Some of the car stuff that was happening that I know we're gonna talk about, right, in terms of, hey. You know, the US government is now pulling back on or or thinking about pulling

Speaker 3:

back on. Well, I think the White House released just today a statement or took steps about banning Chinese connected vehicle hardware. So another supply chain Right. Type problem. Because and it all comes back to looking at the risks.

Speaker 3:

Where is the equipment and the parts coming from?

Speaker 2:

Mhmm.

Speaker 3:

And for something like the, US automotive industry, it's maybe not them directly. So what I read was not them directly who's buying this stuff, but it's the 3rd parties

Speaker 2:

Yeah.

Speaker 3:

That buy that it's going into that then car dealers or car manufacturers buy from.

Speaker 2:

Yeah.

Speaker 3:

And so this is, like, gonna take years to figure out this very complex supply chain.

Speaker 2:

Oh, yeah. Well, and I, you know, I think, like, in the in the eighties, maybe even earlier than that, there's already you probably both heard me talk about this before, but like the nobody knows how to to make a pencil.

Speaker 3:

Oh, yeah.

Speaker 2:

Yeah. So like even even, you know, rewind 40 years and something as simple as a pencil And, you know, you source the wood, you source the rubber, you source the metal, you source the graphite, and it goes through all these processes to get to where it needs to go. And then there's all this logistics to get it to a factory, and then there's all these factory processes to smash all that stuff together. There's all these other logistic processes to get it to someone that can sell it, and then you buy it at the Staples. But, you know, in in anything else is probably more complex than a pencil.

Speaker 2:

A car is infinitely more complex. Right. And you think about the supply chain and the logistics that go into that, there's a lot of stuff that is probably, like, assumed safe in a lot of ways that, you know, that that are potential avenues for bad stuff to happen. I don't know how to solve that. But to your point, it's gonna take a long time to start to unwind and think through the risk profiling for these complex things that we rely on.

Speaker 2:

And cars is a great example. I mean, tons and tons of people operate heavy machinery every single day without really thinking about the fact they're operating heavy machinery at high speeds. And if someone somewhere could click a button and all those brakes are disabled or engines are turned off or whatever, you've caused complete havoc, particularly in major city centers.

Speaker 3:

Have you heard about the other related to this, that the White House was also putting a a ban on, which is the ports. At our ports, there's a lot of, Chinese cranes

Speaker 2:

Yeah.

Speaker 3:

With the ability to potentially have the Chinese remote access into them.

Speaker 2:

Right.

Speaker 3:

And be able to take them over.

Speaker 2:

Yeah. And you think about single points of failure. So, like, ports so much stuff comes through ports.

Speaker 3:

We saw it happen during COVID. Right. And the ports were shut down, and then toilet paper. Right? Yeah.

Speaker 1:

You couldn't get that. Didn't leak in. She just had a paper that was released, about some

Speaker 3:

of that.

Speaker 1:

Yeah. A fellow IANS faculty member. She did some type of survey or something like that with some of the port of entry things. I think she shared it on LinkedIn just this week and everything.

Speaker 2:

Oh, interesting.

Speaker 1:

We'll link it in the show notes. Yeah. I I haven't reviewed it yet, but it was on my to do list. Mhmm.

Speaker 3:

Yeah. So if you're yeah. I always like to relate these kind of fit conversations back to, like, I'm sitting at my desk. I'm a cybersecurity whatever leader at a company.

Speaker 2:

What do I do about this?

Speaker 3:

What where does this come into my, realm? And so Don't buy pagers? Don't buy pagers. Yeah. Yeah.

Speaker 3:

Which thank goodness. Right? But it's what makes up the service or product that I'm delivering.

Speaker 1:

Mhmm.

Speaker 3:

And how far am I gonna go in order to check all the things that come into this? So, you know, what can I do to disrupt it? And then when I'm doing a, you know, just just kind of, like, an interesting way of starting some kind of a brand new conversation with somebody I've never talked to before about their cybersecurity program. Like, what really brings your company down? Like, what is the is it gonna be a supply chain problem?

Speaker 3:

Is it gonna be you don't have enough of some part? Yeah. Well, how could cybersecurity impact, your supplier getting those parts or the 3rd or 4th party getting them that you rely on and how far are you going in order to figure out where these are meaningful to you delivering what you get paid for?

Speaker 2:

Yeah. I couldn't agree more. You, like, you start with the business impact assessment ish type thing to understand what's important, what's not, and then, you know, you can start to think through risk tolerance from there.

Speaker 1:

And then, you know, through your tabletop exercises, I love throwing in the the wild cards, you know, and, you know, thinking about new wild cards out there, like, and this vendor isn't available anymore. Now what do we do? You know, during this, you know, or something like that.

Speaker 2:

This happened to 2 organizations and, you know, and, yeah, this vendor is dealing with the other organization first because they asked them first. Right. Yeah.

Speaker 1:

Yeah. Those are always fun to throw in, like and our head admin is not it's like on vacation. Yeah. You can't you can't he's unable to be contacted.

Speaker 3:

You're that guy, aren't you, who throws in the injects?

Speaker 1:

Yeah. Exactly. I love that. Yeah. Because then it's like, oh, the one person that has all the passwords is gone and we can't contact them?

Speaker 1:

Oh, maybe we need a fallback, you know? Right. And those are the things that, like, the testing out the assumptions of, you know, like, this will always be there. You know? And then you start second guessing, like, oh, what happens if, you know, type of thing.

Speaker 1:

And then you start is it that important that you make a fallback plan or an alternate plan or something like that? Sometimes it's not, you know, and Yeah. We'll roll with it, you know, type of thing. And sometimes it's, yeah, we need a plan for that in case that happens.

Speaker 3:

Sounds like we're rolling to the next topic, which is the importance of tabletop exercises. No. That's not on the list. It's not, but you just brought it up.

Speaker 2:

I like

Speaker 3:

this topic.

Speaker 1:

Yeah sure.

Speaker 3:

Yeah. So what should companies be doing? Tabletop exercises. What does that mean?

Speaker 1:

Yeah. So I'm not the expert on it. You know, I've done a number when I, you know, ran security programs for companies. I haven't done one in a while, type of thing. But, yeah, it's, you gain a number of scenarios and there's some of, like, pretty good people are like I work with Tyler Hudak at TrustedSec, and he's the king of incident.

Speaker 1:

He

Speaker 2:

is extraordinary. Yeah.

Speaker 1:

And watching some of his, you know, stuff online, Like, he gives really good advice on what you should be doing, what you shouldn't be doing. Yeah. If I was to dive back into that, I'd be, brushing up. You know? You could be watching all his videos.

Speaker 1:

Yeah. Exactly.

Speaker 3:

Good. There you go. So go watch his videos. That's tip number 1.

Speaker 1:

Yeah. Yeah. How much, does CSO get into that? Do you

Speaker 3:

we do a fair amount of tabletop exercises. And one of the things I like to do in a new company or a company who's gonna start doing it for the first time, we convince them it's the right time to do it, is I have this, like, 3 or 4 step approach to getting to the one that becomes advertised.

Speaker 2:

Mhmm.

Speaker 3:

And the first thing I do is I say to the security team who doesn't wanna look foolish in front of their IT peers.

Speaker 2:

Yeah.

Speaker 3:

So I'm like, let's just sit down and, like, walk through this. How's it gonna go ourselves? And then once we talk about the tabletop exercise, let's bring in our IT peers.

Speaker 2:

Mhmm.

Speaker 3:

And then let's talk about the IT things that need to happen and how this tabletop's gonna go. And then we'll do an actual tabletop Right. With just IT. And we do all that before we start bringing in the people outside of IT. Right.

Speaker 2:

Because

Speaker 3:

last thing you want is the CIO getting a phone call, that, you know, the their team didn't really look like they knew what they were doing

Speaker 2:

Right.

Speaker 3:

During the tabletop exercise that you had HR, legal, the head of PR, and communications, and and maybe, like, a COO in. And so you wanna get all these, other things done. And you want this to look really good. And you really want your head of cyber to look great. You want your head of IT to look great.

Speaker 3:

And then you start bringing in the other pieces. And the part that, we just started to expand into, because we now have some people on the team who do crisis, management and

Speaker 2:

have been

Speaker 3:

doing that at the executive level for years. Mhmm. Like, they can train executives like an like a former news director

Speaker 2:

Right.

Speaker 3:

Is part of the team. So they know how to train you to be on camera.

Speaker 2:

Media ready.

Speaker 3:

They know how to exactly. And so the next step of it is, let's do the, the the fake incident. Let's walk through it. And then let's figure out what are the executives gonna be doing.

Speaker 2:

Oh, yeah.

Speaker 3:

And do they have a crisis plan that aligns to the cybersecurity incident response plan? And and and then, like, what you were doing is, alright. Well, let's take the, the, CEO out of the mix. Yeah. He's no longer available to, make a decision.

Speaker 3:

Right. Now who decides if we pay the ransom? Yeah. Who decides if we do the thing? Right.

Speaker 3:

And are we prepared?

Speaker 2:

Right.

Speaker 3:

And then wherever that falls apart, you know, that becomes your priority for the, for your your next, incident response Yep. Improvement plan.

Speaker 2:

Yeah. I have, a passionate opinion about some trends I've seen in this area over the course of the past year that'll probably make some people mad at me, but I'm gonna voice it anyway. So I have seen this trend where, very large organizations that involve that that do, like, tabletop stuff, build these giant facilities, basically these, like, fake SOCs, for lack lack of better term, and they kind of will fly the executive to this facility, and they will put them in in a room, and they'll they'll have these big TVs up. It's almost like this crisis communication center, like, faux thing, and then they'll, like, get a call on the phone. It'll it'll be something like pretending to be ABC News.

Speaker 2:

Right? And and I've talked to a handful of executives that think that this is like, oh, this was kind of neat. Like, this was cool or whatever. In my opinion on this is like, well, it

Speaker 1:

might I haven't heard of this.

Speaker 2:

Yeah. Yeah. There's a I

Speaker 1:

know Fake command center, essentially. Essentially. Yeah. Yeah.

Speaker 2:

I've heard a couple of examples. You're like, oh, it's kinda cool. And my initial my gut response to that is like, well, is it cool because you flew somewhere and, like, had this theater experience and whatever? And and what what these I our organizations will tell you is like, oh, but it puts them in the hot seat, and it really kinda simulates them. And I'm kinda like, but it doesn't teach them anything they're not gonna learn anyway in a room.

Speaker 2:

Mhmm. The the the other side of that coin is something that I've started to see just a hair of, which is super cool in my opinion, which is organizations that do kind of technical offensive testing for, like, you know, pen testing, red teaming, that kind of thing Mhmm. That integrate an offensive test with a future IR engagement. And so they say, hey. We're gonna do this red team, and we're gonna try and get in or whatever.

Speaker 2:

And if we fail to get in, okay, we're still gonna, like, still give us access at the end. Like, they do all the normal stuff and do all the testing. That's good. But still give us access at the end so we can plant certain things. But if you don't catch us, we're still gonna plant these certain things.

Speaker 2:

Right? So they leave all these footprints behind intentionally that then map to the IR scenario. And so not really for the executives, but for the technical folks, we say, hey, x y z happened. What would you do? And they say, well, I'd pull up Splunk and I'd look for these things.

Speaker 2:

They go, okay, do that on September 18th. Show me that you actually could execute this thing, and it turns it from this theoretical thing into this tactical thing, and it starts in all sorts of legitimately practical elements start to follow. Oh, you were on that server. Oh, we actually don't have access. Oh, that was like a month ago.

Speaker 2:

We don't have those logs anymore or whatever. Like all these legit things we say, okay, show me It starts to I don't wanna say fall apart. It doesn't always fall apart, but it can.

Speaker 3:

Well, I have, interesting story. We once had did something very similar. Yeah. Well, this one example is one that we did very similar, and we call it a breach I call it a breach readiness assessment. So we're really, how ready are you to Yeah.

Speaker 3:

Find all this stuff. And so we actually had a pause in engagement for 3 months while they went and put in all the logging.

Speaker 2:

Because, like, something happened or because you identified it as a big gap?

Speaker 3:

Because we identified it as a big gap. So we're saying, well, what would happen, if we're going to do this? Yeah. And so we started to go through. And the first thing we do is say, well, what are all the systems?

Speaker 3:

Where are all the logs going? And how far back do you have data? Right. And we're now going to go and we're gonna plant something and see if it's, able to be found. Yeah.

Speaker 3:

And then, what we found pretty quickly was after 1 week of what was supposed to be a 30 day project, it didn't get over for like 6 months because we had to wait 3 months for them to go and procure, log management better log management tools. Right. Get more retention on the, you know, the files, and and so on so that they would have enough.

Speaker 2:

Yeah.

Speaker 3:

So that when we were done, they they super appreciated the fact that they were now more prepared than ever Right. Because they knew and had confidence.

Speaker 2:

Oh, you didn't just talk us through the steps. You had us yeah.

Speaker 3:

And So very similar to what you're saying.

Speaker 2:

Yeah. Yeah. Yeah. And so that's, I think, the very beginnings of a trend. I hope that people that listen to this or us or whomever, the industry as a whole, turns it into a full fledged trend because I think the IR theater stuff, there's elements of that that can be kind of useful or good or whatever.

Speaker 2:

But I think, like, some of that, hey, let's fly you to a place and pretend to be a newscaster. Like, meh. Or, like, people are using, like we I I saw a bunch of requests at one point when I was, like, working on some of this stuff around. Like, oh, yeah. And can you, like, use deepfakes to simulate, like, a news, you know, a news feed about our company or whatever?

Speaker 2:

It's kinda like, well, yeah. But affect how different is that from us just telling you while CNN is saying this about your company?

Speaker 1:

Yeah. Right.

Speaker 2:

Like, it's like your decisioning honestly isn't going to

Speaker 1:

change that. We're hiring actors and

Speaker 2:

Yeah, right.

Speaker 1:

But or deepfakes

Speaker 2:

or whatever it is. It actually increased the cost significantly of a lot of these activities for not a lot of value. But I do think the other side of that, which is like, hey, take the what is effectively a tabletop and slowly start to move it to more of a test, just like what happened with backups, whatever, like 15, 20 years ago. Right? Like, oh, you say they're good, but, like, can you actually, like, test them?

Speaker 2:

Like, start doing that with IR. I think that's a really good trend.

Speaker 3:

Now for backups, I remember where we would, request a particular file Yeah. And see if it could get restored. Yeah. You know? Interesting.

Speaker 1:

Yeah.

Speaker 2:

Yeah. So good trend and bad trend. And I think probably some big companies hate me now, but they may or may not watch this. So I'm probably okay.

Speaker 3:

And you're probably fine.

Speaker 1:

But then you have someone's like, how much time for a full restore? And when the admin comes back, they're like, it'll take a week, you know, for our data store. You know? They're like, okay. So you'll be out at least a week.

Speaker 1:

Right. Get hit by ransomware. And then that admin

Speaker 2:

that admin becomes your best friend because

Speaker 1:

they're like, I've been saying this for years. Yeah. The terabytes of data that you're backing up and all that, it's like yeah. So, yeah, a lot of people don't realize how much time that adds, especially when getting into big hospital systems with all this, you know, PHI data Oh, yeah. You know, that they're, having.

Speaker 1:

And, like, there was a few clients that I I haven't worked with directly, but hearing through the grapevine that it took them weeks to get back to restoration. I mean, just look at Change Healthcare

Speaker 2:

Oh, yeah.

Speaker 1:

How long it took them to get that, you know. I still have you guys heard anything, like, from a, like, entry? I haven't heard It's

Speaker 2:

funny you say that. No.

Speaker 1:

Actually, I

Speaker 2:

hadn't thought about it, but I haven't heard of anything.

Speaker 1:

Because it was crazy. I I did a a few executive briefs on it, and it was, like, counting up on all the systems that they publicly said were affected. It was, like, a 180 some odd sit like, systems that were affected. Not servers, like, applications that were down. Yeah.

Speaker 1:

And I'm like, how does it affect that many systems? Like, you know, was there core like, again, I just want answers. Yeah. Wonderful. No.

Speaker 2:

Yeah.

Speaker 1:

Nah. Probably not. At this point, it's like memory-holed, and United does wanna talk about it.

Speaker 2:

That's that's that's the key. But as

Speaker 1:

a security professional, I wanna know. So, you know, I wanna make sure it doesn't happen again, type of thing. But

Speaker 2:

Yeah. Yeah. I I think the the fact that we even know about it means that the sweep it under the rug engine that operates in general for a lot of these breaches and things did not operate as intended for some parties involved.

Speaker 1:

I still remember the the one of the things, like, remember that RSA breach that happened way back in the day where they compromised their keys Oh, yeah. To some other tokens

Speaker 2:

and everything.

Speaker 1:

The eye opening thing to me when they shared that the initial compromise came from an HR partner that they've been working with. The partner was compromised, and they saw the email chain going back and forth between their HR reps, you know, with that. And they're like, oh, they've been exchanging the Excel file back and forth. I'll just respond from the last one from the company, up the version like, the version of they had a specific filename version, upped it, and then put in a macro virus, and that was the initial compromise. It came from a legitimate source, you know, an established trail, and we're back to supply.

Speaker 1:

Yeah. And it's like, how do you catch that? Like, you know, outside of, like, actually detecting the virus, like, how do you like, that's uncatchable from a just a purely phishing. Like, it came from a legitimate email Right. At that point.

Speaker 1:

You it came from a trusted, like, source of that. It was like,

Speaker 2:

oh, man.

Speaker 3:

Was that ins was it an insider or an outsider that did it?

Speaker 1:

It was an outsider. Yeah. So that company was compromised. They had access to their full email server. And then they were looking through their email and saw they were exchanging emails with RSA.

Speaker 3:

Gotcha. Yeah.

Speaker 1:

Yeah. And so they basically as that person, basically just wrote the email, put a macro virus in this existing Excel sheet, and then send it off to RSA, the contact that was already in that thread, you know, and everything. So it was like Wow.

Speaker 2:

Yeah. So anyway, tabletops. Good. Useful. Yes.

Speaker 2:

But definitely do the dumb stuff and do the good stuff.

Speaker 3:

No. So have fun with it too.

Speaker 2:

Mhmm. I agree with that, actually. Like, I I don't know. I'm I'm like a theater nerd to an extent and like that. That element of things is fun.

Speaker 2:

And so for me to say, like, that the

Speaker 1:

I think you're the one who plays D and D,

Speaker 2:

Yeah. I definitely play D and D. I was a lead my senior year

Speaker 1:

in the Oscar musical.

Speaker 2:

No. No. No. I like that stuff.

Speaker 3:

Yeah. Awesome. Yeah.

Speaker 2:

I'm a big fan.

Speaker 3:

Make sure that you don't stop with just the cybersecurity part of your, scope. Eventually, bring it to the business, figure out what they're gonna do and what you need them to do. Right. Because they need to make decisions so you can figure out what your next step is.

Speaker 2:

Yeah. Yeah.

Speaker 1:

Yeah. I started incorporating, like, when we're manufacturing stuff out of a facility, it's like big snow day. What do you do? Like, we can't nobody can get in the office.

Speaker 2:

So Right.

Speaker 1:

We're not producing stuff. Like Yeah. I believe you do. You know that type

Speaker 2:

of things. Yeah. Yeah.

Speaker 3:

You know what I wanna know? What are we drinking? Rick, what you got there? What'd you bring?

Speaker 1:

The difference.

Speaker 2:

So we have 1833 from Boone County Distilling Company, Snyder's Flask limited edition. There are lots of words here and they're on a corner, but the bottom says made by ghosts, which I love. I

Speaker 1:

don't know

Speaker 3:

them. That just comes in.

Speaker 1:

Oh, it's just a kind of made by ghosts.

Speaker 2:

Yeah. Yeah. Yeah. I

Speaker 1:

thought it was like ghost distilling company or something like that. No. No.

Speaker 2:

Boone County Distilling Company.

Speaker 3:

I thought you said goats.

Speaker 2:

Oh, made by goats. Impressive. Well trained.

Speaker 3:

The greatest of all time. Yeah.

Speaker 2:

Yeah. No. I, I like this a lot. I got this a couple years ago in Louisville, and it is, to me, like, this kind of candy slash vanilla bomb.

Speaker 1:

I get a lot of butterscotch on the nose. Yeah.

Speaker 2:

It's just so sugary, and

Speaker 1:

I'm I'm a sweet tooth person.

Speaker 3:

So Yeah.

Speaker 1:

Like, just smelling it and everything. Yeah.

Speaker 3:

For sure. Cheers. Cheers.

Speaker 1:

Yeah. It has a lot of sugar right at the front, and then you get kinda almost is it high wheat, and I Yeah.

Speaker 2:

I well, I mean, I don't I actually don't know the mash bill. It might say with all those little words on the corner.

Speaker 1:

No. Not mash bill.

Speaker 2:

This is where I get Justin to do the work for me.

Speaker 1:

Oh, that's a did you notice? So this is Copper

Speaker 2:

distilled only. I know that because it says it on the front.

Speaker 1:

So this interesting. So it says Boone County, Kentucky

Speaker 2:

Mhmm.

Speaker 1:

But the distilled number is Like the DSP? Yeah.

Speaker 2:

IN 1. Indiana. Yeah. I don't know what that means. I bet there's a bunch of whiskey slash bourbon nerds that know why that would be.

Speaker 2:

No. What they moved, but kept the DSP? I don't know how to I

Speaker 3:

don't know. Seems like a research project for Justin after the thing. Put that

Speaker 2:

in the

Speaker 3:

show notes.

Speaker 1:

There's a DSP KY up at the top here. So DSP KY 20,000. So they're a newer distillery. So maybe maybe they're, doing, like, that they're aging in one place or maybe they're distilling in 2 places.

Speaker 2:

Yeah. It could be or like a like a doing business as and they got the DSP in a few places or whatever.

Speaker 1:

I don't think you need a, DSP license if you're not actually doing the distilling

Speaker 2:

process. Someone else that had one. Yeah. Okay. Yeah.

Speaker 2:

I could see, like, commercial things there. Anyway, that is interesting to me. Yeah. Anyway, I I like this one, though.

Speaker 3:

Yeah. Well, why you have it open there? I

Speaker 2:

mean, I won't say no.

Speaker 3:

And you?

Speaker 2:

Thanks, man. Yeah.

Speaker 1:

So what's next onto this here? Well, What'd we decide? That's a joke question.

Speaker 2:

Yeah. They don't They got on the list.

Speaker 3:

Well, I like the way you frame this. Signals from noise.

Speaker 2:

Oh,

Speaker 3:

yeah. Threats of school violence.

Speaker 2:

Yeah.

Speaker 3:

There's been a lot of this recently.

Speaker 1:

Yeah.

Speaker 3:

In local school districts here, getting calls. We know

Speaker 2:

have been impacted. Right. Yeah.

Speaker 3:

And it's only been a couple weeks in the school, and there's always lots of threats going on, happening, way more than I think it used to as well.

Speaker 2:

Yeah. Yeah. From from my understanding with people that I've talked to that have been impacted by this, it does seem like there's certainly an uptick in the volume of of the threats, basically. And, you know, we're talking about, you know, schools, and so they're obviously taking to, like, the, I don't know, the the maximum appropriate measures in terms of, hey. Everybody locked down in place, or, hey.

Speaker 2:

We're gonna get the bomb squad out immediately and check parking lots or whatever, because you have to treat every potential instance like it could be, the real thing because of the the consequences if you don't treat it. But, but I think there's a lot of potential scary impacts from just the nature the fact that the volume of these threats is increasing even if they're not, actual items. Right? Like a boy who cried wolf thing.

Speaker 3:

Right? Right. Well, there's there's 2 different sides of it. There's the, the mental fatigue of these kids in the

Speaker 2:

school Absolutely. Right.

Speaker 3:

Having to worry about what is actually happening. Yeah. That's horrible.

Speaker 2:

Yeah.

Speaker 3:

And anybody who has kids and your kids worried, like, what's gonna happen or

Speaker 1:

Yeah.

Speaker 3:

You know, is something really actually bad gonna happen every time they, sequester them and

Speaker 1:

lock the doors and But eventually when they get callous to that Well, they they I would have to assume,

Speaker 3:

you know And and that's the other side of it. And so Alright. To what degree do all of these become alright. That's just another

Speaker 2:

Just another tornado drill. I can't remember growing up.

Speaker 3:

The fire alarm went off again. Yeah. Or the car outside is beeped. The alarm went off again. Nobody's looking to see if it's actually being broken into or stolen.

Speaker 2:

Right. Signal is

Speaker 3:

just a noise.

Speaker 2:

Yeah.

Speaker 3:

And it's just annoying. Right? So at what point do the all these things create the, the problem where they're not taken as seriously?

Speaker 2:

Right.

Speaker 3:

And, yeah, here's a metric. I was, looking at this, and I found an article. And I basically just threw the topic you suggested from the, creative name in the Google and ended up with an article that was just a couple days old. Yeah. I know a surprise.

Speaker 3:

In, Hillsborough County, Florida, it's a 220,000 student, district Which is huge. Huge. And they fielded 260 reports through the state's anonymous reporting system since September 4th compared to 275 all of last year.

Speaker 2:

Both of those blow my mind. Even 275 in a single year Yeah. Blows my mind. Let alone over 200 in, like, a month and a half.

Speaker 3:

And they take every like you said, everyone is treated, very seriously. And so, officials are concerned that with this flood of vague and false threats

Speaker 2:

Right.

Speaker 3:

Students are gonna be less vigilant to your point, Justin Yeah. About reporting troubling messages or things they might see.

Speaker 1:

Yeah.

Speaker 3:

And what we wanna make sure is nobody stops reporting. Right. Because the moment they stop reporting, what is that? Right. What concerns me is and and some of the like, the latest ones were coming from somewhere in Australia

Speaker 2:

Right.

Speaker 3:

Made a threatening call

Speaker 2:

Yep.

Speaker 1:

To a school district,

Speaker 3:

claiming there were some bombs in the, parking lot. Yep. And then, again, from the same area, claiming there was, some other problem gonna happen. I got into the school or something.

Speaker 1:

And wasn't that, Springfield, was in the news, and they got, like, 30 some odd, like, bomb Oh,

Speaker 2:

there been there's been a lot of attention in that community for political reasons. Right. Yeah. Yeah. But, yeah,

Speaker 1:

part of it was the bomb threats and the government came out and said, like, yeah, it all came from overseas. You know? Right. All that, all these threats.

Speaker 3:

So why is this happening? Why is it coming from overseas? And, several thoughts. 1, is this are they testing our measures? Are they looking to see how you actually react when something like this happens?

Speaker 3:

And is this like a prelude? I don't know.

Speaker 2:

Right.

Speaker 3:

And, you know, and then then the other side of it is, how much disruption to every family? Like, if I'm getting disrupted, I deal with it, you know, that kind of thing happens or whatever. You're on this other one. Your kids are actually Oh. Putting in that scenario.

Speaker 3:

Yeah. All of a sudden, you know, how much disruption is there to, our economy? How much are start disruption to the normal daily work lives Yeah. Are we having because of it?

Speaker 2:

Yeah. If you could quantify, like, the the cost of I mean, which and there is, like, legitimate. Like, kids being afraid is not okay. So, like, the mental anguish side of things. Right.

Speaker 2:

Mhmm. Right? Plus the the disruption just to the typical school day. Right? Everyone has to shelter in place or or or or Yeah.

Speaker 3:

You no longer whatever.

Speaker 2:

Oh, a 100%. And then, okay, let's just assume for whatever reason, it's a threat and it happens in the morning, and it's it's identified as false almost within 30 minutes. Right? Very quickly. I mean, there's no good aftermath of this.

Speaker 2:

Right? In the maybe the best case scenario, everyone's rattled for the rest of the day. Right. Worst case scenario, they see this so often, they don't even care. Right.

Speaker 2:

Right? Like, they get back to productivity quickly, but the cost of that is exactly what you were talking about earlier, which is, oh, are people no longer taking this seriously, and is it gonna make it harder? It's like

Speaker 1:

people pulling the fire alarm nowadays. You're like, this is a disruption.

Speaker 2:

I've been

Speaker 1:

You know, like, it's not like, hey. There's an actual fire.

Speaker 3:

Right.

Speaker 1:

Exactly.

Speaker 2:

Right. Well, and and I I think of and certainly not to trivialize the the school situation because it's a totally different thing, but some of the patterns seem similar in terms of, like, I've talked to so many network people about, like, IDS, IPS, and they just chuckle and they go, do you think we're reviewing all those emails? What are you crazy? Right. I get a zillion pokes at the at the perimeter every single day.

Speaker 2:

Why? How could I possibly do my day job in this other thing?

Speaker 1:

And that's a problem with the noise at that point.

Speaker 2:

Signal to noise. Yeah. Exactly right. And so I think about these issues, and and I wish I had real solutions. I don't actually think that I do.

Speaker 2:

But I think about these, and some of those patterns seem similar. And but the the consequence, right, of an issue is so ridiculously high and serious. I I don't know. I just feel like it's security and risk people. Like, it's things that we we should be able to fix.

Speaker 3:

Probability impact is top of the line.

Speaker 2:

Yeah. It does not get higher.

Speaker 3:

Damn. Yeah. But they've been very improbable.

Speaker 1:

And I say I go back to I mean, even coming back to, like, cybersecurity and everything, don't worry about necessarily the the the noise of it. Focus on prevention and response, you know, at the end of the day. Like, things happening from an alerting perspective, you gotta worry about, like, your perimeter and your response if this happens more over than, like, somebody alerts.

Speaker 2:

Well, that actually seems like a legit takeaway. It becomes, well, I guess we do need metal detectors everywhere, and we do need, like, fence perimeters and all these things because and, you know, I I was talking to some people that were impacted by some events recently nearby in terms of threats, and and one of the things that that we ended up in a conversation about was, like, does it actually make sense to for for kids to move things from unsecured locations into the school, which should be a secured location, every single day. Right? Backpacks and all these things. If things are like laptops and digital and all that stuff, now there's certain hygiene products and stuff like that that maybe they need to move in or or not or whatever.

Speaker 2:

But, like, ultimately, how many things should kids or I almost think of it like like like the Westinghouse's of the world or whatever. Like, you know, those employees are not allowed for for the secured areas. Like, they don't move anything inside. Right? Like, basically, there's locker there's, like, outside lockers, and you leave everything there, and everything you need to do your job is here inside, and that goes through a really rigorous process Yep.

Speaker 2:

And never the twain shall meet. Right?

Speaker 1:

I used to work at a facility like that. You couldn't bring any electronics without authorization essentially from me, a security person, going through the gate. And we had to wear these big long what's called smocks. They're basically like Yeah. Uni gowns with no pockets, so you can't, like, shove things in your pocket and everything like that.

Speaker 1:

They came down to, like, your knees and everything.

Speaker 2:

And and I hate the impact that that could have psychologically

Speaker 3:

Oh, yeah.

Speaker 2:

On kids, but I don't know what else you do.

Speaker 1:

Our kids are too soft anyways nowadays. So

Speaker 2:

but but I don't know what else you do other than say, look, this is a highly secure location, right, where you should be able to feel safe.

Speaker 1:

Schools be a highly secure location.

Speaker 2:

I mean, I don't think they can be an insecure location.

Speaker 1:

I'm not saying insecure.

Speaker 2:

Well, I know. But, like, I don't know how you draw that that line.

Speaker 3:

Right. Well, I mean, they seem to do a pretty good job now because you walk up to the building, all the doors are locked. Mhmm. You just gotta make sure that somebody didn't prop a door open in order to get so the kid could get their, Uber Eats delivery that you weren't supposed to have in the first place.

Speaker 1:

You could put door alarms onto there and different things along that line. So, like, there's a lot of ways you could Absolutely. You know, annoying, secure, and also alert, secure, like, into the head office there if a door is propped open for more than 30 seconds or something like that.

Speaker 2:

But I I do think your note on, well, if there's too much noise in the detective channels, you have to move to prevention, makes a lot of sense. Yeah.

Speaker 1:

Preventative response. Yeah.

Speaker 2:

Like, that makes a ton of sense to me.

Speaker 3:

Well, it's like, oh, this is coming full circle. We're talking about continuity earlier a little bit. We're talking about tabletops. And, really, it doesn't matter what the incident is that creates the outage. It's what can happen that's an outage, and how do you Right.

Speaker 3:

Get back, in the business from that. So, and I like the idea, because every one of these things focusing on, well, what is your plan? What are you gonna do? And how are you gonna lock things down and get everybody to a point that, they can work. And I was kinda surprised that some of the schools locally didn't, go into the same mode they went into really quickly during snowstorms or COVID where they didn't, hey, let's just go Zoom tomorrow.

Speaker 2:

Right. And, that's a really good point.

Speaker 3:

Yeah. But, you know, again, you do that. All of a sudden, who's calling off work that has to go somewhere so they can stay home because all of a sudden, their kids are gonna be home all day.

Speaker 1:

Yeah. And are they able to come to a that are really impacted by that.

Speaker 2:

Yeah. And this is where, like, the, the tactical siloed approach really impacts the the rest of the world or the physical world, right, in in the politics of the situation then. Because then you do that enough times because, I mean, effectively, these threats can can be basically a DDoS to a school. Right.

Speaker 3:

Right? If it And a DDoS that can turn to a DDoS to a company. Everybody's trying to get ready to come back to work. Right.

Speaker 2:

Trying to

Speaker 3:

get them to come back to the office.

Speaker 1:

Yeah.

Speaker 3:

All of a sudden, so and so can't go to the office because Because. They have to stay home because their kids have to stay home.

Speaker 2:

3rd time this week. What do you mean? Right. Yeah. Yeah.

Speaker 2:

Yeah.

Speaker 3:

Yeah. And if you add all those up

Speaker 2:

The economic info.

Speaker 3:

Yeah, is a foreign adversary actually creating, disruption to our economy Yeah. Because they disrupt our workforce through disrupting our kids at school.

Speaker 2:

Right. I I remember, in college so my college roommate was, like, a poli sci major, and at one point, he's doing this, like, model UN type stuff, and he was, basically, you know, as we were describing, Justin, before, like, the inject thrower, like, the the chief wrench thrower of, like, something goes wrong. Like, what would what would an adversary do? And I remember at the time, because I was always been kinda security minded and, you know, a little off kilter, I was like, oh, you just need to poison all the stamps. Just poison all the stamps, and this is when, like, postal mail was, like, an actual thing.

Speaker 1:

Did you watch that Seinfeld episode

Speaker 3:

Yes.

Speaker 1:

There? Yeah. George's wife. Yeah. Yeah.

Speaker 1:

Right. Susan.

Speaker 2:

We just poison all the stamps and, like, all these admins that get all the work done, like, and the economic impact of that, and you're gonna shut down everything. It's interesting to to me that as we're talking now, it puts me in that frame of reference in terms of, like, oh, you want, like, a side loaded approach to impact an absolute ton of stuff? It's the schools. Right? Because it because it is the single most important thing.

Speaker 2:

Right? The kids for all these working professionals. And, yeah, that's like I mean, if it's not a national security issue, why? Probably should be. Yeah.

Speaker 2:

Absolutely. That's why

Speaker 1:

and that's where I think I mean, our country has shifted, oh, well, tons of stuff since we were founded. But one of the things I think we've shifted probably in the wrong direction is self protection used to be more localized and individualized, and now we look for other people to provide that protection, kind of thing. So, you know, we're looking for grants and funding and, you know, to be able to secure a lot of the schools and, you know, there's laws passed on what you can do and what you can't do in certain situations. You know? Like, we used to bring guns into school a hundred years ago.

Speaker 1:

People going hunting would come, you know, with their rifles and put it in the corner of the classroom.

Speaker 2:

Yeah. You

Speaker 1:

know? Like, how far we've shifted, you know, into that type of mentality.

Speaker 2:

Yeah.

Speaker 1:

And the only reason, like, you guys know, like, my political influences, but I just look also at kinda, you know, data from that and how less of an incidence we had back then versus where it seemed to be going the wrong direction Yeah. You know, from a frequency standpoint.

Speaker 2:

Yeah. So Oh, and I don't wanna blow up the podcast, but on episode 5. But, you know, it is weird because I think about all these other shifts that have happened. Right? So, like, I wonder if mental health has shifted over time because we used to be so much more community based, and so people that are, like, obviously a little off kilter, they don't necessarily have access to all the same resources, including firearms and things like that as everybody else.

Speaker 2:

But now it's potentially that economy has shifted. Right? Or or even just ideas and thoughts about weird things. Like, they're easy to access.

Speaker 1:

And there's, I mean, there's been a few books onto that about more of the tribalism of people's, like, thoughts. Like, before we had the Internet

Speaker 3:

Right. Exact so sure how I was gonna go. You had

Speaker 1:

the weird person in town. You know? They're shut. They're yeah. Exactly.

Speaker 1:

They're like, they're the weird person. You know? Old Eddie, he's kinda weird. You know? You just accept him for what it is and, you know, you know Right.

Speaker 1:

Kinda avoid. But now Eddie can find like Eddie's out on the Internet, and they can have a collective Eddie.

Speaker 2:

You know? And like anything else, it's this echo chamber. Yeah. Exactly. Echo chambers inherently drive people to action.

Speaker 2:

Right. Whether it's a positive one, like the Distilled Security podcast, or, you know, negative ones, you know, that it causes real concern or, again, can drive people to action they might not have taken anyway. Yep. And so I do wonder that, you know, although, like, yeah, people potentially, like, brought things that could be weapons, but were arguably tools at the time to school before. Like, is that still okay?

Speaker 2:

Well, maybe Once you wanted

Speaker 3:

to plan something with your buddy that lived a while away, you just didn't text them and they knew it instantly. Right. It was you maybe you write them a letter, and it takes days. So communication is, like, instant compared to, right.

Speaker 2:

That's a great point. Yeah. Yeah. Well, and one of the things that I had heard in the veracity of this is not certified, so it could be wrong. But this is a while back, and we're talking about this we were talking about the school stuff.

Speaker 2:

I'd heard this, I think, last year when I'd heard that some of this stuff was bubbling up more frequently, was that kids in different countries were essentially exchanging threats so that neither of them would have to go to school. Right? So, hey, maybe, you know, you're, you know, you're in Chile, and I'm in the US. And I know you, and you know me. But you know what?

Speaker 2:

We're in different countries. And so what's the real chance of this coming back on us? You call in this threat to my school, and

Speaker 1:

I'll call initial association, like a gaming relationship or something like that?

Speaker 2:

It could be anything. I mean, honestly Met on Reddit?

Speaker 1:

Like, I'm curious on, like, the initial, like, cross, you know, ideas and everything like that.

Speaker 2:

There's so many forums for these things from, you know, pick a number chan, right, to TikTok, to Instagram, to Snapchat, to Facebook.

Speaker 3:

So you make a relationship with somebody that's in a faraway place, maybe in another country.

Speaker 2:

Based on a shared community. Yeah. Right? You say, hey, we both play Fortnite or whatever. Yep.

Speaker 2:

And all of a sudden you go, oh, I have to go to school tomorrow. Oh, dude. I do too. I just wish someone would call on a threat or whatever. Actually,

Speaker 3:

right? For you today. You do that for me tomorrow. We're good to go. So I heard that this was

Speaker 2:

a thing that was happening last year and prior.

Speaker 1:

But, again, you don't only do that so often until they start degrading the response. Well, right. And that's That's what I'm saying.

Speaker 2:

Yeah. Yeah. And that's an issue. Right. That's a clear issue.

Speaker 1:

So I

Speaker 2:

I wish I had better solutions. I like the preventative thing. That's the best thing

Speaker 1:

that I've heard. And that's where, like, they clear a lot of this stuff. Like, they go through and validate. They look at source. They look at, you know, the validity of the information, who is coming from.

Speaker 1:

Is it a student? Is it somebody far away? Yeah. And then they're like, alright. Are we gonna do anything different?

Speaker 1:

You know, like

Speaker 2:

Yeah. But that's all in post. Right? Like, you have to you run up like, you have to respond. I believe you have to respond to the threat as though it's serious until you can run the analysis, and you run the analysis in post.

Speaker 1:

Yeah. But I think a lot of schools nowadays, they already have, you know, security officers that are in the hallway. You know, they already have metal detectors and everything. It's un

Speaker 2:

I don't wanna say, I mean, I guess I will say, like, underfunded or the perceived underfunding of schools, right, in many cases. Yeah.

Speaker 1:

I mean, around where we are, they have that stuff. Now every school, absolutely, there are a number of schools that

Speaker 3:

are not funded. Schools have metal detectors, but they do have security officers and local police forces happen to get involved pretty quickly.

Speaker 2:

That's true. That's true. Yeah. But I

Speaker 1:

don't know. It becomes And a lot of them.

Speaker 2:

The resources they need. Like, how quickly do they do these analyses?

Speaker 1:

I know we have a guy in the neighborhood. He's ex secret service. His his he's retired, but his job now is to go around to local schools and actually give him assessments and remediation plans for That's awesome. Business and everything. That's awesome.

Speaker 1:

Thank that person for me. Yeah. That's super cool. Yeah. That's what his company does right now.

Speaker 1:

And he, and they work with a whole bunch of schools to say, okay. You know, how do you get in? Who has master keys to everything? Like, how are we gonna respond? Where are the keys located?

Speaker 1:

Like, if all the master keys are inside and you're under, like, a lockdown, like, that's not gonna do the cops or first responders any good. You know? So you need to make some extra copies and, like and coordinate all of this prior to something happening.

Speaker 2:

Right.

Speaker 1:

You know? So I love that exercise.

Speaker 3:

Like a tabletop exercise? Yeah. Like a tabletop here. So I

Speaker 2:

know what you're saying. Well, you know, and may so maybe it's not as worrisome as initially it was in my head, but, boy, I don't love the fact that it's, like, increasing in frequency.

Speaker 3:

Yeah. It's horrible. Yeah. Yeah. So, any other topics for tonight?

Speaker 1:

I think we're probably good. Right?

Speaker 3:

Yeah. Yeah. So big thing, October 3rd.

Speaker 2:

Yep. Yeah. Come see us. Come see us.

Speaker 3:

Come by the table. Come by later for the happy hour.

Speaker 1:

Have a good time.

Speaker 2:

Yeah. Can't wait. That'll be fun. Hey.

Speaker 3:

Cheers, guys.

Speaker 2:

Cheers, Zach.

Speaker 1:

Alright. Thanks. Thank you, everyone. Don't forget to like, comment, and subscribe. Let us know some of the topics that you would like us to talk about, and enjoy.

Speaker 1:

Thank you.

Speaker 2:

Take care.