
April 21, 2025 33 mins

Join The Audit as we dive into the high-stakes intersection of critical infrastructure and cybersecurity with Tim Herman, President of InfraGard Minnesota. InfraGard is a unique public-private partnership with the FBI designed to protect the 85% of America's essential systems owned by the private sector. From power grids to transportation, the vulnerabilities are real—and increasingly complex. 

In this episode, we discuss: 

  • How joystick-operated tugboats on the Mississippi reveal hidden cyber risks
  • Why tabletop exercises are vital for incident readiness
  • Common mistakes in organizational response plans (and how to fix them)
  • The importance of physical backups and redundant communication systems
  • Actionable steps to bridge the gap between planning and execution

Cybersecurity isn’t just an IT issue—it’s national security. Don’t miss this compelling conversation on how InfraGard is helping organizations build resilience before the next breach hits. 

Like, share, and subscribe for more expert insights from the frontlines of cybersecurity.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
Welcome to The Audit presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. Today we're joined by Eric Brown and Nick Mellem, the usual suspects, and today our guest is Tim Herman from InfraGard. Tim, thanks for joining us. Can you tell us a little bit about yourself, how you know Eric and tell us what you do at InfraGard?

Tim Herman (00:26):
Sure, I am the president of InfraGard Minnesota. I live here in St Paul, Minnesota, and InfraGard, for those of you who don't know what that is, it's an FBI private sector partnership. Essentially, 85% of the nation's critical infrastructure is owned by the private sector and so the FBI wants to have relationships with those business leaders and we've got about 800 members in Minnesota.

(00:47):
Of those 800 members, I would say probably 90% of them are leaders in an IT role, a CISO and other leadership roles.

Eric Brown (00:58):
I'm proud to say I'm a member. Yes, and Tim, I apologize. The first thing you hear is that Josh is sleeping in the middle of the day.

Nick Mellem (01:09):
Sleeping on the job.

Eric Brown (01:11):
He's napping. We don't have enough to do around here.

Tim Herman (01:15):
Because you're up late.

Eric Brown (01:16):
Yeah, well, aren't we all up late, right? It's the life of a musician, fellas. Life of a musician.

Joshua Schmidt (01:24):
Yes, yeah, when you guys are all getting tucked into your beds, I'm going to be playing Mustang Sally down at the bar, so unless there's a breach, just like the meme, yeah, yeah. Well, we're speaking of which. Stick around to the end, folks. We got meme of the day. We're gonna pop that up here at the end of the convo. So stick around to the end. You're not gonna want to miss this meme that Nick pushed me via the algorithms of LinkedIn when I

(01:47):
was up late and you're up all day. It happens, there's a lot of sickness going around right now. A lot of it is, a lot of excuses, okay, Eric. Eric, coming in like looking like Darth Maul today with the... looks like you're Dark Eric today. I think, yeah, put the hood up, please, there you go. Dark

Eric Brown (02:09):
Eric.

Nick Mellem (02:10):
That completed the look.

Joshua Schmidt (02:12):
That's awesome. I'm either Kent or I'm lazy.

Eric Brown (02:17):
K2. K2.

Joshua Schmidt (02:21):
No, dudes, you do not want to open this. You do not want to open this can of worms with me. The nicknames are gonna...

Nick Mellem (02:30):
We want that tattooed on your neck next time you join, K2. Hey, Eric's got a tattoo machine. We'll print it for you. Oh, okay, great, yeah, let's do that. Game night activities.

Eric Brown (02:42):
We had a producer, a good guy, who's... Game night activities. Game night activity. We had a producer, a good guy, who's... he, Josh, has filled his shoes, but he was very heavy on the censor button. Yeah, notes beforehand about, you know, things that we should say and not say, and we thought maybe we were going to get a

(03:03):
reprieve from now. At least Nick and I did.

Nick Mellem (03:06):
Poor Josh. He just won't come from his nap and he's just getting berated.

Eric Brown (03:10):
Sorry, Josh, let's get back to the podcast. Sorry, Tim's got a little bit of time.

Joshua Schmidt (03:14):
Just remember, I am the producer. I have post-production editing powers. You're messing with the power here. Just remember who holds the keys to the power here.

Eric Brown (03:24):
Yeah, just remember who holds the keys to the power here. Sorry, Josh, I hope you're speaking Chinese here in a second.

Nick Mellem (03:27):
Before we jump into the whole other thing, before... Tim, what is the thought process behind the FBI pushing this to the private sector? Is there a quick skinny that you can give the listeners and me why they would do that?

Tim Herman (03:39):
Sure. So the mission of InfraGard is to help protect our nation's critical infrastructure. So the basis is there are 16 areas of critical infrastructure, so IT being one of them, transportation, energy, dams, water treatment facilities, so this makes up several of those

(04:02):
critical infrastructure sectors. The reason the FBI gets brought in on investigations and things in the cyber attack world is because they're the ones that are hunting down the bad actors, and a lot of times they actually have the encryption keys from other investigations.

(04:23):
So rather than paying a ransom, if you bring the FBI in, it's very possible that they might have the keys to unlock the kingdom as well. And so the FBI, they're not interested in your secret sauce, they just want to help in any way they can on that investigative side.

Joshua Schmidt (04:43):
Eric, can you speak a little bit about your experience working with Tim, or is there anything that we can't talk about there?

Eric Brown (04:50):
No, Tim and I, maybe it's been a little less than a year or so, but certainly have appreciated working with Tim, and Tim's got a lot of great contacts in the industry. Tim's helped and maybe, Tim, this is a story you could tell around some of the, what would we call it, like the tabletop

(05:11):
exercises that you've participated in, cool stories there, and just bringing together a great group of people in Minnesota that all care about information security, either at a conference or at the meetups that you do, and you do those meetups quarterly, is it, Tim?

Tim Herman (05:29):
Yeah, five times a year actually, and the interesting thing about that is we just had our chapter meeting this last Monday and we had about 65 people that showed up. We're now meeting at Medtronic's headquarters. One of the cool things about that particular meeting is we

(05:49):
brought in a speaker from the US Coast Guard that helped facilitate a tabletop exercise a few years back on the upper Mississippi River that engaged the City of St Paul Port Authority and the City of St Paul Emergency Management and a host of others, and so, if you want to get into that in more

(06:09):
detail, I can share a little bit more about that as well.

Eric Brown (06:12):
Yes, definitely.

Nick Mellem (06:13):
I would love that.

Eric Brown (06:14):
I want to get into the details about where it was on my calendar, because it's not here.

Nick Mellem (06:17):
You need a new assistant.

Joshua Schmidt (06:19):
Yes, we definitely want to get into the tabletop exercises and some of the groundwork you've been doing, Tim, but can you give us kind of just a general, you know, 30,000 foot view of, like, why tabletop exercises are so critical with the private sector and infrastructure, critical infrastructure?

Tim Herman (06:36):
So a few years ago I worked for an organization called Norwich University Applied Research Institutes and they actually were using Department of Homeland Security, Science and Technology Directorate funding to develop an exercise platform to do tabletop exercises all throughout areas of that critical infrastructure. And so when I was working for them is when I worked with the

(07:00):
Coast Guard and helped kind of organize that exercise on the upper Mississippi River. But why tabletops are really important is most companies of a certain scale or a certain size have developed an incident response plan and, Eric, I know that you work with companies on helping them create that incident response plan.

(07:21):
It's great to have a plan, but if you don't actually test the plan and exercise the plan, you don't really know how you're going to do in a real world incident. And so, you know, just like, you know, the military does drills and drills and drills, you need to exercise and build that muscle memory so that you not only eliminate the silos

(07:42):
between the different, you know, people that would need to be engaged in a real-world incident, but you develop those relationships between each other so that, again, when things go sideways, you're actually able to have that muscle memory and respond accordingly.

Nick Mellem (08:01):
I think a lot of times when we've been doing these exercises, a lot of people are scared to pull the hood up and see what could go wrong, when, you know, we should be practicing this so much we can't get it wrong. And when I was in the military I had a, it was a sergeant at the time. He would always tell me, tell us, the more you sweat in peace, the less you bleed in war, right?

(08:24):
So if we continue to practice this day in and day out and help these organizations understand that we can be comfortable being uncomfortable, to make sure we get these things right when it's real life.

Tim Herman (08:35):
Well, and what I was always trying to share with folks when I'm kind of organizing a tabletop exercise is there's no right or wrong answer to going through an exercise. There's no bad way to do an exercise, or it's not about singling out people that did something wrong. It's really more about identifying where your gaps are

(09:00):
so that you're not stuck winging it when you're in the middle of a crisis.

Joshua Schmidt (09:06):
In my line of work, tabletop exercises mean something completely different, but I'm curious, have you worked with Eric on a tabletop exercise before together? Not yet, but we should. We need to. Yeah, that'd be fun. I know, Eric, you have some experience with tabletop as well. What does your experience look like working with organizations to run these kinds of exercises?

Eric Brown (09:28):
You know, it's a time when you get the leaders of the organization in a room and they're not politicking or worried about their individual areas of responsibility. So it's kind of a unique view where they come in and, you know, you have people from, you could have leadership overseeing HR

(09:51):
or communications, and then, you know, the more tactical roles as well, and you're going through essentially a role-playing scenario. Right, an exercise. Homeland Security will come into organizations and help out with them. It's really a nice way to see how the organization works and

(10:13):
it helps the organization understand what maybe some of the other roles are that they may not see. Right, they may just see the security organization is pushing out these crazy phishing emails once a month, but then to actually see how the security organization works in real time and not in a real crisis, that there's stress.

(10:34):
You know, there is a little stress on the tabletop because you're, like, uncovering these gaps in the organization of, like, oh well, you know, he does get to push the button, which is something that Chris Gabbard, when he leads these from Homeland Security, it really drives the leaders to say who can make that call to take that production system offline.

(10:55):
So it's just a great, you know, two hours to a half a day experience. We need more button pushers.

Tim Herman (11:03):
One of the things that was really cool about the exercise on the Mississippi River was when I first started working for this organization, the Norwich Applied Research Institutes, I reached out to the St Paul Port Authority and, you know, knowing that they run everything on the upper Mississippi River, and then they said, you know what, you really need to talk to the

(11:25):
port operator and the person, the group that's actually moving all the barges around. And so I met with them and right away he identified, hey, Tim, a couple of years ago we actually put in all new engines in our tugboats that are all remotely controlled, so our drivers don't

(11:49):
even have to be on the boat. And so now we're moving, you know, eight or 12 barges around, you know, with a joystick. Essentially is we don't have a what-if plan for if somebody were to remotely hijack that and run it into another boat or into a bridge or the refinery down the river or whatever the

(12:13):
case is. And so this exercise ended up turning into more of a workshop on identifying who needs to be involved in that scenario if something like that were to happen in the real world. The outcome of that is they've actually been able to continue doing exercises, and so I think they've done at least one or two

(12:34):
additional exercises to be able to now exercise that incident response plan and still finding additional gaps and building that muscle memory.

Joshua Schmidt (12:44):
So did you do well at game night last time we had at IT Audit Labs, with this tactical kind of thinking? Because I had to leave a little bit earlier and Eric was nice enough to text me the outcome of the game, but I think it was Blood on the Clocktower or something like that.

Tim Herman (12:57):
Yeah. Yeah, I was actually the demon in that one, and so I lived through it all.

Joshua Schmidt (13:05):
I just remember being slightly persecuted, kind of, not too much, unlike the beginning of this episode. I was kind of the patsy or the pariah of that game early on, but I think I was just a townsperson or something. It's always a poor Josh.

Nick Mellem (13:23):
Going back to the tabletop exercise with the letter agencies that Josh was talking about, I'm curious, when you get all these big entities together, how, you know, let's say, you finish the tabletop exercise, how do you, you know, you find out, uncover all these gaps, things that they're doing right or wrong, things they could do better, how do you get

(13:44):
all of them to marry together and listen and get on the same sheet of music and start to implement these things? Because I would assume, once you do it, the job's not done?

Tim Herman (13:50):
Right, absolutely so. Every exercise will finish up with what's called an after-action report and actually, right after the exercise is closed, you want to spend at least 30 minutes in what's called a hot wash where you're just, you know, heat of the moment. What was your experience like? You know, what did you learn?

(14:11):
You know, while you're still kind of amped up and, you know, in that exercise mode, and then you, you know, spend the next couple of weeks drafting that after-action report. And that's the how-to, you know, to fix, you know, what we learned. Doing one exercise isn't enough. You actually have to have an exercise program where you're doing, you know, exercises, maybe twice a year or quarterly,

(14:34):
or, you know, it depends on your business and how things change in your business. But, you know, there are some organizations that are doing it quarterly and some organizations that are doing it only every other year. And, you know, again, it just depends on the business. But that exercise program really helps identify, you know, where. Again, it's a measuring stick.

(14:54):
You're measuring how good we did, we do, in identifying additional gaps? Or how good did we do in being ready and building that muscle memory?

Joshua Schmidt (15:07):
Eric, how have you seen this, like, shore up the security with the people that you've worked with when conducting tabletop exercises?

Eric Brown (15:14):
The thing that resonates most with me is you're able to show value and get some funding for information security programs and the outcome of this, because, going into it, some of the leadership doesn't quite really know what we do on a day-to-day basis. And then during the exercise, when you have multiple things

(15:36):
going on and you're talking through those scenarios and they see how important information security is, the next time the budget cycle rolls around there's not as much pushback, right? Are we going to get new tables and chairs or are we going to invest in information security?

Joshua Schmidt (15:53):
The shipping on the Mississippi River, any other Tom Cruise worthy kind of incidents that we could go over? Because we're all action junkies, we want to hear the good stuff.

Tim Herman (16:05):
Yeah, absolutely, you know. I'll give an example of, we did exercise with a couple of different airports around the US and the interesting part is that we learned is every airport, and this is not unlike other businesses and other sectors, but, you know, every airport is in a different maturity level, and so that exercise can go deeper, or it

(16:29):
plays really basic, or not basic, but more attuned to the people that are in the room. That might not be all your technical people, it might just be your leadership, it might be the CIO and the CISO and the CEO and, you know, kind of all that C-suite, but then also include

(16:51):
legal and include, you know, the marketing person, you know, that handles all the communications, and when there is a real world scenario, you've got to be on your tippy toes, you know, ready to go, you know, because things can go even more sideways very quickly.

Nick Mellem (17:10):
One common trend that I feel like I'm always seeing is communication. But as soon as, when things kick off, and still part of communication, everybody starts running into each other. It's like the Spider-Man meme. They're pointing at each other like, I thought you were doing that. No, I thought you were doing that. So I think just getting everybody to slow down, this is

(17:30):
why we're training. So, you know, take a breath, regroup for a second. Maybe it's still gonna be uncomfortable, really, no matter what, right. So if we can get it from being, like, 75% clunky, let's get it down to, like, 20 or 30. We're more streamlined. You have a good basis to get you far down the track and then, you know, you can keep building on it. But the communication is usually the biggest piece,

(17:51):
whether that's social media, the press, newsletters, whatever it is, how to communicate that and when.

Eric Brown (17:58):
You could take, if you have a P2 or a P1 incident that's going on in an organization where you have multiple systems that are down or a critical system that's down and you're going through. You could even do it in the event of, say, a planned outage, a maintenance window. So your firewall is down and you have multiple teams testing.

(18:20):
You have some people on the business side that are going to be involved in testing and then you have your central communication channel. You have your technical channel. You could really run these as a tabletop exercise, do the hot wash after, talk about it and write it up, because I've been involved in a few of these recently where, you know, there's

(18:40):
a scheduled outage window between, you know, a certain time, and then the technical people are bothering the engineer who's hands-on configuring, say, the firewall. Firewall's got to come up within an hour or we're going to be behind schedule, and they're saying, can we test yet?

(19:01):
Can we test yet? Pinging him because they have a direct relationship with that engineer, versus leveraging the channel and the project manager who's coordinating that and will handle the communication, so being able to then go back to the organization and talk about it. Really, the tabletop exercises are more so aimed at the

(19:22):
leadership level, but using a P1 or a P2 or even an outage window where you have engineers, like that help desk person who's going to be taking those calls during the outage. Instead of escalating that to the engineers, they could just stop the communication right there. So, yes, we're in an outage window, we'll have communication

(19:44):
for you at next time, versus then having to trouble the engineers with, oh, is it going to be back up?

Tim Herman (19:52):
Yeah, that's totally true. One company that I was consulting with through my employer, they wanted to do two separate exercises, one for the leadership to help identify where, you know, kind of, where gaps might be in the leadership, but then they wanted to do a technical exercise that focused on, really, okay, we know that if

(20:18):
our systems get encrypted and locked in, we actually need to migrate other systems to the cloud, and, you know, we need to make sure that that's going to be seamless, and so let's exercise that process so we're not having to, you know, like, do that in the real world. One of the things that I always would ask the people that I was

(20:39):
working with on the client side is what are you really trying to accomplish? You know, rather than just saying, hey, we want to exercise a ransomware event. My answer to that is why? What is it that you really want to get out of that? Is that a concern of yours? Why is that a concern? What are those concerns?

(21:00):
And really kind of dive deep into. Because when you're creating a scenario for an exercise, you want that scenario to actually be relevant and not too generic. That's just another layer that you need to be a part of.

Eric Brown (21:18):
Tim, I can't tell you how many organizations I've walked into and I've said, are you backing up your M365 environment? Yeah, oh no, we don't have to do that. Microsoft does that. What? Right. Good luck.

Tim Herman (21:31):
Microsoft does that.

Eric Brown (21:32):
What.

Nick Mellem (21:32):
Right, right.

Eric Brown (21:32):
Good luck. Yeah, what? Because if somebody fat fingers something, somebody maliciously deletes something, you're not getting it back, right, the entire thread, all kinds of things. Microsoft is responsible at the zone level of, you know, if they wipe something out, they're going to take care of getting it back, but they don't care about your data.

(21:53):
That's your problem.

Tim Herman (21:54):
Well, the thing that we always tell people also, and I'm sure that you've shared this with your clients and people that you work with, is that make sure that your incident response plan is not on your same system, that, you know, on your hard drives or, you know, in the cloud, because, you know, you should have a hard copy of it, because if it's encrypted you don't

(22:15):
actually have a playbook then, and, you know, if a bad actor is in your network for, you know, three weeks, three months, you know, three years before they actually decide to execute, you know, said disruption, they actually have read through your incident response plan. They know who your insurance company is, they know who your

(22:36):
legal law firm is, they know exactly where to hit you because they've read your incident response plan. So just having a plan isn't the ballgame. It's knowing how to use the plan and where things need to be put as well.

Nick Mellem (22:53):
That threat actor probably knows your incident response plan better than your organization. Yes, right, right.

Eric Brown (22:59):
And having that back channel. If you're a Teams shop, you've got Slack as a channel or Discord, some way to communicate if you can't get into your work systems.

Tim Herman (23:09):
Exactly.

Nick Mellem (23:10):
That is an interesting point, Eric. I don't think enough people are putting pressure on having another means of communication. They just think Teams is always going to be up, or whatever. Whatever their means of communication will always be there, but having a secondary or tertiary to ensure communication, it's a big deal.

Eric Brown (23:27):
Sometimes that's fun to do too. You know, if you go into an organization, you're doing a tabletop and they're a little bit, you know, maybe they've been through a few of these before and they're pretty good, they've got a good plan. Then you say, okay, well, now you can't use your cell phone, right. Something happened in the area. You got a regional disruption. Power towers are out, right, like the AT&T issue

(23:47):
that happened, like, what, two years ago, where cell phone coverage was disrupted because allegedly they messed up a DNS entry or something, whatever it was. But then, you know, how are you going to get a hold of Nick, right? How are you going to get a hold of Tim or Josh if you can't call them? What are

Nick Mellem (24:05):
you going to do? We got to have everybody, everybody's got to go out and get their ham radio license.

Joshua Schmidt (24:10):
Or if I'm napping, for example.

Nick Mellem (24:12):
Right? Well, we can count on Josh being napping during this whole situation.

Eric Brown (24:17):
I turn my ringer off, do not disturb.

Joshua Schmidt (24:20):
He's asleep, one o'clock on a Friday.

Nick Mellem (24:24):
He's doing some research on aliens or something.

Eric Brown (24:26):
Well, yeah, Tim, I tell you this, dude, where's the

Joshua Schmidt (24:33):
tinfoil, Nick? We keep tinfoil hats on handy. Speaking of which, we've got a tinfoil hat question.

Nick Mellem (24:38):
Production value here at IT

Joshua Schmidt (24:39):
Outlands. Here's the tinfoil hat question of the day, Tim. So a lot of planes have been going down, helicopters lately. I mean, was it just a couple of years ago, the Baltimore Bridge incident? Does this set off your spider senses at all? Do you feel like these could be cyber attack related, or at least some of them? Some of them are probably just user error, of course, but once

(25:01):
again, this is a tinfoil hat question.

Tim Herman (25:04):
I cannot confirm or deny, no, not confirm or do not know. You know, I have to say honestly, anytime I hear that, oh, T-Mobile is down again or some other, you know, some other thing has a major outage, in the back of my mind I'm wondering, I wonder if it's some kind of a breach, some kind of a scenario

(25:26):
that, you know, or an incident, if you will, that might be going on, and the thing is you're not going to hear about it in the public, you know, for another six months, because they've got to do the forensics and they've got to do a bunch of things, making sure that they're back up and running, and they need to identify, you know, was their data lost, was data

(25:46):
compromised, and so there's just a whole lot of things that need to happen before you can share with the public. But, yeah, I would say that tinfoil hat, with things kind of going sideways, it is something that I'm thinking about.

Joshua Schmidt (26:04):
Yeah. Is that even a possibility, to hack into an airplane or helicopter's system and control it? I mean, you said that it's possible for remote-controlled boats or barges, right?

Tim Herman (26:17):
Well, how many drones do you think there are going around in the world? That's all remote-controlled.

Joshua Schmidt (26:23):
That's a great question.

Tim Herman (26:24):
Yeah, absolutely, I think it's possible.

Joshua Schmidt (26:27):
When there is a new threat that does pop up on our radar, how fast are we to incorporate these things into your tabletop exercises? Do you get your clients on the horn right away and set up a meeting, or do these things kind of depend on how the organization wants to prioritize this part of the security?

Tim Herman (26:46):
It's certainly something that you're aware of and you've got your client list. Say, if you're doing a virtual CISO with a healthcare client or with some kind of business in manufacturing and some new scenario comes up or comes to mind or something happens in the marketplace that is relevant, yeah, absolutely, you want to

(27:09):
reach out to your clients and make sure that that's incorporated. Getting back to the exercises that we were doing with the short line and regional railroads, an interesting fact about that is there are 500 short line railroads in the United States and of those 500, probably 90% of them use the same piece of software to manage, you know, not just, you know,

(27:32):
kind of their operations, but manage the switching of the tracks. And so what happens if that software gets compromised? You essentially screech to a halt the entire transportation, rail transportation, in the United States, and so, you know, how prepared are you for something like that to happen,

(27:53):
and that was part of the scenario for those exercises.

Eric Brown (27:57):
We saw that with was it Maersk, with shipping, like
back in 2017, 2018 with the worm, you know?
And as we're talking throughthis, I'm reminded of the other
day I was took a picturestanding out my patio window
looking into the backyard, andthere's a.
The backyard is there's alittle bit of grass, and then it

(28:20):
goes to these, these pine trees, and the pine trees are, let's
say, maybe 30 to 40 feet tall.
They're about you know they're.
They're pretty mature, maybe 50, 40 years, and some of them
have fallen over.
We've had some removed.
You know they died, cut themdown, had them removed.
But there was one that hadn'tbeen removed.

(28:43):
It still had some green on thetop, but like you could see that
the middle part was dead right,the bark was coming off of it
and it was like oh, you know,we're moving here in a couple of
weeks or a couple of months, Isthis something we're going to
deal with?
Probably I will put we'll kickthe can right.
And there was.
We had a bad storm, I don't know, maybe two months ago, and that

(29:04):
tree fell over and it snappedoff maybe eight feet up and
fortunately, the way it fell, itfell away from the house.
So I took a picture of thatbecause it's very for me it was
very poignant of theconversations that we like to
have with customers of if youwork with us before you even
build the house, we're going totell you about your risk.

(29:26):
You put a house there, you'regoing to have to deal with these
trees.
Unfortunately, we usually getbrought in after the tree has
already fallen over and donedamage to the house, and now
we've got a lot of cleanup to do.
Right, you're going to bedisplaced, your pets could have
got loose and just it's a wholemess.
But it's a whole mess thatcould have been avoided.

(29:49):
So when, when maybe, you builtthe house there, you wanted the
area, you understood the risk ofthe trees, you signed off on
the risk.
But now the trees are dying.
You need to take care of thattree.
That's a $500 to $800 problemif you take care of that tree
before it falls.
But if it falls and it's not100% that it's going to hit the
house, but there's a good chanceit could that's a

(30:11):
multi-thousand dollar problem.
That's an insurance problem andit's in the tabletop exercises.
I'm working with a client now.
They're looking at building,doing some manufacturing in the
United States and I'm thinkingabout, well, where should we put
that manufacturing facility?

(30:32):
You know like we got to takeinto account transportation
right, if it's on the coast,maybe it's easier to get to.
But then there's also thecomponent of if you put they're
not talking about this, butlet's say they are, you know,
we're going to put manufacturingdown in Florida somewhere, well
, easy to get to from a flight,but that thing's going to be
underwater.

(30:52):
Thinking through these things early and having a tabletop, even maybe before you made a decision of like, hey, we're going to build an office building in XYZ location, folks like, you know, Tim and Nick and I, could come in and have the conversations around like, okay, are you near, you know, an

(31:12):
airport, or you know what are the weather patterns in that area? What are some of the things that you should really be mindful of? Right, are you putting it near a refinery? Well, what happens if that refinery has a spill? It may not impact you, but your workers may not be able to get to the office for a week until they clean that stuff up.

Joshua Schmidt (31:32):
So, to rephrase my previous question, I think what I was actually trying to get at you kind of uncovered here and Eric, I really liked your analogy with the trees. How do you plan for those X factors? Like you mentioned, Tim, the pandemic wasn't on anyone's bingo card for 2020. How?

Tim Herman (31:51):
do you plan for those contingencies that you're kind of unseen. You really try to curveball as much of the unforeseens. Try to. You know, curveball as much of the uh, the the unforeseens. Um, you know, depending on the maturity of your organization, there are times where where we would actually uh in, in, inject, uh into the exercise some you know major curveball that would actually stress your people out even more.

(32:13):
So not just that you are having this outage or downtime or whatever the scenario is, but now you've also got a strike happening at the same time. Or now you've got your principal person, the CISO, happens to be on a remote island somewhere, that his laptop got

(32:35):
pop spilled on it and he, you know, doesn't have access to it. And you know, like, what happens in those kinds of real scenarios, because those things do happen. And so I think you know, just trying to be creative, you know people like Eric, people like the company I work for, it's really just trying to understand what all the possibles are.

(32:56):
Trying to understand what all the possibles are. Then you can start thinking of the impossibles or the you know what are the things that you know just seem so unreal. Well, let's actually inject that into the exercise, just to see how people respond. And you know, are they ready for those? You know curveballs in the middle of a crisis.

Joshua Schmidt (33:14):
Do you fellows have anything else that you wanted to get in today? Or ask Tim about?

Eric Brown (33:19):
The only question I had, Tim, was how did I not know about Monday?

Tim Herman (33:24):
Maybe they ended up in your filter.

Eric Brown (33:27):
Man, I got to go back.

Tim Herman (33:28):
Too much security.

Joshua Schmidt (33:31):
Never too much security for the cyber attack
cat here.

Tim Herman (33:35):
So next time in May, Eric, we need to have you actually come and speak in May, on May 19th, and so that way you have to show up.

Eric Brown (33:41):
I gotta show up?
I would love to.
Yeah, let's do it.

Joshua Schmidt (33:45):
You just let me know, Tim, I'll make sure it gets on the calendar. Yeah, May 19. All right, folks. Well, thanks so much for joining us today, Tim. We've been listening to Tim Herman from InfraGard and joined by Eric Brown and Nick Mellum of IT Audit Labs. My name is Joshua Schmidt, co-host and producer. Here's our meme of the day, and thanks again for listening.

(34:08):
Please tell your friends, subscribe and leave us a comment in the comment section on YouTube, or give us a review on Spotify, and we publish every other week on Monday. See you soon. You have been listening to the Audit presented by IT.

Eric Brown (34:18):
Audit Labs give us a review on Spotify and we publish every other week on Monday. We'll see you soon. You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. Or our security control assessments rank the level of

(34:41):
maturity relative to the size of your organization. Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill.