Joshua Schmidt: 0:04

Welcome to the Audit presented by IT Audit Labs. I'm your co-host and producer, joshua Schmidt. Today we're joined by Eric Brown and Nick Mellum the usual suspects, and today our guest is Tim Herman from InfraGard. Tim, thanks for joining us. Can you tell us a little bit about yourself, how you know Eric and tell us what you do at InfraGard?

Tim Herman: 0:26

Sure, I am the president of InfraGard Minnesota. I live here in St Paul, minnesota, and InfraGard for those of you who don't know what that is, it's a FBI private sector partnership. Essentially, 85% of the nation's critical infrastructure is owned by the private sector and so the FBI wants to have relationships with those business leaders and we've got about 800 members in Minnesota. Of those 800 members, I would say probably 90% of them are leaders in an IT role, a CISO and other leadership roles.

Eric Brown: 0:58

I'm proud to say I'm a member. Yes, and Tim, I apologize. The first thing you hear is that Josh is sleeping in the middle of the day.

Nick Mellem: 1:09

Sleeping on the job.

Eric Brown: 1:11

He's napping. We don't have enough to do around here.

Tim Herman: 1:15

Because you're up late.

Eric Brown: 1:16

Yeah, well, aren't we all up late, right? It's the life of a musician fellas Life of a musician.

Joshua Schmidt: 1:24

Yes, yeah, when you guys are all getting tucked into your beds, I'm going to be playing mustang sally down at the bar, so unless there's a breach, just like the meme yeah, yeah.

Joshua Schmidt: 1:34

Well, we're speaking of which. Stick around to the end, folks. We got meme of the day. We're gonna pop that up here at the end of the convo. So stick around to the end. You're not gonna want to miss this, this, this meme. That nick pushed me via the algorithms of linkedin when I was up late and you're up all day it happens, there's a lot of sickness going around right now. A lot of itis, a lot of excuses, okay, eric. Eric, coming in like looking like darth maul today with the looks like you're Dark Eric today.

Joshua Schmidt: 2:05

I think, yeah, put the hood up, please, there you go Dark.

Eric Brown: 2:09

Eric.

Nick Mellem: 2:10

That completed the look.

Joshua Schmidt: 2:12

That's awesome. I'm either Kent or I'm lazy.

Eric Brown: 2:17

K2. K2.

Joshua Schmidt: 2:21

No, dudes you do not want to open this. You do not want to open this can of worms With me. The nicknames are gonna.

Nick Mellem: 2:30

We want that tattooed on your neck next time you join K2. Hey, eric's got a tattoo machine. We'll print it for you, oh, okay great, yeah, let's do that Game night activities.

Eric Brown: 2:42

We had a producer Good guy who's Game night activities. Game night activity. We had a producer, a good guy, who's he, Josh, has filled his shoes, but he was very heavy on the censor button. Yeah, Notes beforehand about you know things that we should say and not say, and we thought maybe we were going to get a reprieve from now. At least Nick and I did.

Nick Mellem: 3:06

Poor Josh. He just won't come from his nap and he's just getting berated.

Eric Brown: 3:10

Sorry, josh, let's get back to the podcast. Sorry, tim's got a little bit of time.

Joshua Schmidt: 3:14

Just remember, I am the producer. I have post-production editing powers. You're messing with the power here Just remember who holds the keys to the power here.

Eric Brown: 3:24

Yeah, just remember who holds the keys to the power here. Sorry, josh, I hope you're speaking Chinese here in a second.

Nick Mellem: 3:27

Before we jump into the whole other thing, before Tim, what is the thought process behind the FBI pushing this to the private sector? Is there a quick skinny that you can give the listeners and me why they would do that?

Tim Herman: 3:39

Sure. So the mission of InfraGard is to help protect our nation's critical infrastructure. So the basis is there are 16 areas of critical infrastructure, so IT being one of them transportation, energy dams, water treatment facilities, so this makes up several of those critical infrastructure sectors, up several of those critical infrastructure sectors. The reason the FBI gets brought in on investigations and things in the cyber attack world is because they're the ones that are hunting down the bad actors, and a lot of times they actually have the encryption keys from other investigations. So rather than paying a ransom, if you bring the FBI in, it's very possible that they might have the keys to unlock the kingdom as well. And so the FBI, they're not interested in your secret sauce, they just want to help in any way they can on that investigative side.

Joshua Schmidt: 4:43

Eric, can you speak a little bit about your experience working with Tim, or is there anything that we can't talk about there?

Eric Brown: 4:50

No, tim and I maybe it's been a little less than a year or so, but certainly have appreciated working with Tim and Tim's got a lot of great contacts in the industry. Tim's helped and maybe, tim this is a story you could tell around some of the what would we call it like the tabletop exercises that you've participated in cool stories there and just bringing together a great group of people in Minnesota that all care about information security, either at a conference or at the meetups that you do, and you do those meetups quarterly, is it Tim?

Tim Herman: 5:29

Yeah, five times a year actually, and the interesting thing about that is we just had our chapter meeting this last Monday and we had about 65 people that showed up. We're now meeting at Medtronic's headquarters. One of the cool things about that particular meeting is we brought in a speaker from the US Coast Guard that helped facilitate a tabletop exercise a few years back on the upper Mississippi River that engaged the City of St Paul Port Authority and the City of St Paul Emergency Management and a host of others, and so, if you want to get into that in more detail, I can share a little bit more about that as well.

Eric Brown: 6:12

Yes, definitely.

Nick Mellem: 6:13

I would love that.

Eric Brown: 6:14

I want to get into the details about where it was on my calendar, because it's not here.

Nick Mellem: 6:17

You need a new assistant.

Joshua Schmidt: 6:19

Yes, we definitely want to get into the tabletop exercises and some of the groundwork you've been doing, tim, but can you give us kind of just a general, you know, 30,000 foot view of like why tabletop exercises are so critical with the private sector and infrastructure, critical infrastructure?

Tim Herman: 6:36

So a few years ago I worked for an organization called Norwich University Applied Research Institutes and they actually were using Department of Homeland Security, science and Technology Directorate funding to develop an exercise platform to do tabletop exercises all throughout areas of that critical infrastructure.

Tim Herman: 6:55

And so when I was working for them is when I worked with the Coast Guard and helped kind of organize that exercise on the upper Mississippi River. But why tabletops are really important is most companies of a certain scale or a certain size have developed an incident response plan and, eric, I know that you work with companies on helping them create that incident response plan. It's great to have a plan but if you don't actually test the plan and exercise the plan, you don't really know how you're going to do in a real world incident. And so to you know, just like you know in the military does drills and drills and drills, you need to exercise and build that muscle memory so that you not only eliminate the silos between the different you know people that are that would need to be engaged in a real-world incident but you develop those relationships between each other so that again, when things go sideways, you're actually able to have that muscle memory and respond accordingly.

Nick Mellem: 8:01

I think a lot of times when we've been doing these exercises, a lot of people are scared to pull the hood up and see what could go wrong, when you know we should be practicing this so much we can't get it wrong. And when I was in the military I had a it was a sergeant at the time. He would always tell me tell us, the more you sweat in peace, the less you bleed in war, right? So if we continue to practice this day in and day out and help these organizations understand that we can be comfortable being uncomfortable to make sure we get these things right when it's a real life.

Tim Herman: 8:35

Well, and what I was always trying to share with folks when I'm kind of organizing a tabletop exercise is there's no right or wrong answer to going through an exercise. There's no bad way to do an exercise, or it's not about singling out people that did something wrong. It's really more about identifying where your gaps are so that you're not stuck winging it when you're in the middle of a crisis.

Joshua Schmidt: 9:06

In my line of work, tabletop exercises mean something completely different, but I'm curious have you worked with Eric on a tabletop exercise before together? Not yet, but we should. We need to. Yeah, that'd be fun. I know, Eric, you have some experience with tabletop as well. What does your experience look like working with organizations to run these kinds of exercises?

Eric Brown: 9:28

You know it's a time when you get the leaders of the organization in a room and they're not politicking or worried about their individual areas of responsibility.

Eric Brown: 9:42

So it's kind of a unique view where they come in and you know you have people from you could have leadership, overseeing HR or communications, and then you know the more tactical roles as well and you're going through essentially a role-playing scenario.

Eric Brown: 10:00

Right, an exercise Homeland security will come into organizations and help out with them. It's really a nice way to see how the organization works and it helps the organization understand what maybe some of the other roles that they may not see. Right, they may just see the security organization is pushing out these crazy phishing emails once a month, but then to actually see how the security organization works in real time and not in a real crisis, that there's stress. You know there is a little stress on the tabletop because you're like uncovering these gaps in the organization of like, oh well, you know he does get to push the button, which is something that Chris Gabbard, when he leads these from Homeland Security, it really drives the leaders to say who can make that call to take that production system offline. So it's just a great. You know, two hours to a half a day experience. We need more button pushers.

Tim Herman: 11:03

One of the things that was really cool about the exercise on the Mississippi River was when I first started working for this organization, the Nuwari Research Institute, I reached out to the St Paul Port Authority and you know, knowing that they run everything on the upper Mississippi River and then they said you know what you really need to talk to, the port operator and the person, the group that's actually moving all the barges around.

Tim Herman: 11:32

And so I met with them and right away he identified hey, tim, a couple of years ago we actually put in all new engines in our tugboats that are all remotely controlled, so our drivers don't even have to be on the boat. And so now we're moving, you know, eight or 12 barges around, you know, with a joystick. Essentially is we don't have a what-if plan for if somebody were to remotely hijack that and run it into another boat or into a bridge or the refinery down the river or whatever the case is. And so this exercise ended up turning into more of a workshop on identifying who needs to be involved in that scenario if something like that were to happen in the real world. The outcome of that is they've actually been able to continue doing exercises, and so I think they've done at least one or two additional exercises to be able to now exercise that incident response plan and still finding additional gaps and building that muscle memory.

Joshua Schmidt: 12:44

So did you do well at game night? Last time we had at IT Audit Labs, with this tactical kind of thinking Because I had to leave a little bit earlier and Eric was nice enough to text me the outcome of the game, but I think it was blood on the clock tower or something like that.

Tim Herman: 12:57

Yeah. Yeah, I was actually the demon in that one, and so I lived through it all.

Joshua Schmidt: 13:05

I just remember being slightly persecuted kind of not too much, unlike the beginning of this episode. I was kind of the patsy or the pariah of that game early on, but I think I was just a townsperson or something. It's always a poor Josh.

Nick Mellem: 13:23

Going back to the tabletop exercise with the letter agencies that Josh was talking about, I'm curious when you get all these big entities together, how you know let's say, you finish the tabletop exercise how do you you know, you find out uncover all these gaps, things that they're doing, right or wrong, things they could do better, how do you get all of them to marry together and listen and get on the same sheet of music and start to implement these things? Because I would assume, once you do it, the job's not done?

Tim Herman: 13:50

Right, absolutely so. Every exercise will finish up with what's called an after-action report and actually, right after the exercise is closed, you want to spend at least 30 minutes in what's called a hot wash where you're just, you know heat of the moment. What was your experience like? You know, what did you learn? You know, while you're just you know heat of the moment, what was your experience like? You know, what did you learn, you know, while you're still kind of amped up and you know, in that exercise mode, and then you, you know, spend the next couple of weeks drafting that after action report. And that's the how to, you know, to fix you know what we learned.

Tim Herman: 14:25

Doing one exercise isn't enough. You actually have to have an exercise program where you're doing, you know, exercises, maybe twice a year or quarterly, or you know, it depends on your business and how things change in your business. But you know there are some organizations that are doing it quarterly and some organizations that are doing it only every other year. And you know again, it just depends on the business. But but that exercise program really helps identify you know where. Again, it's a measuring stick. You're, you're, you're measuring how good we did, we do, in identifying additional gaps? Or how, how good did we do in in being ready and building that muscle memory?

Joshua Schmidt: 15:07

Eric, how have you seen this like shore up the security with the people that you've worked with when conducting tabletop exercises?

Eric Brown: 15:14

The thing that resonates most with me is you're able to show value and get some funding for information security programs and the outcome of this, because, going into it, some of the leadership doesn't quite really know what we do on a day-to-day basis. And then during the exercise, when you have multiple things going on and you're talking through those scenarios and they see how important information security is the next time the budget cycle rolls around, there's not as much pushback, right? Are we going to get new tables and chairs or are we going to invest in information security?

Joshua Schmidt: 15:53

The shipping on the Mississippi River, any other Tom Cruise worthy kind of incidents that we could go over, because we're all action junkies, we want to hear the good stuff.

Tim Herman: 16:05

Yeah, absolutely, you know. I'll give an example of we did. We did exercise with a couple of different airports around the US and the interesting part is that we learned is is every airport and this is not unlike other other businesses and other sectors but you know, every airport is in a different maturity level and so that exercise can go deeper, or it plays really basic or not basic, but more attuned to the people that are in the room. That might not be all your technical people, it might just be your leadership, it might be the CIO and the CISO and the CEO and you know kind of all that C-suite, but then also include legal and include, you know, the marketing person. You know that handles all the communications and when there is a real world scenario, you've got to be on your tippy toes. You know, ready to go, you know, because things can go even more sideways very quickly.

Nick Mellem: 17:10

One common trend that I feel like I'm always seeing is communication. But as soon as when things kick off and still part of communication everybody starts running into each other. It's like the Spider-Man meme. They're pointing at each other like I thought you were doing that. No, I thought you were doing that. So I think just getting everybody to slow down this is why we're training. So you know, take a breath, regroup for a second. Maybe it's still gonna be uncomfortable, really, no matter what right. So if we can get it from being like 75% clunky, let's get it down to like 20 or 30. We're more streamlined. You have a good basis to get you far down the track and then you know you can keep building on it. But the communication is usually the biggest piece, whether that's social media, the press, newsletters, whatever it is, how to communicate that and when.

Eric Brown: 17:58

You could take if you have a P2 or a P1 incident that's going on in an organization where you have multiple systems that are down or a critical system that's down and you're going through. You could even do it in the event of, say, a planned outage, a maintenance window. So your firewall is down and you have multiple teams testing. You have some people on the business side that are going to be involved in testing and then you have your central communication channel. You have your technical channel.

Eric Brown: 18:27

You could really run these as a tabletop exercise, do the hot wash after, talk about it and write it up, because I've been involved in a few of these recently where you know there's a scheduled outage window between you know a certain time and then the technical people are bothering the engineer who's hands-on configuring, say, the firewall Firewall's got to come up within an hour or we're going to be behind schedule and they're saying, can we test yet?

Eric Brown: 19:01

Can we test yet? Pinging him because they have a direct relationship with that engineer, versus leveraging the channel and the project manager who's coordinating that and will handle the communication, so being able to then go back to the organization and talk about it. Really, the tabletop exercises are more so aimed at the leadership level, but using a P1 or a P2 or even an outage window where you have engineers like that help desk person who's going to be taking those calls during the outage. Instead of escalating that to the engineers, they could just stop the communication right there. So, yes, we're in an outage window, we'll have communication for you at next time, versus then having to trouble the engineers with oh, is it going to be back up?

Tim Herman: 19:52

Yeah, that's totally true. One company that I was consulting with through my employer, they wanted to do two separate exercises one for the leadership to help identify where you know kind of, where gaps might be in the leadership, but then they wanted to do a technical exercise that focused on really okay, we know that if our systems get encrypted and locked in, we actually need to migrate other systems to the cloud, and you know, we need to make sure that that's going to be seamless, and so let's exercise that process so we're not having to, you know, like, do that in the real world. One of the things that I always would ask the people that I was working with on the client side is what are you really trying to accomplish? You know, rather than just saying, hey, we want to exercise a ransomware, you know, event, rather than just saying, hey, we want to exercise a ransomware event. My answer to that is why?

Tim Herman: 20:52

What is it that you really want to get out of that? Is that a concern of yours? Why is that a concern? What are those concerns? And really kind of dive deep into. Because when you're creating a scenario for an exercise, you want that scenario to actually be relevant and not too generic. That's just another layer that you need to be a part of.

Eric Brown: 21:18

Tim, I can't tell you how many organizations I've walked into and I've said are you backing up your M360 Vive environment? Yeah, oh no, we don't have to do that. Microsoft does that. What Right, Good luck. Yeah, oh no, we don't have to do that.

Tim Herman: 21:31

Microsoft does that.

Eric Brown: 21:32

What.

Nick Mellem: 21:32

Right, right.

Eric Brown: 21:32

Good luck. Yeah, what? Because if somebody fat fingers something, somebody maliciously deletes something, you're not getting it back, right the entire thread, all kinds of things. Microsoft is responsible at the zone level of you know, if they wipe something out, they're going to take care of getting it back, but they don't care about your data. That's your problem.

Tim Herman: 21:54

Well, the thing that we always tell people also and I'm sure that you've shared this with your clients and people that you work with is that make sure that your incident response plan is not on your same system, that you know on your hard drives or you know in the cloud because you know you should have a hard copy of it, because if it's encrypted you don't actually have a playbook then and you know if a bad actor is in your network, for you know three weeks, three months, you know three years before they actually decide to execute. You know said. You know said disruption. They actually have to execute said disruption. They actually have read through your incident response plan. They know who your insurance company is, they know who your legal law firm is, they know exactly where to hit you because they've read your incident response plan. So just having a plan isn't the ballgame. It's knowing how to use the plan and where things need to be put as well.

Nick Mellem: 22:53

That threat actor probably knows your incident response plan better than your organization. Yes, right right.

Eric Brown: 22:59

And having that back channel. If you're a team shop, you've got Slack as a channel or Discord some way to communicate if you can't get into your work systems.

Tim Herman: 23:09

Exactly.

Nick Mellem: 23:10

That is an interesting point, Eric. I don't think enough people are putting pressure on having another means of communication. They just think Teams is always going to be up or whatever. Whatever their means of communication will always be there, but having a secondary or tertiary to ensure communication, it's a big deal.

Eric Brown: 23:27

Sometimes that's fun to do too. You know, if you go into an organization you're doing a tabletop and they're a little bit. You know, maybe they've been through a few of these before and they're pretty good, they've got a good plan. Then you say, okay, well, now you can't use your cell phone, right. Something happened in the area. You got a regional disruption. Power towers are out right, like the AT&T issue. That happened like what two years ago, where cell phone coverage was disrupted because allegedly they messed up a DNS entry or something, whatever it was. But then you know, how are you going to get a hold of Nick, right? How are you going to get a hold of Tim or Josh If you can't call them? What are?

Nick Mellem: 24:05

you going to do we? Got to have everybody, everybody's got to go out and get their ham radio license.

Joshua Schmidt: 24:10

Or if I'm napping, for example.

Nick Mellem: 24:12

Right? Well, we can count on Josh being napping during this whole situation.

Eric Brown: 24:17

I turn my ringer off, do not disturb.

Joshua Schmidt: 24:20

He's asleep One o'clock on a Friday.

Nick Mellem: 24:24

He's doing some research on aliens or something.

Eric Brown: 24:26

Well, yeah, Tim, I tell you this dude, where's the?

Joshua Schmidt: 24:33

tinfoil Nick, we keep tinfoil hats on handy, Speaking of which we've got a tinfoil hat question.

Nick Mellem: 24:38

Production value here at IT.

Joshua Schmidt: 24:39

Outlands. Here's the tinfoil hat question of the day, tim. So a lot of planes have been going down helicopters lately. I mean, was it just a couple of years ago the Baltimore Bridge incident? Does this set off your spider senses at all? Do you feel like these could be cyber attack related, or at least some of them? Some of them are probably just user error, of course, but once again, this is a tinfoil hat question.

Tim Herman: 25:04

I cannot confirm or deny, no, not confirm or do not know. You know, I have to say honestly, anytime I hear that, oh, t-mobile is down again or some other, you know some other thing has a major outage in the back of my mind, I'm wondering, I wonder if it's some kind of a breach, some kind of a scenario that you know, or an incident, if you will, that might be going on and the thing is is you're not going to hear about it in the public, you know, for another six months, because they've got to do the forensics and they've got to do a bunch of things making sure that they're back up and running and they need to identify, you know, was their data lost, was data compromised, and and so you, and so there's just a whole lot of things that need to happen before you can share with the public. But, yeah, I would say that tinfoil hat, with things kind of going sideways, it is something that I'm thinking about.

Joshua Schmidt: 26:04

Yeah, Is that even a possibility to hack into an airplane or helicopter's system and control it? I mean, you said that it's possible for remote-controlled boats or barges right.

Tim Herman: 26:17

Well, how many drones do you think there are going around in the world? That's all remote-controlled.

Joshua Schmidt: 26:23

That's a great question.

Tim Herman: 26:24

Yeah, absolutely, I think it's possible.

Joshua Schmidt: 26:27

When there is a new threat that does pop up on our radar? How fast are we to incorporate these things into your tabletop exercises? Do you get your clients on the horn right away and set up a meeting, or do these things kind of depend on how the organization wants to prioritize this part of the security?

Tim Herman: 26:46

It's certainly something that you're aware of and you've got your client list. Say, if you're doing a virtual CISO with a healthcare client or with some kind of business in manufacturing and some new scenario comes up or comes to mind or something happens in the marketplace that is relevant, yeah, absolutely, you want to reach out to your clients and make sure that that's incorporated. Getting back to the exercises that we were doing with the short line and regional railroads, an interesting fact about that is there are 500 short line railroads in the United States and of those 500, probably 90% of them use the same piece of software to manage you know, not just you know kind of their operations, but manage the switching of the tracks. And so what happens if that software gets compromised? You essentially screech to a halt the entire transportation, rail transportation in the United States, and so you know how prepared are you for something like that to happen, and that was part of the scenario for those exercises.

Eric Brown: 27:57

We saw that with was it Maersk, with shipping, like back in 2017, 2018 with the worm, you know? And as we're talking through this, I'm reminded of the other day I was took a picture standing out my patio window looking into the backyard, and there's a. The backyard is there's a little bit of grass, and then it goes to these, these pine trees, and the pine trees are, let's say, maybe 30 to 40 feet tall. They're about you know they're. They're pretty mature, maybe 50, 40 years, and some of them have fallen over. We've had some removed. You know they died, cut them down, had them removed. But there was one that hadn't been removed. It still had some green on the top, but like you could see that the middle part was dead right, the bark was coming off of it and it was like oh, you know, we're moving here in a couple of weeks or a couple of months, Is this something we're going to deal with? Probably I will put we'll kick the can right. And there was.

Eric Brown: 29:00

We had a bad storm, I don't know, maybe two months ago, and that tree fell over and it snapped off maybe eight feet up and fortunately, the way it fell, it fell away from the house. So I took a picture of that because it's very for me it was very poignant of the conversations that we like to have with customers of if you work with us before you even build the house, we're going to tell you about your risk. You put a house there, you're going to have to deal with these trees. Unfortunately, we usually get brought in after the tree has already fallen over and done damage to the house, and now we've got a lot of cleanup to do. Right, you're going to be displaced, your pets could have got loose and just it's a whole mess. But it's a whole mess that could have been avoided.

Eric Brown: 29:49

So when, when maybe, you built the house there, you wanted the area, you understood the risk of the trees, you signed off on the risk. But now the trees are dying. You need to take care of that tree. That's a $500 to $800 problem if you take care of that tree before it falls. But if it falls and it's not 100% that it's going to hit the house, but there's a good chance it could that's a multi-thousand dollar problem. That's an insurance problem and it's in the tabletop exercises. I'm working with a client now. They're looking at building, doing some manufacturing in the United States and I'm thinking about, well, where should we put that manufacturing facility?

Eric Brown: 30:32

You know like we got to take into account transportation right, if it's on the coast, maybe it's easier to get to. But then there's also the component of if you put they're not talking about this, but let's say they are, you know, we're going to put manufacturing down in Florida somewhere, well, easy to get to from a flight, but that thing's going to be underwater. Thinking through these things early and having a tabletop, even maybe before you made a decision of like, hey, we're going to build an office building in XYZ location, folks like you know, tim and Nick and I, could come in and have the conversations around like, okay, are you near, you know an airport, or you know what are the weather patterns in that area? What are some of the things that you should really be mindful of? Right, are you putting it near a refinery? Well, what happens if that refinery has a spill? It may not impact you, but your workers may not be able to get to the office for a week until they clean that stuff up.

Joshua Schmidt: 31:32

So, to rephrase my previous question, I think what I was actually trying to get at you kind of uncovered here and Eric, I think what I was actually trying to get at you kind of uncovered here and Eric, I really liked your analogy with the trees. How do you plan for those X factors? Like you mentioned, tim, the pandemic wasn't on anyone's bingo card for 2020. How?

Tim Herman: 31:51

do you plan for those contingencies that you're kind of unseen. You really try to curveball as much of the unforeseens. Try to. You know, curveball as much of the uh, the the unforeseens. Um, you know, depending on the maturity of your organization, there are times where where we would actually uh in, in, inject, uh into the exercise some you know major curve ball that would actually stress your people out even more.

Tim Herman: 32:13

So not just that you are having this outage or downtime or whatever the scenario is, but now you've also got a strike happening at the same time. Or now you've got your principal person, the CISO, happens to be on a remote island somewhere, that his laptop got pop spilled on it and he, you know, doesn't have access to it. And you know, like, what happens in those kinds of real scenarios, because those things do happen. And so I think you know, just trying to be creative, you know people like Eric, people like the company I work for, it's really just trying to understand what all the possibles are. Trying to understand what all the possibles are. Then you can start thinking of the impossibles or the you know what are the things that you know just seem so unreal. Well, let's actually inject that into the exercise, just to see how people respond. And you know, are they ready for those? You know curveballs in the middle of a crisis.

Joshua Schmidt: 33:14

Do you fellows have anything else that you wanted to get in today? Or ask Tim about.

Eric Brown: 33:19

The only question I had, Tim, was how did I not know about Monday?

Tim Herman: 33:24

Maybe they ended up in your filter.

Eric Brown: 33:27

Man, I got to go back.

Tim Herman: 33:28

Too much security.

Joshua Schmidt: 33:31

Never too much security for the cyber attack cat here.

Tim Herman: 33:35

So next time in May, eric, we need to have you actually come and speak in May, on May 19th, and so that way you have to show up.

Eric Brown: 33:41

I gotta show up? I would love to. Yeah, let's do it.

Joshua Schmidt: 33:45

You just let me know, tim, I'll make sure it gets on the calendar. Yeah, may 19. All right, folks. Well, thanks so much for joining us today, tim. We've been listening to Tim Herman from InfraGard and joined by Eric Brown and Nick Mellon of IT Audit Labs. My name is Joshua Schmidt, co-host and producer. Here's our meme of the day, and thanks again for listening. Please tell your friends, subscribe and leave us a comment in the comment section on YouTube, or give us a review on Spotify, and we publish every other week on Monday. See you soon. You have been listening to the Audit presented by IT.

Eric Brown: 34:18

Audit Labs give us a review on Spotify and we publish every other week on Monday. We'll see you soon. You have been listening to the Audit presented by IT Audit Labs. We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact. Or our our security control assessments rank the level of maturity relative to the size of your organization, Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio video editor, Cameron Hill. No-transcript.