The UNSECURITY Podcast – Episode 34 Show Notes

Happy Friday!

2019 is almost half-gone. The midpoint is coming next Monday/Tuesday, and that’s crazy to me. Hard to believe that half the year is already gone, but holy cow it’s been a good first half!

Hope yours was too!

Lots of things happening as usual, but I’ll spare you the details and get right into this week’s show. My (Evan) show this week, so my notes. 😊


SHOW NOTES – Episode 34

Date: Monday, July 1st, 2019

Today’s Topics:

  • “Let’s get real”
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 34 of the UNSECURITY Podcast. Joining me is my right-hand man, Brad Nigh. Good afternoon Brad!

[Brad] Spews wisdom, the kind you can’t find anywhere else…

[Evan] If you were paying attention to the opening, you might have heard me say “afternoon”. That’s because we’re recording on Friday afternoon for Monday’s release. Both Brad and I will be out of the office next week doing some vactiony things. Right Brad?

[Brad] Spews more wisdom. He’s a wisdom spewer.

[Evan] Should we share our vacation plans or should we keep ‘em confidential? We tell others to keep vacation stuff non-public for privacy and safety reasons, so maybe we should follow suit. Whatya think?

[Brad] Brad confirms because of he’s like a wisdom volcano. Hot wisdom.

[Evan] So the last few weeks, we’ve talked about ransomware attacks.

A couple of weeks ago we talked about ASCO, the Belgian aircraft parts maker that was hit with ransomware and lost production for some undisclosed amount of time (globally, so likely lacking proper network segmentation/isolation as well as proper response processes). That news has sort of died out.

Last week we discussed the City of Riviera Beach and how their city council voted unanimously to pay the $600,000+ ransom. This one ticked me off. So, I wrote a blog post about it; DON’T SUCK – STOP PAYING RANSOMS.

We also talked about the fact that we’re not powerless to stop these things, so that prompted another blog post; ASK QUESTIONS – GET ANSWERS (HOPEFULLY). We discussed in reaching out to our local government officials in episode 33, so I gave instructions on how to do so (including an email template). Some people reached out to their local governments and shared their responses! To those who did this, kudos and thank you for making a difference.

Next, we read about another Florida city (Lake City) that voted to pay the ransom. Sunnuva!

So, what did I do? I wrote yet another blog post; CALL TO ACTION – DO SOMETHING ABOUT CIVIC RANSOMWARE. I also reached out to one of our local news stations. The declined the story. No skin off my back, but when are we going to get serious?!

My reply:

“OK. I’d expect the next one to hit within a week. Cities are under siege right now. Have a great weekend and 4th of July!”

All of this leads us to now. The good: there are good people who want to help. The bad: most don’t seem to give a rat.

My question for our discussion is:

Do people even want to be secure?

Open discussion.

[Evan] Good talk. Jason Dance, one of our loyal listeners had some good advice to share:

  1. The same things apply at schools. Reach out to schools and ask questions too.
  2. If you don’t get answers:
    • Ask during a town/city meeting.
    • File a FOIL for the specific information.
    • Ask by Facebook/Twitter/Other social media.

Awesome advice! Thank you, Jason.

We must get our sh_t together, or the pain will only get worse. Now for some news.

News

Just two quick stories today.

Closing

[Evan] That’s how it is! Thanks again to our listeners and thank you Brad (the wise)! Hope you have a wonderful week and a safe 4th of July. God bless America for crying out loud! Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.

CALL TO ACTION – Do Something About Civic Ransomware

Another city ransomware attack, another payment to the attackers. Another win for the bad guys, and another loss for the rest of us. The question is, are you going to do anything about it?

This time the news comes from Lake City, Florida. The 12,000+ citizens of the small(ish) northern Florida town will foot the 42 bitcoin (~$500,000) bill for the city’s poor preparation. Actually, insurance will cover the direct cost and the city only pays $10,000. Chalk up another loss up for U.S. cities (and their citizens). The money the attackers walk away with will most certainly be used to attack other victims, including other cities. Oh, and as far as insurance goes, we all pay a price in higher insurance premiums and limited coverage options. Insurance companies aren’t in the business of losing money.

The quote of the day; “I would’ve never dreamed this could’ve happened, especially in a small town like this” – Lake City Mayor Stephen Witt.

(BTW, I don’t view this as his fault. We, the information security community, obviously failed in reaching him with the message)

Additional details of this latest ransomware payment:

So, what are YOU going to do about this? Yes, you! When I refer to “you”, I’m referring to everyone/anyone, security people and non-security people alike. All of us are in this together.

Should we wait until your city gets hit, or maybe we believe in the false narrative that it will never happen to you/your city?

Will your mayor or local government official be quoted on the news, having “never dreamed” that such a thing could happen?

DO SOMETHING – START HERE

Earlier this week, I posted an article about an email that I was going to send to my city and county officials. I sent the emails a couple of days ago, but haven’t heard anything back yet. Not to worry, I’m determined (and so should you be).

One of the things I didn’t really expect was for people to follow my lead. It was impressive to read and hear about people who took this as a call to action. They’ve been inquiring of their local governments about ransomware protections too! That’s great news! So far, more than a dozen people have told me that they have written their city and/or county government. Some are even getting good responses back.

Here’s what I’m asking you to do:

  • If you haven’t emailed your city and county government officials (inquiring about their ransomware readiness), PLEASE DO IT.
  • If you’ve emailed your city and/or county government officials, but haven’t received a response within a few days. PLEASE EMAIL AGAIN. Stay engaged until you get an answer.
  • If you’ve emailed your city and/or county government officials, and have received a response PLEASE SEND THE RESPONSE TO US. You can send it to us through the UNSECURITY Podcast email address (unsecurity@protonmail.com).
  • No matter what you do, please follow these rules:
    • DO – Always be courteous.
    • DO – Always be respectful.
    • DO – Help if you can.
    • DO – Remember the goal, we are trying to help and we are trying to prevent more occurrences of the Atlanta, Baltimore, Riviera Beach, and now Lake City ransomware events.
    • DO – Ask us questions and make suggestions (unsecurity@protonmail.com).
    • DON’T – Try to answer questions that you don’t feel (or know you’re not) qualified to answer. Email unsecurity@protonmail.com, and we’ll find a good resource/answer for you.
    • DON’T – Use threatening language or insinuate threats of any kind.

EMAIL TEMPLATE

Feel free to use this sample email template that I used or create your own.

———-START EMAIL———-

Dear <INSERT NAME>,

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you.

How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack?

I ask you because there have been a rash of ransomware attacks that have hit city governments recently. The most current ones being the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/), the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers), and Lake City, Florida (https://www.cbsnews.com/news/ransomware-attack-lake-city-florida-pay-hackers-ransom-computer-systems-after-riviera-beach/). I hope we’ve planned well and will not pay a ransom (even through insurance) if/when an attack was to occur. Rather than reacting for such an occurrence, I’m hoping that our <CITY/COUNTY> has planned ahead.

Although I work in the information security field, I have no interest in selling anything. I’m just a concerned/interested citizen. If I can help, I will.

Thank you for making <CITY/COUNTY> a great place to live!

Respectfully,

-<YOURNAME>

———-END EMAIL———-

Let’s make this a way we can start fighting back against criminals who are fleecing our cities and our friends. This is only the start. Next steps come after getting responses.

Again, we are all in this together. Please be helpful, respectful, and courteous.

 

Ask Questions – Get Answers (hopefully)

Yesterday I wrote a pointed blog post about ransomware (Don’t Suck – Stop Paying Ransoms) and how it ticks me off when people pay a ransom to an attacker. This morning we recorded episode 33 of the UNSECURITY Podcast about the same subject. During the discussion with Brad on the show, I made the comment that I was going to email my local government officials to inquire about how they will avoid the same mistakes that the City of Baltimore and the City of Riviera Beach made.

Here’s the email that I wrote. I encourage you to write your local government officials too. Accountability is good for everyone.

I sent this email to my City Administrator and the County Administrator where I live.

———-START EMAIL———-

Dear <INSERT NAME>,

Hope you are well.

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you. How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack? I ask because there have been a rash of ransomware attacks that have hit city government recently. The most current ones being the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/) and the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers). As a citizen, I hope we’ve planned well and will not pay a ransom if/when an attack was to occur. Although I work in the information security field, I have no interest in selling anything. Just a concerned/interested citizen is all.

Thank you for making <CITY/COUNTY> a great place to live!

-Evan Francen

———-END EMAIL———-

I’m sharing this because I hope it will motivate you to do the same thing in your city and/or county. Please be helpful, respectful, and courteous. Once I get an answer back, I will probably offer free help. We’ll see.

The UNSECURITY Podcast – Episode 33 Show Notes

Brad is leading this week’s show, but it’s NOT his fault that I didn’t get the show notes posted until now (Sunday).

As always, I hope everyone/anyone reading this had a great week last week. I believe that every week holds something special if you look for it with the right frame of mind.

I got back to writing the 2nd book last week, finally. I’m behind on getting this thing done. In case you didn’t know, I’m in the middle of writing a 2nd book right now. This book is “information security for normal people” for lack of a better title. I’m excited and happy to be back working on it again.

Lots of other cool things last week too. I’ll just pick two for now:

  1. Managers were in town last week for their quarterly strategy meetings. I don’t really participate in the meetings, but I do get to see the people who come in from out of town! Seeing Oscar Minks (Director of Technical Services from Kentucky) and Tyler Briggs (Project Management Team Lead from Florida) is always awesome!
  2. We secured two panelists for the upcoming Hacks & Hops event on September 19th. The event is titled “BREACHED! What to Do When Your Defenses Fail“. Seriously, check this out! Mark Lanterman (Chief Technology Officer of Computer Forensic Services) and Chris Roberts (Chief Security Strategist for Attivo, Advisor for Cympire, OverWatchID, HHS and others…) will both be on the panel! So friggin’ pumped about this. These guys are the real deal and it’s an honor to be on the same stage with them.

If you don’t have tickets already for Hacks & Hops, you better get them soon. This thing is definitely going to sell out! Watch for more announcements soon.

OK, that’s enough. I need to get to it. Here are Brad’s show notes!


SHOW NOTES – Episode 33

Date: Monday, June 24th, 2019

Today’s Topics:

  • More Ransomware – City Riviera Beach
  • News

[Brad] Good morning! This is Brad Nigh, and this is episode 33 of the UNSECURITY Podcast. I actually did my part and got show notes prepped and ready this week.  With me as usual is Evan Francen, good morning Evan.

[Evan] Says Evan things

[Brad] I had our offsite VTO last week which is also so amazing.  It is recharging despite being a lot of work, if that makes sense.  I’m also wrapping up the IR I had, but we had yet another one come in last week, this one was a web app that a client found a vulnerability in (the exposed the DB to the internet, not just the app, among other things).  So with that lead in,  How was your week last week Evan?

[Evan] Starts getting riled up

[Brad] This week we are jumping right in to the discussion because this is a topic we are both very passionate about and want to spend some time discussing.  We are going to talk about the Riviera Beach City Ransomware incident today.

Open discussion about the Riviera Beach City Ransomware

Reference Riviera Beach City ransomware articles:

[Brad] I didn’t do a lot of extra news stories this week but I wanted to include these two because of their relevance to our topic today.

News

Closing

[Brad] That’s a wrap! Thanks again to our listeners, and thank you Evan! Let’s go have a great week! Don’t forget, you can follow me or Evan on Twitter; @BradNigh is me, and Evan’s at @evanfrancen. Email us on the show at unsecurity@protonmail.com.

Don’t Suck – STOP Paying Ransoms

So, in case you haven’t heard, we have this problem. Yeah, there’s this thing called ransomware, and it’s sort of all over the news.

    • Colorado-based NEO Urology paid a $75,000 ransom
    • Colorado-based Estes Park Health (EPH) – they had an incident response plan, but the insurance company paid the ransom. EPH paid the $10,000 insurance deductible for their ransom payment, but it’s not known how much the attacker’s ransom was.
    • Boston-based ResiDex Software – the ransomware attack was discovered on April 9th but was only disclosed this past week. ResiDex appears to have restored their systems from backup, not paying the ransom.
    • New York-based Olean Medical Group – they were hit this past week, and it appears they won’t pay the ransom. According to news reports “Olean plans to begin setting up a new system and will work to regain the encrypted records to populate a new computer system, helped by partner healthcare providers.
    • Seneca Nation Health System – calls their attack a “computer system failure” (the computer system wasn’t what failed, just sayin’). Not sure if there are plans to pay, but the CEO says “We are working feverishly to rebuild our system”.
    • California-based Shingle Springs Health and Wellness Center (SSHWC) – reported that their ransomware attack affects all 21,513 patients, but I don’t think they’re planning to pay the ransom. SSHWC is working to restore their systems by installing new servers and putting workstation upgrades on a “fast track”.

Then there’s this particular attack and response that caught my attention this past week.

The Riviera Beach City Council voted unanimously this week to pay the 65 bitcoin (more than $600,000) ransom.

At what point do we say enough is enough? What’s your excuse for not preparing or planning for a ransomware attack? It’s not like you don’t know that they’re a problem.

What would be your acceptable excuse for not planning for a ransomware attack?

Simple answer. There is no valid excuse. Stop looking for one and stop making sh_t up. If you’re offended, maybe that’s good. It’s the truth. You might have all sorts of excuses that you think are legitimate, but they’re all BS. You’ve run out of excuses. Regardless of being legitimate or not, here are some common ones that people try to pass off:

  1. Management support – you couldn’t get management to “buy in” and do the right thing. Sorry, not a valid excuse. Part of your job is to get management buy in, and you failed. If management has their heads so far up their @55, you should find another place to work where they will champion security. To management – get your head out of your @55, you’re not helping your company, your customers, your partners, or anyone else.
  2. Priorities – you have so much stuff on your plate, that you couldn’t get around to protecting yourself from ransomware. Hard to fathom how good information stewardship isn’t a top priority. I know you might have a thousand other things too, but ransomware protection should be near the top. If it isn’t, revisit your priorities and get to it.
  3. We don’t know how to protect ourselves – take the Ransomware Readiness Assessment that I mention at the end of this post/article or read some self-help articles online (there are hundreds of them).
  4. We have insurance – good for you. That’s probably prudent, but it will never make up for your lack of stewardship. When your insurance company pays, we all pay. Insurance companies aren’t in the business of losing money, so they’ll just jack up the rates and everyone will pay more. Simple economics, right?
  5. You need help – don’t we all? This isn’t as much of an excuse as it is an admission. It’s an excuse if you don’t do anything about it. There are hundreds of online articles full of good advice, and there are probably hundreds (if not thousands) of security professionals that would love to help. Heck, I’m not writing this article for my health. If anything, it’s probably bad for my health (you know, blood pressure and stuff).

Choices

If you get hit with ransomware, you have one of five choices:

  1. Take your chances by paying the ransom. This is a terrible choice (read below), but it is a choice nonetheless.
  2. Don’t pay the ransom and follow a planned and tested incident response process. Your incident response process should include investigation (looking for the source), containment, and mitigation (at a minimum).
  3. Don’t pay the ransom and struggle mightily because you didn’t plan well. Think Baltimore, Atlanta, and hundreds of other organizations that paid hundreds of thousands (or millions) of dollars in attempted recovery operations.
  4. Start over. Only differs from the previous choice because recovery efforts, in terms of data recovery, are no longer on the table.
  5. Shut down operations. Sadly, I’ve seen this more than once, and once was too many times.

There is only one good option among the five. That’s option #2, don’t pay because you can recover. You planned, you’re a good steward of the information entrusted to you (at least in this respect), and you serve your organization well.

The other four options are bad ones, but if you didn’t plan well, option #2 is off the table anyway.

The first option was the only one that considered paying the ransom, while the other four options did not. So, if you didn’t plan well, you must decide whether to pay the ransom or not.

Not paying the ransom

You either prepared well, or you didn’t.

  • If you did, then kudos to you. You’re more likely to be back up and running within a relatively short period, and your organization owes you a big debt of gratitude.
  • If you didn’t, you’re in for a doozy of a response. Get out your checkbook, because it’s probably going to get expensive. It might be so expensive, in fact, that your organization may not survive the ordeal.

The key is planning well! If you didn’t properly protect your data (air-gapped/offline backups, prudent access control, etc.), and if you didn’t plan, you’re a poor steward of the information that’s been entrusted to you. You should slap yourself (hard), update your resume, and maybe find another line of work. People have suffered and/or will suffer because of your poor choices.

Paying the ransom

If you planned (or think you planned), and pay the ransom anyway, take Estes Park Health (noted above) for instance, they claimed to have “incident response program”, but paid the ransom anyway (or their insurance company did).

What’s wrong with this picture?!

Maybe they thought they had planned but didn’t, or the maybe the plan just sucked. If you didn’t plan, or you didn’t plan well, you find yourself in a pickle.

We cited two examples earlier where the organization paid the ransom; Estes Park Health (EPH) and the City of Riviera Beach (FL). It appears from the news reports that one of the two might have had a choice in paying, while the other one did not appear to have a choice.

Estes Park Health (EPH) – the organization was hit by a ransomware attack on June 2nd. According to their own investigation, there was no data exfiltrated (common). The source of the attack wasn’t disclosed, but it was discovered (allegedly) when an on-call IT technician logged in from home and noticed files encrypting live, while he/she was on the system.

Sounds like just about everything was locked down; phones, network access, imaging files, etc. According to one news report, EPH had an “incident response program”, but determined at some point “the only way to restore the software in the clinic and the only way we were able to restore the imaging and so forth is because our insurance company paid the ransom money and we were able to get the keys to unlock those files.

No other significant details are available, like the type of ransomware used, how the ransomware got in, how much was paid, or what the “incident response program” called for. Two things are certain:

  1. The “incident response program” sucked.
  2. The criminals won.

Not only did the insurance company pay the ransom, they paid two ransoms! The insurance company paid two separate ransoms, as EPH discovered more locked files when decrypting its systems.

Riviera Beach City Council – on June 20th, it was reported that the Riviera Beach City Council voted unanimously to award attackers more than $600,000 for the privilege of accessing their own files. Attackers had broken in three weeks prior, and at some point, locked things up. The attackers held all/most of/some of the data entrusted to the city for ransom. Like most cases, the city had been working with “security consultants”, and it was determined the only way to decrypt the information was to pay the ransom.

The attack began on May 29th, when an employee at the Riviera Beach police department opened a malicious email. Initially, the city council decided to not pay the ransom, but due to the difficulties in restoring the operations, they eventually opted to pay.

Interesting isn’t it? By proxy, it’s the police paying criminals. Supposedly, the payment is being covered by insurance, but so what?

If you pay the ransom, you suck

People don’t like to be told that they suck, because it sucks to suck. Maybe not sucking will motivate you to change some things and be better.

There are at least four reasons why paying a ransom pisses me off, and why it should piss you off too:

  1. You fund future attacks (against me and my friends). What do you think the attackers will do with the money they collect from you? They’ll take some for their own enjoyment, then they’ll funnel the rest into making their future attacks more effective. If you don’t pay, they have no money. Simple, right? If you think this is only about you, you’re selfish. Selfish people suck.
  2. It shows that you’re not a good steward. Somebody entrusted you with information, and they deserve better. The information (in most cases) isn’t yours, it belongs to someone else. If you can’t take good care of it, you shouldn’t have it. If you need it to run your business, then maybe you shouldn’t be in business.
  3. Attackers win. You might not be as competitive as I am, but you have to admit that it sucks when some jerk beats you at something. If the game was fair and you lost to a good person in a straight-up competition (like chess with a buddy), that wouldn’t be so bad. Here, you lost to a straight up jerk face and there’ll be no gentlemanly handshake at the end. You got taken and you’ll have to just suck it up (or just suck).
  4. Money that can’t be used for good. Every dollar we spend on information security is precious. Businesses are in business to make money and/or serve a mission. Money diverted from either one of these two purposes, takes away from your ability to succeed. What could the City of Riviera Beach have done with the $600,000+ if it were spent on something worthwhile. Wouldn’t the taxpayers rather have a nice new community pool, better streets, a few more safety personnel, etc.? Nope.

There are more reasons why we don’t pay ransoms, see what you can come up with yourself.

Now what?

Get to work. Do what you can to protect your organization from a ransomware attack and plan for one if (when) it were to occur.

Don’t know where to start?

Try our free S2SCORE Ransomware Readiness Assessment

There aren’t any strings attached, there isn’t any registration required, and it’s freely distributable through a Creative Commons License (so, share it too!). I whipped this thing up in early 2017 for a bank customer then forgot I had it.

Are there other obstacles in your way?

Identify the obstacles and figure out how to remove them, go around them, go under them, etc.

Need help?

Reach out to any number of us information security people. Many of us will help you, including myself.

Moral of the story is 1) prepare and plan, 2) DO NOT pay ransoms, and 3) we’re all in this together. Good luck!

The UNSECURITY Podcast – Episode 32 Show Notes

Heyo! It’s Friday again. Actually, it’s Sunday because I’m late. Oh well.

I/we (speaking for Brad too) hope you had a great week!

It was another crazy, but awesome week around here (@FRSecure and @SecurityStudio). Let’s see if I can give you a quick recap without boring you to death. I kid, you won’t actually die.

Monday – Meeting day. Monday’s are always meeting days at the office. The good; we all get to see each other and catchup with life. The bad; meetings. Who likes meetings? In our case, the good FAR outweighs the bad, and I’ll take it!

Tuesday – The highlight of Tuesday was attending the Star Tribune Minnesota 150 Top Workplaces luncheon. CONGRATS FRSecure! Several of us were able to attend the event. Check out the pictures!

This slideshow requires JavaScript.

I LOVE working with the people at FRSecure and SecurityStudio. It’s a great honor and privilege. Brad wasn’t there, even though he’s a tremendous part of our success. He was back at the office working on another IR.

Wednesday – A focus day. A focus day consists of focus time. Everyone needs focus time on a periodic/regular basis. It’s healthy. In the evening, we celebrated the end of the 2019 CISSP Mentor Program by hosting a free BBQ dinner for all local students. The 2019 CISSP Mentor Program was an amazing success; this new crop of information security pros is going to be great!

One of the students already passed his CISSP exam!

Thursday – Led a client’s first incident response tabletop exercise (ever) with FRSecure’s very own vCISO Team Lead, Megan Larkins. Occasionally I get the opportunity to work on something with one of FRSecure’s analysts, and it’s always a great experience for me. The client seemed to like it too!

Here’s a quote from the client’s email to us late Thursday/early Friday:

Hello Evan and Megan,

Thank you, the time you spent with us yesterday was exceptional. I felt a lot was accomplished and everyone was appreciative of your ability to teach without judgment. %COMPANY%  has a way to go but with great vendors like FRSecure, the path forward isn’t as difficult.”

Megan and I had a great time! Quick side note, for lunch we went to the place called D-Spot. It’s a place that’s known for their wings, and there are 50 or so different flavors to choose from. Here’s some of their flavors:

  • Ben Grimm
  • Kamikaze
  • War Machine
  • Widow Maker
  • Iron Maiden
  • Goat’s Blood
  • Tarantula
  • Incredible Hulk
  • El Loco
  • Rougarou

I went with something named “Brimstone”. I like hot stuff. I really like really hot stuff.

Took a bite. It started out sweet, then wait for it…

HOLY HELL WHAT IS HAPPENING TO MY TONGUE?!

WHY ARE MY EYES SWEATING?!

IS THAT A CRAMP IN MY ESOPHAGUS?! WHAT THE HELL IS A CRAMP IN MY ESOPHAGUS?!

JESUS, IS THAT YOU? ARE YOU MAD AT ME? I’M SORRY.

Poor Megan watched me progress from happy to concerned to sadness to panic to blackout and back. She looked genuinely concerned for my well being, but I came back to reality after a bit.

Only three more wings to go…

 

Needless to say, I finished all four of these death morsels from the center of the earth. Paid up front and paid again at about 8pm that night (no details available). My wife tells me, “you’re such a smart guy, so why do you do such obviously dumb things?”

She’s got a point.

Friday – Got the email above on Friday. Friday was another good day. Started with a ride, then a strategy meeting, the weekly FRSecure BBQ, and FRSecure Hawaiian shirt day.

The ride

Hawaiian shirt day

This slideshow requires JavaScript.

Seriously, what’s not to love about all this. We do security, sure, but what good is security without life? Do life first!

Crap, almost forgot about the show notes…


SHOW NOTES – Episode 32

Date: Monday, June 17th, 2019

Brad’s busy. Like, really busy. He’s been tied up all week working on an incident response (IR), so my notes (Evan).

Today’s Topics:

  • Security standards
  • ASCO Ransomware
  • News

[Evan] Happy Monday! This is Evan Francen, and this is episode 32 of the UNSECURITY Podcast. Brad was supposed to lead today’s show, but he’s been tied up with incident response work. Ain’t that right Brad?

[Brad] Queue Brad.

[Evan] We’ve got a good show planned for you today, so let’s get to it.

[Brad] Queue Brad (again).

[Evan] I had some good thinking time this weekend. One of the things that I was thinking about was the use of standards in our industry. There’s a boatload of them. ISO, COBIT, NIST SPs, etc. What do we use standards for?

[Brad] Queue Brad (again).

Open discussion about information security standards.

[Evan] We got an email from one of our listeners this past week that I’d like to talk about.

Hey Evan and Brad,

I have been a listener from the beginning of your podcast and just came across this news item from my home country:

https://www.helpnetsecurity.com/2019/06/13/asco-ransomware-attack/

To me this is weird, the HR manager being the PR person after a big cyber incident? I did a quick look on linkedin but could not find anyone in the company with “security” in their title.

Next thing: I look into the profile of the IT director, since security is sometimes put under IT. But on his profile I can not see any “indicators” that this guy might have any security qualifications or experience in the field.

So this company has have to give all 1500 employees “technical unemployment” and keep extending the end date of this unemployment.

They don’t really communicate on what actually happened, they don’t talk about ransomware either.

At this moment I am pretty confident that my incident response plan is way better than theirs, and we are a small non-profit media company with about 100 employees.

Open discussion about the what we know about the ASCO ransomware attack.

[Evan] BIG thank you to our listeners, and this one in particular. Good talk. Let’s get to some news.

News

Closing

[Evan] That’s a wrap! Thanks again to our listeners, and thank you Brad! Let’s go have a great week! Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com.

The UNSECURITY Podcast – Episode 31 Show Notes

Another week is in the books. Is it really true that the older you get, the faster time goes? God, it seems like it.

It was another great week, and there are so many things to be grateful for. FRSecure is cranking away at the mission (to fix the broken industry), and SecurityStudio is kicking tail too! I can only begin to tell you how awesome it is to work with the best information security people in the industry. When I say “best”, I mean the best in terms of quality of character. I LOVE these guys! They won’t brag about themselves, but I’ll brag all day about them. Crazy cool.

Some things going on at FRSecure:

  • Just finished the 10th annual CISSP Mentor Program. We had 500+ registered students at the beginning, and ended with a lot less than that. Some of it is attributed to normal attrition, and some of it is attributed to the quality of the instructors. 😉 The last event is Wednesday; Brad and I are BBQing for the students who can make it to our office in person. Come out and grab some good BBQ on Wednesday at 6pm!
  • We’re putting together our next Hacks & Hops event, actually our superstar marketing folks are. The next event is titled “BREACHED! WHAT TO DO WHEN YOUR DEFENSES FAIL” and it’s slated for September 19th at US Bank Stadium; not the whole stadium, a big meeting room inside the stadium (that would be nuts). We’re working on putting together an all-star panel for you, and there will be beer (lots for those who like lots). Mark you calendars now, and watch for the sign-up. It will sell out fast.
  • We’re hiring again! We’re sort of always hiring, I think. Anyway, the bar is high in terms of integrity, but we’ll learn all sorts of cool things together. Check out our positions, and apply. We like people and stuff! We have six (6) open positions at present, so if you know someone, send them our way!
  • Personally, I had some great meetings this week! The people in this industry are fascinating. Some highlights include the following… Had coffee with Matt Stellmacher on Monday. If you’re in this market, in Minnesota, you gotta know who Matt is! He’s a partner at White Oak Security, and an all around great guy. Had a great meeting with Jim O’Conner on Wednesday. Jim is Cargill’s CISO, and he’s a great guy with a TON of security wisdom. I spent most of the time listening intently to what he had to share. Had lunch with Red Team Security‘s CEO Ryan Manship on Thursday. Our hearts are aligned on some things in this industry.
  • Gave a talk at an event put on by Top Dog PC Services at Summit Brewery. Had a blast making a few new friends and giving away some more books. They recorded some of my talk and posted in online here. The audio and video quality are a little (or a lot) off, but somehow they made me seem like I made sense.
  • The icing on the cake came on Friday (today). Went to BrrCon. This was the best conference that I’d been to in a very long time. Ran into 10(ish) friends, talked to Dave Kennedy and spent a little time with Chris Roberts. These are two of my favorite influential people in our industry. It was a GREAT day!

Some of the things going on at SecurityStudio:

  • We’re finalizing our Board of Directors! In full transparency, this is the first board that I’ve ever put together, and I have (almost) no idea what I’m doing. Thank God for SecurityStudio’s president (James Williams) who’s put together awesome boards before. Also, thank God for the directors who have agreed to participate! Finishing touches are being worked on now, and an announcement is coming soon!
  • At SecurityStudio, we’re all about inclusion and integration. We met with the fine folks from Quill Security Technology this week, and they’ve got some VERY cool stuff! I’ve never seen a better physical security risk assessment methodology or tool than the one these guys have built. You know what they (or I) say, “nobody cares about your firewall when someone steals your server.” How about, “nobody cares about your firewall when someone is assaulted”? Good people over there and I’m sure we’ll figure out a way to integrate what each of us does well!
  • Lot’s a very cool development stuff and marketing stuff being done. You’ll hear more about this soon too!

Oh yeah, I met Betty this week. We met on Tuesday and she’s mine now.

Well, it was one helluva week!

Alright, now onto the show notes…


SHOW NOTES – Episode 31

Date: Monday, June 10th, 2019

This is Evan’s turn to lead the show, and these are my notes.

Today’s Topics:

  • Solutions, not sales.
  • Important lessons this week.
  • News

[Evan] Hey, good morning. Today is Monday, June 10th, and this is episode 31 of the Unsecurity Podcast. This voice you hear is Evan Francen and joining me as usual is my co-worker and more importantly good friend Brad Nigh. Good morning Brad.

[Brad] Queue Brad.

[Evan] Brad, it’s good to hang out with you man. 

[Brad] Queue Brad (again).

[Evan] Can you believe that this is episode 31 already? Seems like episode one was only a few weeks ago, and here we are. We’ve learned a lot since the first show, eh?

[Brad] Queue Brad (again).

[Evan] How was your week last week? Tell us about some of the highlights?

[Brad] Queue Brad (again).

[Evan] Mine was awesome and nuts at the same time (read above).

[Brad] Queue Brad (again).

[Evan] I had one experience last week that I wanted to talk with you about. I was with a couple of sales guys from a VAR…

Open discussion about “solutions not sales”

This topic is sure to raise the blood pressure of both Brad and I. It will be a great discussion!

[Evan] You and I have been in this industry a long time. Between the two of us, we have 40 something years under our belt, but one thing I know, and I think you’ll agree with me, is that we NEVER stop learning. So, last week was full of good stuff. Give us one thing that you learned last week Brad, then I’ll go.

[Brad] Queue Brad (again).

Open discussion about “important lessons from last week”

[Evan] Alright man, good things! Let’s wrap up with some newsy stuff. Just four stories to share quick.

News

Closing

[Evan] Nice talk Brad! Let’s see if we have another week like the last. Hope everyone listening has a great week. Stay safe and stay healthy. Thank you Brad. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen and @BradNigh. Email us on the show at unsecurity@protonmail.com. That’s a wrap!

Denver ISSA Incident Management Workshop Recap

Finally. I’m finally getting around to posting about this event. The fine folks of the Denver ISSA chapter invited me to speak at their chapter event on May 23rd. The event was a three-hour incident management workshop (titled Incident Management – Panic or Plan).

‘Wait! What?! Three hours?!

Yes. These poor folks endured three hours of my preaching. Read on…

About Denver ISSA

The Denver ISSA Chapter is the largest chapter in the world with more than 800 members. I’ve attended numerous ISSA chapter events over the years, and the Denver ISSA Chapter is one of the best! Read about the Denver ISSA Chapter here.

I spent some time with James Johnson, the Chapter President, and Shannon Welton, the Chapter Training Coordinator while I was there, and they are both top notch! Seriously. They’re good, and it was great conversation (for me anyway).

Can’t say enough good things about Denver ISSA. Loved every minute I spent there.

About the Workshop

Shannon Welton was my primary contact for the workshop. She’s a pleasure to work with. I was given liberty to create and present whatever content I wanted to, and she made sure I had everything I needed at every step of the way.

Flight in the morning from Minneapolis to Denver. Grabbed a Lyft. Made the trip from the airport to Maggiano’s Little Italy (16th St Mall). Lunch started at noon, and I got there at 12:05. Not bad. 😉

From the moment I arrived, I felt welcomed. There seemed to be ~100 people there, and they were all engaging. They showed genuine interested in each other and it felt good to be there. Lunch ran from noon til 12:45, at which time Shannon kicked off the workshop with an introduction. When she introduced me, she asked if anyone had heard of me. Funny! Only one person raised their hand.

After three hours together, they’ll all have heard of me now!

I’m the sort of guy that could talk for three days about information security (and incident management), so three hours wasn’t going to be a problem for me. The challenge is/was keeping people engaged for three hours.

Here’s the learning objectives.

Here’s the agenda.

I used two things to keep people awake; a 15-minute break at 2:15 and Dad jokes. We made it through to 4:00pm, and the group was very engaged. More than I expected. There were great questions, good eye contact, and I felt as though we all got something from the experience together.

Workshop Content

Get it here.

  • ISSA-Denver_PanicOrPlan-052319.pdf, the slide deck.
  • CSIR-Maturity-assessment-tool_Info1.pdf, the CREST Cyber Security Incident Response Maturity Assessment Tool introduction document.
  • Maturity-Assessment-Tool.xlsm, CREST Cyber Security Incident Response Maturity Assessment Tool (Summary).
  • Maturity-Assessment-Tool_Detailed.xlsm, CREST Cyber Security Incident Response Maturity Assessment Tool (Detailed)
  • ISSA-SAMPLE_Incident_Log&Categorization_Tool.xlsx, the FRSecure basic information security incident logging and categorization workbook.
  • ISSA-SAMPLE_Security_Incident_Response_Plan-052319.docx, the FRSecure basic incident management/response plan template.

Summary

The Denver ISSA is awesome! If I lived in Denver, I’d be at every event. If you live in Denver, you should go to every event. Seriously, get there.

A dozen of so people came up to speak with me after the workshop. More great questions and some great connections. I felt bad that I had to run shortly after the workshop in order to catch my plane back to Minneapolis. Next time (if/when there is one), I will stay longer.

Presenting this workshop was a real privilege, and I’d go back anytime.

P.S. Another example of their awesomeness; I received a beautiful “thank you” gift basket at my office from these guys. Too cool!

The UNSECURITY Podcast – Episode 30 Show Notes

Happy Sunday! That’s right, it’s Sunday. I’m late getting our show notes posted (again).

Hope you are having a great weekend. Last week’s show (episode 29) was posted on Memorial Day. I hope you took a moment to remember the men and women who made the ultimate sacrifice for our country and our freedom. That’s what Memorial Day is all about.

Our show last week was a new thing for us. We recorded and intro, listened to L0pht’s Capitol Hill testimony from May 19th 1998, and recorded a short close. I like to listen to this recording once each year as a reminder of where we came from and to help keep me grounded. It’s good stuff!

Last week was a short one, but it was busy. Spent a couple of days with some awesome people in Montvale, NJ before returning home for a full-day offsite strategy meeting (with the FRSecure executive leadership team). Friday was full of meetings, but much more low-key.

Yesterday (Saturday) was a no work day. Do you have a day that you’ve set aside for no work? Part of keeping balance in my life is to not work (at all) on Saturdays. I’ve compromised on this rule too many times in the past few months, and I’m actually a little ashamed about it. No more! Saturday’s are back to off limits. Today’s Sunday. 😉

What’s up this week? Brad’s leading the Unsecurity podcast, and he’s got some good things planned for us to talk about. These are his show notes.


SHOW NOTES – Episode 30

Date: Monday, June 3rd, 2019

Evan would have been on time but I got caught up with some IR work that totally threw off my Thursday and Friday, so show notes are coming out on Saturday (turned out to be Sunday).

Today’s Topics:

  • Incident Response
  • News

[Brad] Good morning, today is June 3rd (How is it already June?!?!) and it’s time for another episode of the Unsecurity podcast. I’m Brad Nigh and I will be hosting this week. With me again is Evan Francen, good morning Evan.

[Evan] Talks about something fun he did over the weekend. – (Added by Evan: not really. I cleaned gutters, stained my fence, did some landscaping, and mowed the lawn).

[Brad] Okay so a couple weeks ago you were at the Denver ISSA and did a workshop titled “Incident Management – Panic or Plan”. Let’s talk about that a little bit…

Open discussion around the IR workshop and IR in general

[Brad] There is so much around IR that people still struggle with, hopefully this discussion helped clear things up a bit. Let’s hit some news stories real quick.

News

Closing

[Brad] Alright, another good show. We could talk about incident response every week and never run out of material. Lots of news and lots to do. Thank you Evan. Don’t forget, you can follow me or Evan on Twitter; @BradNigh and @evanfrancen. Email us on the show at unsecurity@protonmail.com. That’s a wrap! Have a great week.