The UNSECURITY Podcast – Episode 38 Show Notes

YES! I’m on time again. If I get good at this, I won’t need to make this comment anymore. Odds of that?

As usual, I’ll give a quick review of the week, then we’ll jump right into the show notes.

It was another good and productive week. Gooder and more productiver than I probably deserve, but this is what you get when you are surrounded by awesome people all the time. 

  • Monday started with UNSECURITY Podcast (episode 37). Our guest was the one and only MN State Representative Jim Nash. If you missed it, you should give it a listen. We call BS on some things, then chat about some other things. All in all it was a great show. After that, it was coffee with a friend and a lot of writing.
  • Tuesday started with coffee with SecurityStudio’s VP of Software Development, Ivan Peev. After coffee it was an executive leadership meeting (all executives rated it a 10, which is always good), more writing, and a global information security strategy meeting with an awesome vCISO client.
  • Wednesday was great. An FRSecure Customer Advisory Board (CAB) meeting, coffee with Peter Vinge (Director of Operations – FRSecure), more writing, a few more meetings, more writing, and a meeting with legal counsel.
  • Thursday started with a SecurityStudio User Advisory Group meeting, then the rest of the day was spent writing.
  • Friday (today) started with a coffee meeting with my good friend and SecurityStudio’s president, John Harmon. We had a cool discussion about family, health, and some security strategy stuff. After coffee came a SecurityStudio product strategy meeting, and now I’m writing again.

What’s with all the writing?

It’s been a while since I’ve updated people on the status of this second book. The first book (Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?) was published this year, and it’s been really well-received. This first book was written to information security professionals. This second book is an information security book written to information security amateurs, or common everyday people. The book’s parts are (for now):

  • Introduction
  • Part 1 – Current State of Affairs (nation-state, cyberwarfare, businesses, attackers, security, privacy, and safety)
  • Part 2 – Motivation (find your motivation to act, family, friends, community, country, and business)
  • Part 3 –  Application (applying the basics and building habits)
  • Part 4 – Introducing and Using S2Me (the assessment, recommendations, and conclusions)
  • Closing

If you read my first book, you might remember where I said that writing a book is a bitch. It still is. The amazingness of the experience is more than worth it though. More to come in the coming weeks and months.

Let’s get to the show…


SHOW NOTES – Episode 38

Date: Monday, July 29th, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth follow-up
  • Project Bacon
  • Industry News

[Evan] – Hi everybody! Holy buckets, we’ve got a good show planned today. Good morning, and in case you don’t know the voice yet, this is Evan and this is episode 38 of the UNSECURITY Podcast. No Brad joining me today. He’s got a “vacation”. Who does that?! Anyway, in his place is my good friend and SecurityStudio’s president John Harmon. This is where you say “hi” John.

[John] He’s a quick thinker with a sharp tongue, so I’ll need to be on my toes with his response (probably).

[Evan] So, Brad’s on vacation. I joked a little about that, but I can hardly think of someone who deserves it as much as he does. Kudos to him for taking some time off to be with his family. Before we get into talking more about our guest and some cool things, I just want to give our listeners a quick update on our Civic Ransomware Awareness Project and an idea for a follow-up to the #100DaysOfTruth thing.

Quick Civic Ransomware Awareness Project Update and New Idea Discussion

John can talk here too, I just don’t have anything specific for him yet.

[Evan] This is our 38th episode of the podcast, and we finally have you on the show. Sorry it took so long. Now, I know you pretty well because we’ve been working together for quite some time now, but the listeners may not know who you are. Tell us about yourself.

[John] Tells us a story about himself

Talking About John

[Evan] I gotta tell you man, I love working with you every day. You’re a guy that truly gets what we’re trying to do and you’re absolutely sold out on our mission. Later this year, like October, you and I are embarking on a new journey. We affectionately call it Project Bacon. Where did the name come from?

[John] The name was John’s idea, but let’s hear him out.

[Evan] The name is awesome. Besides, who doesn’t like Bacon? So, we have this Project Bacon thing. What is it?

[John] Tells us what Project Bacon is.

[Evan] OK, I think I get it (of course I do, but I need to act like I don’t so the show is more interesting or something). Why are we doing this?

[John] Oh yeah! The “why” is the best part.

More Project Bacon Discussion

[Evan] I’m pumped about Project Bacon. It’s going to be a blast and we’re doing good things all along the way. John, you’ve listened to our podcast before. We always close this thing out with a few news stories. You game?

[John] John is always game.

Industry News

Here’s our news to discuss in this week’s show. The depth of the discussion will depend on our time.

Closing

[Evan] – OK. That’s how it is. So many cool things going on and too many things to talk about. Thank you John for filling in for Brad this week. Project Bacon is going to be great! Also, a special thank you to our listeners. Each week, the number of listeners to our podcast continues to grow, and each week we received great feedback from you. Please keep it coming. If we haven’t had a chance to respond, it isn’t because we don’t care, we just haven’t gotten around to it yet.

If you want to keep up with the haps, be sure to follow me, Brad, and/or John on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and John is @HarmonJohn. Email the show at unsecurity@protonmail.com. Have a great week everybody!

The UNSECURITY Podcast – Episode 37 Show Notes

On time this week? Absolutely! We take these things seriously around here, you know that!

Happy Friday UNSECURITY Podcast listeners! It was a great week for us, hope yours was good (or better).

Weeks like this one at FRSecure and SecurityStudio are always special. We held our end of quarter meeting at our Minnetonka, MN headquarters. Our people fly in from all over the country to celebrate, collaborate, and have fun. It’s AWESOME to see everyone and spend time catching up.

This slideshow requires JavaScript.

We are all family here, and it’s an amazing experience when everyone gets to come home. We have people fly in for the week from Florida, Nevada, Kentucky, and soon to be Missouri. It’s magical when everyone gets together. One of our core values is “work hard, play hard”, and it’s fun to see everyone collaborating then going out and having fun afterwards. Seriously amazing people doing incredible things.

I love these people!

Like almost every quarter, the team killed it again. It was another record quarter revenue and profit-wise, but this is secondary to the impact this team is making in our industry.

The mood was awesome. Blessings everywhere.

On to the show notes, eh? (What am I Canadian now?)

Originally, we were planning to cover a new SecurityStudio initiative we affectionately call “Project Bacon”. We’re going to put that off until next week because we have a special guest joining us for this show. Our special guest is Jim Nash, who represents District 47A in the Minnesota State House of Representatives.


SHOW NOTES – Episode 37

Date: Monday, July 22nd, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth update
  • Calling BS on BS
  • Industry News

[Evan] – Hey oh. Good morning everyone. My name is Evan Francen. My show to host this week, so if you don’t like it, blame Brad. Speaking of Brad, he’s here. Hi Brad.

[Brad] Hi (or something similar)

[Evan] Also joining us this morning is Mr. Jim Nash. Now, I’ve got a special affinity for Jim. He’s a good friend, and he also represents my home district in the Minnesota State House of Representatives. Hi Jim.

[Jim] He also says “hi” or something of the like.

[Evan] Jim, I’m grateful for the work you do for the people of our district and I’m also very thankful for advocating like you do for information security. You’re a tremendous advocate for FRSecure, for the State, and for the US as a whole. Thank you.

[Jim] Graciously accepts my gratitude and says something wisdomy that will awe his constituents. I’ll probably have to cut him short because politicians sometimes like to talk.

[Evan] Let’s jump right in, shall we? We have a lot to cover in this week’s show. Real quick, like real real quick, what did you think about last week?

[ALL] Stuff.

[Evan] Yeah, it was a great week for sure. Quick update on the civic ransomware call to action stuff. I actually gave this thing a real name now, “Civic Ransomware Awareness Project”. We received a few more updates; a couple from our backyard here in Minnesota and one as far away as Idaho.

Civic Ransomware Awareness Project discussion

[Evan] I hope we’ll continue the efforts to work together, people from all walks and backgrounds, including the private and public sector, to make information security better for everybody.

[ALL] Maybe they say something maybe they don’t. It’s early Monday morning for crying out loud.

[Evan] Another thing from last week. Don’t know if you guys noticed, but I finished my #100DaysofTruth series. What did you think?

#100DaysofTruth discussion

[Evan] It was a fun exercise. People have been asking me “now what”? Here’s the plan, and you heard it here first. The FRSecure Marketing Team is summarizing all one hundred days into a single blog post, we’re going to produce an ebook out of the content, we’re going to create an audiobook, and I’m thinking about doing #100DaysofLies.

[ALL] Maybe some more comments, maybe I need to kick them under the table to wake them up.

[Evan] Alright, next thing I wanted to talk about was something that you, Jim, brought to my attention last week. This should be a good discussion. Jim came to me an told me that there’s this guy (he didn’t recall his name at the time) who is out there preaching that there are companies in the United States that are unhackable. As you can probably imagine, I’m not buying it. So I wrote a blog post here at evanfrancen.comblog post here at evanfrancen.com, and I’d like to talk about it. Whatya say guys? Game?

[ALL] Of course they’re game!

Calling BS on BS discussion

NOTE: Go into the background some more, then talk about the BS.

[Evan] Alright. Good spirited discussion. Let’s wrap this thing up with some news, then get on with what is sure to be another great week!

Industry News

Here’s the news to discuss, just two this week because we covered so much other stuff and we’re running out of time:

Closing

[Evan] – Well, damn. That’s how it is. We do a ton of things around here and we talk about a lot of stuff. Special thanks to Jim Nash for joining us this week. Jim, you’re a good man. Also, a special thanks to our listeners. You guys give us awesome feedback every week and tips about what you’d like us to talk about. Be sure to follow me, Brad, and/or Jim on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and Jim’s  @JimNashMN. Email the show at unsecurity@protonmail.com. Have a great week everybody!

According to Author, Some Corporations Have “Achieved Security”

A friend of mine brought something to my attention this week. He said he heard there’s a guy out there claiming there are unhackable companies.

Me: Unhackable?

Friend: Yep, unhackable.

Me: What?! No way man. This can’t be true.

Friend: Oh yeah, it’s true. Want me to send you a link?

Me: Absolutely. I’ve got to see this.

He sent me a link to a National Public Radio (NPR) show transcript. The show, All Things Considered, is hosted by Ari Shapiro, a well-respected journalist. Appearing on this show was Richard Clarke, promoting his new book, “The Fifth Domain”. For those of you who don’t know who Richard Clarke is, he was the National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States from 1998 to 2003, an impressive position. He also led a lengthy career with the U.S. government. Like most people in the government and most politicians, he’s well-respected by some and hated by others. Since leaving the public sector, he’s written a bunch of books and he’s been fairly active in speaking about information security (or as he calls it “cybersecurity”). You can read his Wikipedia page if you want to know more about him.

So, I dug into the transcript looking for the place where this wild unhackable company claim was. At this point, I’m still thinking my friend must be mistaken.

SHAPIRO: One line in the book stood out to me from somebody who was talking about election security but could just as easily have been talking about other aspects of cybersecurity. And the line is, our house was robbed, so let’s at least lock the door. The problem is there are so many doors in the United States – 50 states, thousands of counties, who knows how many private businesses. Each one of them is a target. So is it naive to think that anyone could prevent the house from being robbed again?

CLARKE: There are major American corporations that have achieved security – cybersecurity. They don’t like to attract attention to themselves. They don’t like me using their names, so I won’t. But there are big American companies that have done it. Ten years ago, when we wrote the book “Cyber War,” we said no company is safe. If the Russians or the Chinese want to get into your network, they can. Now we’re saying that’s no longer true.

Wait. What the hell does “achieved security – cybersecurity” mean?! Is he saying there are mysterious unhackable “big American companies”? If they’re unhackable, why can’t we know their names and why can’t we share the secret sauce that makes them unhackable with the rest of the industry?!

I can tell you why we don’t know the names of these unhackable companies, and it’s not because Mr. Clarke won’t share them or because they don’t like him using their names, it’s because they don’t exist!

How about the secret sauce, surely this can be shared. Ari Shapiro, being the very good journalist that he is, asks.

SHAPIRO: What do the companies that have not been successfully hacked have in common? What are they doing right?

CLARKE: The companies that are resilient spend more money on it and have a better governance model so that the guy in charge or the gal in charge reports to a much higher-level official. They’re not buried in the bureaucracy of the company. And in terms of just a raw metric, the good companies – the companies that are successful at this – are spending 8% to 10% of their IT budget securing their networks. There are banks in New York that are employing thousands of people and spending hundreds of millions of dollars each year.

Am I reading this right? The secret sauce is “more money” and a “better governance model”? Can’t be. There’s got to be more than that. Well, he goes on to say there are banks in New York who employ thousands of people spending millions of dollars. Banks in New York. Could this be a hint about one of these mystery companies. He also referred to people. There’s a problem now, once you bring people into the equation. Something that’s unhackable requires perfection, doesn’t it? If there’s a flaw anywhere, there’s a potential vulnerability. These people must be infallible. Do you think these are infallible people? They don’t make mistakes? What kind of people must these be?

Want an unhackable company? Find perfect, infallible people. That’s got to be part of the secret sauce!

Back to the money thing. How much money is “more money”? Surely if we throw more money at the problem, it’ll get solved. After all, we’re throwing billions of dollars at the problem every year. Mr. Clarke claims that the successful companies are spending 8% –  10% of thier IT budget on security. On average a large company (more than $2 billion in revenue) spends 3.2% of revenue on IT, but banks spend more like 7%. So, let’s take a $2 billion (revenue) bank. If they spend between $11,200,000 and $14,000,000 ($2 billion x 7% x 8 or 10%) on security, this will make them unhackable? How about J.P. Morgan? This is the biggest bank in New York. They had revenues of $109 billion in 2018. If they spend (or spent) between $610 million and $763 million on information security, did this, or could this, make them unhackable?

Hmm. Maybe, but we still got that people thing. He also mentions another requirement. The guy or gal running this unhackable security program needs to report to the top, like the CEO or even the board.

So far, we can glean that we’ll need the following for an unhackable company:

  • More money – somewhere between 8-10% of 3.2-7% of revenue, maybe even more.
  • Better governance model – report to the CEO or board.
  • Infallible people – perfect people

SHAPIRO: You’ve said the government has acknowledged that it is hackable and that companies have figured out how to get the upper hand and prevent themselves from being hacked. Why can’t the government learn the lessons that these companies have learned?

CLARKE: Well, I think part of the problem is the federal government, which has maybe 40 or 50 major departments and agencies, insists that they all defend themselves. I don’t think that should be the job of every federal agency. What we propose in the book is that the government create one single cybersecurity office for all the little agencies and departments that can’t do it. This is what’s done in the private sector. A lot of companies don’t do it themselves.

SHAPIRO: They outsource it. They hire a contractor.

CLARKE: They outsource it, and you pay them by the month. And you get the – you get them handling all of your security. That’s the way the federal government should do it.

Ooh, another hint. Outsource all your security. Lord knows, a third-party will most definitely treat your stuff as well or better than you will.

DONE! Want an unhackable company, do this:

  • Spend more.
  • Govern better.
  • Be perfect.
  • Outsource stuff.

Let’s Be Real Now

You sensed the sarcasm, right? Here’s the truth:

YOU CANNOT BE UNHACKABLE, EVER.

Anytime you hear someone claim that something or someone can’t be hacked, give it a long sideways look. Such a person who says such things almost instantly loses credibility with all of us who know better. To give Mr. Clarke the benefit of the doubt, he didn’t explicitly say that there are unhackable companies. He just sort of implied it. It’s also possible that I misunderstood what he was saying, but I read the transcript multiple times and came to the same conclusion. Could be he’s just trying to sell books too. Who knows for sure?

The goal isn’t to be unhackable. The goal isn’t to eliminate risk. The goal is to manage it. Eliminating risk would require perfection, and perfection isn’t possible. If anyone tells you different, he/she is a fool. Don’t take advice from a fool.

The UNSECURITY Podcast – Episode 36 Show Notes

Happy Monday! What?! Yeah Monday. Friday came and went, then Saturday and Sunday did too. These show notes that are supposed to be put here on Friday, didn’t get here till now. Enjoy!

Last week was a great week until Thursday, that’s when the travel adventures began. I’ll write about being stuck in Newark, NJ in a another post. Regardless, it’s good to be back home and ready to go.

Here’s the show notes that my buddy Brad put together for this week’s rant.


SHOW NOTES – Episode 36

Date: Monday, July 15th, 2019

Today’s Topic: The Money Grab

[Brad] – Good morning this is Brad Nigh, your host for episode 36 of the UNSECURITY Podcast. Today is Monday July 15th and joining me as always is Evan Francen

[Evan]  – Says Evan-y things

[Brad] – I won’t lie, writing this episode was much harder than I expected.  I know a lot of what we wanted to cover but writing it and researching… I just struggled.

[Evan]  – Consoles and sympathizes with writers block (I hope)

[Brad] – I hit my breakthrough when I had my ‘DUH’ moment and opened your book to chapter 9.  Why in the world was I trying to reinvent the wheel when you’ve already done an amazing job spelling it out.

[Evan]  – Evan is probably to humble here but he will say something gracious.

[Brad] –  So with that let’s talk about the money grab – the money we steal from each other, or maybe “spend” is more politically correct.  In your book you cover 3 problems you have identified.

  1. There’s plenty of snake oil for sale.
  2. Fear and sex sells lots of stuff.
  3. Money spent poorly is bad money.

ISC2 just released a study that I think hammers home the issues we see.

Small Businesses Need New Security Solutions but Aren’t Always Sure Which Ones

Open Discussion with some articles

[Brad] That was a good discussion. As you can tell, both Evan and I can get pretty heated up about these things. Let’s get to a couple of news items before wrapping this episode up.

News

Closing

[Brad] That’s a wrap! Thanks again to our listeners, and thank you Evan! Let’s go have a great week! Don’t forget, you can follow me or Evan on Twitter; @BradNigh is me, and Evan’s at @evanfrancen. Email us on the show at unsecurity@protonmail.com.

The UNSECURITY Podcast – Episode 35 Show Notes

Happy (belated) Birthday America!

Hope you all had a great 4th of July holiday! Both Brad and I (sort of) took the week off last week. We got some much needed rest for the 2nd half 2019 push. Brad spent time with his family, catching some huge fish with his kids. I made a road trip on my bike from Minnesota to Ohio. My wife and 14-year-old daughter joined me and we spent the week celebrating our great country.

This slideshow requires JavaScript.

The first half of 2019 has been wildly successful on multiple fronts, and both Brad and I are grateful.

I left Brad alone this week. I didn’t even reach out to him for our podcast show notes, so I’m not sure if he was planning to write some. Out of respect for his time away from the office, I’m writing this week’s notes.

Haven’t run this past Brad yet, but I think we’ve got the next three shows planned. We’ll see if he’s game. Here’s my plan:

  1. This week (episode 35) – Transfer of Wealth
  2. Episode 36 – The Money Grab
  3. Episode 37 – Project Bacon

Are you intrigued? Yeah, maybe.

OK, let’s get to it…


SHOW NOTES – Episode 35

Date: Monday, July 8th, 2019

Today’s Topics:

  • Civic Duty? – An update
  • Transfer of Wealth
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 35 of the UNSECURITY Podcast. Welcome back from last week’s 4th of July holiday. My security bestie, Brad Nigh is joining me. He’s my co-host and stuff.

Welcome Brad.

[Brad] Brad probably greets me/us here. Assuming that he’s polite and engaged.

[Evan] How was your week off?

[Brad] Brad shares stuff about his time off.

[Evan] I’ll share some brief things about last week.

The meat of the show starts here.

[Evan] Over the past couple of weeks, we’ve been talking about ransomware. We haven’t been talking about the technical details related to how ransomware works because the attack vector essentially hasn’t changed drastically over the past, I don’t know, 20 years!

What we’ve been focused on is the destruction that ransomware is causing organizations, specifically local government organizations. We talked about cities that are suffering millions in losses and those that have chosen to pay ransoms to attackers. These things really strike a nerve in us, and we’ve encouraged people to do something about it.

For reference, see other related posts in chronological order:

Let’s catch up quick on this Brad.

Open Discussion – Civic Duty? – An update

[Evan] So, before we get too heated and deep into the ransomware discussion again, let’s talk a little about the money. The money in terms of how much attackers steal from us and in terms of how much money we steal from each other. We call the latter the “money grab”.

[Brad] Let’s do it! (and other stuff probably.)

[Evan] I was revisiting some of the research about our industry this week, and I wanted to talk about two things.

  1. The transfer of wealth – the money the attackers steal from us.
  2. The money grab – the money we steal from each other, or maybe “spend” is more politically correct.

We won’t have enough time to discuss these two topics with any depth in one show, so we we’ll need to split this up across multiple shows. Whatever, let’s discuss what we can now.

[Brad] Sounds good (hopefully).

[Evan] According to a study/predictions conducted/made by Cybersecurity Ventures, “Cybercriminal activity is one of the biggest challenges that humanity will face in the next two decades.” You’ve seen this study, right?

[Brad] Oh yes, of course!

[Evan] We know the source of the study, so we need to take it with a grain of salt, but listen to some of the claims:

  • Cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind. The impact on society is reflected in the numbers.
  • In August of 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
  • Cyberattacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication and cost.

Let that sink in a little. Are these numbers and claims accurate in your opinion. Do these numbers and claims just feed our scare tactics? Let’s discuss.

Open Discussion – Money – Transfer of Wealth

[Evan] Good talk Brad! We certainly have our share of opinions on this. Let’s hold off on the “money grab” discussion until next week, then we’ll contrast these issues. Sound good?

[Brad] He’ll agree because he’s a very agreeable man.

[Evan] Just two newsy things this week. We’ll cover them quick.

News

Just two quick stories today.

Closing

[Evan] That’s how it is. Thanks again to our listeners and thank you Brad! Have a great week friends. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.

CALL TO ACTION UPDATE – Doing your part about civic ransomware

Does the all caps “CALL TO ACTION UPDATE” get your attention? It’s supposed to.

The facts:

  1. The call to action still stands.
  2. Our municipalities are still under siege.
  3. The ransomware threat has far from abated.
  4. Too many communities are under-prepared.

You aren’t powerless. You have options.

  1. You can sit there and do nothing, playing the victim.
  2. You can point fingers and complain, playing the critic.
  3. You can wait for somebody else to do something, playing the sluggard.
  4. You can be part of the solution by doing something constructive, playing the responsible citizen. In my opinion, this is the best option.

If you choose (or have chosen) option 4, pen an email to your local government officials. Respectfully ask them how they’ve prepared for an eventual ransomware attack. If you are willing and able, offer to help them if they need it. If you aren’t willing or able to help them, refer them to one of us who is willing and able to help them.

Follow the guidance in my previous CALL TO ACTION article or follow your own charge.

For those of you who choose to do nothing, you have no right to play the victim card or complain. You give up those rights, in my opinion.

UPDATE

Now for the update. Many of you have taken me up on the CALL TO ACTION. You have emailed your local government officials and you’ve shared some of their responses with us at unsecurity@protonmail.com.

Kudos to you for choosing option 4 (above)!

Here are some of the responses that have been shared with us, protecting the names of the innocent/guilty.

Response from small city in a rural area:

We are familiar with these attacks on cities and we utilize network security professionals to protect our systems.  We also utilize a firm to audit us and test for gaps or issues proactively as well as routinely backing up and storing our data off site to protect against ransom demands and other risks.

Not too bad. The resident followed up with the city to gain more insight and offer help. Nice work!

Response from a medium-sized U.S. county:

Thanks for reaching out. No organization can claim with 100% certainty that they are protected from any cyberattack. However this is a very front and center topic for <REDACTED> County, and many efforts have been taken to reduce our risk and exposure to various kinds of cyber attacks, including Ransomware.

The County does not have a defined policy regarding what they would do if faced with this decision (in fact none of the metro counties have one, last time I checked), but in my conversations with Administration I do not believe paying a ransom would be an option they would choose.

Hope that helps answer your question.

This is good to know, yes? Someone (why not us/you) should work with this county to address the issue, and while we’re at it, address the issue with all “metro counties”. Kudos to this county official for responding with some transparency!

Response from a mid-sized suburban city:

Thanks for the email. For the security of the City’s network and systems, we follow the recommendations set by the <REDACTED – state’s criminal justice system>. We also use a third party vendor that does penetration testing against our firewall to try to stay ahead of the malicious attacks. We conduct staff cybersecurity training with this third party vendor to ensure our staff is behaving appropriately as well.

OK, maybe not a great response, but a response nonetheless. Didn’t really address the ransomware preparedness question directly, but a conversation has begun. The resident will be following up. Making a difference!

Response from another mid-sized city:

Thank you for your email. The City of <REDACTED> has a multi-faceted approach to cybersecurity.  We have improved security both internally and externally.  While no system is immune from attack, we are actively scanning and patching for vulnerabilities.  A specific key to protecting against ransomware is to have good, frequent, and tested backups.  We maintain a healthy backup system and in the case of a ransomware attack being successful, could restore lost data as needed. It is our policy to not pay ransomware demands.   Our <REDACTED> has made security a top priority, and has taken many steps to enhance the City’s security posture.  This includes revamping the firewall and anti-virus infrastructure.  We continue to take cybersecurity very seriously, and are constantly striving to keep our data secure and protected against attack.

Not bad. Another conversation starter and another difference made, even if a small one.

Final Words (for now)

Responses from good citizens continue to come in to our mailbox (unsecurity@protonmail.com) and we’re encouraged by the actions some of you are taking! For those who haven’t yet reached out to your local government officials, get on it! Again, you can follow the guidance here if you want.

The problem isn’t going away. Here’s some recent news about ransomware and our local communities:

My other related posts in chronological order:

OK, the rest is up to you (or not). That’s the way it is.