UNSECURITY Podcast – Ep 103 Show Notes – PsyberResilience Project Pt. 2

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs:
  • Election is next week. Please vote. Regardless of who you vote for, you have a voice. The voice might seem insignificant, but when millions of voices speak together, you have something special. This election season has been crazy, just like 2020 has been crazy. I’m looking forward to it being over, so we can return our focus to serious issues facing all of us.
  • Last week on the Security Shit Show, we talked about election security. The title of the show was “Is My Vote Secure?”. This week it’s Chris Roberts‘ topic, and he hasn’t announced it yet. Stay tuned!
  • Business is good – FRSecure is running at or near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Incidents and calls for our incident response team continue to roll in. There was an incident that occurred this past weekend. Sadly, the way the incident was handled by the client provided good examples of what NOT to do. I’ll write a separate blog post on this story later, but here are two things you need to do RIGHT NOW. Drop what you’re doing and make sure you’re squared away on:
    1. Check your incident response plan and be sure you know who to call.
      • Double-check the contact information.
      • Is there 24×7 response? Incidents will inevitably happen at the worst time.
      • Who do you call, and who do you call first? Your incident responders, your insurance provider, your legal team, executive management, law enforcement, or…?
    2. Make sure your preferred 3rd-party incident handler/provider is on your insurance provider’s approved list for reimbursement.
      • You waste precious time, energy, and money when you don’t know.
      • Engaging with a 3rd-party incident responder who isn’t on the list will force you into declined reimbursements and/or changed providers (losing more time).
  • Not a sales push at all, but here’s what FRSecure provides. At a minimum, it makes sense to register with your incident responder (See: IR Registration Services).

  • Not digging the cold weather, but I do live in Minnesota, so…

Episode 102 Quick Recap

Originally, we weren’t planning on making the discussion with Neal O’Farrell into a series, but the talk in episode 102 was too AWESOME! Brad was out sick for the show, but Neal and I had a great talk about his 40(ish) years in our industry, his background growing up in Ireland, his organization (the PsyberResilience Project), our personal mental health issues (stress, burnout, etc.), and mental health in our industry. This is a serious issue in our industry, and we’re not doing a good enough job at tackling our problems.

I’m VERY excited to welcome Neal back again! We’ll talk about resources people can use to improve their lives. Sure to be another great discussion!

These are my (Evan) notes.


SHOW NOTES – Episode 103

Date: Tuesday October 27th, 2020

Episode 103 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberResilience Project
    • Recap episode 102 – Where we left off.
    • Mental Health Discussion.
    • Specific self-help approaches, what we’ve learned from trying them.
    • Other resources and what you can do to help.
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 103, the date is October 27th, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, for the second week in a row is our good friend and founder of the PsyberResilience Project, Neal O’Farrell. Good morning Neal.

[Neal] Cue Neal.

[Evan] How are you guys today? What’s new?

Quick Catch-up

Discussion about any current events, life or otherwise…

Transition

 

Special Guest – Neal O’Farrell from the PsyberResilience Project

[Evan] Neal, thanks for joining us for the podcast again this week. Last week we had a great talk. So great, in fact, we didn’t leave any time for news stuff. No matter though, people can always read news things for themselves.

Anyway, we talked about your background, both of us shared our personal struggles with mental health, and we talked about your organization (the PsyberResilience Project). This week Brad’s joining us, and we’re going to focus on specific self-help approaches that we’ve tried. Before we jump in, Brad, did you get a chance to listen to last week’s podcast?

[Brad] Cue Brad.

[Evan] What did you think about it?

[Brad] Cue Brad.

[Evan] Great! Let’s dig in.

Begin Discussion

Topics to discuss (or ideas):

  • Recap episode 102 – Where we left off.
  • Mental Health Discussion.
  • Specific self-help approaches, what we’ve learned from trying them.
  • Other resources and what you can do to help.

Discuss whatever else comes to mind.

[Evan] Excellent discussion, and I’m sure our listeners found value in it!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Some interesting nation-state stuff caught my attention this week. God knows, there’s always plenty of nation-state stuff going on!

Wrapping Up – Shout outs

[Evan] Great! Episode 103 is just about complete. Thanks guys! Neal, it was great having you on the show again this week. I’m looking forward to working together to make our industry better. Brad, always happy when you’re here. Glad you’re feeling better this week!

Any shout outs for either of you?

[Brad and/or Neal] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, remind our listeners again how they can get in touch with you.

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

E is for Everyone

There are lots of relevant information security words that start with “E”, but I’m going with “Everyone”.

Why?

Three primary reasons:

  1. Information security (good or bad) affects everyone.
  2. Everyone has a role in information security.
  3. If everyone has a role, then everyone must have responsibilities.

There’s a saying I often use:

Information security isn’t about information or security as much as it is about people.

Two important points from this statement:

  1. People suffer when things go bad. If nobody suffered, nobody would care.
  2. People are riskier than technology. Technology only does what we tell it to (for now).

Let’s apply these points to our reasons why “E” is for everyone.

People Suffer

When bad things happen, people suffer. Doesn’t matter if we call the “bad thing” a data breach, a ransomware attack, a phish, business email compromise, or whatever. All bad things related to information security affect real human beings, either directly or indirectly.

Some quick examples:

  • Ransomware attack (poorly prepared) – A ransomware attack hits an organization. The organization isn’t well prepared for it, meaning they didn’t adequately back up their data or adequately protect their backups. The organization has no hope of recovery without negotiating with the attackers and paying the ransom. No worries, “it’s covered by insurance”, a common reply. People suffer:
    • The organization suffered an outage, even if minimal, it’s an outage. Outages mean lost services to customers and lost revenue for the organization. Customers suffer and so do the organization’s stakeholders (owners, investors, employees, etc.).
    • The insurance company suffered the claim loss. This might seem insignificant, but insurance companies are not in the business of losing money. They will raise premiums across the board if necessary to recoup losses. “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” Coalition (one of the largest providers of cyber insurance services in North America). Insurance company stakeholders suffer (even if temporarily), and we all suffer through higher insurance premiums.
    • Paying an attacker a ransom leads to their re-investment in better and more frequent attacks. We all suffer. Everyone suffers, and worse, the cycle continues.
  • Business email compromise – An organization suffers a business email compromise that leads to $800K loss; stolen money through unauthorized ACH transfers. This resulted in a loss for the organization, its customers, and its stakeholders. They all suffered. This attack resulted in $800K that could no longer be spent on good things; things like expansion, employee benefits, employee salaries, etc.
  • Data breach – A hospital gets hit with ransomware, but this variant also exfiltrated protected health information (PHI). The hospital didn’t properly protect itself, and certainly didn’t protect the patients well. The hospital suffered a significant outage, affecting services for patients when they’re needed most. To make matters worse, all patients who were affected by the lost information are now dealing with significant anxiety and safety issues.
    • Anxiety from knowing their private information is in the hands of someone they don’t trust. Contributing to the anxiety is not knowing when/if their information has been used by criminals or how to fix the problem if it did.
    • When a criminal uses stolen PHI to get treatment, their health information becomes mixed with/added to the victim’s. If the criminal gets treatment for a condition using a victim’s medical record/insurance, the criminal’s treatment is now on the victim’s medical record. The next time the victim gets treatment (legitimately), he/she will be treated as though he/she has the criminal’s condition, leading to potentially faulty life-or-death decisions by doctors.
    • Victims are also faced with medical bills that aren’t theirs. If you’ve dealt with medical bills before, you know how this feels.

The list could go on, but you get the point. These scenarios are based on real stories. Reality, NOT fantasy.

Information security (good or bad) affects EVERYONE.

At Home

At home the problem is more direct, but less understood. Attackers have always gone after people at home. Since the first home PCs were connected to the Internet, they’ve been under attack. If we think attackers have relented, we’re foolish.

The problems at home are less understood for a couple reasons:

  1. The consumer market has been grossly underserved. This market is underserved because consumer information security is more difficult to monetize. This market is very easy to monetize for cool blinky lights, personal assistants, “smart” homes, etc. It’s a pain in the ass to monetize for information security.
  2. Personal attacks, or attacks at home, don’t grab the headlines like organizational attacks do. People aren’t paying attention (as much); however, this might be changing with the explosion in remote working or “work from home”.

At home, your information security and safety are your responsibility. Not mine. Not the government’s. Yours. Sadly, an attack aimed at you or your children is yours to bear, sometimes alone.

People Are Riskier

Riskier how? In terms of being riskier than the technology or in terms of being riskier than they were before?

Yes. Both.

Technology only does what we tell it to do. Tell it to do bad things (on purpose or by accident), and the technology does bad things. Tell it to do good things, and you guessed it, technology will do good things. It’s not technology that’s bad as much as it’s the behavior of technology makers and consumers that can make it bad. Technology makers are incented to get the product (hardware and/or software) into consumers’ hands as quickly and cost-efficiently as possible, NOT as securely as possible. Information security is up to you then. If you don’t know how to secure the product or technology, then you will suffer the consequences.

Technology makers need to be incented to make things more secure, not punished for making things insecure.

Consumers need to learn better information security habits to reduce their risk within their area of influence; in communities, at work, and especially at home.

EVERYONE has a role in information security. What’s yours?

Roles

In simple terms, there are information owners, custodians, and users. In reality, this is where the breakdown starts. Most people have no clue what their role is. If you don’t know your role, you don’t stand a chance of understanding your responsibilities.

Information Owners

These are people who are directly affected by the loss of confidentiality, accuracy (or integrity), and/or availability of their information. They “own” the information, and it’s theirs.

Examples:

  • My health record is mine.
  • My financial account information is mine.
  • My Social Security Number is mine.
  • My private conversations are mine.
  • My private emails are mine.
  • My credentials for accessing accounts are mine.

I am the information owner. At times, I’m the information owner for people I’m responsible for too, like members of my family.

Information Custodian

These are organizations and people who have been delegated, by the information owner, the responsibility of protecting the owner’s information.

Examples:

  • The hospital is a custodian of my health record.
  • The bank is a custodian of my financial account information.
  • The school, employer, bank, credit agency, etc. are custodians of my Social Security Number.
  • The phone carrier (or whoever else I might be using for private conversations) is the custodian of my private conversation.
  • The email provider (personal and work) is the custodian of my private emails.
  • The password manager program (please tell me you use one), and everyone I authenticate with, is the custodian of my credentials for accessing accounts.

Information Users

These are people who use the information in a manner approved by the information owner through the information custodian.

Organizations Are Not Data Owners

Organizations do not “own” our information. Organizations are custodians and users of our information.

Organizations do NOT “own” any information except what they’ve created.

Organizations act like “owners” of our information, but they’re not. If they want to be, then they’ll need to accept the consequences of misuse instead of pushing the consequences onto the real owners (you and me). Organizations act like owners of our information when they make risk decisions on our behalf without our approval. Truly, if more people knew how some (maybe most) organizations protected our information, I’m pretty sure some of us would stop doing business with them.

Responsibilities

Each role has specific responsibilities, but this is where things get even messier.

Information Owner

Information owners must inform/declare to information custodians what’s acceptable and what’s not with respect to protecting their information. Once this has been defined, it’s also the owner’s responsibility to hold the custodian accountable.

The problem

Most people have no idea that they are an information owner or what it means to be an owner. For those who do understand the role, many feel powerless to do anything with it. We have a long way to go in empowering information owners to delegate information security responsibilities effectively and simply to data custodians. We’ve tried going down this route, sort of, with compliance mandates, but our compliance initiatives are far behind the times and largely ineffective. Much work to be done here.

Information Custodian

Information custodians protect information according to what’s been delegated by the information owner. If nothing has been delegated (explicitly), custodians are left to their own devices. Some custodians treat our information with extreme care while others couldn’t care less. If we’re frustrated by how organizations are protecting our information, maybe we need to back up and look at our responsibilities (as information owners) and create solutions that will allow us to become empowered.

Information User

Easy. Just follow the rules, as defined by the owner and delegated through the custodian. If the user doesn’t understand the rules, it might be due to breakdowns in information ownership and/or custodianship. If the user doesn’t follow the rules because they don’t want to, there are other problems, of course.

If everyone has a role, then EVERYONE must have responsibilities.

Fundamental

This is not only fundamental information security, this is fundamental logic. We’ve got a lot of work ahead of us.

Honorable Mention for “E”

I received many great suggestions for the letter “E” including:

  • Evolution – information security is certainly evolving, but not fast enough. Complexity is the worst enemy of information security, and we’re going too fast to secure things. Technology is evolving much faster than our ability to secure it.
  • Elephants – the “elephant in the room” is often information security, or the lack thereof. If only we could make the elephant a little smaller and little less intimidating.
  • Efficiency – a great word, but could be a can of worms. If we can make things more secure (less risk) and be more efficient, we have the potential recipe for success!
  • Endpoint – endpoint protection is certainly part of the equation, but I didn’t choose it because of the overemphasis our industry puts on its importance. It’s important for sure, but some people (vendors mostly) will claim it’s the silver bullet/easy button. I know the person who suggested “endpoint” is NOT insinuating such a thing (I know him), but others might. Just FYI, silver bullets and easy buttons don’t exist and never will.
  • Encryption – a great suggestion and safe choice. Encryption is wonderful and a critical protection against unauthorized disclosure and/or alteration of data.
  • Evolve – closely related to “evolution”. See above.
  • Exfiltration – another great suggestion. Exfiltration is the extraction or taking of information from an environment, and the word is often used in relation to data breaches. It often results in a compromise of confidentiality if the data wasn’t adequately protected with encryption (another vote for “encryption” above).

One last word that I was considering was “education”. Education is VERY important and we all must continue learning. There are so many good free and paid education opportunities available everywhere, there’s really no excuse for not investing in yourself.

Next up is “F”. Ooh, a bad word I use too much starts with “F”! You know the word, but it’s not going to make it into the Security ABCs, sorry.

God Showed Up to My Pity Party

Yes, God showed up. Uninvited and unwelcomed.

NOTE/WARNING:

The subject of “God” is touchy for many people. I acknowledge this, and won’t go down the rabbit hole (now). I’ll preface my story with two simple points:

  1. This story isn’t about religion. This is about relationship. Two vastly different things. If it helps, I don’t like religion either, or at all.
  2. Nobody is forcing you to read this. Feel free to stop reading this at any time.

OK, back to my personal pity party.

Pity Party!

This was my party. All mine.

I invited the most important person in my life (me), and I was sure he was coming (again, me). The best time for me to have a pity party is early in the morning. Mornings are great times for pity parties because it’s easier for me to be alone.

This particular party took place one morning a couple weeks ago. I woke up in a pissy mood, so it was the perfect time to hold my pity party!

I even had a theme. “2020 Sucks!” In my mind, I replayed all the crappy things about this year, and I found I had lots of things to celebrate:

  • COVID-19, and all the disruption it brought to daily life
    • Closed offices.
    • Closed schools.
    • Economic hardships.
    • Fear.
    • Uncertainty.
    • Politicization.
    • The saddest/hardest stuff:
      • Sick people.
      • Deaths.
      • Closed businesses (some permanently).
    • Etc.
  • Social (in)Justice:
    • Riots.
    • Cities burning.
    • Systemic racism.
    • Hatred.
    • Killing.
  • 2020 Election:
    • Disinformation.
    • Division.
    • Hatred.

This country I love seems like it’s falling apart. I grew up in a Marine Corps family (Oorah!), so this hits hard and personal. People around me who used to love each other are now at each other’s throats. Damn, this pity party was in full swing!

Wait though, I can kick this thing up a notch!

I haven’t even started to grumble and take the “woe is me” look at my personal issues in 2020:

  • Frustration in my own home.
  • Loneliness and isolation.
  • Hit a deer while riding my motorcycle in May ($11K in damage).
  • Lost my little buddy (dog named “Vike”) in July.
  • Child struggling with school (social issues, lack of routine, etc.)
  • Work stresses from being CEO of two companies. The wind blows the strongest at the top of the mountain.
  • Lost my little sweetheart (dog named “Maizee”) first week in October. Two dogs in one year?! WTF?
  • General insecurities that come with working in the information security industry (yes, we all have them).
  • Etc., etc., and the list could continue.

The party was going great! I was feeling comfortable being shitty. I had a solid shitty attitude. To boot, I felt like I had plenty of blame to toss around and anger to express.

Woop! Woop! Party!

Then “He” showed up.

He showed up like He has before. Subtle. Almost sneaky. No grand entrance or anything.

Upon reflection, I realized He was actually there when the party started. I didn’t know He was there, but He was. At just the right time, He made his presence known to me, with a subtleness I can’t compare to anything else.

He whispered in a gentle, loving voice, “Did you forget?”

The whisper wasn’t audible, at least I don’t think it was. There was nobody else in the room to confirm a “yes” or “no”/my sanity. Regardless, whether His voice was audible or not, I’m certain I heard Him.

I responded (not audibly, I don’t think), “Forget what?”

He replied, “Forget the blessings. Did you forget the blessings?”

I thought for a second. “What blessings?”

With more gentleness, and without anger, He reminded me:

  • This was the year I gave you Ryan Cloutier to work with.
  • This was the year I gave you the amazing SecurityStudio team experience at RSA. Remember #MissionBeforeMoney? That was Me.
  • This was the year I gave you a wonderful vacation with your wife and friends. You know that seven-day cruise and everything that came with it?
  • This was the year I gave you 2,500+ students in the FRSecure CISSP Mentor Program. I even let you take credit for it.
  • This was the year I gave you unity and progress at FRSecure; amongst the executive leadership team, the senior management team, and the employees who get the real work done.
  • This was the year I gave you a new motorcycle after you crashed the last one.
  • This was the year I gave you a stronger bond with your wife.
  • This was the year I gave you a second vacation, one to the Black Hills of South Dakota with your wife and friends.
  • This was the year I made SecurityStudio profitable for the first time.
  • This was the year I gave you a new puppy with an amazing and vibrant lust for life.
  • This was the year I taught you what unconditional love feels like.
  • This was the year I introduced you to working more closely with Chris Roberts (BTW, I’m using him too) on the Security Shit Show, multiple talks/panels, and business collaboration on My mission (to fix the broken industry).
  • This was the year I gave you new and deeper experiences with co-workers and friends.
  • This was the year I gave you the Daily inSANITY Checkin and new relationships with many wonderful people there (Josh, Jared, Steve, Tony, Richie, Amy, Marlyce, Dwight, Jim, Raul, Shelley, Olga, Jason, Brian, Rod, Caleb, Jeff, Lisa, etc.).

Shall I go on?

Through tears running down my face, I responded, “Thank you. Thank you for coming to my pity party to remind me who I am and what You have done for me.”

It was here I realized I’m not cursed. Far, far from it. I’m blessed. Beyond everything that’s been done for me and given to me, I’m blessed by a God who always shows up, even to my pity parties He isn’t invited to.

2020 has been a weird year. It’s been much worse for some than for others, but regardless of how bad it’s been, there’s hope. There’s hope that God will show up for you as He did for me. There’s hope that God will restore what we destroy. I can’t help but wonder how much of what we’ve destroyed was destroyed because we take things for granted. It’s easy to take things for granted when we are given things without 1) earning them (called grace) and 2) realizing where they came from.

Wishing and praying for all brothers and sisters who are struggling today. I pray that you’ll find God, His grace and your blessings.

UNSECURITY Podcast – Ep 102 Show Notes – PsyberResilience Project

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD* like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs – I’ve been writing the information security ABCs the last week or two. This is a journey through the basics and fundamentals of information security. The “experts” can use the reminders and the inexperienced can use the direction (I think). The reception has been great so far, and I love the comments I’ve been getting, in my LinkedIn feed and on Twitter! So far, I’m through “D”. Stay tuned for “E” and “F” which are both scheduled for this week.
  • Election is only two weeks away – Have you already voted or are you planning to? If not, shame. Every U.S. citizen should voice their support for who they want leading this country. If you’re like me, you aren’t wild about either of the two leading candidates, but that won’t stop me from casting a vote for who I think is best (out of my limited options). Last week, we talked about election security in episode 101. The notes for that episode have some good resources in them.
  • Disinformation is rampant – Last Thursday, Ryan Cloutier, Chris Roberts, and I opened our three-part series about election disinformation on the Security Shit Show. This first episode was titled “Disunited States of America (Election Disinformation)” and despite our share of technical difficulties, it was a great talk!
  • Business is good – FRSecure is running at near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Cold/Winter

Lots of blessings, despite the crazy society we’re living in.

*Speaking of ADHD, mental health is a serious issue in our society and our industry. Helping people with mental health disorders is important for all of us, and it’s a cause that I’m deeply committed to. This is the topic for today’s show.

I’m VERY excited to welcome a special guest this week. He’s the Founder of the PsyberResilience Project, and a long-time information security advisor and expert: Neal O’Farrell!

On to the show! Brad is out with a sinus infection (or something), so it’s just me and our guest. These are my notes.


SHOW NOTES – Episode 102

Date: Tuesday October 20th, 2020

Episode 102 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberResilience Project
    • Introduction to Neal
    • About the PsyberResilience Project
    • Mental Health Discussion
    • What can we do to help?
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 102, the date is October 20th, 2020, and I’m Evan Francen, your host.

Unfortunately, Brad Nigh, my good friend and regular co-host, is out with a sinus infection (I think) today. So, it’s me flying solo, but not really.

I’m REALLY excited to introduce you to a great guy and tremendous asset to the information security community; Neal O’Farrell.

Hi Neal.

[Neal] Cue Neal.

Special Guest – Neal O’Farrell from the PsyberResilience Project

[Evan] Neal, thanks for joining us for the podcast. Tell us about you and your journey through the information security industry.

Begin Discussion

Topics to discuss (or ideas):

  • Neal’s background.
  • The PsyberResilience Project
    • Its purpose.
    • Why Neal started it.
    • What makes it different?
    • Current initiatives and goals.
    • How can people find you?
  • Mental Health
    • What’s wrong with our industry, in terms of mental health?
    • Have problems gotten worse, especially with today’s current events?
    • Have we fixed/solved anything?
    • Personal mental health issues.
    • What do we need to do?
  • What we’re doing together (SecurityStudio and the PsyberResilience Project)

Discuss whatever else comes to mind.

[Evan] Thank you Neal! Great discussion and I’m thrilled to be doing good things with you.

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Just one large news reference for this week. From the Register:

First, Patch Tuesday. Now, Oh Hell, Monday: Microsoft emits bonus fixes for Visual Studio, Windows 10 security bugs
https://www.theregister.com/2020/10/19/security_in_brief/

[Evan] For the most part, I like reading the Register for news. Neal, do you have a favorite news source in our industry?

[Neal] Cue Neal.

Wrapping Up – Shout outs

[Evan] Great! Episode 102 is just about complete. Thanks Neal! It was great having you join us this week and I’m very happy to have you fighting on the good side. Once again, how can we help?

[Neal] Cue Neal.

[Evan] Always grateful for our listeners! We’re behind on email still, but we’ll get there! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, do you have a way you prefer people get in touch with you?

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Why Isn’t “C” for Compliance?

If you missed it:

And “C” is NOT for compliance. Why not?

The simple answer is:

Compliance is NOT information security despite what people may think.

Judging from how many organizations treat compliance and information security as if they were the same thing, people must be confused. They’re not the same. Compliance has never been the same as information security, and it never will be.

Ultimately, compliance is doing what you’ve been told to do.

Explanation

Here’s how compliance works.

A governing body (country, state, industry, etc.) decides it needs to do something about information security, or privacy (a different, but inseparable thing). They write a law, regulation, or standard by which all entities (organizations) must abide. Examples include:

  • 104th United States Congress\Department of Health, HIPAA, all entities interacting with PHI.
  • 106th United States Congress\Federal Financial Institutions Examination Council (FFIEC), GLBA, financial institutions
  • California State Legislature, Assembly Bill No. 375 (California Consumer Privacy Act or “CCPA”), for-profit businesses who conduct business in California that 1) have gross revenue in excess of $25MM, 2) buy, receive, or sell personal information of 50,000 or more consumers, or 3) earn >1/2 of their annual revenue from selling consumer personal information
  • Payment Card Industry Security Standards Council (self-regulation), Payment Card Industry Data Security Standard (PCI-DSS), organizations that handle branded credit cards from the major card brands (VISA, MasterCard, et al.)

If you’re in the sights of the regulation\law\standard, you have little choice but to comply with the regulation\law\standard or face sanctions. Where organizations DO have a choice is in how they comply. Organizations can choose:

  1. To abide by the intent of the regulation\law\standard, or
  2. To abide by the letter of the regulation\law\standard.

The choice comes down to the organization’s understanding, lack of skill, and/or how short-sighted management may be.

Option #1 – Intent of the Law

The intent of information security and privacy related regulations/laws/standards is usually a noble one. Take HIPAA for instance, the intent is to protect protected health information (PHI).

That seems noble.

The challenge is writing a regulation\law\standard that’s prescriptive enough to be effective in enforcing the intent while at the same time being flexible enough to apply to a large population and all its inherent variables. There are 146 mentions of the word “risk” in the Final Rule. This is great because “risk management” fits our definition of information security. Clearly, when reading the text, the intent of HIPAA is to build a fundamental information security program upon risk management fundamentals.

This is not only noble, but it’s very close to producing the same outcome as information security. Sadly, this is as close to information security as compliance gets.

Option #2 – Letter of the Law

If the intent of the law escapes you, you have the other option, a shortcut, the letter of the law. Abiding by the letter of the law is a shortcut, leading to checkboxes and poor information security.

HIPAA calls for a risk analysis in the Security Rule, so shortcutters get out their Excel spreadsheet and do the minimum work necessary to check the box. HHS recognized that people were half-assing it. Many healthcare organizations were not even doing their risk assessments, so in 2009/2010 HHS incented health care organizations through Meaningful Use Requirements. That still didn’t have its desired effect, so they increased enforcement through the OCR (first settlement in 2009). That still didn’t do enough, so HHS started compliance audits in 2011. Still not enough, so the Omnibus Rule came about in 2013. Since then HIPAA audits have been delayed and we’re in a bit of a stalemate.

Question. Has healthcare information security been improved, or not? In some places, “yes” maybe. In other places, “no”. There’s nothing definitive to say one way or the other.

Conclusion

“C” is not for compliance because compliance isn’t information security. If you must use compliance as your driver, go after the intent of the law versus the letter of the law (PLEASE).

D is for Data

The words we use make a difference. They make a difference in what we do, how we communicate, and our overall effectiveness as information security professionals.

This may seem basic for you, but it’s important to recognize not everyone is an “expert”. Unless you only work with people like you (experts), you’d better master the application and communication of these basics.

Despite wanting “D” to stand for something else, something a little less obvious and more sexy, it’s for “data”. Covering two things here, what is “data” and why must “D” stand for data.

What is Data?

Wouldn’t it be nice if there was just one definition? Unfortunately, there isn’t one for the word “data”. Merriam-Webster has three:

  1. factual information (such as measurements or statistics) used as a basis for reasoning, discussion, or calculation
  2. information in digital form that can be transmitted or processed
  3. information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful

Dictionary.com has four:

  1. a plural of datum (and datum has five definitions)
  2. individual facts, statistics, or items of information
  3. information in digital format, as encoded text or numbers, or multimedia images, audio, or video
  4. a body of facts

BusinessDictionary has two:

  1. Information in raw or unorganized form (such as alphabets, numbers, or symbols) that refer to, or represent, conditions, ideas, or objects. Data is limitless and present everywhere in the universe.
  2. Computers: Symbols or signals that are input, stored, and processed by a computer, for output as usable information.

Despite eleven definitions from these three sources, there are some commonalities. Here’s the definition that I’ve gleaned: data is raw or unorganized information that is factual and/or statistical.

If “information” is core to the definition of “data”, then what’s the definition of information?

Data that is:

  1. accurate and timely,
  2. specific and organized for a purpose,
  3. presented within a context that gives it meaning and relevance, and
  4. can lead to an increase in understanding and decrease in uncertainty.

Summary Definitions

Data is:

raw or unorganized information that is factual and/or statistical

Information is:

accurate, timely, specific, and organized data that provides meaning and relevance

The difference between the two is organization and meaning.

Why D is For Data?

The simple answer is that data is at the core of everything that is information security and/or data security. To drive home this fact: not only is “information” in the term “information security” (and information is data), the word “data” is applied all over our industry:

  • data administration
  • data aggregation
  • data breach
  • data integrity
  • data leakage
  • data loss
  • data loss prevention
  • data mining
  • data spill
  • data theft

So, to come full circle on why “D” is for “data” despite wanting to find a sexier word: data is fundamental to everything we do as information/data security professionals.

There you have it.

Honorable Mention for “D”

  • decrypt (or decryption) – turning ciphertext data (encrypted) into plaintext data.
  • digital – representation of data in discrete units, such as binary (0s and 1s).
  • denial of service – an attack aimed at making a system, service, or application unavailable to authorized users.

There you go. That’s “D”. “D” is basic. “D” is boring (to some). “D” is fundamental.

Next up is “E”.

C is for Cybersecurity

Cybersecurity is NOT the same as information security.

Different words, different things.

What is “Cybersecurity”?

In order to fully appreciate the difference between information security and cybersecurity, we need to define both.

Information Security

The workable definition of information security that I’ve used for decades is:

Managing risk to unauthorized disclosure, alteration, and destruction of information using administrative, physical and technical controls.

This is a workable definition because it hits all the necessary points:

  1. It’s “managing” risk, NOT eliminating risk. Eliminating risk is impossible.
  2. It’s a business issue, NOT an IT issue; therefore, administrative and physical controls cannot be dismissed. Two common phrases to drive this point:
    • It’s easier to go through your secretary than your firewall.
    • Nobody cares about your firewall when someone steals your server.
  3. Keeping things secret is important (confidentiality vs. disclosure), but so is making sure the information is accurate (integrity vs. alteration) and available (availability vs. destruction).

OK. Now for “cybersecurity”.

Cybersecurity

Cybersecurity or “cyber security”, tomayto tomahto.

Seems this is a combination of two words, “cyber” and “security”. So then, what does “cyber” mean?

Let’s Google it:

Me being me, I’m not one to take a single source of truth at face value, at least not if I can help it. What does Merriam-Webster say?

Alright good enough. Confirmed. Cybersecurity then is defined as:

Managing risk to unauthorized information disclosure, alteration, and destruction using technical controls.

Cybersecurity is a subset of information security. They are NOT the same. We could reason that cybersecurity and IT security are the same (or similar), but not cybersecurity and information security. Sort of looks like this:

If accuracy and language are important to us, which they should be, then we need to get our words and terms straightened out.

Why This Matters

There are several reasons why it matters:

  1. There’s enough confusion already. Don’t believe me? Go ask someone to define “cybersecurity” out of the blue. For the best results, ask three or four people who work in our industry and three or four people who don’t. Note three things:
    • The bewilderment with the question.
    • The effort it takes them to provide a clear answer.
    • Differences between answers (yours and theirs, theirs and others, etc.).
  2. We’ve fought hard to make this a non-IT issue. The struggle is real. For 25+ years we’ve struggled to get business leaders to buy in and take responsibility for what’s theirs. We’ve been consistently preaching this isn’t an IT issue. We’ve trudged and plodded for slow progress. Now, we start using the word “cybersecurity” and we begin to lose ground. The ground we lose may seem insignificant, but ANY/ALL lost ground is bad. If you’ve fought this battle as long as some of us have, you know how hard we’ve grappled with this issue over the years.
  3. They’re both valid terms/words for what they’re already designed for. One word means one thing and one term means something different. They’re both perfectly valid for what they’re designed to communicate. Why mess with them?

How We Got Here

In my opinion, two reasons, marketing* and laziness.

Cybersecurity sounds cooler, sounds sexier, and probably sells more stuff (not necessarily stuff you/I need). Another reason might be laziness. Information security is eight syllables, and cybersecurity is six. We can save two whole syllables when using “cybersecurity”! Think of all the cool things you could do with the extra syllables we’ve saved! I’ve even heard “experts” refer to information security as simply “cyber”. How sexy is “cyber”?! Using only two syllables?! Sounds super-experty too. The other six syllables can now be used to explain what you actually meant in the first place, I guess.

Changing the meaning of words to fit marketing and/or laziness doesn’t seem right.

How To Get Back

Simple, use your words correctly. If you must use the word “cybersecurity”, preface it with what you’re actually talking about.

Honorable Mention for “C”

  • Confidentiality – protecting from unauthorized disclosure or keeping information secret.
  • Control – we can’t secure things we can’t control. A control is a restriction put upon an asset to protect it from unauthorized disclosure, alteration, and/or destruction. There are many applications of controls and control types, including access control, configuration control, change control, etc.
  • Cryptography – the simplest meaning is “secret writing”. It’s turning plaintext data into encrypted data (ciphertext) and vice versa. Cryptography can be great for protecting against unauthorized disclosure and alteration of information, but doesn’t do anything for protecting against destruction.

Most people could have guessed what “C” was going to be. Next up is “D”.


UNSECURITY Podcast – Ep 101 Show Notes – Election Security

Well, it’s already mid-October and the election is 21 days (three weeks) away. Things have never seemed crazier or more divided, at least not in my lifetime. Good fodder for discussion in episode 101 of the UNSECURITY Podcast!

Work-wise things are also crazy, but good. Fourth quarter is always nuts for an information security company, and it doesn’t matter if it’s consulting (FRSecure) or SaaS (SecurityStudio). Everyone is running at full capacity and finding life margin is a challenge!

Hope you’re happy and healthy! On to the show; I’m (Evan) leading this show and these are my notes.


SHOW NOTES – Episode 101

Date: Wednesday October 14th, 2020

Episode 101 Topics

  • Opening
  • Catching Up (as per usual)
  • Election Security
  • News
  • Wrapping Up – Shout outs

Opening

[Evan] Hey there, thank you for tuning into this episode of the UNSECURITY Podcast. The date is October 14th, 2020 and this is episode 101. I’m Evan Francen, your host for this show. Joining me is my good friend and co-host Brad Nigh. Good morning Brad.

[Brad] Brad does Brad.

[Evan] I know we’re a day late getting the podcast out again this week, but holy cow we’ve been busy! We’ll try to get back on track next week.

Brad, I want to reiterate how I enjoyed our discussion the past couple of weeks about the social dilemma, a Netflix documentary about social media and its effects on society. Lots to think about. In fact, I’m planning to watch it again this week.

[Brad] He might comment here.

Catching Up

[Evan] So, what’s new? Tell us what a day in the life of Brad looks like.

[Brad] Cue Brad.

[Evan] I’ll share some stuff too (probably).

Transition

Election Security

[Evan] As you know, we’re only 20 days from the election. If you haven’t registered to vote yet, you should. Go to vote.gov and check it out. Brad, have you registered to vote?

[Brad] Cue Brad.

[Evan] I’m registered and ready to cast my ballot! The date is November 3rd.

There’s been much said about election security. A simple Google search of “election security” produces over 2.2 million results! Election security isn’t a new thing, even though it’s been front and center the past few election cycles.

There’s more to election security than protecting voting machines, so let’s talk about this.

Resources

[Evan] There’s a lot more to election security than infrastructure. What about voter intimidation, disinformation, and security after election night? We’re talking about disinformation on Thursday night’s Security Sh*t Show because this is a significant issue in today’s society.

Election Security Discussion

Open discussion

[Evan] Good discussion! Securing an election has never been more difficult. Let’s catch up on some news quick.

News

[Evan] Here are some recent and interesting news stories to talk about.

Wrapping Up – Shout outs

[Evan] Great! Episode 101 is just about complete. Thanks Brad, do you have any shout outs this week?

[Brad] We’ll see.

[Evan] Always grateful for our listeners! We’re behind on email, but we’ll promise to respond soon. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

B is for Business

A business is in business to make money.

You and me?

We’re in the business of living life.

Don’t forget either of these points, now or when you’re doing your (information security) work. Personally, I get messed up sometimes, thinking I’m in the business of securing/protecting everything under the sun, forgetting to live life.

Protecting information is a good thing, even a great thing, but it’s not THE thing.

At Work

For-profit organizations are in business to make a profit. Non-profit organizations are in business to serve a mission.

It’s not that binary though, is it?

There are mission-driven companies, and there are non-profit organizations who rake in millions.

What drives your organization?

Mission-Driven

I can speak from experience on this. SecurityStudio and FRSecure, the two companies I work for, are both mission-driven organizations. They are for-profit companies, but it’s all about #MissionBeforeMoney.

Our mission? To fix the broken information security industry.

We serve out our mission by:

  1. Serving in our industry’s best interest. We seek partnership and collaboration with like-minded organizations, and we steer clear of bad-mouthing and destructive behaviors. We avoid and/or terminate relationships with organizations who aren’t like-minded.
  2. Serving our customer’s best interest. Always. Two things: don’t ever sell a customer something they don’t need (or the rumor is I’ll run you over with my truck), and stay product agnostic (selling products and consulting shouldn’t mix for us because there’s an inherent bias).
  3. Building solutions to fix real problems. Real problems might be difficult to solve, but it’s what we do.

OK. What about your organization?

If you work for a mission-driven organization, what’s the mission? If you don’t know the mission, then you’re probably not working in a mission-driven organization.

Money-Driven

Pure money-driven organizations focus on money obsessively. They will sometimes compromise quality and/or doing what’s in the best interest of their customers to make more money. In reality, pure money-driven organizations are heartless.

The good news is that pure money-driven organizations seem rare. Most money-driven organizations are a mix between money lust and mission.

Why This Matters

You work for an organization. If you want success in return for your information security efforts, you’d better align your efforts with the purpose of the organization.

  1. You must figure out and communicate how information security feeds your organization’s mission, and/or,
  2. You must figure out and communicate how information security will make your organization more money.

Both can be done. It’s work. But it’s worth it. You’ll serve the organization better, and you’ll be better too.

Business people think information security is a cost center and/or some necessary evil. It’s obvious. How many times have you heard:

  • What’s the minimum we need to do?
  • What’s the cheapest way to check the box?
  • We don’t include information security in business decisions because it slows things down.
  • We don’t have money to hire help.
  • Etc., etc., etc.

It’s no wonder we don’t have “buy in” from the business. We’re not aligned with the business!

Every misspent dollar on information security is one less dollar for the mission and one more headache for the bean counters.

At Home

You’re in the business of living life, we all are. You might be someone who works in information security, or maybe you’re not. Either way, you’re still in the business of living life.

So, how does information security improve or make your life better? If information security doesn’t, why bother?!

  • Passwords. No thanks.
  • Scary things. No thanks.
  • Extra steps. No thanks.
  • More work. No thanks.

We need to figure out (for ourselves and others) how to position information security as something that improves life; something that makes life better. Information security is a life skill, and we’d all be more skilled if it was enjoyable and simple.

We’re working hard on this front with S2Me. It’s 100% FREE, go check it out. Also, go check out all the awesome content put out by Wizer.

Closing

So, there you have it. “B” is for “business”. We need to make information security more “B” friendly at work and home.

Honorable Mention for “B”

  • Basics – the basics of information security are what form the foundation of information security. Poor basics = poor foundation. Poor foundation = crumbling structure (or information security program). Most risk is found in missing (or broken) basics. Master them. If you don’t know them, learn them (book).
  • Backup – bad things happen. What will you do when they do? No backup, expect to lose data (forever). Expect it because the time will come soon, and it’s never convenient.
  • Bit – the smallest unit of data in a binary system, like your computer. Bits are cool. When they get together, they make bytes, kilobytes, megabytes, etc. Speaking of backup (previously), get all your important bits!

Next up, “C”.