H is for Holistic

Despite all the words that could have been chosen for the letter “H”, here it stands for:

Holistic

We use the word “holistic” semi-frequently in our industry, and there are several definitions. The two definitions I like best are both from the Cambridge Dictionary:

dealing with or treating the whole of something or someone and not just a part:

and the second, similar definition:

relating to the whole of something or to the total system instead of just to its parts

So then, a couple questions with respect to “holistic” and “information security”:

  1. What is the “whole” of information security?
  2. Why is the “whole” of information security important?

Let’s figure it out.

What is the “whole” of information security?

Ask an “expert”. Heck, ask ten! See what response(s) you get.

A simple definition of information security would help; however, a significant and often overlooked problem in our industry is that we still haven’t agreed on one. If you don’t believe me, and don’t want to ask an expert, Google “What is information security?“:

  • the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.
  • Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or…
  • Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
  • Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk…
  • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

These are only the top five results. There are certain similarities; however, there are significant differences too. Only one of the definitions mentions risk, and even then it references “mitigating risks” versus managing them. I won’t dissect all the definitions here, but the point is, we don’t all agree. Just last week, I read an article from one of our industry experts who claimed that information security and cybersecurity are one in the same.

Ugh! This is us.

If we’re not confused enough ourselves, how do you think we’re viewed by people who don’t work in our field? You know, the ones who are ultimately responsible for information security in the organizations they lead?

Many of them, and some of us, believe information security is complex, overwhelming, and confusing. The default reaction for such things?

Ignorance.

Let’s simplify, explain, and fit information security into organized boxes. Maybe this will help. In order to understand the “whole” of information security, we must first know what “information security” is. The definition:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

We can slice and dice this thing into millions of parts, but this will get us into the weeds quickly and back to that overwhelming feeling. A trick that’s worked for me and my clients is to dissect the “whole” of information security, from the top. Start with the goal or purpose of information security and work our way down through to the minutiae.

The purpose of information security is risk management.

Period.

The purpose of information security is NOT compliance and it’s certainly NOT risk elimination (which is impossible). So, start there.

The three high-level functional areas of information security; Administrative, Physical, and Technical means (or controls). Add those next.

Notice the overlap?

Everything is in the context of risk management. Administrative controls govern how we do things, including our handling of physical and technical controls. There has to be overlap between physical and technical controls because it doesn’t matter how well a server is configured when someone steals it.

From here, plug in all the other stuff. Again, fight the urge to dig in the weeds at this point. We can debate details for days (they vary from organization to organization anyway), but this is a good structure for holistic information security.

The most important points for holistic information security are understanding:

  • This is about risk management. (NOTE: Risk mitigation, referenced in one of the cited definitions earlier, is a risk decision as part of risk management. Some risks are completely acceptable as-is, and don’t require mitigation.)
  • Administrative controls rule the others. Computers only do what we tell them to do. Tell them to do bad stuff, and they will. Tell them to be configured poorly, and they will.
  • Information security isn’t an IT issue, clearly.

So, who cares?

Why is the “whole” of information security important?

We can’t fully realize the benefits of information security without understanding and treating the “whole” of information security. We sell ourselves, and the organizations we serve, short. Two important things come to mind almost immediately; we don’t realize the benefits and we don’t live in reality.

Reality

Treating the “whole” of information security better protects us from being blindsided by something we didn’t account for. You’ve probably heard the saying, “your security is only as good as your weakest link“? It’s been said thousands of times by people a lot smarter than me; here’s just a few:

So, then. What is your weakest link?

Treating any one part of information security while neglecting others is poor information security. If you’re fooled into thinking that you’re sufficiently protecting yourself (or your organization) without taking a holistic approach, you’re living with a false sense of security. It’s not reality.

Benefits

Information security has been treated as a cost center since before I started my career in the early 1990s. Sad. Why can’t we use information security to be more efficient, drive more business, and ultimately make more money (assuming this is the purpose of the business)? We can, but it takes a intimate understanding of holistic information security and the organizations we serve.

The short of it; mission (or purpose) alignment is key. Think about it for now, and perhaps we’ll elaborate more when we get to “M”.

Treating the “whole” of information security makes us better consultants to the organizations and leaders we serve. The most common “tell” for an information security leader (CISO or vCISO) who doesn’t understand (or treat) the holistic view of information security is his/her inability or unwillingness to put risk into context. The best CISOs are 1) great leaders and 2) understand risk in context.

Honorable Mention for “H”

Several words could have been chosen for the letter “H”, including:

  • Hacker – a person who can think outside of the box, exploring ways to use things beyond their intended purpose. Some hackers are motivated by curiosity, others by notoriety or money. What motivates a hacker is often deeply personal. Just like most things in life, hacking can be used for good or evil, depending upon the motivation.
  • HAL – an acronym for hardware abstraction layer, but every time I think “HAL”, I think of HAL 9000. HAL 9000 is the fictional artificial intelligence system from 2001: A Space Odyssey. If you haven’t seen this movie, stop reading now. It’s a classic, and you need to watch it.
  • Hardening – making systems (infrastructure, computers, etc.) less penetrable (or less vulnerable), often through configuration. Classic hardening techniques are removing applications that aren’t necessary, removing services that aren’t necessary, strengthening authentication (with MFA or other), etc. Well-known resources for system hardening include CIS Benchmarks and the Security Technical Implementation Guides (or STIGs).
  • Hardware – the stuff you can touch. Assets come in two forms; tangible and intangible. Hardware assets are tangible and are often used to manage intangible assets such as software and data.
  • HITECH – acronym for Health Information Technology for Economic and Clinical Health Act. This regulation was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA). HITECH prescribes certain information security requirements and clarifies others (related to HIPAA) for healthcare and related entities.
  • HIPAA – acronym for the Health Insurance Portability and Accountability Act, enacted in 1996. Prescribes certain information security and privacy requirements for healthcare entities.
  • Heuristic – in simple terms, methods of deriving solutions to problems through learning and experience.
  • Home Area Network (HAN) – the network, and everything connected to it, in your (and my) home.
  • Honeypot – a purposely vulnerable computer system deployed to attract attackers. Honeypots are often deployed as a deception technique and/or to learn about the tactics attackers are using in the wild.
  • Human – You and me. I’ve often said that information security isn’t about information or security as much as it is about people (humans). Humans are the ones who suffer when things go wrong (if we didn’t, then nobody would care), and we are the most significant risk (not the computer).

That does it for “H”, now on to “I”.

Episode 107 Show Notes – Happy Thanksgiving

Hey there, it’s time for episode 107 of the UNSECURITY Podcast!

Just when you think you can’t get any busier…

You get busier.

Maybe if I learned to say “no” a little more often. My dilemma is 1) mostly brought on by myself and 2) is a blessing. It’s better to be busy than to have nothing to do, especially when you’re helping people. I’m grateful.

Short introduction today. Too much going on to elaborate much (for now).

On to the show notes…

This is Evan, I’ll lead the discussion today, and these are my notes…


SHOW NOTES – Episode 107

Date: Tuesday November 24th, 2020

Episode 107 Topics

  • Opening
  • Catching Up
    • What’s new?
    • “Information Security @ Home”
  • Happy Thanksgiving
    • What are your grateful for?
    • What’s different this year?
    • What’s the same?
    • Holiday shopping tips for EVERYONE
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there! Thank you for tuning in to this episode the UNSECURITY Podcast. This is episode 107, the date is November 24th 2020, and I’m your host, Evan Francen. Sadly, Brad won’t be joining me today. He’s out of commission fighting a bout of labyrinthitis. The prognosis is good, so we expect him to be back soon!

So, this means you’re all stuck with me. I’ll do my best to provide some value for your ears and brain.

Quick Catchup

[Evan] The catchup time is a little different without Brad, so I’ll just give you a quick recap of what I’ve been up to.

Topics:

  • 4th quarter is notoriously busy, like VERY busy, for us. Everyone is running at 100% capacity right now, which is good, but also stressful.
  • Security Sh*t Show – this is live on YouTube every week; Thursday nights at 10pm CST.
    • Last week Chris Roberts and I did the Paqui One Chip Challenge online with a couple fans.
    • We also unveiled a new sticker (see below). If you’d like one, just subscribe to the Sh*t Show YouTube channel and let us know.

  • Information security hobbies – I’ve been working on a Raspberry Pi home network security device, including Kismet, pfsense, and Pi-hole. More to come on this next week.
  • Maybe another thing or two.

Transition

Happy Thanksgiving!

[Evan] Originally, Brad and I were going to continue our discussion about information security at home, then I realized that this is Thanksgiving week! Instead of talking about our original topic, I’m going to talk about protecting yourself (and your family) from holiday shopping scams. For many Americans, Friday marks the beginning of the holiday shopping season, and it’s important for all of us to be careful! Lots of things have changed this year, it is 2020, but some things haven’t. The scammers are still scamming, and a most of the scams are the same this year as they’ve been in years past.

Some interesting stats/information:

  • 61% of Americans have already started holiday shopping (before Thanksgiving)
  • 22% of Americans start their holiday shopping on (or after) Thanksgiving
  • 15% of Americans start their holiday shopping in December
  • 2% of Americans start their holiday shopping in January (hopefully for next year)
  • Last year:
    • $730 billion was spent on holiday shopping
    • $135.5 billion was spent holiday shopping online
    • $71.3 billion was spent holiday shopping using a mobile device
  • Online holiday shopping (in terms of dollars spent) is expected to increase by 35.8%

More online shopping coupled with the fact that most of us are more distracted (than ever), means attackers could have a heyday.

Opportunity + Distraction = Success (for scammers)

Tips to protect yourself and your loved ones (we will make this into a checklist soon):

Most important – situational awareness. It’s the umbrella for all other protection activities/behaviors.

  1. Ship to a secure location – avoid shipping to places where merchandise could sit unattended and insecure for long periods.
  2. If you decide to use a mobile app for shopping, use official retailer apps only.
  3. Don’t save payment card (debit or credit) information in any shopping accounts
  4. Using Apple Pay or Google Pay for payments wherever it’s available.
  5. If you’re unfamiliar with a retailer, do your research before buying. Make sure the site and retailer are legitimate.
  6. Don’t rush to purchase at the lowest price. Slow down and think about security risks first.
  7. Never make purchases on public Wi-Fi – Never.
  8. Use a VPN when shopping (or doing anything sensitive) online.
  9. Always use strong passwords and a password manager.
  10. Check security and/or privacy policies, especially for retailers you’re unfamiliar with.
  11. A legitimate retailers will NEVER ask for your Social Security number, so don’t give it out.
  12. Make purchases with credit cards over debit cards.
  13. Make purchases with prepaid debit cards over credit cards or regular debit cards.
  14. Review all your accounts and bank statements regularly. You should be doing this all year.

Please be careful this holiday season. DO NOT let scammers steal ANY of your joy or hope!

Transition

[Evan] Alright. That’s that. On to some news…

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] That’s it for episode 107. Gonna give my shout outs…

[Evan] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

G is for Governance

Governance

How does the word “governance” make you feel? In full transparency, the word makes me edgy and disturbed.

I really don’t like the word “governance”.

Maybe you’re a like me, and “governance” gives you a case of the heebie-jeebies. What about this word makes us feel this way?

Two things (for me anyway); I don’t like being told what to do, and bad governance seems more prevalent than good governance. Maybe I’d cringe less if good governance were more common in our industry.

Let’s do three things here; 1) define what governance is, 2) describe bad governance, and 3) show what good governance looks like. If you think information security governance is a waste of your time, you’re wrong!

Governance is critical to every information security program without exception.

If this is true, we’ll need to do some explaining.

What is Governance?

Literally. Merriam-Webster defines “governance” as:

the act or process of governing or overseeing the control and direction of something (such as a country or an organization) 

Further definition, this time using the word “govern”:

  • to exercise continuous sovereign authority over – Sovereign means supreme authority. Authority without accountability can easily lead to despotism, and that’s bad! So, governance without accountability is also bad, really bad.
  • to control the speed of (a machine) especially by automatic means – Could apply figuratively, but this is more like a governor on a motor.
  • to control, direct, or strongly influence the actions and conduct of – This one works I think.
  • to exert a determining or guiding influence in or over – Yeah, even better. I especially like the use of the word “influence” versus manipulation. Different things.
  • to serve as a precedent or deciding principle for – Another definition that fits.

OK, now to apply this knowledge of “governance” to information security.

Bad Governance

Bad information security governance can be more damaging to an organization than no governance at all. Here are some reasons for bad governance:

  • Poor Alignment – Bad governance starts with poor (or no) alignment with the organization’s mission. The mission of the organization defines its purpose and its reason for existence. ALL things done in the business should be aligned with the mission, including information security.
    • If the organization has no mission, it is purposeless and directionless. Best of luck trying to establish information security governance in this organization! You’ll need it.
    • If the organization has a mission, but information security governance is miss-aligned, we’ll run into all sorts of issues. Issues can include lack of business “buy-in”, angry/disgruntled personnel, culture problems, constantly changing direction (without progress), miss-appropriated funds, etc.
    • If you don’t know whether your organization has a mission, go find out! It’s like really important.
  • No Roles and Responsibilities – Start with a simple question, “Who’s ultimately responsible for information security here?” Too many organizations have no answer or a crappy answer to this fundamental question. From there, begin to define all the things that need to be done (responsibilities). Assign responsibilities to people (roles), and you’re on your way to better governance. People don’t inherently know what their role is or what their responsibilities are. Define and enable.
  • No Accountability – Holding people accountable just makes sense. Roles, responsibilities, and rules without accountability are all empty; they’re useless.
  • Poor leadership – Not just business leadership, but information security leadership. We have a lot of CISOs, directors, and managers in this industry, but not enough leaders. Leaders define direction and become people that other people want to follow. Can you think of an information security leader you didn’t want to follow? Don’t be that person.

Governance just for the sake of governance is dangerous. Bad governance is the sort of governance that makes me/us cringe. Ick!

Good Governance

Good governance is attainable, and it’s beautiful.

We already mentioned the key, it’s alignment.

This is where there’s harmony between the business and information security. The purpose of the information security program fits nicely within the organization’s mission, and even drives the mission forward. Management sees the value with information security. They understand how information security is vital to the organization’s mission and not just a cost center. Management champions the cause because they get it.

Information security doesn’t get in the way, it’s part of the way.

Roles and responsibilities are clearly defined, well communicated, and everyone is enabled to do their part. Information security is part of the culture. Accountability isn’t punitive, but empowering. There are incentives for doing good things instead of punishments for making mistakes.

This sort of governance is led by information security leadership who has a vision for information security. The vision clearly benefits the organization as a whole, not just the security team or IT. The vision is clear and people can see how it benefits them personally. They don’t just tolerate information security, they want to be part of it.

Information Security – The Game

Good governance can work like a good board game.

  • Alignment – We play a board game for a reason. We want to have fun, we want to win, we want to socialize, or whatever. It’s an enjoyable experience, and we’re all sitting down at the table together for a reason.
  • Roles and Responsibilities:
    • Management – In a board game, someone defined the rules for playing the game. We need to define the rules for our information security game. Don’t lose track of the purpose (See: Alignment).
    • Information Security Leadership – They helped design the game with business management, so they should be experts on how the game is played. This is also the person who sits down, reads/understands the rules for the game, then helps the players play the game correctly.

Quick Question: In a board game, how many people read the instructions?

Answer: One. One person reads the rules, disseminates the rules to the other players, and instructs people how to play.

Seems logical.

Another Quick Question: Why do we ask everyone to “read and acknowledge” information security policies (in a poorly governed security program)?

Answer: You shouldn’t. It’s bad governance and a bad precedent. Nobody will read your policies!

    • Employees – The players. They’re expected to play the game according to the rules. They understand the importance of the rules, and understand the reason for the game. They may want to win (positive reinforcement), enjoy the experience, or whatever else motivates them.
  • Accountability – As the game is played, it’s played according to the rules. One player isn’t permitted to define his/her own rules or cheat. Accountability is built into the game.

Conclusion

Good governance is critical to the success of all information security programs. The definition of “good” depends upon your organization’s mission, but in all cases it’s supported by alignment, roles and responsibilities, accountability, and leadership.

Basically, three options:

  1. No Governance = Anarchy
  2. Bad Governance = Chaos, waste, loss, false sense of security, mutiny, etc.
  3. Good Governance = Harmony, effectiveness, simplicity, relaxation, calm, value, etc.

You make the choice (assuming you’re empowered to), but I’ll choose option #3 please.

Honorable Mention for “G”

Again, many great suggestions from friends. Here are the honorable mentions for the letter G:

  • Gamification
  • GLB Act or GLBA
  • Governance, Risk And Compliance (GRC) – NOTE: actually three different (but related) things rolled into one; good for selling more stuff.
  • Gray Box Testing
  • Group Policy Object (GPO)

OK, now to figure out what “H” will be…

Episode 106 Show Notes – Infosec @ Home

Hey there, it’s time for episode 106 of the UNSECURITY Podcast!

Short introduction today. Too much going on to get too wordy for now.

We’ll just jump right in to the show notes, if you don’t mind. This is Evan, I’m leading the discussion today, and these are my notes…


SHOW NOTES – Episode 106

Date: Tuesday November 17th, 2020

Episode 106 Topics

  • Opening
  • Catching Up
  •  Information Security @ Home
    • So, what’s the big deal?
    • Taking inventory (what do you got?)
    • What do we (Brad and I) do?
    • S2Me – Today and a sneak peek in v3
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there! Thank you for tuning in to this episode the UNSECURITY Podcast. This is episode 106, the date is November 17th 2020, and I’m your host, Evan Francen. Joining me as usual is my good friend and co-worker, Brad Nigh. Good morning Mr. Nigh.

[Brad] Cue Brad.

[Evan] Man, I haven’t talked to you since last week on the podcast. What’s up, what’s new?

[Brad] Cue Brad.

Quick Catchup

It’s 4th quarter, so I’m guessing we’re both running pretty low on fuel. Personally, I have a cruddy attitude this morning, so this’ll be fun.

Topics:

  • Brad’s stuff. What’s he been up to, what’s he working on, and what’s a day in the life of Brad look like?
  • Great talk with Oscar Minks (last week’s guest) yesterday morning; U.S. incident response capabilities, cyberinsurance brokenness, etc.
  • Security Sh*t Show – what’s new here.
  • The book (UNSECURITY) is now in the Cybersecurity Cannon!
  • Maybe another thing or two.

Transition

Information Security @ Home

[Evan] So, this weekend, I figured I go grab another Raspberry Pi to play with. I want to build a plug and play home information security device. First thing, figure out how to compile a good inventory of everything on my home network.

This is where the story begins…

Topics:

  • So, what’s the big deal?
  • Taking inventory (what do you got?)
  • What do we (Brad and I) do?
  • Tools, devices, etc. that could help
  • S2Me – Today and a sneak peek in v3

Begin Discussion

[Evan] Great discussion. Here are some news stories.

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] That’s it for episode 106. Thank you Brad! Who you got a shoutout for today?

[Brad] We’ll see…

[Evan] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Service and Sacrifice – Happy Birthday USMC

Today marks the 245th birthday of the United States Marine Corps (USMC).

HAPPY BIRTHDAY MARINES!

  • To the greatest fighting force on the planet.
  • To the faithful men and women who serve our country with bravery only they can fathom.
  • To the “Jarheads”, “Devil Dogs”, “Teufel Hunden”,  and “Leathernecks” who give all so others can have.

Quick History

The storied history of the USMC began on November 10th 1775, when Captain Samuel Nicholas gathered two battalions of Continental Marines in accordance with the Continental Marine Act of 1775. Less than six months after being formed, these brave men set out on their first amphibious assault, the successful Raid of Nassau (March 1–10, 1776).

Our beloved USMC has fought in (at least) twenty-eight armed conflicts including:

  • Revolutionary War
  • Quasi-War with France
  • Barbary Wars
  • War of 1812
  • Creek-Seminole Indian War
  • Mexican War
  • Civil War-Union
  • Spanish-American War
  • Samoa (1899)
  • Boxer Rebellion
  • Nicaragua (1912)
  • Mexico (1914)
  • Dominican Republic (1916-1920)
  • Haiti (1915-1934)
  • Nicaragua (1926-1933)
  • World War I
  • World War II
  • Korean War
  • Dominican Republic (1965)
  • Vietnam War
  • Lebanon (1982-1984)
  • Grenada (1983)
  • Persian Gulf (1988) (Oil Platforms)
  • Panama (1989)
  • Persian Gulf War (1990-1991)
  • Somalia (1992-1994)
  • Afghanistan (2001-2015)
  • Iraq (2003-2016)

From 1775 to 2015, more than 41,000 Marines have made the ultimate sacrifice for us on the battlefield. Additionally, more than 200,000 have been wounded (Source: Marine Corps University). The fact that these numbers are as low as they are is a testament to Marine dedication, training, effectiveness and lethality. Regardless of the numbers, let’s not forget that each one of these soldiers was a father, mother, son, daughter, aunt, uncle, brother, sister, and/or friend. It’s our duty as citizens of this great country to ensure their sacrifices were not made in vain; that their sacrifices might live on through our own acts of service to others.

My Marine Corps Story (brief)

I was born in the Naval Hospital Philadelphia to two Marine Corps parents. My father served in active duty from 1957/8 until retirement in 1978, and my mother also served. Although her active Marine Corps duty was not as long as my father’s, her duties (raising me and keeping my father in line) was a helluva lot more challenging. I’m an only child who grew up on base (Camp Pendleton and Quantico).

Although I didn’t serve directly in the Marine Corps myself, the Marine Corps culture is a huge part of who I am. The Marines, my mother and my father taught me so many good things about the right way to live. Things like respect, discipline, work ethic, drive, mission, etc. I am forever grateful!

Happy Birthday

So, Happy Birthday Marines!

There are no words to describe how grateful I am. Regardless of how many people express gratitude for your service consciously, the gratitude is in their subconscious every time they exercise a constitutional right, walk down a street, eat a warm meal, embrace a family member, or do anything made possible by your service. Thank you for standing guard day and night for me, my family, and all Americans. I don’t take you or your sacrifices for granted, and I pray I never will.

The USMC always serves faithfully, rightfully earning their motto, Semper fidelis. Saying you’re faithful is one thing, demonstrating it through blood, sweat, and tears for 245 years is something entirely different.

UNSECURITY Podcast – Ep 105 Show Notes – Honest IR

Alright, the U.S. election season is over. Now we can all focus again, right?

Maybe, maybe not.

Before we get too far, I want to call your attention to an article I wrote last week titled “Good People Didn’t Vote For Your Guy“. Healing and unity are long overdue in our country. I’m hoping we will find our way back to being countrymen/women working together for our common good. I’m also hoping that our elected officials don’t steal this opportunity for thier own selfish gain.

OK, now back to work…

Last week on the UNSECURITY Podcast, episode 104, we talked with a good friend Richie Breathe about the security industry’s perceived stigma against healthy stuff. It was a great episode and a real pleasure spending time with such a cool guy. If you missed the episode, go give it a listen.

Also last week, Ryan Cloutier, Chris Roberts, and myself had a GREAT time chatting on the Security Shit Show. Our topic was “Seven Ways Security Can Improve Your Sex Life“. Chris found a “Fitbit for your man bits” online, and the conversation went on from there. Lots of fun!

Plenty of businessy stuff went on last week as well, including a half dozen (or so) partnership discussions with some great organizations. Things continue to hum along, so watch for announcements from FRSecure and SecurityStudio in the coming weeks.

On to the show!

Episode 105 Topic and Special Guest

FRSecure’s Director of Technical Solutions and Services, Oscar Minks is joining us on the show again this week. For those who don’t know Oscar, he’s the awesome leader of FRSecure’s Team Ambush and an all around incredible guy. We’ll ask him to tell us who Team Ambush is on the show, but these are essentially the people who do all (or at least most) things technical at FRSecure, including penetration testing, red/blue/purple teaming, incident response, CTF competitions, exploit development and training, etc. Seriously an INCREDIBLE team!

We’ve got Oscar on this week to talk primarily about what TO DO, and what NOT TO DO during an incident response. In the last few months, we’ve seen a significant increase in the number of reported incidents, and we’ve seen too many people make mistakes. Don’t get us wrong, there are people who do things right, but sadly this is too rare.

Should a great talk!

Let’s get on to the notes…

Brad’s leading the discussion today, and these are his notes.


SHOW NOTES – Episode 105

Date: Tuesday November 10th, 2020

Episode 105 Topics

  • Opening
  • Catching Up
    • What’s new?
    • How 4th quarter got you going? 😉
  •  Special Guest Oscar Minks – What TO DO, and what NOT TO DO during an incident response
    • First, tell us about “Team Ambush”
    • Recent Incidents/Stories
    • Top things to do
    • Top things NOT to do (examples)
    • What’s next for Team Ambush?
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 105 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is November 10th, and joining me this morning as usual is Evan Francen.

[Evan] Talks about mindfulness after the last three shows…

[Brad] We have Oscar Minks with us today. Good morning Oscar.

[Oscar] Says a few things in his sweet southern drawl…

[Brad] As is tradition, let’s catch up with what happened over the last week.

[Evan] The weather was really nice this weekend, so I think Evan got in a good ride (or two).

Quick Catchup

Brad, Evan, and Oscar do a little friendly catching up…

NOTE: We know this isn’t specifically security-related, but security folks gotta have a life too, right?

Transition

Special Guest Oscar Minks – What TO DO, and what NOT TO DO during an incident response

[Brad] Okay so it’s no surprise that IR work is keeping us busy, the report from DHS and Secret Service around healthcare is proof of that. I thought it would be a good discussion today to talk about what are some do’s and don’ts when working with an IR firm, which is why Oscar is joining us this morning.

Open discussion points:

  • Tell us about “Team Ambush”
  • Recent Incidents/Stories
  • Top things to do
  • Top things NOT to do (examples)
  • What’s next for Team Ambush?

Begin Discussion

[Brad] Great discussion. Here are some news stories.

News

[Brad] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Brad] That’s it for episode 105. Thank you Evan and Oscar, do you have any shout outs this week?

[Evan] We’ll see…

[Oscar] We’ll see…

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

F is for Fundamentals

Despite how much I’d like to use “F” for something else:

  • What the ____ are you doing?!
  • ____ you!
  • Who the ____ told you to do that?!
  • Why the ____ do I bother?

I’ll fight the urge and use “F” in a more decent manner, even if it is a little less honest.

So why does “F” stand for Fundamentals? For starters, fundamentals are critical. Without understanding and implementing fundamentals, the information security program you’ve poured your heart, soul, and money into will fail. Fundamentals form the foundation, and a house with a crappy foundation looks like this…

You might think your information security program looks better than this house, but if you lack fundamentals, you’re wrong. Sadly, we’ve seen too many information security programs look exactly like this house; falling apart, unsafe, and in need of serious rebuilding (or starting over). So, why do so many information security programs look like this house?

The quick answer:

  1. People don’t understand the fundamentals of information security. (AND/OR)
  2. People don’t practice the fundamentals of information security.

Let’s start with #1

People Don’t Understand Information Security Fundamentals

Seems we’ve preached “fundamentals” so many times, I’m beginning to wonder if we’re using the word right. Let’s look at the definition, then use logic (our friend) to take us down the path of understanding.

Here’s the definition of “fundamental” from from Merriam-Webster (along with my notes):

  1. serving as a basis supporting existence or determining essential structure or function – the “basis” or foundation of information security.
  2. of or relating to essential structure, function, or facts – the words “essential structure” reinforces the idea of foundation. We can’t build anything practical without a good foundation; therefore, we need to figure out what makes a good information security foundation (based upon its function).
  3. of central importance – what is the “central importance” of information security? We get this answer from understanding the purpose of information security.

OK, now let’s take “fundamental” and apply it to “information security”. My definition of information security is:

Managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

Does the definition of information security meet the objectives set by the definition of “fundamental”? Think about it. Re-read if necessary.

Settled?

If the answer is “no”, then define information security for yourself. Write it down. (let’s hope ours are close to the same)

The definition of “information security” is the most fundamental aspect of information security. If we don’t have a solid fundamental understanding of information security, good luck with the rest.

OK, so what’s next?

Notice the words “managing risk” in the definition? Information security isn’t “eliminating risk” because that’s not possible. Managing risk; however, is quite possible. Seems our next fundamental is to define how to manage risk. Logic is still our friend, so let’s use it again:

  • You cannot manage risk unless you define risk. = risk definition
  • You cannot manage risk unless you understand it. = risk assessment
  • You cannot manage risk unless you measure it. = risk measurement (management 101 – “you can’t manage what you can’t measure“)
  • You cannot manage risk unless you know what to do with it. = risk decision-making
Risk Definition

If managing risk is fundamental to information security, it’s a good idea for us to define risk. The dictionary definitions of risk are not entirely helpful or practical. For instance:

  1. possibility of loss or injury – this only accounts for likelihood and says nothing of impact.
  2. someone or something that creates or suggests a hazard – this is more “threat” than risk.

In simple terms, risk is:

the likelihood of something bad happening and the impact if it did

OK, but how do we then determine likelihoods and impacts?

These are functions of threats and vulnerabilities. More logic, this time theoretical:

  • If you have no weakness (in a control), it doesn’t matter what the threat is. You have zero risk.
  • If you have infinite weakness (meaning no control), but have no threats, you also have zero risk.
  • If you have infinite weakness (meaning no control), and have many applicable threats, you (potentially) have infinite risk.
  • Zero risk and infinite risk are not practically feasible; therefore, risk is between zero and infinity.

Makes sense. The important things to remember about risk are likelihood, impact, threat, and vulnerability. Also, it helps to remember that risk is always relative.

Risk Assessment

The next fundamental in “managing risk” is to assess risk. To some folks, assessing information security risk seems like a daunting and/or useless exercise. There are several reasons for this. One reason might be because it is new to you. Risk assessments aren’t new (we do risk assessments all the time), but doing them in the context of information security is new.

Examples of everyday risk assessments:

  • You’re driving down the road and the traffic light turns yellow. The risk assessment is quick and mostly effective. What’s the likelihood of an accident or a police officer watching? What would the repercussions be (or impact)? You quickly look around, checking each direction. You assess your speed and distance. If you assess the risk to be acceptable, you go for it. If you assess the risk to be unacceptable, you hit the brakes.

NOTE: Risk decision-making for information security comes later in this post.

  • You just used the restroom. Do you wash your hands or not? You assess the risk of not washing your hands. Will I get sick, or worse, get someone else sick if I don’t wash? What are the chances? What could be the outcome if you don’t wash your hands? If you deem the risk to be acceptable without washing, you might just walk out the door. If you deem the risk to be unacceptable (hopefully), you’ll take a minute or two and wash your hands.

We all do risk assessments, and we do them throughout the day. We’re used to these risk assessments, and we don’t think much about them. Most of us aren’t used to information security risk assessments. There are so many controls and threats (known and unknown). It’s easy to become overwhelmed, confused, and paralyzed; leading to inaction.

Some truth about information security (risk) assessments:

  • There is no such thing as a perfect one.
  • Your one is probably going to be your worst and most painful one.
  • You cannot manage information security without one.
  • They’re fundamental.

Just do an information security risk assessment. Worry about comparisons, good ones versus a bad ones, later (you’re probably not ready to judge anyway).

Risk Measurement

People argue about measurements. Don’t. Fight the urge.

You can use an existing risk measurement; FAIR, S2Score, etc. or create one yourself. If you’re going to create your own risk measurement, here are some simple tips:

  1. Make the measurement as objective as possible. Instead of open-ended inputs or subjective inputs, use binary ones. Binary inputs are things like true/false, yes/no, etc.
  2. Use the measurement consistently. An inch is an inch, no matter where you apply it. A meter is a meter, no matter where you use it. For example, if a “true” answer to some criteria results in a vulnerability score of 5 today. It should be a 5 tomorrow too. Applying threats may change things, but the algorithm is still the same.
  3. The criteria being measured are relevant. For instance, take the crime rate in a neighborhood. Is it relevant to information security risk? The answer is yes. Our definition of information security is “administrative, physical, and technical” risk. Crime rates are relevant to physical security threats.

If you are new(er) to information security risk management, you may want to use a metric that’s already been defined by someone else. Again, caution against trying to find the perfect measurement. It’s like arguing whether an inch is a better measurement than a centimeter. Don’t get me started…

Risk Decision-Making

Alright, so you did your information security risk assessment.

Done?

Nope, just getting going now. Before doing your risk assessment, you were risk ignorant. Now, you’re risk learned. Yay you!

What to do with all this risk?

Let’s say your organization scored a 409 on a scale of 300 (worst) – 850 (best), and you discovered several areas where the organization scored close to 300. There’s LOTS of room for improvement. Now you need to make decisions about what you’re going to do. To keep things simple, you only have four options:

  1. Accept the risk as-is. The risk is acceptable to the organization and no additional work is required.
  2. Transfer the risk. The risk is not acceptable, but it’s also not a risk your organization is going to mitigate or avoid. You can transfer the risk, often to a third-party through insurance or other means.
  3. Mitigate the risk. The risk is not acceptable, and your organization has decided to do something about it. Risks are mitigated by reducing vulnerability (or weakness) or by reducing threats.
  4. Avoid the risk. The risk is not acceptable, and your organization has decided to stop doing whatever activity led to the risk.

That’s it. No other choices. Risk ignorance was not a valid option.

There you go! Now you have a start to the fundamentals of information security! The foundation.

Did you notice that I didn’t mention anything about security standards, models, frameworks, identification, authentication, etc.?

These are all fundamentals too, but first things first.

People don’t practice the fundamentals of information security.

We live in an easy button, instant gratification, shortcut world today. Information security is simple, but it’s definitely NOT easy. Good information security takes work, a lot of dirty (NOT sexy) work. What happens when you cut corners in laying a foundation? Bad things.

  • Hacking things. That’s a lot sexier than doing a risk assessment.
  • Blinky lights. These are a lot sexier than making formal risk decisions.
  • Cool buzzwords. So much sexier than the basics. The basics are boring!

Hacking, blinky lights and buzzwords all have their place, but not at the expense of fundamentals.

You have no excuse for not doing the fundamentals. Zero. The truth is, if you know the fundamentals and fail to do them, you’re negligent (or should be found as such). Reminds me, there are a few more fundamentals you should know about before we finish:

  • Roles & Responsibilities – Ultimately, the head of the organization (work and/or home) is the one responsible for information security; all of it. He/she may delegate certain things, but the buck always stops at the top of the food chain. Whatever’s delegated must be crystal clear, and documentation helps. We should always know who does what. (See: E is for Everyone).
  • Asset Management – You can’t secure what you don’t know you have. Assets are things of value; tangible (hardware) and intangible (software, data, people, etc.). Tangible asset management is the place to start, because it’s easier to understand. Once you’ve nailed down your tangible assets, go tackle your intangible ones.
  • Control (access, change, configuration, etc.) – You can’t secure what you can’t control. Administrative controls (the things we use to govern and influence people), physical controls, and technical controls.
    • Start with administrative controls; policies, standards, guidelines, and procedures. These are the rules for the game, and this is where standards like ISO 27002, COBIT, NIST SP 800-53, CIS Controls, etc. can help.
    • Access control; identity management and access management. Authentication plays here.
    • Configuration control; vulnerabilities love to live here (not just missing patches).
    • Change control; one crappy change can lead to complete vulnerability and compromise.

Last fundamental is cycle. Cycle through risk assessment, risk decision-making, and action. The frequency of the cycle depends on you.

Summary

I’d rather over-simplify information security than over-complicate it. Simplification is always a friend, along with logic. Quick summary of the fundamentals of information security:

  • Fundamental #1 – Learn and work within the context of what information security is (risk management).
  • Fundamental #2 – Roles and responsibilities.
  • Fundamental #3 – Asset management.
  • Fundamental #4 – Administrative control.
  • Fundamental #5 – Other controls (several).

Honorable Mention for “F”

As was true in previous ABCs, I got some great suggestions. Here’s some honorable mentions for “F”:

  • Facial Recognition
  • Failover
  • Failure
  • Faraday Cage
  • Fat Finger
  • Fear Uncertainty & Doubt (FUD)
  • Federal Information Processing Standards (FIPS)
  • Federal Information Security Management Act (FISMA)
  • Federal Risk and Authorization Program (FedRAMP)
  • Federated Identity Management (FIM)
  • Feistel Network
  • FERPA
  • Fibonacci Sequence
  • File Integrity Monitoring (FIM)
  • File
  • Fingerprint
  • Firewall
  • Foobar/Fubar
  • Fortran
  • Fraud over Internet Protocol
  • Fuzz Testing

Hope this helps you in your journey! Now on to “G”.

 

Good People Didn’t Vote For Your Candidate

The truth:

There were hundreds of thousands, maybe millions, of worthy people who didn’t vote for “your candidate”.

Demonize as you will, but here’s a reminder of some things.

People who voted for the other candidate are NOT bad people. Sure, there are bad apples in any large group, but the vast majority of Americans are not bad people.

These people are NOT:

  • “ill”
  • “sick”
  • “dumb”
  • “stupid”
  • “racist”
  • “bigoted”
  • “idiots”
  • “Socialists”
  • “Fascists”
  • or any other demonizing word you want to throw at them.

These people ARE:

  • human beings with basic needs
  • human beings with basic desires
  • human beings with dreams
  • human beings who want to be loved
  • human beings who want to feel grace
  • human beings who have families
  • human beings who have different perspectives (a good thing)
  • human beings who have different beliefs (also a good thing)
  • human beings who have different backgrounds (also a good thing)
  • human beings with many additional things that are beautiful about them.

A failure to recognize these things about other people, especially those who don’t see eye to eye with you, makes you the same thing you rail against (intolerant, bigoted, etc.).

It doesn’t matter who “your candidate” is or who “my candidate” is. We both (Democrats and Republicans) have players on our team who demonize players on the other team. The lie is that there are two teams to begin with.

There is only ONE team. We are ALL Americans. We are NOT just votes. We are ALL people.

The other teams play for China, Russia, Iran, etc. You’d be remiss if you thought otherwise.

The sooner we learn to embrace the good things about us and shed the bad things, the better off our team will be. A team full of players who constantly fight each other doesn’t win (or accomplishing anything meaningful).

So, what are the good things? Go back to the list (above). The greatest of the “good things” is love. Choose and show love. It’s the best thing we’ve got.

UNSECURITY Podcast – Ep 104 Show Notes – Stigma Against Healthy

Last week was nuts. Is “nuts” the norm? God, I hope not.

The week started off with what seemed like a run of the mill ransomware attack against a healthcare client. The investigation led us to threat hunting with another client. During the threat hunting exercise, Brian Krebs called. He claimed to have information about 427 healthcare organizations who could be attacked by Wednesday (10/28). This led us down all sorts of paths with a few renowned researchers, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Secret Service (don’t ask), and others.

Eventually, CISA issued a joint cybersecurity advisory with the FBI and Department of Health and Human Services (HHS). See: Ransomware Activity Targeting the Healthcare and Public Health Sector.

On Friday, FRSecure issued their own statement and hosted a very well-attended webinar. See: Situation Update: RYUK Ransomware in Healthcare.

One thing we learned is that incident response in the United States, in terms of our readiness across the public/private sector is in bad shape. It shouldn’t take 3+ days to legitimize a threat and coordinate a response. Thank God we didn’t witness a coordinated attack against 427 hospitals at once. Had this been a real attack against 427 hospitals, we would have been in a world of hurt!

Other things that happened last week include:

  • Episode 103 of the UNSECURITY Podcast, Part Two with Neal O’Farrell of the PsyberResilience Project was awesome! If you missed it, you should go check it out.
  • FRSecure is rocking it! We’re running on all cylinders and making a positive difference in our industry. I’m very proud and humbled at the same time.
  • SecurityStudio finished another incredible month! People are buying into the concept of focusing on the fundamentals and simplification. In case you didn’t know, complexity is the worst enemy of information security.
  • The Security Shit Show was awesome on Thursday night! Personally, I needed the time to talk shit with my peers, Ryan Cloutier and Chris Roberts. It’s like therapy. The title for our discussion was “Kiss and Make Up?” and we talked about what life might look like after the election.

There was probably other important stuff sprinkled in last week too, but the brain can only handle so much!

On to the show!

Episode 104 Topic and Special Guest

A few important things about this episode:

  • This is episode 104, the two-year anniversary of the UNSECURITY Podcast! Holy crap, where did the time go?! It’s been an incredible ride so far, and we’ve met 100s of amazing people along the way.
  • Our topic (or, I guess title) is “The security industry’s stigma against healthy stuff“. Is there a stigma against healthy stuff in our industry? Maybe. We’ll look into it in this episode.
  • We have another special guest, and he’s a good one! We call him Richie Breathe, and he’s a great guy with interesting perspectives on wellness. He’s the perfect guest to wrap up what turned into another semi-series about us and our health.
  • Next week, we’re going to dive back in to incident response. We’ve seen some very interesting (and alarming) trends, and it’ll be good to share with you.

Let’s get on to the notes…

Oh yeah, one more thing before we forget.

GO VOTE!


SHOW NOTES – Episode 104

Date: Tuesday November 3rd, 2020

Episode 104 Topics

  • Opening
  • Happy Anniversary (to us)
    • What’s been your favorite thing about the UNSECURITY Podcast?
    • What’s been your favorite moment or episode?
  •  Special Guest Richie Breathe and the security industry’s stigma against healthy stuff
    • Who’s Richie Breathe?
    • Is there a stigma? If so, how bad do we think it is?
    • Ideas for improving wellness in our industry.
    • Where to go next.
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi again everyone. Welcome to another episode of the UNSECURITY Podcast! This is episode 104, the date is November 3rd, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, is a good friend Richie Breathe. Good morning Richie.

[Richie] Cue Richie.

[Evan] First things first. Today is election day. Did you guys vote?

[Brad & Richie] Well, did they?

Happy Anniversary (to us)

[Evan] This is our 104th episode in a row, meaning 104 weeks in a row, meaning two years! I can hardly believe it. Seems like yesterday we did our first episode together Brad. Happy anniversary!

[Brad] Cue Brad

[Evan] I gotta tell you man. I’ve loved every minute of this with you. Sincere gratitude for being my pal in this journey.

[Brad] Cue Brad

[Evan] Now, Richie. You’ve been listening for a while, and we actually met through the podcast, didn’t we?

[Richie] Cue Richie

[Evan] I’ve met 100s of amazing people over the past two years from this show. So many incredible memories. Brad, what’s your favorite thing about the UNSECURITY Podcast?

[Brad] Cue Brad

[Evan] How about you Richie?

[Richie] Cue Richie

[Evan] My favorite thing.

I couldn’t have imagined so much and I’m VERY grateful. How about a favorite moment or episode? Brad?

[Brad] Cue Brad

[Evan] Richie?

[Richie] Cue Richie

[Evan] My favorite moment/episode.

Like I said, it’s been an amazing ride. Here’s to many more episodes and lots more memories!

Transition

Special Guest –  Richie Breathe and the security industry’s stigma against healthy stuff

[Evan] Richie, thanks for being here man. I know we talked about this a while back, and the time has finally come. You first learned about me and Brad through the UNSECURITY Podcast, then started coming to the Daily inSANITY Checkin, right?

[Richie] Cue Richie.

[Evan] The Daily inSANITY Checkin is another HUGE blessing for me. I’ve met some incredible people there and I love sharing life with them. Shout out to you guys!

For people who want to know more, the Daily inSANITY Checkin is just what it says. It’s a daily informal meeting with people who care about each other. It’s a safe place to come, share thoughts, share ideas, or share whatever else comes to mind. The only real rules are to show respect and be yourself. Simple.

We started the Daily inSANITY Checkin immediately after the COVID-19 lockdowns started in March and we’ve been going strong ever since. It’s been incredible. So, Richie. You’re there almost every day, and I’m grateful to have gotten to know you. I know you, but tell the listeners a little about yourself.

[Richie] Cue Richie.

Begin Discussion

The security industry’s stigma against healthy stuff

  • Who’s Richie Breathe?
  • Is there a stigma? If so, how bad do we think it is?
  • Ideas for improving wellness in our industry.
  • Where to go next.

[Evan] Awesome! Great discussion. Thanks again Richie!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Richie, please feel free to comment anytime too!

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] Great! Episode 104 is just about complete. Thanks guys! Next week we’re going to tackle some incident response stuff. Things like what’s going on, what people are doing wrong, and how to do things better. Episode 105 will be great, and maybe we’ll invite a guest to boot!

Richie, loved having you join us this week. Thank you!

Any shout outs for either of you?

[Brad and/or Richie] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Richie, how can listeners find you?

[Richie] Cue Richie.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!