Episode 106 Show Notes – Infosec @ Home

Hey there, it’s time for episode 106 of the UNSECURITY Podcast!

Short introduction today. Too much going on to get too wordy for now.

We’ll just jump right into the show notes, if you don’t mind. This is Evan, I’m leading the discussion today, and these are my notes…


SHOW NOTES – Episode 106

Date: Tuesday November 17th, 2020

Episode 106 Topics

  • Opening
  • Catching Up
  • Information Security @ Home
    • So, what’s the big deal?
    • Taking inventory (what do you got?)
    • What do we (Brad and I) do?
    • S2Me – Today and a sneak peek in v3
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there! Thank you for tuning in to this episode of the UNSECURITY Podcast. This is episode 106, the date is November 17th 2020, and I’m your host, Evan Francen. Joining me as usual is my good friend and co-worker, Brad Nigh. Good morning Mr. Nigh.

[Brad] Cue Brad.

[Evan] Man, I haven’t talked to you since last week on the podcast. What’s up, what’s new?

[Brad] Cue Brad.

Quick Catchup

It’s 4th quarter, so I’m guessing we’re both running pretty low on fuel. Personally, I have a cruddy attitude this morning, so this’ll be fun.

Topics:

  • Brad’s stuff. What’s he been up to, what’s he working on, and what’s a day in the life of Brad look like?
  • Great talk with Oscar Minks (last week’s guest) yesterday morning; U.S. incident response capabilities, cyberinsurance brokenness, etc.
  • Security Sh*t Show – what’s new here.
  • The book (UNSECURITY) is now in the Cybersecurity Canon!
  • Maybe another thing or two.

Transition

Information Security @ Home

[Evan] So, this weekend, I figured I’d go grab another Raspberry Pi to play with. I want to build a plug and play home information security device. First thing, figure out how to compile a good inventory of everything on my home network.

This is where the story begins…

Topics:

  • So, what’s the big deal?
  • Taking inventory (what do you got?)
  • What do we (Brad and I) do?
  • Tools, devices, etc. that could help
  • S2Me – Today and a sneak peek in v3

Begin Discussion

[Evan] Great discussion. Here are some news stories.

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] That’s it for episode 106. Thank you Brad! Who you got a shoutout for today?

[Brad] We’ll see…

[Evan] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

Service and Sacrifice – Happy Birthday USMC

Today marks the 245th birthday of the United States Marine Corps (USMC).

HAPPY BIRTHDAY MARINES!

  • To the greatest fighting force on the planet.
  • To the faithful men and women who serve our country with bravery only they can fathom.
  • To the “Jarheads”, “Devil Dogs”, “Teufel Hunden”, and “Leathernecks” who give all so others can have.

Quick History

The storied history of the USMC began on November 10th 1775, when Captain Samuel Nicholas gathered two battalions of Continental Marines in accordance with the Continental Marine Act of 1775. Less than six months after being formed, these brave men set out on their first amphibious assault, the successful Raid of Nassau (March 1–10, 1776).

Our beloved USMC has fought in (at least) twenty-eight armed conflicts including:

  • Revolutionary War
  • Quasi-War with France
  • Barbary Wars
  • War of 1812
  • Creek-Seminole Indian War
  • Mexican War
  • Civil War-Union
  • Spanish-American War
  • Samoa (1899)
  • Boxer Rebellion
  • Nicaragua (1912)
  • Mexico (1914)
  • Dominican Republic (1916-1920)
  • Haiti (1915-1934)
  • Nicaragua (1926-1933)
  • World War I
  • World War II
  • Korean War
  • Dominican Republic (1965)
  • Vietnam War
  • Lebanon (1982-1984)
  • Grenada (1983)
  • Persian Gulf (1988) (Oil Platforms)
  • Panama (1989)
  • Persian Gulf War (1990-1991)
  • Somalia (1992-1994)
  • Afghanistan (2001-2015)
  • Iraq (2003-2016)

From 1775 to 2015, more than 41,000 Marines have made the ultimate sacrifice for us on the battlefield. Additionally, more than 200,000 have been wounded (Source: Marine Corps University). The fact that these numbers are as low as they are is a testament to Marine dedication, training, effectiveness and lethality. Regardless of the numbers, let’s not forget that each one of these soldiers was a father, mother, son, daughter, aunt, uncle, brother, sister, and/or friend. It’s our duty as citizens of this great country to ensure their sacrifices were not made in vain; that their sacrifices might live on through our own acts of service to others.

My Marine Corps Story (brief)

I was born in the Naval Hospital Philadelphia to two Marine Corps parents. My father served in active duty from 1957/8 until retirement in 1978, and my mother also served. Although her active Marine Corps duty was not as long as my father’s, her duties (raising me and keeping my father in line) were a helluva lot more challenging. I’m an only child who grew up on base (Camp Pendleton and Quantico).

Although I didn’t serve directly in the Marine Corps myself, the Marine Corps culture is a huge part of who I am. The Marines, my mother and my father taught me so many good things about the right way to live. Things like respect, discipline, work ethic, drive, mission, etc. I am forever grateful!

Happy Birthday

So, Happy Birthday Marines!

There are no words to describe how grateful I am. Regardless of how many people express gratitude for your service consciously, the gratitude is in their subconscious every time they exercise a constitutional right, walk down a street, eat a warm meal, embrace a family member, or do anything made possible by your service. Thank you for standing guard day and night for me, my family, and all Americans. I don’t take you or your sacrifices for granted, and I pray I never will.

The USMC always serves faithfully, rightfully earning their motto, Semper fidelis. Saying you’re faithful is one thing, demonstrating it through blood, sweat, and tears for 245 years is something entirely different.

UNSECURITY Podcast – Ep 105 Show Notes – Honest IR

Alright, the U.S. election season is over. Now we can all focus again, right?

Maybe, maybe not.

Before we get too far, I want to call your attention to an article I wrote last week titled “Good People Didn’t Vote For Your Guy“. Healing and unity are long overdue in our country. I’m hoping we will find our way back to being countrymen/women working together for our common good. I’m also hoping that our elected officials don’t steal this opportunity for their own selfish gain.

OK, now back to work…

Last week on the UNSECURITY Podcast, episode 104, we talked with a good friend Richie Breathe about the security industry’s perceived stigma against healthy stuff. It was a great episode and a real pleasure spending time with such a cool guy. If you missed the episode, go give it a listen.

Also last week, Ryan Cloutier, Chris Roberts, and myself had a GREAT time chatting on the Security Shit Show. Our topic was “Seven Ways Security Can Improve Your Sex Life“. Chris found a “Fitbit for your man bits” online, and the conversation went on from there. Lots of fun!

Plenty of businessy stuff went on last week as well, including a half dozen (or so) partnership discussions with some great organizations. Things continue to hum along, so watch for announcements from FRSecure and SecurityStudio in the coming weeks.

On to the show!

Episode 105 Topic and Special Guest

FRSecure’s Director of Technical Solutions and Services, Oscar Minks is joining us on the show again this week. For those who don’t know Oscar, he’s the awesome leader of FRSecure’s Team Ambush and an all around incredible guy. We’ll ask him to tell us who Team Ambush is on the show, but these are essentially the people who do all (or at least most) things technical at FRSecure, including penetration testing, red/blue/purple teaming, incident response, CTF competitions, exploit development and training, etc. Seriously an INCREDIBLE team!

We’ve got Oscar on this week to talk primarily about what TO DO, and what NOT TO DO during an incident response. In the last few months, we’ve seen a significant increase in the number of reported incidents, and we’ve seen too many people make mistakes. Don’t get us wrong, there are people who do things right, but sadly this is too rare.

Should be a great talk!

Let’s get on to the notes…

Brad’s leading the discussion today, and these are his notes.


SHOW NOTES – Episode 105

Date: Tuesday November 10th, 2020

Episode 105 Topics

  • Opening
  • Catching Up
    • What’s new?
    • How 4th quarter got you going? 😉
  • Special Guest Oscar Minks – What TO DO, and what NOT TO DO during an incident response
    • First, tell us about “Team Ambush”
    • Recent Incidents/Stories
    • Top things to do
    • Top things NOT to do (examples)
    • What’s next for Team Ambush?
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 105 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is November 10th, and joining me this morning as usual is Evan Francen.

[Evan] Talks about mindfulness after the last three shows…

[Brad] We have Oscar Minks with us today. Good morning Oscar.

[Oscar] Says a few things in his sweet southern drawl…

[Brad] As is tradition, let’s catch up with what happened over the last week.

[Evan] The weather was really nice this weekend, so I think Evan got in a good ride (or two).

Quick Catchup

Brad, Evan, and Oscar do a little friendly catching up…

NOTE: We know this isn’t specifically security-related, but security folks gotta have a life too, right?

Transition

Special Guest Oscar Minks – What TO DO, and what NOT TO DO during an incident response

[Brad] Okay so it’s no surprise that IR work is keeping us busy, the report from DHS and Secret Service around healthcare is proof of that. I thought it would be a good discussion today to talk about what are some do’s and don’ts when working with an IR firm, which is why Oscar is joining us this morning.

Open discussion points:

  • Tell us about “Team Ambush”
  • Recent Incidents/Stories
  • Top things to do
  • Top things NOT to do (examples)
  • What’s next for Team Ambush?

Begin Discussion

[Brad] Great discussion. Here are some news stories.

News

[Brad] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Brad] That’s it for episode 105. Thank you Evan and Oscar, do you have any shout outs this week?

[Evan] We’ll see…

[Oscar] We’ll see…

[Brad] Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

F is for Fundamentals

Despite how much I’d like to use “F” for something else:

  • What the ____ are you doing?!
  • ____ you!
  • Who the ____ told you to do that?!
  • Why the ____ do I bother?

I’ll fight the urge and use “F” in a more decent manner, even if it is a little less honest.

So why does “F” stand for Fundamentals? For starters, fundamentals are critical. Without understanding and implementing fundamentals, the information security program you’ve poured your heart, soul, and money into will fail. Fundamentals form the foundation, and a house with a crappy foundation looks like this…

You might think your information security program looks better than this house, but if you lack fundamentals, you’re wrong. Sadly, we’ve seen too many information security programs look exactly like this house; falling apart, unsafe, and in need of serious rebuilding (or starting over). So, why do so many information security programs look like this house?

The quick answer:

  1. People don’t understand the fundamentals of information security. (AND/OR)
  2. People don’t practice the fundamentals of information security.

Let’s start with #1

People Don’t Understand Information Security Fundamentals

Seems we’ve preached “fundamentals” so many times, I’m beginning to wonder if we’re using the word right. Let’s look at the definition, then use logic (our friend) to take us down the path of understanding.

Here’s the definition of “fundamental” from Merriam-Webster (along with my notes):

  1. serving as a basis supporting existence or determining essential structure or function – the “basis” or foundation of information security.
  2. of or relating to essential structure, function, or facts – the words “essential structure” reinforce the idea of foundation. We can’t build anything practical without a good foundation; therefore, we need to figure out what makes a good information security foundation (based upon its function).
  3. of central importance – what is the “central importance” of information security? We get this answer from understanding the purpose of information security.

OK, now let’s take “fundamental” and apply it to “information security”. My definition of information security is:

Managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

Does the definition of information security meet the objectives set by the definition of “fundamental”? Think about it. Re-read if necessary.

Settled?

If the answer is “no”, then define information security for yourself. Write it down. (let’s hope ours are close to the same)

The definition of “information security” is the most fundamental aspect of information security. If we don’t have a solid fundamental understanding of information security, good luck with the rest.

OK, so what’s next?

Notice the words “managing risk” in the definition? Information security isn’t “eliminating risk” because that’s not possible. Managing risk, however, is quite possible. Seems our next fundamental is to define how to manage risk. Logic is still our friend, so let’s use it again:

  • You cannot manage risk unless you define risk. = risk definition
  • You cannot manage risk unless you understand it. = risk assessment
  • You cannot manage risk unless you measure it. = risk measurement (management 101 – “you can’t manage what you can’t measure“)
  • You cannot manage risk unless you know what to do with it. = risk decision-making

Risk Definition

If managing risk is fundamental to information security, it’s a good idea for us to define risk. The dictionary definitions of risk are not entirely helpful or practical. For instance:

  1. possibility of loss or injury – this only accounts for likelihood and says nothing of impact.
  2. someone or something that creates or suggests a hazard – this is more “threat” than risk.

In simple terms, risk is:

the likelihood of something bad happening and the impact if it did

OK, but how do we then determine likelihoods and impacts?

These are functions of threats and vulnerabilities. More logic, this time theoretical:

  • If you have no weakness (in a control), it doesn’t matter what the threat is. You have zero risk.
  • If you have infinite weakness (meaning no control), but have no threats, you also have zero risk.
  • If you have infinite weakness (meaning no control), and have many applicable threats, you (potentially) have infinite risk.
  • Zero risk and infinite risk are not practically feasible; therefore, risk is between zero and infinity.

Makes sense. The important things to remember about risk are likelihood, impact, threat, and vulnerability. Also, it helps to remember that risk is always relative.

Risk Assessment

The next fundamental in “managing risk” is to assess risk. To some folks, assessing information security risk seems like a daunting and/or useless exercise. There are several reasons for this. One reason might be because it is new to you. Risk assessments aren’t new (we do risk assessments all the time), but doing them in the context of information security is new.

Examples of everyday risk assessments:

  • You’re driving down the road and the traffic light turns yellow. The risk assessment is quick and mostly effective. What’s the likelihood of an accident or a police officer watching? What would the repercussions be (or impact)? You quickly look around, checking each direction. You assess your speed and distance. If you assess the risk to be acceptable, you go for it. If you assess the risk to be unacceptable, you hit the brakes.

NOTE: Risk decision-making for information security comes later in this post.

  • You just used the restroom. Do you wash your hands or not? You assess the risk of not washing your hands. Will I get sick, or worse, get someone else sick if I don’t wash? What are the chances? What could be the outcome if you don’t wash your hands? If you deem the risk to be acceptable without washing, you might just walk out the door. If you deem the risk to be unacceptable (hopefully), you’ll take a minute or two and wash your hands.

We all do risk assessments, and we do them throughout the day. We’re used to these risk assessments, and we don’t think much about them. Most of us aren’t used to information security risk assessments. There are so many controls and threats (known and unknown). It’s easy to become overwhelmed, confused, and paralyzed; leading to inaction.

Some truth about information security (risk) assessments:

  • There is no such thing as a perfect one.
  • Your first one is probably going to be your worst and most painful one.
  • You cannot manage information security without one.
  • They’re fundamental.

Just do an information security risk assessment. Worry about comparisons, good ones versus bad ones, later (you’re probably not ready to judge anyway).

Risk Measurement

People argue about measurements. Don’t. Fight the urge.

You can use an existing risk measurement (FAIR, S2Score, etc.) or create one yourself. If you’re going to create your own risk measurement, here are some simple tips:

  1. Make the measurement as objective as possible. Instead of open-ended inputs or subjective inputs, use binary ones. Binary inputs are things like true/false, yes/no, etc.
  2. Use the measurement consistently. An inch is an inch, no matter where you apply it. A meter is a meter, no matter where you use it. For example, if a “true” answer to some criterion results in a vulnerability score of 5 today, it should be a 5 tomorrow too. Applying threats may change things, but the algorithm is still the same.
  3. Make sure the criteria being measured are relevant. For instance, take the crime rate in a neighborhood. Is it relevant to information security risk? The answer is yes. Our definition of information security covers “administrative, physical, and technical” controls, and crime rates are relevant to physical security threats.

If you are new(er) to information security risk management, you may want to use a metric that’s already been defined by someone else. Again, caution against trying to find the perfect measurement. It’s like arguing whether an inch is a better measurement than a centimeter. Don’t get me started…

Risk Decision-Making

Alright, so you did your information security risk assessment.

Done?

Nope, just getting going now. Before doing your risk assessment, you were risk ignorant. Now, you’re risk learned. Yay you!

What to do with all this risk?

Let’s say your organization scored a 409 on a scale of 300 (worst) – 850 (best), and you discovered several areas where the organization scored close to 300. There’s LOTS of room for improvement. Now you need to make decisions about what you’re going to do. To keep things simple, you only have four options:

  1. Accept the risk as-is. The risk is acceptable to the organization and no additional work is required.
  2. Transfer the risk. The risk is not acceptable, but it’s also not a risk your organization is going to mitigate or avoid. You can transfer the risk, often to a third-party through insurance or other means.
  3. Mitigate the risk. The risk is not acceptable, and your organization has decided to do something about it. Risks are mitigated by reducing vulnerability (or weakness), by reducing threats, or by reducing the impact if a threat succeeds (tested backups, for instance).
  4. Avoid the risk. The risk is not acceptable, and your organization has decided to stop doing whatever activity led to the risk.

That’s it. No other choices. Risk ignorance was not a valid option.
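To make the measurement and decision-making concrete, here is a small Python model written for this post as an added example. It is not S2Score, FAIR, or anything from SecurityStudio. It follows the tips above: every input is a yes/no answer to a control question, threats are applied on top of control weakness, the algorithm never changes between runs, and the result lands on a 300 (worst) to 850 (best) style scale. Risk per threat follows the definition used earlier (likelihood of something bad happening and the impact if it did), so no weakness or no applicable threat gives zero risk. The criteria, weights, likelihoods, impacts and the risk appetite are invented for illustration; real programs calibrate these.

```python
"""Toy risk measurement: binary inputs, fixed algorithm, threats applied on
top of control weakness, 300-850 style score, and per-threat triage into
accept / mitigate (transfer and avoid stay human calls). Every number and
question below is an assumption for the example, not a published model."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    cid: str
    question: str      # must be answerable yes/no (binary input, tip #1)
    domain: str        # administrative, physical or technical
    weight: int        # relative strength of the control, 1-5 (assumed)


@dataclass(frozen=True)
class Threat:
    tid: str
    likelihood: float  # 0..1 chance the threat acts against the org (assumed)
    impact: float      # 0..1 relative impact if it succeeds (assumed)
    mitigated_by: tuple  # criterion ids whose "yes" answers reduce this threat


CRITERIA = {c.cid: c for c in [
    Criterion("A1", "Is there a written, approved information security policy?", "administrative", 3),
    Criterion("A2", "Is there a documented asset inventory reviewed quarterly?", "administrative", 3),
    Criterion("P1", "Are server rooms physically access-controlled and logged?", "physical", 2),
    Criterion("T1", "Is MFA required for all remote and administrative access?", "technical", 5),
    Criterion("T2", "Are critical patches applied within 30 days?", "technical", 4),
    Criterion("T3", "Are backups kept offline/immutable and restore-tested?", "technical", 4),
]}

THREATS = [
    Threat("ransomware", 0.60, 0.90, ("T1", "T2", "T3", "A2")),
    Threat("credential_phishing", 0.70, 0.60, ("T1", "A1")),
    Threat("physical_intrusion", 0.10, 0.50, ("P1", "A1")),
]


def weakness(answers: dict, criterion_ids) -> float:
    """Weighted share of a threat's controls that are missing.
    0.0 = every relevant control is in place, 1.0 = none of them are."""
    total = sum(CRITERIA[c].weight for c in criterion_ids)
    missing = sum(CRITERIA[c].weight for c in criterion_ids if not answers.get(c, False))
    return missing / total if total else 1.0


def threat_risk(threat: Threat, answers: dict) -> float:
    """likelihood x weakness x impact: zero when there is no weakness or no threat."""
    return threat.likelihood * weakness(answers, threat.mitigated_by) * threat.impact


def score(answers: dict, threats=THREATS) -> int:
    """Map total risk onto 300 (worst) .. 850 (best). Deterministic (tip #2):
    the same answers always produce the same score."""
    worst = sum(t.likelihood * t.impact for t in threats)   # weakness = 1 everywhere
    if worst == 0:
        return 850                                           # no applicable threats, no risk
    total = sum(threat_risk(t, answers) for t in threats)
    return int(round(850 - 550 * total / worst))


def decisions(answers: dict, appetite: float, threats=THREATS) -> dict:
    """Per threat: 'accept' if risk is within appetite, otherwise name the
    missing controls that would mitigate it. Transfer and avoid are business
    decisions, so the code only reminds you they exist."""
    out = {}
    for t in threats:
        if threat_risk(t, answers) <= appetite:
            out[t.tid] = ("accept", [])
        else:
            gaps = [c for c in t.mitigated_by if not answers.get(c, False)]
            out[t.tid] = ("mitigate (or transfer/avoid)", gaps)
    return out


if __name__ == "__main__":
    # Constructed assessment answers for a fictional organization.
    answers = {"A1": True, "A2": False, "P1": True, "T1": False, "T2": True, "T3": False}
    print("score:", score(answers))
    for tid, (action, gaps) in decisions(answers, appetite=0.10).items():
        print(f"{tid:22s} {action:30s} {gaps}")
```

Run it and the fictional organization scores in the 480s: ransomware and phishing both exceed the appetite, and the gaps list points at the same missing control (MFA) for both, which is how a measurement like this turns into a prioritized to-do list rather than an argument about inches versus centimeters.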

There you go! Now you have a start to the fundamentals of information security! The foundation.

Did you notice that I didn’t mention anything about security standards, models, frameworks, identification, authentication, etc.?

These are all fundamentals too, but first things first.

People don’t practice the fundamentals of information security.

We live in an easy button, instant gratification, shortcut world today. Information security is simple, but it’s definitely NOT easy. Good information security takes work, a lot of dirty (NOT sexy) work. What happens when you cut corners in laying a foundation? Bad things.

  • Hacking things. That’s a lot sexier than doing a risk assessment.
  • Blinky lights. These are a lot sexier than making formal risk decisions.
  • Cool buzzwords. So much sexier than the basics. The basics are boring!

Hacking, blinky lights and buzzwords all have their place, but not at the expense of fundamentals.

You have no excuse for not doing the fundamentals. Zero. The truth is, if you know the fundamentals and fail to do them, you’re negligent (or should be found as such). Reminds me, there are a few more fundamentals you should know about before we finish:

  • Roles & Responsibilities – Ultimately, the head of the organization (work and/or home) is the one responsible for information security; all of it. He/she may delegate certain things, but the buck always stops at the top of the food chain. Whatever’s delegated must be crystal clear, and documentation helps. We should always know who does what. (See: E is for Everyone).
  • Asset Management – You can’t secure what you don’t know you have. Assets are things of value; tangible (hardware) and intangible (software, data, people, etc.). Tangible asset management is the place to start, because it’s easier to understand. Once you’ve nailed down your tangible assets, go tackle your intangible ones.
  • Control (access, change, configuration, etc.) – You can’t secure what you can’t control. Administrative controls (the things we use to govern and influence people), physical controls, and technical controls.
    • Start with administrative controls; policies, standards, guidelines, and procedures. These are the rules for the game, and this is where standards like ISO 27002, COBIT, NIST SP 800-53, CIS Controls, etc. can help.
    • Access control; identity management and access management. Authentication plays here.
    • Configuration control; vulnerabilities love to live here (not just missing patches).
    • Change control; one crappy change can lead to complete vulnerability and compromise.
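Asset management starts with a list, and the “Information Security @ Home” idea from the episode 106 notes (a Raspberry Pi that inventories everything on the home network) is one way to get that list for tangible assets. The Python below is an added example written for this page, not a SecurityStudio or FRSecure tool: it parses the Linux neighbour table (`ip -4 neigh show`, which a Pi can read without scanning anything), diffs it against a baseline of known devices keyed on MAC address, and reports devices that are new, known, or expected but absent. The sample table, the baseline and the tiny OUI hint list are constructed for the example.

```python
"""Added example: home-network inventory from the kernel's ARP/neighbour table,
diffed against a baseline of known devices. Runs on a Raspberry Pi or any Linux
host; SAMPLE_NEIGH and BASELINE are constructed so it also runs offline."""
import re
import subprocess
from dataclasses import dataclass

# One line of `ip -4 neigh show`: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)$"
)

# Constructed sample output; the FAILED entry never resolved a MAC.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 3c:22:fb:aa:bb:01 REACHABLE
192.168.1.20 dev eth0 lladdr b8:27:eb:11:22:33 STALE
192.168.1.77 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.99 dev eth0  FAILED
"""

# Assumed baseline of devices you have already identified, keyed on MAC.
BASELINE = {
    "3c:22:fb:aa:bb:01": "router",
    "b8:27:eb:11:22:33": "pi-inventory",
    "dc:a6:32:de:ad:01": "pi-4 (NAS)",
}

# Tiny OUI table for hints only (assumed for the example; real lookups use the IEEE list).
OUI_HINTS = {"b8:27:eb": "Raspberry Pi", "dc:a6:32": "Raspberry Pi"}


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    dev: str
    state: str


def parse_neigh(text: str) -> list:
    """Parse neighbour-table output. Entries without lladdr (FAILED/INCOMPLETE)
    never answered ARP, so there is no device to inventory behind them."""
    devices = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            devices.append(Device(m["ip"], m["mac"].lower(), m["dev"], m["state"]))
    return devices


def read_live_neigh() -> list:
    """Read the real table (Linux only; not called by the tests)."""
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_neigh(out)


def vendor_hint(mac: str) -> str:
    """First three octets of a MAC identify the vendor (when not randomized)."""
    return OUI_HINTS.get(mac[:8].lower(), "unknown vendor")


def diff_inventory(seen: list, baseline: dict):
    """Split what was seen into known/unknown and list baseline devices not seen.
    Keyed on MAC because DHCP changes IPs; MACs are stable but spoofable."""
    seen_by_mac = {d.mac: d for d in seen}
    known = {mac: (baseline[mac], d) for mac, d in seen_by_mac.items() if mac in baseline}
    unknown = [d for mac, d in seen_by_mac.items() if mac not in baseline]
    missing = [mac for mac in baseline if mac not in seen_by_mac]
    return known, unknown, missing


def report(seen: list, baseline: dict) -> list:
    """Human-readable lines; returned rather than printed so it can be tested."""
    known, unknown, missing = diff_inventory(seen, baseline)
    lines = [f"KNOWN   {d.ip:15s} {mac}  {name}" for mac, (name, d) in known.items()]
    lines += [f"NEW     {d.ip:15s} {d.mac}  ({vendor_hint(d.mac)}) state={d.state}" for d in unknown]
    lines += [f"MISSING {'-':15s} {mac}  {baseline[mac]}" for mac in missing]
    return lines


if __name__ == "__main__":
    for line in report(parse_neigh(SAMPLE_NEIGH), BASELINE):
        print(line)
```

Two caveats a practitioner would want. First, the neighbour table is passive: it only lists hosts that have talked to the Pi recently, so pair it with an active sweep (for example `nmap -sn` of the subnet) and run it on a schedule to keep the baseline current. Second, a MAC address is an inventory key, not an identity: it can be spoofed, and modern phones randomize it per network, so a “NEW” line means “go look”, not “intruder”.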

The last fundamental is the cycle. Cycle through risk assessment, risk decision-making, and action. The frequency of the cycle depends on you.

Summary

I’d rather over-simplify information security than over-complicate it. Simplification is always a friend, along with logic. Quick summary of the fundamentals of information security:

  • Fundamental #1 – Learn and work within the context of what information security is (risk management).
  • Fundamental #2 – Roles and responsibilities.
  • Fundamental #3 – Asset management.
  • Fundamental #4 – Administrative control.
  • Fundamental #5 – Other controls (several).

Honorable Mention for “F”

As was true in previous ABCs, I got some great suggestions. Here’s some honorable mentions for “F”:

  • Facial Recognition
  • Failover
  • Failure
  • Faraday Cage
  • Fat Finger
  • Fear Uncertainty & Doubt (FUD)
  • Federal Information Processing Standards (FIPS)
  • Federal Information Security Management Act (FISMA)
  • Federal Risk and Authorization Program (FedRAMP)
  • Federated Identity Management (FIM)
  • Feistel Network
  • FERPA
  • Fibonacci Sequence
  • File Integrity Monitoring (FIM)
  • File
  • Fingerprint
  • Firewall
  • Foobar/Fubar
  • Fortran
  • Fraud over Internet Protocol
  • Fuzz Testing

Hope this helps you in your journey! Now on to “G”.

 

Good People Didn’t Vote For Your Candidate

The truth:

There were hundreds of thousands, maybe millions, of worthy people who didn’t vote for “your candidate”.

Demonize as you will, but here’s a reminder of some things.

People who voted for the other candidate are NOT bad people. Sure, there are bad apples in any large group, but the vast majority of Americans are not bad people.

These people are NOT:

  • “ill”
  • “sick”
  • “dumb”
  • “stupid”
  • “racist”
  • “bigoted”
  • “idiots”
  • “Socialists”
  • “Fascists”
  • or any other demonizing word you want to throw at them.

These people ARE:

  • human beings with basic needs
  • human beings with basic desires
  • human beings with dreams
  • human beings who want to be loved
  • human beings who want to feel grace
  • human beings who have families
  • human beings who have different perspectives (a good thing)
  • human beings who have different beliefs (also a good thing)
  • human beings who have different backgrounds (also a good thing)
  • human beings with many additional things that are beautiful about them.

A failure to recognize these things about other people, especially those who don’t see eye to eye with you, makes you the same thing you rail against (intolerant, bigoted, etc.).

It doesn’t matter who “your candidate” is or who “my candidate” is. We both (Democrats and Republicans) have players on our team who demonize players on the other team. The lie is that there are two teams to begin with.

There is only ONE team. We are ALL Americans. We are NOT just votes. We are ALL people.

The other teams play for China, Russia, Iran, etc. You’d be remiss if you thought otherwise.

The sooner we learn to embrace the good things about us and shed the bad things, the better off our team will be. A team full of players who constantly fight each other doesn’t win (or accomplish anything meaningful).

So, what are the good things? Go back to the list (above). The greatest of the “good things” is love. Choose and show love. It’s the best thing we’ve got.

UNSECURITY Podcast – Ep 104 Show Notes – Stigma Against Healthy

Last week was nuts. Is “nuts” the norm? God, I hope not.

The week started off with what seemed like a run of the mill ransomware attack against a healthcare client. The investigation led us to threat hunting with another client. During the threat hunting exercise, Brian Krebs called. He claimed to have information about 427 healthcare organizations who could be attacked by Wednesday (10/28). This led us down all sorts of paths with a few renowned researchers, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Secret Service (don’t ask), and others.

Eventually, CISA issued a joint cybersecurity advisory with the FBI and Department of Health and Human Services (HHS). See: Ransomware Activity Targeting the Healthcare and Public Health Sector.

On Friday, FRSecure issued their own statement and hosted a very well-attended webinar. See: Situation Update: RYUK Ransomware in Healthcare.

One thing we learned is that incident response in the United States, in terms of our readiness across the public/private sector is in bad shape. It shouldn’t take 3+ days to legitimize a threat and coordinate a response. Thank God we didn’t witness a coordinated attack against 427 hospitals at once. Had this been a real attack against 427 hospitals, we would have been in a world of hurt!

Other things that happened last week include:

  • Episode 103 of the UNSECURITY Podcast, Part Two with Neal O’Farrell of the PsyberResilience Project was awesome! If you missed it, you should go check it out.
  • FRSecure is rocking it! We’re running on all cylinders and making a positive difference in our industry. I’m very proud and humbled at the same time.
  • SecurityStudio finished another incredible month! People are buying into the concept of focusing on the fundamentals and simplification. In case you didn’t know, complexity is the worst enemy of information security.
  • The Security Shit Show was awesome on Thursday night! Personally, I needed the time to talk shit with my peers, Ryan Cloutier and Chris Roberts. It’s like therapy. The title for our discussion was “Kiss and Make Up?” and we talked about what life might look like after the election.

There was probably other important stuff sprinkled in last week too, but the brain can only handle so much!

On to the show!

Episode 104 Topic and Special Guest

A few important things about this episode:

  • This is episode 104, the two-year anniversary of the UNSECURITY Podcast! Holy crap, where did the time go?! It’s been an incredible ride so far, and we’ve met 100s of amazing people along the way.
  • Our topic (or, I guess title) is “The security industry’s stigma against healthy stuff“. Is there a stigma against healthy stuff in our industry? Maybe. We’ll look into it in this episode.
  • We have another special guest, and he’s a good one! We call him Richie Breathe, and he’s a great guy with interesting perspectives on wellness. He’s the perfect guest to wrap up what turned into another semi-series about us and our health.
  • Next week, we’re going to dive back in to incident response. We’ve seen some very interesting (and alarming) trends, and it’ll be good to share with you.

Let’s get on to the notes…

Oh yeah, one more thing before we forget.

GO VOTE!


SHOW NOTES – Episode 104

Date: Tuesday November 3rd, 2020

Episode 104 Topics

  • Opening
  • Happy Anniversary (to us)
    • What’s been your favorite thing about the UNSECURITY Podcast?
    • What’s been your favorite moment or episode?
  • Special Guest Richie Breathe and the security industry’s stigma against healthy stuff
    • Who’s Richie Breathe?
    • Is there a stigma? If so, how bad do we think it is?
    • Ideas for improving wellness in our industry.
    • Where to go next.
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi again everyone. Welcome to another episode of the UNSECURITY Podcast! This is episode 104, the date is November 3rd, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, is a good friend Richie Breathe. Good morning Richie.

[Richie] Cue Richie.

[Evan] First things first. Today is election day. Did you guys vote?

[Brad & Richie] Well, did they?

Happy Anniversary (to us)

[Evan] This is our 104th episode in a row, meaning 104 weeks in a row, meaning two years! I can hardly believe it. Seems like yesterday we did our first episode together Brad. Happy anniversary!

[Brad] Cue Brad

[Evan] I gotta tell you man. I’ve loved every minute of this with you. Sincere gratitude for being my pal in this journey.

[Brad] Cue Brad

[Evan] Now, Richie. You’ve been listening for a while, and we actually met through the podcast, didn’t we?

[Richie] Cue Richie

[Evan] I’ve met 100s of amazing people over the past two years from this show. So many incredible memories. Brad, what’s your favorite thing about the UNSECURITY Podcast?

[Brad] Cue Brad

[Evan] How about you Richie?

[Richie] Cue Richie

[Evan] My favorite thing.

I couldn’t have imagined so much and I’m VERY grateful. How about a favorite moment or episode? Brad?

[Brad] Cue Brad

[Evan] Richie?

[Richie] Cue Richie

[Evan] My favorite moment/episode.

Like I said, it’s been an amazing ride. Here’s to many more episodes and lots more memories!

Transition

Special Guest – Richie Breathe and the security industry’s stigma against healthy stuff

[Evan] Richie, thanks for being here man. I know we talked about this a while back, and the time has finally come. You first learned about me and Brad through the UNSECURITY Podcast, then started coming to the Daily inSANITY Checkin, right?

[Richie] Cue Richie.

[Evan] The Daily inSANITY Checkin is another HUGE blessing for me. I’ve met some incredible people there and I love sharing life with them. Shout out to you guys!

For people who want to know more, the Daily inSANITY Checkin is just what it says. It’s a daily informal meeting with people who care about each other. It’s a safe place to come, share thoughts, share ideas, or share whatever else comes to mind. The only real rules are to show respect and be yourself. Simple.

We started the Daily inSANITY Checkin immediately after the COVID-19 lockdowns started in March and we’ve been going strong ever since. It’s been incredible. So, Richie. You’re there almost every day, and I’m grateful to have gotten to know you. I know you, but tell the listeners a little about yourself.

[Richie] Cue Richie.

Begin Discussion

The security industry’s stigma against healthy stuff

  • Who’s Richie Breathe?
  • Is there a stigma? If so, how bad do we think it is?
  • Ideas for improving wellness in our industry.
  • Where to go next.

[Evan] Awesome! Great discussion. Thanks again Richie!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Richie, please feel free to comment anytime too!

News

[Evan] Always plenty of interesting things going on in our industry. Here’s a few stories that caught my attention recently:

Wrapping Up – Shout outs

[Evan] Great! Episode 104 is just about complete. Thanks guys! Next week we’re going to tackle some incident response stuff. Things like what’s going on, what people are doing wrong, and how to do things better. Episode 105 will be great, and maybe we’ll invite a guest to boot!

Richie, loved having you join us this week. Thank you!

Any shout outs for either of you?

[Brad and/or Richie] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Richie, how can listeners find you?

[Richie] Cue Richie.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 103 Show Notes – PsyberResilience Project Pt. 2

Happy Tuesday (again)!

There are always 100s of things to talk about each week, and if you’re ADHD like me, you know how hard it can be to stay focused on one thing for too long!

Here are a few things that are top of mind right now:

  • Security ABCs:
  • Election is next week. Please vote. Regardless of who you vote for, you have a voice. The voice might seem insignificant, but when millions of voices speak together, you have something special. This election season has been crazy, just like 2020 has been crazy. I’m looking forward to it being over, so we can return our focus to serious issues facing all of us.
  • Last week on the Security Shit Show, we talked about election security. The title of the show was “Is My Vote Secure?”. This week it’s Chris Roberts’ topic, and he hasn’t announced it yet. Stay tuned!
  • Business is good – FRSecure is running at or near full capacity and SecurityStudio is serving people well with simple, fundamental, and effective information security risk tools. Good things! FRSecure is hiring BTW.
  • Incidents and calls for our incident response team continue to roll in. There was an incident that occurred this past weekend. Sadly, the way the incident was handled by the client provided good examples of what NOT to do. I’ll write a separate blog post on this story later, but here are two things you need to do RIGHT NOW. Drop what you’re doing and make sure you’re squared away on:
    1. Check your incident response plan and be sure you know who to call.
      • Double-check the contact information.
      • Is there 24×7 response? Incidents will inevitably happen at the worst time.
      • Who do you call, and who do you call first? Your incident responders, your insurance provider, your legal team, executive management, law enforcement, or…?
    2. Make sure your preferred 3rd-party incident handler/provider is on your insurance provider’s approved list for reimbursement.
      • You waste precious time, energy, and money when you don’t know.
      • Engaging with a 3rd-party incident responder who isn’t on the list will force you into declined reimbursements and/or changed providers (losing more time).
  • Not a sales push at all, but here’s what FRSecure provides. At a minimum, it makes sense to register with your incident responder (See: IR Registration Services).

  • Not digging the cold weather, but I do live in Minnesota, so…

Episode 102 Quick Recap

Originally, we weren’t planning on making the discussion with Neal O’Farrell into a series, but the talk in episode 102 was too AWESOME! Brad was out sick for the show, but Neal and I had a great talk about his 40(ish) years in our industry, his background growing up in Ireland, his organization (the PsyberResilience Project), our personal mental health issues (stress, burnout, etc.), and mental health in our industry. This is a serious issue in our industry, and we’re not doing a good enough job in tackling our problems.

I’m VERY excited to welcome Neal back again! We’ll talk about resources people can use to improve their lives. Sure to be another great discussion!

These are my (Evan) notes.


SHOW NOTES – Episode 103

Date: Tuesday October 27th, 2020

Episode 103 Topics

  • Opening
  • Special Guest – Neal O’Farrell from the PsyberResilience Project
    • Recap episode 102 – Where we left off.
    • Mental Health Discussion.
    • Specific self-help approaches, what we’ve learned from trying them.
    • Other resources and what you can do to help.
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hi everybody. Welcome to another episode of the UNSECURITY Podcast! This is episode 103, the date is October 27th, 2020, and I’m Evan Francen, your host. Joining me is my good friend and co-worker, Brad Nigh. Good morning Brad.

[Brad] Cue Brad.

[Evan] Also joining us, for the second week in a row is our good friend and founder of the PsyberResilience Project, Neal O’Farrell. Good morning Neal.

[Neal] Cue Neal.

[Evan] How are you guys today? What’s new?

Quick Catch-up

Discussion about any current events, life or otherwise…

Transition

Special Guest – Neal O’Farrell from the PsyberResilience Project

[Evan] Neal, thanks for joining us for the podcast again this week. Last week we had a great talk. So great, in fact, we didn’t leave any time for news stuff. No matter though, people can always read news things for themselves.

Anyway, we talked about your background, both of us shared our personal struggles with mental health, and we talked about your organization (the PsyberResilience Project). This week Brad’s joining us, and we’re going to focus on specific self-help approaches that we’ve tried. Before we jump in, Brad, did you get a chance to listen to last week’s podcast?

[Brad] Cue Brad.

[Evan] What did you think about it?

[Brad] Cue Brad.

[Evan] Great! Let’s dig in.

Begin Discussion

Topics to discuss (or ideas):

  • Recap episode 102 – Where we left off.
  • Mental Health Discussion.
  • Specific self-help approaches, what we’ve learned from trying them.
  • Other resources and what you can do to help.

Discuss whatever else comes to mind.

[Evan] Excellent discussion, and I’m sure our listeners found value in it!

Now, we’re at the part of the show where we review a few news items that caught our eye this past week. Neal, please feel free to comment anytime too!

News

[Evan] Some interesting nation-state stuff caught my attention this week. God knows, there’s always plenty of nation-state stuff going on!

Wrapping Up – Shout outs

[Evan] Great! Episode 103 is just about complete. Thanks guys! Neal, it was great having you on the show again this week. I’m looking forward to working together to make our industry better. Brad, always happy when you’re here. Glad you’re feeling better this week!

Any shout outs for either of you?

[Brad and/or Neal] We’ll see.

[Evan] Always grateful for our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Neal, remind our listeners again how they can get in touch with you.

[Neal] Cue Neal.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

E is for Everyone

There are lots of relevant information security words that start with “E”, but I’m going with “Everyone”.

Why?

Three primary reasons:

  1. Information security (good or bad) affects everyone.
  2. Everyone has a role in information security.
  3. If everyone has a role, then everyone must have responsibilities.

There’s a saying I often use:

Information security isn’t about information or security as much as it is about people.

Two important points from this statement:

  1. People suffer when things go bad. If nobody suffered, nobody would care.
  2. People are riskier than technology. Technology only does what we tell it to (for now).

Let’s apply these points to our reasons why “E” is for everyone.

People Suffer

When bad things happen, people suffer. Doesn’t matter if we call the “bad thing” a data breach, a ransomware attack, a phish, business email compromise, or whatever. All bad things related to information security affect real human beings, either directly or indirectly.

Some quick examples:

  • Ransomware attack (poorly prepared) – A ransomware attack hits an organization. The organization isn’t well prepared for it, meaning they didn’t adequately back up their data or adequately protect their backups. The organization has no hope of recovery without negotiating with the attackers and paying the ransom. No worries, “it’s covered by insurance”, a common reply. People suffer:
    • The organization suffered an outage, even if minimal, it’s an outage. Outages mean lost services to customers and lost revenue for the organization. Customers suffer and so do the organization’s stakeholders (owners, investors, employees, etc.).
    • The insurance company suffered the claim loss. This might seem insignificant, but insurance companies are not in the business of losing money. They will raise premiums across the board if necessary to recoup losses. “In the first half of 2020 alone, we observed a 260% increase in the frequency of ransomware attacks amongst our policyholders, with the average ransom demand increasing 47%,” according to Coalition (one of the largest providers of cyber insurance services in North America). Insurance company stakeholders suffer (even if temporarily), and we all suffer through higher insurance premiums.
    • Paying an attacker a ransom leads to their re-investment in better and more frequent attacks. We all suffer. Everyone suffers, and worse, the cycle continues.
  • Business email compromise – An organization suffers a business email compromise that leads to $800K loss; stolen money through unauthorized ACH transfers. This resulted in a loss for the organization, its customers, and its stakeholders. They all suffered. This attack resulted in $800K that could no longer be spent on good things; things like expansion, employee benefits, employee salaries, etc.
  • Data breach – A hospital gets hit with ransomware, but this variant also exfiltrated protected health information (PHI). The hospital didn’t properly protect itself, and certainly didn’t protect the patients well. The hospital suffered a significant outage, affecting services for patients when they’re needed most. To make matters worse, all patients who were affected by the lost information are now dealing with significant anxiety and safety issues.
    • Anxiety from knowing their private information is in the hands of someone they don’t trust. Contributing to the anxiety is not knowing when/if their information has been used by criminals or how to fix the problem if it did.
    • When a criminal uses stolen PHI to get treatment, their health information becomes mixed with/added to the victim’s. If the criminal gets treatment for a condition using a victim’s medical record/insurance, the criminal’s treatment is now on the victim’s medical record. The next time the victim gets treatment (legitimately), he/she will be treated as though he/she has the criminal’s condition, leading to potentially faulty life/death decisions made by doctors.
    • Victims are also faced with medical bills that aren’t theirs. If you’ve dealt with medical bills before, you know how this feels.

The list could go on, but you get the point. These scenarios are based on real stories. Reality, NOT fantasy.

Information security (good or bad) affects EVERYONE.

At Home

At home the problem is more direct, but less understood. Attackers have always gone after people at home. Since the first home PCs were connected to the Internet, they’ve been under attack. If we think attackers have relented, we’re foolish.

The problems at home are less understood for a couple reasons:

  1. The consumer market has been grossly underserved. This market is underserved because consumer information security is more difficult to monetize. This market is very easy to monetize for cool blinky lights, personal assistants, “smart” homes, etc. It’s a pain in the ass to monetize for information security.
  2. Personal attacks, or attacks at home, don’t grab the headlines like organizational attacks do. People aren’t paying attention (as much); however, this might be changing with the explosion in remote working or “work from home”.

At home, your information security and safety are your responsibility. Not mine. Not the government’s. Yours. Sadly, an attack aimed at you or your children is yours to bear, sometimes alone.

People Are Riskier

Riskier how? In terms of being riskier than the technology or in terms of being riskier than they were before?

Yes. Both.

Technology only does what we tell it to do. Tell it to do bad things (on purpose or by accident), and the technology does bad things. Tell it to do good things, and you guessed it, technology will do good things. It’s not technology that’s bad as much as it’s the behavior of technology makers and consumers that can make it bad. Technology makers are incented to get the product (hardware and/or software) into consumers’ hands as quickly and cost-efficiently as possible, NOT as securely as possible. Information security is up to you then. If you don’t know how to secure the product or technology, then you will suffer the consequences.

Technology makers need to be incented to make things more secure, not punished for making things insecure.

Consumers need to learn better information security habits to reduce their risk within their area of influence; in communities, at work, and especially at home.

EVERYONE has a role in information security. What’s yours?

Roles

In simple terms, there are information owners, custodians, and users. In reality, this is where the breakdown starts. Most people have no clue what their role is. If you don’t know your role, you don’t stand a chance of understanding your responsibilities.

Information Owners

These are people who are directly affected by the loss of confidentiality, accuracy (or integrity), and/or availability of their information. They “own” the information, and it’s theirs.

Examples:

  • My health record is mine.
  • My financial account information is mine.
  • My Social Security Number is mine.
  • My private conversations are mine.
  • My private emails are mine.
  • My credentials for accessing accounts are mine.

I am the information owner. At times, I’m the information owner for people I’m responsible for too, like members of my family.

Information Custodian

These are organizations and people who have been delegated, by the information owner, the responsibility of protecting the owner’s information.

Examples:

  • The hospital is a custodian of my health record.
  • The bank is a custodian of my financial account information.
  • The school, employer, bank, credit agency, etc. is a custodian of my Social Security Number.
  • The phone carrier (or whoever else I might be using for private conversations) is the custodian of my private conversation.
  • The email provider (personal and work) is the custodian of my private emails.
  • The password manager program (please tell me you use one), and everyone I authenticate with, is the custodian of my credentials for accessing accounts.

Information Users

These are people who use the information in a manner approved by the information owner through the information custodian.

Organizations Are Not Data Owners

Organizations do not “own” our information. Organizations are custodians and users of our information.

Organizations do NOT “own” any information except what they’ve created.

Organizations act like “owners” of our information, but they’re not. If they want to be, then they’ll need to accept the consequences of misuse instead of pushing the consequences onto the real owners (you and me). Organizations act like owners of our information when they make risk decisions on our behalf without our approval. Truly, if more people knew how some (maybe most) organizations protected our information, I’m pretty sure some of us would stop doing business with them.

Responsibilities

Each role has specific responsibilities, but this is where things get even messier.

Information Owner

Information owners must inform/declare to information custodians what’s acceptable and what’s not with respect to protecting their information. Once this has been defined, it’s also the owner’s responsibility to hold the custodian accountable.

The problem

Most people have no idea that they are an information owner or what it means to be an owner. For those who do understand the role, many feel powerless to do anything with it. We have a long way to go in empowering information owners to delegate information security responsibilities effectively and simply to data custodians. We’ve tried going down this route, sort of, with compliance mandates, but our compliance initiatives are far behind the times and largely ineffective. Much work to be done here.

Information Custodian

Information custodians protect information according to what’s been delegated by the information owner. If nothing has been delegated (explicitly), custodians are left to their own devices. Some custodians treat our information with extreme care while others couldn’t care less. If we’re frustrated by how organizations are protecting our information, maybe we need to back up and look at our responsibilities (as information owners) and create solutions that will allow us to become empowered.

Information User

Easy. Just follow the rules, as defined by the owner and delegated through the custodian. If the user doesn’t understand the rules, it might be due to breakdowns in information ownership and/or custodianship. If the user doesn’t follow the rules because they don’t want to, there are other problems of course.

If everyone has a role, then EVERYONE must have responsibilities.

Fundamental

This is not only fundamental information security, this is fundamental logic. We’ve got a lot of work ahead of us.

Honorable Mention for “E”

I received many great suggestions for the letter “E” including:

  • Evolution – information security is certainly evolving, but not fast enough. Complexity is the worst enemy of information security, and we’re going too fast to secure things. Technology is evolving much faster than our ability to secure it.
  • Elephants – the “elephant in the room” is often information security, or the lack thereof. If only we could make the elephant a little smaller and little less intimidating.
  • Efficiency – a great word, but could be a can of worms. If we can make things more secure (less risk) and be more efficient, we have the potential recipe for success!
  • Endpoint – endpoint protection is certainly part of the equation, but I didn’t choose it because of the overemphasis our industry puts on its importance. It’s important for sure, but some people (vendors mostly) will claim it’s the silver bullet/easy button. I know the person who suggested “endpoint” is NOT insinuating such a thing (I know him), but others might. Just FYI, silver bullets and easy buttons don’t exist and never will.
  • Encryption – a great suggestion and safe choice. Encryption is wonderful and a critical protection against unauthorized disclosure and/or alteration of data.
  • Evolve – closely related to “evolution”. See above.
  • Exfiltration – another great suggestion. Exfiltration is the extraction or taking of information from an environment, and the word is often used in relation to data breaches. It often results in a compromise of confidentiality if the data wasn’t adequately protected with encryption (another vote for “encryption” above).

One last word that I was considering was “education”. Education is VERY important and we all must continue learning. There are so many good free and paid education opportunities available everywhere, there’s really no excuse for not investing in yourself.

Next up is “F”. Ooh, a bad word I use too much starts with “F”! You know the word, but it’s not going to make it into the Security ABCs, sorry.

God Showed Up to My Pity Party

Yes, God showed up. Uninvited and unwelcomed.

NOTE/WARNING:

The subject of “God” is touchy for many people. I acknowledge this, and won’t go down the rabbit hole (now). I’ll preface my story with two simple points:

  1. This story isn’t about religion. This is about relationship. Two vastly different things. If it helps, I don’t like religion either, or at all.
  2. Nobody is forcing you to read this. Feel free to stop reading this at any time.

OK, back to my personal pity party.

Pity Party!

This was my party. All mine.

I invited the most important person in my life (me), and I was sure he was coming (again, me.). The best time for me to have a pity party is early in the morning. Mornings are great times for pity parties because it’s easier for me to be alone.

This particular party took place one morning a couple weeks ago. I woke up in a pissy mood, so it was the perfect time to hold my pity party!

I even had a theme. “2020 Sucks!” In my mind, I replayed all the crappy things about this year, and I found I had lots of things to celebrate:

  • COVID-19, and all the disruption it brought to daily life
    • Closed offices.
    • Closed schools.
    • Economic hardships.
    • Fear.
    • Uncertainty.
    • Politicization
    • The saddest/hardest stuff:
      • Sick people.
      • Deaths.
      • Closed businesses (some permanently).
    • Etc.
  • Social (in)Justice:
    • Riots.
    • Cities burning.
    • Systemic racism.
    • Hatred.
    • Killing.
  • 2020 Election:
    • Disinformation.
    • Division.
    • Hatred.

This country I love seems like it’s falling apart. I grew up in a Marine Corps family (Oorah!), so this hits hard and personal. People around me who used to love each other are now at each other’s throats. Damn, this pity party was in full swing!

Wait though, I can kick this thing up a notch!

I haven’t even started to grumble and take the “woe is me” look at my personal issues in 2020:

  • Frustration in my own home.
  • Loneliness and isolation.
  • Hit a deer while riding my motorcycle in May ($11K in damage).
  • Lost my little buddy (dog named “Vike”) in July.
  • Child struggling with school (social issues, lack of routine, etc.)
  • Work stresses from being CEO of two companies. The wind blows the strongest at the top of the mountain.
  • Lost my little sweetheart (dog named “Maizee”) first week in October. Two dogs in one year?! WTF?
  • General insecurities that come with working in the information security industry (yes, we all have them).
  • Etc., etc., and the list could continue.

The party was going great! I was feeling comfortable being shitty. I had a solid shitty attitude. To boot, I felt like I had plenty of blame to toss around and anger to express.

Woop! Woop! Party!

Then “He” showed up.

He showed up like He has before. Subtle. Almost sneaky. No grand entrance or anything.

Upon reflection, I realized He was actually there when the party started. I didn’t know He was there, but He was. At just the right time, He made his presence known to me, with a subtleness I can’t compare to anything else.

He whispered in a gentle, loving voice, “Did you forget?”

The whisper wasn’t audible, at least I don’t think it was. There was nobody else in the room to confirm a “yes” or “no”/my sanity. Regardless, whether His voice was audible or not, I’m certain I heard Him.

I responded (not audibly, I don’t think), “Forget what?”

He replied, “Forget the blessings. Did you forget the blessings?”

I thought for a second. “What blessings?”

With more gentleness, and without anger, He reminded me:

  • This was the year I gave you Ryan Cloutier to work with.
  • This was the year I gave you the amazing SecurityStudio team experience at RSA. Remember #MissionBeforeMoney? That was Me.
  • This was the year I gave you a wonderful vacation with your wife and friends. You know that seven-day cruise and everything that came with it?
  • This was the year I gave you 2,500+ students in the FRSecure CISSP Mentor Program. I even let you take credit for it.
  • This was the year I gave you unity and progress at FRSecure; amongst the executive leadership team, the senior management team, and the employees who get the real work done.
  • This was the year I gave you a new motorcycle after you crashed the last one.
  • This was the year I gave you a stronger bond with your wife.
  • This was the year I gave you a second vacation, one to the Black Hills of South Dakota with your wife and friends.
  • This was the year I made SecurityStudio profitable for the first time.
  • This was the year I gave you a new puppy with an amazing and vibrant lust for life.
  • This was the year I taught you what unconditional love feels like.
  • This was the year I introduced you to working more closely with Chris Roberts (BTW, I’m using him too) on the Security Shit Show, multiple talks/panels, and business collaboration on My mission (to fix the broken industry).
  • This was the year I gave you new and deeper experiences with co-workers and friends.
  • This was the year I gave you the Daily inSANITY Checkin and new relationships with many wonderful people there (Josh, Jared, Steve, Tony, Richie, Amy, Marlyce, Dwight, Jim, Raul, Shelley, Olga, Jason, Brian, Rod, Caleb, Jeff, Lisa, etc.)

Shall I go on?

Through tears running down my face, I responded, “Thank you. Thank you for coming to my pity party to remind me who I am and what You have done for me.”

It was here I realized I’m not cursed. Far, far from it. I’m blessed. Beyond everything that’s been done for me and given to me, I’m blessed by a God who always shows up, even to my pity parties He isn’t invited to.

2020 has been a weird year. It’s been much worse for some than for others, but regardless of how bad it’s been, there’s hope. There’s hope that God will show up for you as He did for me. There’s hope that God will restore what we destroy. I can’t help but wonder how much of what we’ve destroyed was destroyed because we take things for granted. It’s easy to take things for granted when we are given things without 1) earning them (called grace) and 2) realizing where they came from.

Wishing and praying for all brothers and sisters who are struggling today. I pray that you’ll find God, His grace and your blessings.