M is for Money

Fundamentals are critical to the foundation of an information security program (or strategy). Deficiencies in information security fundamentals are analogous to cracks in a fortress foundation. Fortress defenses won’t stand and neither will your information security protection.

The Information Security ABCs are drawn from information security fundamentals. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the fundamentals, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

It’s been too long, but the time has come for the letter “M”.

The magnate’s magnitude of money-motivated myriad manipulation makes mayhem and mess of society’s macrocosm, masqueraded with mentor-less and maladroit management whose malfunctioning mandates manifest in the malefactor’s monopoly.

The letter “M” is for “money”. It shouldn’t be, but it is.

Our Tribe

Last year (2020) we spent an estimated $123,000,000,000 (that’s $123 billion) on “cybersecurity” worldwide. That’s a helluva sum of money, and it begs the question:

  1. What did we get for all this money?
  2. Was (all/some/any of) this money well spent?
  3. Is this too much money, not enough money, or about right?

At a macro level, these questions are nearly impossible to answer objectively. There isn’t uniformity in how we apply or measure information security effectiveness (although we’re working hard to change that), and we don’t have quality data. When we consider estimated losses (to “cybercrime”), maybe we get an indication of how well we’re doing.

According to estimates/predictions from Cybersecurity Ventures, cybercrime will cost us $6,000,000,000,000 (that’s $6 trillion) this year (2021), up from $3 trillion in 2015. The trend doesn’t appear to reverse anytime soon, with 2025’s losses expected to approach $10.5 trillion.

Are we doing this right? Our cybersecurity investments are growing, but our losses are growing faster.

Who’s getting paid?

Simple. The $123 billion goes into our pockets. The $6 trillion goes into the criminals’ pockets.

The Good.

There are many, many good people making a good living in our industry. They’re “good” people because they do their work for the right reasons, to protect others, and to protect information that’s been entrusted to them.

We all get paid in this industry. I get paid, you get paid, our co-workers get paid, our bosses get paid, the companies we work for get paid, etc., etc. Some of us get paid a lot, some of us get paid less. There’s nothing wrong with getting paid. We have bills and people to support (whether it’s just us, our family, etc.).

According to CyberSeek, there are 956,341 people employed in the U.S. “cybersecurity workforce” and nearly a half million job openings. The supply of talent is “very low” and the demand is high. If you believe the numbers, our job prospects should be good for a long time. According to ZipRecruiter, “the Average Cyber Security Salary” is $112,974 per year, ranging from $125,664 in New York to $82,936 in North Carolina.

Again, if we agree with these numbers, the average worker in our industry makes good money. We make twice as much as the average U.S. worker. This is good!

The Bad.

The criminals are expected to steal nearly $6 trillion worldwide in 2021. This is a HUGE number, so let’s try to put this into perspective.

  • The worldwide economy (GDP – nominal) is roughly $94 trillion, so cybercrime is costing about 6.38% of the world’s economy.
  • The global pharmaceutical market is roughly $1.27 trillion. Cybercrime has this number beat by a factor of four.
  • Some estimates put the global drug trade at roughly $450 billion. Not even in the same league as cybercrime.
  • Only the United States ($22 T), European Union ($19.2 T), China ($16.6 T), and Japan ($6.2 T) have economies larger than the cybercrime economy.

Cybercrime is expected to grow by as much as 15% annually. There are (at least) three primary reasons why global cybercrime has gotten (and continues to get) out of hand:

  • Lack of accountability. The lack of accountability when it comes to information security is astounding.
    • There’s very little (if any) accountability for the criminals.
    • There’s no accountability for software companies writing crappy code (as long as we keep buying it, they’ll keep selling it).
    • There’s very little accountability for the CEO who ignores his/her responsibility to protect their company’s assets and customers’ data. Compliance is a joke because we stop once the box is checked. As long as nobody really pays the price, there isn’t much motivation to change. Instead of individuals paying the price, the costs are spread across a wide population through higher fees, higher prices, etc.
  • We like our ignorance. Nobody will admit it, but we must not really care. We have the illusion of care, but we don’t really care. If we did, we would nail the basics. We don’t like the basics because the basics are work. The criminals like that we don’t like the basics because they have less work too. We do less work, they do less work. Maybe that’s the twisted win-win here.
  • We adopt technology much faster than our ability to secure it. We live in an easy button, instant gratification, entitlement world where we lust for new features, blinking lights, and hot gadgets. Every day, we add more and more complexity to our lives, pushing good information security further and further out of reach. Complexity is the worst enemy of security.

The cost of cybercrime seems like a cost we’re willing to accept and it’s definitely a cost we’re going to pay. This doesn’t magically go away, and the endgame is actually pretty scary to think about.

The Ugly.

There are the wolves (the criminals) and there are the wolves in sheep’s clothing (those in our industry who take advantage of others in our industry). There’s a population within our industry who doesn’t give two sh*ts about protecting the innocent, but instead prey on their fear and ignorance. These are the vendors and marketers who will keep selling you crap you don’t need, can’t use, or doesn’t work. Some of these players are very big, and I won’t name names, but you know who they are.

The illogical acceptance of vendor BS:

Vendor: “Buy my thing, you need it.”

Ignorant Victim: “OK, if you say so. It looks cool.”

 

Ignorant Victim: “Hey, I think your thing is making me vulnerable.”

Vendor: “Well you have to patch my thing.”

Ignorant Victim: “But it’s your thing, why do I have to patch it?”

Vendor: “Because when you bought it, the liability became your thing.”

Ignorant Victim: “OK. How often do I need to patch your thing?”

Vendor: “We don’t know, maybe monthly.”

 

Ignorant Victim: “Hey, I don’t think your thing works.”

Vendor: “Oh, that’s because you didn’t configure it right.”

Ignorant Victim: “How do I configure it right?”

Vendor: “You can try reading the manual or you can attend our training. Attending our training is recommended, and it’s only $5,000.”

Ignorant Victim: “OK, so I should pay $5,000 to learn how to use your thing that I paid you for?”

Vendor: “Yep, that’s how it works.”

 

Ignorant Victim: “Hey, a criminal hacked your thing and stole a ton of stuff from us.”

Vendor: “That sucks. Oooh. Looks like you didn’t have our other thing that would protect the first thing from criminals.”

Ignorant Victim: “So I need to buy another thing from you to protect your first thing that was supposed to protect me?”

Vendor: “Yep. Times change and we gotta keep up.”

 

Ignorant Victim: “Hey, me again. Looks like somebody compromised the first thing again, even though we had the second thing.”

Vendor: “Yeah, that’s because we don’t support the first thing anymore. You should have gotten the nextgen first thing.”

Ignorant Victim: “But it seems like the first thing should have done the things that the nextgen thing does now.”

Vendor: “Well, not really. The nextgen thing uses this new proprietary technology that nobody knows about or can explain.”

 

Ignorant Victim: “I don’t think the nextgen thing is serving our needs anymore. It’s really hard to use and I can’t afford the manpower to run it.”

Vendor: “Lucky you! We’ve got a new cloud nextgen managed service thing! You’ll love it.”

Ignorant Victim: “Cool! Do I still need the nextgen first thing and the second thing?”

Vendor: “We can get rid of the nextgen first thing because we moved that to the cloud, but you should keep the second thing. One more thing, we need to add a third thing so we can talk to the cloud through it.”

 

Vendor: “So how you liking this cloud thing? We just released the hypergen version, and I’d like to show it to you. Oh, and by the way you’re still patching the first thing and third thing, right?”

Ignorant Victim: “Patching? Um, yeah, we’re doing that. Tell me more about this hypergen thing.”

 

Vendor: “Oh crap! Our nextgen cloud thing got hit. You suffered because you weren’t in our hypergen thing yet. We’ve added a new feature to the hypergen thing that you’ll need too. It’s super cool, it’s a feature that can think for itself! We call it ‘artificial intelligence’. It’s finally the easy button we’ve all been looking for!”

…and the insanity never ends.

 

Some marketers and vendors in our industry are top notch, but there are far too many who will sell you anything to get your money. They don’t care if it’s the thing you should buy or if it’s a thing you can even use. Just buy it.

Somehow, someday, we need to hold information security product and service vendors accountable for:

  • Making sure their products and/or services do what they say they do. False advertising needs to go.
  • Making sure they don’t sell things that aren’t the right fit. Stop selling customers (or victims) things they can’t use, aren’t ready to use, or shouldn’t use.
  • Making sure they’re held liable for damages caused in full or in part because of their faulty products and/or services.

The truth is, any organization that doesn’t understand and practice information security fundamentals is the PERFECT victim for the criminal AND the wolf in sheep’s clothing. What are the fundamentals? Good you asked.

Information Security Fundamentals

I won’t spend a ton of time on this because we could write a book on this. Wait a second. I did, and so have others.

Briefly…

  1. Roles and responsibilities. Who’s responsible for what and what’s expected of them? Once defined, motivate and hold people accountable.
  2. Asset management. You can’t possibly protect the things you don’t know you have. If asset management seems too complex, it’s probably because your environment is too complex, and something’s out of whack. Assets come in three flavors: hardware, software, and data. You could add “people” as an asset too, but you know, people are hard.
  3. Control. Only now can you determine what controls are adequate. You can’t secure what you can’t control, and there’s lots to do here. Configuration control, access control, change control, etc.
  4. Wrap all this in risk management. Information security IS risk management.

Don’t know what risk management is, or not certain? Make it simple:

  • Assess, Decide, Implement/Do, Assess, Decide, Implement/Do, etc.
    • Risk Assessment – good assessments are objective, measurable, comprehensive, and actionable.
    • Decide – only four choices here: accept the risk, mitigate the risk, transfer the risk, or avoid the risk.
    • Implement/Do – do the work it takes to make the decision a reality.
  • Risk is the likelihood that something bad will happen and the impact if it did. Likelihood and impact are driven by threats and vulnerabilities. (Note: you won’t know your vulnerabilities without asset management.)
  • If we’re talking “information security”, we’re talking about operational/administrative controls, physical controls, and technical controls. This is NOT an IT issue.

In Conclusion

M is for money. Lots of money.

Some people say this is a dog eat dog world. I like dogs. They’re wonderful creatures. Often the difference between what makes a good dog and a bad dog is how they were raised. I believe all dogs were good at the start, but some got stuck with sh!tty owners.

The good dog – The good dog serves others. They’re loyal, selfless, dependable, loving, etc. Most people in our industry are “good dogs”, myself included. We’re in this for the right reasons, and we make money as a reward for the good honest work we do.

The bad dog – The bad dogs serve themselves. They steal, fight, hurt others, etc. The criminals are “bad dogs”, but sadly so are some people in our industry. They make money by taking advantage of others. Most bad dogs know they’re bad, but some lack the self-awareness to know any better.

Be a good dog. Make lots of honest money AND make a positive difference in the lives of the people we serve!

UNSECURITY Episode 128 Show Notes

Oh boy. Chalk last week up as “the lost week”.

I live in a suburb of Minneapolis, Minnesota (MN). The same Minneapolis, MN where George Floyd died last May, sparking civil unrest around the world. The same Minneapolis, MN where the eyes of the world are anxiously awaiting the verdict in the trial of former police officer Derek Chauvin, charged with second-degree murder in George Floyd’s death. The same Minneapolis, MN where Daunte Wright lost his life on April 11th, at the hands of 26-year veteran police officer Kimberly Ann Potter.

Minneapolis seems like ground zero for crazy.

Me being me, I don’t like when things don’t make sense. Despite knowing it’s best to let some things go, I decided to embark on a journey of self reflection and sense-making.

The result?

I learned how I process things. I learned I love people. I learned I’m not crazy. I learned we have significant problems facing our society, and not enough people willing to solve them. Even worse, the leaders we elect to solve problems selfishly use problems to score popularity points and ignorant votes. If our leaders wanted to solve problems, they would. Simple as that.

More to come, but we have a podcast to do!

Special Guest – Roger Grimes

In this episode of the UNSECURITY Podcast, we’re joined by a good friend, a bona fide information security authority, renowned author (of 12 books), and all around awesome human being, Roger Grimes. This is a man I respect deeply and hold in very high esteem. We are information security kindred spirits in a way, and we’re honored to welcome him on our show!

Things about Roger:

  • LinkedIn Profile – https://www.linkedin.com/in/rogeragrimes/
  • Information technology and/or information security expert since the mid-late 1980s
  • Written more than 1,200 national magazine articles on information security and was the weekly computer security columnist for InfoWorld/CSO magazines from 2005 to 2019
  • His “goal in life is to get more people and companies to use data and the scientific method to improve their computer security.” He goes on to state, “If I leave this world without having made the Internet a safer place for all people to compute, I have failed.” See, my kind of guy!
  • Spent more than 11 years as Microsoft’s Principal Security Architect.
  • Written 12 books (and working on two now), including:
    • Hacking Multifactor Authentication
    • Cryptography Apocalypse
    • A Data-Driven Computer Defense
    • Hacking the Hacker
    • Malicious Mobile Code
    • And more…

Seriously dig this guy, and pumped that he’s joining us this week!

Other Guests Coming

Roger is our first special guest in a series of special guests. We might keep hosting special guests indefinitely. Here’s what’s coming soon:

  • Episode 129 Special Guest – Ron Woerner
    • I met Ron through my good friend Ryan Cloutier, and I’m very grateful for it.
    • Ron has a laundry list of accolades. He’s the CEO and President of Cyber-AAA, Professor of CyberSecurity Studies at Bellevue University, featured speaker at the RSA conference for more than 12 years, and much more.
  • Episode 130 Special Guest – John Strand
    • Believe it or not, I have never met John in person. Despite running in some of the same circles for many years, this will be the first time I meet him.
    • John also has a laundry list of accomplishments. He’s the Founder and Owner of Black Hills Information Security, Senior Instructor with the SANS Institute, teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Detection for System Administrators. John is the course author for SEC464: Hacker Detection for System Administrators and the co-author for SEC580: Metasploit Kung Fu for Enterprise Pen Testing. He’s also presented at the FBI, NASA, NSA, DefCon, and lots of other places.

We’re finalizing details with guests for episodes 131 and 132 too. Lots of GREAT conversations to come!

Let’s get right to it, show notes for episode 128 of the UNSECURITY Podcast…


SHOW NOTES – Episode 128 – Tuesday April 20th, 2021

Recorded Friday April 16th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 128, and the date is April 20th, 2021. Joining me is my good friend, great guy, and infosec expert Brad Nigh. Welcome Brad!

Also joining the UNSECURITY Podcast is our special guest, Mr. Roger Grimes! Welcome Roger. It’s an honor to have you on our show!

Introducing Roger Grimes

Some of our listeners may not know Roger. That’s about to change! He has a fascinating information security mind, and we’re all sure to learn some things.

  • Open Discussion.
  • Top of mind things.
  • Current projects.
  • Current events.

Roger and I first met through a friend, Steve Marsden, a few years ago. Almost immediately it became clear that we see information security the same way. Soon after our first conversation, I flew out to see Roger give his talk at the RSA conference and have lunch with him and his wife. It confirmed that he is the “real deal” and I flew on to my next destination immediately after lunch. Since then, we’ve kept in touch, and he even served on SecurityStudio’s board of directors for a time.

This will be a fun conversation, guaranteed!

News

We’ll probably skip news in this show. Guessing that Brad, Roger, and myself will have no problem filling the entire show with good discussion.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Closing – Thank you to all our listeners! HUGE thank you to Roger for joining us. If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Roger, where would you like people to connect with you? (his Twitter handle is @rogeragrimes). Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

L is for Layers

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

So, now the beloved letter “L”.

Lethargic Larry’s lackadaisical use of network layers, and his leisurely approach to security let lazy criminals move laterally throughout the lattice, leaving his league of lawyers lamenting the long laborious litigation laid before them from the lye leaked into the lotic.

For the purposes of the Information Security ABCs, “L” is for “Layers”.

To best apply the word “layer” with our definition of “information security”, let’s review both definitions quick. The word “layer” has several definitions in the English language, and here are two:

  • a thickness of some material laid on or spread over a surface: a layer of soot on the windowsill; two layers of paint.
  • something lying over or under something else; a level or tier: There can be multiple layers of metaphor in a single poem.

You remember our definition of “information security” right? Maybe. Well, in case you forgot, it’s managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

So, what is an “information security layer” or “security layer” for short?

What is a Security Layer?

In the context of information security, we use the term layers to describe the controls, most often preventative controls. A single layer is less strong (or effective) than multiple layers. For multiple layers, we just stack one layer on top of another (logically) to make our security (and protection) stronger. Here’s an analogy:

  • Bullet-resistant glass is constructed using multiple layers of laminated glass. The more layers there are, the more protection we get from the glass. Note, the glass is bullet “resistant” and not bullet “proof”. A projectile that is powerful enough will get through. The point is, the layers make the protection stronger.

  • Attacker-resistant networks are constructed following the same concept, but using multiple layers of network protection (segmentation and isolation, maybe provided by firewalls) instead of multiple layers of laminate glass. The more layers there are, the more protection we get from the network. Like the bullet resistant glass, attacker resistant networks are never attacker “proof”.

Multiple layers make protections stronger; they complement and compensate for each other. Here are a couple more examples:

  • The most common control for authentication is a username and password, a single layer (often referred to as a “factor”). If we add another layer to the authentication, maybe a hardware token (like YubiKey or RSA SecurID), a biometric (like Face ID), or a software token (like Google Authenticator or SMS text), we’ve significantly strengthened the control. We call this multi-factor authentication (MFA), but it’s also multiple layers.
  • A building is protected by exterior controls (walls, windows, doors, etc.). A single layer of protection might be provided by the walls and a single entry door. Once an attacker breaches the door (or wall or window) and gains entry to the building interior, there would be nothing left to stop them from taking anything they wanted or assaulting anyone inside. A simple multi-layer approach might employ additional locked doors between the single exterior entry point and office spaces, between office spaces and mail rooms, between office spaces and data closets, etc., etc.

Layers are important for safety

As one who lives in a cold weather climate, I can assure you that layers are an essential part of staying safe in cold weather. As with all things, having the appropriate number of layers is critical: too many layers and you overheat and struggle to move, not enough layers and you will freeze.

When it comes to using layers in security, the same principle applies: too many layers prevent effective use, and not enough layers lead to unnecessary risk and danger.

Layers are part of defense in depth

We like to use the analogy that security is like an onion. We say this because an onion has many layers, and each layer is needed to make a whole onion. In security it is no different: you may need many layers to make the whole security program effective.

Layers are the cornerstone of defense in depth. Defense in depth is a security concept that states security should be implemented in overlapping layers that provide the three elements needed to secure assets (prevention, detection, and response), while seeking to offset the weakness of one security layer by strengthening it with two or more additional layers. This is the #1 reason for using multi-factor authentication (MFA) to strengthen the security of your username and password.

Let’s take a deeper look at the various security layers we encounter most often.

Physical

The physical layer consists of the things you can touch: fences, locked doors, surveillance cameras, mantraps (a room where one door locks behind you before the door in front of you can be opened), security guards, etc. This is the first layer of any security program; all the other layers are ineffective if the systems can be physically accessed by bad actors. Having an appropriate level of physical controls in place is critical to ensuring the rest of the security layers are effective. After all,

“It doesn’t matter if your server runs the greatest security software of all time when someone steals the server.”  

Access Control

The access control layer comes in two forms, physical access and logical access; both serve the same purpose, to limit access to sensitive systems and data to authorized personnel (approved users only). The most common physical access controls are door locks, and the most common logical access controls are passwords (used in combination with a username).

Access control gives us the ability to restrict and monitor who is accessing what, and physical and logical access controls can have many sublayers. For example, a locked door could have additional layers (controls) of security such as a surveillance camera or security guard. Logical examples include multi-factor authentication (MFA), covered earlier, or performing logical access audits on a periodic basis.

Application

The application security layer is all about providing protection to applications and the data applications use. Security controls on the application layer require additional consideration, as poorly configured security controls can degrade the performance, stability, and overall usability of an application. Inadequate or missing security controls at the application layer present significant risks, such as data loss, data integrity issues, backdoors/malware, additional unauthorized network access and service interruption.

Ransomware, Distributed Denial of Service (DDoS) attacks, SQL injection and cross site scripting are some of the attacks targeted at the application layer.

Taking a multi-layered approach to application security is a best practice. Using a Web Application Firewall (WAF) for web-facing applications, secure web gateway services for Internet access, logging and monitoring of application activities, and training aimed at improving user behaviors are great starting points to consider for a multi-layered approach to application security.

Network

The network layer is responsible for connecting systems together. Systems within an organization are likely to need communication capabilities with each other to operate, and connectivity to the Internet may also be required. This is the layer where a standard firewall lives. You know, that thing we traditionally think of when we talk about cybersecurity (BTW, cybersecurity is not information security. They’re like cousins)?

Think of the network layer as your first chance and last chance; it is your first chance to detect suspicious traffic/behaviors, and it’s your last chance to stop data from leaving your network. The network layer has two directions that must be considered in your protection approach, inbound (sometimes called “ingress”) and outbound (sometimes called “egress”). Controlling and monitoring data and traffic in both directions is critical, although this is contrary to current practice in many organizations.

The Crunch Shell and Gooey Center

Most networks are secured (poorly) with a “crunchy shell” and “gooey center”. Traditionally, we’ve focused so much on establishing a strong perimeter (“crunchy shell”) that we neglect to account for what happens when an attacker gets through the perimeter. There are few restrictions in place, and we’re left with our “gooey center”. In most networks, once an attacker gets through the perimeter (trivial in many cases), they have free rein to move laterally throughout the network until they find valuable data. Once the attacker finds valuable data, they are rarely restricted in exfiltrating the data because of ineffective egress traffic restrictions.

The two most common mistakes in network security layering include:

  • Too much focus on the perimeter.
  • Too much focus on restricting traffic inbound and no (or very little) focus on traffic outbound.
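To make the two mistakes concrete, here is an added example (not code from the original post or from any product it mentions): a toy first-match firewall policy evaluator in Python that compares a perimeter-only “crunchy shell” ruleset with a layered, default-deny ruleset that segments internal zones and forces egress through a proxy. All subnets, hosts, ports, and sample flows are constructed for the example.

```python
# Added example (not from the original post): contrast a perimeter-only
# "crunchy shell" firewall policy with a layered, default-deny policy.
# All subnets, hosts, ports and flows below are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # CIDR the source address must fall in
    dst: str                      # CIDR the destination address must fall in
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed network (RFC 1918 inside, documentation ranges outside).
ANY = "0.0.0.0/0"             # note: also matches internal sources
INTERNAL = "10.0.0.0/8"
WORKSTATIONS = "10.1.0.0/16"
WEB_SERVER = "10.2.0.20/32"
DB_SERVER = "10.2.0.10/32"
EGRESS_PROXY = "10.2.0.30/32"

# Crunchy shell: inbound is filtered, but inside the perimeter everything
# talks to everything and any host may reach the Internet directly.
CRUNCHY_SHELL = [
    Rule("allow", ANY, WEB_SERVER, 443),
    Rule("allow", INTERNAL, INTERNAL),      # no internal segmentation
    Rule("allow", INTERNAL, ANY),           # unrestricted egress
]

# Layered: the same inbound rule, plus segmentation between internal
# zones and egress only through a proxy. Everything else falls to the
# default deny, so lateral movement and direct exfiltration are stopped.
LAYERED = [
    Rule("allow", ANY, WEB_SERVER, 443),           # customers and staff reach the app
    Rule("allow", WEB_SERVER, DB_SERVER, 5432),    # only the app may talk to the DB
    Rule("allow", INTERNAL, EGRESS_PROXY, 3128),   # outbound goes via the proxy
    Rule("allow", EGRESS_PROXY, ANY, 443),         # the proxy alone reaches the Internet
]

# Constructed sample flows a defender would want to reason about.
FLOWS = {
    "customer -> web app": ("203.0.113.7", "10.2.0.20", 443),
    "workstation -> web app": ("10.1.4.25", "10.2.0.20", 443),
    "workstation -> proxy": ("10.1.4.25", "10.2.0.30", 3128),
    "lateral: workstation -> workstation SMB": ("10.1.4.25", "10.1.9.3", 445),
    "lateral: workstation -> database": ("10.1.4.25", "10.2.0.10", 5432),
    "exfil: workstation -> Internet direct": ("10.1.4.25", "198.51.100.9", 443),
    "exfil: database -> Internet DNS": ("10.2.0.10", "198.51.100.9", 53),
}


def compare(flows=FLOWS):
    """Map each flow name to (crunchy-shell verdict, layered verdict)."""
    return {name: (evaluate(CRUNCHY_SHELL, *flow), evaluate(LAYERED, *flow))
            for name, flow in flows.items()}


def blocked_only_by_layering(flows=FLOWS):
    """Flows the perimeter-only policy lets through but the layered one stops."""
    return sorted(name for name, (shell, layered) in compare(flows).items()
                  if shell == "allow" and layered == "deny")


if __name__ == "__main__":
    for name, (shell, layered) in compare().items():
        print(f"{name:45s} crunchy-shell={shell:5s} layered={layered}")
```

Every flow is allowed by the crunchy-shell policy, including both lateral moves and both exfiltration paths; the layered policy still serves customers and staff but denies those four, which is the “less is more” point of the section.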

An important note about the “perimeter”, especially with the explosion of remote work due to COVID-19, is that there is no perimeter. At the very least, there are many perimeters. All the more reason for a layered approach.

Some of the tools used to secure the network layer are firewalls, security information and event management (SIEM) tools, network intrusion prevention systems (NIPS), network intrusion detection systems (NIDS), logging and packet capture devices, network-based data loss prevention (DLP), email filtering, and web filtering.

The better the network layer is secured and monitored, the higher your chances of seeing something in time to stop the “something” from being very bad. Some of the controls we use to secure the network layer are physical and some are logical. The best approaches are usually a blend of both. When it comes to securing the network layer, less is more, and more is less.

Whoa, did I just blow your mind?! How can it be both more and less you might ask.

The answer is painfully simple: the more restrictive you are with what you allow on the network without knowing what it does or why, the fewer issues you will have to chase down later. Knowing what something is, why it’s on the network, why it’s important to the business, and how it works/behaves during normal operation is invaluable when it comes to securing the network layer. The better you understand what’s on the network and how it operates, the better your firewall rules, IPS, IDS, WAF, log data, SIEM, and other security controls can be configured. This always results in fewer things to chase and less time elapsed between detection and response.

Remember, when it comes to network access, less is more! (This is the concept of least privilege.)

While the network layer has traditionally gotten the most attention from security professionals over the years, and is where the concept of perimeter defense is rooted, it is only one of the many layers you need to design and manage an effective information security program.

Host / Platform

The host layer is where virtualization happens and where operating systems live, virtual or not. This is also the layer where computers, servers, Internet of Things (IoT) devices, and all other devices (with a unique IP address) reside. When we discuss this layer in the cloud (as IaaS or otherwise), we refer to it as the platform layer, and there are some distinct differences in how to secure it. Securing this layer comes with the challenge that most devices need to interact with many applications and services hosted locally and remotely. When we consider all the various other layers and systems at play, we must consider virtualization, application stacks, code libraries, third-party services, integrations and data movements, security patches, upgrades, cloud services, and on and on.

Adding to the challenge, we must do this while balancing the needs of the business and risk.

The WORST ENEMY of security is complexity; therefore, we must combat complexity at all times. This is a huge challenge when dealing with the (sometimes unreasonable) demands of the business. Using a simplified approach whenever possible, and leveraging a layered approach to information security, will make your life easier and your protections more effective. Believe it or not, the fundamentals are still the most effective security controls out there.

Honorable mentions for “L”

  • Lag
  • LAMP
  • LAN
  • Laptop
  • Laser Printer
  • Latency
  • Lazy Loading
  • LCD
  • LDAP
  • Lead
  • Leaderboard
  • Leading
  • Leaf
  • LED
  • Let
  • Left-Click
  • Leopard
  • LFN
  • LIFO
  • Lightning
  • Link
  • LinkedIn
  • Linux
  • Lion
  • LISTSERV
  • Live Streaming
  • Load Balancing
  • Localhost
  • Log File
  • Log On
  • Logic Error
  • Logic Gate
  • Login
  • Long
  • Loop
  • Lossless
  • Lossy
  • Low-Level Language
  • LPI
  • LTE
  • Lua
  • LUN

So, there it is folks. The letter “L” is for “Layers”.

The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics). APPLY THE BASICS!

On to “M”!

K is for Key

In kindergarten (or thereabouts) we learned the ABCs of the English language (assuming we’re from the U.S.). Learning the ABCs provided the foundation necessary to form words. Before long, words became sentences, sentences became paragraphs, and paragraphs became chapters, reports and books.

The ABCs of Information Security are important in much the same way the ABCs for English are. We start with learning and mastering basic concepts. Basic concepts begin to combine with other basic concepts to form the foundation of an information security program. In time, advanced techniques are applied on top of the solid foundation, and a world class information security program is born.

The Information Security ABCs are written as education for people who don’t speak information securitynese yet, and they’re good reminders for people who already speak information securitynese fluently.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

And here we are, ready for “K”. “K” doesn’t get much respect in the English language, appearing with a frequency of only 1.1% (compared to “E” and its 11.16%). All letters deserve respect, and “K” can brag that it isn’t as lonely as poor “Q” (.196%).

Some alliteration…

Our kindhearted kin are kayoed, watching their kingdom go kaput while losing the kitty to knave knuckleheads, all because they didn’t know key concepts, built knotty networks, and failed to kindle interest from kleptocratic leaders.

For the purposes of the Information Security ABCs, “K” is for “Key”.

The word “key” has many applications in information security. It’s one of a few words that fit across the spectrum of what information security is:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

There are physical keys, logical (or technical) keys, and all the “other” keys.

Physical Keys

Physical keys are used to open physical locks. Physical locks are used to secure physical things. Physical “things” might be a locker, a door, a window, a safe, or any number of other “things”. Don’t confuse physical key locks with other physical locks. Combination locks and keypad locks aren’t physical key locks, but they have keys too. The key in these locks is the combination.

Confused? Don’t be. Here are the most common types of physical key locks.

Types of Keyed Locks

IMPORTANT: Every physical key lock is susceptible to compromise (picking, bumping, impressioning, etc.), but some are much harder than others to bypass.

  • Pin cylinder (or pin tumbler) locks – a lock with pins that must be aligned with a shear line to turn the cylinder (open the lock). The key is specifically shaped to lift the pins to align with the shear line. The number of pins in these locks varies, but the most common are 5- and 6-pin locks.

  • Lever (or lever tumbler) locks – the key lifts each of the levers to the exact height required to move the locking bolt. The most common lever lock is one with three levers, but you’ll need a five-lever lock (or more) to get home insurance in many cases.

  • Wafer (or wafer tumbler) locks – like the pin tumbler lock but uses flat wafers instead of pins.

  • Warded locks – obstructions are used within the lock to prevent anything but the correct key to turn. One of the oldest lock designs, and only used in low security applications today.

  • Disc detainer (or disc tumbler) locks – uses slotted rotating rings where the slots must be aligned to unlock. Harder to pick and sometimes sold as “high security” locks.

Keys open locks. Simple, right?

Again, don’t forget that ALL physical locks are susceptible to picking or bypass. Here’s a look at a couple of pick sets.

Logical Keys

Logical keys are very commonly used to protect assets too. The three most widely used references to logical keys in information security are:

  • Secret Key – this often refers to a type of cryptography (“secret-key” encryption, or algorithm) and the key itself. Secret-key encryption is also referred to as symmetric encryption (not to confuse anyone). In this type of encryption, the same key (secret key) is used to encrypt and decrypt data. The key can take the form of a simple password, a passphrase, or any other combination of bits/bytes. Popular symmetric-key algorithms include AES (Rijndael), Twofish, DES, 3DES, RC4, and others.
  • Public Key – this term refers to a type of encryption and the key itself too. Public-key cryptography is also referred to as asymmetric cryptography because one key is used to encrypt the data and a separate (but related) key is used to decrypt the data. If the public key is used to encrypt, only the private key can decrypt, and vice versa. The public key is often freely distributed while the private key is kept, you guessed it, private. Common asymmetric-key algorithms include RSA, Diffie-Hellman (key exchange), Elliptic Curve Cryptography, and others.
  • Private Key – private keys are paired with public keys in asymmetric encryption algorithms. These are sometimes referred to as secret keys, but not the same secret keys as those used in symmetric encryption (because we like to reuse words and confuse people I guess).

It’s common to use asymmetric encryption to establish communications and exchange secret keys, then use symmetric encryption to exchange data. This is because symmetric encryption is stronger (per bit of key length) and faster.
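The hybrid pattern just described, as an added example that is not from the original post: the recipient’s asymmetric (RSA) public key wraps a freshly generated secret key, and that symmetric key (AES-256 in GCM mode) carries the data. Written in Go using only the standard library; the key sizes, the Envelope structure, and the sample message are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the sender transmits (an assumed layout for this example):
// the secret key wrapped with the recipient's public key, plus the nonce and
// the AES-GCM ciphertext (which carries its own authentication tag).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal performs the two steps the post describes: asymmetric encryption to
// protect the secret key, symmetric encryption to protect the data.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// A fresh 256-bit secret (symmetric) key for this message only.
	secretKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, secretKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(secretKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM nonces must never repeat under the same key; a random nonce with a
	// single-use key satisfies that.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// Only the holder of the matching private key can recover secretKey.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, secretKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal: unwrap the secret key with the private key, then decrypt.
// Any modification of the ciphertext is rejected by the GCM tag check.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	secretKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap secret key: wrong private key or damaged envelope")
	}
	block, err := aes.NewCipher(secretKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed integrity check")
	}
	return plaintext, nil
}

func main() {
	// The recipient generates the key pair; only the public half is shared.
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := Seal(&recipient.PublicKey, []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	plaintext, err := Open(recipient, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", plaintext)
}
```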

Other Uses of “Key”

The word key and security (and information security) are like second cousins. They’re different but related to each other. The image of a key (or padlock with keyhole) is often used symbolically to reference information security, like the graphic below.

Then there are information security “key” concepts, like:

  • Information security is risk management.
  • Information security protects the confidentiality, integrity, and availability of information.
  • Information security is a business issue, not an IT issue.
  • You can’t prevent all bad things from happening (eliminate risk), so you must have something in place to detect the bad things and something in place to respond appropriately too.
  • And many, many more…

More use of the word “key”:

  • Key Chain
  • Key Distribution Center (KDC)
  • Key Escrow
  • Key Fob
  • Key Generator (Keygen)
  • Key Length
  • Key Performance Indicators (KPI)
  • Key Risk Indicators (KRI)
  • Key Value Store
  • Key-Value Pair (KVP)
  • Keyboard
  • Keyboard Buffer
  • Keyboard Macro
  • Keyboard Shortcut
  • Keycap
  • Keygen
  • Keylogger
  • Keypad
  • Keystroke
  • Keystroke Logger
  • Keyword
  • Keyword Stuffing

So, there you go. The letter “K” is for “Key”. The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics).

On to “L”!

J is for Jaded

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

And now for “J”.

One is justified in their joy and jubilation from the judicious and just protection of information.

The jibes, jeers, judgement, and jitteriness of losing to jackanapes along our journey through the jargon, jabberwocky, jactitation, jostling and jackassery of our juvenile industry makes us justifiably jaded.

There you have it.

“J” is for Jaded

We’re not all jaded all the time, but too many of us jaded too often.

Feeling jaded seems to come with the territory. As someone who works in this industry, sometimes it feels like we’re fighting a fight that can’t be won, we’re losing ground, and that life has given us the short end of the stick. Given enough time in this industry, you’ll either become jaded or you’ve fought hard against becoming so.

If you’ve done something so much that it doesn’t excite you anymore but just leaves you tired, consider yourself jaded. If someone says you look a little jaded, it just means that you look tired.

https://www.vocabulary.com/dictionary/jaded

The formal definition of “jaded”, courtesy of George Merriam and Noah Webster (not really, these two are long gone and Merriam Webster, Inc. was acquired by Encyclopedia Britannica, Inc. in 1964):

  1. Fatigued by overwork : EXHAUSTED
  2. Made dull, apathetic, or cynical by experience or by having or seeing too much of something.

Being fatigued, exhausted, overworked, dull, apathetic, and cynical are not things we should aspire to.

Jaded is Bad

There is nothing good about being jaded. People who are jaded live a sad life, or at the very least, a life with less joy than there should be.

Here’s what Dr. Stephen Diamond (a clinical and forensic psychologist) has to say about jaded people:

bitter, jaded people tend to project a self-righteous attitude suggesting they’re justified in feeling resentment. They’re often bored and cynical. They observe and criticize more often than they participate. Because they believe they’ve been burned, they no longer have the trust necessary to build solid, positive relationships. They believe the world is unfair and freely express their impatience and anger. They no longer expect success, but don’t accept responsibility for their failures; instead, they blame others. They’re almost always irritable and frequently express annoyance in most situations.

The highlighted words represent traits that are too common with people in our industry, some of these people we know personally, and maybe one of those people is you.

Jaded people often lash out at others. Bitter sarcasm and criticism are hallmarks. They often feel like they’re victims of what they perceive as injustice. The injustice leads to resentment, anger, and general unhappiness. Jaded people are more likely to suffer from burnout, mental health issues (depression, anxiety, et al.), broken relationships, and chemical dependency (self-medication).

Again, think about people we know in our industry; the people we fight alongside every day. There are people we know personally who have a self-righteous attitude, criticize more than they should, and have lost patience with “dumb users” and/or “incompetent management”. Dialogs such as these are examples:

US: “We need to educate our users and constantly make them aware of information security dangers.”

JADED US: “Why waste our time or money? They don’t get it and they never will. They just keep clicking on links and choosing sh*tty passwords.”

OR:

US: “Let’s figure out a better way to communicate with executive management and the board. If they understood better, we’d be able to secure the budget we need.”

JADED US: “What’s the use? Management doesn’t give two sh*ts about information security!”

Someone who’s jaded has given up, lost hope, and just exists to exist. They’re debilitated and they’re debilitating to the people around them. Someone who isn’t jaded, is still fighting the good fight.  They’re relaxed, rested, energetic, and active. Jaded people have a negative impact. People who aren’t jaded make a positive difference, creatively solving problems and hoping for better outcomes. The truth is, jaded people hurt themselves and others. People who aren’t jaded help themselves and others.

Jaded people hurt themselves and others.

Jaded people are NOT bad people. Please don’t make this mistake. Often, they are good people who care(d) deeply about something. They care(d) so much, they took it personal and suffer(ed) for it.

Too simple? Maybe, but the point is this: we need to do everything we can to avoid becoming jaded.

But how?

Start with a simple and honest self-evaluation; are you jaded? If you’re not sure, ask someone close to you. Then decide:

  • If you’re jaded, choose to come back or not.
  • If you’re not jaded, learn how to keep yourself from becoming jaded or not.

The mindset and skills are the same either way.

People who work in our industry often (or always) find our work stressful. When we become jaded, we negatively impact our quality of life and become much less effective in our work. Back to our definition of the word; jaded people are fatigued by being overworked and/or made dull, apathetic, or cynical by experience. Being jaded is not acceptable to me, and it shouldn’t be acceptable to you either. So, let’s do something about it.

Fatigued, Overworked, and Exhausted

People who work in our industry are some of the most passionate, motivated, and intelligent people anywhere in the world. We’re unique and we’re amazing! The passion pushes us to work our tails off, mostly without appreciation beyond our paycheck (we do get paid well though). Some of us work 50, 60, 70+ hour weeks, forgo vacations, and sleep much less than we should. Our passion will work against us when/if we’re not in balance. The constant hard-driving workload can lead to fatigue and exhaustion. Eventually, something has to give.

To make matters worse, it doesn’t matter how many hours we put in, security incidents are inevitable. No matter what we do, we cannot prevent all bad things from happening. When the bad thing happens, then “they” notice; the appreciation we longed for becomes condemnation. Nobody cares about the 1,000s of hours we put in, often while others weren’t watching. They want to know why the bad thing happened and who’s to blame.

Feeling any injustice? Oh, how we need tools to fight against becoming jaded! So, what to do?

Priorities

Somewhere along the line, we might get our priorities messed up. Our job is a job. We do it as well as we can, but we must recognize that work is not life. Work is part of life, but it is NOT life. Good priorities might look something like this:

  1. Faith
  2. Spouse (if you’ve got one)
  3. Family
  4. Work
  5. Friends

Notice how “self” isn’t listed? Self supersedes all priorities. Self-preservation is primal.

You could switch #4 (Work) on the list with #5 (Friends) and still be OK. Regardless, work is NOT in the top three. Bad priorities look like this:

  1. Work
  2. Fame
  3. Money
  4. Spouse
  5. Work
  6. Family
  7. Work
  8. Friends

The first list lends itself to health, the second list lends itself to becoming fatigued, overworked, and exhausted. Couple messed up priorities with the nature of our work; guaranteed failure (if failure is defined as preventing all bad things), and you have a recipe for becoming jaded.

Health (Spiritual, Mental, and Physical)

All health requires maintenance. If we’re not maintaining our health, we can expect it to fail (eventually) and we can expect it to suck.

This isn’t the place or time to preach Jesus to you, but we all need a spiritual “higher power”. This is the place we go when the world doesn’t make sense, and we all know the world doesn’t make any damn sense, right?! If you need help finding a spiritual advisor, reach out to a close personal friend for guidance. If you don’t have a close personal friend to trust for this guidance, you get my advice; seek Jesus! That’s all the preaching you’ll get (for now).

According to the National Institute of Mental Health, nearly one in five U.S. adults live with a mental illness (51.5 million people in 2019), and less than half (44.8% or 23.0 million people in 2019) received mental health services. Think about these numbers for a second. Due to the nature of what we do and the stress related to it, the percentages for us are probably worse than for the U.S. population. Most of us rely VERY heavily on our minds, and if our minds are broken, then what? If you need help, or think you might need help, here are some great resources to check out (DO NOT IGNORE THIS):

It’s easy to overlook our physical health, but we can’t. Most of us sit for hours on end at a computer keyboard. This is not healthy. We must get up, get out, exercise more, and eat healthier. There’s nothing glamorous about dying of a heart attack while reverse engineering a piece of code.

Our health has a direct impact upon being jaded. The more unhealthy we are, the more likely we are to become jaded. The inverse is also true.

Dull, Apathetic, and Cynical

The second part to our definition of “jaded” is being dull, apathetic, and cynical by experience or by having or seeing too much of something.

Seriously, how many times have we:

  • Seen someone click a link they shouldn’t have?
  • Witnessed someone fall for a phishing attack after we’ve taught them a kajillion times not to?
  • Read about a breach that should have been prevented?
  • Told people to master the basics, only to see them NOT compile/maintain an asset inventory?
  • Shaken our heads at dumb mistakes people (including “we”) make?
  • Beat our heads against the wall trying to get management to give a sh*t?

After a while, shouldn’t we just give up? What’s the use? People keep doing dumb things and making crappy decisions. Aren’t we tired of it yet?!

Spoken like someone who’s jaded.

Maybe it’s not them. Maybe it’s us.

Expectations

Maybe we’re jaded because we have too many or the wrong expectations. We’re less likely to become jaded when things go well, when we experience things that are good (or exceed our expectations). It’s not like we’d say:

  • “Dammit, Jane in accounting picked a great password again!”, or
  • “Life would be so much better if Joe would just click links without thinking more often.”, or
  • “It just sucks when management always gives us the budget we need for information security.”

Absolutely not. Some (or a lot) of our jadedness comes from being disappointed. We’re setting the wrong or unrealistic expectations, leading to disappointment, leading to frustration, leading to becoming jaded. We think expectations are good, but they’re often not.

What did we expect in the first place? Did we actually expect humans to NOT be human? Did we expect management to treat information security like it was THE issue versus AN issue? Did we expect people to listen to us when we don’t speak their language? Did we expect to not have breaches? Did we expect such a thing as risk elimination, or did we realize this is actually about risk management?

If we set expectations, we should expect to be disappointed. Expect disappointment, and if it happens often and long enough, it WILL lead to frustration. Frustration is the last step in the path to becoming jaded. This is the “jade cycle” (simplified), see diagram.

The math: (-e + e2) = -d + -j, where e is expectations, e2 is better expectations, d is disappointment and j is jadedness. Essentially, fewer expectations and better expectations = less disappointment and less jadedness. Living life without expectations is NOT the goal, living a life with fewer and more realistic expectations is the goal.

NOTE: The exception is computers and other logical, binary things. We can always expect computers to do what we tell them to do. Care must be taken with emotional and non-binary (analog) things like human beings.

Summary

Beware and be aware of jadedness in yourself and others in our industry. It makes us less effective and it steals our joy. If you need help, ask for it. Being jaded is more common than many of us realize, and it does nothing to help our cause. The cause being better information security, and through it, better lives.

There is no honorable mention for “J” because it’s a letter we don’t use enough. 😉

Next up, “K”. What are some good relevant words for this letter?

I is for If

The ABCs of Information Security

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

Here’s our progress thus far:

Now for “I”…

“I” is for “if”.*

What if we were less ignorant, imperious, incoherent, irksome and impetuous, but a little more integrous, inoffensive, instrumental, interpersonal, and ingenious? Would we be less inundated with incessant information security incidents?

What if we were less inept and imprudent with the technology that’s so intertwined with every aspect of our daily lives? Would it even be possible to become impenetrable, impregnable and impervious to interminable attacks?

What if?

If we do more of the right things right, and less of the wrong things wrong, just think how much better off we’d be. The people we serve would be safer, we would be saner, and the world would be a better place!

The keys to making “if” closer to reality are less ignorance and more integrity.

What if we were less ignorant?

Ignorance is the lack of knowledge, understanding, or information about something.

Ignorance runs rampant within our industry and amongst the people we serve. People don’t know what information security is or what their personal responsibilities are.

If we were less ignorant, we’d know what information security is, and we’d know that it cannot be separated from privacy or physical safety. We’d know the importance of information security basics, and we’d practice them religiously.  If we were less ignorant, we’d know how vulnerable we are and we’d demand better of ourselves. We’d know what we’re responsible for and what we should hold others accountable for. If we were less ignorant, we’d think twice before plugging that new sexy gadget into our home network. We’d demand more protection in the products and technologies marketed and sold to us incessantly.

By definition, we’re all ignorant. Nobody knows everything, but this isn’t the issue. The issue is being ignorant of something we shouldn’t be ignorant of.

Is it OK to be ignorant of:

  • computer security best practices if you use a computer?
  • Internet security best practices if you use the Internet?
  • what things are running on your home network if you have a home network?
  • online safety best practices if you have loved ones (kids, spouse, et al.) who are online?
  • the most significant organizational security risks if you’re the leader of the organization?
  • information security basics if you’re in charge of information security?

The answer in all these circumstances is “NO”. It’s NOT OK to be ignorant of things you are responsible for.

In today’s world, we can no longer separate information security from privacy or safety; even personal, physical safety. Everything is integrated. A single information security incident has the potential to expose private information, but even worse, it has the potential to kill someone. The truth is, information security is a life skill that all people must learn. Everyone has responsibilities, so what are yours?

Accepting ignorance is a default response when people are confronted with something that seems too complex, too confusing, too technical, or too anything. The key to fighting ignorance is simplification and mastering the basics. The basics are boring, the basics aren’t sexy, but despite these things, the basics are absolutely necessary.

So, what are the unsexy basics?

The first basic principle is to define rules for the game.

At Home
  • If you’re the head of your household, you’re the boss and you make the rules. It’s NOT OK to accept ignorance in this role. Learn what good information security behaviors are, lead by example, and expect others to follow. Ultimately, every bit of data that traverses your home network, every website visited by you and your family members, every device you plug in, everything is your responsibility.
  • If you’re not the head of your household, your job is to follow the rules and provide respectful feedback. No rules? Go see the head of your household and help them define the rules.

Go check out S2Me, it’s a FREE and SIMPLE personal information security risk management tool.

At Work
  • If you’re the CEO (or whatever title sits at the top of the org chart), you’re like the head of the household (above) for your organization.
  • If you’re not the CEO, your job is to follow the rules and provide respectful feedback. No rules? Go see the CEO (or his/her assistant) and help them define the rules.

Quick sidenote: This isn’t the article about writing rules for you, but maybe “R” will stand for rules (later).

No rules = chaos, anarchy, confusion, and disorder. There must be rules. You either define the rules and follow them, or you follow them and provide feedback. Now that you’ve read this, you cannot claim ignorance. You have knowledge, and now you must act.

Knowledge without action is negligence.

I’m not a lawyer, so I won’t give legal advice. The generic definition of negligence is “failure to take proper care in doing something”.  Are you negligent if someone suffers because:

  • you don’t know the right thing to do, but you should?
  • you know the right thing to do, but fail to do it?

Ignorance isn’t bliss, it’s breach.

More than once, I’ve heard the comment “ignorance is bliss”. Ignorance of something you shouldn’t be ignorant of is nothing more than an excuse for laziness and genuinely not giving a sh*t.

What if we were more integrous?

Integrous is the adjective form of integrity.

Integrity is an oft-used word in our industry, and here’s the definition:

  • the quality of being honest and having strong moral principles that you refuse to change
  • someone’s high artistic standards or standards of doing their job, and that person’s determination not to lower those standards
  • the quality of being whole and complete

Integrity applies to our industry in (at least) two ways; the integrity of data and the integrity of personnel responsible for protecting data.

Integrity of Data

If you’ve been in our industry for any amount of time, you’ve surely heard of the CIA triad. It’s an acronym for a fundamental concept; we protect the Confidentiality, Integrity, and Availability of data. Our “I” in CIA refers to the wholeness, completeness, and accuracy of the data we try to protect.

Simple. It’s important to remember that our job goes beyond making sure data is kept secret; we also need to make sure it’s accurate and available (to those who are authorized to access it).

Integrity of Personnel

On this point, it’s hard not to rant. To keep us honest, we’ll over-simplify.

In our industry, there are the practitioners who work their tails off to protect people, and there are suppliers who make things practitioners use to protect people. Practitioners and suppliers; integrity is paramount to both. A lack of integrity in either is terrible and sad.

Practitioners

The person behind the keyboard is an integral part of any information protection strategy. Their integrity must be rock solid and continually verified. Background checks, character references, solid OSINT, etc., are all encouraged before hiring anyone. Address the questionable things before hiring, and not after you’ve given them the keys to the kingdom. Depending upon your comfort level, sensitivity of the job, etc., questionable things should be questioned, but they don’t always need to be a disqualifier. Giving people the opportunity to address the questionable things from their past might be good, given that people change (hopefully for the better).

Verify integrity constantly. At work, a practitioner shouldn’t mind having his/her activities monitored continually. They should see the value in it.

Suppliers

What’s worse, an attacker stealing $100,000 from your organization’s bank account or someone selling you security software that doesn’t work, or you can’t use, or you don’t need, or…? They’re both bad and either way you’re out a hundred grand. Stolen (or wasted) money is money your organization can’t use for better things; market expansion, employee benefits, innovation, etc. Suppliers who sell something to a practitioner when they know it’s not the right thing are like wolves in sheep’s clothing; almost worse than an attacker because at least you know the attacker is bad.

There are many suppliers who operate with integrity in our industry, but we must do a better job weeding out the ones who aren’t.

Summary

There you have it. “I” is for “if”. What if we were less ignorant and more integrous? Things would be much better around here.

*NOTE: “If” was inspired by my good friend Chris Roberts. Thanks!

The UNSECURITY Podcast – Episode 63 Show Notes – Mission

I’m grateful to be back home. Two weeks in Cancun, Mexico where the sun was shining and the temperature was in the 80s. Now, I’m back in Minnesota where there’s a foot of snow on the ground and the temperature is in the single digits. I’m grateful to be back home because I’m with my family again. My FRSecure and SecurityStudio family!

THANK YOU to Brad and Ryan for holding down the fort!

OK, I was in Cancun to begin writing our next book. It’s “our” next book because Brad’s going to write his part and Ryan’s going to add a little flair too. The book is unofficially titled “Securing America” and will start to come together over the next couple of months. The (rough) outline looks like this so far:

  • Introduction
  • Information Security Operating System (ISOS)
    • Components
    • The Cycle
  • Securing America
    • Small Business
    • Local Government
    • Education
    • Home
  • The People Component
  • The Asset Component
  • The Control Component
  • The Process Component
  • The Measurement Component
  • The Journey – All Working Together
  • Starting NOW

If this book is anything like the first one (UNSECURITY), there’s likely to be some changes to the outline, but this is what we’ve got so far.

Alright. On to the show. This is episode 63 of the UNSECURITY Podcast. I’ll be hosting and these are my notes. Joining me in studio will be my co-host Brad Nigh and SecurityStudio’s very own Ryan Cloutier.

Let’s do this!

-Evan


SHOW NOTES – Episode 63

Date: Monday, January 20th, 2020

Show Topics:

Our topics this week:

  • Opening
    • Back Home
    • Book (Securing America) Status
    • What did I miss?
  • U.S. and Iran
    • Finishing the discussion from last week.
    • We’re not out of the woods.
  • The “Mission” and CISSP Mentor Program
    • What is it?
    • Why do we care?
    • How can you join us?
  • News

Opening

[Evan] Hey UNSECURITY Podcast listeners! This is episode 62 and the date is January 20th, 2020. I’m Evan Francen, and it’s good to be back! I’m hosting today’s show, and joining me in studio is my friendly co-host Brad Nigh and my left-hand man Ryan Cloutier. Hey guys.

[Brad & Ryan] They’ll say “hi” or something.

[Evan] Did you guys catch that? I called Ryan my “left-hand man”. Of course you did, you guys read the show notes! You know why I called Ryan my “left-hand man”?

[Brad & Ryan] Stumped. Maybe.

[Evan] Well, I’ll tell you…

[Evan] Alright, I’m back home. It feels good to be back, and it couldn’t have been any better to come back to a bunch of smiling faces at our holiday party on Saturday! What did you guys think?

[Brad & Ryan] Sharing thoughts and such.

[Evan] We have a ton to cover today! Let’s catch-up quick. You guys cool with that?

Catching Up Discussion

  • Back home
    • Holiday Party
    • Q1/2020, Expectations
  • Book (Securing America) things
  • Did I miss anything?

[Evan] Like always, many good things to look forward to. Love you guys and love being back. Last week I had to run halfway through the show. We were talking about tensions between the United States and Iran and how it affects us all. There’s this talk of a cyberwar between us, and I just want to close the loop a little on the topic.

U.S. and Iran Discussion

[Evan] OK, the world’s not likely to end today, but we need to stay vigilant. Complacency and ignorance come with consequences. Switching gears now…

We talk about this mission at FRSecure and SecurityStudio. Brad, you have your take. Ryan, you have yours. I’ve certainly got mine too, but what is this “mission” and why is it important for our listeners to know about it?

Discussion about The “Mission” and CISSP Mentor Program

An open and honest discussion about our mission.

  • What is it?
  • Why do we care so much about it?
  • Are there ways for people to join us? If so, how?

The CISSP Mentor Program Registration is Open!

[Evan] Yes, it’s all about the mission! The theory is if you focus on the mission you’ll make money, but if you focus on the money, you’re certain to miss the mission. Love it! Alright, good talk. Let’s cover a few news stories, and wrap this thing up.

News

There’s always plenty of news in the information security industry. Here are a few stories that caught my eye recently:

Closing

[Evan] Wow. Lots going on and plenty of news to stay up on. I guess this is why they pay us the big bucks, right?

This is the end of our show, and we close these things out pretty much the same way every week. Keep sending us your feedback, tips, or whatever else you’d like us to know at unsecurity@protonmail.com. If you have a suggested guest for us to reach out to, let us know that too.

If you’re the social type, socialize with us on Twitter. I’m Evan and you can find me @evanfrancen. Brad’s a cool cat, and you can find him @BradNigh. Ryan’s not too shabby himself; follow him at @CLOUTIERSEC.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 45 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes. Hope you all had a great week!

For last week’s show, Brad was in studio while I was calling in from Sofia, Bulgaria. Brad was joined by Ryan Cloutier, an awesome return guest. As far as I could tell, it was another great show. I had some connectivity issues, but who doesn’t have connectivity issues in Bulgaria? Brad did a great job holding things together while we chatted about issues such as liability and speaking information security with “humans”.

Catch episode 44 here.

I was in Bulgaria to visit members of our SecurityStudio development team, check out the new office, and spend some time planning future releases of the software. Bulgaria is eight hours ahead, so timing with U.S. resources was interesting.


The trip was very successful and we made significant progress on a number of fronts. While I was halfway around the world, Brad held down the fort. He’s a really good leader and I’m sure he has a bunch of things going on. I didn’t get to check in with him last week, so we’ll ask how he’s doing on the podcast.

Lots of other really cool stuff to share, but I’ll do that in another post or on the show.

Let’s do some show notes now.


SHOW NOTES – Episode 45

Date: Monday, September 16th, 2019

Show Topics:

Our topics this week:

  • Catching Up
    • More Mentor Program success
    • Civic duty example
  • vCISO Revisited
  • Book Announcement

[Evan] – Hi folks, welcome to the UNSECURITY Podcast. This is episode 45 and I’m your host, Evan Francen. Brad’s joining me as usual. Hi Brad!

[Brad] Brad politely says hello to me and by proxy all of our listeners. Good Brad.

[Evan] Man, this is two shows in a row where I’m out of studio. Today I’m stuck in Washington, D.C. for a meeting. Only one day, so that’s good. What’s up with you?

[Brad] Stuff and things.

[Evan] We haven’t recorded together in person the last couple of weeks, and I haven’t even been able to catch up with you. You cool if we catch up quick?

[Brad] Brad will probably say “yes”.

[Evan] Alright, let’s start with your week. Tell us what you’ve been up to.

Catching up

  • What Brad’s up to.
  • What I’m up to.
  • We have more Mentor Program success to talk about
  • One of our listeners is setting a great example for all of us in holding his local government accountable for security.

[Evan] Alright, lots of good things. We’re all in this together and there’s a job and place for everyone.

[Brad] Brad’s words of wisdom.

[Evan] We’re always grateful for feedback that we get from listeners. If you’ve got some, email us at unsecurity@protonmail.com. One of the more popular topics in the past few months has been that of the virtual Chief Information Security Officer (or vCISO). We’ve received some great questions about how to become a vCISO. A couple of episodes ago, we talked about what a good vCISO is, but we didn’t really talk about how to become one. Let’s do that.

How to become a vCISO discussion

  • If you’re new (less experience).
  • If you’re experienced (even existing CISOs)
  • What are the benefits to being a vCISO versus being an FTE CISO?

[Evan] Alright. Good perspective and good discussion. Thank you Brad.

[Brad] Brad’s gotta say something or we’ll have an uncomfortable silence here.

[Evan] OK, last topic before we get into some news. I want to announce something that I’m VERY excited about. You and I are going to write a book, right?

[Brad] Brad confirms. See if you can notice any change in the tone of his voice when he responds.

New book announcement and discussion

There’s a tie-in here with vCISO too.

[Evan] I’m pumped about writing with you Brad. What better time than 4th quarter to get started?

[Brad] He’s lived through multiple 4th quarters, so he’ll laugh/cry.

[Evan] Let’s close this thing out with some news, eh?

News

Here’s our news for this week:

Closing

[Evan] There you have it. Thank you for another great show Brad!

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Talk to you all again next week!

Must have more data…

So, I wrote the first book, UNSECURITY, based more on experience and less on research. It was easy (well, not “easy”) because the audience for the book was the people in my own tribe (information security people). It was like writing a book to myself.

Now I’m writing the second book, and the audience has changed. It’s a book written to and for non-information security people whom I’ve affectionately called “normal” people. This doesn’t mean that a normal person isn’t awesome or exceptional; they are. It’s just the word I chose to reference people who aren’t information security folks. Maybe “the masses” is a better reference. We’ll see what makes it into the book.

Anyway, I have a problem. Sort of.

The Problem

I had a revelation while I was writing this book. It came to me while I was writing about how we (security people) make the mistake of assuming we know what the masses think. Even worse, we sometimes tell the masses what the masses think. It’s wrong!

Well, I was about to make the same mistake that I was rebuking other security people about.

STOP!

Don’t you think it makes better sense to ask the masses what they think about information security rather than to assume I know what they think? This book will make a lot more sense and be much more helpful if it uses the same language that the masses use and addresses their concerns!

The Solution

The best way I know to get answers to the questions I have is to create a simple survey, one that can be completed in five minutes or less. So, I did.

So far I’ve received more than 500 responses to the thirty-question survey, and the data is awesome! As I’ve mulled over some of the preliminary data, it’s amazing to see what people think! Who’d a thunk?

500 results gives the survey a lot of credibility. The margin of error is ~5%, which is great! Wouldn’t it be great to get a margin of error of <=3%? I think so, and the only way to get there is to ask for more responses. This is where I’m asking for your help.

Would you be so kind as to take this survey (it’s a safe link) and send it to as many of your contacts as you feel comfortable sharing it with? The survey link is here:

https://www.surveymonkey.com/r/security_for_normal_people

The better the data, the better the book. That’s the theory at least.

I’ll be writing more about the upcoming book in future articles. I think it’s going to be fun, and it’s going to help a lot of people!

THANK YOU!

P.S. The word map you see as the “featured image” in the title is mapped from the raw input (answers without any filters or changes) to the question “What could information security experts do to help people better?” (in the survey).