The UNSECURITY Podcast – Episode 60 Show Notes – 2019 Year End Review

Goodbye 2019. It’s been real.

Where did the time go?

A common question, we ask ourselves. This year I decided to take a stab at answering it.

Here’s where my time went, for what it’s worth (roughly):

  • 38.58% (or 3,380 hours) working
  • 27.09% (or 2,373 hours) sleeping
  • 23.90% (or 2,094 hours) personal (family, friends, etc.) quality time
  • 10.42% (or 913 hours) other

I spent ~15% more time working than I did making memories with my family in 2019. Some priority adjustments are overdue for me in 2020.

Thank God for the gift of reflection.

The end of the year is a good time to reflect. Reflection is healthy. As I reflect on 2019, I can think of many good things about us like improved industry diversity, great personal growth, business accomplishments, and amazing people working round the clock for our collective benefit.

Unfortunately, there are also bad things. Since we’ve got plenty to cover, both good and bad, we’ll use this episode (#60) to discuss the bad. We won’t want to leave a sour taste in your mouth for too long, so we’ll cover the good things, and the things to look forward to in 2020, in next week’s episode (#61).

Now, the bad.

I already mentioned one of the bad things I discovered from 2019, that my priorities are out of whack, but I also learned things about the sad state of our industry. I learned that we’re (still) losing the war, and we’re losing it on multiple fronts.

Are you wondering what war?

The war where the bad people take advantage of the good people. The war where the immoral ones take advantage of the decent ones. Where the informed and corrupt beat the ignorant and noble every single time.

Let me preface the rest of this by saying I’m not a doomsayer. I’m a realist. I’m a realist with a deep desire to share the truth. If you’ve been paying attention, and can be objective, you’ll find it easier to predict our future. Predicting where a path leads is easier when there’s no (or little) change of course.

Our discussion points for episode 60’s year-end review:

  • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
  • Front #2 – Our local governments and schools are losing their battles.
  • Front #3 – Our homes are part of the battleground and we’re not prepared.

All is not lost, and there’s hope. There’s good news too. We’ll cover good news next week. 2020 is the year for you, me, and our industry to get real. It’s time for us to tackle our most significant issues head-on, together!

I am (Evan) leading the show this week, and these are my notes.


SHOW NOTES – Episode 60

Date: Monday, December 30th, 2019

Show Topics:

Our topics this week:

  • Opening
  • The year (2019) in review.
    • Priorities and life adjustments
    • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
    • Front #2 – Our local governments and schools are losing their battles.
    • Front #3 – Our homes are part of the battleground and we’re not prepared.
  • Closing

Opening

[Evan] Welcome to the last UNSECURITY Podcast episode of 2019! We’ve got a great show planned for you. The date is December 30th, and this is episode number 60. Joining me as (almost) always is my guy Brad Nigh. Hi Brad.

[Brad] Early morning version of Brad…

[Evan] No guest today. It’s just me and you. How you doing?

[Brad] More early morning version Brad things…

[Evan] When I put together today’s show notes, I felt like I was a little harsh, maybe even depressing. It’s not like I was depressed when I wrote the notes, but when I take an objective look at what took place this year, it’s sort of depressing to me. 2019 brought with it a record number of breaches, a record number of records disclosed/stolen, ransomware everywhere, etc. Crap man. Do I seem depressed to you?

[Brad] He’s got something to say.

[Evan] Maybe I take this too personal, but I HATE seeing people get taken advantage of. There were too many times this year that we read about people being taken advantage of, and it sucks. Ugh. Maybe I am depressed.

[Brad] More things…

[Evan] Alright, let’s get to it. The 2019 year-end review…

The year (2019) in review discussion
  • Priorities and life adjustments
  • Front #1 – Breaches are more common than ever, and we seem to care less than ever.
    • Another record year for breaches, do we care?
    • Sources: https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/ and https://lifehacker.com/the-worst-data-breaches-of-2019-1840616463
    • “total number of breaches was up 33% over last year”
    • “medical services, retailers and public entities most affected”
    • “5,183 data breaches for a total of 7.9 billion exposed records”
    • Risk Based Security stated that 2019 is/was the “worst year on record” for breaches
      • January – Marriott breach (383 million)
      • February – 617 million accounts, from 16 websites and for sale on the dark web
      • March – 100s of millions of Facebook and Instagram accounts
      • April – 540 million Facebook records
      • May – 885 million First American Financial records
      • June – 20 million patients, bill collector American Medical Collection Association
      • July – Capital One and 100 million credit card applications
      • August – MoviePass and 160 million unencrypted/unauthenticated records
      • September – 218 million Words with Friends accounts
      • October – 4 billion social media profile records (???)
      • November – Facebook again…
      • December – we’re still waiting…
    • Breach fatigue.
    • Are we getting better at finding/reporting breaches? Are breaches happening more often? Are we getting worse?
  • Front #2 – Our local governments and schools are losing their battles.
    • Ransomware nails our local governments and schools.
    • A great article by Michael Mayes at CPO Magazine; the Top 10 Ransomware Stories of 2019.
      • “As the year ends, it’s time to declare 2019 the Year of Ransomware Escalation.”
      • Baltimore was “just one of 82 cities and municipalities to publicly report being struck by ransomware” in 2019.
      • “By December 1, a total of 72 US school districts have fallen victim to ransomware, impacting 867 individual schools and over 10,000 students.”
      • Nine “school districts representing 98 individual schools have been attacked by ransomware just in November. They include:
        • Wood County Schools, Parkersburg, West VA
        • Port-Neches Grove Independent School District, Port Neches, TX
        • Penn-Harris-Madison School Corporation, Mishawaka, IN
        • Livingston New Jersey School District, Livingston, NJ
        • Chicopee Public Schools, Chicopee, MA
        • Claremont Unified School District, Claremont, CA
        • Sycamore School District 427, DeKalb, IL
        • Sunapee Middle High School, Sunapee, NH
        • Maine School Administrative District #6, Buxton, ME”
      • Louisiana declared a state of emergency twice in 2019
    • Do we just accept it?
    • We started a civic duty push in 2019, calling for citizens to inquire about ransomware protections from their local government officials. We’ll need to pick this up again this year, and include schools too.
  • Front #3 – Our homes are part of the battleground and we seem ignorant about it.
    • Security, privacy, and safety at home.
    • We still don’t emphasize information security, privacy, and safety enough at home.
    • Did this problem get worse in 2019?
    • Will this get worse before it gets better?

[Evan] That wasn’t too depressing, was it?

[Brad] Gives his honest opinion.

[Evan] We’ve got a lot of work to do, and there are no easy answers. No easy buttons. I think the answer is found in learning and applying information security fundamentals. We spent 2019 working hard at SecurityStudio and FRSecure to reach people with simple, but practical information security solutions like our vCISO, S2Org (information security risk assessment for all organizations), S2Vendor, S2Me (information security risk assessment for all people) and others. We even made some of our tools free! We’ll continue our quest to reach people and help wherever we can!

Got anything to add Mr. Nigh?

[Brad] Adds if he wants to add.

Closing

[Evan] That’s a wrap for another show. Heck, not just another show, but another year!

Thank you and Happy New Year to our listeners! Be sure to tune in next week, when we’ll cover some positive developments from 2019 and maybe a prediction or two. We love recording these shows for you, and we hope you enjoy them. Send us your questions and feedback at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and this other guy is @BradNigh.

That’s it! Talk to you all again next week!

#S2Roadshow Recap – Week Nine

This week on the SecurityStudio Roadshow, we made the trip down to Scottsdale, Arizona to visit the people attending the ISSA Phoenix Q4 2019 Chapter Meeting. Of course, we got our fill of good BBQ too!

SecurityStudio Roadshow Summary

If you’re new, or you’re confused about this #S2Roadshow thing, start here (maybe).

Previous Week’s Recaps:

The purpose of the SecurityStudio Roadshow (#S2Roadshow) is to meet people and make partners. We want to meet people, understand their businesses, and help them grow using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

Our mission is to fix the broken information security industry. Success requires collaboration, partnership, and transparency.

BBQ Reviews

In the spirit of transparency, we have a secondary mission on the #S2Roadshow. We eat as much BBQ as we can. After stuffing ourselves, I summarize our BBQ reviews at the end of each recap article (see below).

Scottsdale, Arizona

We arrived in Phoenix/Scottsdale on Wednesday (12/4), the day before the ISSA chapter meeting. After getting our sweet rental, a 2019 Dodge Charger Hemi, we drove straight to our first BBQ joint, NakedQ BBQ in Scottsdale.

When you’re from Minnesota, a December trip to Scottsdale doesn’t suck. The weather was great. After BBQ, we were off to the hotel for some meetings and to catch up with work.

Next was a dinner meeting with a good friend and partner from the area, and afterwards day one was complete. Four or five great meetings, some good work completed, and two BBQ visits. Not bad.

Day two started with, you guessed it, more BBQ, before we headed off to the ISSA chapter meeting. Three BBQ visits in less than 24 hours. Think maybe we’re overdoing this? I think not!

ISSA Phoenix Q4 2019 Chapter Meeting

We’ve been to more than a couple ISSA chapter meetings, and this was one of the best! Lorna Kertész, the chapter President, does a great job running things. She was running all over the place making sure things went off without a hitch. Huge shout out to Lorna!

Overall, this was a fantastic meeting! The venue was top notch, the speakers were great, and the happy hour was very well attended. On a scale of 1 – 10 for chapter meetings, this one was a 10!

When John and I arrived, it was cool to know that there were some people who were expecting me. A couple people came up to tell me that they’d read my book, and a few mentioned that they’d attended the FRSecure CISSP Mentor Program. Feels like we’re making a difference.

The first speaker of the day was Rachel Harpley from Recruit Bit Security. She gave a very good talk titled “Yule be Sorry without Security Researchers”. Rachel is cool. She’s got some great things to share and her perspectives about information security are spot on (in my opinion). If you haven’t met her, or attended one of her talks before, you should! It was fun to visit with her after her talk.

The next speaker was Dr. Paulo Shakarian, CEO and co-founder of CYR3CON. This dude is smart! He gave a legit talk titled “Artificial Intelligence Research for Forecasting Exploit Usage”. We caught up after his talk and scheduled a meeting (week after) to discuss how his research can make the SecurityStudio platform better. The prospects of tying legit AI into SecurityStudio’s S2Org technical vulnerability scoring are very exciting!

My talk followed the talks of these two esteemed speakers.

I gave a similar talk that I’ve given across the country now. Want the deck? Four topics in the agenda, housekeeping, meat, the dream, and call to action. The talk was well received, and the interaction with the attendees was super! Gave away three books, and had some wonderful discussions with people afterwards. Like I said earlier, this meeting was a 10 on a scale of 1 – 10. The only thing that would have made it better is if the guy next to me wouldn’t have gotten up and left his laptop unlocked.

I talked to him about it afterwards. We’re cool.

BBQ Reviews

You know how we roll, right?! BBQ man! As much as we can get, and yes, we (well I am) are gaining a few pounds along the way.

Three BBQ reviews this week; all three in Scottsdale. We expected good BBQ in Kansas City, but Scottsdale, Arizona?! Believe it or not, Scottsdale has some awesome BBQ joints! Here’s our take on the three we visited.

NakedQ BBQ – https://www.thenakedbbq.com/ – Overall: 8.25

  • Atmosphere – 7, the atmosphere for this place was OK. It was another one of those strip mall feeling sort of places.
  • Service – 9, Everyone was very pleasant and went out of their way to make sure you were satisfied. It’s great when people come out from behind the counter to see how you’re doing.
  • Portion/Value – 8, the price was better than I expected and the portions were generous.
  • Taste – 9, the food tasted great and you could tell it was made by people who know what they’re doing. The best brisket we’ve had in a while.

This was really, really good BBQ. I had a 1/4 pound of brisket, jalapeno sausage, turkey, and pulled pork, and they were all great. It’s a tie between the brisket and sausage for my favorite.

The Thumb – https://www.thethumb.com/ – Overall: 8.5

  • Atmosphere – 10, the atmosphere for this place was one of the best yet. The restaurant is part of a gas station and a gift shop. Totally comfortable and cozy. My kind of BBQ joint to just chill and visit with friends.
  • Service – 10, Seriously, these people know how to serve and make you feel like you’re a king (or queen, as the case may be)! One of the few places where they offer you a sample before you order. Once we ordered, they brought the food out to us, grabbed an assortment of sauces, gave us some free goodies, and constantly made sure we were happy.
  • Portion/Value – 7, the portions were hefty, but the price reflected it. Better than average, I’d say.
  • Taste – Maybe my expectations were set too high after experiencing the super cool atmosphere and getting service reserved for royalty, but the food tasted OK. Not great, but good maybe.

We met a good friend and business partner for dinner here. Overall, we had a great time and I’d visit this place again. Oh yeah, one more thing. This place was featured by Guy Fieri too. Some people think that’s pretty cool.

Little Miss BBQ – https://www.littlemissbbq.com/ – Overall: 8.75

  • Atmosphere – 9, this was a cool joint. It sort of felt like I was down south in the 70s. This is an order your food, grab your food, and sit sort of BBQ joint.
  • Service – 9, certainly above average. We arrived before the place was open and there was already a line around the corner. While we waited, a waitress walked the line offering samples of their home made sausage. While we ordered, the cook gave us a small cut sample of the pastrami brisket. After we ordered, we were assured that we had everything we needed to be happy.
  • Portion/Value – 8, very reasonable and worth every penny.
  • Taste – 9, We would have said “10”, but we use that number very sparingly. The brisket might have been the best we’ve had so far on the SecurityStudio Roadshow. It might be a toss-up between this place and Pecan Lodge (Dallas, TX in week #3). The taste of the meats here was incredible.

This was the best BBQ we’ve had for a long time, if ever, on the SecurityStudio Roadshow. If you like BBQ and you are in the Scottsdale area, you have to visit this place. It’s amazing!

BBQ Summary

Three new BBQ joints to add to our list, and this makes 28 we’ve visited so far. This was a VERY good BBQ week for us, with all three BBQ joints easily making the top 10. The winner this week was Little Miss BBQ, but it was close. Pecan Lodge is still on top as the overall #S2Roadshow leader with a score of 9 (but we need to go back and validate this now), and Little Miss joins Bowlegged BBQ in the #2 spot. The current overall standings are listed below.

Overall Standings (at the end of #S2Roadshow Week Eight):

  • Pecan Lodge – 9
  • Little Miss BBQ – 8.75
  • Bowlegged BBQ – 8.75
  • The Thumb – 8.5
  • Divine Swine – 8.5
  • Naked Q BBQ – 8.25
  • Dinosaur BBQ – 8.25
  • Big Ed’s BBQ – 8.25
  • Mission BBQ – 8
  • Slaps BBQ – 8
  • Q39 BBQ – 7.75
  • Cousin’s BBQ – 7.75
  • Blackwood BBQ – 7.5
  • Broad Street BBQ – 7.5
  • Hard Eight – 7.25
  • Spring Creek Barbeque – 7.25
  • Redd’s BBQ – 7.25
  • RIBBRO BBQ – 7.25
  • Iron Horse – 7
  • Lucille’s Smokehouse BBQ – 7
  • Texas Bar-B-Q Joint – 7
  • Fire Breather BBQ – 7
  • Smoque – 6.75
  • Sweet Lucy’s Smokehouse – 6.75
  • Red Coal BBQ – 6.75
  • Bad to the Bone BBQ – 6.75
  • Unkl Moe’s – 6.5
  • Hambone’s Smokehouse – 6.25
  • Shakedown BBQ – N/A (wasn’t open when it was supposed to be, wasted trip)

Next Week’s #S2Roadshow

A couple of talks this week, one in St. Paul, MN and another visit to Dallas, TX. We’re visiting the Minnesota Government IT Symposium on Wednesday and we’re visiting the Dallas/Fort Worth ISC2 chapter on Friday. Looking forward to meeting a bunch of great people this week, and we’re looking forward to revisiting Pecan Lodge.

Stay tuned for next week’s #S2Roadshow updates. You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

See you next week! If you want to collaborate with us, get in touch!

#S2Roadshow Recap – Week Eight

Kansas City (MO) and Irvine (CA)

Monday was spent catching up in the office before heading off to Kansas City early Tuesday morning.

A day in Kansas City and three days in Orange County, California this week. Not bad!

SecurityStudio Roadshow Summary

If you’re new, or you’re confused about this #S2Roadshow thing, start here (maybe).

Previous Week’s Recaps:

The purpose of the SecurityStudio Roadshow (#S2Roadshow) is to meet people and make partners. We want to meet people, understand their businesses, and help them grow using simple, fundamental, and compliant solutions (S2Score, S2Org, S2Vendor, and S2Team/S2Me).

Our mission is to fix the broken information security industry. Success requires collaboration, partnership, and transparency.

BBQ Reviews

In full transparency, we have a secondary mission on the #S2Roadshow. We eat as much BBQ as we can. After stuffing ourselves, I summarize our BBQ reviews at the end of each recap article (see below).

Kansas City, Missouri

The Roadshow officially started on early Tuesday morning with a five something AM flight to Kansas City. The primary purpose for making the trip back to Kansas City was an important meeting with Lockton, our awesome partner. We had four people visiting from our office; myself, John Harmon, Alex Titze, and Chris Dian. I took an earlier flight than the other guys, so my job was to get the car and come back to pick them up.

I was greeted in Kansas City by the happiest and most encouraging rental car bus driver you could imagine. Ross was great!

Got the car, grabbed a coffee (red eye) at Starbucks, then came back to the airport to pick up the guys. Love these guys!

Lockton Meeting

The meeting with Lockton went great! We gave an introductory presentation to personnel in offices throughout the United States and discussed logistics about how we work together. Before heading back to the airport, we had to make a BBQ stop. This time we drove to Slaps BBQ (review below).

At the airport, we had a great meeting with Chubb, a new potential partner. Chubb is reviewing the entire SecurityStudio platform, and seems most interested in using the S2Team/S2Me for their clients.

After this meeting, I was off to Irvine/Orange County, while the others headed back to Minneapolis.

Irvine, California

California is a beautiful place, that’s for sure! I had meetings with partners and potential partners while I was here, but things were low-key for the most part. Low-key is good when I have many days worth of email to catch-up on. The primary purpose for this visit was to preach at Webster University on Thursday evening.

My rental car was nicer than usual. Enterprise upgraded me (for no cost) to a Mercedes GL 320. If you know me, you know that I’m not a flashy guy who feels the need to drive a flashy car. At home, I drive a base model F250, so this is a change. A friend told me that it looks like I’m driving a storm trooper helmet. Take a look at the picture below, yes?

John Harmon joined me on Thursday morning. We decided to check under the hood. Looks complicated.

We had some extra time on Thursday afternoon, so we took in a few sights. Like I said earlier, California is a beautiful place!

ISSA-OC

My talk is part of the “Cybersecurity Seminar Series”, a joint effort of ISSA of Orange County and Webster University. I wasn’t scheduled to be there until 6:00(ish) PM, so we made a stop at an In-N-Out Burger on the way. On all my travels, this was my first ever experience with an In-N-Out Burger. I can’t believe what I’d been missing!

We arrived on time (yay us!) and were greeted by the event organizer, Dr. Brian Dozer. Brian is the Director at Webster University and the ISSA Program Director. Super cool and nice guy! The facility was great, the audience was great, and we met some great people here!

Here’s a copy of my slide deck. Use it (or not) in any manner you wish! I added a slide to the usual deck, a simple challenge for audience members to get a free copy of my book. The challenge is to solve a simple monoalphabetic substitution cipher of one of Robby Bragg’s poems. If you don’t know (or remember), Robby was a wonderful person who used to work at FRSecure before he tragically took his own life on May 17th, 2018. I keep Robby’s memory alive on the #S2Roadshow by highlighting the need to address mental health issues head-on. The slides with Robby’s tribute and the challenge are pictured below.

After giving the talk, it was back to the hotel. More meetings on Friday, then back to Minneapolis Friday afternoon. Another great trip!

BBQ Reviews

You know how we roll, right?! BBQ man! As much as we can get, and yes, we (well I am) are gaining a few pounds along the way.

Four BBQ reviews this week. One in Kansas City (Slaps BBQ) and three in California (Fire Breather BBQ, RIBBRO BBQ, and Bad to the Bone BBQ). Reviews below!

Slaps BBQ – https://slapsbbqkc.com/ – Overall: 8 

  • Atmosphere – 8, this was a pretty cool place, located in an industrial part of town. The all brick building featured an indoor eating area, plus there were two more eating areas outside. The eating area on top of the building featured a great view of the Kansas City skyline.
  • Service – 9, I love when the BBQ is made to order right in front of you. They cut the meat and dish it out as you order it, right in front of you. The staff was very courteous and very helpful.
  • Portion/Value – 8, definitely above average. We got filled up at a very reasonable price.
  • Taste – 7, the brisket was good and the pulled pork was good. The best part was the jalapeno cheddar sausage. All the BBQ was good, but not amazing.

We went to Slaps on a recommendation from a close friend. She’s a local and told us this was her favorite BBQ in all of Kansas City. It was good, but I’ve had better in this town.

Fire Breather BBQ – http://www.firebreatherbbq.com/ – Overall: 7

  • Atmosphere – 6, there wasn’t anything special about this place. It was located in a strip mall type setting and sort of felt like fast food.
  • Service – 7, average(ish). The staff was courteous and helpful, but nothing special.
  • Portion/Value – 8, definitely above average. Again, I got my fill and I didn’t have to mortgage my house for it.
  • Taste – 7, the brisket had a great fat cap on it, and it was an excellent cut of meat, but there was no smoke ring at all. It was hard to taste the smoke flavor in the other meat too (pulled pork).

Overall, I could take it or leave it. I’d stop here again if I was driving by, but I wouldn’t go out of my way for this place.

RIBBRO BBQ – https://www.ribbrobbq.com/ – Overall: 7.25

  • Atmosphere – 8, This BBQ joint is also located in a strip mall setting, but they did a great job making it feel homey. Classic country music playing on the sound system seemed to round out a good atmosphere.
  • Service – 6, service was less than great. There were three people working here when we arrived and they were all busy trying to fill a catering order, which made the wait longer than it should have been. They were really nice people though!
  • Portion/Value – 7, the price was OK for what you get.
  • Taste – 8, the taste was definitely above average, but not great. The brisket was nice and moist. The ribs were good, but had some sort of weird spice in the dry rub. I couldn’t put a finger on what the spice was, and I wasn’t sure if I liked it or not.

John was VERY hungry after he got off the plane from Minneapolis, so we got here right when they opened. The service (which was what scored the lowest) might have been better if we’d gotten there a little later in the day.

Bad to the Bone BBQ – https://www.badtothebone-bbq.com/ – Overall: 6.75

  • Atmosphere – 8, this place felt like a BBQ joint on the one hand and a little like a sports bar on the other. Overall, the atmosphere was very good.
  • Service – 7, nothing special about the service. You order at the counter, grab a number, then wait for someone to bring your food.
  • Portion/Value – 5, the worst part about this place was the price for what you get. Even by California standards, this was too costly.
  • Taste – 7, the taste was good, but they put sauce on my meat. I don’t like sauce on my meat unless I’m the one putting it on.

I was expecting better, but maybe that’s what I get for having expectations. I probably wouldn’t visit this place again, primarily for the value/price factor.

BBQ Summary

Four new BBQ joints to add to our list. This was an OK BBQ week. The winner this week was Slaps BBQ (Kansas City). Pecan Lodge is still on top as the overall #S2Roadshow leader with a score of 9, and Bowlegged BBQ is still in the #2 spot. The current overall standings are listed below.

NOTE: I’ll organize this list with links to the reviews next week.

Overall Standings (at the end of #S2Roadshow Week Eight):

  • Pecan Lodge – 9
  • Bowlegged BBQ – 8.75
  • Divine Swine – 8.5
  • Dinosaur BBQ – 8.25
  • Big Ed’s BBQ – 8.25
  • Mission BBQ – 8
  • Slaps BBQ – 8
  • Q39 BBQ – 7.75
  • Cousin’s BBQ – 7.75
  • Blackwood BBQ – 7.5
  • Broad Street BBQ – 7.5
  • Hard Eight – 7.25
  • Spring Creek Barbeque – 7.25
  • Redd’s BBQ – 7.25
  • RIBBRO BBQ – 7.25
  • Iron Horse – 7
  • Lucille’s Smokehouse BBQ – 7
  • Texas Bar-B-Q Joint – 7
  • Fire Breather BBQ – 7
  • Smoque – 6.75
  • Sweet Lucy’s Smokehouse – 6.75
  • Red Coal BBQ – 6.75
  • Bad to the Bone BBQ – 6.75
  • Unkl Moe’s – 6.5
  • Hambone’s Smokehouse – 6.25
  • Shakedown BBQ – N/A (wasn’t open when it was supposed to be, wasted trip)

Next Week’s #S2Roadshow

No trip planned this week. We’re taking the week off for Thanksgiving. HAPPY THANKSGIVING!

Stay tuned for next week’s #S2Roadshow updates. You can follow us on Twitter (@evanfrancen, @HarmonJohn, @StudioSecurity, and the #S2Roadshow hashtag) and on LinkedIn.

See you next week! If you want to collaborate with us, get in touch!

The UNSECURITY Podcast – Episode 45 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes. Hope you all had a great week!

For last week’s show, Brad was in studio while I was calling in from Sofia, Bulgaria. Brad was joined by Ryan Cloutier, an awesome return guest. As far as I could tell, it was another great show. I had some connectivity issues, but who doesn’t have connectivity issues in Bulgaria? Brad did a great job holding things together while we chatted about issues such as liability and speaking information security with “humans”.

Catch episode 44 here.

I was in Bulgaria to visit members of our SecurityStudio development team, check out the new office, and spend some time planning future releases of the software. Bulgaria is eight hours ahead, so timing with U.S. resources was interesting.

The trip was very successful and we made significant progress on a number of fronts. While I was halfway around the world, Brad held down the fort. He’s a really good leader and I’m sure he has a bunch of things going on. I didn’t get to check in with him last week, so we’ll ask how he’s doing on the podcast.

Lots of other really cool stuff to share, but I’ll do that in another post or on the show.

Let’s do some show notes now.


SHOW NOTES – Episode 45

Date: Monday, September 16th, 2019

Show Topics:

Our topics this week:

  • Catching Up
    • More Mentor Program success
    • Civic duty example
  • vCISO Revisited
  • Book Announcement

[Evan] – Hi folks, welcome to the UNSECURITY Podcast. This is episode 45 and I’m your host, Evan Francen. Brad’s joining me as usual. Hi Brad!

[Brad] Brad politely says hello to me and by proxy all of our listeners. Good Brad.

[Evan] Man, this is two shows in a row where I’m out of studio. Today I’m stuck in Washington, D.C. for a meeting. Only one day, so that’s good. What’s up with you?

[Brad] Stuff and things.

[Evan] We haven’t recorded together in person the last couple of weeks, and I haven’t even been able to catch up with you. You cool if we catch up quick?

[Brad] Brad will probably say “yes”.

[Evan] Alright, let’s start with your week. Tell us what you’ve been up to.

Catching up

  • What Brad’s up to.
  • What I’m up to.
  • We have more Mentor Program success to talk about
  • One of our listeners is setting a great example for all of us in holding his local government accountable for security.

[Evan] Alright, lots of good things. We’re all in this together and there’s a job and place for everyone.

[Brad] Brad’s words of wisdom.

[Evan] We’re always grateful for feedback that we get from listeners. If you’ve got some, email us at unsecurity@protonmail.com. One of the more popular topics in the past few months has been that of the virtual Chief Information Security Officer (or vCISO). We’ve received some great questions about how to become a vCISO. A couple of episodes ago, we talked about what a good vCISO is, but we didn’t really talk about how to become one. Let’s do that.

How to become a vCISO discussion

  • If you’re new (less experience).
  • If you’re experienced (even existing CISOs)
  • What are the benefits to being a vCISO versus being a FTE CISO?

[Evan] Alright. Good perspective and good discussion. Thank you Brad.

[Brad] Brad’s gotta say something or we’ll have an uncomfortable silence here.

[Evan] OK, last topic before we get into some news. I want to announce something that I’m VERY excited about. You and I are going to write a book, right?

[Brad] Brad confirms. See if you can notice any change in the tone of his voice when he responds.

New book announcement and discussion

There’s a tie in here with vCISO too.

[Evan] I’m pumped about writing with you Brad. What better time than 4th quarter to get started?

[Brad] He’s lived through multiple 4th quarters, so he’ll laugh/cry.

[Evan] Let’s close this thing out with some news, eh?

News

Here’s our news for this week:

Closing

[Evan] There you have it. Thank you for another great show Brad!

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 44 Show Notes

Welcome back for another quick recap of the week and another dose of UNSECURITY Podcast show notes!

Last week, Brad and I were back in studio together to record episode 43. It was a good show, where we covered some relevant topics such as (more fricken) incident response, vCISO questions, and how we (the good guys) can’t possibly do all the things that they (the bad guys) do.

Quick words about vCISO

  • It’s the future of information security leadership.
  • There are good vCISOs and less good (maybe bad) vCISOs, you need to learn the differences.
  • We got some great feedback this week from people who aspire to be a vCISO, which was really cool!

Quick words about good guys and bad guys

  • There’s a gap between what we can do and what they can do.
  • We have rules, they don’t.
  • We have ideas about how to close some of the obvious gaps (didn’t cover in episode 43, but we’ll cover this somewhere in the future).

If you missed episode 43, you can always go back and nab it here.

Hoping you all had a great week. It was a short week, but if you’re like me, it only meant that we crammed more stuff into less time.

Most of my time this week was spent helping SecurityStudio partners find success in serving their clients. This is a blast because we create situations where everyone wins, and we do it together.

This week I started exploring the possibility of helping an incredible organization combat sex trafficking in the United States. The organization is SHAREtogether, and they’re doing amazing work. The organization is run by Jaco Booyens, the director of the movie 8 Days. If you get a chance, check them out and watch the movie (it’s been watched more than 2,000,000 times). If you feel more inclined, do more to help. Right now, my involvement is more exploratory, but I’m sure there will be more to this story before it’s all said and done.

Anyway, on to the show! Brad is leading the show this week, and he’ll have another returning


SHOW NOTES – Episode 44

Date: Monday, September 9th, 2019

Show Topics:

Our topics this week:

  • The security expert’s take on liability.
  • Speaking information security for “humans”.
    • What’s the problem?
    • Ideas for solving the problem(s).
    • Consequences of the failure to solve the problem.
  • Industry News

[Brad] – Brad can choose any opening he’d like. This is his show to lead. The standard one sort of goes like this…

Welcome to the UNSECURITY Podcast, episode 44. Joining me is my co-host, Evan Francen. Say hi Evan.

[Evan] I’ll say something here. Probably. Maybe I’ll stay silent to throw Brad off, but now that it’s in the show notes, I think I let the cat out of the bag. Whatever.

[Brad] Also joining us today is a repeat guest. Ryan Cloutier is here in person. Ryan is an amazing information security expert with a noble mission. He was also on with us back in episode 27, back in May. Welcome Ryan.

[Ryan] Ryan’s a guy with something to say, so he’ll say something here.

[Brad] This week, Evan’s in Bulgaria. What’s going on over there, Evan?

[Evan] Stuff.

[Brad] It’s sort of funny. We’re beginning to think you don’t like Ryan all that much because last time he was on, you were in California. You got something against Ryan or what?

[Evan] Maybe.

[Brad] We brought Ryan on the show again because we love his perspectives on helping “normal” people, or as he likes to call them, “humans”, secure themselves better. Great mission, but before we cover that, let’s talk about some common questions we get about liability. Now, we’re not lawyers, so don’t think this is official legal advice, but we do work with lawyers pretty often when we investigate breaches.

Discussion about liability, from a security person’s perspective

[Brad] So, the key is to do the things that a “reasonable” person would do in your same circumstance. This leads to a whole bunch of questions that you should be asking yourself.

Now let’s switch gears a little bit. Ryan, you’ve got this deep desire to help “humans” secure themselves better, and this passion is shared with us here at FRSecure. You recently posted an open letter to the security community on Evan’s blog and you regularly speak to crowds all over the United States. Let’s talk about all this for a bit.

Discussion about Ryan’s mission and speaking “human”

  • What are some of the problems we’re facing when speaking “human”?
  • What ideas do we have for solving the problem(s)?
  • What are some of the consequences of the failure to solve the problem?

[Brad] There’s so much we can do together, as a community, to do this better. Great discussion. What’s our one call to action?

[Brad] OK, on to this week’s security news.

News

Here’s our news for this week:

Closing

[Brad] Alright. Another great show. Thank you for joining me Ryan.

Evan, have a good time in Bulgaria. Bring me home a gift or something.

A special thank you to our loyal listeners. We love your feedback and sincerely appreciate the fact that you join us each week. Send your feedback to us at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen.

Talk to you all again next week!

The UNSECURITY Podcast – Episode 38 Show Notes

YES! I’m on time again. If I get good at this, I won’t need to make this comment anymore. Odds of that?

As usual, I’ll give a quick review of the week, then we’ll jump right into the show notes.

It was another good and productive week. Gooder and more productiver than I probably deserve, but this is what you get when you are surrounded by awesome people all the time. 

  • Monday started with UNSECURITY Podcast (episode 37). Our guest was the one and only MN State Representative Jim Nash. If you missed it, you should give it a listen. We call BS on some things, then chat about some other things. All in all it was a great show. After that, it was coffee with a friend and a lot of writing.
  • Tuesday started with coffee with SecurityStudio’s VP of Software Development, Ivan Peev. After coffee it was an executive leadership meeting (all executives rated it a 10, which is always good), more writing, and a global information security strategy meeting with an awesome vCISO client.
  • Wednesday was great. An FRSecure Customer Advisory Board (CAB) meeting, coffee with Peter Vinge (Director of Operations – FRSecure), more writing, a few more meetings, more writing, and a meeting with legal counsel.
  • Thursday started with a SecurityStudio User Advisory Group meeting, then the rest of the day was spent writing.
  • Friday (today) started with a coffee meeting with my good friend and SecurityStudio’s president, John Harmon. We had a cool discussion about family, health, and some security strategy stuff. After coffee came a SecurityStudio product strategy meeting, and now I’m writing again.

What’s with all the writing?

It’s been a while since I’ve updated people on the status of this second book. The first book (Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry?) was published this year, and it’s been really well-received. This first book was written to information security professionals. This second book is an information security book written to information security amateurs, or common everyday people. The book’s parts are (for now):

  • Introduction
  • Part 1 – Current State of Affairs (nation-state, cyberwarfare, businesses, attackers, security, privacy, and safety)
  • Part 2 – Motivation (find your motivation to act, family, friends, community, country, and business)
  • Part 3 –  Application (applying the basics and building habits)
  • Part 4 – Introducing and Using S2Me (the assessment, recommendations, and conclusions)
  • Closing

If you read my first book, you might remember where I said that writing a book is a bitch. It still is. The amazingness of the experience is more than worth it though. More to come in the coming weeks and months.

Let’s get to the show…


SHOW NOTES – Episode 38

Date: Monday, July 29th, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth follow-up
  • Project Bacon
  • Industry News

[Evan] – Hi everybody! Holy buckets, we’ve got a good show planned today. Good morning, and in case you don’t know the voice yet, this is Evan and this is episode 38 of the UNSECURITY Podcast. No Brad joining me today. He’s got a “vacation”. Who does that?! Anyway, in his place is my good friend and SecurityStudio’s president John Harmon. This is where you say “hi” John.

[John] He’s a quick thinker with a sharp tongue, so I’ll need to be on my toes with his response (probably).

[Evan] So, Brad’s on vacation. I joked a little about that, but I can hardly think of someone who deserves it as much as he does. Kudos to him for taking some time off to be with his family. Before we get into talking more about our guest and some cool things, I just want to give our listeners a quick update on our Civic Ransomware Awareness Project and an idea for a follow-up to the #100DaysOfTruth thing.

Quick Civic Ransomware Awareness Project Update and New Idea Discussion

John can talk here too, I just don’t have anything specific for him yet.

[Evan] This is our 38th episode of the podcast, and we finally have you on the show. Sorry it took so long. Now, I know you pretty well because we’ve been working together for quite some time now, but the listeners may not know who you are. Tell us about yourself.

[John] Tells us a story about himself

Talking About John

[Evan] I gotta tell you man, I love working with you every day. You’re a guy that truly gets what we’re trying to do and you’re absolutely sold out on our mission. Later this year, like October, you and I are embarking on a new journey. We affectionately call it Project Bacon. Where did the name come from?

[John] The name was John’s idea, but let’s hear him out.

[Evan] The name is awesome. Besides, who doesn’t like Bacon? So, we have this Project Bacon thing. What is it?

[John] Tells us what Project Bacon is.

[Evan] OK, I think I get it (of course I do, but I need to act like I don’t so the show is more interesting or something). Why are we doing this?

[John] Oh yeah! The “why” is the best part.

More Project Bacon Discussion

[Evan] I’m pumped about Project Bacon. It’s going to be a blast and we’re doing good things all along the way. John, you’ve listened to our podcast before. We always close this thing out with a few news stories. You game?

[John] John is always game.

Industry News

Here’s our news to discuss in this week’s show. The depth of the discussion will depend on our time.

Closing

[Evan] – OK. That’s how it is. So many cool things going on and too many things to talk about. Thank you John for filling in for Brad this week. Project Bacon is going to be great! Also, a special thank you to our listeners. Each week, the number of listeners to our podcast continues to grow, and each week we receive great feedback from you. Please keep it coming. If we haven’t had a chance to respond, it isn’t because we don’t care, we just haven’t gotten around to it yet.

If you want to keep up with the haps, be sure to follow me, Brad, and/or John on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and John is @HarmonJohn. Email the show at unsecurity@protonmail.com. Have a great week everybody!

The UNSECURITY Podcast – Episode 37 Show Notes

On time this week? Absolutely! We take these things seriously around here, you know that!

Happy Friday UNSECURITY Podcast listeners! It was a great week for us, hope yours was good (or better).

Weeks like this one at FRSecure and SecurityStudio are always special. We held our end of quarter meeting at our Minnetonka, MN headquarters. Our people fly in from all over the country to celebrate, collaborate, and have fun. It’s AWESOME to see everyone and spend time catching up.

We are all family here, and it’s an amazing experience when everyone gets to come home. We have people fly in for the week from Florida, Nevada, Kentucky, and soon to be Missouri. It’s magical when everyone gets together. One of our core values is “work hard, play hard”, and it’s fun to see everyone collaborating then going out and having fun afterwards. Seriously amazing people doing incredible things.

I love these people!

Like almost every quarter, the team killed it again. It was another record quarter revenue and profit-wise, but this is secondary to the impact this team is making in our industry.

The mood was awesome. Blessings everywhere.

On to the show notes, eh? (What am I Canadian now?)

Originally, we were planning to cover a new SecurityStudio initiative we affectionately call “Project Bacon”. We’re going to put that off until next week because we have a special guest joining us for this show. Our special guest is Jim Nash, who represents District 47A in the Minnesota State House of Representatives.


SHOW NOTES – Episode 37

Date: Monday, July 22nd, 2019

Today’s Topics:

We’re going to touch on the following topics this week:

  • Civic Ransomware Awareness Project update
  • The #100DaysofTruth update
  • Calling BS on BS
  • Industry News

[Evan] – Hey oh. Good morning everyone. My name is Evan Francen. My show to host this week, so if you don’t like it, blame Brad. Speaking of Brad, he’s here. Hi Brad.

[Brad] Hi (or something similar)

[Evan] Also joining us this morning is Mr. Jim Nash. Now, I’ve got a special affinity for Jim. He’s a good friend, and he also represents my home district in the Minnesota State House of Representatives. Hi Jim.

[Jim] He also says “hi” or something of the like.

[Evan] Jim, I’m grateful for the work you do for the people of our district and I’m also very thankful for you advocating like you do for information security. You’re a tremendous advocate for FRSecure, for the State, and for the US as a whole. Thank you.

[Jim] Graciously accepts my gratitude and says something wisdomy that will awe his constituents. I’ll probably have to cut him short because politicians sometimes like to talk.

[Evan] Let’s jump right in, shall we? We have a lot to cover in this week’s show. Real quick, like real real quick, what did you think about last week?

[ALL] Stuff.

[Evan] Yeah, it was a great week for sure. Quick update on the civic ransomware call to action stuff. I actually gave this thing a real name now, “Civic Ransomware Awareness Project”. We received a few more updates; a couple from our backyard here in Minnesota and one as far away as Idaho.

Civic Ransomware Awareness Project discussion

[Evan] I hope we’ll continue the efforts to work together, people from all walks and backgrounds, including the private and public sector, to make information security better for everybody.

[ALL] Maybe they say something maybe they don’t. It’s early Monday morning for crying out loud.

[Evan] Another thing from last week. Don’t know if you guys noticed, but I finished my #100DaysofTruth series. What did you think?

#100DaysofTruth discussion

[Evan] It was a fun exercise. People have been asking me “now what”? Here’s the plan, and you heard it here first. The FRSecure Marketing Team is summarizing all one hundred days into a single blog post, we’re going to produce an ebook out of the content, we’re going to create an audiobook, and I’m thinking about doing #100DaysofLies.

[ALL] Maybe some more comments, maybe I need to kick them under the table to wake them up.

[Evan] Alright, next thing I wanted to talk about was something that you, Jim, brought to my attention last week. This should be a good discussion. Jim came to me and told me that there’s this guy (he didn’t recall his name at the time) who is out there preaching that there are companies in the United States that are unhackable. As you can probably imagine, I’m not buying it. So I wrote a blog post here at evanfrancen.com, and I’d like to talk about it. Whatya say guys? Game?

[ALL] Of course they’re game!

Calling BS on BS discussion

NOTE: Go into the background some more, then talk about the BS.

[Evan] Alright. Good spirited discussion. Let’s wrap this thing up with some news, then get on with what is sure to be another great week!

Industry News

Here’s the news to discuss, just two this week because we covered so much other stuff and we’re running out of time:

Closing

[Evan] – Well, damn. That’s how it is. We do a ton of things around here and we talk about a lot of stuff. Special thanks to Jim Nash for joining us this week. Jim, you’re a good man. Also, a special thanks to our listeners. You guys give us awesome feedback every week and tips about what you’d like us to talk about. Be sure to follow me, Brad, and/or Jim on Twitter. I’m @evanfrancen, Brad’s @BradNigh, and Jim’s @JimNashMN. Email the show at unsecurity@protonmail.com. Have a great week everybody!

CALL TO ACTION UPDATE – Doing your part about civic ransomware

Does the all caps “CALL TO ACTION UPDATE” get your attention? It’s supposed to.

The facts:

  1. The call to action still stands.
  2. Our municipalities are still under siege.
  3. The ransomware threat is far from abated.
  4. Too many communities are under-prepared.

You aren’t powerless. You have options.

  1. You can sit there and do nothing, playing the victim.
  2. You can point fingers and complain, playing the critic.
  3. You can wait for somebody else to do something, playing the sluggard.
  4. You can be part of the solution by doing something constructive, playing the responsible citizen. In my opinion, this is the best option.

If you choose (or have chosen) option 4, pen an email to your local government officials. Respectfully ask them how they’ve prepared for an eventual ransomware attack. If you are willing and able, offer to help them if they need it. If you aren’t willing or able to help them, refer them to one of us who is willing and able to help them.

Follow the guidance in my previous CALL TO ACTION article or follow your own charge.

For those of you who choose to do nothing, you have no right to play the victim card or complain. You give up those rights, in my opinion.

UPDATE

Now for the update. Many of you have taken me up on the CALL TO ACTION. You have emailed your local government officials and you’ve shared some of their responses with us at unsecurity@protonmail.com.

Kudos to you for choosing option 4 (above)!

Here are some of the responses that have been shared with us, protecting the names of the innocent/guilty.

Response from small city in a rural area:

We are familiar with these attacks on cities and we utilize network security professionals to protect our systems.  We also utilize a firm to audit us and test for gaps or issues proactively as well as routinely backing up and storing our data off site to protect against ransom demands and other risks.

Not too bad. The resident followed up with the city to gain more insight and offer help. Nice work!

Response from a medium-sized U.S. county:

Thanks for reaching out. No organization can claim with 100% certainty that they are protected from any cyberattack. However this is a very front and center topic for <REDACTED> County, and many efforts have been taken to reduce our risk and exposure to various kinds of cyber attacks, including Ransomware.

The County does not have a defined policy regarding what they would do if faced with this decision (in fact none of the metro counties have one, last time I checked), but in my conversations with Administration I do not believe paying a ransom would be an option they would choose.

Hope that helps answer your question.

This is good to know, yes? Someone (why not us/you) should work with this county to address the issue, and while we’re at it, address the issue with all “metro counties”. Kudos to this county official for responding with some transparency!

Response from a mid-sized suburban city:

Thanks for the email. For the security of the City’s network and systems, we follow the recommendations set by the <REDACTED – state’s criminal justice system>. We also use a third party vendor that does penetration testing against our firewall to try to stay ahead of the malicious attacks. We conduct staff cybersecurity training with this third party vendor to ensure our staff is behaving appropriately as well.

OK, maybe not a great response, but a response nonetheless. Didn’t really address the ransomware preparedness question directly, but a conversation has begun. The resident will be following up. Making a difference!

Response from another mid-sized city:

Thank you for your email. The City of <REDACTED> has a multi-faceted approach to cybersecurity.  We have improved security both internally and externally.  While no system is immune from attack, we are actively scanning and patching for vulnerabilities.  A specific key to protecting against ransomware is to have good, frequent, and tested backups.  We maintain a healthy backup system and in the case of a ransomware attack being successful, could restore lost data as needed. It is our policy to not pay ransomware demands.   Our <REDACTED> has made security a top priority, and has taken many steps to enhance the City’s security posture.  This includes revamping the firewall and anti-virus infrastructure.  We continue to take cybersecurity very seriously, and are constantly striving to keep our data secure and protected against attack.

Not bad. Another conversation starter and another difference made, even if a small one.

Final Words (for now)

Responses from good citizens continue to come in to our mailbox (unsecurity@protonmail.com) and we’re encouraged by the actions some of you are taking! For those who haven’t yet reached out to your local government officials, get on it! Again, you can follow the guidance here if you want.

The problem isn’t going away. Here’s some recent news about ransomware and our local communities:

My other related posts in chronological order:

OK, the rest is up to you (or not). That’s the way it is.

CALL TO ACTION – Do Something About Civic Ransomware

Another city ransomware attack, another payment to the attackers. Another win for the bad guys, and another loss for the rest of us. The question is, are you going to do anything about it?

This time the news comes from Lake City, Florida. The 12,000+ citizens of the small(ish) northern Florida town will foot the 42 bitcoin (~$500,000) bill for the city’s poor preparation. Actually, insurance will cover the direct cost and the city only pays $10,000. Chalk up another loss for U.S. cities (and their citizens). The money the attackers walk away with will most certainly be used to attack other victims, including other cities. Oh, and as far as insurance goes, we all pay a price in higher insurance premiums and limited coverage options. Insurance companies aren’t in the business of losing money.

The quote of the day: “I would’ve never dreamed this could’ve happened, especially in a small town like this” – Lake City Mayor Stephen Witt.

(BTW, I don’t view this as his fault. We, the information security community, obviously failed in reaching him with the message)

Additional details of this latest ransomware payment:

So, what are YOU going to do about this? Yes, you! When I refer to “you”, I’m referring to everyone/anyone, security people and non-security people alike. All of us are in this together.

Should we wait until your city gets hit, or maybe we believe in the false narrative that it will never happen to you/your city?

Will your mayor or local government official be quoted on the news, having “never dreamed” that such a thing could happen?

DO SOMETHING – START HERE

Earlier this week, I posted an article about an email that I was going to send to my city and county officials. I sent the emails a couple of days ago, but haven’t heard anything back yet. Not to worry, I’m determined (and so should you be).

One of the things I didn’t really expect was for people to follow my lead. It was impressive to read and hear about people who took this as a call to action. They’ve been inquiring of their local governments about ransomware protections too! That’s great news! So far, more than a dozen people have told me that they have written their city and/or county government. Some are even getting good responses back.

Here’s what I’m asking you to do:

  • If you haven’t emailed your city and county government officials (inquiring about their ransomware readiness), PLEASE DO IT.
  • If you’ve emailed your city and/or county government officials, but haven’t received a response within a few days, PLEASE EMAIL AGAIN. Stay engaged until you get an answer.
  • If you’ve emailed your city and/or county government officials, and have received a response, PLEASE SEND THE RESPONSE TO US. You can send it to us through the UNSECURITY Podcast email address (unsecurity@protonmail.com).
  • No matter what you do, please follow these rules:
    • DO – Always be courteous.
    • DO – Always be respectful.
    • DO – Help if you can.
    • DO – Remember the goal, we are trying to help and we are trying to prevent more occurrences of the Atlanta, Baltimore, Riviera Beach, and now Lake City ransomware events.
    • DO – Ask us questions and make suggestions (unsecurity@protonmail.com).
    • DON’T – Try to answer questions that you don’t feel (or know you’re not) qualified to answer. Email unsecurity@protonmail.com, and we’ll find a good resource/answer for you.
    • DON’T – Use threatening language or insinuate threats of any kind.

EMAIL TEMPLATE

Feel free to use this sample email template that I used or create your own.

———-START EMAIL———-

Dear <INSERT NAME>,

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you.

How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack?

I ask you because there has been a rash of ransomware attacks that have hit city governments recently. The most current ones being the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/), the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers), and Lake City, Florida (https://www.cbsnews.com/news/ransomware-attack-lake-city-florida-pay-hackers-ransom-computer-systems-after-riviera-beach/). I hope we’ve planned well and will not pay a ransom (even through insurance) if/when an attack were to occur. Rather than reacting to such an occurrence, I’m hoping that our <CITY/COUNTY> has planned ahead.

Although I work in the information security field, I have no interest in selling anything. I’m just a concerned/interested citizen. If I can help, I will.

Thank you for making <CITY/COUNTY> a great place to live!

Respectfully,

-<YOURNAME>

———-END EMAIL———-

Let’s make this a way we can start fighting back against criminals who are fleecing our cities and our friends. This is only the start. Next steps come after getting responses.

Again, we are all in this together. Please be helpful, respectful, and courteous.