UNSECURITY Episode 123 Show Notes

Happy St. Patrick’s Day! For those of you who aren’t into this holiday (for whatever reason), Happy (everyday) Day!

This has been a week full of great experiences and awesome conversations with wonderful people. It’s the people we serve who inspire us to work as hard as we do. Here’s a small sampling:

  • Daytona Bike Week (last week) – if you’ve never been to a bike rally before, I recommend you try it out someday (even if you don’t ride). There are interesting people from all walks of life and the diversity (backgrounds, race, preferences, thought, etc.) would probably surprise you.
  • Co-workers – discussions about everything from mental health (many of us did the Mental Health First Aid certification course together last week), to life challenges (relationships, family, health, etc.), to work challenges, and everything in between. It’s a blessing (to them and to me) when I stop, listen, and invest in others.
  • Customers/peers – had some check-ins this week with a few enterprise CISOs I call friends. Life as a CISO can be extremely DIFFICULT. It’s encouraging to know people care about me, and I them. CISOs are human beings who need love just like all of us do!
  • Everyday people – we’re all beautifully unique. We are similar in some respects, but there are wonderful things that make me me and you you. We’re a hodge podge of emotions, biases, beliefs, perspectives, and experiences. Rather than fight because you think differently than I do, why don’t I embrace the uniqueness and differences? Why not try to understand them and you better?

We’re not doing this enough in society and we’re not doing this enough in our industry either.

    • Why?
    • Have we lost our respect for other human beings?
    • Have we lost our ability to reason?
    • Are we afraid to share who we really are out of fear? Fear of being marginalized, silenced, and attacked (physically and online)?

I believe people are AMAZING! I believe people are worthy of respect (even if it’s only a little). I believe people should be heard and understood. I believe information security isn’t about information or security as much as it is about people. I believe people are who we serve. I believe we must invest in people more. I believe in understanding people (better). I believe loving people gives us our best chance at doing our (information security) jobs effectively, and I believe loving people gives us our only chance of saving society.

Now on to show notes for episode 123…


SHOW NOTES – Episode 123 – Wednesday March 17th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 123, and the date is March 17th, 2021. Filling in for Brad again this week if my good friend and co-worker Ryan Cloutier. Welcome Ryan, glad to have you back!

  • We’ve got a great show planned today. We’ll start with the importance of reason and logic in information security, our jobs, and in life. There are many parallels between information security (or “cybersecurity” as some people call it) and life.
  • Then, if we have time, we’ll talk about passwords. Everybody hates passwords.
  • We’ll close the show with a few mentions; about the FRSecure CISSP Mentor Program and SecurityStudio’s free S2Me (very quickly growing in popularity).
  • Oh yeah, we’ve got a couple news stories too, but whatever.

Reason

  • Have we lost our ability to reason?
  • What is reason anyway?
  • Why is reason (and logic) critical to information security?
  • Why is reason (and logic) critical to risk (all risk)?
  • Why is reason (and logic) critical to life?
  • There are parallels here, like:
    • Information security is risk management.
    • There’s no such thing as risk elimination or infinite risk; they are two different ends of the spectrum.
    • There’s no such think as 100% reason/logic without emotion or vice versa; two different ends of the spectrum.
    • The goal is management.
  • If we’ve lost our ability to reason, how can we get it back? Or, if we never had the ability to reason, how do we learn it?
    • Ask “Why?” often, almost incessantly, like a three year-old.
    • Ask yourself “Why”.
      • Not in a way that beats yourself up, but in a way that you understand why you’re doing what you’re doing and/or why you believe what you believe.
      • Notice the difference between emotional response and logical response.
      • Learn to use logic and emotion where they are and how they are appropriate. Seems mechanical and awkward at first, but it should become natural/habitual over time.
    • Ask others “Why”.
      • Respectfully out of a desire to understand, and not in a confrontational manner.
      • Learn how to ask without offense. If the person your asking takes offense despite your best efforts, that’s on them.
      • Maybe they need help understanding logic versus emotion? Interesting tells about people who are unable or unwilling to use reason or logic to defend a position (or make a point):
        • They change the subject. You asked a question about one thing, and quickly find yourself in a discussion about something different.
        • They attack your character. This is a classic emotional response where the person you’re questioning probably isn’t sure why he/she believes what they do. Don’t take offense, but recognize this tactic for what it is.
    • Encourage others (especially people you trust) to question you.
      • Be prepared to defend why you believe what you believe. If you can’t (with reason), then maybe you should question what you believe.
      • When other people ask you “why”, view it as an opportunity to state your case.
      • When other people ask you “why”, it’s a great opportunity for you to learn (about perspective and reason).

NOTE: We could talk for a long time about Reason, so we might not get to the topic of “Passwords”. If we don’t get to Passwords in this episode, we’ll get to it in episode 124.

Passwords

  • Why do we need them?
  • What makes a password good versus bad?
  • What do we (Ryan and I) do to practice good password behavior? BTW, neither of us is perfect!

NOTE: Regardless of timing, we will discuss “Mentions” in this episode.

Mentions

  • FRSecure CISSP Mentor Program – We’re less than one month away from the start! I think there are more than 4,000 students signed up, so this is going to be AWESOME!
  • S2Me – the FREE SecurityStudio personal risk management tool has been growing very fast (in terms of popularity). Big news happening here, and we’re making a difference!

News

Wrapping Up – Shout Outs

Good talk. Thank you Ryan, and thank you listeners!

…and we’re done.

UNSECURITY Episode 121 Show Notes

Happy Tuesday! It’s time to get ready for another episode (#121) of the UNSECURITY Podcast!

Not sure if you caught it last week, but there was an open U.S. Senate hearing on Tuesday (2/23). The hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary” and lasted about two and a half hours. The hearing was about the events surrounding the SolarWinds Orion Hack, and what we can do to prevent (or at least reduce the likelihood of) similar events in the future. Witnesses included some well-known people in our industry:

  • Kevin Mandia, CEO of FireEye
  • Sudhakar Ramakrishna, CEO of Solarwinds
  • Brad Smith, President of Microsoft
  • George Kurtz, President and CEO of CrowdStrike

This hearing was a big deal because U.S. policymakers are trying to figure out what to do, and how “to make sure this doesn’t happen again.” If policy makers draft policy based solely on what these witnesses said, we might be in some serious trouble!

There were some really interesting things said during the hearing, and we’re going to share our thoughts on today’s show.

So, let’s do this! These are the notes for episode 121 of the UNSECURITY Podcast.


SHOW NOTES – Episode 121 – Tuesday March 1st, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 121, the date is March 2nd, 2021, and joining me as usual is my good friend, Brad Nigh. Good morning Brad!

Quick Catching Up

  • What’s new?
    • Working on S2Org r3, IR assessment, and other things.
    • The Gray Matter Society
    • Who would make a good guest next week?
  • Anything else new at FRSecure and/or SecurityStudio?

The Meat

Open Hearing: Hearing on the Hack of U.S. Networks by a Foreign Adversary – https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary

  • Kevin Mandia’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf
  • Sudhakar Ramakrishna’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf
  • Brad Smith’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf
  • George Kurtz’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-022321.pdf
  • The hearing went ~2 1/2 hours, did you make it through it all?
  • So, Amazon Web Services didn’t show up. They haven’t been forthcoming or helpful
  • An interesting Q&A (starting at 1:22:08) from Senator Wyden (D-OR)
    • Senator Wyden: The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?
    • Mr. Ramakrishna: Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring,  system monitoring, application monitoring on premises of our customers.
    • Senator Wyden: Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world  is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.
    • Mr. Mandia: And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.
    • Senator Wyden: I don’t want to use up all my time. We’ll say that your response to NSA and the National Institute of Standards is “it depends”. Let’s just go down the row.
    • Mr. Ramakrishna: So my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules.
    • Senator Wyden: Very good.
    • Mr. Smith: I’m squarely in the “it depends” camp.
    • Senator Wyden: OK.
    • Mr. Smith: For the same reasons that Kevin said.
    • Senator Wyden: OK, I think we have one other person, don’t we?
    • Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys.
    • Senator Wyden: I’m going to close, and uh, my colleagues are all waiting. Bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So, in the days ahead it’s gonna be critical that you give this committee assurances that spending billions of dollars more after there weren’t steps to prevent disastrous attacks that experts had been warning about was a good investment. So, that discussion is something we’ll have to continue, thank you Mr. Chairman.
  • Other thoughts and discussion about the hearing.
  • There was general consensus amongst the witnesses that there’s a strong need for mandatory reporting of cyber attacks

News

News stories to cover this week, include:

Wrapping Up – Shout Outs

Good talk! It will be interesting to see what legislation comes out of Washington in response to SolarWinds.

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

Service and Sacrifice – Happy Birthday USMC

Today marks the 245th birthday of the United States Marine Corps (USMC).

HAPPY BIRTHDAY MARINES!

  • To the greatest fighting force on the planet.
  • To the faithful men and women who serve our country with bravery only they can fathom.
  • To the “Jarheads”, “Devil Dogs”, “Teufel Hunden”,  and “Leathernecks” who give all so others can have.

Quick History

The storied history of the USMC began on November 10th 1775, when Captain Samuel Nicholas gathered two battalions of Continental Marines in accordance with the Continental Marine Act of 1775. Less than six months after being formed, these brave men set out on their first amphibious assault, the successful Raid of Nassau (March 1–10, 1776).

Our beloved USMC has fought in (at least) twenty-eight armed conflicts including:

  • Revolutionary War
  • Quasi-War with France
  • Barbary Wars
  • War of 1812
  • Creek-Seminole Indian War
  • Mexican War
  • Civil War-Union
  • Spanish-American War
  • Samoa (1899)
  • Boxer Rebellion
  • Nicaragua (1912)
  • Mexico (1914)
  • Dominican Republic (1916-1920)
  • Haiti (1915-1934)
  • Nicaragua (1926-1933)
  • World War I
  • World War II
  • Korean War
  • Dominican Republic (1965)
  • Vietnam War
  • Lebanon (1982-1984)
  • Grenada (1983)
  • Persian Gulf (1988) (Oil Platforms)
  • Panama (1989)
  • Persian Gulf War (1990-1991)
  • Somalia (1992-1994)
  • Afghanistan (2001-2015)
  • Iraq (2003-2016)

From 1775 to 2015, more than 41,000 Marines have made the ultimate sacrifice for us on the battlefield. Additionally, more than 200,000 have been wounded (Source: Marine Corps University). The fact that these numbers are as low as they are is a testament to Marine dedication, training, effectiveness and lethality. Regardless of the numbers, let’s not forget that each one of these soldiers was a father, mother, son, daughter, aunt, uncle, brother, sister, and/or friend. It’s our duty as citizens of this great country to ensure their sacrifices were not made in vain; that their sacrifices might live on through our own acts of service to others.

My Marine Corps Story (brief)

I was born in the Naval Hospital Philadelphia to two Marine Corps parents. My father served in active duty from 1957/8 until retirement in 1978, and my mother also served. Although her active Marine Corps duty was not as long as my father’s, her duties (raising me and keeping my father in line) was a helluva lot more challenging. I’m an only child who grew up on base (Camp Pendleton and Quantico).

Although I didn’t serve directly in the Marine Corps myself, the Marine Corps culture is a huge part of who I am. The Marines, my mother and my father taught me so many good things about the right way to live. Things like respect, discipline, work ethic, drive, mission, etc. I am forever grateful!

Happy Birthday

So, Happy Birthday Marines!

There are no words to describe how grateful I am. Regardless of how many people express gratitude for your service consciously, the gratitude is in their subconscious every time they exercise a constitutional right, walk down a street, eat a warm meal, embrace a family member, or do anything made possible by your service. Thank you for standing guard day and night for me, my family, and all Americans. I don’t take you or your sacrifices for granted, and I pray I never will.

The USMC always serves faithfully, rightfully earning their motto, Semper fidelis. Saying you’re faithful is one thing, demonstrating it through blood, sweat, and tears for 245 years is something entirely different.

Good People Didn’t Vote For Your Guy

The truth:

There were hundreds of thousands, maybe millions, of worthy people who didn’t vote for “your guy”.

Demonize as you will, but here’s a reminder of some things.

People who voted for the other guy are NOT bad people. Sure, there are bad apples in any large group, but the vast majority of Americans are not bad people.

These people are NOT:

  • “ill”
  • “sick”
  • “dumb”
  • “stupid”
  • “racist”
  • “bigoted”
  • “idiots”
  • “Socialists”
  • “Fascists”
  • or any other demonizing word you want to throw at them.

These people ARE:

  • human beings with basic needs
  • human beings with basic desires
  • human beings with dreams
  • human beings who want to be loved
  • human beings who want to feel grace
  • human beings who have families
  • human beings who have different perspectives (a good thing)
  • human beings who have different beliefs (also a good thing)
  • human beings who have different backgrounds (also a good thing)
  • human beings with many additional things that are beautiful about them.

A failure to recognize these things about other people, especially those who don’t see eye to eye with you, makes you the same thing you rail against (intolerant, bigoted, etc.).

It doesn’t matter who “your guy” is or who “my guy” is. We both (Democrats and Republicans) have players on our team who demonize players on the other team. The lie is that there are two teams to begin with.

There is only ONE team. We are ALL Americans.

The other teams play for China, Russia, Iran, etc. You’d be remiss if you thought otherwise.

The sooner we learn to embrace the good things about us and shed the bad things, the better off our team will be. A team full of players who constantly fight each other doesn’t win (or accomplishing anything meaningful).

So, what are the good things? Go back to the list (above). The greatest of the “good things” is love. Choose and show love. It’s the best thing we’ve got.

 

 

UNSECURITY Podcast – Ep 101 Show Notes – Election Security

Well, it’s already mid-October and the election is 21 days (three weeks) away. Things have never seemed crazier or more divided, at least not in my lifetime. Good fodder for discussion in episode 101 of the UNSECURITY Podcast!

Work-wise things are also crazy, but good. Fourth quarter is always nuts for an information security company, and doesn’t matter is it’s consulting (FRSecure) or SaaS (SecurityStudio). Everyone is running at full capacity and finding life margin is a challenge!

Hope you’re happy and healthy! On the the show; I’m (Evan) leading this show and these are my notes.


SHOW NOTES – Episode 101

Date: Wednesday October 14th, 2020

Episode 101 Topics

  • Opening
  • Catching Up (as per usual)
  • Election Security
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there, thank you for tuning into this episode of the UNSECURITY Podcast. The date is October 14th, 2020 and this is episode 101. I’m Evan Francen, your host for this show. Joining me is my good friend and co-host Brad Nigh. Good morning Brad.

[Brad] Brad does Brad.

[Evan] I know we’re a day late getting the podcast out again this week, but holy cow we’ve been busy! We’ll try to get back on track next week.

Brad, I want to reiterate how I enjoyed our discussion the past couple of weeks about the social dilemma, a Netflix documentary about social media and its effects on society. Lots to think about. In fact, I’m planning to watch it again this week.

[Brad] He might comment here.

Catching Up

[Evan] So, what’s new? Tell us what a day in the life of Brad looks like.

[Brad] Cue Brad.

[Evan] I’ll share some stuff too (probably).

Transition

Election Security

[Evan] As you know, we’re only 20 days from the election. If you haven’t registered to vote yet, you should. Go to vote.gov and check it out. Brad have you registered to vote?

[Brad] Cue Brad.

[Evan] I’m registered and ready to cast my ballot! The date is November 3rd.

There’s been much said about election security. A simple Google search of “election security” produces over 2.2 million results! Election security isn’t a new thing, even though it’s been front and center the past few election cycles.

There’s more to election security than protecting voting machines, so let’s talk about this.

Resources

[Evan] There’s a lot more to election security than infrastructure. What about voter intimidation, disinformation, and security after election night? We’re talking about disinformation on Thursday night’s Security Sh*t Show because this is a significant issue in today’s society.

Election Security Discussion

Open discussion

[Evan] Good discussion! Securing an election has never been more difficult. Let’s catchup on some news quick.

News

[Evan] Here are some recent and interesting news stories to talk about.

Wrapping Up – Shout outs

[Evan] Great! Episode 101 is just about complete. Thanks Brad, do you have any shout outs this week?

[Brad] We’ll see.

[Evan] Always grateful for our listeners! We’re behind on email, but we’ll promise to respond soon. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 100 Show Notes – The Social Dilemma Pt2

Hard to believe that this is episode 100 already! I’ll have to write a recap of the journey sometime soon.

Crazy things all over the place here at FRSecure and SecurityStudio. If you’ve been an information security consultant, or if you know one, you know that 4th quarter is a crazy time of year. Turns out, COVID-19 and 2020 is NOT the exception. We’re happily swamped.

Having said all that, we’re a day late getting the podcast out again this week. Not because we didn’t try, but because life and work get in the way sometimes.

Hope you’re happy and healthy! On the the show; Brad’s leading and these are Brad’s notes.


SHOW NOTES – Episode 100

Date: Wednesday October 7th, 2020

Episode 100 Topics

  • Opening
  • Catching Up (as per usual)
  • the social dilemma, Part Two
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 100 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is October 6th, and joining me this morning as usual is Evan Francen.

[Evan] Talks about how busy things have been

[Brad] Last week we had a really good discussion about The Social Dilemma and we didn’t get to everything so we are doing part 2 today. But before we get going let’s recap our week.

Catching Up

[Evan] Evan’s cool story

[Brad] A recap of my week

Transition

the social dilemma, Part Two

[Brad] Okay let’s pick up where we left off. There are no shortage of takes on the movie, here are some I found interesting.

[Brad] Great discussion here are some news stories

News

[Brad] Here are news stories that caught me eye this week:

Wrapping Up – Shout outs

[Brad] That’s it for episode 100. Thank you Evan, do you have any shout outs this week?

[Evan] We’ll see.

[Brad] Thank you to all our listeners! Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.
That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 99 Show Notes – The Social Dilemma

Happy Tuesday! Here we are again, and lots going on…

The big news (sort of) is the first presidential debate is tonight. I wonder how many people will tune in. Personally, I’m not sure if I will. We’ll see.

A few weeks ago my wife asked me to watch the social dilemma with her on Netflix, so I did. I’d heard about the documentary/movie from some friends, but didn’t get around to watching it until then. Wow!

The opening quote from the movie:

Nothing vast enters the life of mortals without a curse

-Sophocles

He was right. Today, Brad and I will give your our reviews about the social dilemma and talk about our thoughts. These are my (Evan) show notes for episode 99.


SHOW NOTES – Episode 99

Date: Tuesday, September 29th, 2020

Episode 99 Topics

  • Opening
  • Catching Up
  • the social dilemma
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in to episode 99 of the UNSECURITY Podcast. Today is September 29th, 2020 and joining me is my co-host and friend Brad Nigh.

Good morning Brad.

[Brad] Cue Brad.

[Evan] We’ve got a special show planned for our listeners this week. Brad, you and I both watched the social dilemma on Netflix. It’s a documentary about social media in our society that was released in January. Funny how neither of us had watched it until recently, and now (as of this morning) it’s trending as the #6 most popular video on Netflix. I guess it’s better late to the party than not showing up at all!

Before we jump in, I’m dying to hear your thoughts, let’s catch up quick. This is customary.

Catching Up

[Evan] Brad, how you doing? What’s new?

[Brad] Cue Brad.

[Evan] Cue Evan.

Transition

the social dilemma

[Evan] You watched the social dilemma, right?

[Brad] Cue Brad.

[Evan] What did you think?

Our review and discussion

  • What if I’m not a social media user/addict, why should I care?
  • We see different realities? Different news feeds?
  • Data (you and I) sold to the highest bidder.
  • Where does this all end if we don’t act (now)?

Any sufficiently advanced technology is indistinguishable from magic

-Arthur C. Clarke

[Evan] If you haven’t seen the social dilemma yet, I highly suggest you do. Sit down, spend the hour and a half, and consider it all. If you’ve got a spouse, invite them to watch it with you. If you’ve got teenage kids, see if you can peel them away from their phones long enough too.

We’ve got to do more about this, and we’ve got to move much quicker than we are.

[Evan] OK, news. Let’s do some quick news stories.

News

[Evan] Three news stories to talk about briefly this week:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 99 is almost a wrap. Brad, any shout outs this week?

[Brad] Shout out…

[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!

UNSECURITY Podcast – Episode 98 Show Notes

Here we are again, another Tuesday, and another episode of the UNSECURITY Podcast!

Tons going on, as usual.

Last week we released a couple new FREE things at SecurityStudio:

  • Work From Home Security Policy Template – Located at the bottom of our S2Team page. If you don’t know what S2Team is, you should definitely take a look. If you just want the template and don’t care, here it is.
  • Ransomware Recovery Contract – A simple contract between executive management and IT to ensure accountability for ransomware recovery. Executive management likes it because they finally know what to ask for, and IT likes it because they can use it to show they’re doing what they should/can to prevent a prolonged ransomware outage. I’ve uploaded the contract to my site here.

ADDED: Brad reminded me on the show that FRSecure made a free Incident Response Plan Template available last week. Take a look. It’s really, really good (and free)!

Other goings on include developing and improvement of new services (including the release of SecurityStudio v3.9 and an incident response capability assessment), continued collaboration with great partners, a few speaking engagements, episode 19 of the Security Shit Show, deployment of S2Team, and other things.

Alright, enough about that. Let’s get to the show notes, shall we? These are my (Evan) notes.


SHOW NOTES – Episode 98

Date: Tuesday, September 22nd, 2020

Episode 98 Topics

  • Opening
  • Catching Up
  • Accountability
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in to episode 98 of the UNSECURITY Podcast. Today is September 22nd, 2020 and joining me is my co-host and friend Brad Nigh.

Good morning Brad.

[Brad] Cue Brad.

[Evan] I think we have a good show planned for listeners this week. This episode is all about accountability. I’d like to discuss how accountability works in information security, who should be accountable for what, and give some tips for improving accountability where we work and in the world around us.

Lots to cover on the topic of accountability. Before we jump in, quick catchup with Brad.

Catching Up

[Evan] Brad, how you doing? What’s new?

[Brad] Cue Brad.

[Evan] Cue Evan.

Transition

Accountability

[Evan] Alright, let’s talk about accountability, or maybe the lack of accountability, in information security. This has been a topic that’s been dominating my thoughts again for the past couple weeks. I say “again” because this isn’t the first time we’ve talked about it.

During an episode of the Security Shit Show a couple weeks ago, I think it was episode 18, we were talking about ransomware. The talk was great, but the frustration we all felt was apparent. Why do we keep doing the same things over and over again? Why don’t people do the basics? My take was the lack of accountability. So, I drafted a Ransomware Recovery Contract to help.

Have you seen the Ransomware Recovery Contract?

[Brad] Cue Brad (I’m sort of springing this on him).

[Evan] So, the greater issue of accountability in general. Let’s talk about it here, for our benefit and the benefit of our listeners.

  • The importance of accountability.
    • Repeating the same mistakes over and over.
    • Safe to assume people know?
    • People die now.
  • When to define accountability.
  • Who’s ultimately accountable for what?
    • In tech – buggy software, social media (see the social dilemma), etc.
    • Big organizations.
    • Small organizations.
    • Public organizations.
    • School districts.
  • Examples of accountability disfunction.
  • Examples of good accountability.
  • What to do about it.
    • Get out ahead. Better now than never (or later).
    • Will CEOs be personally liable someday?

[Evan] This is a deep subject with much to be said. Everything moves so fast, and sadly accountability is severely lagging behind.

[Evan] For listeners who are wondering about us doing a series titled “Politics and Information Security”, it’s still being considered. We just have to put it all together.

[Evan] OK, news. Let’s do some quick news stories.

News

[Evan] Three news stories to talk about briefly this week:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 98 is almost a wrap. Brad, any shout outs this week?

[Brad] Shout out…

[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!

You Don’t Know Me

Let’s cut through the bullshit. You don’t know me, and I don’t know you.

Here’s why this is important; despite us not knowing each other, I will judge you and you will judge me. This is human nature. We make our judgements based on information we have available and our own historical perspective (or world view). Judgement might not be overt, but you and I are always engaging in making judgements. You might think this is a bad thing, but it’s not. Judgement, by itself, is nothing more than:

  • the process of forming an opinion or evaluation by discerning and comparing
  • an opinion or estimate so formed
  • the capacity for judging: discernment
  • a proposition stating something believed or asserted

Judgement is good. When you judge me or I you, this could be a good thing; however, it’s only good without bias (unlikely).

Bias is a one-sided, closed-minded, and destructive mindset. Bias doesn’t discriminate, but it leads to discrimination. Look at the definitions of “bias”, “racism”, and “discrimination” for a second.

We can conclude that judgement is good, bias (and racism and discrimination) is bad.

The point

You don’t know me; therefore, if you were to judge me, what would your judgment be based on? If you don’t get to know me, you’d have to judge based on superficial things like how I look, the vehicle(s) I drive, how I dress, etc.

What if I told you these things about me?

  • I’m white/Caucasian.
  • I’m a man.
  • I have a long beard.
  • I drive an F250 pickup truck.
  • I drive a Harley Davidson motorcycle.
  • I live in a small town.
  • I have a good job.
  • I am licensed to carry a firearm.
  • I go to church every Sunday.

Would you think that I’m some sort of right-wing nut job? Would you treat me like one?

How about you? Let’s say:

  • You’re black/African American.
  • You’re a man.
  • You look “normal”, but you’re not clean shaven.
  • You’re middle-aged.
  • You’ve never been married.
  • You have plenty of money.
  • You wear nice clothes.
  • You drive nice sports cars.
  • You didn’t graduate high school.
  • You grew up in New Orleans

Would I think you’re a drug dealer, a thug, or involved in some sort of criminal activity? Would I treat you like you were?

God, I hope not!

In both cases, these judgements are 100% wrong! Like not even close. The judgements are wrong because they are biased.

Me, I am not some right-wing whacko. I despise most of what they stand for and I would never consider doing some of the things they do. Despite this, I can see how someone would mistake me for one. I look the way I look and like the things I like because I do. That’s it, nothing more and nothing less. I hate hatred in all its forms and have a genuinely deep love for people. I don’t just love people like me either, I love people from all walks, all backgrounds, and all beliefs. People who aren’t like me fascinate me.

About the only time I don’t love people is when I must share the road with them, but I’m told that’s sort of normal(ish).

The second person I referenced is Tyler Perry. He is an amazing man with an incredibly inspiring story. Rising from where he did to where he is now is a miraculous journey. He’s impacted thousands (maybe millions) of people across the globe with his works and his story. If you don’t know his story, I’d suggest you read up on him. He grew from a very troubled youth (shitty father figure, attempted suicide, child molestation, etc.) to become a tremendously successful actor, writer, producer, comedian, and director. In my opinion, he’s one of the most inspiring men alive today.

So, again, bias is bad. Put your bias to death as much as you are able.

What to work on

Here are some of the things I will work on to kill my own bias. I can’t change the world, but I can work on me. Here’s my pledge (to myself as much as anyone else):

  1. I will give people the benefit of the doubt. If I don’t know something to be true, instead or going the shitty route, I’ll take the good path in my thoughts and feelings toward others.
  2. I will seek other people’s perspectives. I don’t know what it’s like to be someone else. A person’s perspective is their reality. Understanding their reality and validating it where possible will go a long way towards killing my own biases.
  3. I will listen to people more. We’re all quick to offer advice and stories about the things we’re passionate about. I’ll do better at hearing these things from other people. Who knows, maybe I’ll learn a bunch.
  4. I will embrace the uniqueness in people. We all belong to people groups, either by birth or by choice. Despite whatever people group we belong to, there are beautifully unique things about each one of us. I want to discover the unique gifts in people and embrace them.
  5. I seek to change people and/or their minds less. You have your beliefs and I have mine. We can each be us.
  6. I’ll be a friend to anyone. This doesn’t mean there aren’t boundaries. All relationships have them, even friendships.
  7. I’ll work to find common ground. You’re not me and I’m not you. You believe certain things and so do I. We’re both human beings and if we can’t find anything more common than that, so be it. We’ll start there.

These are seven things that I’ll work on. I said it earlier, I don’t know you, so I can’t suggest the things you should work on. Only you can determine these things, and (probably) only after deep, honest introspection.

I truly love people, and it saddens me to see us hurt each other like we do.