UNSECURITY Episode 132 Show Notes

Hey Listeners!

Spring is in full bloom (finally) in Minnesota, and life is good. The weather is great, and last week, our Governor (Tim Walz) lifted the mask mandate for people who are vaccinated and maintain some semblance of social distancing. It’s good to see people’s faces again, especially when they’re smiling. 🙂

We’re grateful for the guests who have joined our show the past four weeks! We’ve learned a ton from these conversations.

If you missed any of these shows, you can find them here:

NOTE: We’re looking for people from other walks of life to share their perspectives too, especially men and women of color. Let us know at unsecurity@protonmail.com if you have suggestions.

This week, we’re not planning to have a guest, so you’ll have to put up with Brad and I.

Next week (episode 133) we’re hoping to have Gabriel Friedlander from Wizer on the show!

Let’s get to the episode 132 show notes, shall we?


SHOW NOTES – Episode 132 – Tuesday May 18th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 132, and the date is May 18th, 2021. Joining me is my good friend, highly-skilled information security expert, and all around great guy, Brad Nigh.

Good morning Brad!

There are so many things happening in our world, it’s hard to keep track. One interesting event from the last week (other than the Colonial Pipeline attack) was the announcement of President Biden’s Executive Order (EO) 14028 titled “Improving the Nation’s Cybersecurity”. In today’s episode, Brad and I are going to break this down.

Improving the Nation’s Cybersecurity

  • The EO was announced by the Administration on 5/12/21.
  • There’s a lot of information to unpack here, including:
  • Section 1. Policy, containing:
    • Policy statement.
    • Scope.
  • Section 2. Removing Barriers to Sharing Threat Information, containing:
    • Review existing reporting requirements and procedures.
    • Recommend updates to the Federal Acquisition Regulation (FAR).
    • Update the FAR.
    • Enforce IT/OT provider compliance.
    • Centralize reporting.
    • Provide budget for this section.
  • Section 3. Modernizing Federal Government Cybersecurity
    • Adopt security best practices.
    • Advance toward Zero Trust Architecture.
    • Accelerate movement to secure cloud services.
    • Adopt multi-factor authentication.
    • Encrypt data at rest and in transit.
    • Centralize and streamline access to cybersecurity data.
    • Invest in both technology and personnel to match the modernization goals.
  • Section 4. Enhancing Software Supply Chain Security
    • Develop standards, tools, and best practices for secure software development.
    • Enforce secure software development practices.
    • Define and enforce a “Software Bill of Materials (SBOM)”.
    • Define “critical software” and its protection requirements.
    • Consumer labeling programs for IoT and software.
  • Section 5. Establishing a Cyber Safety Review Board
    • Requirements for a new “Cyber Safety Review Board”.
    • All requirements are for the Secretary of Homeland Security and the (yet to be established) Cyber Safety Review Board (“board”).
  • Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents; the playbook:
    • Will Incorporate all appropriate NIST standards.
    • Be used by all Federal Civilian Executive Branch (FCEB) Agencies.
    • Will articulate progress and completion through all phases of an incident response.
    • Will allow flexibility so it may be used in support of various response activities.
    • Establishes a requirement that the Director of CISA reviews and validates FCEB Agencies’ incident response and remediation results upon an agency’s completion of its incident response.
    • Defines key terms and use such terms consistently with any statutory definitions.
  • Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
    • The adoption of a Federal Government-wide Endpoint Detection and Response (EDR) initiative.
    • CISA threat hunting on FCEB networks and systems without agency authorization.
    • Information sharing between the Department of Defense and the Department of Homeland Security
  • Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities
    • Types of logs to be maintained.
    • Time periods to retain the logs and other relevant data.
    • Time periods for agencies to enable recommended logging and security requirements.
    • How to protect logs (logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention)
    • Data shall be retained in a manner consistent with all applicable privacy laws and regulations.
    • Ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
    • Permit agencies to share log information, as needed and appropriate, with other Federal agencies for cyber risks or incidents.
  • Section 9. National Security Systems
  • Section 10. Definitions
  • Section 11. General Provisions

This will be a great conversation as Brad and I share our summary, thoughts and opinions on all this!

News

Just time for one news story this week. This one is from Brian Krebs, “Try This One Weird Trick Russian Hackers Hate“.

Wrapping Up – Shout Outs

Who’s getting shout outs this week?

Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.

Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.

That’s it. Talk to you all again next week!

…and we’re done.

Operationally Cumbersome?

The leading cause of death in the workplace is falls. 36.5% of all fatalities are due to falls, followed by 10.1% caused by being struck with an object. Recognizing the problem, OSHA created requirements to protect workers from falls, including:

  • guardrail systems
  • safety net systems
  • personal fall arrest systems
  • covers
  • positioning device systems
  • fences
  • barricades
  • controlled access zones

All these controls, when used properly, save lives.

Hypothetical Scenario

A successful construction company is working on a 30-story office building. Timelines were already tight, but a series of material delivery delays has put them way behind schedule. In a rush to complete the project, it’s easy overlook certain things. In this case, a properly configured personal fall arrest system was overlooked. They bought the system, the system was onsite, but the system wasn’t installed correctly. Nobody noticed until one day a worker, twenty stories up, slipped and fell to his death.

As you can imagine, there was a serious investigation. In the end, the company admitted their oversight, received a fine, settled a lawsuit with the worker’s family, and continued operations.

A few weeks later, same thing happens. Another investigation, another slap on the wrist, another settled lawsuit, and back to business as usual.

A few months go by, and there’s another incident! The investigation cited the same cause as the others, a poorly configured/installed personal fall arrest system. This time, OSHA wants a public hearing and invites company representatives to answer questions before their panel. At the hearing, company representatives were asked the following question:

If a properly deployed personal fall arrest system had been used, would these lives have been saved?

A company representative responds:

It depends. In theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.

Seems reasonable, right?. We certainly don’t want to get in the way of company production!

Or, wait a second. This doesn’t seem right. Poor safety because good safety is “operationally cumbersome” doesn’t sit well with you. Good, it shouldn’t!

Sadly, a similar analogy plays out all over the information security industry every day.

Hearing on the Hack of U.S. Networks by a Foreign Adversary

The construction analogy hit home while watching recent testimony in front of the U.S. Select Committee on Intelligence.

On February 23rd, 2021, Kevin Mandia (FireEye CEO), Sudhakar Ramakrishna (SolarWinds CEO), Brad Smith (Microsoft President), and George Kurtz (CrowdStrike President and CEO) were invited to give their testimony about the attacks on SolarWinds Orion last year (and ongoing). These are four very powerful men in our industry, and I appreciate what they’ve accomplished. In general, I have a great amount of respect for these men, but I’m not comfortable in their representation of our industry without also considering (many) others. Some of the reasons I’m not comfortable, include these facts:

  • They run billion and multi-billion dollar companies that sell products and services to protect things.
    • If people were already protected, they’d have nothing to sell. There is incentive to keep people insecure.
    • Companies must continue to produce new products (See: product life cycle diagram below). Without new products, sales decline. As long as people keep buying (regardless of need), they’ll keep making.

  • They have significant personal financial interests in the performance (sales, profit, etc.) of their companies.
  • They represent shareholders who have significant financial interests in the performance of their companies.
  • They may lack clear perspective of what most Americans and American companies are struggling with due to where they sit.

A hearing such as this is a fantastic opportunity for people to tout their accomplishments (which they do), tout their companies accomplishments (which they do),  and sell more stuff as a result. I DO NOT fault the witnesses for doing these things. It’s their job!

Let’s just hope our Senators take the hearing and witnesses in proper context and seek many more perspectives before attempting to draft new policy.

IMPORTANT NOTE: It may appear in this article that I’m critical of the people in this Senate hearing, but this is NOT the point. The people participating in the hearing have done tremendous things for our industry and our country. For all we know, if we were in one of their seats, we would respond in much the same way they did. If anything, I’m critical of us, our industry. We have tools sitting right under our noses that we don’t use correctly. Instead of learning to use our tools correctly, and actually using our tools correctly, we go looking for more tools. This is ILLOGICAL, and might should be negligent.

The point.

At one point during the hearing (1:22:08, if you’re watching the video), Senator Wyden (D-OR) begins a logical and enlightening line of questioning.

Senator Wyden:

The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?”

To which Mr. Ramakrishna (SolarWinds) responds:

Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers.”

Key points:

  1. SolarWinds Orion did not require Internet connectivity to function.
  2. The IRS had Orion.
  3. The IRS did not permit Orion to communicate with the Internet.
  4. Attackers were not able to control the IRS Orion server (because it couldn’t communicate home).
  5. The attack against the IRS was mitigated.

Senator Wyden continues:

Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.”

Points made by Senator Wyden:

  1. Network security 101 includes blocking high-risk applications from connecting to the Internet when it’s not specifically required for functionality.
  2. Firewalls are designed to block unwanted and unnecessary network traffic.
  3. There is good authoritative guidance for using firewalls properly, including from the NSA and NIST.
  4. None of this is new.
  5. Organizations that don’t follow “network security 101” are irresponsible.

Kevin Mandia responds first:

And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.

OK, here the logic falls apart. The answer “it depends”, followed by “firewalls never stopped” a FireEye red team exercise, did NOT answer Senator Wyden’s question. Logically, this (non) answer would only be valid if (at a minimum):

  • The FireEye red team exercises were run against a “network security 101” firewall configuration.
  • The FireEye red team exercises were a variant or emulation of the SolarWinds attack.

The question was whether a “network security 101” (or a properly configured) firewall would have mitigated the SolarWinds attack (meaning a firewall configured to only permit necessary traffic, as per NSA and NIST guidance). The non-answer justification continues by mentioning “in theory, it’s a sound thing, but it’s academic”. Since it’s been brought up, this IS NOT theoretical, it’s factual. If an attacker cannot communicate with a system (either directly or by proxy), the attacker cannot attack or control the system.

The last part of this statement brings us (finally) to our original point. Using a firewall, the way it’s supposed to be used (“network security 101”) is “operationally cumbersome”.

Responses from the others:

  • Mr. RamakrishnaSo my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules. (THE BEST ANSWER)
  • Mr. SmithI’m squarely in the “it depends” camp. (Um, OK. So, a non-answer.)
  • Mr. KurtzYes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys. (Basically the same statement as the first. DID NOT answer the question.).

So the score is 3 to 1, “it depends” (without answering the question) versus “yes” (the correct answer).

Operationally Cumbersome

If a firewall (or any tool) is effective in preventing harm when it’s used correctly, why aren’t we using it correctly? The reason “because it’s operationally cumbersome” is NOT a valid argument.

It’s like saying “I don’t do things correctly because it’s hard” or “I don’t have time to do things right, so I don’t” or (as in our construction example) “We don’t have time to use a personal fall arrest system correctly, so people die”? Truth is, our infrastructures are so interconnected today, a failure to configure a firewall properly could/will eventually result in someone’s death.

So what do we do today? We do the illogical:

  • Since we don’t have time (or skill or operational bandwidth or whatever) to use an effective tool effectively, we purchase another tool.
  • We won’t have the time (or skill or operational bandwidth or whatever) to use this new tool effectively either, so we purchase another tool.
  • We won’t have time (or skill or operational bandwidth or whatever) to use the new tool and this newer tool effectively, so we purchase yet another tool.
  • The insanity continues…

What we must do (sooner or later):

  • inventory the tools we already have
  • learn how to use the tools we already have properly (knowledge/skill)
  • use the tools we already have properly (in practice)
  • then (and ONLY then) seek additional (or different) tools to address the remaining gaps

As an industry, we must (sooner or later):

  • make this “network security 101” (it’s not new, so we can’t call it the “new network security 101”)
  • hold organizations responsible for “network security 101” (the opposite being, the “new irresponsible” or negligent)

Other facts

Firewalls are NOT the end all, but they are an important part of security strategy. Here we are, many years down the road and we’re still fighting the same fight: the basics.

  • Firewalls have been around for more than 35 years.
  • Firewalls block unwanted and unnecessary network traffic (inbound/ingress and outbound/egress).
  • A properly configured, “network security 101”, “responsible”, “best practice” implementation of a firewall would have mitigated the SolarWinds (or similar) attack.
  • Many (maybe most) U.S. organizations have a firewall that is capable to mitigating the SolarWinds (or similar) attack.
  • There are still ways to bypass a firewall, but if you don’t have your firewall configured properly, what are the chances you’d stop a bypass anyway?
    • application vulnerabilities
    • SQL injection
    • social engineering
    • physical access
    • man-in-the-middle

Operationally cumbersome is not a valid excuse for our failures to understand and follow the basics.

UNSECURITY Episode 123 Show Notes

Happy St. Patrick’s Day! For those of you who aren’t into this holiday (for whatever reason), Happy (everyday) Day!

This has been a week full of great experiences and awesome conversations with wonderful people. It’s the people we serve who inspire us to work as hard as we do. Here’s a small sampling:

  • Daytona Bike Week (last week) – if you’ve never been to a bike rally before, I recommend you try it out someday (even if you don’t ride). There are interesting people from all walks of life and the diversity (backgrounds, race, preferences, thought, etc.) would probably surprise you.
  • Co-workers – discussions about everything from mental health (many of us did the Mental Health First Aid certification course together last week), to life challenges (relationships, family, health, etc.), to work challenges, and everything in between. It’s a blessing (to them and to me) when I stop, listen, and invest in others.
  • Customers/peers – had some check-ins this week with a few enterprise CISOs I call friends. Life as a CISO can be extremely DIFFICULT. It’s encouraging to know people care about me, and I them. CISOs are human beings who need love just like all of us do!
  • Everyday people – we’re all beautifully unique. We are similar in some respects, but there are wonderful things that make me me and you you. We’re a hodge podge of emotions, biases, beliefs, perspectives, and experiences. Rather than fight because you think differently than I do, why don’t I embrace the uniqueness and differences? Why not try to understand them and you better?

We’re not doing this enough in society and we’re not doing this enough in our industry either.

    • Why?
    • Have we lost our respect for other human beings?
    • Have we lost our ability to reason?
    • Are we afraid to share who we really are out of fear? Fear of being marginalized, silenced, and attacked (physically and online)?

I believe people are AMAZING! I believe people are worthy of respect (even if it’s only a little). I believe people should be heard and understood. I believe information security isn’t about information or security as much as it is about people. I believe people are who we serve. I believe we must invest in people more. I believe in understanding people (better). I believe loving people gives us our best chance at doing our (information security) jobs effectively, and I believe loving people gives us our only chance of saving society.

Now on to show notes for episode 123…


SHOW NOTES – Episode 123 – Wednesday March 17th, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 123, and the date is March 17th, 2021. Filling in for Brad again this week if my good friend and co-worker Ryan Cloutier. Welcome Ryan, glad to have you back!

  • We’ve got a great show planned today. We’ll start with the importance of reason and logic in information security, our jobs, and in life. There are many parallels between information security (or “cybersecurity” as some people call it) and life.
  • Then, if we have time, we’ll talk about passwords. Everybody hates passwords.
  • We’ll close the show with a few mentions; about the FRSecure CISSP Mentor Program and SecurityStudio’s free S2Me (very quickly growing in popularity).
  • Oh yeah, we’ve got a couple news stories too, but whatever.

Reason

  • Have we lost our ability to reason?
  • What is reason anyway?
  • Why is reason (and logic) critical to information security?
  • Why is reason (and logic) critical to risk (all risk)?
  • Why is reason (and logic) critical to life?
  • There are parallels here, like:
    • Information security is risk management.
    • There’s no such thing as risk elimination or infinite risk; they are two different ends of the spectrum.
    • There’s no such think as 100% reason/logic without emotion or vice versa; two different ends of the spectrum.
    • The goal is management.
  • If we’ve lost our ability to reason, how can we get it back? Or, if we never had the ability to reason, how do we learn it?
    • Ask “Why?” often, almost incessantly, like a three year-old.
    • Ask yourself “Why”.
      • Not in a way that beats yourself up, but in a way that you understand why you’re doing what you’re doing and/or why you believe what you believe.
      • Notice the difference between emotional response and logical response.
      • Learn to use logic and emotion where they are and how they are appropriate. Seems mechanical and awkward at first, but it should become natural/habitual over time.
    • Ask others “Why”.
      • Respectfully out of a desire to understand, and not in a confrontational manner.
      • Learn how to ask without offense. If the person your asking takes offense despite your best efforts, that’s on them.
      • Maybe they need help understanding logic versus emotion? Interesting tells about people who are unable or unwilling to use reason or logic to defend a position (or make a point):
        • They change the subject. You asked a question about one thing, and quickly find yourself in a discussion about something different.
        • They attack your character. This is a classic emotional response where the person you’re questioning probably isn’t sure why he/she believes what they do. Don’t take offense, but recognize this tactic for what it is.
    • Encourage others (especially people you trust) to question you.
      • Be prepared to defend why you believe what you believe. If you can’t (with reason), then maybe you should question what you believe.
      • When other people ask you “why”, view it as an opportunity to state your case.
      • When other people ask you “why”, it’s a great opportunity for you to learn (about perspective and reason).

NOTE: We could talk for a long time about Reason, so we might not get to the topic of “Passwords”. If we don’t get to Passwords in this episode, we’ll get to it in episode 124.

Passwords

  • Why do we need them?
  • What makes a password good versus bad?
  • What do we (Ryan and I) do to practice good password behavior? BTW, neither of us is perfect!

NOTE: Regardless of timing, we will discuss “Mentions” in this episode.

Mentions

  • FRSecure CISSP Mentor Program – We’re less than one month away from the start! I think there are more than 4,000 students signed up, so this is going to be AWESOME!
  • S2Me – the FREE SecurityStudio personal risk management tool has been growing very fast (in terms of popularity). Big news happening here, and we’re making a difference!

News

Wrapping Up – Shout Outs

Good talk. Thank you Ryan, and thank you listeners!

…and we’re done.

UNSECURITY Episode 121 Show Notes

Happy Tuesday! It’s time to get ready for another episode (#121) of the UNSECURITY Podcast!

Not sure if you caught it last week, but there was an open U.S. Senate hearing on Tuesday (2/23). The hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary” and lasted about two and a half hours. The hearing was about the events surrounding the SolarWinds Orion Hack, and what we can do to prevent (or at least reduce the likelihood of) similar events in the future. Witnesses included some well-known people in our industry:

  • Kevin Mandia, CEO of FireEye
  • Sudhakar Ramakrishna, CEO of Solarwinds
  • Brad Smith, President of Microsoft
  • George Kurtz, President and CEO of CrowdStrike

This hearing was a big deal because U.S. policymakers are trying to figure out what to do, and how “to make sure this doesn’t happen again.” If policy makers draft policy based solely on what these witnesses said, we might be in some serious trouble!

There were some really interesting things said during the hearing, and we’re going to share our thoughts on today’s show.

So, let’s do this! These are the notes for episode 121 of the UNSECURITY Podcast.


SHOW NOTES – Episode 121 – Tuesday March 1st, 2021

Opening

[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 121, the date is March 2nd, 2021, and joining me as usual is my good friend, Brad Nigh. Good morning Brad!

Quick Catching Up

  • What’s new?
    • Working on S2Org r3, IR assessment, and other things.
    • The Gray Matter Society
    • Who would make a good guest next week?
  • Anything else new at FRSecure and/or SecurityStudio?

The Meat

Open Hearing: Hearing on the Hack of U.S. Networks by a Foreign Adversary – https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary

  • Kevin Mandia’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-022321.pdf
  • Sudhakar Ramakrishna’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-sramakrishna-022321.pdf
  • Brad Smith’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-bsmith-022321.pdf
  • George Kurtz’s Opening Statement – https://www.intelligence.senate.gov/sites/default/files/documents/os-gkurtz-022321.pdf
  • The hearing went ~2 1/2 hours, did you make it through it all?
  • So, Amazon Web Services didn’t show up. They haven’t been forthcoming or helpful
  • An interesting Q&A (starting at 1:22:08) from Senator Wyden (D-OR)
    • Senator Wyden: The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?
    • Mr. Ramakrishna: Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring,  system monitoring, application monitoring on premises of our customers.
    • Senator Wyden: Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world  is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.
    • Mr. Mandia: And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.
    • Senator Wyden: I don’t want to use up all my time. We’ll say that your response to NSA and the National Institute of Standards is “it depends”. Let’s just go down the row.
    • Mr. Ramakrishna: So my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules.
    • Senator Wyden: Very good.
    • Mr. Smith: I’m squarely in the “it depends” camp.
    • Senator Wyden: OK.
    • Mr. Smith: For the same reasons that Kevin said.
    • Senator Wyden: OK, I think we have one other person, don’t we?
    • Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys.
    • Senator Wyden: I’m going to close, and uh, my colleagues are all waiting. Bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So, in the days ahead it’s gonna be critical that you give this committee assurances that spending billions of dollars more after there weren’t steps to prevent disastrous attacks that experts had been warning about was a good investment. So, that discussion is something we’ll have to continue, thank you Mr. Chairman.
  • Other thoughts and discussion about the hearing.
  • There was general consensus amongst the witnesses that there’s a strong need for mandatory reporting of cyber attacks

News

News stories to cover this week, include:

Wrapping Up – Shout Outs

Good talk! It will be interesting to see what legislation comes out of Washington in response to SolarWinds.

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

Service and Sacrifice – Happy Birthday USMC

Today marks the 245th birthday of the United States Marine Corps (USMC).

HAPPY BIRTHDAY MARINES!

  • To the greatest fighting force on the planet.
  • To the faithful men and women who serve our country with bravery only they can fathom.
  • To the “Jarheads”, “Devil Dogs”, “Teufel Hunden”,  and “Leathernecks” who give all so others can have.

Quick History

The storied history of the USMC began on November 10th 1775, when Captain Samuel Nicholas gathered two battalions of Continental Marines in accordance with the Continental Marine Act of 1775. Less than six months after being formed, these brave men set out on their first amphibious assault, the successful Raid of Nassau (March 1–10, 1776).

Our beloved USMC has fought in (at least) twenty-eight armed conflicts including:

  • Revolutionary War
  • Quasi-War with France
  • Barbary Wars
  • War of 1812
  • Creek-Seminole Indian War
  • Mexican War
  • Civil War-Union
  • Spanish-American War
  • Samoa (1899)
  • Boxer Rebellion
  • Nicaragua (1912)
  • Mexico (1914)
  • Dominican Republic (1916-1920)
  • Haiti (1915-1934)
  • Nicaragua (1926-1933)
  • World War I
  • World War II
  • Korean War
  • Dominican Republic (1965)
  • Vietnam War
  • Lebanon (1982-1984)
  • Grenada (1983)
  • Persian Gulf (1988) (Oil Platforms)
  • Panama (1989)
  • Persian Gulf War (1990-1991)
  • Somalia (1992-1994)
  • Afghanistan (2001-2015)
  • Iraq (2003-2016)

From 1775 to 2015, more than 41,000 Marines have made the ultimate sacrifice for us on the battlefield. Additionally, more than 200,000 have been wounded (Source: Marine Corps University). The fact that these numbers are as low as they are is a testament to Marine dedication, training, effectiveness and lethality. Regardless of the numbers, let’s not forget that each one of these soldiers was a father, mother, son, daughter, aunt, uncle, brother, sister, and/or friend. It’s our duty as citizens of this great country to ensure their sacrifices were not made in vain; that their sacrifices might live on through our own acts of service to others.

My Marine Corps Story (brief)

I was born in the Naval Hospital Philadelphia to two Marine Corps parents. My father served in active duty from 1957/8 until retirement in 1978, and my mother also served. Although her active Marine Corps duty was not as long as my father’s, her duties (raising me and keeping my father in line) was a helluva lot more challenging. I’m an only child who grew up on base (Camp Pendleton and Quantico).

Although I didn’t serve directly in the Marine Corps myself, the Marine Corps culture is a huge part of who I am. The Marines, my mother and my father taught me so many good things about the right way to live. Things like respect, discipline, work ethic, drive, mission, etc. I am forever grateful!

Happy Birthday

So, Happy Birthday Marines!

There are no words to describe how grateful I am. Regardless of how many people express gratitude for your service consciously, the gratitude is in their subconscious every time they exercise a constitutional right, walk down a street, eat a warm meal, embrace a family member, or do anything made possible by your service. Thank you for standing guard day and night for me, my family, and all Americans. I don’t take you or your sacrifices for granted, and I pray I never will.

The USMC always serves faithfully, rightfully earning their motto, Semper fidelis. Saying you’re faithful is one thing, demonstrating it through blood, sweat, and tears for 245 years is something entirely different.

Good People Didn’t Vote For Your Guy

The truth:

There were hundreds of thousands, maybe millions, of worthy people who didn’t vote for “your guy”.

Demonize as you will, but here’s a reminder of some things.

People who voted for the other guy are NOT bad people. Sure, there are bad apples in any large group, but the vast majority of Americans are not bad people.

These people are NOT:

  • “ill”
  • “sick”
  • “dumb”
  • “stupid”
  • “racist”
  • “bigoted”
  • “idiots”
  • “Socialists”
  • “Fascists”
  • or any other demonizing word you want to throw at them.

These people ARE:

  • human beings with basic needs
  • human beings with basic desires
  • human beings with dreams
  • human beings who want to be loved
  • human beings who want to feel grace
  • human beings who have families
  • human beings who have different perspectives (a good thing)
  • human beings who have different beliefs (also a good thing)
  • human beings who have different backgrounds (also a good thing)
  • human beings with many additional things that are beautiful about them.

A failure to recognize these things about other people, especially those who don’t see eye to eye with you, makes you the same thing you rail against (intolerant, bigoted, etc.).

It doesn’t matter who “your guy” is or who “my guy” is. We both (Democrats and Republicans) have players on our team who demonize players on the other team. The lie is that there are two teams to begin with.

There is only ONE team. We are ALL Americans.

The other teams play for China, Russia, Iran, etc. You’d be remiss if you thought otherwise.

The sooner we learn to embrace the good things about us and shed the bad things, the better off our team will be. A team full of players who constantly fight each other doesn’t win (or accomplishing anything meaningful).

So, what are the good things? Go back to the list (above). The greatest of the “good things” is love. Choose and show love. It’s the best thing we’ve got.

 

 

UNSECURITY Podcast – Ep 101 Show Notes – Election Security

Well, it’s already mid-October and the election is 21 days (three weeks) away. Things have never seemed crazier or more divided, at least not in my lifetime. Good fodder for discussion in episode 101 of the UNSECURITY Podcast!

Work-wise things are also crazy, but good. Fourth quarter is always nuts for an information security company, and doesn’t matter is it’s consulting (FRSecure) or SaaS (SecurityStudio). Everyone is running at full capacity and finding life margin is a challenge!

Hope you’re happy and healthy! On the the show; I’m (Evan) leading this show and these are my notes.


SHOW NOTES – Episode 101

Date: Wednesday October 14th, 2020

Episode 101 Topics

  • Opening
  • Catching Up (as per usual)
  • Election Security
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Hey there, thank you for tuning into this episode of the UNSECURITY Podcast. The date is October 14th, 2020 and this is episode 101. I’m Evan Francen, your host for this show. Joining me is my good friend and co-host Brad Nigh. Good morning Brad.

[Brad] Brad does Brad.

[Evan] I know we’re a day late getting the podcast out again this week, but holy cow we’ve been busy! We’ll try to get back on track next week.

Brad, I want to reiterate how I enjoyed our discussion the past couple of weeks about the social dilemma, a Netflix documentary about social media and its effects on society. Lots to think about. In fact, I’m planning to watch it again this week.

[Brad] He might comment here.

Catching Up

[Evan] So, what’s new? Tell us what a day in the life of Brad looks like.

[Brad] Cue Brad.

[Evan] I’ll share some stuff too (probably).

Transition

Election Security

[Evan] As you know, we’re only 20 days from the election. If you haven’t registered to vote yet, you should. Go to vote.gov and check it out. Brad have you registered to vote?

[Brad] Cue Brad.

[Evan] I’m registered and ready to cast my ballot! The date is November 3rd.

There’s been much said about election security. A simple Google search of “election security” produces over 2.2 million results! Election security isn’t a new thing, even though it’s been front and center the past few election cycles.

There’s more to election security than protecting voting machines, so let’s talk about this.

Resources

[Evan] There’s a lot more to election security than infrastructure. What about voter intimidation, disinformation, and security after election night? We’re talking about disinformation on Thursday night’s Security Sh*t Show because this is a significant issue in today’s society.

Election Security Discussion

Open discussion

[Evan] Good discussion! Securing an election has never been more difficult. Let’s catchup on some news quick.

News

[Evan] Here are some recent and interesting news stories to talk about.

Wrapping Up – Shout outs

[Evan] Great! Episode 101 is just about complete. Thanks Brad, do you have any shout outs this week?

[Brad] We’ll see.

[Evan] Always grateful for our listeners! We’re behind on email, but we’ll promise to respond soon. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.

That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 100 Show Notes – The Social Dilemma Pt2

Hard to believe that this is episode 100 already! I’ll have to write a recap of the journey sometime soon.

Crazy things all over the place here at FRSecure and SecurityStudio. If you’ve been an information security consultant, or if you know one, you know that 4th quarter is a crazy time of year. Turns out, COVID-19 and 2020 is NOT the exception. We’re happily swamped.

Having said all that, we’re a day late getting the podcast out again this week. Not because we didn’t try, but because life and work get in the way sometimes.

Hope you’re happy and healthy! On the the show; Brad’s leading and these are Brad’s notes.


SHOW NOTES – Episode 100

Date: Wednesday October 7th, 2020

Episode 100 Topics

  • Opening
  • Catching Up (as per usual)
  • the social dilemma, Part Two
  • News
  • Wrapping Up – Shout outs
Opening

[Brad] Welcome back! This is episode 100 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is October 6th, and joining me this morning as usual is Evan Francen.

[Evan] Talks about how busy things have been

[Brad] Last week we had a really good discussion about The Social Dilemma and we didn’t get to everything so we are doing part 2 today. But before we get going let’s recap our week.

Catching Up

[Evan] Evan’s cool story

[Brad] A recap of my week

Transition

the social dilemma, Part Two

[Brad] Okay let’s pick up where we left off. There are no shortage of takes on the movie, here are some I found interesting.

[Brad] Great discussion here are some news stories

News

[Brad] Here are news stories that caught me eye this week:

Wrapping Up – Shout outs

[Brad] That’s it for episode 100. Thank you Evan, do you have any shout outs this week?

[Evan] We’ll see.

[Brad] Thank you to all our listeners! Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen.

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.
That’s it! Talk to you all again next week!

UNSECURITY Podcast – Ep 99 Show Notes – The Social Dilemma

Happy Tuesday! Here we are again, and lots going on…

The big news (sort of) is the first presidential debate is tonight. I wonder how many people will tune in. Personally, I’m not sure if I will. We’ll see.

A few weeks ago my wife asked me to watch the social dilemma with her on Netflix, so I did. I’d heard about the documentary/movie from some friends, but didn’t get around to watching it until then. Wow!

The opening quote from the movie:

Nothing vast enters the life of mortals without a curse

-Sophocles

He was right. Today, Brad and I will give your our reviews about the social dilemma and talk about our thoughts. These are my (Evan) show notes for episode 99.


SHOW NOTES – Episode 99

Date: Tuesday, September 29th, 2020

Episode 99 Topics

  • Opening
  • Catching Up
  • the social dilemma
  • News
  • Wrapping Up – Shout outs
Opening

[Evan] Good morning everyone. Thanks for tuning in to episode 99 of the UNSECURITY Podcast. Today is September 29th, 2020 and joining me is my co-host and friend Brad Nigh.

Good morning Brad.

[Brad] Cue Brad.

[Evan] We’ve got a special show planned for our listeners this week. Brad, you and I both watched the social dilemma on Netflix. It’s a documentary about social media in our society that was released in January. Funny how neither of us had watched it until recently, and now (as of this morning) it’s trending as the #6 most popular video on Netflix. I guess it’s better late to the party than not showing up at all!

Before we jump in, I’m dying to hear your thoughts, let’s catch up quick. This is customary.

Catching Up

[Evan] Brad, how you doing? What’s new?

[Brad] Cue Brad.

[Evan] Cue Evan.

Transition

the social dilemma

[Evan] You watched the social dilemma, right?

[Brad] Cue Brad.

[Evan] What did you think?

Our review and discussion

  • What if I’m not a social media user/addict, why should I care?
  • We see different realities? Different news feeds?
  • Data (you and I) sold to the highest bidder.
  • Where does this all end if we don’t act (now)?

Any sufficiently advanced technology is indistinguishable from magic

-Arthur C. Clarke

[Evan] If you haven’t seen the social dilemma yet, I highly suggest you do. Sit down, spend the hour and a half, and consider it all. If you’ve got a spouse, invite them to watch it with you. If you’ve got teenage kids, see if you can peel them away from their phones long enough too.

We’ve got to do more about this, and we’ve got to move much quicker than we are.

[Evan] OK, news. Let’s do some quick news stories.

News

[Evan] Three news stories to talk about briefly this week:

Wrapping Up – Shout outs

[Evan] OK. That’s about it. Episode 99 is almost a wrap. Brad, any shout outs this week?

[Brad] Shout out…

[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.

If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.

That’s it, talk you all again next week!