Spring is in full bloom (finally) in Minnesota, and life is good. The weather is great, and last week, our Governor (Tim Walz) lifted the mask mandate for people who are vaccinated and maintain some semblance of social distancing. It’s good to see people’s faces again, especially when they’re smiling. 🙂
We’re grateful for the guests who have joined our show the past four weeks! We’ve learned a ton from these conversations.
If you missed any of these shows, you can find them here:
NOTE: We’re looking for people from other walks of life to share their perspectives too, especially men and women of color. Let us know at unsecurity@protonmail.com if you have suggestions.
This week, we’re not planning to have a guest, so you’ll have to put up with Brad and I.
Let’s get to the episode 132 show notes, shall we?
SHOW NOTES – Episode 132 – Tuesday May 18th, 2021
Opening
[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 132, and the date is May 18th, 2021. Joining me is my good friend, highly-skilled information security expert, and all around great guy, Brad Nigh.
Good morning Brad!
There are so many things happening in our world, it’s hard to keep track. One interesting event from the last week (other than the Colonial Pipeline attack) was the announcement of President Biden’s Executive Order (EO) 14028 titled “Improving the Nation’s Cybersecurity”. In today’s episode, Brad and I are going to break this down.
Improving the Nation’s Cybersecurity
The EO was announced by the Administration on 5/12/21.
There’s a lot of information to unpack here, including:
Section 1. Policy, containing:
Policy statement.
Scope.
Section 2. Removing Barriers to Sharing Threat Information, containing:
Review existing reporting requirements and procedures.
Recommend updates to the Federal Acquisition Regulation (FAR).
Update the FAR.
Enforce IT/OT provider compliance.
Centralize reporting.
Provide budget for this section.
Section 3. Modernizing Federal Government Cybersecurity
Adopt security best practices.
Advance toward Zero Trust Architecture.
Accelerate movement to secure cloud services.
Adopt multi-factor authentication.
Encrypt data at rest and in transit.
Centralize and streamline access to cybersecurity data.
Invest in both technology and personnel to match the modernization goals.
Develop standards, tools, and best practices for secure software development.
Enforce secure software development practices.
Define and enforce a “Software Bill of Materials (SBOM)”.
Define “critical software” and its protection requirements.
Consumer labeling programs for IoT and software.
Section 5. Establishing a Cyber Safety Review Board
Requirements for a new “Cyber Safety Review Board”.
All requirements are for the Secretary of Homeland Security and the (yet to be established) Cyber Safety Review Board (“board”).
Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents; the playbook:
Will Incorporate all appropriate NIST standards.
Be used by all Federal Civilian Executive Branch (FCEB) Agencies.
Will articulate progress and completion through all phases of an incident response.
Will allow flexibility so it may be used in support of various response activities.
Establishes a requirement that the Director of CISA reviews and validates FCEB Agencies’ incident response and remediation results upon an agency’s completion of its incident response.
Defines key terms and use such terms consistently with any statutory definitions.
Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
The adoption of a Federal Government-wide Endpoint Detection and Response (EDR) initiative.
CISA threat hunting on FCEB networks and systems without agency authorization.
Information sharing between the Department of Defense and the Department of Homeland Security
Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities
Types of logs to be maintained.
Time periods to retain the logs and other relevant data.
Time periods for agencies to enable recommended logging and security requirements.
How to protect logs (logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention)
Data shall be retained in a manner consistent with all applicable privacy laws and regulations.
Ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
Permit agencies to share log information, as needed and appropriate, with other Federal agencies for cyber risks or incidents.
Section 9. National Security Systems
Section 10. Definitions
Section 11. General Provisions
This will be a great conversation as Brad and I share our summary, thoughts and opinions on all this!
Thank you to all our listeners! Thank you Brad for a great conversation! If you have something you’d like to tell us, feel free to email the show at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh.
Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure.
That’s it. Talk to you all again next week!
…and we’re done.
https://evanfrancen.com/wp-content/uploads/2021/05/cyber-security-5.jpg550900Evan Francenhttps://evanfrancen.com/wp-content/uploads/2019/05/evan-francen-white.pngEvan Francen2021-05-18 10:40:542021-05-18 10:40:54UNSECURITY Episode 132 Show Notes
The leading cause of death in the workplace is falls. 36.5% of all fatalities are due to falls, followed by 10.1% caused by being struck with an object. Recognizing the problem, OSHA created requirements to protect workers from falls, including:
guardrail systems
safety net systems
personal fall arrest systems
covers
positioning device systems
fences
barricades
controlled access zones
All these controls, when used properly, save lives.
Hypothetical Scenario
A successful construction company is working on a 30-story office building. Timelines were already tight, but a series of material delivery delays has put them way behind schedule. In a rush to complete the project, it’s easy overlook certain things. In this case, a properly configured personal fall arrest system was overlooked. They bought the system, the system was onsite, but the system wasn’t installed correctly. Nobody noticed until one day a worker, twenty stories up, slipped and fell to his death.
As you can imagine, there was a serious investigation. In the end, the company admitted their oversight, received a fine, settled a lawsuit with the worker’s family, and continued operations.
A few weeks later, same thing happens. Another investigation, another slap on the wrist, another settled lawsuit, and back to business as usual.
A few months go by, and there’s another incident! The investigation cited the same cause as the others, a poorly configured/installed personal fall arrest system. This time, OSHA wants a public hearing and invites company representatives to answer questions before their panel. At the hearing, company representatives were asked the following question:
“If a properly deployed personal fall arrest system had been used, would these lives have been saved?“
A company representative responds:
“It depends. In theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.“
Seems reasonable, right?. We certainly don’t want to get in the way of company production!
Or, wait a second. This doesn’t seem right. Poor safety because good safety is “operationally cumbersome” doesn’t sit well with you. Good, it shouldn’t!
Sadly, a similar analogy plays out all over the information security industry every day.
Hearing on the Hack of U.S. Networks by a Foreign Adversary
The construction analogy hit home while watching recent testimony in front of the U.S. Select Committee on Intelligence.
On February 23rd, 2021, Kevin Mandia (FireEye CEO), Sudhakar Ramakrishna (SolarWinds CEO), Brad Smith (Microsoft President), and George Kurtz (CrowdStrike President and CEO) were invited to give their testimony about the attacks on SolarWinds Orion last year (and ongoing). These are four very powerful men in our industry, and I appreciate what they’ve accomplished. In general, I have a great amount of respect for these men, but I’m not comfortable in their representation of our industry without also considering (many) others. Some of the reasons I’m not comfortable, include these facts:
They run billion and multi-billion dollar companies that sell products and services to protect things.
If people were already protected, they’d have nothing to sell. There is incentive to keep people insecure.
Companies must continue to produce new products (See: product life cycle diagram below). Without new products, sales decline. As long as people keep buying (regardless of need), they’ll keep making.
They have significant personal financial interests in the performance (sales, profit, etc.) of their companies.
They represent shareholders who have significant financial interests in the performance of their companies.
They may lack clear perspective of what most Americans and American companies are struggling with due to where they sit.
A hearing such as this is a fantastic opportunity for people to tout their accomplishments (which they do), tout their companies accomplishments (which they do), and sell more stuff as a result. I DO NOT fault the witnesses for doing these things. It’s their job!
Let’s just hope our Senators take the hearing and witnesses in proper context and seek many more perspectives before attempting to draft new policy.
IMPORTANT NOTE: It may appear in this article that I’m critical of the people in this Senate hearing, but this is NOT the point. The people participating in the hearing have done tremendous things for our industry and our country. For all we know, if we were in one of their seats, we would respond in much the same way they did. If anything, I’m critical of us, our industry. We have tools sitting right under our noses that we don’t use correctly. Instead of learning to use our tools correctly, and actually using our tools correctly, we go looking for more tools. This is ILLOGICAL, and might should be negligent.
The point.
At one point during the hearing (1:22:08, if you’re watching the video), Senator Wyden (D-OR) begins a logical and enlightening line of questioning.
Senator Wyden:
“The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?”
To which Mr. Ramakrishna (SolarWinds) responds:
“Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers.”
Key points:
SolarWinds Orion did not require Internet connectivity to function.
The IRS had Orion.
The IRS did not permit Orion to communicate with the Internet.
Attackers were not able to control the IRS Orion server (because it couldn’t communicate home).
The attack against the IRS was mitigated.
Senator Wyden continues:
“Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.”
Points made by Senator Wyden:
Network security 101 includes blocking high-risk applications from connecting to the Internet when it’s not specifically required for functionality.
Firewalls are designed to block unwanted and unnecessary network traffic.
There is good authoritative guidance for using firewalls properly, including from the NSA and NIST.
None of this is new.
Organizations that don’t follow “network security 101” are irresponsible.
Kevin Mandia responds first:
“And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.“
OK, here the logic falls apart. The answer “it depends”, followed by “firewalls never stopped” a FireEye red team exercise, did NOT answer Senator Wyden’s question. Logically, this (non) answer would only be valid if (at a minimum):
The FireEye red team exercises were run against a “network security 101” firewall configuration.
The FireEye red team exercises were a variant or emulation of the SolarWinds attack.
The question was whether a “network security 101” (or a properly configured) firewall would have mitigated the SolarWinds attack (meaning a firewall configured to only permit necessary traffic, as per NSA and NIST guidance). The non-answer justification continues by mentioning “in theory, it’s a sound thing, but it’s academic”. Since it’s been brought up, this IS NOT theoretical, it’s factual. If an attacker cannot communicate with a system (either directly or by proxy), the attacker cannot attack or control the system.
The last part of this statement brings us (finally) to our original point. Using a firewall, the way it’s supposed to be used (“network security 101”) is “operationally cumbersome”.
Responses from the others:
Mr. Ramakrishna: So my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules. (THE BEST ANSWER)
Mr. Smith: I’m squarely in the “it depends” camp. (Um, OK. So, a non-answer.)
Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys. (Basically the same statement as the first. DID NOT answer the question.).
So the score is 3 to 1, “it depends” (without answering the question) versus “yes” (the correct answer).
Operationally Cumbersome
If a firewall (or any tool) is effective in preventing harm when it’s used correctly, why aren’t we using it correctly? The reason “because it’s operationally cumbersome” is NOT a valid argument.
It’s like saying “I don’t do things correctly because it’s hard” or “I don’t have time to do things right, so I don’t” or (as in our construction example) “We don’t have time to use a personal fall arrest system correctly, so people die”? Truth is, our infrastructures are so interconnected today, a failure to configure a firewall properly could/will eventually result in someone’s death.
So what do we do today? We do the illogical:
Since we don’t have time (or skill or operational bandwidth or whatever) to use an effective tool effectively, we purchase another tool.
We won’t have the time (or skill or operational bandwidth or whatever) to use this new tool effectively either, so we purchase another tool.
We won’t have time (or skill or operational bandwidth or whatever) to use the new tool and this newer tool effectively, so we purchase yet another tool.
The insanity continues…
What we must do (sooner or later):
inventory the tools we already have
learn how to use the tools we already have properly (knowledge/skill)
use the tools we already have properly (in practice)
then (and ONLY then) seek additional (or different) tools to address the remaining gaps
As an industry, we must (sooner or later):
make this “network security 101” (it’s not new, so we can’t call it the “new network security 101”)
hold organizations responsible for “network security 101” (the opposite being, the “new irresponsible” or negligent)
Other facts
Firewalls are NOT the end all, but they are an important part of security strategy. Here we are, many years down the road and we’re still fighting the same fight: the basics.
Firewalls have been around for more than 35 years.
Firewalls block unwanted and unnecessary network traffic (inbound/ingress and outbound/egress).
A properly configured, “network security 101”, “responsible”, “best practice” implementation of a firewall would have mitigated the SolarWinds (or similar) attack.
Many (maybe most) U.S. organizations have a firewall that is capable to mitigating the SolarWinds (or similar) attack.
There are still ways to bypass a firewall, but if you don’t have your firewall configured properly, what are the chances you’d stop a bypass anyway?
application vulnerabilities
SQL injection
social engineering
physical access
man-in-the-middle
Operationally cumbersome is not a valid excuse for our failures to understand and follow the basics.
Happy St. Patrick’s Day! For those of you who aren’t into this holiday (for whatever reason), Happy (everyday) Day!
This has been a week full of great experiences and awesome conversations with wonderful people. It’s the people we serve who inspire us to work as hard as we do. Here’s a small sampling:
Daytona Bike Week (last week) – if you’ve never been to a bike rally before, I recommend you try it out someday (even if you don’t ride). There are interesting people from all walks of life and the diversity (backgrounds, race, preferences, thought, etc.) would probably surprise you.
Co-workers – discussions about everything from mental health (many of us did the Mental Health First Aid certification course together last week), to life challenges (relationships, family, health, etc.), to work challenges, and everything in between. It’s a blessing (to them and to me) when I stop, listen, and invest in others.
Customers/peers – had some check-ins this week with a few enterprise CISOs I call friends. Life as a CISO can be extremely DIFFICULT. It’s encouraging to know people care about me, and I them. CISOs are human beings who need love just like all of us do!
Everyday people – we’re all beautifully unique. We are similar in some respects, but there are wonderful things that make me me and you you. We’re a hodge podge of emotions, biases, beliefs, perspectives, and experiences. Rather than fight because you think differently than I do, why don’t I embrace the uniqueness and differences? Why not try to understand them and you better?
We’re not doing this enough in society and we’re not doing this enough in our industry either.
Why?
Have we lost our respect for other human beings?
Have we lost our ability to reason?
Are we afraid to share who we really are out of fear? Fear of being marginalized, silenced, and attacked (physically and online)?
I believe people are AMAZING! I believe people are worthy of respect (even if it’s only a little). I believe people should be heard and understood. I believe information security isn’t about information or security as much as it is about people. I believe people are who we serve. I believe we must invest in people more. I believe in understanding people (better). I believe loving people gives us our best chance at doing our (information security) jobs effectively, and I believe loving people gives us our only chance of saving society.
Now on to show notes for episode 123…
SHOW NOTES – Episode 123 – Wednesday March 17th, 2021
Opening
[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 123, and the date is March 17th, 2021. Filling in for Brad again this week if my good friend and co-worker Ryan Cloutier. Welcome Ryan, glad to have you back!
We’ve got a great show planned today. We’ll start with the importance of reason and logic in information security, our jobs, and in life. There are many parallels between information security (or “cybersecurity” as some people call it) and life.
Then, if we have time, we’ll talk about passwords. Everybody hates passwords.
We’ll close the show with a few mentions; about the FRSecure CISSP Mentor Program and SecurityStudio’s free S2Me (very quickly growing in popularity).
Oh yeah, we’ve got a couple news stories too, but whatever.
Reason
Have we lost our ability to reason?
What is reason anyway?
Why is reason (and logic) critical to information security?
Why is reason (and logic) critical to risk (all risk)?
Why is reason (and logic) critical to life?
There are parallels here, like:
Information security is risk management.
There’s no such thing as risk elimination or infinite risk; they are two different ends of the spectrum.
There’s no such think as 100% reason/logic without emotion or vice versa; two different ends of the spectrum.
The goal is management.
If we’ve lost our ability to reason, how can we get it back? Or, if we never had the ability to reason, how do we learn it?
Ask “Why?” often, almost incessantly, like a three year-old.
Ask yourself “Why”.
Not in a way that beats yourself up, but in a way that you understand why you’re doing what you’re doing and/or why you believe what you believe.
Notice the difference between emotional response and logical response.
Learn to use logic and emotion where they are and how they are appropriate. Seems mechanical and awkward at first, but it should become natural/habitual over time.
Ask others “Why”.
Respectfully out of a desire to understand, and not in a confrontational manner.
Learn how to ask without offense. If the person your asking takes offense despite your best efforts, that’s on them.
Maybe they need help understanding logic versus emotion? Interesting tells about people who are unable or unwilling to use reason or logic to defend a position (or make a point):
They change the subject. You asked a question about one thing, and quickly find yourself in a discussion about something different.
They attack your character. This is a classic emotional response where the person you’re questioning probably isn’t sure why he/she believes what they do. Don’t take offense, but recognize this tactic for what it is.
Encourage others (especially people you trust) to question you.
Be prepared to defend why you believe what you believe. If you can’t (with reason), then maybe you should question what you believe.
When other people ask you “why”, view it as an opportunity to state your case.
When other people ask you “why”, it’s a great opportunity for you to learn (about perspective and reason).
NOTE: We could talk for a long time about Reason, so we might not get to the topic of “Passwords”. If we don’t get to Passwords in this episode, we’ll get to it in episode 124.
Passwords
Why do we need them?
What makes a password good versus bad?
What do we (Ryan and I) do to practice good password behavior? BTW, neither of us is perfect!
NOTE: Regardless of timing, we will discuss “Mentions” in this episode.
Mentions
FRSecure CISSP Mentor Program – We’re less than one month away from the start! I think there are more than 4,000 students signed up, so this is going to be AWESOME!
S2Me – the FREE SecurityStudio personal risk management tool has been growing very fast (in terms of popularity). Big news happening here, and we’re making a difference!
Good talk. Thank you Ryan, and thank you listeners!
Who’s getting shout outs this week?
Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, Ryan is @CLOUTIERSEC, and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!
…and we’re done.
https://evanfrancen.com/wp-content/uploads/2021/03/brain-5662028_1280.jpg9111280Evan Francenhttps://evanfrancen.com/wp-content/uploads/2019/05/evan-francen-white.pngEvan Francen2021-03-17 22:01:232021-03-17 22:01:23UNSECURITY Episode 123 Show Notes
Happy Tuesday! It’s time to get ready for another episode (#121) of the UNSECURITY Podcast!
Not sure if you caught it last week, but there was an open U.S. Senate hearing on Tuesday (2/23). The hearing was titled “Hearing on the Hack of U.S. Networks by a Foreign Adversary” and lasted about two and a half hours. The hearing was about the events surrounding the SolarWinds Orion Hack, and what we can do to prevent (or at least reduce the likelihood of) similar events in the future. Witnesses included some well-known people in our industry:
Kevin Mandia, CEO of FireEye
Sudhakar Ramakrishna, CEO of Solarwinds
Brad Smith, President of Microsoft
George Kurtz, President and CEO of CrowdStrike
This hearing was a big deal because U.S. policymakers are trying to figure out what to do, and how “to make sure this doesn’t happen again.” If policy makers draft policy based solely on what these witnesses said, we might be in some serious trouble!
There were some really interesting things said during the hearing, and we’re going to share our thoughts on today’s show.
So, let’s do this! These are the notes for episode 121 of the UNSECURITY Podcast.
SHOW NOTES – Episode 121 – Tuesday March 1st, 2021
Opening
[Evan] Welcome listeners! Thanks for tuning into this episode of the UNSECURITY Podcast. This is episode 121, the date is March 2nd, 2021, and joining me as usual is my good friend, Brad Nigh. Good morning Brad!
Quick Catching Up
What’s new?
Working on S2Org r3, IR assessment, and other things.
The Gray Matter Society
Who would make a good guest next week?
Anything else new at FRSecure and/or SecurityStudio?
An interesting Q&A (starting at 1:22:08) from Senator Wyden (D-OR)
Senator Wyden: The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves. My view is that message leads to privacy violating laws and billions of more taxpayer funds for cybersecurity. Now it might be embarrassing, but the first order of business has to be identifying where well-know cybersecurity measures could have mitigated the damage caused by the breach. For example, there are concrete ways for the government to improve its ability to identify hackers without resorting to warrantless monitoring of the domestic internet. So, my first question is about properly configured firewalls. Now the initial malware in SolarWinds Orion software was basically harmless. It was only after that malware called home that the hackers took control, and this is consistent with what the Internal Revenue Service told me. Which is while the IRS installed Orion, their server was not connected to the Internet, and so the malware couldn’t communicate with the hackers. So, this raises the question of why other agencies didn’t take steps to stop the malware from calling home. So, my question will be for Mr. Ramakrishna, and I indicated to your folks I was going to ask this. You stated that the back door only worked if Orion had access to the internet, which was not required for Orion to operate. In your view, shouldn’t government agencies using Orion have installed it on servers that were either completely disconnected from the internet, or were behind firewalls that blocked access to the outside world?
Mr. Ramakrishna: Thanks for the question Senator Wyden. It is true that the Orion platform software does not need connectivity to the internet for it to perform its regular duties, which could be network monitoring, system monitoring, application monitoring on premises of our customers.
Senator Wyden: Yeah, it just seems to me what I’m asking about is network security 101, and any responsible organization wouldn’t allow software with this level of access to internal systems to connect to the outside world, and you basically said almost the same thing. My question then, for all of you is, the idea that organizations should use firewalls to control what parts of their networks are connected to the outside world is not exactly brand new. NSA recommends that organizations only allow traffic that is required for operational tasks, all other traffic ought to be denied. And NIST, the standards and technology group recommends that firewall policies should be based on blocking all inbound and outbound traffic with exceptions made for desired traffic. So, I would like to go down the row and ask each one of you for a “yes” or “no” answer whether you agree with the firewall advice that would really offer a measure of protection from the NSA and NIST. Just yes or no, and ah, if I don’t have my glasses on maybe I can’t see all the name tags, but let’s just go down the row.
Mr. Mandia: And I’m gonna give you the “it depends”. The bottom line is this, we do over 6oo red teams a year, firewalls have never stopped one of them. A firewall is like having a gate guard outside a New York City apartment building, and they can recognize if you live there or not, and some attackers are perfectly disguised as someone who lives in the building and walks right by the gate guard. It’s ah, in theory, it’s a sound thing, but it’s academic. In practice it is operationally cumbersome.
Senator Wyden: I don’t want to use up all my time. We’ll say that your response to NSA and the National Institute of Standards is “it depends”. Let’s just go down the row.
Mr. Ramakrishna: So my answer Senator is “yes”. Do standards such as NIST 800-53 and others that define specific guidelines and rules.
Senator Wyden: Very good.
Mr. Smith: I’m squarely in the “it depends” camp.
Senator Wyden: OK.
Mr. Smith: For the same reasons that Kevin said.
Senator Wyden: OK, I think we have one other person, don’t we?
Mr. Kurtz: Yes, and I would say firewalls help, but are insufficient, and as Kevin said, and I would agree with him. There isn’t a breach that we’ve investigated that the company didn’t have a firewall or even legacy antivirus. So, when you look at the capabilities of a firewall, they’re needed, but certainly they’re not be all end goal, and generally they’re a speed bump on the information super highway for the bad guys.
Senator Wyden: I’m going to close, and uh, my colleagues are all waiting. Bottom line for me is that multiple agencies were still breached under your watch by hackers exploiting techniques that experts had warned about for years. So, in the days ahead it’s gonna be critical that you give this committee assurances that spending billions of dollars more after there weren’t steps to prevent disastrous attacks that experts had been warning about was a good investment. So, that discussion is something we’ll have to continue, thank you Mr. Chairman.
Other thoughts and discussion about the hearing.
There was general consensus amongst the witnesses that there’s a strong need for mandatory reporting of cyber attacks
Good talk! It will be interesting to see what legislation comes out of Washington in response to SolarWinds.
Who’s getting shout outs this week?
Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!
…and we’re done.
https://evanfrancen.com/wp-content/uploads/2021/03/1200px-Seal_of_the_United_States_Senate.png12001200Evan Francenhttps://evanfrancen.com/wp-content/uploads/2019/05/evan-francen-white.pngEvan Francen2021-03-02 01:01:072021-03-02 01:01:07UNSECURITY Episode 121 Show Notes
To the faithful men and women who serve our country with bravery only they can fathom.
To the “Jarheads”, “Devil Dogs”, “Teufel Hunden”, and “Leathernecks” who give all so others can have.
Quick History
The storied history of the USMC began on November 10th 1775, when Captain Samuel Nicholas gathered two battalions of Continental Marines in accordance with the Continental Marine Act of 1775. Less than six months after being formed, these brave men set out on their first amphibious assault, the successful Raid of Nassau (March 1–10, 1776).
Our beloved USMC has fought in (at least) twenty-eight armed conflicts including:
Revolutionary War
Quasi-War with France
Barbary Wars
War of 1812
Creek-Seminole Indian War
Mexican War
Civil War-Union
Spanish-American War
Samoa (1899)
Boxer Rebellion
Nicaragua (1912)
Mexico (1914)
Dominican Republic (1916-1920)
Haiti (1915-1934)
Nicaragua (1926-1933)
World War I
World War II
Korean War
Dominican Republic (1965)
Vietnam War
Lebanon (1982-1984)
Grenada (1983)
Persian Gulf (1988) (Oil Platforms)
Panama (1989)
Persian Gulf War (1990-1991)
Somalia (1992-1994)
Afghanistan (2001-2015)
Iraq (2003-2016)
From 1775 to 2015, more than 41,000 Marines have made the ultimate sacrifice for us on the battlefield. Additionally, more than 200,000 have been wounded (Source: Marine Corps University). The fact that these numbers are as low as they are is a testament to Marine dedication, training, effectiveness and lethality. Regardless of the numbers, let’s not forget that each one of these soldiers was a father, mother, son, daughter, aunt, uncle, brother, sister, and/or friend. It’s our duty as citizens of this great country to ensure their sacrifices were not made in vain; that their sacrifices might live on through our own acts of service to others.
My Marine Corps Story (brief)
I was born in the Naval Hospital Philadelphia to two Marine Corps parents. My father served in active duty from 1957/8 until retirement in 1978, and my mother also served. Although her active Marine Corps duty was not as long as my father’s, her duties (raising me and keeping my father in line) was a helluva lot more challenging. I’m an only child who grew up on base (Camp Pendleton and Quantico).
Although I didn’t serve directly in the Marine Corps myself, the Marine Corps culture is a huge part of who I am. The Marines, my mother and my father taught me so many good things about the right way to live. Things like respect, discipline, work ethic, drive, mission, etc. I am forever grateful!
Happy Birthday
So, Happy Birthday Marines!
There are no words to describe how grateful I am. Regardless of how many people express gratitude for your service consciously, the gratitude is in their subconscious every time they exercise a constitutional right, walk down a street, eat a warm meal, embrace a family member, or do anything made possible by your service. Thank you for standing guard day and night for me, my family, and all Americans. I don’t take you or your sacrifices for granted, and I pray I never will.
The USMC always serves faithfully, rightfully earning their motto, Semper fidelis. Saying you’re faithful is one thing, demonstrating it through blood, sweat, and tears for 245 years is something entirely different.
There were hundreds of thousands, maybe millions, of worthy people who didn’t vote for “your guy”.
Demonize as you will, but here’s a reminder of some things.
People who voted for the other guy are NOT bad people. Sure, there are bad apples in any large group, but the vast majority of Americans are not bad people.
These people are NOT:
“ill”
“sick”
“dumb”
“stupid”
“racist”
“bigoted”
“idiots”
“Socialists”
“Fascists”
or any other demonizing word you want to throw at them.
These people ARE:
human beings with basic needs
human beings with basic desires
human beings with dreams
human beings who want to be loved
human beings who want to feel grace
human beings who have families
human beings who have different perspectives (a good thing)
human beings who have different beliefs (also a good thing)
human beings who have different backgrounds (also a good thing)
human beings with many additional things that are beautiful about them.
A failure to recognize these things about other people, especially those who don’t see eye to eye with you, makes you the same thing you rail against (intolerant, bigoted, etc.).
It doesn’t matter who “your guy” is or who “my guy” is. We both (Democrats and Republicans) have players on our team who demonize players on the other team. The lie is that there are two teams to begin with.
There is only ONE team. We are ALL Americans.
The other teams play for China, Russia, Iran, etc. You’d be remiss if you thought otherwise.
The sooner we learn to embrace the good things about us and shed the bad things, the better off our team will be. A team full of players who constantly fight each other doesn’t win (or accomplishing anything meaningful).
So, what are the good things? Go back to the list (above). The greatest of the “good things” is love. Choose and show love. It’s the best thing we’ve got.
https://evanfrancen.com/wp-content/uploads/2020/06/inclusion-2728130_1280.png8531280Evan Francenhttps://evanfrancen.com/wp-content/uploads/2019/05/evan-francen-white.pngEvan Francen2020-11-04 12:04:542020-11-04 12:04:54Good People Didn’t Vote For Your Guy
Well, it’s already mid-October and the election is 21 days (three weeks) away. Things have never seemed crazier or more divided, at least not in my lifetime. Good fodder for discussion in episode 101 of the UNSECURITY Podcast!
Work-wise things are also crazy, but good. Fourth quarter is always nuts for an information security company, and doesn’t matter is it’s consulting (FRSecure) or SaaS (SecurityStudio). Everyone is running at full capacity and finding life margin is a challenge!
Hope you’re happy and healthy! On the the show; I’m (Evan) leading this show and these are my notes.
SHOW NOTES – Episode 101
Date: Wednesday October 14th, 2020
Episode 101 Topics
Opening
Catching Up (as per usual)
Election Security
News
Wrapping Up – Shout outs
Opening
[Evan] Hey there, thank you for tuning into this episode of the UNSECURITY Podcast. The date is October 14th, 2020 and this is episode 101. I’m Evan Francen, your host for this show. Joining me is my good friend and co-host Brad Nigh. Good morning Brad.
[Brad] Brad does Brad.
[Evan] I know we’re a day late getting the podcast out again this week, but holy cow we’ve been busy! We’ll try to get back on track next week.
Brad, I want to reiterate how I enjoyed our discussion the past couple of weeks about the social dilemma, a Netflix documentary about social media and its effects on society. Lots to think about. In fact, I’m planning to watch it again this week.
[Brad] He might comment here.
Catching Up
[Evan] So, what’s new? Tell us what a day in the life of Brad looks like.
[Brad] Cue Brad.
[Evan] I’ll share some stuff too (probably).
Transition
Election Security
[Evan] As you know, we’re only 20 days from the election. If you haven’t registered to vote yet, you should. Go to vote.gov and check it out. Brad have you registered to vote?
[Brad] Cue Brad.
[Evan] I’m registered and ready to cast my ballot! The date is November 3rd.
There’s been much said about election security. A simple Google search of “election security” produces over 2.2 million results! Election security isn’t a new thing, even though it’s been front and center the past few election cycles.
There’s more to election security than protecting voting machines, so let’s talk about this.
[Evan] There’s a lot more to election security than infrastructure. What about voter intimidation, disinformation, and security after election night? We’re talking about disinformation on Thursday night’s Security Sh*t Show because this is a significant issue in today’s society.
Election Security Discussion
Open discussion
[Evan] Good discussion! Securing an election has never been more difficult. Let’s catchup on some news quick.
News
[Evan] Here are some recent and interesting news stories to talk about.
[Evan] Great! Episode 101 is just about complete. Thanks Brad, do you have any shout outs this week?
[Brad] We’ll see.
[Evan] Always grateful for our listeners! We’re behind on email, but we’ll promise to respond soon. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh.
Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more things we do when we do what we do.
That’s it! Talk to you all again next week!
https://evanfrancen.com/wp-content/uploads/2020/10/vote.jpg341512Evan Francenhttps://evanfrancen.com/wp-content/uploads/2019/05/evan-francen-white.pngEvan Francen2020-10-13 06:54:452020-10-13 06:54:45UNSECURITY Podcast – Ep 101 Show Notes – Election Security
Hard to believe that this is episode 100 already! I’ll have to write a recap of the journey sometime soon.
Crazy things all over the place here at FRSecure and SecurityStudio. If you’ve been an information security consultant, or if you know one, you know that 4th quarter is a crazy time of year. Turns out, COVID-19 and 2020 is NOT the exception. We’re happily swamped.
Having said all that, we’re a day late getting the podcast out again this week. Not because we didn’t try, but because life and work get in the way sometimes.
Hope you’re happy and healthy! On the the show; Brad’s leading and these are Brad’s notes.
SHOW NOTES – Episode 100
Date: Wednesday October 7th, 2020
Episode 100 Topics
Opening
Catching Up (as per usual)
the social dilemma, Part Two
News
Wrapping Up – Shout outs
Opening
[Brad] Welcome back! This is episode 100 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is October 6th, and joining me this morning as usual is Evan Francen.
[Evan] Talks about how busy things have been
[Brad] Last week we had a really good discussion about The Social Dilemma and we didn’t get to everything so we are doing part 2 today. But before we get going let’s recap our week.
Catching Up
[Evan] Evan’s cool story
[Brad] A recap of my week
Transition
the social dilemma, Part Two
[Brad] Okay let’s pick up where we left off. There are no shortage of takes on the movie, here are some I found interesting.
[Brad] That’s it for episode 100. Thank you Evan, do you have any shout outs this week?
[Evan] We’ll see.
[Brad] Thank you to all our listeners! Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen.
Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.
That’s it! Talk to you all again next week!
https://evanfrancen.com/wp-content/uploads/2020/09/socialmediaaddiction.png187269Evan Francenhttps://evanfrancen.com/wp-content/uploads/2019/05/evan-francen-white.pngEvan Francen2020-10-07 07:58:102020-10-07 07:58:10UNSECURITY Podcast – Ep 100 Show Notes – The Social Dilemma Pt2
Happy Tuesday! Here we are again, and lots going on…
The big news (sort of) is the first presidential debate is tonight. I wonder how many people will tune in. Personally, I’m not sure if I will. We’ll see.
A few weeks ago my wife asked me to watch the social dilemma with her on Netflix, so I did. I’d heard about the documentary/movie from some friends, but didn’t get around to watching it until then. Wow!
The opening quote from the movie:
Nothing vast enters the life of mortals without a curse
-Sophocles
He was right. Today, Brad and I will give your our reviews about the social dilemma and talk about our thoughts. These are my (Evan) show notes for episode 99.
SHOW NOTES – Episode 99
Date: Tuesday, September 29th, 2020
Episode 99 Topics
Opening
Catching Up
the social dilemma
News
Wrapping Up – Shout outs
Opening
[Evan] Good morning everyone. Thanks for tuning in to episode 99 of the UNSECURITY Podcast. Today is September 29th, 2020 and joining me is my co-host and friend Brad Nigh.
Good morning Brad.
[Brad] Cue Brad.
[Evan] We’ve got a special show planned for our listeners this week. Brad, you and I both watched the social dilemma on Netflix. It’s a documentary about social media in our society that was released in January. Funny how neither of us had watched it until recently, and now (as of this morning) it’s trending as the #6 most popular video on Netflix. I guess it’s better late to the party than not showing up at all!
Before we jump in, I’m dying to hear your thoughts, let’s catch up quick. This is customary.
What if I’m not a social media user/addict, why should I care?
We see different realities? Different news feeds?
Data (you and I) sold to the highest bidder.
Where does this all end if we don’t act (now)?
Any sufficiently advanced technology is indistinguishable from magic
-Arthur C. Clarke
[Evan] If you haven’t seen the social dilemma yet, I highly suggest you do. Sit down, spend the hour and a half, and consider it all. If you’ve got a spouse, invite them to watch it with you. If you’ve got teenage kids, see if you can peel them away from their phones long enough too.
We’ve got to do more about this, and we’ve got to move much quicker than we are.
[Evan] OK, news. Let’s do some quick news stories.
News
[Evan] Three news stories to talk about briefly this week:
[Evan] OK. That’s about it. Episode 99 is almost a wrap. Brad, any shout outs this week?
[Brad] Shout out…
[Evan] We’re very grateful for our listeners and we love hearing from you. Send us messages by email at unsecurity@protonmail.com or check us out on Twitter, @UnsecurityP.
If you wanna socialize with me or Brad directly, we dare you! I’m @evanfrancen, and Brad’s @BradNigh. We work for people and if you want to follow those people, SecurityStudio is @studiosecurity and FRSecure is @FRSecure.
That’s it, talk you all again next week!
https://evanfrancen.com/wp-content/uploads/2020/09/socialmediaaddiction.png187269Evan Francenhttps://evanfrancen.com/wp-content/uploads/2019/05/evan-francen-white.pngEvan Francen2020-09-29 06:34:592020-09-29 06:34:59UNSECURITY Podcast – Ep 99 Show Notes – The Social Dilemma